I have a fresh AWS Lightsail instance configured with:
- CentOS 7.8.2003
- Webmin 1.942
- Virtualmin 6.09
- Usermin 1.791
- Postfix 2.10.1
- Correct reverse DNS/PTR records, SPF, DKIM and DMARC DNS entries.
- Valid LetsEncrypt certificate, copied to Postfix, Dovecot, etc.
I’ve run the following postconf commands to implement RBL blocking, avoid being an open relay, and generally try to be a good netizen:
```bash
# Disable verify - stop clients querying for valid users
postconf -e 'disable_vrfy_command = yes'

# Force HELO required and limit who can greet us
postconf -e 'smtpd_helo_required = yes'
postconf -e 'smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname'

# Encourage the use of TLS
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_sasl_auth_enable = yes'

# Set client, recipient, relay & sender security and relay restrictions
postconf -e 'smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client zen.spamhaus.org reject_rbl_client bl.spamcop.net reject_rbl_client cbl.abuseat.org permit'
# Note: the restriction name is reject_rhsbl_sender (a leading "r" was missing in the posted command)
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client zen.spamhaus.org reject_rhsbl_reverse_client dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org'
postconf -e 'smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination'
postconf -e 'smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain'
postconf -e 'smtpd_sasl_security_options = noanonymous'

# Reload postfix
postfix reload
systemctl restart postfix
```
The problem I have is that if I view the autoconfig.xml by going to the example URL below it continues to provide non-TLS settings, as follows:
```xml
<outgoingServer type="smtp">
  <hostname>domain.co.uk</hostname>
  <port>587</port>
  <socketType>plain</socketType>
  <authentication>password-cleartext</authentication>
  <username>email@example.com</username>
</outgoingServer>
```
I am using the default mail-client auto configuration template provided in Virtualmin -> System Settings -> Server Templates -> Mail client auto-configuration.
I am aware that I could potentially change the value of the template, replacing STARTTLS, but I’ve seen reports of this potentially being reverted by future updates and would like to find an appropriate fix.
Have I missed a setting in my Postfix config? I thought that `smtpd_tls_security_level = may` would have done the trick.
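A quick way to verify what the autoconfig file is actually telling mail clients, and to re-check it after any template change, is to parse it and flag every server entry whose `socketType` is not `STARTTLS` or `SSL`. The script below is an added example written for this post, not code from Virtualmin or the original poster; the XML it audits is a constructed sample modelled on the `<outgoingServer>` block quoted above (hostname `mail.example.com`, an IMAP entry on port 143 added for illustration). `rewrite_to_starttls` expresses the manual template edit the post mentions so the result can be audited again, and `starttls_offered` is an optional live check of your own submission port that uses only the standard `smtplib` EHLO/extension calls.

```python
"""Audit a Mozilla/Thunderbird-style autoconfig.xml for plaintext mail settings."""
import smtplib
import xml.etree.ElementTree as ET

# Constructed sample (not fetched from any real server), shaped like the XML in the post.
SAMPLE_AUTOCONFIG = """
<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>example.com</domain>
    <incomingServer type="imap">
      <hostname>mail.example.com</hostname>
      <port>143</port>
      <socketType>plain</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.example.com</hostname>
      <port>587</port>
      <socketType>plain</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
"""

# socketType values in the autoconfig format that protect the session.
SECURE_SOCKET_TYPES = {"STARTTLS", "SSL"}


def audit_autoconfig(xml_text):
    """Return one dict per incoming/outgoing server entry with a severity and finding.

    "ok": transport is STARTTLS or SSL (password-cleartext is fine over TLS,
          it just means PLAIN/LOGIN SASL inside the encrypted session).
    "high": plaintext transport combined with password-cleartext, so a client
            following this file would send credentials unencrypted.
    "medium": plaintext transport with some other authentication value.
    """
    root = ET.fromstring(xml_text)
    report = []
    for tag in ("incomingServer", "outgoingServer"):
        for server in root.iter(tag):
            socket_type = server.findtext("socketType", default="").strip()
            auth = server.findtext("authentication", default="").strip()
            entry = {
                "server": "%s/%s" % (tag, server.get("type", "?")),
                "port": server.findtext("port", default="").strip(),
                "socketType": socket_type,
                "authentication": auth,
            }
            if socket_type in SECURE_SOCKET_TYPES:
                entry["severity"] = "ok"
                entry["finding"] = "session protected by " + socket_type
            elif auth == "password-cleartext":
                entry["severity"] = "high"
                entry["finding"] = ("plaintext transport with password-cleartext: "
                                    "credentials would be sent unencrypted")
            else:
                entry["severity"] = "medium"
                entry["finding"] = "plaintext transport (socketType=%r)" % socket_type
            report.append(entry)
    return report


def rewrite_to_starttls(xml_text):
    """Return a copy of the XML with every 'plain' socketType switched to STARTTLS.

    This mirrors the manual template edit mentioned in the post; ports and
    authentication values are left untouched so the change stays minimal.
    """
    root = ET.fromstring(xml_text)
    for node in root.iter("socketType"):
        if node.text and node.text.strip().lower() == "plain":
            node.text = "STARTTLS"
    return ET.tostring(root, encoding="unicode")


def starttls_offered(host, port=587, timeout=5):
    """Live check against your own server: does EHLO advertise STARTTLS on this port?"""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    for entry in audit_autoconfig(SAMPLE_AUTOCONFIG):
        print(entry["severity"].upper(), entry["server"], entry["port"], entry["finding"])
    print("after rewrite:", [e["severity"] for e in audit_autoconfig(rewrite_to_starttls(SAMPLE_AUTOCONFIG))])
```

To run it against a real file, replace `SAMPLE_AUTOCONFIG` with the text fetched from your own autoconfig URL; the audit only reads the XML, so the "high" findings tell you what clients will do before you touch the template, and the rewritten copy shows what the template should produce once `socketType` is `STARTTLS`.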