diff --git a/handlers/main.yml b/handlers/main.yml
index 46b2e17..cd6817c 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -23,3 +23,13 @@
   ansible.builtin.service:
     name: monit
     state: reloaded
+
+- name: Get certificate
+  command: dehydrated --cron -g
+  delegate_to: "{{ gateway_host }}"
+
+- name: reload nginx
+  ansible.builtin.service:
+    name: nginx
+    state: reloaded
+  delegate_to: "{{ gateway_host }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 4c0e680..533ee41 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -28,6 +28,11 @@
   ansible.builtin.import_tasks: tls-helper.yml
   tags: tls-helper
 
+- name: MTA-STS
+  ansible.builtin.import_tasks: mta-sts.yml
+  tags: mta-sts
+  loop: "{{ postfix_domains }}"
+
 - name: Hostname
   ansible.builtin.import_tasks: hostname.yml
   tags: hostname
diff --git a/tasks/mta-sts.yml b/tasks/mta-sts.yml
new file mode 100644
index 0000000..e1c5bc3
--- /dev/null
+++ b/tasks/mta-sts.yml
@@ -0,0 +1,31 @@
+---
+- name: "MTA-STS | Copy file"
+  ansible.builtin.template:
+    src: nginx/mta-sts.txt.j2
+    dest: /var/www/html/mta-sts.txt
+    mode: "0644"
+
+- name: "MTA-STS | Get certificate"
+  ansible.builtin.lineinfile:
+    path: /etc/dehydrated/domains.txt
+    line: "mta-sts.{{ item.name }}"
+  when: "'dehydrated' in ansible_facts.packages and item.mta-sts is defined and item.mta-sts"
+  loop: "{{ postfix_domains }}"
+  notify: Get certificate
+
+- name: "MTA-STS | Copy Nginx configuration"
+  ansible.builtin.template:
+    src: nginx/nginx-mta-sts.j2
+    dest: "/etc/nginx/sites-available/mta-sts.{{ item.name }}"
+    mode: "0644"
+  when: item.mta-sts is defined and item.mta-sts
+  loop: "{{ postfix_domains }}"
+
+- name: "MTA-STS | Enable Nginx configuration"
+  ansible.builtin.file:
+    src: "/etc/nginx/sites-available/mta-sts.{{ item.name }}"
+    dest: "/etc/nginx/sites-enabled/mta-sts.{{ item.name }}"
+    state: link
+  when: item.mta-sts is defined and item.mta-sts
+  loop: "{{ postfix_domains }}"
+  notify: reload nginx
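Review bot: Both new handlers are delegated to `gateway_host`, but the tasks in tasks/mta-sts.yml that notify them (the `domains.txt` lineinfile and the nginx site files) carry no `delegate_to`, so unless this role only ever runs on the gateway itself, `dehydrated --cron -g` and the nginx reload will execute on a host that never received those files. Either delegate the writing tasks the same way or drop the delegation here; the two must agree. Separately, `command: dehydrated --cron -g` is the only bare module name in this file while its siblings use `ansible.builtin.service`, and the handler names mix `Get certificate` with `reload nginx`; `ansible.builtin.command: dehydrated --cron -g` and a consistent capitalisation would match the rest of the file.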
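Review bot: `loop: "{{ postfix_domains }}"` on `ansible.builtin.import_tasks` is rejected by Ansible, because static imports cannot be looped, so the play will fail at parse time before any MTA-STS task runs. The imported tasks/mta-sts.yml already loops over `postfix_domains` task by task, so the line should simply be deleted; switching to `include_tasks` instead would nest a loop inside loops and shadow `item`.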
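Review bot: The three `when:` expressions reference `item.mta-sts`, which Jinja parses as the subtraction `item.mta - sts` with an undefined `sts`, so the condition never tests the intended per-domain flag and will error or evaluate wrongly; a hyphenated key has to be written as `when: item['mta-sts'] is defined and item['mta-sts']` (and the same inside the quoted `'dehydrated' in ansible_facts.packages and ...` condition). The "Copy Nginx configuration" task points `src:` at `nginx/nginx-mta-sts.j2`, but the template added in this commit lives at `templates/nginx/mta-sts.j2`, so the lookup will fail until one of the two names is changed. The "Copy file" task renders `mta-sts.txt.j2` once with no `loop`, yet that template reads `item.name` and `item.mx_server`, so `item` is undefined there and a single `/var/www/html/mta-sts.txt` cannot carry a different `mx:` list per domain; it needs the same `loop`/`when` as the other tasks and a per-domain destination that the nginx vhost then serves. The `ansible_facts.packages` check presumes `package_facts` was gathered earlier in the role, which this hunk does not show.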
diff --git a/templates/nginx/mta-sts.j2 b/templates/nginx/mta-sts.j2
new file mode 100644
index 0000000..41aa3cf
--- /dev/null
+++ b/templates/nginx/mta-sts.j2
@@ -0,0 +1,14 @@
+server {
+    listen 80;
+    server_name mta-sts.{{ item.name }};
+    include snippets/letsencrypt.conf;
+    location / { return 301 https://$http_host$request_uri; }
+}
+
+server {
+    listen 443 ssl http2;
+    server_name mta-sts.{{ item.name }};
+    ssl_certificate /var/lib/dehydrated/certs/mta-sts.{{ item.name }}/fullchain.pem;
+    ssl_certificate_key /var/lib/dehydrated/certs/mta-sts.{{ item.name }}/privkey.pem;
+    location /.well-known { alias /var/www/html; }
+}
diff --git a/templates/nginx/mta-sts.txt.j2 b/templates/nginx/mta-sts.txt.j2
new file mode 100644
index 0000000..fadc625
--- /dev/null
+++ b/templates/nginx/mta-sts.txt.j2
@@ -0,0 +1,6 @@
+version: STSv1
+mode: enforce
+max_age: 10368000
+{% for mx in item.mx_server %}
+mx: {{ mx }}
+{% endfor %}
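Review bot: `location /.well-known { alias /var/www/html; }` in the TLS server block exposes every file under `/var/www/html` beneath `/.well-known/` on the `mta-sts.` vhost, while MTA-STS clients only ever fetch one path; narrowing it to `location = /.well-known/mta-sts.txt { alias /var/www/html/mta-sts.txt; default_type text/plain; }` serves exactly what RFC 8461 needs and nothing else. The 443 block also has no `location /`, so any other request falls through to nginx's default `root`, which this template does not control. The `ssl_certificate` paths assume the `Get certificate` handler has already produced `/var/lib/dehydrated/certs/mta-sts.<domain>/`; if that handler is skipped (for example when the `dehydrated` package check fails), the `reload nginx` handler will fail on the missing files, so the site should probably only be enabled once the certificate exists.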
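Review bot: Publishing `mode: enforce` together with `max_age: 10368000` (120 days) on first deployment leaves no rollout window: any mismatch between the `mx:` lines and the real MX hostnames or their certificates makes remote senders refuse mail for up to four months. RFC 8461 expects operators to start in `testing` mode with a short `max_age`, collect TLSRPT reports, and only then switch to `enforce`; making `mode` and `max_age` per-domain variables with `testing` as the default would give that path. The loop assumes each `postfix_domains` entry carries an `mx_server` list; if it is a plain string, Jinja iterates its characters and emits one `mx:` line per character, which the hunk gives no guard against.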