mta-sts-daemon - provide MTA-STS policy to Postfix as policy map
Description
This daemon opens a socket where Postfix can query and retrieve the MTA-STS policy for a domain. The
configuration file is described in mta-sts-daemon.yml(5).
MTA-STS, specified in RFC 8461 [0], is a security standard for email servers. When a site configures
MTA-STS, other mail servers can require the successful authentication of that site when forwarding mail
there.
Examples
Configure Postfix in /etc/postfix/main.cf:
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
smtp_tls_CApath = /etc/ssl/certs/
Reload Postfix. Then verify it works:
/usr/sbin/postmap -q dismail.de socketmap:inet:127.0.0.1:8461:postfix
This configuration overrides DANE TLS authentication. If you wish to meet the requirement of RFC 8461,
section 2, you should list a DANE policy resolver (or a static lookup table for domains known to
implement both MTA-STS & DANE) before mta-sts-daemon in smtp_tls_policy_maps.
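The postmap query above can also be issued directly over the socket, which is useful for a monitoring check. The following is an added example, not code from postfix-mta-sts-resolver: it assumes the socketmap wire format described in Postfix's socketmap_table(5) (netstring-framed "name key" requests; OK, NOTFOUND, TEMP, TIMEOUT or PERM replies) and the address and map name from the main.cf line above. The sample reply is constructed.

```python
import socket

# Constructed sample reply payload (not captured from a real daemon).
SAMPLE_REPLY = b"OK secure match=mx1.example.net:mx2.example.net servername=hostname"

def encode_netstring(payload: bytes) -> bytes:
    """Frame payload as <length>:<payload>, as the socketmap protocol requires."""
    return str(len(payload)).encode() + b":" + payload + b","

def decode_netstring(data: bytes) -> bytes:
    """Return the payload of one netstring; ValueError if malformed or incomplete."""
    length, sep, rest = data.partition(b":")
    if not sep or not length.isdigit():
        raise ValueError("malformed netstring header")
    n = int(length)
    if len(rest) < n + 1 or rest[n:n + 1] != b",":
        raise ValueError("truncated or unterminated netstring")
    return rest[:n]

def parse_reply(payload: bytes):
    """Split a reply into (status, TLS security level, policy attributes)."""
    status, _, value = payload.decode().partition(" ")
    tokens = value.split()
    if status != "OK" or not tokens:
        # NOTFOUND, TEMP, TIMEOUT and PERM carry an optional reason, no policy.
        return status, None, {"reason": value}
    level, *attrs = tokens
    return status, level, dict(a.split("=", 1) for a in attrs)

def query(domain, host="127.0.0.1", port=8461, name="postfix", timeout=5.0):
    """Send '<name> <domain>' to the daemon and parse its single reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_netstring(f"{name} {domain}".encode()))
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("daemon closed the connection early")
            buf += chunk
            try:
                payload = decode_netstring(buf)
            except ValueError:
                continue  # reply not complete yet, keep reading
            return parse_reply(payload)

if __name__ == "__main__":
    print(parse_reply(SAMPLE_REPLY))  # offline: parse the constructed reply
    print(query("dismail.de"))        # live: needs mta-sts-daemon on port 8461
```

A monitoring check can alert when a domain known to publish an enforcing MTA-STS policy returns anything other than OK with level secure.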
Name
mta-sts-daemon - provide MTA-STS policy to Postfix as policy map
Notes
0. SMTP MTA Strict Transport Security (MTA-STS): https://tools.ietf.org/html/rfc8461
postfix-mta-sts-resolver 2025-03-10 MTA-STS-DAEMON(1)
Options
-h, --help
show a help message and exit
-v, --verbosity VERBOSITY
set log verbosity level: debug, info (default), warn, error, or fatal.
-c, --config FILE
config file location (default: /etc/mta-sts-daemon.yml)
-g, --group GROUP
change eGID to this group (default: none)
-l, --logfile FILE
log file location (default: none)
-p, --pidfile PIDFILE
name of the file to write the current pid to (default: none)
-u, --user USER
change eUID to this user (default: none)
--disable-uvloop
do not use uvloop even if it is available (default: enabled if available)
See Also
mta-sts-query(1), mta-sts-daemon.yml(5)
Synopsis
mta-sts-daemon [OPTION]...
