My setup is a server behind NAT (because I want OpenVPN, ipset for country ACLs, my own firewall rules, rspamd, and an nginx reverse proxy in front of the MIAB server). I do DNAT to MIAB for mail and HTTP reverse proxying to MIAB for HTTP(S).
My previous setup (iRedMail) worked perfectly without greylisting, with rspamd, but became unsupportable after the upgrade to bullseye.
These are all reasons why I do not need Let's Encrypt (I do this with dehydrated, which is much easier on the frontend server). Anyway, I also tried to forward the .well-known location to the MIAB server.
The forward works for my mail domains, but I wonder why I had the same issue as self-signed-not-replaced #8495.
Manually replacing the cert links with my own Let's Encrypt certs resulted in #3867 (no reply) and #3565 (sorry, I cannot post more links in my first post :-).
Still, the reason why I am not just using the built-in Let's Encrypt is issue #8495.
Why is the self-signed cert of the host itself not handled by the built-in Let's Encrypt?
The mail domains do work, but the cert for the hostname itself is still self-signed.
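As an added example (not part of the original post and not MIAB's own configuration), here is how the frontend nginx in the setup described above could forward only the ACME challenge path to the MIAB server, and do so for the box hostname as well as for the mail domains. The addresses and names are assumptions: 10.0.0.5 stands for the MIAB server's private address behind NAT, box.example.com for the MIAB hostname, and example.com / mail.example.com for mail domains. Including the box hostname in `server_name` is what lets a challenge for the hostname itself reach MIAB; if only the mail-domain vhosts forward `.well-known`, the hostname's challenge never arrives at the box.

```nginx
# Added example, not from the original post. Assumed values:
#   10.0.0.5        = MIAB server's private address behind NAT
#   box.example.com = the MIAB hostname itself
#   example.com, mail.example.com = mail domains hosted on MIAB

server {
    listen 80;
    # The box hostname is listed alongside the mail domains so that
    # challenges for the hostname's own certificate are forwarded too.
    server_name box.example.com example.com mail.example.com;

    # Only the ACME challenge path is passed through over plain HTTP.
    # "^~" makes this prefix match win over any regex locations.
    # Host is preserved so MIAB serves the challenge for the right name.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://10.0.0.5;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else stays on the frontend and is sent to HTTPS,
    # where the frontend's own (dehydrated-issued) certificate is used.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

To check the forward before relying on it, request a non-existent token from outside the NAT for each name, for example `curl -sI http://box.example.com/.well-known/acme-challenge/probe`: a 404 coming from MIAB's web server (rather than a 301 from the frontend) shows that the path reaches the box for that hostname, while a 301 means the vhost or location is not matching and the challenge would fail for that name.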