diff --git a/apps/mail/mail.yaml b/apps/mail/mail.yaml
index 150f625..b02f31c 100644
--- a/apps/mail/mail.yaml
+++ b/apps/mail/mail.yaml
@@ -207,20 +207,13 @@ spec:
     - port: 993
       targetPort: 993
       name: imaps
----
-# TLS Certificate via cert-manager
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: mail-tls
-  namespace: mail
-spec:
-  secretName: mail-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - mail.iamworkin.lan
+# --- mail-tls Certificate REMOVED 2026-06-01 ---
+# mail-tls is now managed OUTSIDE cert-manager: issued from step-ca's JWK 'admin'
+# provisioner and auto-renewed by a systemd timer on noc1 (step ca renew), which
+# writes the mail-tls secret directly. step-ca-acme only has an HTTP-01 (Traefik)
+# solver, but mail.iamworkin.lan must resolve to the dedicated MetalLB IP 10.0.56.202
+# (SMTP/IMAP), so HTTP-01 cannot validate. Do NOT re-add a cert-manager Certificate
+# here unless a DNS-01 solver is deployed for step-ca-acme.
 ---
 # Traefik IngressRoute - Webmail placeholder
 apiVersion: traefik.io/v1alpha1
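Review bot: The replacement comment says a systemd timer on noc1 "writes the mail-tls secret directly" but does not record which Kubernetes identity it authenticates as or how that identity's RBAC is bounded, so the manifest now depends on an out-of-cluster writer whose privilege level is undocumented. Since nothing in the file declares the Secret any more, a reader has no in-repo trace of it and, if a GitOps tool with pruning is in use (not visible here), the Secret may be at risk of being treated as unmanaged; consider adding a line such as `# Secret written by <RENEWAL_SERVICEACCOUNT placeholder>; Role limited to get/update on secret mail-tls in namespace mail` and naming the systemd unit so renewal failures can be located. Moving renewal outside cert-manager also removes it from cert-manager's expiry metrics, so a sentence on where mail-tls expiry is alerted would help the next maintainer. Finally, issuing an unattended renewal from the JWK 'admin' provisioner is broader than a dedicated provisioner restricted to mail.iamworkin.lan; if step-ca's per-provisioner issuance policy is available in this deployment, a follow-up note to that effect would be worth adding.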