diff --git a/src/mailserver/assets/dovecot.conf.d/10-ssl.conf b/src/mailserver/assets/dovecot.conf.d/10-ssl.conf
index 1b82c29..26df27f 100644
--- a/src/mailserver/assets/dovecot.conf.d/10-ssl.conf
+++ b/src/mailserver/assets/dovecot.conf.d/10-ssl.conf
@@ -9,8 +9,8 @@ ssl = yes
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/dovecot/private/dovecot.pem
-ssl_key = </etc/dovecot/private/dovecot.key
+ssl_cert = </etc/ssl/$myhostname/fullchain.pem
+ssl_key = </etc/ssl/$myhostname/privkey.pem
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
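Review bot: `$myhostname` on the new `ssl_cert`/`ssl_key` lines is a Postfix parameter, not a Dovecot setting, so unless an entrypoint rewrites this file before Dovecot starts, the path does not resolve to the mounted certificate directory; confirm how the name is injected, or use a literal path (Dovecot 2.3 can also read `$ENV:NAME` if the hostname is exported to the process). The comment above these lines is now stale, since the certificate no longer comes from `doc/mkcert.sh`/`dovecot-openssl.cnf`; I would replace it with `# Certificate and key are the Let's Encrypt fullchain/privkey copied into /etc/ssl/<hostname> (see docs/Deploy.md)`. That same comment asks for the key to stay readable by root only, yet the Deploy.md hunk in this commit does `chown -R 5000:5000` on the ssl tree, which hands `privkey.pem` to the unprivileged mail user; if both daemons load the key with root privileges at startup, root ownership with `chmod go-rwx` is sufficient and the chown can be dropped from the deploy hook. The same path assumption applies to the main.cf hunk.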
diff --git a/src/mailserver/assets/main.cf b/src/mailserver/assets/main.cf
index 471ab0a..68ebd86 100644
--- a/src/mailserver/assets/main.cf
+++ b/src/mailserver/assets/main.cf
@@ -27,8 +27,8 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 # whether to allow or enforce TLS. Acceptable values are 'none', 'may', or 'encrypt'.
 smtpd_tls_security_level=may
 # where to find certs
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_cert_file=/etc/ssl/$myhostname/fullchain.pem
+smtpd_tls_key_file=/etc/ssl/$myhostname/privkey.pem
 
 # SASL (user authentication) settings
 smtpd_sasl_type = dovecot
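Review bot: With `smtpd_tls_security_level=may` kept unchanged two lines above, a missing or unreadable `/etc/ssl/$myhostname/privkey.pem` does not fail hard; Postfix logs a warning and, as far as I recall, continues with TLS disabled, so the change from the always-present snakeoil pair to a mounted volume introduces a silent downgrade to cleartext SMTP if the mount or the `$myhostname` directory is absent. An entrypoint check such as `test -r /etc/ssl/$(postconf -h myhostname)/privkey.pem || exit 1` before starting Postfix, or watching for the "cannot load" TLS warnings, would make that failure visible. The directory name also has to equal the certbot `-d` domain from Deploy.md, which is true only when `myhostname` is set to exactly that value; worth stating in the comment, e.g. `# where to find certs: <hostname> must match the certbot domain in docs/Deploy.md`.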
diff --git a/src/mailserver/docs/Deploy.md b/src/mailserver/docs/Deploy.md
index 2f36447..e50d1e1 100644
--- a/src/mailserver/docs/Deploy.md
+++ b/src/mailserver/docs/Deploy.md
@@ -3,8 +3,9 @@
 ## create dirs
 
 ```
-mkdir -p /srv/volumes/mailserver/{db,mail}
+mkdir -p /srv/volumes/mailserver/{db,mail,ssl}
 chown -R 5000:5000 /srv/volumes/mailserver
+chmod go-rwx /srv/volumes/mailserver/ssl
 ```
 put your `users` and `aliases.d` in the `db` directory. Mail will go in the `mail` directory.
 
@@ -44,6 +45,6 @@ nft insert rule inet myfilter myfirewall tcp dport 80 accept
 
 Get a certificate for your domain by running:
 ```
-certbot certonly --standalone --pre-hook "nft insert rule inet myfilter myfirewall tcp dport 80 accept" --post-hook "nft -f /etc/nftables.conf"
+certbot certonly --standalone --pre-hook "nft insert rule inet myfilter myfirewall tcp dport 80 accept" --post-hook "nft -f /etc/nftables.conf" --deploy-hook "rsync -vaSHL /etc/letsencrypt/live/${domain:?} /srv/volumes/mailserver/ssl/; chown -R 5000:5000 /srv/volumes/mailserver/ssl" -d ${domain:?}
 ```
-the application will ask you a few questions, including you domain. Including the appropriate hooks when issuing the certificate should guarantee that the hooks are also used when renewing.
+the application may ask you a few questions. Answer them as you would like. Including the appropriate hooks in the issue command should ensure that those hooks are also included in subsequent renew commands.