Configure MTA-STS for an Anubiz Mail Server
MTA-STS lets you publish a policy that tells sending mail servers to require TLS when delivering to your domain and to verify that the certificate of your MX host matches a hostname listed in that policy. Without it, an attacker who can strip STARTTLS from the SMTP connection between two servers reads your mail in plaintext. This is one of the easiest wins for a self-hosted mail server, and it makes Gmail and the major providers display the green padlock for your domain. This walkthrough is for Postfix on an Anubiz Romania or Iceland VPS.
Prerequisites
A working Postfix with a valid Let's Encrypt certificate. A subdomain such as mta-sts.example.com that can serve HTTPS. Control of the example.com zone so you can add TXT records. An Anubiz Romania VPS Mini-V is enough for personal mail.
Step 1: Publish the Policy File
Serve https://mta-sts.example.com/.well-known/mta-sts.txt with this content, one field per line:

version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800

Use a tiny nginx vhost on the same VPS with its own Let's Encrypt cert. The file must be served over HTTPS and the cert must be valid for mta-sts.example.com. Each mx line must name a host that actually appears in your MX records and matches the certificate Postfix presents; a host missing from this list will be refused by senders once the mode is enforce.
Step 2: DNS Records
Add a TXT record at _mta-sts.example.com with the value:

v=STSv1; id=20260601T000000;

Change the id whenever you change the policy; senders cache the policy for max_age seconds and only refetch it when the id changes. Add a TXT record at _smtp._tls.example.com with the value:

v=TLSRPTv1; rua=mailto:tls-reports@example.com

This is where senders deliver their TLS reports so you can see enforcement failures.
Step 3: Test From Outside
Use the Hardenize or MX Toolbox MTA-STS checker. Then send a test mail from Gmail and view the original message headers: the Received line for your server should show a TLS cipher such as tls=TLS_AES_256_GCM_SHA384, with no sign of a plaintext hop.
Step 4: Move from testing to enforce
Start with mode: testing for a week, monitor the TLSRPT JSON reports that arrive at the rua address, then flip to mode: enforce. Bump the id in the _mta-sts TXT record whenever you swap MX hosts or change the policy, otherwise senders keep using their cached copy.
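The following is an added consistency check for the values set up in Steps 1 and 2, written for this article and not taken from the page or from Anubiz. It runs on constructed sample strings; the curl and dig commands mentioned in the comment are an assumption about how you would gather real input.

```python
import re

# Constructed sample values mirroring Steps 1 and 2; for a live check, paste in the output
# of `curl https://mta-sts.example.com/.well-known/mta-sts.txt` and `dig +short TXT _mta-sts.example.com`.
POLICY_TEXT = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800\n"
TXT_RECORD = "v=STSv1; id=20260601T000000;"
MX_HOSTS = ["mail.example.com"]  # what `dig +short MX example.com` would list (constructed)

def parse_policy(text):
    """Parse 'key: value' lines into a dict; repeated 'mx' lines are collected."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_matches(pattern, host):
    """MTA-STS wildcard rule: '*.example.com' matches exactly one leading label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern

def check_policy(text, txt_record, mx_hosts):
    """Return a list of problems; an empty list means policy, TXT record and MX hosts agree."""
    p = parse_policy(text)
    problems = []
    if p.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    if p.get("mode") not in ("testing", "enforce", "none"):
        problems.append("mode must be testing, enforce or none")
    if not p.get("max_age", "").isdigit() or not 0 < int(p["max_age"]) <= 31557600:
        problems.append("max_age must be a whole number of seconds, at most one year")
    if not p["mx"]:
        problems.append("at least one mx line is required")
    if not re.fullmatch(r"v=STSv1;\s*id=[A-Za-z0-9]{1,32};?\s*", txt_record):
        problems.append("_mta-sts TXT record is malformed")
    for host in mx_hosts:  # an MX missing here bounces inbound mail once mode is enforce
        if not any(mx_matches(pat, host) for pat in p["mx"]):
            problems.append(f"MX {host} is not covered by the policy mx list")
    return problems
```

Run check_policy on your real policy text, TXT value and MX list before flipping the mode to enforce; any MX host it reports as uncovered will lose mail from MTA-STS-aware senders.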