I’m cleaning up and improving my postfix configuration, attempting to become at least compatible with latest standards. Along the way, I discovered some anomalies in the Postfix config GUI.
NOTED up-front: my original config was a conversion from an existing pretty-reasonable setup, and it is possible some of the following is purposefully missing / obscure in the GUI.
What follows is mostly in the Webmin Servers->Postfix-> SMTP Authentication & Encryption tab…
- “Allow connections from this system” checkbox is misleading (in the two lists of SMTP connection options)
- Postfix docs show listing 127.0.0.1/8 as part of $mynetworks… which when followed (as I do) means “this system” is 100% able to connect, without this item checked.
- In addition, the “this system” checkboxes turn on “permit_inet_interfaces”… and inet_interfaces has a default value of “all” (i.e. every IP address on this server), rather than “loopback-only” which would actually mean “this system”. [That particular config item, available in Webmin on the Postfix->General tab, is actually rather complex. They recommend leaving it at “all”]
Bottom line: this checkbox in reality enables a rather complex setting that is not what it sounds like
- There’s no GUI setting for outgoing SMTP security (TLS etc).
I didn’t realize my main.cf was completely missing smtp_tls_security_level
until I did some intense looping tests with gmail and saw them complaining that my emails were “unencrypted”
That’s when I learned:
- The Webmin GUI has no equivalent outgoing SMTP setting comparable to
Enable TLS encryption? If requested by client
- None of the verification tests check for this either
By the way, you really want smtp_tls_security_level = may
in your main.cf!
AND, unless you’re running an entirely in-house email system with no outside access to your email server, you want the incoming (SMTPD / “client” connection") settings to be as loose as possible:
- Use
smtpd_tls_security_level = may
(note the “d”) – this is required by RFC for all internet-facing email servers! - Allow all levels of TLS security and protocol, even the ones that are insecure
YES, that means most checkers will complain that you’re not very secure. That’s because they are looking at the port over which you likely have little control! You CAN still use high security for your own client connections. That’s what smtpd_mandatory_security_level etc is about. Which leads me to…
- The GUI doesn’t understand some pretty important modern TLS configuration elements
-
[Preface: you actually don’t normally want to specify client / outgoing TLS certs, even though it is possible. That’s a long discussion. Webmin doesn’t do that today, which is just fine
]
-
Specifying separate cert / key and CA (chain) files is now deprecated, as I noted in another post. The “modern” way to do it is a single config item that combines them all:
smtpd_tls_chain_files = <key filename>, <cert filename>, <ca filename>
– but that isn’t in the GUI. Right now it appears as if I don’t have any of the files -
You really want to be able to separately specify the allowed TLS levels and protocols for normal (ie external port 25) vs mandatory (ie internal port 587) connections. The former should be loose; the latter ideally tight. Note that the test_ssl.sh script I mentioned in another post can test any of these.
- Finally, a niggly bit
- At the bottom of the SMTP Authentication & Encryption tab is an item with elements kinda swapped around. It says:
Send outgoing mail via host [ ] Deliver directly [* ] [__________________]
- Clearly, the data field on the right should be next to “via host”. Perhaps this tweak? I dunno:
Send outgoing mail delivered directly [*], or via host [ ] [__________________]
I hope this helps a bit!
SYSTEM INFORMATION | |
---|---|
Operating system | Debian Linux 11 |
Webmin version | 2.013 |
Usermin version | 1.861 |
Virtualmin version | 7.5 |
Authentic theme version | 20.13 |