Mailclient autoconfiguration

Revision as of 11:26, 22 January 2021 by WolfgangRosenauer (talk | contribs) (automx)

Providing autoconfiguration for mail clients

This article explains how to provide autoconfiguration for mail clients that can set themselves up against a mail system automatically from just an email address and password. Three widely used approaches rely on a self-hosted lookup service: Microsoft's autodiscover, Mozilla's autoconfig, and iOS/macOS provisioning. All three are relevant for detecting the IMAP and SMTP server details needed for client configuration. Another option is based solely on DNS SRV discovery (RFC 6186).

Since eMClient for OX App Suite uses the Microsoft-based solution, this service is especially important for a smooth user experience in customer environments that offer it to their users.

autodiscover and autoconfig are based on XML schemas. For very simple deployments it might therefore be enough to serve some static XML files for both use cases. Please see the respective vendor standard documentation for more details.

In this article we show how to deploy a simple autoconfiguration service based on the open source solution automx.

Preparations

The autoconfiguration protocols look in several places for the XML that automx will later provide. The lists below show the order in which each protocol performs its lookups. Depending on where you would like to serve the XML files, you can choose from these options.

The domain example.org in these examples stands for the domain taken from the email address the user entered.

autoconfig

  1. http://autoconfig.example.org/mail/config-v1.1.xml
  2. http://example.org/.well-known/autoconfig/mail/config-v1.1.xml


autodiscover

  1. https://example.org/autodiscover/autodiscover.xml
  2. https://autodiscover.example.org/autodiscover/autodiscover.xml
  3. DNS SRV lookup for _autodiscover._tcp.example.org


DNS SRV

A DNS SRV entry for autodiscover would look like this:

 _autodiscover._tcp                      IN      SRV 0 0 443 $HOSTNAME.example.org.

The following DNS SRV records can be used to provide configuration hints for mail clients supporting RFC 6186:

 _submission._tcp     SRV 0 1 587 mail.example.org.
 _imap._tcp           SRV 2 1 143 imap.example.org.
 _imaps._tcp          SRV 1 1 993 imap.example.org.
 _pop3._tcp           SRV 4 1 110 pop3.example.org.
 _pop3s._tcp          SRV 3 1 995 pop3.example.org.
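How a client supporting RFC 6186 would read the records above, as an added example that is not part of the original page or of automx: the SRV priority is compared across service types, so the lowest value is the preferred mail store, and a target of "." marks a service as not offered. The function names and the `STORE` table are this example's own.

```python
# Records copied from the DNS SRV section of this page (names relative to example.org).
ZONE = """\
_submission._tcp     SRV 0 1 587 mail.example.org.
_imap._tcp           SRV 2 1 143 imap.example.org.
_imaps._tcp          SRV 1 1 993 imap.example.org.
_pop3._tcp           SRV 4 1 110 pop3.example.org.
_pop3s._tcp          SRV 3 1 995 pop3.example.org.
"""

# RFC 6186 service labels for the message store and how each one gets TLS.
STORE = {
    "_imaps._tcp": "implicit TLS",
    "_pop3s._tcp": "implicit TLS",
    "_imap._tcp": "plain port, TLS only via STARTTLS",
    "_pop3._tcp": "plain port, TLS only via STARTTLS",
}


def parse_srv(zone):
    """Parse 'name [IN] SRV priority weight port target' lines into dicts."""
    records = []
    for line in zone.splitlines():
        fields = line.split(";")[0].split()      # drop zone-file comments
        if "SRV" not in fields:
            continue
        i = fields.index("SRV")
        if i == 0 or len(fields) != i + 5:
            raise ValueError("malformed SRV line: %r" % line)
        priority, weight, port = (int(v) for v in fields[i + 1:i + 4])
        records.append({"service": fields[0], "priority": priority,
                        "weight": weight, "port": port, "target": fields[i + 4]})
    return records


def rank_stores(records):
    """Order IMAP/POP3 choices the way an RFC 6186 client tries them."""
    # A target of "." means the service is explicitly not offered.
    offered = [r for r in records if r["service"] in STORE and r["target"] != "."]
    # Lowest priority wins across service types. RFC 2782 picks by weighted
    # random choice inside one priority; sorted here to stay deterministic.
    return sorted(offered, key=lambda r: (r["priority"], -r["weight"]))


if __name__ == "__main__":
    for r in rank_stores(parse_srv(ZONE)):
        print(r["service"], r["target"], r["port"], STORE[r["service"]])
```

With the page's records, IMAP over implicit TLS on port 993 is tried first and the STARTTLS-dependent port 143 only second.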


automx

Installation

If you would like to support eMClient for OX App Suite, please make sure that you are using a version after 1.1.1 or an earlier patched version which supports the DAV and OX services. automx2 is not sufficient: its current versions only support the IMAP and SMTP mail services and support neither DAV nor the OX service extensions for autodiscover.

For manual installation please refer to the automx download instructions.

RPM packages for SUSE and RHEL flavours are provided by the Open Build Service. Those packages are currently version 0.10.2 with the above patches applied and work with Python 2.

Configuration

automx

Detailed documentation is available via man automx.conf and, for more dynamic setups, automx_script, automx_ldap and automx_sql.

/etc/automx.conf:

[automx]
provider = example.org
domains = example.org, example.com
debug = no
logfile = /var/log/automx/automx.log

# Protect against DoS
memcache = 127.0.0.1:11211
memcache_ttl = 600
client_error_limit = 20
rate_limit_exception_networks = 127.0.0.0/8, ::1/128

# The DEFAULT section is always merged into each other section. Each section
# can overwrite settings done here.
[DEFAULT]
account_type = email
account_name = example Mail
account_name_short = example Mail


# If a domain is listed in the automx section, it may have its own section. If
# none is found here, the global section is used.
[global]
backend = static
action = settings

# EAS (mobilesync)
server_url = https://eas.example.org
server_name = example

# If you want to sign mobileconfig profiles, enable these options. Make sure
# that your webserver has proper privileges to read the key. The cert file
# must contain the server certificate and all intermediate certificates. You
# can simply concatenate these certificates.
#sign_mobileconfig = yes
#sign_cert = /path/to/cert
#sign_key = /path/to/key

smtp = yes
smtp_server = mail.example.org
smtp_port = 587
smtp_encryption = starttls
smtp_auth = plaintext
smtp_auth_identity = %s
smtp_refresh_ttl = 6
smtp_default = yes

imap = yes
imap_server = mail.example.org
imap_port = 993
imap_encryption = ssl
imap_auth = plaintext
imap_auth_identity = %s
imap_refresh_ttl = 6

pop = yes
pop_server = mail.example.org
pop_port = 995
pop_encryption = ssl
pop_auth = plaintext
pop_auth_identity = %s
pop_refresh_ttl = 6

carddav = yes
carddav_server = https://dav.example.org/
carddav_auth_identity = %s

caldav = yes
caldav_server = https://dav.example.org/
caldav_auth_identity = %s

ox = yes
ox_server = https://ox.example.org/
ox_auth_identity = %s

follow = imap_starttls

[imap_starttls]
backend = static_append

imap = yes
imap_server = mail.example.org
imap_port = 143
imap_encryption = starttls
imap_auth = plaintext
imap_auth_identity = %s
imap_refresh_ttl = 6
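A pre-deployment check for a configuration like the one above, as an added example that is not part of automx or of the original page: it walks the `follow` chain starting at `[global]` and reports enabled mail services without `ssl` or `starttls`, and DAV/OX URLs that are not https. The `[legacy]` section and the value `imap_encryption = none` are constructed for the demonstration, and `audit` is a hypothetical helper name.

```python
import configparser

# Constructed sample (not the page's file): a trimmed [global] that follows a
# hypothetical, deliberately weak [legacy] section.
SAMPLE = """\
[DEFAULT]
account_type = email

[global]
smtp = yes
smtp_encryption = starttls
smtp_auth = plaintext
smtp_auth_identity = %s
carddav = yes
carddav_server = https://dav.example.org/
follow = legacy

[legacy]
imap = yes
imap_encryption = none
imap_auth = plaintext
ox = yes
ox_server = http://ox.example.org/
"""


def audit(text, start="global"):
    """Return (section, service, issue) for settings that expose credentials."""
    # interpolation=None: '%s' is automx's placeholder, not configparser syntax
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings, seen, name = [], set(), start
    while name and name not in seen:          # walk the follow chain once
        seen.add(name)
        if not cp.has_section(name):
            findings.append((name, "follow", "section does not exist"))
            break
        sec = cp[name]                        # [DEFAULT] is merged in here
        for svc in ("smtp", "imap", "pop"):
            enc = sec.get(svc + "_encryption", "").lower()
            if sec.getboolean(svc, fallback=False) and enc not in ("ssl", "starttls"):
                findings.append((name, svc, "no TLS before authentication"))
        for svc in ("carddav", "caldav", "ox"):
            url = sec.get(svc + "_server", "").lower()
            if sec.getboolean(svc, fallback=False) and not url.startswith("https://"):
                findings.append((name, svc, "service URL is not https"))
        name = sec.get("follow")
    return findings
```

Run against the sample, `audit(SAMPLE)` reports the `imap` and `ox` entries of `[legacy]`; the settings shown on this page produce no findings.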

Apache

e.g. /etc/{apache2,httpd}/conf.d/automx.conf:

<IfModule mod_wsgi.c>
    WSGIChunkedRequest On

    WSGIScriptAliasMatch \
      (?i)^/.+/(autodiscover|config-v1.1).xml \
      /usr/lib/automx/automx_wsgi.py

    WSGIScriptAlias \
      /mobileconfig \
      /usr/lib/automx/automx_wsgi.py

    <Directory "/usr/lib/automx">
            Require all granted
    </Directory>
</IfModule>

If iOS/macOS web provisioning should be provided, there should also be a /etc/{apache2,httpd}/conf.d/automx-web.conf:

Alias /automx "/usr/share/automx/"

<Directory "/usr/share/automx">
    Options Indexes MultiViews
    Require all granted
</Directory>

eMClient for OX App Suite has a special requirement to make the autoconfiguration experience nice and straightforward. To make it ask for a password directly instead of later in the setup process (where it requires a restart of the application to be fully functional), autodiscover.xml has to be protected via basic auth. In our scenario there is nothing to protect really, so in this example we allow any credentials for access but still ask for some. Whatever the user enters at this prompt is sent to the server in the Basic auth header, so keep Anonymous_LogEmail off (otherwise mod_authn_anon writes the supplied password to the error log) and serve this location over HTTPS only.

For this add the following section to /etc/{apache2,httpd}/conf.d/automx.conf:

    <Location "/autodiscover/autodiscover.xml">
            AuthType Basic
            AuthName "Restricted"
            AuthBasicProvider anon
            Anonymous_NoUserID off
            Anonymous_MustGiveEmail off
            Anonymous_VerifyEmail off
            Anonymous_LogEmail off
            Anonymous *
            Require valid-user
    </Location>

Related links

DAV autodiscovery