diff --git a/config/net.nix b/config/net.nix
index b991b2c5..fa7607af 100644
--- a/config/net.nix
+++ b/config/net.nix
@@ -58,6 +58,8 @@
 ${iproute2}/bin/ip link set ovpns-veth-b netns ovpns
 ${iproute2}/bin/ip -n ovpns addr add 10.0.1.6/24 dev ovpns-veth-b
 ${iproute2}/bin/ip -n ovpns link set ovpns-veth-b up
+ # forward HTTP traffic, which we need for letsencrypt to work
+ ${iproute2}/bin/ip netns exec ovpns ${socat}/bin/socat TCP4-LISTEN:80,reuseaddr,fork,su=nobody TCP4:10.0.1.5:80 &
 '';
 ExecStop = with pkgs; writeScript "wg0veth-stop" ''
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
index 83f21485..c5318ad1 100644
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@@ -182,11 +182,16 @@
 };
 };
- # exists only to manage acme for dovecot
+ # exists only to manage certs for dovecot
 services.nginx.virtualHosts."imap.uninsane.org" = {
 forceSSL = true;
 enableACME = true;
 };
+ # exists only to manage certs for Postfix
+ services.nginx.virtualHosts."mx.uninsane.org" = {
+ forceSSL = true;
+ enableACME = true;
+ };
 security.acme.acceptTerms = true;
 security.acme.email = "acme@uninsane.org";
diff --git a/config/users.nix b/config/users.nix
index 6e7e711f..6471898b 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -39,8 +39,9 @@
 pkgs.nettools
 pkgs.nmap
 pkgs.ripgrep
- pkgs.telnet
+ pkgs.socat
 pkgs.sudo
+ pkgs.telnet
 pkgs.wireguard
 pkgs.zola
 (pkgs.vim_configurable.customize {
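Review bot: The socat forwarder added at the end of the start script is launched with `&`, and nothing in this hunk supervises or stops it. If it exits, HTTP-01 renewals fail silently, and depending on the unit's Type and KillMode (not visible here) a restart may find the old listener still holding port 80. A dedicated unit for the forwarder, or a matching kill in the `wg0veth-stop` script whose body lies outside the hunk, would make its lifecycle explicit. The relay also passes every request on port 80, not only ACME challenges, and nginx at 10.0.1.5 will see them all as coming from 10.0.1.6, so address-based allow rules, rate limits and log analysis on that side should treat 10.0.1.6 as untrusted. `fork` without a cap lets remote clients create children without limit; consider `TCP4-LISTEN:80,reuseaddr,fork,max-children=<N>,su=nobody` with a limit chosen for this host.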
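Review bot: The new `mx.uninsane.org` virtual host obtains and renews the certificate, but nothing in this section tells Postfix to pick up a renewed one. If that is not configured elsewhere, Postfix will presumably keep presenting the previous certificate until it is next restarted, and mail clients will start seeing an expired certificate. Consider adding `security.acme.certs."mx.uninsane.org".reloadServices = [ "postfix.service" ];` next to the vhost, and extending the comment to say the host intentionally serves no site content.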