MTA-STS Connection refused

[BEBU88]

Contribution guidelines

• I've read the contribution guidelines and wholeheartedly agree

Checklist prior issue creation

• I understand that failure to follow below instructions may cause this issue to be closed.
• I understand that vague, incomplete or inaccurate information may cause this issue to be closed.
• I understand that this form is intended solely for reporting software bugs and not for support-related inquiries.
• I understand that all responses are voluntary and community-driven, and do not constitute commercial support.
• I confirm that I have reviewed previous issues to ensure this matter has not already been addressed.
• I confirm that my environment meets all prerequisite requirements as specified in the official documentation.

Description

I'm running my mailcow UI at a different port. Therefore I've changed HTTPS_PORT in mailcow.conf. The connection for https://mta-sts.example.com/.well-known/mta-sts.txt on port 443 got refused. I switched the port to 443 for testing purposes and it worked as expected.

Unfortunately the error wasn‘t fixed with #6739.

In my opinion mailcow should always serve the mta-sts at https://mta-sts.example.com/.well-known/mta-sts.txt at Port 443 if enabled. Connections to the mailcow domain for the Ul should only be served at the HTTPS_PORT (actual behavior).

Steps to reproduce:

1. Setup MTA-STS in mailcow
2. change HTTPS_PORT to something other than 443
3. Connection for mta-sts.example.com is refused
4. change HTTPS_PORT back to 443
5. MTA-STS is working as expected

Logs:

-

Which branch are you using?

master (stable)

Which architecture are you using?

x86_64

Operating System:

Debian 13

Server/VM specifications:

4GB 4 Core

Is Apparmor, SELinux or similar active?

No

Virtualization technology:

KVM

Docker version:

docker-compose version or docker compose version:

mailcow version:

2025-12a

Reverse proxy:

Buildin mailcow Proxy

Logs of git diff:

Logs of iptables -L -vn:

-

Logs of ip6tables -L -vn:

-

Logs of iptables -L -vn -t nat:

-

Logs of ip6tables -L -vn -t nat:

-

DNS check:

-

[monster010]

The problem is the reverse proxy in front of mailcow.

Because there's a reverse proxy in front of mailcow, the PHP script responsible for the mta-sts.txt file doesn't receive the originally requested host, but rather the host specified in the reverse proxy's configuration.

One possible solution would be to check HTTP_X_FORWARDED_HOST in addition to HTTP_HOST.

[monster010]

I've created a pull request (#7080) that should solve the problem, enjoy! =)