Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve port selection for autoconfig / mobileconfig #5466

Open
wants to merge 3 commits into
base: staging
Choose a base branch
from
Open

Improve port selection for autoconfig / mobileconfig #5466

wants to merge 3 commits into from

Conversation

smarsching
Copy link
Contributor

In setups where some of the ports are not available (e.g. due to firewall rules, corporate policies, etc.) it is desirable to to not announce these ports as part of the autoconfig / autodiscovery / mobileconfig process. This ensures that clients using the respective process will use the correct ports.

In autoconfig.php, this was partially implemented before: For POP3 and POP3S, autoconfig.php would look for relevant DNS SRV records and omit the ports from the generated configuration when the SRV record indicated that these services were deliberately not available.

This PR improves on this concept by making the following changes:

  • When an e-mail address is provided to autoconfig.php, the script will now use the domain from that e-mail address for the DNS lookups instead of using the domain from the server name in the HTTP headers. This has the advantage that the correct domain is going to be selected when the autoconfig URL used by the client is not directly served by mailcow, but is served by a different webserver which proxies the request or redirects the client to the mailcow server. One example where such a setup is necessary is when the DNS name autoconfig.<mail domain> is also needed for other services or when corporate policies do not allow adding such a name, but the webserver at <mail domain> can be configured to forward requests to http://<mail domain>/.well-known/autoconfig/mail/config-v1.1.xml to the mailcow server. In addition to that, I made a small change that makes the DNS lookup fail gracefully (treating a DNS failure like if the requested record did not exist and thus enabling the port).

  • Both the autoconfig.php and mobileconfig.php scripts will now check for a portDisabled and tlsportDisabled flag in $autodiscover_config. This allows administrators to disable the announcement of certain ports as part of autoconfig, even when they cannot add the relevant SRV records to DNS. More importantly, it makes mobileconfig.php treat the situation correctly where IMAPS (port 993) or SMTPS (port 465) are not available, but IMAP with STARTTLS (port 143) or SMTP with STARTTLS (port 587) are available.

I tested all changes (autoconfig.php with Thunderbird version 102, mobileconfig.php with iPad OS 16.7). In particular, I tested that iPad OS can actually handle IMAP with STARTTLS.

I think that in theory, the changes made to mobileconfig.php should also be made to autodiscover.php to allow for the correct configuration of Microsoft Outlook when IMAP / SMTP is used and IMAPS or SMTPS are disabled. However, I could not make the autodiscover process work at all (I tested with Outlook from the Microsoft 365 client for macOS and for Windows). This was regardless of whether I tested it with the original version of autodiscover.php or with my changes and regardless of whether $autodiscover_config['autodiscoverType'] was set to activesync or imap and $autodiscover_config['autodiscoverType']['useEASforOutlook'] was set to yes or no.

I rather believe this to be a problem with Outlook than with autodiscover.php, in particular because the Nginx logs show that Outlook is requesting the autodiscover.xml file and the server responds with a 200 status code. Due to Outlook being closed source, I don’t really have any idea how I could investigate this further, and as supporting Outlook is not really important for us (IMO it is one of the worse e-mail clients anyway), I did not want to spend more time on this.

Anyway, without being able to test the changes, I did not want to include them in this PR. One of the reasons why I did not want to include the changes without being able to test them is that the <Encryption> tag that apparently needs to be used to tell Outlook to use STARTTLS is not part of Microsoft’s official documentation, but there are some sources which claim that it has the desired effect.

If someone has a working autodiscover process for Outlook and is interested in testing these changes, here is the patch:

diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 992524b3..ec0e8a26 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -41,6 +41,28 @@ if (getenv('SKIP_SOGO') == "y") {
   $autodiscover_config['autodiscoverType'] = 'imap';
 }
 
+if (isset($autodiscover_config['imap']['port_disabled'])
+  && $autodiscover_config['imap']['port_disabled'] === TRUE
+  && !isset($autodiscover_config['imap']['tlsport_disabled'])
+  || $autodiscover_config['imap']['tlsport_disabled'] !== TRUE) {
+  $imap_port = $autodiscover_config['imap']['tlsport'];
+  $imap_encryption_line = "<Encryption>TLS</Encryption>";
+} else {
+  $imap_port = $autodiscover_config['imap']['port'];
+  $imap_encryption_line = "<SSL>on</SSL>";
+}
+
+if (isset($autodiscover_config['smtp']['port_disabled'])
+  && $autodiscover_config['smtp']['port_disabled'] === TRUE
+  && !isset($autodiscover_config['smtp']['tlsport_disabled'])
+  || $autodiscover_config['smtp']['tlsport_disabled'] !== TRUE) {
+  $smtp_port = $autodiscover_config['smtp']['tlsport'];
+  $smtp_encryption_line = "<Encryption>TLS</Encryption>";
+} else {
+  $smtp_port = $autodiscover_config['smtp']['port'];
+  $smtp_encryption_line = "<SSL>on</SSL>";
+}
+
 //$dsn = $database_type . ":host=" . $database_host . ";dbname=" . $database_name;
 $dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
 $opt = [
@@ -164,21 +186,21 @@ if ($login_role === "user") {
       <Protocol>
         <Type>IMAP</Type>
         <Server><?=$autodiscover_config['imap']['server'];?></Server>
-        <Port><?=$autodiscover_config['imap']['port'];?></Port>
+        <Port><?=$imap_port;?></Port>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
         <SPA>off</SPA>
-        <SSL>on</SSL>
+        <?=$imap_encryption_line;?>
         <AuthRequired>on</AuthRequired>
       </Protocol>
       <Protocol>
         <Type>SMTP</Type>
         <Server><?=$autodiscover_config['smtp']['server'];?></Server>
-        <Port><?=$autodiscover_config['smtp']['port'];?></Port>
+        <Port><?=$smtp_port;?></Port>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
         <SPA>off</SPA>
-        <SSL>on</SSL>
+        <?=$smtp_encryption_line;?>
         <AuthRequired>on</AuthRequired>
         <UsePOPAuth>on</UsePOPAuth>
         <SMTPLast>off</SMTPLast>

One thing that we might want to think about is disabling the DNS lookups in autoconfig.php completely, when portDisabled or tlsportDisabled are explicitly set to false (instead of not being set at all).

@smarsching
Use domain from e-mail address, if provided.
c4a158e 
This ensures that the correct SRV records are retrieved when the
autoconfig file is loaded through a redirect or proxy.
@smarsching
Make DNS lookups fail gracefully.
d8161e6
@smarsching
Allow explicitly disabling ports for autoconfig / mobileconfig.
581ba6f
@DerLinkman DerLinkman added this to the 2023-11 milestone Oct 13, 2023
@DerLinkman DerLinkman modified the milestones: 2023-11, 2024 Jan 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement needs testing
Projects
None yet
Milestone
2024
Development

Successfully merging this pull request may close these issues.
2 participants
@smarsching @DerLinkman