diff --git a/states/certificates/dehydrated/conf.d/hook.sh b/states/certificates/dehydrated/conf.d/hook.sh
index e647c51..ed09c82 100644
--- a/states/certificates/dehydrated/conf.d/hook.sh
+++ b/states/certificates/dehydrated/conf.d/hook.sh
@@ -1,3 +1,3 @@
-HOOK=/etc/dehydrated/dehydrated-mythic-dns01/dehydrated-mythic-dns01.sh
+HOOK=/etc/dehydrated/hooks/hookchain.sh
 CHALLENGETYPE=dns-01
 HOOK_CHAIN=yes
diff --git a/states/certificates/dehydrated/hooks/deploy.sh b/states/certificates/dehydrated/hooks/deploy.sh
new file mode 100755
index 0000000..7d0e2a0
--- /dev/null
+++ b/states/certificates/dehydrated/hooks/deploy.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+#
+# Copy dehydrated generated certs into /var/local/certificates and
+# set required ownership. Also restart local services as appropriate.
+
+action=$1
+shift
+
+deploy_cert() {
+ cp -R /var/lib/dehydrated/certs/* /var/local/certificates/
+ chown -R root:ssl-cert /var/local/certificates/
+
+ DOMAIN="$1"
+ case $DOMAIN in
+ "mail.lunch.org.uk")
+ systemctl restart exim4
+ ;;
+ esac
+}
+
+case $action in
+ deploy_cert)
+ deploy_cert "$@"
+ ;;
+esac
+
diff --git a/states/certificates/dehydrated/hooks/hookchain.sh b/states/certificates/dehydrated/hooks/hookchain.sh
new file mode 100755
index 0000000..4dd288f
--- /dev/null
+++ b/states/certificates/dehydrated/hooks/hookchain.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Call Mythic's DNS hook.
+/etc/dehydrated/dehydrated-mythic-dns01/dehydrated-mythic-dns01.sh "$@"
+
+# Now our deployment script.
+
+/etc/dehydrated/hooks/deploy.sh "$@"
diff --git a/states/certificates/init.sls b/states/certificates/init.sls
index cf7d37f..58ec13b 100644
--- a/states/certificates/init.sls
+++ b/states/certificates/init.sls
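Review bot: deploy_cert in deploy.sh sets ownership on /var/local/certificates but never sets file modes, so the ssl-cert group gets whatever mode cp gives the copies (for new files that is the source mode, which is worth checking is not owner-only for the private keys), and the `file_mode` on that directory in init.sls does not recurse, so nothing else corrects it. Add an explicit `chmod -R u=rwX,g=rX,o= /var/local/certificates/` after the chown, and `set -eu` at the top so a failed cp or chown stops the script before exim4 is restarted with stale or partial files. The `certs/*` glob also copies every certificate directory, private keys included, on each deploy; copying only `/var/lib/dehydrated/certs/$DOMAIN` (after reading DOMAIN) would limit what becomes group-readable to the certificate actually being deployed.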
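Review bot: hookchain.sh discards the Mythic hook's exit status — deploy.sh runs unconditionally and the script exits with deploy.sh's status, which is 0 for every action other than deploy_cert, so a failed deploy_challenge in the DNS hook is not reported back to dehydrated. Put `set -e` after the shebang, or write the first call as `/etc/dehydrated/dehydrated-mythic-dns01/dehydrated-mythic-dns01.sh "$@" || exit $?`, so that a failure anywhere in the chain fails the whole hook. A one-line comment stating that deploy.sh intentionally ignores every action except deploy_cert would also help the next reader.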
@@ -34,23 +34,20 @@ dehydrated_cert_group: - name: ssl-cert - system: true -dehydrated_permissions: - file.directory: - - name: /var/lib/dehydrated/certs - - group: ssl-cert - - dir_mode: 2750 - - file_mode: 0640 - - recurse: - - group - - mode - -dehydrated_hooks: +dehydrated_confs: file.recurse: - name: /etc/dehydrated/conf.d - source: salt://certificates/dehydrated/conf.d - dir_mode: '0755' - file_mode: '0644' +dehydrated_hooks: + file.recurse: + - name: /etc/dehydrated/hooks + - source: salt://certificates/dehydrated/hooks + - dir_mode: '0755' + - file_mode: '0755' + dehydrated_cron: file.managed: - name: /etc/cron.daily/dehydrated @@ -69,6 +66,7 @@ server_key: - source: salt://certificates/certificates_id_ed25519.pub server_client_certificate_location: - file.symlink: + file.directory: - name: /var/local/certificates - - target: /var/lib/dehydrated/certs + - dir_mode: 0750 + - file_mode: 0640
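Review bot: In the `server_client_certificate_location` hunk, `file_mode: 0640` is given to file.directory without a `recurse` list, so that mode is never applied to the files deploy.sh copies in, and no `group` is set, so the 0750 directory is presumably created root:root and ssl-cert members cannot traverse it until the first deploy_cert runs the hook's chown. Consider `- group: ssl-cert` together with `- recurse: [group, mode]`, or drop `file_mode` if the hook script is meant to own file permissions. The modes here are also unquoted while the `dehydrated_hooks` state in the previous hunk writes `'0755'`; quoting them keeps YAML from reading them as octal integers and matches the rest of the file.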