Hi @malz
Your firewall should allow port 443 through. The standalone command spins up a temporary (Python-based) web server to answer the challenge.
After the challenge is complete, no one will be able to connect on port 443 (as the web server is turned off).
This is a good solution for mail servers that do not have port 80 or 443 open.
You were almost there; just a small correction to the firewall rules.
Note: Let’s Encrypt does not publish IP addresses so you cannot whitelist a certain IP range.
I have written an article about this sort of testing; however, as you have not provided a domain, I can’t recommend more. Tutorial - Testing Mail Protocols with SSL/TLS
In terms of cipher support, I recommend you look at this: https://www.sidorenko.io/post/2014/02/secure-ssl-configuration-for-apache-postfix-dovecot/
Andrei
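Once the standalone challenge has run and the firewall hole is closed again, the thing worth checking is that the mail server is actually presenting the new certificate over STARTTLS with a sane protocol and cipher. The script below is an added example, not code from the reply above or from the linked tutorial; it uses only the Python standard library (`smtplib`, `ssl`), and the hostname, submission port and thresholds are placeholders you would replace with your own.

```python
"""Post-issuance STARTTLS check for a mail server (added example).

Connects to the SMTP submission port, issues EHLO, upgrades with STARTTLS
using the system CA store (so chain and hostname are verified), and reports
the certificate names, days until expiry, and the negotiated protocol/cipher.
"""
import smtplib
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


def parse_ehlo(ehlo_message: bytes) -> Set[str]:
    """Return the EHLO keywords the server advertises.

    smtplib hands back the multi-line reply with the status codes stripped;
    the first line is the server's domain/greeting, the rest are capabilities.
    """
    lines = ehlo_message.decode("ascii", errors="replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days left on a certificate, given the notAfter string from
    ssl.SSLSocket.getpeercert() (e.g. 'Jun  9 12:00:00 2025 GMT')."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def assess(result: Dict, min_days: int = 14,
           allowed_protocols=("TLSv1.2", "TLSv1.3")) -> List[str]:
    """Turn a check result into a list of findings; empty list means all good."""
    findings = []
    if result["days_left"] < min_days:
        findings.append(f"certificate expires in {result['days_left']} days")
    if result["protocol"] not in allowed_protocols:
        findings.append(f"negotiated {result['protocol']}, expected one of {allowed_protocols}")
    if not result["san"]:
        findings.append("certificate carries no DNS subjectAltName")
    return findings


def check_starttls(host: str, port: int = 587, timeout: float = 10.0) -> Dict:
    """Network part: EHLO, STARTTLS with verification, then read back what was negotiated."""
    ctx = ssl.create_default_context()  # verifies chain and hostname against the system CA store
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO failed with {code}")
        if "STARTTLS" not in parse_ehlo(msg):
            raise RuntimeError("server does not advertise STARTTLS")
        smtp.starttls(context=ctx)
        sock = smtp.sock  # now an SSLSocket
        cert = sock.getpeercert()
        name, protocol, _bits = sock.cipher()
        return {
            "subject": dict(pair[0] for pair in cert["subject"]),
            "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            "days_left": days_until_expiry(cert["notAfter"]),
            "protocol": protocol,
            "cipher": name,
        }


if __name__ == "__main__":
    # Placeholder host; substitute the mail server you just issued a certificate for.
    report = check_starttls("mail.example.invalid", 587)
    print(report)
    for finding in assess(report):
        print("WARNING:", finding)
```

Because `ssl.create_default_context()` is used, a wrong or self-signed chain fails at `starttls()` with an `SSLCertVerificationError`, which is the outcome you want from a check rather than a silently accepted certificate. Run it once from outside your own network, since that is where the firewall rules actually apply.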