Still problems in v73 with mta-sts and _mta-sts for months now!

For each domain in Mail-in-a-Box I have been getting the same error for months:
MTA-STS policy is missing: STSFetchResult.FETCH_ERROR
MTA-STS policy is missing: STSFetchResult.FETCH_ERROR
MTA-STS policy is missing: STSFetchResult.FETCH_ERROR

Example configuration in Custom DNS:
| Domain Name | Record Type | Value |
|---|---|---|
| box.example.com | A | 144.x.y.z |
| _mta-sts.box.example.com | TXT | v=STSv1; id=20250811T1800 |
| mta-sts.box.example.com | A | 192.168.a.b |
| example.com | A | 144.x.y.z |
| _mta-sts.example.com | TXT | v=STSv1; id=20250811T1800 |
| mta-sts.example.com | A | 192.168.a.b |

Hint: mta-sts.example.com The domain’s website is hosted elsewhere at address [144.x.y.z].

I did the same thing with three domains. Result: The same error for all three domains! All certificates are in perfect order!

Do I understand correctly that you manually created these mta-sts A and _mta-sts TXT records in the Custom DNS section of Mailinabox? That should not be necessary. What happens if you delete them there?


Now, for box.example.com and each domain in Mail-in-a-Box I get the same error four times:
MTA-STS policy is missing: STSFetchResult.FETCH_ERROR
MTA-STS policy is missing: STSFetchResult.FETCH_ERROR
MTA-STS policy is missing: STSFetchResult.FETCH_ERROR
MTA-STS policy is missing: STSFetchResult.FETCH_ERROR

For box.example.com and all three domains, the website is hosted elsewhere at the same address [144.x.y.z].

Does your box have multiple network interfaces, e.g., one on your internal 192.168 network and another external on your 144. address? If so, it’s possible the MTA-STS policy query is not reaching the nginx server on the same host. Try modifying /etc/hosts to add an entry for just the mta-sts FQDNs, e.g., “192.168.1.50 mta-sts.domain1.example.com mta-sts.domain2.example.com mta-sts.domain3.example.com” (they can be stacked on a single entry). I’ve found this overrides DNS resolution and provides greater accuracy for mta-sts policy queries.
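As an added example (not code from this thread or from Mail-in-a-Box), the following Python checker does what the box's status check does: it fetches https://mta-sts.&lt;domain&gt;/.well-known/mta-sts.txt and validates the policy together with the _mta-sts TXT record. The `pin_ip` parameter is this example's own: it connects to a chosen address instead of the DNS answer, the same effect the /etc/hosts entry above has, so you can confirm from the box whether the policy is reachable on the internal address before editing the hosts file.

```python
import re
import socket
import ssl

POLICY_PATH = "/.well-known/mta-sts.txt"

def fetch_policy(domain, pin_ip=None, timeout=5.0):
    """Fetch https://mta-sts.<domain>/.well-known/mta-sts.txt like the box's check does.
    pin_ip (this example's own parameter) connects to that address instead of the DNS
    answer, as an /etc/hosts entry would, while still sending the real hostname for
    SNI and certificate validation."""
    host = f"mta-sts.{domain}"
    ctx = ssl.create_default_context()  # verifies the certificate against system CAs
    with socket.create_connection((pin_ip or host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"GET {POLICY_PATH} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            data = b""
            while chunk := tls.recv(4096):
                data += chunk
    head, _, body = data.partition(b"\r\n\r\n")
    if head.split(b" ")[1:2] != [b"200"]:
        raise RuntimeError("policy fetch failed: " + head.split(b"\r\n")[0].decode(errors="replace"))
    return body.decode()

def validate(txt_record, policy_text):
    """Check the _mta-sts TXT record and policy body (RFC 8461 rules); [] means OK."""
    problems = []
    txt = dict(kv.strip().split("=", 1) for kv in txt_record.split(";") if "=" in kv)
    if txt.get("v") != "STSv1":
        problems.append("TXT record must start with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", txt.get("id", "")):
        problems.append("TXT id must be 1-32 alphanumeric characters")
    pol = {}
    for line in policy_text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            pol.setdefault(k.strip(), []).append(v.strip())
    if pol.get("version") != ["STSv1"]:
        problems.append("policy version must be STSv1")
    mode = pol.get("mode", [""])[0]
    if mode not in ("enforce", "testing", "none"):
        problems.append("policy mode must be enforce, testing or none")
    max_age = pol.get("max_age", [""])[0]
    if not (max_age.isdigit() and int(max_age) <= 31557600):
        problems.append("policy max_age must be an integer of at most 31557600")
    if mode != "none" and not pol.get("mx"):
        problems.append("policy needs at least one mx line unless mode is none")
    return problems
```

Run `validate(txt, fetch_policy("example.com", pin_ip="192.168.a.b"))` on the box: a connection or certificate error points at the hairpin/SNI path, while a non-empty problem list points at the policy content itself.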

Hello, my situation has changed drastically since I had to change my MiaB service with one of my providers, where I was running my MiaB in bridging mode. Now I had to move my MiaB to my internal LAN behind the firewall and treat it like my other web server and Nextcloud instances. This way, all SNI connections (Port 443) in HAProxy received the external IP address also for the MiaB, i.e., see above, 144.x.y.z, and the nginx web server internally received the MiaB server address 192.168.a.b. This is why I’m splitting things up because of HAProxy. But I want to emphasize that this configuration worked well for a while.

Have you tried adding an entry in /etc/hosts that enumerates all the mta-sts.* entries to the internal address, as I described?

Many thanks! May I ask where I should make this change? Not on the MiaB server, perhaps? If so, what other entries for the external websites are necessary? Here is my suggestion for my three external websites: example1.com, example2.com and example3.com, where each of them has a FQDN-SNI-String-Entry in the HAProxy of the firewall. My table of Custom DNS looks as follows, where the first domain is responsible for the MiaB (Sorry, I’m slowly getting confused myself! Thank you so much!)

| Domain Name | Record Type | Value |
|---|---|---|
| example1.com | A | 144.x.y.z |
| example2.com | A | 144.x.y.z |
| example3.com | A | 144.x.y.z |

On the MIAB host and only the mta-sts.* records, as I described in my earlier post.

Perfect!!!

Message “MTA-STS policy is present.” four times achieved through:

192.168.a.b mta-sts.box.example1.com mta-sts.example1.com mta-sts.example2.com mta-sts.example3.com

Many, many thanks and all the best!
