I have a fresh AWS Lightsail instance configured with:
- CentOS 7.8.2003
- Webmin 1.942
- Virtualmin 6.09
- Usermin 1.791
- Postfix 2.10.1
- Correct reverse DNS/PTR records, SPF, DKIM and DMARC DNS entries.
- Valid LetsEncrypt certificate, copied to Postfix, Dovecot, etc.
I’ve run the following postconf commands to implement RBL blocking, avoid being an open relay, and generally try to be a good netizen:
```sh
# Disable VRFY - stop clients querying for valid users
postconf -e 'disable_vrfy_command = yes'
# Force HELO required and limit who can greet us
postconf -e 'smtpd_helo_required = yes'
postconf -e 'smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname'
# Encourage the use of TLS
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_sasl_auth_enable = yes'
# Set client, recipient, relay & sender security and relay restrictions
postconf -e 'smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client zen.spamhaus.org reject_rbl_client bl.spamcop.net reject_rbl_client cbl.abuseat.org permit'
# Note: the last entry below was originally typed as "eject_rhsbl_sender"; the restriction name is reject_rhsbl_sender
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client zen.spamhaus.org reject_rhsbl_reverse_client dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org'
postconf -e 'smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination'
postconf -e 'smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain'
postconf -e 'smtpd_sasl_security_options = noanonymous'
# Reload postfix
postfix reload
systemctl restart postfix
```
The problem I have is that if I view the autoconfig.xml by going to the example URL below, it continues to provide non-TLS settings, as follows:

```
http://www.domain.co.uk/cgi-bin/autoconfig.cgi?emailaddress=info@domain.co.uk
```

```xml
<outgoingServer type="smtp">
<hostname>domain.co.uk</hostname>
<port>587</port>
<socketType>plain</socketType>
<authentication>password-cleartext</authentication>
<username>info@domain.co.uk</username>
</outgoingServer>
```
I am using the default mail-client auto configuration template provided in Virtualmin -> System Settings -> Server Templates -> Mail client auto-configuration.
I am aware that I could potentially change the value of the template, replacing `$SMTP_TYPE` with `STARTTLS`, but I’ve seen reports of this potentially being reverted by future updates and would like to find an appropriate fix.
Have I missed a setting in my Postfix config? I thought that `smtpd_tls_security_level = may` would have done the trick.
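One way to audit what an autoconfig endpoint like the one above hands to mail clients, as an added example that is not part of the original post and not Virtualmin's own code: the script parses a Mozilla-style autoconfig document (a constructed sample that embeds the `<outgoingServer>` fragment from the question alongside an IMAP entry for contrast) and flags every server entry whose `socketType` is `plain`, since a client following such an entry would authenticate and submit mail unencrypted. The `advertises_starttls` helper is an added, optional live check (hypothetical, not something the page describes) that performs an EHLO against port 587 and reports whether Postfix offers STARTTLS, which separates "the template is wrong" from "Postfix is not offering TLS".

```python
import smtplib
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Mozilla-style autoconfig document wrapping the
# <outgoingServer> fragment from the question, plus an IMAP entry for contrast.
SAMPLE_AUTOCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="domain.co.uk">
    <domain>domain.co.uk</domain>
    <incomingServer type="imap">
      <hostname>domain.co.uk</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>info@domain.co.uk</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>domain.co.uk</hostname>
      <port>587</port>
      <socketType>plain</socketType>
      <authentication>password-cleartext</authentication>
      <username>info@domain.co.uk</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
"""

# socketType values that mean the client will encrypt the connection.
ENCRYPTED_SOCKETS = {"SSL", "STARTTLS"}


def audit_autoconfig(xml_text):
    """Return one (server_tag, port, socketType, authentication, verdict) tuple
    per incomingServer/outgoingServer element, in document order.

    verdict is "ok" for an SSL/STARTTLS socket, "cleartext-password" when a
    plaintext socket is combined with password-cleartext auth, and
    "unencrypted" for any other plaintext socket.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter():
        if server.tag not in ("incomingServer", "outgoingServer"):
            continue
        port = (server.findtext("port") or "").strip()
        socket_type = (server.findtext("socketType") or "").strip()
        auth = (server.findtext("authentication") or "").strip()
        if socket_type in ENCRYPTED_SOCKETS:
            verdict = "ok"
        elif auth == "password-cleartext":
            verdict = "cleartext-password"
        else:
            verdict = "unencrypted"
        findings.append((server.tag, port, socket_type, auth, verdict))
    return findings


def advertises_starttls(host, port=587, timeout=10):
    """Live check (needs network, not run on the sample): EHLO the submission
    port and report whether the server lists STARTTLS among its extensions."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    for tag, port, sock, auth, verdict in audit_autoconfig(SAMPLE_AUTOCONFIG):
        print(f"{tag:<15} port {port:<4} socketType={sock:<9} auth={auth:<19} {verdict}")
    # Example of the live check against your own host (replace the placeholder):
    # print(advertises_starttls("mail.example.invalid"))
```

Run it against the real document by fetching the autoconfig URL and passing the body to `audit_autoconfig`; a `cleartext-password` verdict on the outgoing server is exactly the situation shown in the question. If `advertises_starttls` returns `True` for the same host, Postfix is offering TLS and the problem lies in what the template publishes, not in the Postfix configuration.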