autoconfig returns mailcow_hostname for all domains, causing security certificate errors with Outlook clients #6230

Open
ibesec opened this issue Dec 28, 2024 · 5 comments

ibesec commented Dec 28, 2024

Edit (26/02/2025): bug still exists.

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

By default, autoconfig returns mailcow_hostname for all hostname fields (incoming server/IMAP, outgoing server/SMTP, etc.), even for secondary domains.

This results in the Outlook client returning an Internet Security Warning:
"The server you are connected to is using a security certificate that cannot be verified - The target principal name is incorrect."

Returning the secondary domain's hostname instead fixes this issue.

Logs:

N/A

Steps to reproduce:

1. Set up a mailcow instance with an extra SAN (will call this the "secondary domain"), and set up all advanced SSL configurations as required.
2. Verify the newly issued Let's Encrypt certificate now includes your secondary domain as a SAN.
3. Create a new mailbox in the secondary domain.
4. Add your new mailbox as a new account to any Outlook (classic) client using the autoconfig parameters - don't manually modify any hostnames or ports.
5. The Internet Security Warning message will pop up.
6. By editing the newly added account details in Outlook, you will confirm autoconfig set IMAP and SMTP hostnames to the main mailcow_hostname.
7. Change the IMAP and SMTP hostnames to the secondary domain.
8. You have fixed the issue.

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

N/A

Server/VM specifications:

N/A

Is Apparmor, SELinux or similar active?

N/A

Virtualization technology:

N/A

Docker version:

N/A

docker-compose version or docker compose version:

N/A

mailcow version:

2024-11b

Reverse proxy:

N/A

Logs of git diff:

N/A - only changes to SOGo configuration and certificates.

Logs of iptables -L -vn:

N/A

Logs of ip6tables -L -vn:

N/A

Logs of iptables -L -vn -t nat:

N/A

Logs of ip6tables -L -vn -t nat:

N/A

DNS check:

N/A
@ibesec ibesec added the bug label Dec 28, 2024
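The report above gives the symptom (Outlook's "target principal name is incorrect") and the manual fix (point the client at the secondary domain's own hostname), but no way to confirm, before touching a client, whether a given autoconfig response hands out hostnames that the certificate actually covers. The following is an added example, not code from the issue or from mailcow: it parses a Mozilla-style autoconfig document and lists every incoming/outgoing `<hostname>` that no subjectAltName covers, using RFC 6125-style matching (exact match, or a single leftmost wildcard label). The XML document and the SAN lists are constructed for this example; `sansFromPem()` is included so the same check can be run on a real certificate (for instance one saved from `openssl s_client -servername <host>`, because a server that picks certificates by SNI presents a different one per name).

```php
<?php
// Added example (not mailcow code): check that every server hostname an autoconfig
// response hands out is covered by the TLS certificate's SAN list. A hostname that
// is not covered is exactly what produces Outlook's "target principal name is
// incorrect" warning.
declare(strict_types=1);

// Constructed sample of an autoconfig response for a secondary domain; all names
// below are made up for this example.
const SAMPLE_AUTOCONFIG = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="secondary.example">
    <domain>secondary.example</domain>
    <incomingServer type="imap">
      <hostname>mail.primary.example</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.primary.example</hostname>
      <port>465</port>
      <socketType>SSL</socketType>
    </outgoingServer>
  </emailProvider>
</clientConfig>
XML;

/** dNSName entries of a PEM certificate (for use on a real cert; none is embedded here). */
function sansFromPem(string $pem): array {
    $info = openssl_x509_parse($pem);
    if ($info === false || empty($info['extensions']['subjectAltName'])) {
        return [];
    }
    $names = [];
    foreach (explode(',', $info['extensions']['subjectAltName']) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(substr($entry, 4));
        }
    }
    return $names;
}

/** RFC 6125-style match: exact name, or a wildcard that covers exactly one leftmost label. */
function hostMatchesSan(string $host, string $san): bool {
    $host = strtolower(rtrim($host, '.'));
    $san  = strtolower(rtrim($san, '.'));
    if ($host === $san) {
        return true;
    }
    if (!str_starts_with($san, '*.')) {
        return false;
    }
    $hostLabels = explode('.', $host);
    $sanLabels  = explode('.', $san);
    // Same number of labels, and everything right of the wildcard identical.
    return count($hostLabels) === count($sanLabels)
        && array_slice($hostLabels, 1) === array_slice($sanLabels, 1);
}

/** Server hostnames in the autoconfig document that no SAN covers (empty array = all good). */
function uncoveredHostnames(string $autoconfigXml, array $sans): array {
    $xml = simplexml_load_string($autoconfigXml);
    if ($xml === false) {
        throw new InvalidArgumentException('not a valid autoconfig document');
    }
    $uncovered = [];
    foreach ($xml->xpath('//incomingServer/hostname | //outgoingServer/hostname') as $node) {
        $host = trim((string) $node);
        $covered = false;
        foreach ($sans as $san) {
            if (hostMatchesSan($host, $san)) {
                $covered = true;
                break;
            }
        }
        if (!$covered) {
            $uncovered[$host] = true;
        }
    }
    return array_keys($uncovered);
}

// Constructed SAN lists: the first lacks the hostname the response hands out,
// the second covers it.
print_r(uncoveredHostnames(SAMPLE_AUTOCONFIG, ['mail.secondary.example', '*.secondary.example']));
print_r(uncoveredHostnames(SAMPLE_AUTOCONFIG, ['mail.primary.example', 'mail.secondary.example']));
```

The first call reports `mail.primary.example` as uncovered, the second reports nothing. Run it against the certificate a client would actually be shown for the returned hostname, not against the certificate you expect to be installed: the report's step 2 verifies that the SAN is present on the issued certificate, and the check above tells you whether the hostname the client is being sent is one of those names.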
@milkmaker (Collaborator)

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@milkmaker milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label Feb 26, 2025

ibesec commented Feb 26, 2025

This issue is still occurring.

@milkmaker milkmaker removed the stale Please update the issue with current status, unclear if it's still open/needed. label Feb 26, 2025

4ntsu commented Feb 28, 2025

Hi,
Based on the docs here, I have implemented an ugly workaround for this issue, and it seems to work fine for my use case:

  1. In your mailcow directory, navigate to data/web/inc/ and create a file named vars.local.inc.php.
  2. In this file, add the following contents (adapt as needed if you're not using mail.* for your domains):
<?php

// Derive the mail hostname from the Host header of the autoconfig/autodiscover request.
// $_SERVER['HTTP_HOST'] is the client-supplied Host header (it may include ":port");
// the leading "autoconfig"/"autodiscover" label is swapped for "mail".
// Note: str_replace() replaces the string wherever it occurs, not only as the first label.
if (str_starts_with($_SERVER['HTTP_HOST'], 'autoconfig.') OR str_starts_with($_SERVER['HTTP_HOST'], 'autodiscover.')) {
  $config_host = str_replace('autoconfig', 'mail', $_SERVER['HTTP_HOST']);
  $config_host = str_replace('autodiscover', 'mail', $config_host);
} else { // Leave it as is
  $config_host = $_SERVER['HTTP_HOST'];
}

// $https_port is not set here; it comes from vars.inc.php, which includes this file.

$autodiscover_config = array(
  // General autodiscover service type: "activesync" or "imap"
  // emClient uses autodiscover, but does not support ActiveSync. mailcow excludes emClient from ActiveSync.
  // With SOGo disabled, the type will always fallback to imap. CalDAV and CardDAV will be excluded, too.
  'autodiscoverType' => 'activesync',
  // If autodiscoverType => activesync, also use ActiveSync (EAS) for Outlook desktop clients (>= Outlook 2013 on Windows)
  // Outlook for Mac does not support ActiveSync
  'useEASforOutlook' => 'no',
  // Please don't use STARTTLS-enabled service ports in the "port" variable.
  // The autodiscover service will always point to SMTPS and IMAPS (TLS-wrapped services).
  // The autoconfig service will additionally announce the STARTTLS-enabled ports, specified in the "tlsport" variable.
  'imap' => array(
    'server' => $config_host,
    'port' => (int)filter_var(substr(getenv('IMAPS_PORT'), strrpos(getenv('IMAPS_PORT'), ':')), FILTER_SANITIZE_NUMBER_INT),
    'tlsport' => (int)filter_var(substr(getenv('IMAP_PORT'), strrpos(getenv('IMAP_PORT'), ':')), FILTER_SANITIZE_NUMBER_INT)
  ),
  'pop3' => array(
    'server' => $config_host,
    'port' => (int)filter_var(substr(getenv('POPS_PORT'), strrpos(getenv('POPS_PORT'), ':')), FILTER_SANITIZE_NUMBER_INT),
    'tlsport' => (int)filter_var(substr(getenv('POP_PORT'), strrpos(getenv('POP_PORT'), ':')), FILTER_SANITIZE_NUMBER_INT)
  ),
  'smtp' => array(
    'server' => $config_host,
    'port' => (int)filter_var(substr(getenv('SMTPS_PORT'), strrpos(getenv('SMTPS_PORT'), ':')), FILTER_SANITIZE_NUMBER_INT),
    'tlsport' => (int)filter_var(substr(getenv('SUBMISSION_PORT'), strrpos(getenv('SUBMISSION_PORT'), ':')), FILTER_SANITIZE_NUMBER_INT)
  ),
  'activesync' => array(
    'url' => 'https://' . $config_host . ($https_port == 443 ? '' : ':' . $https_port) . '/Microsoft-Server-ActiveSync',
  ),
  'caldav' => array(
    'server' => $config_host,
    'port' => $https_port,
  ),
  'carddav' => array(
    'server' => $config_host,
    'port' => $https_port,
  ),
);

After saving, this should already be active; there's no need to restart any services. Tested with Thunderbird on Linux.
Of course, it goes without saying: use this at your own risk. I'm not sure if there are any security risks involved here.
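The open question in the comment above is whether echoing the Host header back into the configuration carries a risk. In practice a forged Host header only changes the response sent to the requester that forged it, so the main exposure is misconfiguration: a request for a host mailcow has no certificate for gets a config pointing at that host, and a request with a Host value that is not a DNS name ends up verbatim in the XML. The block below is an added example, not 4ntsu's file and not mailcow code: the same Host-header idea for data/web/inc/vars.local.inc.php, but the derived name is only used when it appears on an explicit allowlist and looks like a plain DNS name; otherwise the stock MAILCOW_HOSTNAME is handed out. It assumes, as the workaround above does, that vars.inc.php has already defined `$autodiscover_config` and `$https_port` when this file is included, so only the `server`/`url` fields are overridden instead of repeating the whole array. The allowlist entries are made-up names.

```php
<?php
// Added example (not mailcow code): stricter variant of the Host-header workaround
// for data/web/inc/vars.local.inc.php. Names in the allowlist are illustrative.

// Assumption: one "mail." hostname per domain you issue certificates for.
$autoconfig_allowed_hosts = [
  'mail.primary.example',
  'mail.secondary.example',
];

/**
 * Map the request's Host header to the hostname to announce, or return $fallback.
 * Only the leading "autoconfig."/"autodiscover." label is rewritten, the result must
 * look like a DNS name, and it must be on the allowlist; anything else is rejected.
 */
function autoconfigHostFromRequest(string $httpHost, array $allowed, string $fallback): string {
  // Host may carry a port ("autoconfig.secondary.example:443"); drop it.
  $host = strtolower(trim(explode(':', $httpHost, 2)[0]));
  // Swap only the first label, so "myautoconfig.example" is left untouched.
  $host = preg_replace('/^(autoconfig|autodiscover)\./', 'mail.', $host, 1);
  // Plain DNS names only: no brackets, slashes, spaces or other header junk.
  if (!preg_match('/^[a-z0-9.-]+$/', $host) || !in_array($host, $allowed, true)) {
    return $fallback;
  }
  return $host;
}

$config_host = autoconfigHostFromRequest(
  $_SERVER['HTTP_HOST'] ?? '',
  $autoconfig_allowed_hosts,
  (string) getenv('MAILCOW_HOSTNAME')   // what stock mailcow announces for every domain
);

// Stand-alone safety only: when included from vars.inc.php these are already defined.
$https_port = $https_port ?? 443;
$autodiscover_config = $autodiscover_config ?? [];

// Override just the hostname-bearing fields of the stock configuration.
foreach (['imap', 'pop3', 'smtp', 'caldav', 'carddav'] as $service) {
  $autodiscover_config[$service]['server'] = $config_host;
}
$autodiscover_config['activesync']['url'] =
  'https://' . $config_host . ($https_port == 443 ? '' : ':' . $https_port) . '/Microsoft-Server-ActiveSync';
```

A request with `Host: autoconfig.secondary.example` is answered with `mail.secondary.example`; a request with `Host: autoconfig.unknown.example` or `Host: evil.example` falls back to MAILCOW_HOSTNAME, which is the behaviour the unmodified installation has. Because the fallback equals the stock behaviour, the file cannot make things worse than the bug reported here, and it also documents in one place which hostnames you expect to hold certificates for.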

@mrclschstr (Contributor) commented:

@4ntsu I have implemented a very similar workaround. I'm also interested in whether this has any drawbacks or security issues.


ibesec commented Mar 2, 2025

@4ntsu thank you for your contribution. This workaround fixes the issue temporarily indeed, but I believe it should be part of the main implementation of Mailcow.

On the other hand, I am not familiarised with the autodiscover specification, and I am unsure whether this is compliant.
