Webmin does not support STARTTLS when sending e-mail

Hi,

This issue has been reported previously on the Webmin mailing list at SourceForge (https://sourceforge.net/p/webadmin/bugs/4517/?page=1 and https://sourceforge.net/p/webadmin/discussion/600155/thread/3717d120/?li...) but none of the reports have gotten working solutions, so I thought I would report this again on the Virtualmin site as I am now experiencing this bug for myself.

We run a cluster of four Web servers, each running Webmin (and one running Virtualmin). I have Postfix configured on the Virtualmin server, and have secured it by requiring authenticated mail clients to connect to port 587 and use TLS/STARTTLS together with SASL authentication before they can send e-mail.

I am trying to configure Webmin to automatically check for and install software package updates on the four Web servers I have, and want it to send e-mail notifications when this is complete, as well as send e-mails about scheduled backups and other related tasks. On the Virtualmin server, I went into Webmin > Webmin Configuration > Sending E-mail and chose to send via the local mail server command, which worked flawlessly.

However, I haven't been able to get Webmin to send e-mail on the other three servers running only Webmin. Because there is no local mail server on those machines, I select to send via remote SMTP server from Webmin > Webmin Configuration > Sending Email, then check the "use SSL encryption" box, change the port number to 587, and put in my authentication details, selecting LOGIN as the authentication method. But when I try to send a test message, I just get "SMTP command failed."

When I send the same test but uncheck "use SSL encryption" (still on port 587), I get the following: sending failed : SMTP command mail from: virtualmin@jemediacorp.com failed : 530 5.7.0 Must issue a STARTTLS command first , line 4.

I can send e-mail in Roundcube, Apple Mail for macOS, Apple Mail for iOS, and Outlook but cannot send via Webmin.

Status: Fixed (pending)

Comments

Webmin doesn't currently support using STARTTLS to switch to SSL mode, but if the remote mail server is listening on a different port in SSL-only mode, Webmin can use that.

Thanks for your reply. Right now, for security reasons we only support STARTTLS on port 587 for authenticated SMTP clients (similar to other services like Office365). Is it possible to add STARTTLS support into Webmin, or even set up some kind of command (via the send using local mail server command option in Webmin) to get the message sent via STARTTLS?

I'll look into adding STARTTLS support - will update this bug when it's done

Thank you, we really appreciate this and everything else you do for Virtualmin :)

Hello,

Just inquiring as to the status of STARTTLS support. G Suite's SMTP relay service will only allow TLS connections when authenticating via SMTP, so we currently cannot securely route mail from webmin/virtualmin in our organization without enabling less-secure app access.

Thank you!

Does gsuite not support connections that start in TLS mode, versus switching to it after authentication?

Based on how the documentation is worded, I don't think that it does.

"Require SMTP Authentication—Enforces the use of SMTP authentication to identify the sending domain. Using this option requires your clients to connect via TLS."

And

"In the Encryption section, check the Require TLS encryption box to require that the communication between your server and Google’s server be TLS encrypted, including the message contents."

Long story short, when I attempt to tell Webmin to connect via SSL, it always rejects the credentials and provides links to the article referenced above, until I enable less-secure app access for the account.

What port do you have Webmin configured to connect to gmail on? It should be 465, if using TLS mode for the entire connection.

By the way, Gmail has recently limited when just a login and password can be used for sending email, which impacts older SMTP clients.

"What port do you have Webmin configured to connect to gmail on? It should be 465, if using TLS mode for the entire connection."

465.

"By the way, Gmail has recently limited when just a login and password can be used for sending email, which impacts older SMTP clients."

That's what I'm referring to by enabling "less secure application access." You can bypass that restriction in GSuite/Gmail by enabling less secure application access in your Google account, which allows traditional SMTP over SSL to occur. However, this is considered deprecated, and will be eliminated in the future.

FYI, the next release of Webmin (1.960) will support STARTTLS when sending email.
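The command ordering at issue in this thread, as an added example that is not part of the original discussion and is not Webmin's or Postfix's code: a constructed model of a port-587 submission server that refuses AUTH and MAIL until STARTTLS has been issued, and a client that fails closed when the upgrade is unavailable. Host names, addresses, the simplified single-step AUTH and every reply text other than the 530 quoted in the report are assumptions; no sockets or real TLS handshake are involved.

```python
class SubmissionServer:
    """Constructed model: port 587, TLS required before AUTH or MAIL."""

    def __init__(self):
        self.tls = False
        self.authed = False

    def handle(self, line):
        verb = line.split()[0].upper()
        if verb == "EHLO":
            # STARTTLS is offered before the upgrade, AUTH only after it.
            ext = "AUTH LOGIN PLAIN" if self.tls else "STARTTLS"
            return f"250-mail.example.test\n250 {ext}"
        if verb == "STARTTLS":
            if self.tls:
                return "503 5.5.1 TLS already active"
            self.tls = True       # a real server runs the TLS handshake here
            self.authed = False   # RFC 3207: pre-TLS session state is discarded
            return "220 2.0.0 Ready to start TLS"
        if not self.tls:
            return "530 5.7.0 Must issue a STARTTLS command first"
        if verb == "AUTH":
            self.authed = True    # simplified: real AUTH LOGIN is multi-step
            return "235 2.7.0 Authentication successful"
        if verb == "MAIL":
            return "250 2.1.0 Ok" if self.authed else "530 5.7.1 Authentication required"
        return "502 5.5.2 Command not recognized"


def submit(server, use_starttls):
    """Client side: return the transcript as (command, reply code) pairs."""
    log = []

    def send(cmd):
        reply = server.handle(cmd)
        log.append((cmd, int(reply[:3])))
        return reply

    reply = send("EHLO client.example.test")
    if use_starttls:
        if "STARTTLS" not in reply:
            return log            # fail closed: no credentials in clear text
        if not send("STARTTLS").startswith("220"):
            return log
        send("EHLO client.example.test")  # re-read capabilities after upgrade
    send("AUTH LOGIN")
    send("MAIL FROM:<sender@example.test>")
    return log
```
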