Is there a possibility in cloudron to propagate a mta-sts policy?

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Tue, 27 Jan 2026 10:21:38 GMT

m-si — Tue, 27 Jan 2026 10:21:38 GMT

@7dowWilkes sorry for answering that late. You need to have app that serves the file at the expected URL.

You need to set up surfer app (this is the webserver you are looking for) at mta-sts.YOURDOMAIN.TLD (YOURDOMAIN= is your domain... TLD=Top Level Domain e.g. .com, .org...) inside surfer app you need to create .well-known folder inside folder public and then place the mta-sts file as described earlier there...

I hope this clarifies it for you ...and yes it is still working. @james I think it would be awesome to somehow implement it into cloudron for the ease of use mail setup. As long as it is not implemented maybe a notice in the mail section of cloudron might work.

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Wed, 14 Jan 2026 10:23:59 GMT

7dowWilkes — Wed, 14 Jan 2026 10:23:59 GMT

@IniBudi: Thank you for your comment. The DNS entries for MTA-STS are not the problem; I can easily store them with a domain and DNS provider. The critical point is storing the necessary TXT file with the actual rules of conduct, which cannot be provided at the DNS level. To do this, I need a web server under the respective domain, and so, when using Cloudron, I automatically end up in the Cloudron user interface and in the domain settings area. There is already an area for so-called “well-known URIs” where entries for services such as Matrix, Mastodon, and Jitsi can already be stored. In my opinion, to implement this cleanly in cloudron, all that is needed is an input field where the MTA-STS rules can be stored.

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Wed, 14 Jan 2026 08:05:52 GMT

IniBudi — Wed, 14 Jan 2026 08:05:52 GMT

@7dowWilkes If I am not mistaken, you can configure it from the DNS level, let's say you're using Cloudflare, so you don't have to create an app to handle MTA-STS for your email. CMIIW.

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Sun, 11 Jan 2026 12:35:55 GMT

7dowWilkes — Sun, 11 Jan 2026 12:35:55 GMT

I may be misunderstanding this, but if my domain provider supports DNSSEC and I can set the necessary DNS entries for MTA-STS there directly, I would only need to be able to enter the content for the “mta-sts.txt file” under “Well-known URIs” for the respective domain within Cloudron (as described by @m-si under No. 3). Unfortunately, I am only an end user, but would this be a lot of work for the Cloudron developer community?

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Sat, 10 Jan 2026 20:44:32 GMT

james — Sat, 10 Jan 2026 20:44:32 GMT

Hello @inibudi
We could add this to the documentation indeed.
But, I think it would be better if we implement this feature directly.

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Sat, 10 Jan 2026 14:11:48 GMT

IniBudi — Sat, 10 Jan 2026 14:11:48 GMT

@m-si said in Is there a possibility in cloudron to propagate a mta-sts policy?:

Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.

Steps to reproduce working MTA-STS setup in cloudron useing surfer app

setup surfer app at the following subdomain mta-sts.

make folder .well-known inside folder public

create mta-sts.txt
version: STSv1
mode: enforce
max_age: 86400
mx: mail.
(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my. as well, but for the tests the above has been sufficient.)

set up following DNS records
_mta-sts in TXT v=STSv1; id=20221123132400Z
(where the id is a simple Timestamp or a uniq number to identify the entry)
_smtp._tls in TXT v=TLSRPTv1; rua=mailto:@ 
(where the rua-Mail-Adress is an Address one want's to get the reports)

EDIT:
We can easily check if the setup is correct via check tls.

Is this tutorial still relevant to be added to the documentation page regarding the MTA-STS, @james?

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Fri, 25 Nov 2022 18:03:11 GMT

nichu42 — Fri, 25 Nov 2022 18:03:11 GMT

@m-si Sweet! Thanks a lot for sharing this workaround. It works perfectly and helps me to cover the time until true MTA-STS + DANE support from Cloudron. E-Mail reputation is really crucial these days.

Just one remark for other readers: If you are doing this for the first time, you should probably start with mode: testing.
Once you have successfully established MTA-STS (no errors), you should change to "mode: enforce" and increase the max_age value. Many senders expect it to be at least several weeks.

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Wed, 23 Nov 2022 12:38:32 GMT

m-si — Wed, 23 Nov 2022 12:38:32 GMT

Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.

Steps to reproduce working MTA-STS setup in cloudron useing surfer app

setup surfer app at the following subdomain mta-sts.
make folder .well-known inside folder public
create mta-sts.txt

version: STSv1
mode: enforce
max_age: 86400
mx: mail.

(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my. as well, but for the tests the above has been sufficient.)

set up following DNS records

_mta-sts in TXT v=STSv1; id=20221123132400Z

(where the id is a simple Timestamp or a uniq number to identify the entry)

_smtp._tls in TXT v=TLSRPTv1; rua=mailto:@

(where the rua-Mail-Adress is an Address one want's to get the reports)

EDIT:
We can easily check if the setup is correct via check tls.

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Thu, 17 Feb 2022 18:37:58 GMT

girish — Thu, 17 Feb 2022 18:37:58 GMT

That suggestion in turn came from https://forum.cloudron.io/topic/2315/cloudron-email-feature-improvements-ideas

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Thu, 17 Feb 2022 18:36:51 GMT

7dowWilkes — Thu, 17 Feb 2022 18:36:51 GMT

@girish perfect! That's cool

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Thu, 17 Feb 2022 18:33:07 GMT

girish — Thu, 17 Feb 2022 18:33:07 GMT

@7dowWilkes right, this was request a while ago along with DANE support - https://git.cloudron.io/cloudron/box/-/issues/780 . Can look into this next release.

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Thu, 17 Feb 2022 15:54:36 GMT

7dowWilkes — Thu, 17 Feb 2022 15:54:36 GMT

@7dowWilkes the problem for me is actually the webserver, which has to make the policy available. probably this is the actual feature-request, if cloudron doesn't offer this possibility yet

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Thu, 17 Feb 2022 15:37:21 GMT

7dowWilkes — Thu, 17 Feb 2022 15:37:21 GMT

you can find the RFC - Proposed Standard at https://datatracker.ietf.org/doc/rfc8461/

you only need 3 records in your dns:

_mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;" --> the id is a time-stamp for the policy
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.com" --> for error analysis and for an MTA-STS validator
mta-sts.example.com. IN A IP-of-your-webserver --> to propagate the policy under https://mta-sts.example.com/.well-known/mta-sts.txt

The policy could look like this:
version: STSv1
mode: enforce
max_age: 2419200
mx: my.example.org

instead of enforce you can also choose "testing" or "none"
see also https://support.google.com/a/answer/9276511?hl=en

cloudron would therefore "only" need a central webservice via which the policy under ".well-known/mta-sts.txt" could be published to the respective domains in cloudron

the dns entries could also be set automatically by cloudron or once manually by the domain-owner

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Thu, 17 Feb 2022 13:10:24 GMT

jdaviescoates — Thu, 17 Feb 2022 13:10:24 GMT

@7dowWilkes said in Is there a possibility in cloudron to propagate a mta-sts policy?:

mts-sts-policy

I'd never heard of this so I did a search and found this about it from the UK Gov't

https://www.gov.uk/government/publications/email-security-standards/using-the-mail-transfer-agent-strict-transport-security-mta-sts-protocol-in-your-organisation

Reply to Is there a possibility in cloudron to propagate a mta-sts policy? on Thu, 17 Feb 2022 12:18:30 GMT

micmc — Thu, 17 Feb 2022 12:18:30 GMT

@7dowWilkes Sounds like a great idea to me, if it can possibly be implemented. +1