diff --git a/roles/haproxy/files/haproxy.cfg b/roles/haproxy/files/haproxy.cfg
index 55c4602..51f3381 100644
--- a/roles/haproxy/files/haproxy.cfg
+++ b/roles/haproxy/files/haproxy.cfg
@@ -82,6 +82,9 @@ frontend www
 acl host_grafana hdr(host) -i grafana.comfycamp.space
 use_backend grafana if host_grafana
+ acl host_mta_sts hdr(host) -i mta-sts.comfycamp.space
+ use_backend mta_sts if host_mta_sts
+
 frontend matrix-federation
 bind *:8448 ssl crt /usr/local/etc/haproxy/certs
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
@@ -165,3 +168,7 @@ backend nextcloud
 mode http
 option forwardfor
 server s1 nextcloud-1:80 check
+
+backend mta_sts
+ mode http
+ server s1 mta-sts-1:8080 check
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index 0f948cc..e4511d6 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@@ -67,3 +67,13 @@
 when: not item.key in maddy_imap_accounts.stdout
 no_log: True
 loop: "{{ users | dict2items }}"
+- name: Run mta-sts container
+ become: true
+ community.docker.docker_container:
+ name: mta-sts-1
+ image: git.comfycamp.space/lumin/mta-sts:v0.1.2
+ networks:
+ - name: haproxy
+ env:
+ MTA_STS_MX: "{{ hostname }}"
+ restart_policy: unless-stopped
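Review bot: The `acl host_mta_sts` rule added to frontend www only delivers a usable policy if that frontend terminates TLS with a certificate valid for mta-sts.comfycamp.space. Sending MTAs fetch the policy over HTTPS only and treat a certificate mismatch as a failed fetch (RFC 8461). The bind line and certificate set of frontend www are outside the hunk, so this should be confirmed before the DNS record is published. A comment above the rule would record the dependency, for example `# MTA-STS policy host (RFC 8461): requires a valid certificate for this name in the crt directory`.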
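Review bot: The new `backend mta_sts` relies on a bare `check`, which is a TCP connect probe, so a container that accepts connections but answers the policy path with an error stays in rotation. A sender with no cached policy then delivers without MTA-STS enforcement. Consider adding `option httpchk GET /.well-known/mta-sts.txt` above the server line, assuming the image serves the policy at the RFC 8461 path on port 8080. Unlike the neighbouring nextcloud backend this one has no `option forwardfor`; unless a defaults section outside the hunk sets it, the container's logs will show only HAProxy's address for every fetch.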
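Review bot: The `Run mta-sts container` task in roles/mail/tasks/main.yml starts an internet-reachable service with Docker's default capabilities and a writable root filesystem, although it presumably only serves a small policy document on port 8080. If the image tolerates it, add `read_only: true`, `cap_drop: [ALL]` and `security_opts: ["no-new-privileges:true"]` to the module arguments. The image is also referenced by the mutable tag `v0.1.2`; appending a digest (`git.comfycamp.space/lumin/mta-sts:v0.1.2@sha256:<digest>`) would ensure the host runs the reviewed build. Publishing no ports and attaching only to the haproxy network is a good choice and worth keeping.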