diff --git a/docs/content/config/advanced/mail-mta-sts.md b/docs/content/config/advanced/mail-mta-sts.md
new file mode 100644
index 00000000..5a30e04d
--- /dev/null
+++ b/docs/content/config/advanced/mail-mta-sts.md
@@ -0,0 +1,27 @@
+---
+title: 'Advanced | MTA-STS'
+---
+
+MTA-STS is an optional mechanism for a domain to signal support for
+STARTTLS. It can be used to prevent man-in-the-middle-attacks hiding the
+feature to force mail servers to send outgoing emails as plain text.
+MTA-STS is an alternative to DANE without the need of DNSSEC.
+
+MTA-STS is supported by some of the biggest mail providers like Google Mail
+and Outlook.
+
+## Supporting MTA-STS for outgoing mails
+
+This is enabled by setting `ENABLE_MTA_STS=1` [](../environment.md#enable_mta_sts)
+in the environment.
+
+!!! warning
+
+ MTA-STS will by default override DANE if both are in used by a domain.
+ This can be partially addressed by configuring a dane-only policy resolver
+ before the MTA-STS entry in smtp_tls_policy_maps. See [the postfix-mta-sts-resolver documentation](https://github.com/Snawoot/postfix-mta-sts-resolver#warning-mta-sts-policy-overrides-dane-tls-authentication)
+ for further details.
+
+## Supporting MTA-STS for incoming mails
+
+A good introduction can be found on [dmarcian.com](https://dmarcian.com/mta-sts/).
diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index 678ec965..2eb97c66 100644
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
@@ -108,6 +108,15 @@ This enables DNS block lists in _Postscreen_. If you want to know which lists we
 - **0** => DNS block lists are disabled
 - 1 => DNS block lists are enabled
 
+##### ENABLE_MTA_STS
+
+Enables MTA-STS for outgoing mails.
+
+- **0** => Disabled
+- 1 => Enabled
+
+See [MTA-STS](advanced/mail-mta-sts.md) for further explanation.
+
 ##### ENABLE_OPENDKIM
 
 Enables the OpenDKIM service.
diff --git a/mailserver.env b/mailserver.env
index 1a57ceca..562e672c 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -346,6 +346,13 @@ POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
 # Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
 POSTFIX_INET_PROTOCOLS=all
 
+# If enabled, STARTTLS support is enforced for outgoing mails to domains
+# with MTA-STS records like Google Mail.
+# This can prevent man-in-the-middle that hide the STARTTLS feature.
+# - **0** ==> MTA-STS disabled
+# - 1 => MTA-STS enabled
+ENABLE_MTA_STS=0
+
 # Choose TCP/IP protocols for dovecot to use
 # **all** => Listen on all interfaces
 # ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
diff --git a/target/scripts/build/packages.sh b/target/scripts/build/packages.sh
index e9b2d479..099752bf 100644
--- a/target/scripts/build/packages.sh
+++ b/target/scripts/build/packages.sh
@@ -68,7 +68,7 @@ function _install_packages() {
 )
 
 POSTFIX_PACKAGES=(
- pflogsumm postgrey postfix-ldap
+ pflogsumm postgrey postfix-ldap postfix-mta-sts-resolver
 postfix-pcre postfix-policyd-spf-python postsrsd
 )
 
diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh
index f0f385f3..0f43ff84 100755
--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@@ -113,6 +113,11 @@ function _register_functions() {
 _register_setup_function '_setup_apply_fixes_after_configuration'
 _register_setup_function '_environment_variables_export'
 
+ if [[ ${ENABLE_MTA_STS} -eq 1 ]]; then
+ _register_setup_function '_setup_mta_sts'
+ _register_start_daemon '_start_daemon_mta_sts_daemon'
+ fi
+
 # ? >> Daemons
 
 _register_start_daemon '_start_daemon_cron'
diff --git a/target/scripts/startup/daemons-stack.sh b/target/scripts/startup/daemons-stack.sh
index 5476fc9f..a4cecf67 100644
--- a/target/scripts/startup/daemons-stack.sh
+++ b/target/scripts/startup/daemons-stack.sh
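Review bot: The guard `if [[ ${ENABLE_MTA_STS} -eq 1 ]]; then` in start-mailserver.sh depends on ENABLE_MTA_STS being set, yet the only default this diff adds lives in the example `mailserver.env`, which operators are not obliged to use. If the startup scripts run under `set -u` (the `set` line is not in view), an unset variable aborts start-up at this line; without `-u`, bash quietly evaluates the empty value as 0, which is the right outcome but only by accident. Either add the default next to the other `ENABLE_*` defaults in the image, or make the test self-contained: `if [[ ${ENABLE_MTA_STS:-0} -eq 1 ]]; then`. `_register_functions` starts and ends outside the hunk.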
@@ -38,6 +38,7 @@ function _start_daemon_opendkim { _default_start_daemon 'opendkim' ;
 function _start_daemon_opendmarc { _default_start_daemon 'opendmarc' ; }
 function _start_daemon_postgrey { _default_start_daemon 'postgrey' ; }
 function _start_daemon_postsrsd { _default_start_daemon 'postsrsd' ; }
+function _start_daemon_mta_sts_daemon { _default_start_daemon 'mta-sts-daemon' ; }
 function _start_daemon_rspamd { _default_start_daemon 'rspamd' ; }
 function _start_daemon_rspamd_redis { _default_start_daemon 'rspamd-redis' ; }
 function _start_daemon_rsyslog { _default_start_daemon 'rsyslog' ; }
diff --git a/target/scripts/startup/setup.d/mta_sts.sh b/target/scripts/startup/setup.d/mta_sts.sh
new file mode 100644
index 00000000..7456120d
--- /dev/null
+++ b/target/scripts/startup/setup.d/mta_sts.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Set up MTA-STS
+
+function _setup_mta_sts() {
+ _log 'trace' 'Adding MTA-STS lookup to the Postfix TLS policy map'
+ postconf 'smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix'
+}
diff --git a/target/supervisor/conf.d/supervisor-app.conf b/target/supervisor/conf.d/supervisor-app.conf
index 2dd8b917..aca4324d 100644
--- a/target/supervisor/conf.d/supervisor-app.conf
+++ b/target/supervisor/conf.d/supervisor-app.conf
@@ -157,3 +157,11 @@ autostart=false
 stdout_logfile=/var/log/supervisor/%(program_name)s.log
 stderr_logfile=/var/log/supervisor/%(program_name)s.log
 command=/bin/bash -l -c /usr/local/bin/update-check.sh
+
+[program:mta-sts-daemon]
+startsecs=0
+stopwaitsecs=55
+autostart=false
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
+command=/usr/bin/python3 /usr/bin/mta-sts-daemon --config /etc/mta-sts-daemon.yml
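Review bot: `postconf 'smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix'` in `_setup_mta_sts` replaces the whole parameter, so any policy map an operator already configured is silently discarded — including the DANE-only resolver that the new docs page tells people to place *before* the MTA-STS entry, which cannot work while this line always resets the list to a single entry. Read the current value and append instead: `local current; current=$(postconf -h smtp_tls_policy_maps)` followed by `postconf "smtp_tls_policy_maps = ${current:+${current}, }socketmap:inet:127.0.0.1:8461:postfix"`, with a comment such as `# Append, do not replace: an operator-supplied resolver (e.g. DANE-only) must keep precedence`. The hard-coded 127.0.0.1:8461 also has to agree with the listener declared in the daemon config that supervisor-app.conf passes via `--config /etc/mta-sts-daemon.yml`; if the two drift apart, Postfix (as far as I recall) treats the failed socketmap lookup as a temporary error and defers every outbound delivery, so a comment naming that coupling would save the next maintainer a hunt.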
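Review bot: The new `[program:mta-sts-daemon]` stanza sets no `user=`, so the daemon runs with supervisord's own identity (typically root in this kind of image) although its job is only to fetch policy files over HTTPS and answer socketmap queries on a loopback port. Unless the daemon drops privileges itself — nothing here shows that — run it under an unprivileged account, e.g. `user=<unprivileged-account>`, and make sure the cache and log locations in its config are writable by that account. Nothing in this diff creates `/etc/mta-sts-daemon.yml`, so the `command=` line relies on the distribution package shipping it; a comment such as `; config file is provided by the postfix-mta-sts-resolver package` would make that dependency explicit. With `startsecs=0` supervisor reports the program as started immediately, so a daemon that exits on a bad config goes unnoticed by the start-up sequence while Postfix already points at port 8461; this mirrors the neighbouring stanzas, so I only flag it.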