diff --git a/deploy-chatmail/src/deploy_chatmail/__init__.py b/deploy-chatmail/src/deploy_chatmail/__init__.py
index e842d2fa..f7a22e8b 100644
--- a/deploy-chatmail/src/deploy_chatmail/__init__.py
+++ b/deploy-chatmail/src/deploy_chatmail/__init__.py
@@ -297,7 +297,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
     )
 
     # Deploy acmetool to have TLS certificates.
-    deploy_acmetool(nginx_hook=True, domains=[mail_server])
+    deploy_acmetool(nginx_hook=True, domains=[mail_server, f"mta-sts.{mail_server}"])
 
     apt.packages(
         name="Install Postfix",
diff --git a/deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2 b/deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2
index 7484d339..186e2642 100644
--- a/deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2
@@ -20,8 +20,6 @@ http {
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
 
-    ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
-    ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
 
     gzip on;
 
@@ -30,6 +28,8 @@ http {
         listen [::]:80 default_server;
         listen 443 ssl default_server;
         listen [::]:443 ssl default_server;
+        ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
+        ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
 
         root /var/www/html;
 
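Review bot: The MTA-STS hostname is derived from `mail_server` on the added line, while the nginx template changed in the same commit names its server block `mta-sts.{{ config.domain_name }}` and reads the certificate from `/var/lib/acme/live/mta-sts.{{ config.domain_name }}/`; if `config.domain_name` and `mail_server` can ever differ, acmetool would obtain a certificate for a name nginx never serves. MTA-STS clients look the policy up at `mta-sts.<recipient domain>`, and this function also receives a separate `mail_domain`, so a comment stating which name is intended would prevent the next edit from guessing, e.g. `# MTA-STS policy host; must already resolve in DNS or acmetool cannot validate it`. Presumably issuance for the whole `domains` list fails while the new name is unpublished, so the DNS zone change in this commit should be live before the deploy runs. deploy_chatmail's body starts and ends outside the hunk.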
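Review bot: With the certificate directives moved into the `default_server` block, the `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` line left at `http` scope (context in the first hunk) is now inherited by every TLS server block, including the new MTA-STS policy host; TLS 1.0 and 1.1 are deprecated by RFC 8996, and sending MTAs fetching the policy are expected to use current TLS, so `ssl_protocols TLSv1.2 TLSv1.3;` is a safe hardening to fold into this change. Removing the `http`-level `ssl_certificate`/`ssl_certificate_key` also means nginx refuses to start if any `listen 443 ssl` server block lacks its own pair, which is worth recording next to the moved lines, e.g. `# each ssl server block must declare its own certificate; there is no http-level default`. The `server` block edited by the second hunk begins before it and continues past it.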
@@ -37,6 +37,28 @@ http { server_name _; + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. + try_files $uri $uri/ =404; + } + } + server { + listen 80; + listen [::]:80; + listen 443 ssl; + listen [::]:443 ssl; + + root /var/www/html; + + index index.html index.htm; + + server_name mta-sts.{{ config.domain_name }}; + + ssl_certificate /var/lib/acme/live/mta-sts.{{ config.domain_name }}/fullchain; + ssl_certificate_key /var/lib/acme/live/mta-sts.{{ config.domain_name }}/privkey; + + location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. diff --git a/scripts/generate-dns-zone.sh b/scripts/generate-dns-zone.sh index b4657b20..4243f6d4 100755 --- a/scripts/generate-dns-zone.sh +++ b/scripts/generate-dns-zone.sh @@ -18,13 +18,12 @@ _imap._tcp.$CHATMAIL_SERVER. SRV 0 1 143 $CHATMAIL_SERVER. _imaps._tcp.$CHATMAIL_SERVER. SRV 0 1 993 $CHATMAIL_SERVER. $CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org;accounturi=$ACME_ACCOUNT_URL" _mta-sts.$CHATMAIL_DOMAIN. IN TXT "v=STSv1; id=$(date -u '+%Y%m%d%H%M')" -_mta-sts.$CHATMAIL_SERVER. IN A $(dig +short $CHATMAIL_SERVER) -_mta-sts.$CHATMAIL_SERVER. IN AAAA $(dig AAAA +short $CHATMAIL_SERVER) +mta-sts.$CHATMAIL_SERVER. IN CNAME $CHATMAIL_SERVER. _smtp._tls.$CHATMAIL_SERVER. IN TXT "v=TLSRPTv1;rua=mailto:$EMAIL" EOF if [ "$CHATMAIL_DOMAIN" != "$CHATMAIL_SERVER" ]; then cat <