From 5634354911bf645ea6b8204af4964d51e06178db Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 18:28:56 +0200
Subject: [PATCH] document how to publish an MTA-STS policy

---
 docs/faq.rst | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/docs/faq.rst b/docs/faq.rst
index a2c6bd33..98026ab1 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -369,6 +369,31 @@ How do I use webdav (radicale)?
 .. _`575`: https://github.com/Mailu/Mailu/issues/575
 .. _`1591`: https://github.com/Mailu/Mailu/issues/1591
 
+How do I setup a MTA-STS policy?
+````````````````````````````````
+
+Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
+
+1. setup the appropriate DNS/CNAME record (``mta-sts.example.com`` -> ``mailu.example.com``) and DNS/TXT record (``_mta-sts.example.com`` -> ``v=STSv1; id=1``) paying attention to the ``TTL`` as this is used by MTA-STS.
+
+2. configure an override with the policy itself; for example, your ``overrides/mta-sts.conf`` could read:
+
+.. code-block:: bash
+
+   location ^~ /.well-known/mta-sts.txt {
+   return 200 "version: STSv1
+   mode: enforce
+   max_age: 86401
+   mx: mailu.example.com\r\n";
+   }
+
+3. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it)
+
+*issue reference:* `1798`_.
+
+.. _`1798`: https://github.com/Mailu/Mailu/issues/1798
+.. _`MTA-STS policy`: https://datatracker.ietf.org/doc/html/rfc8461
+
 Technical issues
 ----------------