Automatically configure smtps (465/SSL) for Postfix in addition to smtp and submission

Hi,

When Virtualmin adds per-IP SSL configuration for Postfix, it's currently adding smtp (25) and submission (587) to master.cf.

In addition to these, port 465 is (was) commonly used before STARTTLS came about, or at least became widely supported, and is apparently still in use at some mail providers for compatibility reasons. Wikipedia specifically mentions Entourage 10 and Outlook for Mac 2011 (https://en.wikipedia.org/wiki/SMTPS). Postfix does support this type of configuration with "-o smtpd_tls_wrappermode=yes" (in addition to the other configuration set for smtp and submission).

Glancing at server/copycert-lib.pl I do actually see mention of this wrappermode configuration in Postfix, but if I'm reading it right this appears to be more of a global thing. virtual-server/feature-ssl.pl only deals with smtp and submission for Postfix, and no configuration other than this is added to my master.cf when I add domains to our servers.

As is mentioned on Wikipedia, 465/SSL has been deprecated for a while now, so I'm not really sure what your thoughts would be on including this in Virtualmin. I've personally found this configuration to be useful on our internal corporate mail server, and I have been able to add this to our Virtualmin test servers with some post-add/modify/delete hooks, but it could be useful for others as well so I thought I'd post a feature request here.

Thanks,

Mike

Comments

Would it work if you just added a firewall rule to redirect port 465 to 587? Or is a custom Postfix config needed for the server that listens on 465?

Hi,

Very sorry for the late reply. Either I don't have my notifications set up correctly or they ended up going into my spam folder and I never noticed...

Anyway, an iptables redirect isn't enough. Port 465 is a unique configuration compared to submission. smtp/submission can both be upgraded to SSL if the client/server negotiate it. 465 requires SSL right off the bat, so you know for sure that your mail credentials are protected, rather than guessing as to whether or not the connection was upgraded to SSL.

Here's what Virtualmin normally adds to master.cf:

x.x.x.x:smtp inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes ...

x.x.x.x:submission inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes ...

And my addition for 465 is:

x.x.x.x:smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes ...

It's similar to the other entries, but includes the smtpd_tls_wrappermode=yes option. That's why I thought it might be a pretty easy thing to add.

I'm currently maintaining these entries for our hosted customers with some post-add Virtual hooks. I had previously set up this configuration on our non-Virtualmin corporate mail server and it's been working well for years. I'm personally using it, as are a number of my coworkers.

There doesn't seem to be a whole lot of interest in this feature... Not sure if it's really worth the time to add/maintain the code. Just thought I'd throw it out there.

Thanks,

Mike
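
The master.cf difference described in the post above, as an added example (this is not Virtualmin's or Postfix's own code): a small Python audit that parses master.cf the way Postfix reads it (continuation lines beginning with whitespace belong to the preceding service entry), reports per bound IP whether an smtps listener exists and carries smtpd_tls_wrappermode=yes, and renders the per-IP smtps entry a post-add hook would append. The 192.0.2.x addresses and the smtpd_tls_cert_file override standing in for the "..." in the quoted entries are constructed sample values, not taken from any real server.

```python
"""Audit Postfix master.cf listeners for an implicit-TLS smtps (465) entry.

Added example, not Virtualmin's or Postfix's own code. It assumes the
master.cf layout quoted in the thread (per-IP smtp/submission/smtps entries
with -o overrides) and that the service name "smtps" maps to port 465.
"""

# Constructed sample master.cf modelled on the entries quoted in the thread.
# 192.0.2.10 / 192.0.2.11 are documentation addresses; the "..." from the
# post is replaced with one plausible -o override so the parser has input.
# The 192.0.2.11 smtps entry deliberately lacks wrapper mode (a misconfig).
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
192.0.2.10:smtp inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_cert_file=/etc/ssl/example.pem
192.0.2.10:submission inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_cert_file=/etc/ssl/example.pem
192.0.2.10:smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_cert_file=/etc/ssl/example.pem
192.0.2.11:submission inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
192.0.2.11:smtps inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
"""


def parse_master_cf(text):
    """Parse master.cf into a list of service entries.

    Each entry records the bound address (or "*" when none is given), the
    service name, the command, and a dict of "-o key=value" overrides.
    Continuation lines (leading whitespace) extend the preceding entry.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if entries:
                entries[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue  # malformed; Postfix itself would reject this line
        addr, _, service = fields[0].rpartition(":")
        entries.append({
            "addr": addr or "*", "service": service, "type": fields[1],
            "command": fields[7], "args": fields[8:], "options": {},
        })
    for entry in entries:
        args = entry["args"]
        for i, tok in enumerate(args[:-1]):
            if tok == "-o" and "=" in args[i + 1]:
                key, value = args[i + 1].split("=", 1)
                entry["options"][key] = value
    return entries


def audit_smtps(entries):
    """Per bound address: which smtpd services listen, whether smtps is in
    wrapper mode, and any findings a reviewer of master.cf would raise."""
    report = {}
    for entry in entries:
        if entry["type"] != "inet" or entry["command"] != "smtpd":
            continue
        row = report.setdefault(entry["addr"], {
            "services": set(), "smtps_wrappermode": False, "findings": []})
        row["services"].add(entry["service"])
        if entry["service"] == "smtps":
            if entry["options"].get("smtpd_tls_wrappermode") == "yes":
                row["smtps_wrappermode"] = True
            else:
                # Listening on 465 without wrapper mode: a client that opens
                # with a TLS handshake gets a plaintext 220 banner and fails.
                row["findings"].append(
                    "smtps listener lacks -o smtpd_tls_wrappermode=yes")
    for row in report.values():
        # Only flag addresses that already offer authenticated submission.
        if "submission" in row["services"] and "smtps" not in row["services"]:
            row["findings"].append("submission offered but no smtps (465) listener")
    return report


def smtps_entry(addr, extra_options=()):
    """Render the master.cf entry the post adds for port 465 on one IP.

    extra_options are the same -o overrides used for smtp/submission (the
    "..." in the quoted entries); wrapper mode is always the first override.
    """
    lines = [f"{addr}:smtps inet n - - - - smtpd",
             "  -o smtpd_tls_wrappermode=yes",
             "  -o smtpd_sasl_auth_enable=yes"]
    lines += [f"  -o {opt}" for opt in extra_options]
    return "\n".join(lines)


if __name__ == "__main__":
    for addr, row in audit_smtps(parse_master_cf(SAMPLE_MASTER_CF)).items():
        status = "ok" if row["smtps_wrappermode"] else "FIX"
        print(f"{addr:12} {status}  {', '.join(row['findings']) or '-'}")
    print(smtps_entry("192.0.2.12", ["smtpd_tls_cert_file=/etc/ssl/example.pem"]))
```

Running it prints one status line per bound address. The constructed 192.0.2.11 entry shows the failure mode worth catching after a hook or a hand edit: a 465 listener without wrapper mode greets with a plaintext 220 banner, so a client configured for SSL on 465 sends a TLS ClientHello, Postfix rejects it as an unknown command, and the handshake fails rather than silently falling back to cleartext.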

Interesting, I didn't know about port 465 being SSL-only SMTP. Is this a standard thing?

To my knowledge it was never a proper standard, just SMTP wrapped in SSL. I guess you could say that it was more of a hack to provide that additional layer of security before STARTTLS came along. For the mail providers out there that still offer it, it's probably more on the legacy support side of things. We offer all 3 ports as actively supported options but recommend submission (w/STARTTLS) of course.

I'd certainly understand if there was no interest in including this since it is kind of an oddball thing that probably never really reached widespread use.

Do mail clients typically support this port and protocol though?

Oh yeah. Everything I know supports it: Outlook, Apple Mail, Thunderbird, Mutt, Net::IMAP::Simple, etc. You just enter the port number and make sure SSL is enabled.