Improving email server SSL security (and test the result ;) )

Current OS’s supported by Virtualmin have some significant improvements in the SSL (openssl) and eMail server (Postfix) arenas. The GUI doesn’t yet know about these things, but we can do a bit of config file tweaking to make significant improvements. What follows applies to Postfix versions 3.3 and later (current in Webmin is 3.5)

The edits below accomplish several Good Things. IMPORTANT: don’t just do this completely blindly! It’s possible that you need to support users or systems with very old email clients or servers… in which case you could defeat their ability to connect. However, please note that we’re talking very old systems. (Any system 2015 on ought to be fine. We’re talking Windows XP, MacOS before Sierra, etc)

What we’re going to accomplish:

  • Provide modern TLSv1.3 support, and disable the oldest versions.
  • Disable the SSL protocols that have been deprecated for quite some time, including ones that are easily breached by hackers.
  • Install a free test tool that will analyze your situation.

SSL Test Tool
Let’s start with the free test tool. We’ll download what is (today) the current released version. You may want to go look for a newer one if you’re reading this a long time after I’m writing!

  • Login to an admin account and become superuser (sudo su -)
  • Now…
cd  (gets to your home folder)
tar xvf v3.0.8.tar.gz
  • There. Downloaded and extracted. No “install” needed.

Here are a few handy things you can do with this:

  • ./ localhost:465 – this will test an SMTP SSL connection on the current server
  • ./ <mx-dom.ain>:465 – same but using the correct domain name. That avoids a complaint about reverse DNS
  • ./ <mx-dom.ain>:25 – same, but use the normal SMTP port and STARTTLS protocol
  • ./ – discover vulnerabilities and client compatibility of a popular website (hmmm… IE 6 on Win XP is not supported anymore :wink: )

SSL eMail Improvements
OK, let’s make some improvements to our SSL compatibility. First, I’ll show what I changed, then discuss it:

  • ASSUMPTION: you already have set up an SSL cert, and have it enabled in Postfix (with “may” aka “allowed” usage)
  • You’re going to be making significant edits to /etc/postfix/ – I urge making a backup first!
  • Then, in Webmin’s Servers->Postfix->Edit Config Files, we’re editing /etc/postfix/
  • Here we go…
# TLS parameters
#smtpd_tls_CAfile =
#smtpd_tls_cert_file =
#smtpd_tls_key_file =
smtpd_tls_chain_files = /etc/webmin/,/etc/webmin/,/etc/webmin/

smtpd_tls_received_header = yes

smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL,  SHA1, SHA256, SHA384
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, SHA1, SHA256, SHA384
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
tls_preempt_cipherlist = yes
  • NOTE: you may need to search to find all of these. They may not be all together in your file.

What did we just do??

  1. We switched from separate cert, intermediate, and key files, to the new “chain” file listing. SMTP servers like to see the entire chain of certs, and this new feature automagically enables that. YES the list includes the secret private key; it’s not shared with the world but is used internally by Postfix.
    • If you want to have multiple sets of certs using different forms of encryption, that’s also supported now.
    • (Advanced hint for people like @Joe and @Ilia below***)
  2. We enabled the current TLSv1.3 protocol, and disabled TLSv1 and older. Up to you if you want to disable TLSv1.1 – I still have some client systems using that, although it’s rare.
  3. We disabled the deprecated, compromised and highly abused old encryption methods. That includes anonymous/unencrypted (aDH, aNull), and quite compromised things like Aria and CBC (SHA1, SHA256, SHA384). We only did that for the SMTP server role, not the SMTP client role.
  4. We enabled prioritization, so the email server prefers to use more secure methods (That’s the tls_preempt_cipherlist line.)

Now, save the changes and reload postfix to put those changes into action. Hints:

  • Check the mail.log to ensure Postfix is not only running, but that the TLS config items were accepted.
    • Bad TLS config won’t break postfix. It will just cause Postfix to run with TLS disabled!
  • Run the script (above) again and ensure your desired improvements are in place
  • Test your email server from one or more of the handy external testing sites, such as:

I hope that was helpful! Obviously there are many other aspects of email server security. Good SSL support is just one.

Advanced Hint ***

  • The Postfix maintainers have a concern about using separate key vs cert vs ca-intermediate chain files. In theory, when a cert is updated, it’s possible that these files might be updated at different moments, so a live validation could fail. Their recommendation: for each encryption protcol, keep all of this in a single file (always in the same order: key, cert, other chain elements). eg rsa.pem, ecdsa.pem, ed25519.pem, ed448.pem… For now, the file separation doesn’t seem like a big risk, and it is nicely compatible with the existing Virtualmin/Webmin back end :slight_smile:
Operating system Debian Linux 11
Webmin version 2.013
Virtualmin version 7.5
1 Like

This really does depend on what sort of service you’re providing. We (and many other’s I suspect) simply cannot disable older TLS and SSL because there are still servers out there using them and all we’ll be doing is dumping email that customers want. We know that the protocol handshake will adopt the best security that is supported by both ends, so if TLS1.2 is supported, that will be used, but if only TLS1.0 or simply clear text then we’ve got to support that.

This is just my use case, but I wanted to reinforce what MrPete said about just not blindly throwing this into your

As a side note we’re not seeing very much TLS1.3 update (which is supported on our message routers) but it will come as people update etc.


  1. IMPORTANT: Internet RFC’s require all public-facing email servers to support fallback to non-encrypted (no TLS or SSL) connections. It’s ok to prohibit for internal use but not on the Internet. That 's the “may” in smtpd_tls_security_level = "may" :wink:
  2. You didn’t mention TLSv1.3 – since I enabled it, at least 10 percent of our connections are using it. Not a surprise, Google etc all use it.
  3. If you have clients that can’t handle TLSv1.2 they are VERY old. And a lot of other services/servers will block them. (For internal use, we use HAproxy to provide a clean interface to outdated routers, switches, NAS boxes and such)
    • Windows XP only supports TLSv1.0 at install time – and that is why it can no longer be activated online! Fortunately, even for XP there are patches for 1.2 support.
    • TLSv1.2 was released in 2008.
    • Since 2018, IETF has recommended actively disabling 1.0 and 1.1
    • I do get that some need to support very old systems. We serve nonprofits literally worldwide, and it is always interesting to see the oldest systems actively in use by someone somewhere :wink:

Here’s how to actually know what connections are being made to your email server, in a simple way:

zgrep "TLS connection established" /var/log/mail.log*| egrep -v "(shodan|immuniweb|internet-census|localhost)" | sed 's/.*: //g' | sort | uniq -c | sort -rn

(this version has an egrep to remove some common protocol test sources, including localhost running the SSLtest :wink: )

Additional hint: if you have archived mail logs (*.gz), you can pull in all of that as well…

  • apt install zutils will install improved zgrep that understands all grep switches
  • Then the script can start with:
# zgrep -R "TLS connection established" /var/log/mail.log*

And if your archives are further down…something like /var/log/*/*/mail.log* etc