[solved] Postfix secure smtp setup bug

#1 Wed, 03/26/2008 - 03:47
desperatedcoolman


Using the Virtualmin version from 1 month ago

I can turn on TLS login for Postfix in one of the setup pages of the Postfix section, but I think it only modifies some directives. The smtps process was not turned on and the smtps port was not opened by the change. I've done these myself and it works fine now.

Post edited by: desperatedcoolman, at: 2008/03/27 00:10

Wed, 03/26/2008 - 11:12
Joe

This isn't a bug. There is no attempt to configure TLS in Postfix in install.sh, virtualmin-base, or Virtualmin, so it's working as designed, if it didn't happen. ;-)

The problem with mail and TLS is that if you don't have a proper certificate, it leads to lots of weirdness with many clients--sometimes mysterious warnings that confuse and alarm users, sometimes outright failures.

We'll probably add a system-wide SSL configuration step to Virtualmin in the future, though, that configures Dovecot, Postfix, Webmin, Usermin, etc. to all use the same certificate on the default IP address. (If your users are connecting using other domain names, however, they will get security warnings from all of these services.)


Wed, 03/26/2008 - 23:55 (Reply to #2)
desperatedcoolman

Thanks very much. I didn't mean the installation has a problem, but that some settings in the Postfix section could be improved.

After installation of Virtualmin, I understand that smtps in Postfix is not on by default. But after I set the path of the cert and key for TLS and chose to enable TLS in the "Authentication and.... " section in the Postfix section, smtps still cannot be connected to.

Maybe users should open the smtps port by themselves; however, I found that the smtps process was not started either, i.e. in netstat, nothing is listening on port smtps. Probably it was designed to be a 3-step (open port, start process, edit directives) config for using TLS, but I hope that it could be done in one step (i.e. only setting correct paths of cert and key and choosing to enable TLS) in future. Thanks!
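The gap described in this thread (TLS directives set, but no smtps listener started) can be checked from `master.cf`. The following is an added example, not part of the original posts and not Virtualmin code; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a Postfix master.cf on stdin and
# prints one of: disabled | no-wrappermode | ok

smtps_status() {
    awk '
        function check(   f) {
            if (cur == "") return
            split(cur, f, /[ \t]+/)
            sub(/^.*:/, "", f[1])                  # drop an optional host: prefix
            if ((f[1] == "smtps" || f[1] == "465") && f[2] == "inet")
                state = (cur ~ /smtpd_tls_wrappermode[ \t]*=[ \t]*yes/) ? "ok" : "no-wrappermode"
        }
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines are ignored
        /^[ \t]/       { cur = cur " " $0; next }   # leading whitespace continues a logical line
                       { check(); cur = $0 }
        END            { check(); print (state == "" ? "disabled" : state) }
    '
}

# Constructed sample: smtps service still commented out.
sample_disabled() {
    cat <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
EOF
}

# Constructed sample: smtps enabled, wrapper mode set on a continuation line.
sample_enabled() {
    cat <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
EOF
}

sample_disabled | smtps_status
sample_enabled  | smtps_status
```

On a live system, feed it the real file, e.g. `smtps_status < /etc/postfix/master.cf` (the common default path, assumed here), then reload Postfix and confirm with netstat that something is listening on the smtps port.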
