1.4 KiB
MTA-STS for performancewest.net
DNS TXT _mta-sts.performancewest.net = v=STSv1; id=20260505 (already published).
TLS-RPT TXT _smtp._tls.performancewest.net published.
Added A record mta-sts.performancewest.net -> 207.174.124.71 (Hestia).
Policy served at https://mta-sts.performancewest.net/.well-known/mta-sts.txt
from /var/www/mta-sts/.well-known/mta-sts.txt (content = mta-sts.txt here).
PENDING: Let's Encrypt cert for mta-sts.performancewest.net (waiting on HE.net
secondary DNS propagation). Once dig +short mta-sts.performancewest.net @8.8.8.8
resolves, run:
sudo certbot certonly --webroot -w /var/www/certbot -d mta-sts.performancewest.net --non-interactive --agree-tos -m admin@performancewest.net
then upgrade pw-mta-sts.conf to an HTTPS (443) server block (see pw-listmonk-hc.conf
pattern) and reload nginx. MTA-STS requires the policy be served over valid HTTPS.
STATUS 2026-06-07
- DNS A record added + policy file served over HTTP (working).
- Cert issuance FAILED twice: HE.net secondary DNS is flapping (mta-sts resolves
on 1.1.1.1/9.9.9.9 but intermittently empty on 8.8.8.8), so Let's Encrypt's
multi-vantage validation can't get consistent resolution. nginx left on the
safe HTTP-only vhost. RETRY the certbot command above once
dig +short mta-sts.performancewest.netis stable across 8.8.8.8 / 1.1.1.1 / 9.9.9.9, then upgrade to the 443 vhost. (nginx -t before any reload — a missing cert ref will break the reload.)