Apply suggestions from code review

docs/content/config/advanced/mail-mta-sts.md

@@ -2,26 +2,27 @@
 title: 'Advanced | MTA-STS'
 ---
 
-MTA-STS is an optional mechanism for a domain to signal support for
+MTA-STS is an optional mechanism for a domain to signal support for STARTTLS.
-STARTTLS. It can be used to prevent man-in-the-middle-attacks hiding the
-feature to force mail servers to send outgoing emails as plain text.
-MTA-STS is an alternative to DANE without the need of DNSSEC.
 
-MTA-STS is supported by some of the biggest mail providers like Google Mail
+- It can be used to prevent man-in-the-middle-attacks from hiding STARTTLS support that would force DMS to send outbound mail through an insecure connection.
-and Outlook.
+- MTA-STS is an alternative to DANE without the need of DNSSEC.
+- MTA-STS is supported by some of the biggest mail providers like Google Mail and Outlook.
 
-## Supporting MTA-STS for outgoing mails
+## Supporting MTA-STS for outbound mail
 
-This is enabled by setting `ENABLE_MTA_STS=1` [](../environment.md#enable_mta_sts)
+Enable this feature via the ENV setting [`ENABLE_MTA_STS=1`](../environment.md#enable_mta_sts).
-in the environment.
 
-!!! warning
+!!! warning "If you have configured DANE"
 
-    MTA-STS will by default override DANE if both are in used by a domain.
+    Enabling MTA-STS will by default override DANE if both are configured for a domain.
-    This can be partially addressed by configuring a dane-only policy resolver
-    before the MTA-STS entry in smtp_tls_policy_maps. See [the postfix-mta-sts-resolver documentation](https://github.com/Snawoot/postfix-mta-sts-resolver#warning-mta-sts-policy-overrides-dane-tls-authentication)
-    for further details.
 
-## Supporting MTA-STS for incoming mails
+    This can be partially addressed by configuring a dane-only policy resolver before the MTA-STS entry in `smtp_tls_policy_maps`. See the [`postfix-mta-sts-resolver` documentation][postfix-mta-sts-resolver::dane] for further details.
+
+[postfix-mta-sts-resolver::dane]: https://github.com/Snawoot/postfix-mta-sts-resolver#warning-mta-sts-policy-overrides-dane-tls-authentication
+
+## Supporting MTA-STS for inbound mail
+
+While this feature in DMS supports ensuring STARTTLS is used when mail is sent to another mail server, you may setup similar for mail servers sending mail to DMS.
+
+This requires configuring your DNS and hosting the MTA-STS policy file via a webserver. A good introduction can be found on [dmarcian.com](https://dmarcian.com/mta-sts/).
 
-A good introduction can be found on [dmarcian.com](https://dmarcian.com/mta-sts/).

docs/content/config/environment.md

@@ -110,7 +110,7 @@ This enables DNS block lists in _Postscreen_. If you want to know which lists we
 
 ##### ENABLE_MTA_STS
 
-Enables MTA-STS for outgoing mails.
+Enables MTA-STS support for outbound mail.
 
 - **0** => Disabled
 - 1 => Enabled

mailserver.env

@@ -346,9 +346,8 @@ POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
 # Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
 POSTFIX_INET_PROTOCOLS=all
 
-# If enabled, STARTTLS support is enforced for outgoing mails to domains
+# Enables MTA-STS support for outbound mail.
-# with MTA-STS records like Google Mail.
+# More details: https://docker-mailserver.github.io/docker-mailserver/latest/config/advanced/mail-mta-sts/
-# This can prevent man-in-the-middle that hide the STARTTLS feature.
 # - **0** ==> MTA-STS disabled
 # - 1 => MTA-STS enabled
 ENABLE_MTA_STS=0

target/scripts/startup/setup.d/mta_sts.sh

@@ -4,5 +4,5 @@
 
 function _setup_mta_sts() {
   _log 'trace' 'Adding MTA-STS lookup to the Postfix TLS policy map'
-  postconf 'smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix'
+  _add_to_or_update_postfix_main smtp_tls_policy_maps 'socketmap:inet:127.0.0.1:8461:postfix'
 }