
Autodiscovery fix for additional hosted email domains, Fixes #941 #1467

Merged
JoshData merged 5 commits into mail-in-a-box:master from jvolkenant:client_autoconfig_fixes on May 9, 2019

@jvolkenant
Contributor

commented Nov 2, 2018

Autodiscovery problems exist for email domains added in addition to the first domain used for setup. This problem exists for both the Thunderbird lookup and ActiveSync Autodiscovery.

For example, if we set up a MIAB at box.example.com, Thunderbird autoconfig will work because MIAB already hosts the config at https://example.com/.well-known/autoconfig/mail/config-v1.1.xml. ActiveSync Autodiscovery will work because MIAB already hosts https://example.com/Autodiscover/Autodiscover.xml.

This patch fixes the following problem. On the same example MIAB server, I set up otherdomain.com for email, but I don't host my website there. https://otherdomain.com/.well-known/autoconfig/mail/config-v1.1.xml is never found since the A record points somewhere else. Thunderbird will then try https://autoconfig.otherdomain.com/mail/config-v1.1.xml. Currently that file (and the associated DNS record) is not configured, and in this scenario Thunderbird would need to be configured manually.

ActiveSync Autodiscovery fails as well: https://otherdomain.com/Autodiscover/Autodiscover.xml runs into the same problem.

Lucky for us, both Thunderbird and ActiveSync Autodiscovery will check additional URLs during their search for auto-setup information.

This patch adds CNAME entries via dns_update so that autoconfig.otherdomain.com and autodiscover.otherdomain.com exist (technically it will give all non-PRIMARY_HOSTNAME domains a CNAME entry), as well as an nginx config as posted on #941.

This patch gives us the additional Thunderbird lookup at https://autoconfig.otherdomain.com/mail/config-v1.1.xml. For ActiveSync Autodiscovery, the path https://autodiscover.otherdomain.com/Autodiscover/Autodiscover.xml is a 302 redirect to https://box.example.com/Autodiscover/Autodiscover.xml.

Testing:
Thunderbird: Test with Thunderbird for an email that is in addition to the domain used to setup MIAB.
Activesync Autodiscover: Microsoft Remote Connectivity Analyzer or any Activesync App, I tested Nine on Android.

The only better way I can see would be to add the nginx edit 0e69c5e, but instead of CNAME, we would generate SSL certs instead for autoconfig. and autodiscover. for every domain. But the CNAME seems to work from what I've tested.

@JoshData

Member

commented Nov 2, 2018

Nice work.

@JoshData

Member

commented Dec 2, 2018

Hey.

What's happening with TLS with this patch? With a CNAME the clients will resolve the autodiscover subdomains but the TLS certificate won't be valid for it because we're not provisioning TLS certificates for them, right? The clients should show a TLS error.

We might also want to revise the nginx config to explicitly handle those domains, otherwise nginx is probably just falling back to the primary hostname because the autodiscover subdomains aren't otherwise handled.

@jvolkenant

Contributor Author

commented Dec 3, 2018

Although autoconfig/autodiscover is working with the patch, the primary hostname cert is what is being used. I'll have to dig into how to add autodiscover... and autoconfig... to the list of certs to request.

@jvolkenant

Contributor Author

commented Dec 3, 2018

I see 3 ways to solve this problem.

Method 1 from this PR (Above):
CNAME autodiscover&autoconfig to PRIMARY_HOSTNAME, seems to work, but the wrong certs are served.

Method 2 from this PR (https://github.com/jvolkenant/mailinabox/tree/client_autoconfig_fixes_method2):
Handle autodiscover&autoconfig like www, however with autodiscover&autoconfig we don't redirect to the base domain, we redirect those to PRIMARY_HOSTNAME (in case the base domain is hosted elsewhere like it is in my case). This method allows us to provision SSL certs and, via a series of 301s, we can do both Thunderbird and ActiveSync setup.

Method 3, still needs a PR (if it's decided this method is best):
Provision autodiscover&autoconfig SSL certs, but instead of a 301 to PRIMARY_HOSTNAME, we just serve it directly (with conf/nginx-alldomains.conf)

@JoshData

Member

commented Dec 3, 2018

I like 3. :)

@jvolkenant

Contributor Author

commented Dec 3, 2018

Back to the drawing board :)

@jvolkenant

Contributor Author

commented Dec 4, 2018

#1196 should be related to this

@jvolkenant jvolkenant force-pushed the jvolkenant:client_autoconfig_fixes branch 2 times, most recently from c947693 to 0e69c5e Dec 4, 2018

@jvolkenant

Contributor Author

commented Dec 4, 2018

I updated the PR such that the autoconfig/autodiscover subdomains are added to the domains list. You can now provision SSL certificates for those domains and they will be served with the correct SSL certs.

@jvolkenant

Contributor Author

commented Dec 19, 2018

So, I ended up just enabling autoconfig/autodiscover records for all mail domains. So if there is an email address configured, it should have an autoconfig/autodiscover record now.

@ringe


commented May 9, 2019

I'm going to test this patch now

@ringe


commented May 9, 2019

I patched this PR onto the current master branch and am running a full live test at my former mail server IP address. Thunderbird found the setup right away. Outlook mobile was still asking which server and username to use, but found the email address to belong to an Exchange server, meaning it found ActiveSync. Outlook desktop didn't figure it out automatically and had to be told it was an IMAP server, and I had to type the password again. Couldn't get the calendar up on Outlook desktop.

I consider this a success. I recommend merging the PR.

@ringe

ringe approved these changes May 9, 2019


left a comment

This PR does what it is advertising. I would like to have these changes on my production server.

@jvolkenant

Contributor Author

commented May 9, 2019

> I patched this PR onto the current master branch and am running a full live test at my former mail server IP address. Thunderbird found the setup right away. Outlook mobile was still asking which server and username to use, but found the email address to belong to an Exchange server, meaning it found ActiveSync. Outlook desktop didn't figure it out automatically and had to be told it was an IMAP server, and I had to type the password again. Couldn't get the calendar up on Outlook desktop.
>
> I consider this a success. I recommend merging the PR.

Did you go to "TLS (SSL) Certificates" and get the autodiscover.* and autoconfig.* certs after adding the PR?

I've never known Outlook to work with ActiveSync & Z-Push (or at least I've never got it to work). ActiveSync and iPhone/Android phone apps should work fine (it does for me with Gmail and Nine on Android, as well as the https://testconnectivity.microsoft.com "Exchange ActiveSync Autodiscover" test), and the Thunderbird IMAP setup has worked fine for me with this patch (Thunderbird Calendar and Contacts setup is a manual process, and always has been).

@JoshData JoshData merged commit aff80ac into mail-in-a-box:master May 9, 2019

@JoshData

Member

commented May 9, 2019

Thanks everyone!
