diff --git a/deployment/deploy-yml.tmpl b/deployment/deploy-yml.tmpl
index 04b9b20..b6227f1 100644
--- a/deployment/deploy-yml.tmpl
+++ b/deployment/deploy-yml.tmpl
@@ -1,3 +1,28 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: exim-forwarder-cert
+spec:
+ secretName: exim-forwarder-cert
+ duration: 2160h
+ renewBefore: 360h
+ subject:
+ organizations:
+ - hottis-de
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ usages:
+ - server auth
+ dnsNames:
+ - mx.mainscnt.eu
+ issuerRef:
+ name: letsencrypt-staging-http
+ kind: ClusterIssuer
+ group: cert-manager.io
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -35,6 +60,9 @@ spec:
 - name: exim-config
 mountPath: /etc/exim/db
 readOnly: true
+ - name: tls-cert
+ mountPath: /etc/exim/db
+ readOnly: true
 volumes:
 - name: exim-config
 configMap:
@@ -44,6 +72,14 @@ spec:
 path: forward_domains
 - key: addresses
 path: forward_addresses
+ - name: tls-cert
+ secret:
+ secretName: exim-forwarder-cert
+ items:
+ - key: tls.crt
+ path: server.crt
+ - key: tls.key
+ path: server.key
 ---
 apiVersion: v1
 kind: Service
diff --git a/exim.conf b/exim.conf
index c1f4dd3..3dd284d 100644
--- a/exim.conf
+++ b/exim.conf
@@ -1,6 +1,8 @@
 domainlist forward_domains = lsearch;/etc/exim/db/forward_domains
 tls_advertise_hosts = *
+tls_certificate = /etc/exim/db/server.crt
+tls_privatekey = /etc/exim/db/server.key
 # acl_smtp_connect = acl_connect
diff --git a/forward_addresses b/forward_addresses
deleted file mode 100644
index 280710d..0000000
--- a/forward_addresses
+++ /dev/null
@@ -1 +0,0 @@
-wn@mainscnt.eu: wolfgang.hottgenroth@icloud.com
diff --git a/forward_domains b/forward_domains
deleted file mode 100644
index 326640a..0000000
--- a/forward_domains
+++ /dev/null
@@ -1,2 +0,0 @@
-mainscnt.eu
-
diff --git a/snippets/certificate-test.yml b/snippets/certificate-test.yml
index b8ff620..5089a38 100644
--- a/snippets/certificate-test.yml
+++ b/snippets/certificate-test.yml
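Review bot: The `issuerRef` of the new Certificate in deployment/deploy-yml.tmpl (hunk `@@ -1,3 +1,28 @@`) names `letsencrypt-staging-http`, and certificates from the Let's Encrypt staging environment chain to a root that no mail sender trusts. Opportunistic STARTTLS will still negotiate, but a sender that validates the MX certificate (for instance under an MTA-STS policy in enforce mode) will not accept the certificate for mx.mainscnt.eu. If staging is only meant for proving the issuance flow, I would put a comment above `issuerRef` such as `# staging issuer: untrusted chain, switch to <production-cluster-issuer> before go-live` and change `name:` once issuance works. The manifest also carries no `metadata.namespace`, so the secret is created wherever the template is applied; that has to be the namespace of the Deployment that mounts `exim-forwarder-cert`.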
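Review bot: The added `tls-cert` volumeMount in deployment/deploy-yml.tmpl (hunk `@@ -35,6 +60,9 @@`) uses `mountPath: /etc/exim/db`, the path the `exim-config` mount directly above it already occupies. Kubernetes requires every mountPath within a container to be unique, so I would expect this pod spec to be rejected when it is applied. Give the secret its own directory, `mountPath: /etc/exim/tls`, and point the two lines added in the exim.conf hunk at it: `tls_certificate = /etc/exim/tls/server.crt` and `tls_privatekey = /etc/exim/tls/server.key`. That also keeps the private key out of the directory holding the lsearch lookup files. The container definition starts outside this hunk.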
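Review bot: The `tls-cert` secret volume in deployment/deploy-yml.tmpl (hunk `@@ -44,6 +72,14 @@`) sets no `defaultMode`, so `server.key` is projected with the default mode 0644 and any user or process in the container can read the private key. I would add `defaultMode: 0440` under `secret:`, next to `secretName`. If Exim runs as a non-root user, the pod also needs a `securityContext.fsGroup` matching that user's group so the daemon can still read the key. The pod-level securityContext is not visible in this hunk, so confirm which user the container runs as before tightening further.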
@@ -1,10 +1,9 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
- name: wiki-mainscnt-eu
- namespace: homea
+ name: mx-hottis-de
 spec:
- secretName: wiki-mainscnt-eu-cert
+ secretName: mx-hottis-de-cert
 duration: 2160h
 renewBefore: 360h
 subject:
@@ -18,7 +17,7 @@ spec:
 usages:
 - server auth
 dnsNames:
- - wiki.mainscnt.eu
+ - mx.hottis.de
 issuerRef:
 name: letsencrypt-staging-http
 kind: ClusterIssuer