diff --git a/config/config.go b/config/config.go
index 100b115..d7e2509 100644
--- a/config/config.go
+++ b/config/config.go
@@ -71,6 +71,7 @@ type ACME struct {
 	DirectoryURL string        `sconf-doc:"For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory."`
 	RenewBefore  time.Duration `sconf:"optional" sconf-doc:"How long before expiration to renew the certificate. Default is 30 days."`
 	ContactEmail string        `sconf-doc:"Email address to register at ACME provider. The provider can email you when certificates are about to expire. If you configure an address for which email is delivered by this server, keep in mind that TLS misconfigurations could result in such notification emails not arriving."`
+	Port         int           `sconf:"optional" sconf-doc:"TLS port for ACME validation, 443 by default. You should only override this if you cannot listen on port 443 directly. ACME will make requests to port 443, so you'll have to add an external mechanism to get the connection here, e.g. by configuring port forwarding."`
 
 	Manager *autotls.Manager `sconf:"-" json:"-"`
 }
@@ -134,10 +135,12 @@ type Listener struct {
 	} `sconf:"optional" sconf-doc:"Serve /debug/pprof/ for profiling a running mox instance. Do not enable this on a public IP!"`
 	AutoconfigHTTPS struct {
 		Enabled bool
+		Port    int `sconf:"optional" sconf-doc:"TLS port, 443 by default. You should only override this if you cannot listen on port 443 directly. Autoconfig requests will be made to port 443, so you'll have to add an external mechanism to get the connection here, e.g. by configuring port forwarding."`
 	} `sconf:"optional" sconf-doc:"Serve autoconfiguration/autodiscovery to simplify configuring email applications, will use port 443. Requires a TLS config."`
 	MTASTSHTTPS struct {
 		Enabled bool
-	} `sconf:"optional" sconf-doc:"Serve MTA-STS policies describing SMTP TLS requirements, will use port 443. Requires a TLS config."`
+		Port    int `sconf:"optional" sconf-doc:"TLS port, 443 by default. You should only override this if you cannot listen on port 443 directly. MTA-STS requests will be made to port 443, so you'll have to add an external mechanism to get the connection here, e.g. by configuring port forwarding."`
+	} `sconf:"optional" sconf-doc:"Serve MTA-STS policies describing SMTP TLS requirements. Requires a TLS config."`
 }
 
 type Domain struct {
diff --git a/config/doc.go b/config/doc.go
index 8717f71..c4e175a 100644
--- a/config/doc.go
+++ b/config/doc.go
@@ -66,6 +66,12 @@ describe-static" and "mox config describe-domains":
 			# in such notification emails not arriving.
 			ContactEmail:
 
+			# TLS port for ACME validation, 443 by default. You should only override this if
+			# you cannot listen on port 443 directly. ACME will make requests to port 443, so
+			# you'll have to add an external mechanism to get the connection here, e.g. by
+			# configuring port forwarding. (optional)
+			Port: 0
+
 	# File containing hash of admin password, for authentication in the web admin
 	# pages (if enabled). (optional)
 	AdminPasswordFile:
@@ -228,11 +234,23 @@ describe-static" and "mox config describe-domains":
 			AutoconfigHTTPS:
 				Enabled: false
 
-			# Serve MTA-STS policies describing SMTP TLS requirements, will use port 443.
-			# Requires a TLS config. (optional)
+				# TLS port, 443 by default. You should only override this if you cannot listen on
+				# port 443 directly. Autoconfig requests will be made to port 443, so you'll have
+				# to add an external mechanism to get the connection here, e.g. by configuring
+				# port forwarding. (optional)
+				Port: 0
+
+			# Serve MTA-STS policies describing SMTP TLS requirements. Requires a TLS config.
+			# (optional)
 			MTASTSHTTPS:
 				Enabled: false
 
+				# TLS port, 443 by default. You should only override this if you cannot listen on
+				# port 443 directly. MTA-STS requests will be made to port 443, so you'll have to
+				# add an external mechanism to get the connection here, e.g. by configuring port
+				# forwarding. (optional)
+				Port: 0
+
 	# Destination for emails delivered to postmaster address.
 	Postmaster:
 		Account:
diff --git a/http/web.go b/http/web.go
index 473b8b0..bfb8b7f 100644
--- a/http/web.go
+++ b/http/web.go
@@ -55,12 +55,12 @@ func ListenAndServe() {
 				s = serve{nil, nil, &http.ServeMux{}}
 			}
 			s.kinds = append(s.kinds, kind)
-			if https && port == 443 && l.TLS.ACME != "" {
+			if https && l.TLS.ACME != "" {
 				s.tlsConfig = l.TLS.ACMEConfig
 			} else if https {
 				s.tlsConfig = l.TLS.Config
 				if l.TLS.ACME != "" {
-					ensureServe(true, 443, "acme-tls-alpn-01")
+					ensureServe(true, config.Port(mox.Conf.Static.ACME[l.TLS.ACME].Port, 443), "acme-tls-alpn-01")
 				}
 			}
 			portServe[port] = s
@@ -68,7 +68,7 @@ func ListenAndServe() {
 		}
 
 		if l.SMTP.Enabled && !l.SMTP.NoSTARTTLS || l.Submissions.Enabled || l.IMAPS.Enabled {
-			ensureServe(true, 443, "acme-tls-alpn01")
+			ensureServe(true, config.Port(config.Port(l.AutoconfigHTTPS.Port, 443), 443), "acme-tls-alpn01")
 		}
 
 		if l.AccountHTTP.Enabled {
@@ -110,12 +110,12 @@ func ListenAndServe() {
 			}))
 		}
 		if l.AutoconfigHTTPS.Enabled {
-			srv := ensureServe(true, 443, "autoconfig-https")
+			srv := ensureServe(true, config.Port(l.AutoconfigHTTPS.Port, 443), "autoconfig-https")
 			srv.mux.HandleFunc("/mail/config-v1.1.xml", safeHeaders(autoconfHandle(l)))
 			srv.mux.HandleFunc("/autodiscover/autodiscover.xml", safeHeaders(autodiscoverHandle(l)))
 		}
 		if l.MTASTSHTTPS.Enabled {
-			srv := ensureServe(true, 443, "mtasts-https")
+			srv := ensureServe(true, config.Port(l.MTASTSHTTPS.Port, 443), "mtasts-https")
 			srv.mux.HandleFunc("/.well-known/mta-sts.txt", safeHeaders(mtastsPolicyHandle))
 		}
 		if l.PprofHTTP.Enabled {