Do I need a separate VPS for the policy host?

No, the same Anubiz VPS works. Just add the mta-sts.example.com vhost in nginx with its own cert.

What if I change my MX?

Update mx: lines in the policy file and bump the id in the DNS TXT. Senders re-fetch policy when id changes.

Does MTA-STS reveal my mail volume?

TLSRPT reports show aggregate per-day TLS handshake outcomes from senders. Volume is roughly inferable but not contents.

Is this enough for compliance?

MTA-STS plus DANE plus DKIM/SPF/DMARC covers the modern email auth stack. See the DKIM/SPF/DMARC guide for the rest.

Configure MTA-STS for an Anubiz Mail Server

MTA-STS forces other mail servers to use TLS when delivering mail to you and to verify your hostname matches a policy file. Without it, an attacker who can downgrade the SMTP connection between two servers reads your mail in plaintext. This is one of the easiest wins for a self-hosted mail server and it makes Gmail and the major providers display the green padlock for your domain. Walkthrough is for Postfix on an Anubiz Romania or Iceland VPS.

Need this done for your project?

We implement, you ship. Async, documented, done in days.

Start a Brief

Prerequisites

Working Postfix with valid Let's Encrypt cert. A subdomain like mta-sts.example.com that can serve HTTPS. Control of the example.com zone for TXT records. Anubiz Romania VPS Mini-V is enough for personal mail.

Step 1: Publish the Policy File

Serve https://mta-sts.example.com/.well-known/mta-sts.txt with content: version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800. Use a tiny nginx vhost on the same VPS with its own Let's Encrypt cert. The file must be HTTPS-served and the cert must match mta-sts.example.com.

Step 2: DNS Records

Add TXT at _mta-sts.example.com with value v=STSv1; id=20260601T000000; (change id whenever you change the policy). Add TXT at _smtp._tls.example.com with v=TLSRPTv1; rua=mailto:tls-reports@example.com to receive enforcement reports.

Step 3: Test From Outside

Use the Hardenize or MX Toolbox MTA-STS checker. Send a test mail from Gmail and check the original headers for tls=TLS_AES_256_GCM_SHA384 and the absence of any downgrade.

Step 4: Iterate from testing to enforce

Start with mode: testing for a week, monitor TLSRPT JSON reports, then flip to mode: enforce. Bump the id when you swap MX or change the policy.

Related Services

Offshore VPS from $17.90/mo Dedicated Servers DevOps Services

Why Anubiz Host

100% async — no calls, no meetings

Delivered in days, not weeks

Full documentation included

Production-grade from day one

Security-first approach

Post-delivery support included

Bulletproof Hosting Providers

DMCA-Ignored Servers

Offshore VPS Hosting

Anonymous Hosting Solutions

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.

Start a Brief Anubiz Mail VPS