Autoconfig not enforcing SSL/TLS for SMTP

I have a fresh AWS Lightsail instance configured with:

  • CentOS 7.8.2003
  • Webmin 1.942
  • Virtualmin 6.09
  • Usermin 1.791
  • Postfix 2.10.1
  • Correct reverse DNS/PTR records, SPF, DKIM and DMARC DNS entries.
  • Valid LetsEncrypt certificate, copied to Postfix, Dovecot, etc.

I’ve run the following postconf commands to implement RBL blocking, avoid being an open relay, and generally try to be a good netizen:

# Disable verify - stop clients querying for valid users
postconf -e 'disable_vrfy_command = yes'

# Force HELO required and limit who can greet us
postconf -e 'smtpd_helo_required = yes'
postconf -e 'smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname'

# Encourage the use of TLS
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_sasl_auth_enable = yes'

# Set client, recipient, relay & sender security and relay restrictions
# (each reject_rbl_client / reject_rhsbl_* takes its DNSBL zone as an argument; the zones are missing from this listing)
postconf -e 'smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client reject_rbl_client reject_rbl_client permit'
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client reject_rhsbl_reverse_client reject_rhsbl_helo reject_rhsbl_sender'
postconf -e 'smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination'
postconf -e 'smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain'
postconf -e 'smtpd_sasl_security_options = noanonymous'

# Reload postfix
postfix reload
systemctl restart postfix

The problem I have is that if I view the autoconfig.xml by going to the example URL below, it continues to provide non-TLS settings, as follows:

    <outgoingServer type="smtp">

I am using the default mail-client auto configuration template provided in Virtualmin -> System Settings -> Server Templates -> Mail client auto-configuration.

I am aware that I could potentially change the value of the template, replacing $SMTP_TYPE with STARTTLS, but I’ve seen reports of this potentially being reverted by future updates and would like to find an appropriate fix.

Have I missed a setting in my Postfix config? I thought that smtpd_tls_security_level = may would have done the trick.

Manually replacing $SMTP_TYPE with STARTTLS does indeed do the trick, and can be done fairly quickly with:

virtualmin modify-template --id 0 --setting autoconfig --value '<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="$SMTP_DOMAIN">
    <domain>$SMTP_DOMAIN</domain>
    <displayName>$OWNER Email</displayName>
    <displayShortName>$OWNER</displayShortName>
    <incomingServer type="imap">
      <hostname>$IMAP_HOST</hostname>
      <port>$IMAP_PORT</port>
      <socketType>$IMAP_TYPE</socketType>
      <authentication>$IMAP_ENC</authentication>
      <username>$SMTP_LOGIN</username>
    </incomingServer>
    <incomingServer type="pop3">
      <hostname>$IMAP_HOST</hostname>
      <port>$POP3_PORT</port>
      <socketType>$IMAP_TYPE</socketType>
      <authentication>$POP3_ENC</authentication>
      <username>$SMTP_LOGIN</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>$SMTP_HOST</hostname>
      <port>$SMTP_PORT</port>
      <socketType>STARTTLS</socketType>
      <authentication>$SMTP_ENC</authentication>
      <username>$SMTP_LOGIN</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>'
virtualmin modify-mail --all-domains --autoconfig

This still seems less than ideal, and I would greatly appreciate knowing how to have the correct value be automatically used.

Server Templates are never replaced by upgrades. That’s what they’re for.

Thanks for clarifying that @Joe. Do you know which Postfix setting the $SMTP_TYPE variable is derived from? I’d prefer to add this to my config so that the stock template gives the right result without being hard-coded.

It seems that the incorrect port also shows up in the autodiscover template, so I would need to hard-code that as well.
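An added check, written for this page and not code from the thread or from Virtualmin: rather than trusting the template text, fetch the XML that the autoconfig URL actually serves and fail if any advertised server is not SSL or STARTTLS, or pairs a socketType with an unexpected port. The lookup URL is the standard Thunderbird autoconfig location (https://autoconfig.<domain>/mail/config-v1.1.xml), the port/socketType pairs are the conventional ones (993/143 for IMAP, 995/110 for POP3, 465/587 for SMTP), and the two sample documents with their example.com hostnames are constructed for the offline demonstration. It covers the Thunderbird autoconfig document only, not the Outlook autodiscover one, and it does not say which Postfix setting $SMTP_TYPE is derived from; it verifies the result a client will see.

```python
"""Check a mail-client autoconfig document (Thunderbird config-v1.1 format, as
emitted by a Virtualmin Server Template) for servers that are not TLS-protected
or that pair a socketType with the wrong port.

Added example; the sample XML below is constructed and uses placeholder hosts.
"""
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# socketType values that protect the session; "plain" means cleartext login and relay.
TLS_SOCKET_TYPES = {"SSL", "STARTTLS"}

# Conventional port for each (server type, socketType): "SSL" is implicit TLS,
# "STARTTLS" is the opportunistic upgrade on the cleartext port.
EXPECTED_PORT = {
    ("imap", "SSL"): 993, ("imap", "STARTTLS"): 143,
    ("pop3", "SSL"): 995, ("pop3", "STARTTLS"): 110,
    ("smtp", "SSL"): 465, ("smtp", "STARTTLS"): 587,
}


def check_autoconfig(xml_text):
    """Return a list of findings; an empty list means every advertised server
    uses SSL or STARTTLS on the port that matches that socketType."""
    findings = []
    root = ET.fromstring(xml_text)
    servers = root.findall(".//incomingServer") + root.findall(".//outgoingServer")
    if not servers:
        return ["no <incomingServer>/<outgoingServer> elements found"]
    for srv in servers:
        kind = srv.get("type", "?")
        host = srv.findtext("hostname", "?")
        port = srv.findtext("port", "").strip()
        sock = srv.findtext("socketType", "").strip()
        where = "%s %s:%s" % (kind, host, port or "?")
        if sock not in TLS_SOCKET_TYPES:
            findings.append("%s: socketType=%s is not TLS; clients would log in "
                            "and relay mail in the clear" % (where, sock or "missing"))
            continue
        expected = EXPECTED_PORT.get((kind, sock))
        if expected is not None and port != str(expected):
            findings.append("%s: socketType=%s normally uses port %d" % (where, sock, expected))
    return findings


def fetch_autoconfig(domain, email):
    """Fetch the document a Thunderbird-style client requests first (network)."""
    url = "https://autoconfig.%s/mail/config-v1.1.xml?%s" % (
        domain, urllib.parse.urlencode({"emailaddress": email}))
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: IMAP is fine, but SMTP is still advertised as cleartext.
SAMPLE_PLAIN_SMTP = """<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
 <emailProvider id="example.com">
  <domain>example.com</domain>
  <incomingServer type="imap">
   <hostname>mail.example.com</hostname><port>993</port>
   <socketType>SSL</socketType>
   <authentication>password-cleartext</authentication>
   <username>%EMAILADDRESS%</username>
  </incomingServer>
  <outgoingServer type="smtp">
   <hostname>mail.example.com</hostname><port>587</port>
   <socketType>plain</socketType>
   <authentication>password-cleartext</authentication>
   <username>%EMAILADDRESS%</username>
  </outgoingServer>
 </emailProvider>
</clientConfig>"""

# Constructed sample: the same document after the template emits STARTTLS for SMTP.
SAMPLE_TLS = SAMPLE_PLAIN_SMTP.replace("<socketType>plain</socketType>",
                                       "<socketType>STARTTLS</socketType>")


if __name__ == "__main__":
    # usage: python check_autoconfig.py example.com user@example.com
    text = fetch_autoconfig(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_PLAIN_SMTP
    problems = check_autoconfig(text)
    for p in problems:
        print("FAIL:", p)
    print("OK: every server advertises TLS" if not problems else "%d problem(s)" % len(problems))
    sys.exit(1 if problems else 0)
```

Run it once per domain after `virtualmin modify-mail --all-domains --autoconfig` to confirm the regenerated documents all pass; a non-zero exit makes it usable from a cron job or a post-update hook.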

I’ve tried adding the superseded flag smtpd_use_tls to my Postfix config but that doesn’t change it either. Which config value are $SMTP_TYPE and $SMTP_SSL derived from? Any hints would be much appreciated.

@Joe Sorry to ping you, but do you happen to know which values it’s using from the postfix config?

