diff --git a/DMS/setup-dms-tls.sh b/DMS/setup-dms-tls.sh
index ab0ec85..d6be340 100755
--- a/DMS/setup-dms-tls.sh
+++ b/DMS/setup-dms-tls.sh
@@ -8,8 +8,10 @@
 # - docker-data/dms/config/postfix-main.cf
 #
 # Cert-Konvention (Caddy Wildcard):
-# /etc/mail/certs/*.domain.tld/*.domain.tld.crt
-# /etc/mail/certs/*.domain.tld/*.domain.tld.key
+# Caddy speichert *.domain.tld unter: wildcard_.domain.tld/wildcard_.domain.tld.crt
+# Im Container (gemountet unter /etc/mail/certs):
+# /etc/mail/certs/wildcard_.domain.tld/wildcard_.domain.tld.crt
+# /etc/mail/certs/wildcard_.domain.tld/wildcard_.domain.tld.key
 #
 # Usage:
 # ./setup-dms-tls.sh
@@ -50,6 +52,15 @@ fi
 echo " Gefundene Domains:"
 for d in $DOMAINS; do echo " - $d"; done
+# --- Cert-Pfad Hilfsfunktionen ---
+# Caddy speichert Wildcard-Certs unter: wildcard_.domain.tld/wildcard_.domain.tld.crt
+wildcard_cert_path() {
+ echo "$CERTS_BASE_PATH/wildcard_.${1}/wildcard_.${1}.crt"
+}
+wildcard_key_path() {
+ echo "$CERTS_BASE_PATH/wildcard_.${1}/wildcard_.${1}.key"
+}
+
 # --- Cert-Verfügbarkeit im Container prüfen ---
 echo ""
 echo "🔍 Prüfe Zertifikat-Verfügbarkeit..."
@@ -57,11 +68,11 @@ DOMAINS_OK=""
 DOMAINS_MISSING=""
 for domain in $DOMAINS; do
- CERT_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.crt"
- KEY_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.key"
+ CERT_PATH=$(wildcard_cert_path "$domain")
+ KEY_PATH=$(wildcard_key_path "$domain")
 if docker exec "$DMS_CONTAINER" test -f "$CERT_PATH" 2>/dev/null; then
- echo " ✅ $domain → Cert vorhanden"
+ echo " ✅ $domain → $CERT_PATH"
 DOMAINS_OK="$DOMAINS_OK $domain"
 else
 echo " ⚠️ $domain → KEIN Cert unter $CERT_PATH"
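Review bot: The new helpers `wildcard_cert_path` / `wildcard_key_path` silently return a path rooted at `/wildcard_.…` when `CERTS_BASE_PATH` is empty or unset, and the bare `wildcard_.` directory when called with an empty domain; `CERTS_BASE_PATH` is assigned outside this hunk, so whether the script guards it cannot be seen here. Because the result is written verbatim into the Dovecot and Postfix TLS config below, I would fail fast instead: `: "${CERTS_BASE_PATH:?CERTS_BASE_PATH must be set}"` before the definitions and `[ -n "$1" ] || return 1` as the first line of each helper. A one-line header comment noting that the returned path is the in-container path (the `/etc/mail/certs` mount named in the file header), not a host path, would spare the next reader a wrong `ls`.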
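Review bot: In the availability loop the new `KEY_PATH=$(wildcard_key_path "$domain")` is computed but never checked — only `$CERT_PATH` goes through `test -f` — so a domain whose certificate is present but whose `.key` is missing still lands in `DOMAINS_OK`, and its key path is then written into the Dovecot and Postfix config further down, where a missing key typically makes the service reject the chain at startup instead of this script warning about it. Check both files in the same round-trip: `if docker exec "$DMS_CONTAINER" sh -c 'test -f "$1" && test -f "$2"' _ "$CERT_PATH" "$KEY_PATH" 2>/dev/null; then`. Note also that the `2>/dev/null` makes a stopped container or a wrong `DMS_CONTAINER` indistinguishable from "no cert for any domain"; a single `docker exec "$DMS_CONTAINER" true || exit 1` probe before the loop would separate the two. The `else` tail of the loop and its `done` are not visible in this hunk.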
@@ -72,13 +83,10 @@ done
 # Node-Hostname Cert prüfen (direktes Cert, kein Wildcard)
 NODE_CERT_PATH="$CERTS_BASE_PATH/$NODE_HOSTNAME/$NODE_HOSTNAME.crt"
-NODE_KEY_PATH="$CERTS_BASE_PATH/$NODE_HOSTNAME/$NODE_HOSTNAME.key"
 if docker exec "$DMS_CONTAINER" test -f "$NODE_CERT_PATH" 2>/dev/null; then
 echo " ✅ $NODE_HOSTNAME → Cert vorhanden (Node Default)"
-NODE_CERT_OK=true
 else
 echo " ⚠️ $NODE_HOSTNAME → KEIN Cert! Caddy-Block im Caddyfile prüfen."
-NODE_CERT_OK=false
 fi
 if [ -n "$DOMAINS_MISSING" ]; then
@@ -106,14 +114,17 @@ cat > "$DOVECOT_CFG" << 'HEADER'
 # Dovecot liest dieses File über den Volume-Mount in /tmp/docker-mailserver/
 # und wendet es automatisch an.
 #
+# Caddy Wildcard-Cert Pfad-Schema:
+# wildcard_.domain.tld/wildcard_.domain.tld.crt|.key
+#
 # Volume-Mount in docker-compose.yml:
 # - ./docker-data/dms/config/dovecot-sni.cf:/tmp/docker-mailserver/dovecot-sni.cf:ro
 HEADER
 for domain in $DOMAINS_OK; do
- CERT_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.crt"
- KEY_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.key"
+ CERT_PATH=$(wildcard_cert_path "$domain")
+ KEY_PATH=$(wildcard_key_path "$domain")
 cat >> "$DOVECOT_CFG" << EOF
 # $domain
@@ -138,6 +149,10 @@ EOF
 done
 echo " ✅ Dovecot SNI: $(echo $DOMAINS_OK | wc -w) Domain(s)"
+echo ""
+echo " --- dovecot-sni.cf Inhalt ---"
+cat "$DOVECOT_CFG"
+echo " --- Ende ---"
 # ================================================================
 # POSTFIX SNI Konfiguration
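Review bot: With `NODE_KEY_PATH` and `NODE_CERT_OK` removed, the node-hostname check now tests only the `.crt`, never the `.key`, and a missing node cert is reduced to a warning that nothing reads — the script continues and generates the SNI config regardless. The message calls this cert the `Node Default`; how that default is wired is outside this hunk, but if it is what clients without SNI get, a missing cert or key should either abort here or at least reach the summary, e.g. `if docker exec "$DMS_CONTAINER" sh -c 'test -f "$1" && test -f "${1%.crt}.key"' _ "$NODE_CERT_PATH" 2>/dev/null; then` with `NODE_CERT_OK=true`/`false` kept for the summary instead of dropped. As in the domain loop, the `2>/dev/null` on `docker exec` makes a stopped container look like a missing file.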
@@ -146,18 +161,17 @@ POSTFIX_CFG="$CONFIG_DIR/postfix-main.cf"
 echo ""
 echo "📝 Generiere: $POSTFIX_CFG"
-# Backup falls vorhanden
 if [ -f "$POSTFIX_CFG" ]; then
 cp "$POSTFIX_CFG" "${POSTFIX_CFG}.bak.$(date +%Y%m%d%H%M%S)"
 echo " ℹ️ Backup: ${POSTFIX_CFG}.bak.*"
 fi
-# smtpd_tls_chain_files aufbauen: Key + Cert Paar pro Domain
+# smtpd_tls_chain_files: Key + Cert Paar pro Domain
 # Postfix wählt automatisch per SNI das passende Paar
 CHAIN_LINES=""
 for domain in $DOMAINS_OK; do
- KEY_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.key"
- CERT_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.crt"
+ KEY_PATH=$(wildcard_key_path "$domain")
+ CERT_PATH=$(wildcard_cert_path "$domain")
 if [ -z "$CHAIN_LINES" ]; then
 CHAIN_LINES=" $KEY_PATH, $CERT_PATH"
 else
@@ -170,6 +184,9 @@ cat > "$POSTFIX_CFG" << POSTFIX_EOF
 # Postfix SNI-Konfiguration: pro Kundendomain ein Key/Cert-Paar.
 # Postfix wählt beim TLS-Handshake das passende Paar per SNI.
 # DMS lädt dieses File automatisch beim Start.
+#
+# Caddy Wildcard-Cert Pfad-Schema:
+# wildcard_.domain.tld/wildcard_.domain.tld.crt|.key
 # TLS Chain: Key + Cert Paare (Postfix >= 3.4)
 smtpd_tls_chain_files =
@@ -178,6 +195,10 @@ $(printf '%b' "$CHAIN_LINES")
 POSTFIX_EOF
 echo " ✅ Postfix SNI: $(echo $DOMAINS_OK | wc -w) Domain(s)"
+echo ""
+echo " --- postfix-main.cf Inhalt ---"
+cat "$POSTFIX_CFG"
+echo " --- Ende ---"
 # ================================================================
 # Zusammenfassung
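Review bot: The context line `# Postfix wählt automatisch per SNI das passende Paar` (repeated in the `postfix-main.cf` header of the next hunk) does not match what `smtpd_tls_chain_files` does: as far as I recall postconf(5), that parameter defines the server's default key/chain set — one chain per key algorithm — and SNI-based selection happens only through `tls_server_sni_maps`, so several RSA wildcard pairs listed there are at best collapsed to the first one (and the node-hostname cert is not in `CHAIN_LINES` at all, unless the lines between the two hunks add it), meaning every client gets whichever domain came first in `DOMAINS_OK` and certificate validation fails for the others. I would keep `smtpd_tls_chain_files` for the node default and emit a `texthash:` map for the customer domains, mounted into the container the same way `dovecot-sni.cf` is; please verify the map value format against postconf(5) `tls_server_sni_maps` and test with `openssl s_client -servername` before relying on it. That also retires the string-built `CHAIN_LINES` rendered through `printf '%b'`, which would interpret any backslash in a path; an array written with `printf '%s\n'` is the safer shape.
```shell
# … unchanged: backup of $POSTFIX_CFG …
# SNI map for Postfix: one entry for the apex and one for ".domain" so host.domain.tld matches too.
# Value format mirrors smtpd_tls_chain_files ("key, chain") — verify against postconf(5) tls_server_sni_maps.
SNI_MAP="$CONFIG_DIR/postfix-sni.map"
: > "$SNI_MAP"
for domain in $DOMAINS_OK; do
  key=$(wildcard_key_path "$domain")
  cert=$(wildcard_cert_path "$domain")
  printf '%s %s, %s\n'  "$domain" "$key" "$cert" >> "$SNI_MAP"
  printf '%s %s, %s\n' ".$domain" "$key" "$cert" >> "$SNI_MAP"
done
# … in the postfix-main.cf heredoc, in place of the CHAIN_LINES list (NODE_KEY_PATH needs re-adding):
# smtpd_tls_chain_files = $NODE_KEY_PATH, $NODE_CERT_PATH
# tls_server_sni_maps = texthash:/tmp/docker-mailserver/postfix-sni.map
```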