Add mail.cnx.email client alias as a cert SAN

A mail.cnx.email CNAME (-> mx1.cnx.email) lets clients (Thunderbird etc.)
use a friendly hostname for submission/IMAP. To avoid a TLS name
mismatch the cert now carries mail.cnx.email as a SAN, so the acme_mx1
key is authorized to write _acme-challenge.mail too. The MX still points
at mx1.cnx.email and --reuse-key keeps the DANE TLSA digest valid across
the re-issue.
Berwn
2026-06-18 15:01:03 +07:00
parent dc21348727
commit 1dd3aadb97
3 changed files with 14 additions and 3 deletions
+3 -2
@@ -58,8 +58,8 @@ in
# ACME DNS-01, dedicated mx1 key. A *separate* TSIG key (acme_mx1) that only
# mx1 holds, rendered from the shared secret (generator dns-acme-mx1-secret,
# imported above). acl_acme_mx1 scopes it to TXT updates at exactly
# _acme-challenge.mx1 and _acme-challenge.mta-sts (the mail cert and its
# MTA-STS SAN), and it is attached only to the cnx.email zone below — so this
# _acme-challenge.{mx1,mta-sts,mail} (the mail cert and its MTA-STS + client-
# alias SANs), and it is attached only to the cnx.email zone below — so this
# credential can write nothing but mx1's own cert challenges.
clan.core.vars.generators.dns-acme-mx1-knot = {
files."acme.conf" = {
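Review bot: the two rewritten comment lines should also state why `_acme-challenge.mail` needs its own TXT owner at all. The commit message explains that `mail.cnx.email` is a CNAME to `mx1.cnx.email`, but a CNAME only aliases that exact owner name; the DNS-01 lookup is made at `_acme-challenge.mail`, a different name that the CNAME does not redirect, so the existing `_acme-challenge.mx1` record cannot satisfy it. Without that sentence a later reader may conclude the alias is covered by the mx1 challenge and drop the extra owner name from the ACL. One added line such as `# (mail is a CNAME to mx1, but _acme-challenge.mail is its own name and needs its own TXT)` would capture it.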
@@ -99,6 +99,7 @@ in
"update-owner-name" = [
"_acme-challenge.mx1"
"_acme-challenge.mta-sts"
"_acme-challenge.mail"
];
}
];
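Review bot: the new entry widens the ACL only to the exact owner name `_acme-challenge.mail`, not to `mail` itself, so the acme_mx1 key still cannot rewrite the new CNAME; the hunk leaves the update type untouched, so the TXT-only restriction described in the comment at the top of this file is presumed to still apply. Two things to confirm in the other changed files rather than here: that the ACME client's domain list for this cert was extended with `mail.cnx.email` in the same commit (otherwise this owner name is never used), and that the `--reuse-key` behaviour the commit message relies on is actually set for this cert, since a fresh key on re-issue would invalidate the DANE TLSA digest.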