Issue when trying to set MTA-STS policy

1. The problem I’m having:

Hi everyone,

I am currently trying to set up a mail server (Stalwart) and to update my MTA-STS policy.
I have set up Stalwart to listen on port 10443, and when I do a curl -k https://127.0.0.1:10443/.well-known/mta-sts.txt, I get the policy.

2. Error messages and/or full log output:

But when I try to access https://mta-sts.domain.tld/.well-known/mta-sts.txt via a web browser, I get a 502, and with curl I get nothing at all.
Where is something going wrong?

3. Caddy version:

v2.9.1

4. How I installed and ran Caddy:

a. System environment:

Arch linux package, systemd service

b. Command:

sudo systemctl start caddy.service

d. My complete Caddy config:

{
	# Restrict the admin interface to a local unix file socket whose directory
	# is restricted to caddy:caddy. By default the TCP socket allows arbitrary
	# modification for any process and user that has access to the local
	# interface. If admin over TCP is turned on one should make sure
	# implications are well understood.
	admin "unix//run/caddy/admin.socket"
}

http:// {
	# Set this path to your site's directory.
	root * /srv/www/html/

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000

	# Refer to the directive documentation for more options.
	# https://caddyserver.com/docs/caddyfile/directives
}

artav.fr {
	# Set this path to your site's directory.
	root * /srv/www/html/

	# Enable the static file server.
	file_server
	# reverse_proxy localhost:10443
}

mail.artav.fr, mta-sts.artav.fr {
	reverse_proxy localhost:10443 {
		transport http {
			proxy_protocol v2
			tls_server_name mail.artav.fr
		}
	}
	log {
		output file /var/log/caddy/mail.log
	}
}

webmail.artav.fr {
	reverse_proxy 127.0.0.1:8084
}

auth.artav.fr {
	reverse_proxy localhost:9091
}

dav.artav.fr {
	reverse_proxy localhost:5232 {
		# header_up X-Script-Name /radicale
	}
}

gamja.artav.fr {
	root * /usr/share/webapps/gamja
	file_server
	reverse_proxy /socket localhost:8083
}

rss.artav.fr {
	forward_auth localhost:9091 {
		uri /api/authz/forward-auth
		## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest
		## this is configured in the Session Cookies section of the Authelia configuration.
		# uri /api/authz/forward-auth?authelia_url=https://auth.artav.fr/
		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
	}

	reverse_proxy localhost:8081
}

shaarli.artav.fr {
	root * /usr/share/webapps/shaarli
}

wallabag.artav.fr {
	root * /usr/share/wallabag/web
	file_server
	php_fastcgi unix//run/php-fpm/php-fpm-wallabag.sock {
		index app.php
	}
	try_files {path} {path}/ /app.php?{query}
	log {
		output file /var/log/caddy/wbg.access.log
	}
}

wiki.artav.fr {
	encode gzip zstd
	root * /usr/share/webapps/dokuwiki
	#Remember to comment the below forbidden block out when you're installing, and uncomment it when done.
	@forbidden path /data/* /conf/* /bin/* /inc/* /install.php
	handle @forbidden {
		respond * 403
	}
	#End of the forbidden block
	try_files {path} {path}/index.html
	route {
		handle_path /_media/* {
			rewrite * /lib/exe/fetch.php?media={path}&{query}
		}
		handle_path /_detail/* {
			rewrite * /lib/exe/detail.php?media={path}&{query}
		}
		handle /_export/* {
			@export path_regexp export ^/_export/([^/]+)/(.*)
			rewrite @export /doku.php?do=export_{re.export.1}&{query}&id={re.export.2}
		}
		handle / {
			rewrite * /doku.php?{query}
		}
		try_files {path} /doku.php?id={path}&{query}
	}
	file_server
	php_fastcgi unix//run/php-fpm/php-fpm.sock
}

5. Links to relevant resources:

Change this:

to this:

mail.artav.fr, mta-sts.artav.fr {
	reverse_proxy https://localhost:10443 {
		transport http {
			tls_insecure_skip_verify
			proxy_protocol v2
			tls_server_name mail.artav.fr
		}
	}
	log {
		output file /var/log/caddy/mail.log
	}
}

More details:

and

Hey, thanks for the answer! I tried, but it did not work. But I managed to solve it anyway by changing a parameter in my Stalwart configuration (server.listener.https.proxy.trusted-networks), and it seems to work, which is kind of weird.
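Once the proxy chain above finally serves the policy, the remaining question is whether the file is one a sending MTA will accept. The following Python is an added example, not code from this thread, from Caddy or from Stalwart: it parses the mta-sts.txt format, reports the problems a sender would trip over, and applies the RFC 8461 wildcard rule for mx entries. Fetching the file (for example with curl against https://mta-sts.<domain>/.well-known/mta-sts.txt) is left to the caller; the sample policy text is constructed.

```python
import re

MAX_AGE_LIMIT = 31557600  # one year, the ceiling RFC 8461 allows for max_age
MODES = {"enforce", "testing", "none"}
_DOMAIN = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)

# Constructed sample, the shape a mail server serves at /.well-known/mta-sts.txt
SAMPLE_POLICY = "version: STSv1\r\nmode: enforce\r\nmx: mail.example.org\r\nmax_age: 604800\r\n"

def parse_mta_sts_policy(text):
    """Parse the policy body into a dict; 'mx' is a list because the field may repeat."""
    policy = {"mx": []}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def validate_policy(policy):
    """Return the list of problems a sending MTA would trip over; empty means usable."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in MODES:
        problems.append("mode must be enforce, testing or none")
    if policy.get("mode") in ("enforce", "testing") and not policy["mx"]:
        problems.append("enforce/testing mode needs at least one mx host")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        problems.append("max_age must be an integer of at most %d seconds" % MAX_AGE_LIMIT)
    problems += ["bad mx pattern: %s" % mx for mx in policy["mx"] if not _DOMAIN.match(mx)]
    return problems

def mx_matches(pattern, host):
    """RFC 8461 wildcard rule: '*.example.net' covers exactly one extra leading label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern
```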