  • The MX host does not match any MX allowed by the STS policy.

Receiving the following error from Gmail when sending email to my mailcow server.
The MX host does not match any MX allowed by the STS policy.

Did you move your domain from another mail server / mail service to Mailcow, and are there maybe still DNS records for MTA-STS in place that are pointing to the old server / service?

If yes you have two options:

  1. Just delete the DNS records for MTA-STS (Turn off MTA-STS for your domain)

  2. Change the records to point to your Mailcow server

Important: Option 2 requires some manual configuration and setup on your Mailcow server, which is not documented or officially supported by Mailcow. However, Mailcow does support DMARC and DKIM out of the box, and as far as I know, that should be enough for your server to have a good reputation. Google, for example, is checking other mail servers for DKIM and MTA-STS, but you should be fine if either one of those is in place; you don’t necessarily need both.

If you still want to set it up, I highly recommend reading Google’s documentation about it, in order to understand how it works: Help prevent spoofing and spam with SPF - Google Workspace Admin Help

And here is a blog post on how to set it up on Mailcow: (Sorry only in German) Mailcow - MTA-STS richtig einrichten - Security mit TLS

Hope this helps…


I was using Mail-in-a-Box previously; maybe that caused the problem 🤔

But I cleared all the DNS records after that.

Maybe it has something to do with max age that was set on Mail-in-a-Box server. The default mta-sts.txt looks like this on MiaB:

version: STSv1
mode: enforce
mx: box.domain.tld
max_age: 604800

It has set a max age of 604800 seconds (7 days), and the policy is set to “enforced”.

I’m not 100% sure, but if I had to guess, I would say that in the worst case it can take up to 7 days for Google (or any other mail provider that checks MTA-STS) to recognize the change of policy or the deletion of the MTA-STS records. No idea if there is a way to enforce the change before the 7 days have passed. Maybe you can find some information about this in the documentation that I linked in my previous post.
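The following is an added example for this thread, not code from mailcow or from any of the posters. It parses an `_mta-sts` TXT record and an `mta-sts.txt` policy, runs the MX check that produced the error in the first post (an MX host that matches none of the policy's `mx` lines), and computes how long a sender that cached the old policy may keep honouring it from `max_age`. It covers both the "delete or repoint the records" options from the earlier reply and the 7-day cache question here. The sample policy, the TXT record, the policy id and the hostnames are all constructed.

```python
"""Offline MTA-STS policy check (RFC 8461).

Added example for this thread; not code from mailcow or from any poster.
Hostnames, the sample policy and the TXT record below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a Mail-in-a-Box style policy like the one quoted in the thread.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: box.domain.tld
max_age: 604800
"""

# Constructed sample _mta-sts.domain.tld TXT record (hypothetical policy id).
SAMPLE_TXT = "v=STSv1; id=20230601T000000;"

# RFC 8461 section 3.1: v=STSv1 and an id of 1..32 alphanumeric characters.
TXT_RE = re.compile(r"^v=STSv1;\s*id=([A-Za-z0-9]{1,32});?\s*$")


def parse_sts_txt(txt):
    """Return the policy id from an _mta-sts TXT record, or None if it is not an STSv1 record."""
    m = TXT_RE.match(txt.strip())
    return m.group(1) if m else None


def parse_policy(text):
    """Parse mta-sts.txt into a dict; 'mx' is a list because a policy may list several MX patterns."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in policy:
            raise ValueError(f"policy is missing required field {required!r}")
    if policy["version"] != "STSv1" or policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError("unsupported version or mode")
    return policy


def mx_allowed(mx_host, patterns):
    """RFC 8461 section 4.1 matching: exact host, or '*.example' matching exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]                       # ".domain.tld"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:       # exactly one extra label
                return True
        elif host == pat:
            return True
    return False


def check_mx_hosts(policy, mx_hosts):
    """MX hosts that match none of the policy's mx patterns.  In 'enforce' mode a sender
    refuses them ('The MX host does not match any MX allowed by the STS policy'); in
    'testing' mode it only reports them; in 'none' mode nothing is checked."""
    if policy["mode"] == "none":
        return []
    return [h for h in mx_hosts if not mx_allowed(h, policy["mx"])]


def cache_expiry(policy, fetched_at_iso):
    """ISO-8601 time after which a sender that fetched the policy at fetched_at_iso may stop honouring it."""
    fetched = datetime.fromisoformat(fetched_at_iso)
    return (fetched + timedelta(seconds=policy["max_age"])).isoformat()


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("TXT id:", parse_sts_txt(SAMPLE_TXT))
    # The migration scenario from the thread: the cached policy still names the old
    # host, but the domain's MX now points at the new mailcow host (constructed names).
    print("rejected:", check_mx_hosts(policy, ["mail.domain.tld"]))
    print("still honoured until:", cache_expiry(policy, "2023-06-01T00:00:00+00:00"))
```

To run this against a live domain, feed `parse_sts_txt` the TXT record at `_mta-sts.<domain>`, `parse_policy` the body of `https://mta-sts.<domain>/.well-known/mta-sts.txt`, and `check_mx_hosts` the domain's current MX records. Note that per RFC 8461 a sender that already holds a cached policy keeps applying it until `max_age` has elapsed even if the TXT record or the policy file can no longer be fetched, so deleting the records does not clear the cache early; publishing a new policy whose `mx` lines name the new host, with a new `id` in the TXT record, is what makes senders refetch and accept the new MX.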

OK, that could be a possibility. I will try again in a few days.

Can you also check my installation process? I think there might be a problem there too.

root@mail:~# sudo apt-get update -y

root@mail:~# sudo apt-get install apt-transport-https ca-certificates curl software-properties-common -y

root@mail:~# sudo mkdir -p /etc/apt/keyrings
root@mail:~# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

root@mail:~# echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

root@mail:~# sudo apt-get update -y

root@mail:~# sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin

root@mail:~# sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 52.0M  100 52.0M    0     0  40.1M      0  0:00:01  0:00:01 --:--:-- 40.1M

root@mail:~# sudo chmod +x /usr/local/bin/docker-compose

root@mail:~# docker-compose --version
Docker Compose version v2.18.0

root@mail:~# hostnamectl set-hostname mail.dhanoa.co.in

root@mail:~# apt install git -y

root@mail:~# cd /opt

root@mail:/opt# git clone https://github.com/mailcow/mailcow-dockerized

root@mail:/opt# cd mailcow-dockerized

root@mail:/opt/mailcow-dockerized# ./generate_config.sh
Found Docker Compose Standalone.
Setting the DOCKER_COMPOSE_VERSION Variable to standalone
Notice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.
Press enter to confirm the detected value '[value]' where applicable or enter a custom value.
Mail server hostname (FQDN) - this is not your mail domain, but your mail servers hostname: mail.example.com
Timezone [Etc/UTC]: Asia/Kolkata
Which branch of mailcow do you want to use?

Available Branches:
- master branch (stable updates) | default, recommended [1]
- nightly branch (unstable updates, testing) | not-production ready [2]
Choose the Branch with it´s number [1/2] 1

root@mail:/opt/mailcow-dockerized# nano mailcow.conf

root@mail:/opt/mailcow-dockerized# docker-compose pull

root@mail:/opt/mailcow-dockerized# docker-compose up -d

    should be fine, except maybe for the following:

    Nanak: Mail server hostname (FQDN) - this is not your mail domain, but your mail servers hostname: mail.example.com

    Did you check whether MAILCOW_HOSTNAME in the file mailcow.conf is set correctly, i.e. whether the name there matches the hostname of your server?

    Yes, I redacted the hostname. Thank you for your help.