virtualmin / virtualmin-gpl

Virtualmin web hosting control panel for Webmin
https://www.virtualmin.com
GNU General Public License v3.0

REQ: Validate Virtual Servers should ALSO validate all new security DNSSEC, TLSA, DMARC, actual served certificates, for each virtual server. #132

Open chris001 opened 4 years ago

chris001 commented 4 years ago

There are many scenarios I've run into, where Validate Virtual Servers says everything is OK, but the server is actually failing on one of the newer security methods, e.g. DKIM, DNSSEC.

Virtualmin really should validate all of the latest security methods, for each virtual server:

It'd be great if a 3rd party linux library could perform the validation and return the result.

  1. DNSSEC is valid,
  2. TLSA records refer to ports which are open and listening, and the fingerprint matches the fingerprint of the served cert,
  3. DMARC passes syntax and validity check,
  4. DKIM is valid,
  5. certs served on SMTP (587 STARTTLS), IMAPS (993), HTTPS (443), and LDAPS (636) ports are valid, contain expected hostnames, and are not expired.

jcameron commented 4 years ago

Good idea - we could add this to the connectivity check already in Virtualmin.

chris001 commented 4 years ago

Just to give an example. Virtualmin is too loose, it lets the sys admin bungle pretty badly and put absolutely any SSL cert on Dovecot IMAP and Postfix SMTP, with no warning or error, implying those certs are going to work for the users. Then a user goes to configure their mail app (eg Apple Mail on iOS iPhone), provides the IMAP hostname, port, username, password, SMTP hostname, port, (username and password optional it uses the same from the IMAP if none specified), the mail app attempts a first time connectivity check, and halts with a security error, "Mail hostname given doesn't match the hostname on the SSL cert! Go back and re-enter your connection details please." This is needlessly frustrating for users, when we know that mail client apps are going to throw an error when the mail hostname is missing from the SSL cert, and when the SSL cert is self signed and/or expired!

PitWenkin commented 4 years ago

Please add POP3 via SSL on port 995 too
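The following is an added example of how part of this wish-list can be checked from a defender's side; it is not Virtualmin code and is not attached to the connectivity check jcameron mentions. It covers three of the requested items: DMARC record syntax (point 3), a TLSA fingerprint comparison against the served leaf certificate (point 2, selector 0 only), and a live check of the certificate served on the ports listed in point 5 plus POP3S on 995 from the last comment. It uses only the Python standard library; the hostname `mail.example.com`, the 14-day expiry warning threshold, the port list, and the `_dmarc` TXT values in the test are assumptions or constructed inputs, and the DNS lookups themselves (fetching the TXT and TLSA records) are left to the caller.

```python
"""Validation helpers for the checks requested in this issue: DMARC syntax,
TLSA fingerprint matching, and the certificate actually served on each port.
Added example (not Virtualmin code); Python standard library only."""
import hashlib
import smtplib
import socket
import ssl
import time

DMARC_POLICIES = {"none", "quarantine", "reject"}

# Ports from the issue's point 5 plus POP3S (995) from the follow-up comment.
# The boolean says whether the port starts in plaintext and upgrades via STARTTLS.
STANDARD_PORTS = [(587, True), (993, False), (995, False), (443, False), (636, False)]


def check_dmarc(txt):
    """Return a list of syntax problems with a _dmarc TXT record ([] means OK).
    Rules from RFC 7489: v=DMARC1 must be the first tag, p= is required,
    pct is 0-100, adkim/aspf are r or s, rua/ruf hold mailto: URIs."""
    problems, tags = [], []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            problems.append(f"malformed tag {part!r}")
            continue
        key, value = part.split("=", 1)
        tags.append((key.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    d = dict(tags)
    if d.get("p") not in DMARC_POLICIES:
        problems.append("p= missing or not one of none/quarantine/reject")
    if "sp" in d and d["sp"] not in DMARC_POLICIES:
        problems.append("sp= not one of none/quarantine/reject")
    if "pct" in d and not (d["pct"].isdigit() and int(d["pct"]) <= 100):
        problems.append("pct= must be an integer between 0 and 100")
    for tag in ("adkim", "aspf"):
        if tag in d and d[tag] not in ("r", "s"):
            problems.append(f"{tag}= must be r or s")
    for tag in ("rua", "ruf"):
        for uri in d.get(tag, "").split(","):
            if uri and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag}= URI {uri.strip()!r} is not a mailto: URI")
    return problems


def tlsa_leaf_matches(cert_der, selector, mtype, assoc_data_hex):
    """Compare the served end-entity certificate (DER bytes) with the
    association data of a TLSA record whose usage is 1 or 3 (RFC 6698).
    Selector 0 = full certificate; matching type 0 = exact bytes, 1 = SHA-256,
    2 = SHA-512.  Selector 1 (SubjectPublicKeyInfo) needs ASN.1 parsing and is
    deliberately not handled in this example."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) is out of scope here")
    if mtype == 0:
        data = cert_der
    elif mtype == 1:
        data = hashlib.sha256(cert_der).digest()
    elif mtype == 2:
        data = hashlib.sha512(cert_der).digest()
    else:
        return False
    return data == bytes.fromhex(assoc_data_hex)


def served_cert_problems(host, port, starttls=False, min_days=14):
    """Connect to host:port, negotiate TLS (after a STARTTLS upgrade when asked,
    as on submission port 587) and return a list of problems.  The default
    context already rejects an untrusted chain, an expired certificate and a
    hostname mismatch, which are exactly the errors mail clients show users,
    so a failed handshake is reported verbatim; a good handshake still warns
    when fewer than min_days of validity remain."""
    ctx = ssl.create_default_context()
    try:
        if starttls:
            smtp = smtplib.SMTP(host, port, timeout=10)
            try:
                smtp.starttls(context=ctx)
                cert = smtp.sock.getpeercert()
            finally:
                smtp.close()  # close() sends no QUIT, so a failed handshake is not masked
        else:
            with socket.create_connection((host, port), timeout=10) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return [f"{host}:{port}: {e.verify_message}"]
    except OSError as e:  # includes ssl.SSLError and smtplib.SMTPException
        return [f"{host}:{port}: TLS connection failed: {e}"]
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) / 86400
    if days_left < min_days:
        return [f"{host}:{port}: certificate expires in {days_left:.0f} days"]
    return []


def check_host(host):
    """Run the served-certificate check on every port in STANDARD_PORTS."""
    problems = []
    for port, starttls in STANDARD_PORTS:
        problems.extend(served_cert_problems(host, port, starttls))
    return problems


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # assumed hostname
    print(check_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))  # -> []
    for line in check_host(target):
        print(line)
```

`served_cert_problems` needs network access to the virtual server and returns the same verification failure a mail client would raise (untrusted issuer, expired, hostname not in the certificate), so an empty list for every port in `STANDARD_PORTS` is the condition the validator would have to see before reporting the server as OK. `check_dmarc` and `tlsa_leaf_matches` are pure functions over the record text and certificate bytes and run offline.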