diff --git a/howto/submission.md b/howto/submission.md
index 3edace28e35d6ee572304959f3658955da70c456..ebd8c4986fa81668aefb93837eea2596b593236f 100644
--- a/howto/submission.md
+++ b/howto/submission.md
@@ -66,6 +66,12 @@ TODO: how to setup the service from scratch. puppet role and DNS?
 
     _submission._tcp.example.com.     SRV 0 1 587 mail.example.com.
 
+In `letsencrypt.git`, add an entry for that host's specific TLS
+certificate. For example, the `submit-01.torproject.org` has a line
+like this:
+
+    submit-01.torproject.org submit.torproject.org
+
 ## SLA
 
 <!-- this describes an acceptable level of service for this service -->
@@ -125,7 +131,7 @@ The submission server is monitored like other mail servers that have
 
 To test delivery, make sure you have an `emailPassword` set
 (e.g. through [update.cgi](https://db.torproject.org/update.cgi)). Then you should be able to use the
-[swaks](https://tracker.debian.org/swaks) to test delivery:
+[swaks](https://tracker.debian.org/swaks) to test delivery.
 
 This will try to relay an email through server example.net to the
 example.com domain using TLS over the submission port (587) with user
@@ -133,6 +139,17 @@ name anarcat and a prompted password (`-ap -pp`).
 
     swaks -f anarcat@example.net -t anarcat@example.com -s example.net -tls -p 587 -au anarcat -ap -pp
 
+To set a new password by hand in LDAP, you can use `doveadm`:
+
+    doveadm pw -s BLF-CRYPT
+
+Then copy-paste the output (minus the {} prefix) into the
+`mailPassword` field in LDAP (if you want to bypass the web interface)
+or the `/etc/dovecot/private/mail-passwords` file on the submission
+server (if you want to bypass `ud-replicate` altogether, note that the
+change might be overwritten fairly quickly). Note that [other schemes
+can be used as well](https://doc.dovecot.org/configuration_manual/authentication/password_schemes/).
+
 ## Logs and metrics
 
 TODO: logs and metrics
@@ -148,6 +165,12 @@ No special backup of this service is required.
 
 TODO: <!-- references to upstream documentation, if relevant -->
 
+ * https://anarc.at/services/mail/
+ * https://doc.dovecot.org/configuration_manual/authentication/passwd_file/
+ * https://wiki.dovecot.org/VirtualUsers
+ * https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
+ * https://doc.dovecot.org/configuration_manual/authentication/user_databases_userdb/
+
 # Discussion
 
 ## Overview