Untested, but I think this will do the trick. There’s a rewrite condition now that exists purely for the purpose of capturing the subdomain value, then we use that captured value (%1) in the rewrite.
Specify port 80 not any port containing 80 as digits in the port number.
Specify mail.fancyblue.net using No Case.
If both conditions are met, redirect the {REQUEST_URI} to the secure server without duplicating Apache variables for {HTTP_HOST} and {REQUEST_URI}; any query string will not be affected.