Skip to content

Skip mta-sts certificate request when MTA-STS is not active for a domain#7315

Open
DRKMDMZ wants to merge 1 commit into
mailcow:stagingfrom
DRKMDMZ:feat/mta-sts-optional-cert
Open

Skip mta-sts certificate request when MTA-STS is not active for a domain#7315
DRKMDMZ wants to merge 1 commit into
mailcow:stagingfrom
DRKMDMZ:feat/mta-sts-optional-cert

Conversation

@DRKMDMZ

@DRKMDMZ DRKMDMZ commented Jul 4, 2026

Copy link
Copy Markdown

Contribution Guidelines

What does this PR include?

Short Description

When MTA-STS is not active for a domain (the "active" checkbox is unchecked, or no MTA-STS policy exists), the ACME container will no longer request a certificate for the mta-sts.<domain> subdomain.

Previously, mta-sts was added unconditionally to the additional SAN list for every active domain when AUTODISCOVER_SAN=y, so ACME tried to obtain a certificate for mta-sts.<domain> even when MTA-STS was never configured or explicitly disabled. This caused unnecessary certificate requests and log noise/failures for the mta-sts subdomain.

The ACME script now checks the mta_sts table for an active entry (active = 1) for the domain before adding the mta-sts subdomain, mirroring the logic already used for alias domains directly below it. A tooltip was added to the "active" checkbox in the domain MTA-STS settings to make this behaviour transparent to admins.

Affected Containers

  • acme-mailcow
  • php-fpm-mailcow

Did you run tests?

What did you tested?

  • Syntax check of the modified ACME script (bash -n acme.sh) and JSON validation of both changed language files.
  • Behaviour with an active MTA-STS policy for a domain.
  • Behaviour with MTA-STS inactive / not configured for a domain.

What were the final results? (Awaited, got)

  • With MTA-STS active: awaited a certificate request for mta-sts.<domain> as before - got exactly that.
  • With MTA-STS inactive/not configured: awaited the subdomain to be skipped - got it skipped, with the log line MTA-STS is not enabled for <domain> - skipping mta-sts subdomain certificate.

Closes #6859

Previously the ACME container always requested a certificate for the
mta-sts.<domain> subdomain of every active domain when AUTODISCOVER_SAN
was enabled, regardless of whether MTA-STS was actually configured or
active for that domain.

Now the mta-sts subdomain certificate is only requested if an active
MTA-STS policy (active = 1) exists for the domain in the mta_sts table.
This mirrors the existing behaviour already used for alias domains.

Additionally, a tooltip was added to the "active" checkbox in the domain
MTA-STS settings to clarify that unchecking it also prevents the ACME
certificate request for the mta-sts subdomain.

- data/Dockerfiles/acme/acme.sh: gate mta-sts SAN on active mta_sts entry
- data/web/templates/edit/domain.twig: add tooltip to active checkbox
- data/web/lang/lang.en-gb.json / lang.de-de.json: new mta_sts_active_info
- docker-compose.yml: bump acme image tag 1.97 -> 1.98
@DRKMDMZ

DRKMDMZ commented Jul 14, 2026

Copy link
Copy Markdown
Author

We need this urgently! LE is limiting renews because of too many invalid requests of mta-sts.xxxx.xx

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant