diff --git a/config/services/stalwart.nix b/config/services/stalwart.nix
index cfe140d..046a98b 100644
--- a/config/services/stalwart.nix
+++ b/config/services/stalwart.nix
@@ -152,7 +152,6 @@ in
         [
           "autoconfig.${domain}"
           "autodiscover.${domain}"
-          "mta-sts.${domain}"
         ]
         (_: {
           forceSSL = true;
@@ -638,6 +637,9 @@ in
           ];
         };
 
+        # needs certificate for all domain
+        # Dane is better anyway
+        session.mta-sts.mode = "none";
         session.ehlo = {
           require = true;
           reject-non-fqdn = [
diff --git a/hosts/mailnix/net.nix b/hosts/mailnix/net.nix
index 8244117..5edbbc6 100644
--- a/hosts/mailnix/net.nix
+++ b/hosts/mailnix/net.nix
@@ -58,10 +58,6 @@
       domain = config.secrets.secrets.global.domains.mail_public;
       extraDomainNames = [ "*.${config.secrets.secrets.global.domains.mail_public}" ];
     };
-    "${config.secrets.secrets.global.domains.mail_private}" = {
-      domain = config.secrets.secrets.global.domains.mail_private;
-      extraDomainNames = [ "*.${config.secrets.secrets.global.domains.mail_private}" ];
-    };
   };
   environment.persistence."/state".directories = [
     {
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age
index 6c50eaa..2e12704 100644
Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ