diff --git a/configuration.nix b/configuration.nix
index c3f4a72..c102770 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -49,9 +49,13 @@ networking.hostName = "extremist-software";
 networking.firewall.allowedTCPPorts = [
 22
+ 25
 80
 443
- ]; # SSH, HTTP, HTTPS
+ 465
+ 587
+ 993
+ ]; # SSH, SMTP, HTTP, HTTPS, SMTPS, Submission, IMAPS
 
 # Tailscale
 services.tailscale.enable = true;
 # We assume the user will authenticate manually or via a one-time key service
diff --git a/modules/caddy.nix b/modules/caddy.nix
index afb852d..589e030 100644
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -77,6 +77,22 @@
 '';
 };
 
+ "mta-sts.extremist.software" = {
+ extraConfig = ''
+ handle /.well-known/mta-sts.txt {
+ header Content-Type "text/plain"
+ respond `version: STSv1
+mode: enforce
+mx: mail.extremist.software
+max_age: 604800
+`
+ }
+ handle {
+ respond 404
+ }
+ '';
+ };
+
 "search.extremist.software" = {
 extraConfig = ''
 rate_limit {
diff --git a/modules/mail.nix b/modules/mail.nix
index a6c1bd4..da3baa1 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -4,8 +4,7 @@
 services.stalwart = {
 enable = true;
 stateVersion = config.system.stateVersion;
- # Let stalwart open its own ports if needed for the main services
- openFirewall = true;
+ openFirewall = false;
 
 settings = {
 server = {
@@ -24,6 +23,11 @@
 protocol = "smtp";
 tls.implicit = true;
 };
+ submission = {
+ bind = "[::]:587";
+ protocol = "smtp";
+ tls.implicit = false;
+ };
 imaps = {
 bind = "[::]:993";
 protocol = "imap";
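Review bot: The mail ports are now hand-maintained in this array while modules/mail.nix sets `openFirewall = false` in the same commit, so the two files can drift silently: a listener added to Stalwart later reaches the firewall only if someone remembers to edit this list, exactly the step this commit had to do for 587. A comment above the array would keep that coupling visible, e.g. `# Mail ports (25/465/587/993) must match the listeners in modules/mail.nix; Stalwart's openFirewall is off`. As a point of style, a single trailing legend for seven entries is fragile because the reader maps positions to names; a per-line annotation such as `25 # SMTP (inbound MX)` survives reordering. The array itself is fully inside the hunk.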
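Review bot: The policy is published with `mode: enforce` on its first appearance, which makes compliant senders refuse delivery whenever the certificate presented by `mail.extremist.software` fails validation; RFC 8461 anticipates rolling out with `mode: testing` (with TLSRPT reports) until the MX is confirmed to pass, then switching to enforce. The hunk also does not show the `_mta-sts.extremist.software` TXT record whose `id` value has to change every time this body changes, so it is presumably managed elsewhere; a comment in the block such as `# Changing this policy requires bumping the id in the _mta-sts DNS TXT record` would tie the two together. The policy is fetched over HTTPS, so this vhost needs a valid certificate before any sender honours it; Caddy's automatic TLS presumably covers that, but the DNS entry for `mta-sts.extremist.software` is not visible here either. The enclosing virtualHosts attrset starts and ends outside the hunk.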
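Review bot: Flipping `openFirewall` to `false` also deletes the only comment explaining how the mail ports get opened, so a reader of this file no longer learns that they are enumerated in configuration.nix. Suggest keeping the rationale in its place: `# Ports are opened explicitly in configuration.nix (networking.firewall.allowedTCPPorts); keep that list in sync with the listeners below.` The `services.stalwart` attrset continues past the end of the hunk.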
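Review bot: The new `submission` listener sets `tls.implicit = false`, i.e. STARTTLS on 587, and nothing in the hunk shows that authentication is refused until TLS has been negotiated; that is presumably Stalwart's default behaviour but is worth confirming, since a client that skips STARTTLS would otherwise send credentials in clear on this port. A short comment would record the intent for the next reader: `# Submission (RFC 6409): STARTTLS; clients must negotiate TLS before AUTH`. The enclosing server settings attrset starts and ends outside the hunk.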