Webmail redirect uses client-side redirect exposing internal server hostname instead of reverse proxy #1194

@gjdunga

Description:
When "Webmail Redirects" is enabled for a virtual server, Virtualmin generates the following inside the main domain's VirtualHost block:
```apache
ServerAlias webmail.example.com

RewriteCond %{HTTP_HOST} =webmail.example.com
RewriteRule ^/(?!.well-known)(.*)$ https://serverhostname.example.com:20000/ [R]
```

This is a client-side redirect. The browser is sent to serverhostname.example.com:20000 and the URL in the address bar permanently changes away from webmail.example.com. This causes two concrete problems:

Problem 1: Internal server hostname is exposed to end users. On a server hosting multiple domains, the actual server hostname (e.g. pookie.dstaftn.org) is leaked to every user who accesses webmail on any hosted domain. The Usermin login page then displays "You must enter a username and password to login to the server on pookie.dstaftn.org" regardless of which domain's webmail was accessed. This breaks per-domain branding entirely and is an unnecessary information disclosure.

Problem 2: The web_webmaildom config key defaults to empty, substituting the domain name. When web_webmaildom is not set in the template, Virtualmin substitutes the domain name itself into the redirect URL, producing https://example.com:20000/. Usermin does not recognize requests addressed to a domain name it is not configured to serve, returning "No resource with given URL found." This means the webmail redirect is broken by default on any installation where the server hostname differs from the hosted domain names, which is the majority of multi-domain hosting setups.

Expected behavior: webmail.example.com should remain in the browser address bar throughout the login and Usermin session. The correct implementation is a reverse proxy rather than a client-side redirect:

```apache
<VirtualHost [ip]:443>
    ServerName webmail.example.com
    SSLEngine on
    SSLCertificateFile ...
    SSLCertificateKeyFile ...
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    ProxyPreserveHost On
    ProxyPass /.well-known !
    ProxyPass / https://localhost:20000/
    ProxyPassReverse / https://localhost:20000/
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Host "webmail.example.com"
</VirtualHost>
```

This requires mod_proxy and mod_proxy_http to be enabled, which Virtualmin should enforce or check for when the webmail redirect feature is activated.

Additional note: The webmail redirect is currently generated as a ServerAlias plus inline RewriteCond/RewriteRule inside the main domain's VirtualHost block. A reverse proxy implementation requires a dedicated VirtualHost block per webmail subdomain. This is a structural change to how the feature generates Apache config.

Workaround applied: A post-change hook script (post_command in /etc/webmin/virtual-server/config) can be used to rewrite the generated config after each domain create or modify operation, replacing the inline redirect with a dedicated reverse-proxy VirtualHost. This works but should not be necessary.

Environment:

  • Virtualmin 8.1.0 Professional
  • Ubuntu 24.04 LTS
  • Apache 2.4.58
  • Usermin 2.521
  • Webmin 2.621

Steps to reproduce:

1. Install Virtualmin on a server where the hostname differs from the hosted domain names (standard multi-domain setup)
2. Create a virtual server for any domain
3. Enable "Webmail Redirects" for that domain
4. Access https://webmail.yourdomain.com in a browser
5. Observe the browser redirects to https://serverhostname:20000 and Usermin displays the server hostname, not the domain name
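
An audit for the generated redirect described in this issue, added here as an example and not part of the original report or of Virtualmin's code. It scans Apache config text for a `webmail.*` RewriteCond followed by an `[R]` RewriteRule and labels each hit by which of the two reported problems it matches; the function name, the labels and the sample config are constructed for illustration.

```python
import re

# Constructed sample of generated config, modelled on the snippet in the issue.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:443>
    ServerName example.com
    ServerAlias webmail.example.com
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.example.com
    RewriteRule ^/(?!.well-known)(.*)$ https://serverhostname.example.com:20000/ [R]
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName example.org
    ServerAlias webmail.example.org
    RewriteCond %{HTTP_HOST} =webmail.example.org
    RewriteRule ^/(?!.well-known)(.*)$ https://example.org:20000/ [R]
</VirtualHost>
"""

COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_HOST\}\s+=(webmail\.\S+)\s*$", re.I)
RULE = re.compile(
    r"^\s*RewriteRule\s+\S+\s+https?://([^/:\s]+)(?::(\d+))?/\S*\s+\[([^\]]*)\]", re.I)

def audit_webmail_redirects(conf_text):
    """Return one finding per webmail RewriteCond followed by an [R] RewriteRule."""
    findings, pending = [], None
    for line in conf_text.splitlines():
        cond = COND.match(line)
        if cond:
            pending = cond.group(1).lower()  # host the next RewriteRule applies to
            continue
        if not line.strip().lower().startswith("rewriterule"):
            continue
        rule = RULE.match(line)
        flags = [f.strip().upper() for f in rule.group(3).split(",")] if rule else []
        if pending and any(f == "R" or f.startswith("R=") for f in flags):
            target = rule.group(1).lower()
            domain = pending[len("webmail."):]
            # Target equal to the domain: empty web_webmaildom case (Problem 2).
            # Any other target: the server hostname is shown to users (Problem 1).
            kind = "domain-substituted" if target == domain else "hostname-exposed"
            findings.append({"webmail": pending, "target": target,
                             "port": rule.group(2), "kind": kind})
        pending = None  # a RewriteCond only governs the rule that follows it
    return findings

if __name__ == "__main__":
    for f in audit_webmail_redirects(SAMPLE_CONF):
        print(f"{f['webmail']} -> {f['target']}:{f['port']} ({f['kind']})")
```

A config that uses the dedicated reverse-proxy VirtualHost instead of the inline redirect produces no findings.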