diff --git a/caddy/update-caddy-certs.sh b/caddy/update-caddy-certs.sh
index ed4ca2a..ca0d076 100755
--- a/caddy/update-caddy-certs.sh
+++ b/caddy/update-caddy-certs.sh
@@ -70,9 +70,12 @@ OUTPUT="${OUTPUT}    }\n"
 OUTPUT="${OUTPUT}    respond \"OK\" 200\n"
 OUTPUT="${OUTPUT}}\n\n"
 
-# Wildcard-Blocks pro Kundendomain
+# Wildcard-Blocks + webmail Block pro Kundendomain
 for domain in $DOMAINS; do
     echo "   → Wildcard Block: *.${domain}"
+    echo "   → Webmail Block:  webmail.${domain}"
+
+    # Wildcard-Cert Block (für Cert-Generierung + Fallback)
     OUTPUT="${OUTPUT}# Wildcard-Cert für $domain\n"
     OUTPUT="${OUTPUT}*.${domain}, ${domain} {\n"
     OUTPUT="${OUTPUT}    tls {\n"
@@ -80,6 +83,18 @@ for domain in $DOMAINS; do
     OUTPUT="${OUTPUT}    }\n"
     OUTPUT="${OUTPUT}    respond \"OK\" 200\n"
     OUTPUT="${OUTPUT}}\n\n"
+
+    # Webmail Block (Roundcube) - muss VOR dem Wildcard-Block matchen
+    # Caddy wertet Blöcke in Reihenfolge aus, spezifischere Hosts gewinnen
+    OUTPUT="${OUTPUT}# Roundcube Webmail für $domain\n"
+    OUTPUT="${OUTPUT}webmail.${domain} {\n"
+    OUTPUT="${OUTPUT}    reverse_proxy roundcube:80\n"
+    OUTPUT="${OUTPUT}    encode gzip\n"
+    OUTPUT="${OUTPUT}    log {\n"
+    OUTPUT="${OUTPUT}        output stderr\n"
+    OUTPUT="${OUTPUT}        format console\n"
+    OUTPUT="${OUTPUT}    }\n"
+    OUTPUT="${OUTPUT}}\n\n"
 done
 
 # --- Ausgabe ---