[I’m posting this request with the help of Claude Code.]
OS type and version: Ubuntu 22.04.5 LTS
Webmin version: 2.641
Virtualmin version: 8.1.0.pro-1 (Pro)
When Virtualmin provisions or updates per-IP Postfix listeners in master.cf, it
hard-codes -o smtpd_tls_security_level=may unconditionally. This occurs in at least three
places: sync_postfix_ssl_cert() in feature-ssl.pl, and two locations in copycert-lib.pl.
There is no config lookup — the value is a string literal.
The consequence is that the per-IP -o flag overrides any smtpd_tls_security_level value
set in main.cf via Webmin or direct edit. Operators who want to enforce TLS on submission
listeners (port 587) by setting smtpd_tls_security_level=encrypt cannot do so through
Virtualmin — and any manual edit to master.cf is overwritten on the next cert renewal or
domain modification.
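To make the override behaviour concrete, here is an added audit script (not Virtualmin's or Postfix's own code) that parses master.cf stanzas and reports submission listeners whose effective smtpd_tls_security_level is weaker than encrypt; the master.cf fragment, the address 192.0.2.10 and the certificate paths are constructed for the example.

```python
import re

# Constructed master.cf fragment (not from the page). It mirrors the shape of
# the per-IP stanzas described above: a -o override on every per-IP listener.
SAMPLE_MASTER_CF = """\
# Postfix master process configuration file
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
192.0.2.10:smtp inet n - y - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_tls_cert_file=/etc/ssl/example/cert.pem
192.0.2.10:submission inet n - y - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_tls_key_file=/etc/ssl/example/key.pem
"""

def parse_listeners(text):
    """Return one dict per inet service line. Continuation lines (leading
    whitespace) carry the -o key=value overrides attached to that service."""
    listeners, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # continuation line: belongs to the previous service
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if current is not None and m:
                current["overrides"][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) < 8 or fields[1] != "inet":
            current = None
            continue
        current = {"service": fields[0], "per_ip": ":" in fields[0], "overrides": {}}
        listeners.append(current)
    return listeners

def audit_submission_tls(text, main_cf_level="may", required="encrypt"):
    """Flag submission listeners whose effective TLS level is not `required`.
    A -o override wins over main.cf; only without one does main_cf_level apply,
    which is why a main.cf value of encrypt does not rescue the per-IP stanza."""
    findings = []
    for l in parse_listeners(text):
        port = l["service"].rsplit(":", 1)[-1]
        if port not in ("submission", "587"):
            continue
        effective = l["overrides"].get("smtpd_tls_security_level", main_cf_level)
        if effective != required:
            findings.append((l["service"], effective))
    return findings
```

Even with main_cf_level="encrypt", the audit still reports the per-IP submission listener, because its hard-coded -o flag is what Postfix actually applies.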
The Server Template SSL section currently offers only a yes/no toggle for enabling
Postfix SSL. There is no field to specify the security level.
Requested change: Add a smtpd_tls_security_level selector to the Server Template SSL
section (or the Postfix mail server settings), with options for none, may, and encrypt.
Use the configured value — defaulting to may for backward compatibility — when generating
the -o smtpd_tls_security_level= flag in per-IP master.cf stanzas. Apply consistently
across sync_postfix_ssl_cert() and both call sites in copycert-lib.pl.
Why this matters: encrypt on port 587 is a current best practice for submission
listeners. RFC 8314 recommends it. Many operators are blocked from implementing it
because Virtualmin’s regeneration cycle makes manual edits to master.cf unsustainable.
A global default with a per-domain override would be ideal, but a global setting alone
would resolve the majority of use cases.
Related thread: GitHub issue #1057 (“Default SPF, TLS and Ciphers upgrade?”) is
thematically adjacent — this request focuses specifically on the per-IP master.cf stanza
generation, which is a distinct and currently unaddressed code path.