Hello
This is my first post as a Virtualmin user, so do not throw rocks if I say something stupid. I come from a CPanel environment and so far I like what I see.
Nevertheless, I have stumbled upon some problems which I think I could have done without.
a.SPF
By default, the SPF records that get added to the DNS are insecure.
Example: "v=spf1 a mx a:example.com ip4:11.222.333.444 ?all" The "?all" statement should be "-all" for increased security http://www.openspf.org/SPF_Record_Syntax
Of course, without the proper SPF setup (which is not included in a default Virtualmin install) it does not matter if you put ? or -.
After all the tweaking and setting up, I was stunned to see that local accounts are so easily spoofed. You can check https://www.wormly.com/test_smtp_server and see how easily your default Virtualmin accepts and delivers email to local email users from existing or fake local email users.
First step in preventing the above problem is to install and enable the Policy Service for SPF. A very good and fast quide https://help.ubuntu.com/community/Postfix/SPF
After setting the SPF in a proper way, check https://www.wormly.com/test_smtp_serve again and with some luck, you will be a bit more secure
b. Verify command is allowed by default Who want to just give away a list of their users? By default, Virtualmin has disable_vrfy_command = no Add disable_vrfy_command = yes in main.cfg
c DKIM signing No DKIM installed by default. Why ask on forums why your emails are not received by some servers when you can implement DKIM by default? Not a big problem, but would be nice to have it by default
d. Automated banning tools Would be very handy to have a tool to automatically drop connections from people trying to repeatedly break into your services.. Such a tool can be easily deployed from http://www.fail2ban.org/ Would love to see such a tool installed by default.
e. Way to relaxed Postfix configuration I know defaults have to be relaxed and only of you want and need to be tweaked. But my opinion is that AT LEAST some RFC checks should have been implemented. I am referring in special to smtpd_recipient_restriction section. There are some options you can add which every RFC compliant mail server should obey, that can make a spammer's life a bit harder.
I am happy and satisfied that I chose to use Virtualmin and everyone who thinks payed alternatives are way better are sorely mistaken. Better donate to open source developers and have real power!
I will stop here because I can hardly see what I am typing (2 nights without sleep so far)
Keep up the good work and please, do not take my little "default security issues" too serious.