feat(infra): real TLS for mail.dezky.eu

The cert-sync timer waited forever for a mail/mail-tls secret no
Certificate resource ever requested — Stalwart served self-signed certs
since install, so mail clients refused the IMAP handshake ('cannot verify
account name or password' in Apple Mail). Adds the cert-manager
Certificate (HTTP-01 via Traefik on :80) and documents the v0.16 wrinkle:
TLS files aren't read from config anymore; a one-time file-backed
x:Certificate object (created via management JMAP) points at the synced
paths, after which cert-sync renewals keep working unchanged. Verified:
:993 now serves the Let's Encrypt cert, verify rc=0.

infrastructure/production/host/stalwart/cert-sync.sh

@@ -7,6 +7,14 @@
 #
 # Run by stalwart-cert-sync.timer (every 12h + on boot). Safe to run by hand.
 #
+# v0.16 NOTE: Stalwart no longer reads TLS files directly from config.toml.
+# A one-time x:Certificate object (management JMAP) points at these paths
+# with the File variant:
+#   {"certificate":{"@type":"File","filePath":"/opt/stalwart/etc/tls/cert.pem"},
+#    "privateKey":{"@type":"File","filePath":"/opt/stalwart/etc/tls/key.pem"}}
+# Created 2026-06-10. With that in place this script's file update + reload
+# keeps working for renewals exactly as designed.
+#
 # Forward dependency: needs the fleet layer to have created the TLS secret
 # (default: namespace 'mail', secret 'mail-tls'). Until then this is a no-op and
 # Stalwart keeps using the self-signed bootstrap cert from install.sh.