Autoconfig not enforcing SSL/TLS for SMTP

I have a fresh AWS Lightsail instance configured with:

  • CentOS 7.8.2003
  • Webmin 1.942
  • Virtualmin 6.09
  • Usermin 1.791
  • Postfix 2.10.1
  • Correct reverse DNS/PTR records, SPF, DKIM and DMARC DNS entries.
  • Valid LetsEncrypt certificate, copied to Postfix, Dovecot, etc.

I’ve run the following postconf commands to implement RBL blocking, avoid being an open relay, and generally try to be a good netizen:

    # Disable VRFY - stop clients querying for valid users
    postconf -e 'disable_vrfy_command = yes'

    # Require HELO and limit who can greet us
    postconf -e 'smtpd_helo_required = yes'
    postconf -e 'smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname'

    # Encourage the use of TLS
    postconf -e 'smtpd_tls_security_level = may'
    postconf -e 'smtpd_sasl_auth_enable = yes'

    # Set client, recipient, relay & sender security and relay restrictions
    postconf -e 'smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client zen.spamhaus.org reject_rbl_client bl.spamcop.net reject_rbl_client cbl.abuseat.org permit'
    # note: the sender RHSBL check must read reject_rhsbl_sender (not eject_rhsbl_sender), otherwise Postfix rejects the restriction list as unknown
    postconf -e 'smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client zen.spamhaus.org reject_rhsbl_reverse_client dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org'
    postconf -e 'smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination'
    postconf -e 'smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_sender_domain'
    postconf -e 'smtpd_sasl_security_options = noanonymous'

    # Reload postfix
    postfix reload
    systemctl restart postfix

The problem I have is that if I view the autoconfig.xml by going to the example URL below it continues to provide non-TLS settings, as follows:

    http://www.domain.co.uk/cgi-bin/autoconfig.cgi?emailaddress=info@domain.co.uk

    <outgoingServer type="smtp">
      <hostname>domain.co.uk</hostname>
      <port>587</port>
      <socketType>plain</socketType>
      <authentication>password-cleartext</authentication>
      <username>info@domain.co.uk</username>
    </outgoingServer>

I am using the default mail-client auto configuration template provided in Virtualmin -> System Settings -> Server Templates -> Mail client auto-configuration.

I am aware that I could potentially change the value of the template, replacing $SMTP_TYPE with STARTTLS, but I’ve seen reports of this potentially being reverted by future updates and would like to find an appropriate fix.

Have I missed a setting in my Postfix config? I thought that smtpd_tls_security_level = may would have done the trick.

Manually replacing $SMTP_TYPE with STARTTLS does indeed do the trick, and can be done fairly quickly with:

    virtualmin modify-template --id 0 --setting autoconfig --value '<?xml version="1.0" encoding="UTF-8"?><clientConfig version="1.1"><emailProvider id="$SMTP_DOMAIN"> <domain>$SMTP_DOMAIN</domain><displayName>$OWNER Email</displayName> <displayShortName>$OWNER</displayShortName> <incomingServer type="imap"> <hostname>$IMAP_HOST</hostname> <port>$IMAP_PORT</port> <socketType>$IMAP_TYPE</socketType> <authentication>$IMAP_ENC</authentication> <username>$SMTP_LOGIN</username></incomingServer> <incomingServer type="pop3"> <hostname>$IMAP_HOST</hostname> <port>$POP3_PORT</port> <socketType>$IMAP_TYPE</socketType> <authentication>$POP3_ENC</authentication> <username>$SMTP_LOGIN</username></incomingServer> <outgoingServer type="smtp"><hostname>$SMTP_HOST</hostname><port>$SMTP_PORT</port> <socketType>STARTTLS</socketType> <authentication>$SMTP_ENC</authentication> <username>$SMTP_LOGIN</username> </outgoingServer></emailProvider></clientConfig>'
    virtualmin modify-mail --all-domains --autoconfig

This still seems less than ideal, and I would greatly appreciate knowing how to have the correct value be automatically used.

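As an added check (not from the thread or from Virtualmin), a small Python parser over a constructed autoconfig document shaped like the output quoted above: it flags any server block that still advertises socketType plain, and any socketType that does not fit the port it names. The port-to-socketType table is an assumption following the Mozilla autoconfig convention; running it against each domain's autoconfig.cgi output is a quick way to confirm the template change actually took effect.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the autoconfig.cgi output quoted above:
# the IMAP block is already SSL on 993, the SMTP block is still plain on 587.
SAMPLE_AUTOCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="domain.co.uk">
    <incomingServer type="imap">
      <hostname>domain.co.uk</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>domain.co.uk</hostname>
      <port>587</port>
      <socketType>plain</socketType>
      <authentication>password-cleartext</authentication>
      <username>info@domain.co.uk</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

# socketType a client should expect on each well-known port (Mozilla autoconfig
# convention; an assumption used only for the port consistency check below).
EXPECTED_SOCKET_TYPE = {
    "25": "STARTTLS", "587": "STARTTLS", "465": "SSL",
    "143": "STARTTLS", "993": "SSL", "110": "STARTTLS", "995": "SSL",
}

def audit_autoconfig(xml_text):
    """Flag server blocks that advertise a plain socket or a socketType/port mismatch."""
    findings = []
    for server in ET.fromstring(xml_text).iter():
        if server.tag not in ("incomingServer", "outgoingServer"):
            continue
        port = server.findtext("port", "").strip()
        socket_type = server.findtext("socketType", "").strip()
        auth = server.findtext("authentication", "").strip()
        label = f"{server.get('type')} {server.findtext('hostname', '').strip()}:{port}"
        if socket_type == "plain":
            problem = "socketType plain: no TLS advertised to the client"
            if auth == "password-cleartext":
                problem += "; password-cleartext would cross the wire unencrypted"
            findings.append((label, problem))
        elif port in EXPECTED_SOCKET_TYPE and socket_type != EXPECTED_SOCKET_TYPE[port]:
            findings.append((label, f"socketType {socket_type} on port {port}, "
                                    f"expected {EXPECTED_SOCKET_TYPE[port]}"))
    return findings
```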

Server Templates are never replaced by upgrades. That’s what they’re for.

Thanks for clarifying that @Joe. Do you know which postfix setting the $SMTP_TYPE variable is derived from? I’d prefer to add this to my config so that the stock template gives the right result without being hard-coded.

It seems that the incorrect port is also shown by the autodiscover template, so I would need to hard-code that too.

I’ve tried adding the superseded flag smtpd_use_tls to my Postfix config but that doesn’t change it either. Which config value are $SMTP_TYPE and $SMTP_SSL derived from? Any hints would be much appreciated.

@Joe Sorry to ping you, but do you happen to know which values it’s using from the postfix config?
