Current OSes supported by Virtualmin have some significant improvements in the SSL (OpenSSL) and email server (Postfix) areas. The GUI doesn’t yet know about these things, but we can do a bit of config file tweaking to make significant improvements. What follows applies to Postfix versions 3.3 and later (current in Webmin is 3.5).
The edits below accomplish several Good Things. IMPORTANT: don’t just do this completely blindly! It’s possible that you need to support users or systems with very old email clients or servers, in which case you could defeat their ability to connect. However, please note that we’re talking very old systems. (Any system from 2015 on ought to be fine. We’re talking Windows XP, macOS before Sierra, etc.)
What we’re going to accomplish:
- Provide modern TLSv1.3 support, and disable the oldest versions.
- Disable the SSL protocols that have been deprecated for quite some time, including ones that are easily breached by hackers.
- Install a free test tool that will analyze your situation.
SSL Test Tool
Let’s start with the free test tool. We’ll download what is (today) the current released version. You may want to go look for a newer one if you’re reading this a long time after I’m writing!
- Log in to an admin account and become superuser (sudo su -)
- Now…

```sh
cd                      # gets to your home folder
wget https://github.com/drwetter/testssl.sh/archive/refs/tags/v3.0.8.tar.gz
tar xvf v3.0.8.tar.gz
cd testssl.sh-3.0.8
```

- There. Downloaded and extracted. No “install” needed.
Here are a few handy things you can do with this:
- `./testssl.sh localhost:465` tests an SMTP SSL connection on the current server
- `./testssl.sh <mx-dom.ain>:465` does the same, but using the correct domain name; that avoids a complaint about reverse DNS
- `./testssl.sh <mx-dom.ain>:25` does the same, but using the normal SMTP port and the STARTTLS protocol
- `./testssl.sh www.google.com:443` discovers vulnerabilities and client compatibility of a popular website (hmmm… IE 6 on Win XP is not supported anymore)
SSL eMail Improvements
OK, let’s make some improvements to our SSL compatibility. First, I’ll show what I changed, then discuss it:
- ASSUMPTION: you already have set up an SSL cert, and have it enabled in Postfix (with “may” aka “allowed” usage)
- You’re going to be making significant edits to /etc/postfix/main.cf – I urge making a backup first!
- Then, in Webmin’s Servers->Postfix->Edit Config Files, we’re editing /etc/postfix/main.cf
- Here we go (the chain file paths are this server’s own; substitute yours)…

```
# TLS parameters
#smtpd_tls_CAfile =
#smtpd_tls_cert_file =
#smtpd_tls_key_file =
smtpd_tls_chain_files = /etc/webmin/aster.ds.org.key,/etc/webmin/aster.ds.org.cert,/etc/webmin/aster.ds.org.ca
smtpd_tls_received_header = yes
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
# PSK = pre-shared-key suites (the post originally listed "PSD", which is not an OpenSSL cipher alias)
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL, SHA1, SHA256, SHA384
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL, SHA1, SHA256, SHA384
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
# server-side cipher preference wins over the client's ordering
tls_preempt_cipherlist = yes
```
- NOTE: you may need to search to find all of these. They may not be all together in your main.cf file.
What did we just do?
- We switched from separate cert, intermediate, and key files to the new “chain” file listing. SMTP servers like to see the entire chain of certs, and this new feature automagically enables that. YES, the list includes the secret private key (it must come before its certificate); it’s not shared with the world but is used internally by Postfix.
- We enabled the current TLSv1.3 protocol, and disabled TLSv1 and older. Up to you if you want to disable TLSv1.1 – I still have some client systems using that, although it’s rare.
- We disabled the deprecated, compromised and highly abused old encryption methods. That includes anonymous and unencrypted suites (ADH/aNULL, eNULL), and quite compromised things like Aria and CBC (SHA1, SHA256, SHA384). We only did the latter for the SMTP server role, not the SMTP client role.
- We enabled prioritization, so the email server prefers to use more secure methods (that’s the `tls_preempt_cipherlist` line).
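To check that a main.cf actually ends up with the settings described above, here is a small audit script. It is an added example, not code from the post or from Postfix; the sample main.cf it embeds is constructed, with a few regressions left in so the findings are visible.

```python
"""Audit a Postfix main.cf against the TLS settings above (added example, not from the post)."""
import re

FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1"}   # must be off in both smtpd and smtp roles
SERVER_EXCLUDES = {"aNULL", "eNULL", "MD5", "DES", "3DES", "RC4", "ADH"}   # smtpd side

def parse_main_cf(text):
    """Minimal main.cf parser: joins indented continuation lines, skips '#' comments."""
    params = {}
    for line in re.sub(r"\n[ \t]+", " ", text).splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = map(str.strip, line.partition("="))
            params[key] = value
    return params

def enabled(items, proto):
    """Postfix list semantics: names without '!' form an allow-list; '!' names are always off."""
    allowed = {i for i in items if not i.startswith("!")}
    return f"!{proto}" not in items and (not allowed or proto in allowed)

def audit_tls(params):
    """Return findings as strings; an empty list means the file matches the post."""
    findings = []
    for role in ("smtpd", "smtp"):
        for name in (f"{role}_tls_protocols", f"{role}_tls_mandatory_protocols"):
            items = [i for i in re.split(r"[,\s]+", params.get(name, "")) if i]
            if not enabled(items, "TLSv1.3"):
                findings.append(f"{name}: TLSv1.3 not enabled")
            for proto in sorted(FORBIDDEN):
                if enabled(items, proto):
                    findings.append(f"{name}: {proto} still allowed")
    for name in ("smtpd_tls_exclude_ciphers", "smtpd_tls_mandatory_exclude_ciphers"):
        missing = SERVER_EXCLUDES - set(re.split(r"[,\s]+", params.get(name, "")))
        if missing:
            findings.append(f"{name}: not excluding {', '.join(sorted(missing))}")
    if params.get("tls_preempt_cipherlist", "no").lower() != "yes":
        findings.append("tls_preempt_cipherlist: server cipher preference not enforced")
    return findings

SAMPLE_MAIN_CF = """\
# constructed sample: the post's settings with three regressions left in on purpose
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, 3DES, eNULL, aNULL
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH,
    RC4, eNULL, aNULL
tls_preempt_cipherlist = no
"""
```

Run `audit_tls(parse_main_cf(open("/etc/postfix/main.cf").read()))` against a real file; each finding names the parameter that still deviates from the settings above.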
Now, save the changes and reload Postfix to put those changes into action. Hints:
- Check the mail.log to ensure Postfix is not only running, but that the TLS config items were accepted.
- Bad TLS config won’t break Postfix. It will just cause Postfix to run with TLS disabled!
- Run the testssl.sh script (above) again and ensure your desired improvements are in place.
- Test your email server from one or more of the handy external testing sites, such as:
  - SSL Security Test | ImmuniWeb (use ‘your-dom.ain:465’ to test SMTP SSL only, if you don’t have a public-facing web server.)
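Since a rejected TLS setting leaves Postfix running without TLS rather than failing, the log check above is worth scripting. The following is an added example, not from the post or from Postfix: it parses constructed mail.log lines in Postfix’s “TLS connection established” and “warning:” formats, counts sessions per protocol, flags peers still negotiating the legacy versions, and detects the “disabling TLS support” fallback (hostnames, addresses and the OpenSSL error text are placeholders).

```python
"""Summarise TLS sessions and TLS-related warnings in Postfix mail.log lines (added example, not from the post)."""
import re
from collections import Counter

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}     # versions the post turns off (TLSv1.1 optional)
KEYWORDS = ("TLS", "certificate", "cipher", "main.cf")   # what makes a warning TLS-related
# smtpd logs "... established from peer: PROTO with cipher NAME", smtp logs "... established to peer:port: ..."
ESTABLISHED = re.compile(r"postfix/(?P<daemon>smtpd?)\[\d+\]: \w+ TLS connection established "
                         r"(?:from|to) (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
WARNING = re.compile(r"postfix/[\w-]+\[\d+\]: warning: (?P<msg>.*)")

def summarize(lines):
    """Return (session count per (daemon, protocol), legacy-protocol sessions, TLS-related warnings)."""
    sessions, legacy, warnings = Counter(), [], []
    for line in lines:
        m = ESTABLISHED.search(line)
        if m:
            sessions[(m["daemon"], m["proto"])] += 1
            if m["proto"] in LEGACY:
                legacy.append((m["daemon"], m["peer"], m["proto"], m["cipher"]))
            continue
        w = WARNING.search(line)
        if w and any(k in w["msg"] for k in KEYWORDS):
            warnings.append(w["msg"])
    return sessions, legacy, warnings

def tls_disabled(warnings):
    """The silent failure the post warns about: Postfix keeps running but without TLS."""
    return any("disabling TLS support" in w for w in warnings)

# Constructed sample log lines in Postfix's format; hosts, addresses and the OpenSSL error text are placeholders.
SAMPLE_LOG = """\
Mar  5 10:12:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from unknown[203.0.113.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  5 10:12:07 mx postfix/smtpd[2103]: Anonymous TLS connection established from client.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  5 10:12:30 mx postfix/smtp[2110]: Trusted TLS connection established to mx.example.net[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  5 10:13:02 mx postfix/smtpd[2115]: Anonymous TLS connection established from old.example.org[198.51.100.9]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar  5 10:14:00 mx postfix/smtpd[2120]: warning: cannot get RSA certificate from file "/etc/webmin/PLACEHOLDER.cert": disabling TLS support
Mar  5 10:14:05 mx postfix/smtpd[2121]: warning: TLS library problem: error:CONSTRUCTED:SSL routines::tlsv1 alert unknown ca
Mar  5 10:14:09 mx postfix/smtpd[2121]: lost connection after STARTTLS from unknown[203.0.113.11]
"""

if __name__ == "__main__":
    sessions, legacy, warnings = summarize(SAMPLE_LOG.splitlines())
    print(dict(sessions), legacy, warnings, "TLS disabled:", tls_disabled(warnings), sep="\n")
```

Feed it `open("/var/log/mail.log")` instead of the sample; an empty session table together with a “disabling TLS support” warning is exactly the silent failure to look for after a reload.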
I hope that was helpful! Obviously there are many other aspects of email server security. Good SSL support is just one.
Advanced Hint
- The Postfix maintainers have a concern about using separate key vs cert vs CA-intermediate chain files. In theory, when a cert is updated, it’s possible that these files might be updated at different moments, so a live validation could fail. Their recommendation: for each encryption protocol, keep all of this in a single file (always in the same order: key, cert, other chain elements), e.g. rsa.pem, ecdsa.pem, ed25519.pem, ed448.pem… For now, the file separation doesn’t seem like a big risk, and it is nicely compatible with the existing Virtualmin/Webmin back end.
| System information | |
|---|---|
| Operating system | Debian Linux 11 |
| Webmin version | 2.013 |
| Virtualmin version | 7.5 |