How to automatically configure email (Thunderbird, Outlook, and iOS/OSX Mail) with Nethserver


I left that deliberately vague, as there are a number of ways you could use Let’s Encrypt with your Neth installation. But if you got your primary cert using the server manager, you should be able to just run certbot certonly --webroot -w /var/www/html -d autoconfig.yourdomain --fullchain-path /etc/automx/fullchain.pem --key-path /etc/automx/privkey.pem. No events should be needed on renewal, and this cert should be renewed when your normal renewal task happens.

Edit: In case it wasn’t clear, you do need to create the directory first: mkdir /etc/automx.

Sorry for requesting further help :slight_smile: :

   How would you like to authenticate with the ACME CA?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Spin up a temporary webserver (standalone)
    2: Place files in webroot directory (webroot)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

… my letsencrypt certificate is valid for several vhost A records, e.g. autoconfig.mydomain, sogo.mydomain, www.mydomain, mail.mydomain as well as for AD (not an exclusive list).

From the details before, I suppose it is [1], as I set up an A record & collected a certificate update for autoconfig.mydomain.tld

TIA
Thorsten

You’d use option 2, webroot.

Tried that, but my apple phone reported an error for autoconfig. As it used myservername.myname.tld instead of autoconfig.myname.tld, I think there is an error for my SRV record. I will put this to my provider to set up correctly according to your requirements.

What error, exactly? I’ve seen some errors with properly signing the .mobileconfig file, but haven’t been able to track down the cause as yet. But the SRV record shouldn’t affect anything on an iPhone; it would only affect Outlook.

From the internal (green) network, it reports a Certificate Error, reporting the DNS name of Nethserver's FQDN as invalid. I suppose it expects a certificate for autoconfig.myname.tld instead of nethservername.myname.tld. I am wondering, as no virtual host for autoconfig.myname.tld is set up. However, I did not manage to fulfill all steps of the installation procedure for the iPhone. Additionally, I am wondering why I use option [2] - webroot - instead of autoconfig. Or is this because webroot means any DNS name not explicitly defined -> autoconfig.myname.tld = webroot as long as no vhost is defined?

From an external source, no error is reported, it simply does not work. It leads me to manual configuration.

TIA
Thorsten

No, I don’t think that’s what’s going on. To autoconfigure an iPhone (or iPad, or the Apple Mail app on MacOS), you need to generate and download a .mobileconfig profile. You can do that by either creating your own web form (using the code posted above) or by using the automx-web package. iOS Mail will not auto-configure by just entering name/email address the way that Outlook and Thunderbird will.

If you’re getting a certificate error, it’s because the server is presenting a certificate that doesn’t match the hostname being requested. Your iPhone shouldn’t be requesting autoconfig.yourdomain, but even if it were, your main server cert should include autoconfig.yourdomain. I think I need to clarify those instructions a bit.

The nethserver-automx RPM sets up a virtual host for autoconfig.yourdomain, but it doesn’t appear in the server manager.

Because you have a web server running already. The standalone option would only work if you didn’t have one running.


In order for Thunderbird to autoconfigure for user@maildomain, autoconfig.maildomain must respond to queries with appropriately-formatted XML. Therefore, I’m thinking that this property:

isn’t really a good idea. Outlook can use any FQDN you want, as long as the SRV record is set appropriately, but if you want Thunderbird to work, you need to use autoconfig*.

*Well, there is an alternative for Thunderbird, which makes the XML available at maildomain/.well-known/(something), but automx doesn’t implement that.


Dear Dan,

Still does not work on my iPhone. Ok, my failure is that I mixed up the command you provided with the manual copy step of certificates. I guess I will need to add the certificates: Which files do I need to copy in /etc/automx/

> config show automx
   automx=service
     CertPath=/etc/automx/fullchain.pem
     Debug=disabled
     KeyPath=/etc/automx/privkey.pem
     SignMobileconfig=enabled
     UseLdap=disabled

Edit:
Is there a misunderstanding? Initially I supposed to set up a user profile on my iPhone from “Accounts & Passwords” -> Add Account -> Exchange Account.
Indeed, I need to call autoconfig.mydomain.tld from Safari, which resulted in an IMAP profile instead of an ActiveSync account

TIA
Thorsten

/etc/letsencrypt/live/autoconfig.yourdomain/fullchain.pem and /privkey.pem.

Yes, I think so–that isn’t at all the way you’d do it. The options are:

  • Thunderbird users: Create new email account, enter name and email address, and Thunderbird will retrieve the remainder of the account settings.
  • MS Outlook users: Same as Thunderbird–the backend mechanism works differently, but the UX is pretty much the same.
  • Apple Mail users (iOS or MacOS): Import the .mobileconfig file. Ideally that would be done by visiting the web form on the device in question, entering name/email/password, and clicking the button. This will let you open (import) the .mobileconfig file. Importing that configuration will create the email account with the name, email address, password, and all the correct server settings.

I understand there are other clients that implement either Thunderbird-style or Outlook-style auto-discovery, but I don’t know what they are.

Thanks, lets encrypt is working now! :+1:

My intention was to be able to change the domainname so I can have autoconfig.mydomain.com. The domain where I can setup SRV records is not the same I used as domainname on my server.

I’ll do some more tests with thunderbird and report back…

EDIT:

Now thunderbird just works! :+1:

Fortunately, Thunderbird doesn’t care about SRV records–they’re there only for Outlook’s benefit. To do automatic configuration with the method provided by automx, for a user user@domain.tld, Thunderbird needs to be able to connect to autoconfig.domain.tld and retrieve the appropriate XML configuration. Outlook, by default, will connect to autodiscover.domain.tld, unless it finds a SRV record telling it to look elsewhere. You could make Outlook work without the SRV record by setting up autodiscover.domain.tld to point to your server (and adding that FQDN onto your TLS certificate), but it seemed to me that the method I’m using was the simplest way to do it.


Hi ! Very interesting work.

I ran into multiple issues however. At first nothing worked. Mobileconfig files were empty, and Thunderbird didn’t auto-configure.

Here are my debug notes :

Trying to test using /usr/bin/automx-test :

Testing Autoconfig ...
Connecting to http://autoconfig.gaillet.be/mail/config-v1.1.xml?emailaddress=matthieu@gaillet.be ...

  HTTP/1.1 302 Found
  Date: Sat, 08 Sep 2018 19:31:50 GMT
  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
  Location: https://autoconfig.gaillet.be/mail/config-v1.1.xml?emailaddress=matthieu@gaillet.be
  Content-Length: 267
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
  HTTP/1.1 500 Internal Server Error
  Date: Sat, 08 Sep 2018 19:31:50 GMT
  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
  Content-Length: 0
  Connection: close
  Content-Type: text/xml
Trying fallback URL ...
Connecting to http://gaillet.be/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=matthieu@gaillet.be ...

No autoconfig endpoint found.

In /var/log/httpd/error_log, I see [Errno 2] No such file or directory: u'/var/log/automx/automx.log'
–> easy one : chown apache:apache /var/log/automx/

and also :
raise Exception("python ldap missing")

Therefore I tried to pip install python-ldap, which in turn failed because I first needed to yum install python-devel openldap-devel.

Then it began to work. At least it looked like it worked but still Thunderbird isn’t auto configuring.

There is a connection on http port, with a 302 invitation to switch https, then I don’t know what happens.

Next I use the web interface to generate a mobileconfig file. It works !

Now the next big deal is getting caldav and carddav auto configure for nextcloud !

Enough for tonight, I’ll go further tomorrow. If someone has some advice, I’ll be happy to follow them.

BTW, passwords are shown as clear text in the logs. I guess that shouldn’t be the case ?!


I thought I’d required python-ldap as a dependency in nethserver-automx, but it looks like I hadn’t. I’ll try to get an updated RPM out shortly to address that. I’d recommend yum install python-ldap, though, rather than pip.

I believe this is expected if you have Debug turned on–which is one reason you shouldn’t leave it turned on.

The redirect issue isn’t expected with 0.0.1-5–which version do you have installed?

Thanks I followed your advice.

Installed Packages
Name        : nethserver-automx
Arch        : noarch
Version     : 0.0.1
Release     : 5.ns7
Size        : 4.5 k
Repo        : installed
From repo   : danb35
Summary     : NethServer configuration for automx
License     : GPL
Description : NethServer configuration for automx (https://automx.org)

This morning there was an update, I did it :

---> Package nethserver-automx.noarch 0:0.0.1-5.ns7 will be updated
---> Package nethserver-automx.noarch 0:0.0.1-6.ns7 will be an update

in access-log I see

10.0.1.57 - - [09/Sep/2018:09:14:06 +0200] "POST /mobileconfig HTTP/1.1" 200 4886 "https://autoconfig.gaillet.be/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.

That looks better but still Thunderbird complains that it can’t find the right settings. Could be a Thunderbird issue though.

Could be, but shouldn’t. What’s the result of automx-test now?

Works perfectly.

Wireshark tcp conversation trace taken on the client side :

GET /mail/config-v1.1.xml?emailaddress=matthieu%40gaillet.be HTTP/1.1
Host: autoconfig.gaillet.be
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 Lightning/5.4.9.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 302 Found
Date: Sun, 09 Sep 2018 10:34:47 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
Location: https://autoconfig.gaillet.be/mail/config-v1.1.xml?emailaddress=matthieu%2540gaillet.be
Content-Length: 271
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://autoconfig.gaillet.be/mail/config-v1.1.xml?emailaddress=matthieu%2540gaillet.be">here</a>.</p>
</body></html>

Then there is https traffic that I can not read, obviously.

Maybe you could try on your side ?
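One detail in the trace above is worth checking by hand: Thunderbird requests emailaddress=matthieu%40gaillet.be, but the Location header of the 302 carries matthieu%2540gaillet.be, so the '@' is percent-encoded twice, whereas automx-test sends the '@' raw and gets it back unchanged. The script below is an added example, not code from the thread or from automx; the request line and Location header are constructed to mirror the trace, and it reports any query parameter that only matches the original after a second round of decoding.

```python
"""Detect double percent-encoding of query parameters in an HTTP redirect."""
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample mirroring the Wireshark trace above (not a live capture).
REQUEST_TARGET = "/mail/config-v1.1.xml?emailaddress=matthieu%40gaillet.be"
LOCATION = ("https://autoconfig.gaillet.be/mail/config-v1.1.xml"
            "?emailaddress=matthieu%2540gaillet.be")


def query_params(target):
    """Decode the query string exactly once, as an HTTP client would."""
    query = urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def double_encoded_params(request_target, location):
    """Return the names of parameters that the redirect encoded a second time.

    A value that equals the original after one decode is fine; one that only
    matches after another unquote() round was escaped twice by the server.
    """
    original = query_params(request_target)
    redirected = query_params(location)
    bad = []
    for name, value in original.items():
        got = redirected.get(name)
        if got == value:
            continue  # redirect preserved the parameter correctly
        if got is not None and unquote(got) == value:
            bad.append(name)  # needed a second decode: double-encoded
    return bad


def check_redirect(request_target, location):
    """Summarise the result as a short status string."""
    bad = double_encoded_params(request_target, location)
    return "ok" if not bad else "double-encoded: " + ", ".join(bad)


if __name__ == "__main__":
    print(check_redirect(REQUEST_TARGET, LOCATION))
```

If the redirect comes from a mod_rewrite rule, the NE (noescape) flag stops Apache from escaping an already-encoded query a second time; whether that is the source of this redirect is an assumption, since the thread does not show the Apache configuration.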

[root@neth ~]# automx-test
Provide the mail address for which configuration settings should be retrieved.
Mail address: matthieu@gaillet.be

Testing Autoconfig ...
Connecting to http://autoconfig.gaillet.be/mail/config-v1.1.xml?emailaddress=matthieu@gaillet.be ...

  HTTP/1.1 302 Found
  Date: Sun, 09 Sep 2018 10:41:51 GMT
  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
  Location: https://autoconfig.gaillet.be/mail/config-v1.1.xml?emailaddress=matthieu@gaillet.be
  Content-Length: 267
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
  HTTP/1.1 200 OK
  Date: Sun, 09 Sep 2018 10:41:51 GMT
  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
  Content-Length: 858
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/xml
<?xml version='1.0' encoding='utf-8'?>
<clientConfig version="1.1">
  <emailProvider id="localhost">
    <domain>gaillet.be</domain>
    <displayName>matthieu@gaillet.be account</displayName>
    <displayShortName>matthieu</displayShortName>
    <outgoingServer type="smtp">
      <hostname>mattlabs.gaillet.be</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>matthieu</username>
      <useGlobalPreferredServer>yes</useGlobalPreferredServer>
    </outgoingServer>
    <incomingServer type="imap">
      <hostname>mattlabs.gaillet.be</hostname>
      <port>143</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>matthieu</username>
    </incomingServer>
  </emailProvider>
</clientConfig>

Testing Autodiscover (Microsoft Outlook(tm)) ...
Connecting to https://autoconfig.gaillet.be/autodiscover/autodiscover.xml ...

  HTTP/1.1 200 OK
  Date: Sun, 09 Sep 2018 10:41:51 GMT
  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
  Content-Length: 1693
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/xml
<?xml version='1.0' encoding='utf-8'?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>prova</DisplayName>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>SMTP</Type>
        <Server>mattlabs.gaillet.be</Server>
        <Port>587</Port>
        <DomainRequired>off</DomainRequired>
        <LoginName>matthieu</LoginName>
        <SPA>off</SPA>
        <Encryption>TLS</Encryption>
        <AuthRequired>on</AuthRequired>
        <TTL>6</TTL>
      </Protocol>
      <Protocol>
        <Type>IMAP</Type>
        <Server>mattlabs.gaillet.be</Server>
        <Port>143</Port>
        <DomainRequired>off</DomainRequired>
        <LoginName>matthieu</LoginName>
        <SPA>off</SPA>
        <Encryption>TLS</Encryption>
        <AuthRequired>on</AuthRequired>
        <TTL>6</TTL>
      </Protocol>
      <Protocol>
        <Type>CardDAV</Type>
        <Server>mattlabs.gaillet.be</Server>
        <Port>443</Port>
        <DomainRequired>off</DomainRequired>
        <LoginName>matthieu</LoginName>
        <Encryption>SSL</Encryption>
        <AuthRequired>off</AuthRequired>
      </Protocol>
      <Protocol>
        <Type>CalDAV</Type>
        <Server>mattlabs.gaillet.be</Server>
        <Port>443</Port>
        <DomainRequired>off</DomainRequired>
        <LoginName>matthieu</LoginName>
        <Encryption>SSL</Encryption>
        <AuthRequired>off</AuthRequired>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>

Testing Autodiscover (mobilesync) ...
Connecting to https://autoconfig.gaillet.be/autodiscover/autodiscover.xml ...

  HTTP/1.1 200 OK
  Date: Sun, 09 Sep 2018 10:41:52 GMT
  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
  Content-Length: 543
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/xml
<?xml version='1.0' encoding='utf-8'?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
    <Culture>en:us</Culture>
    <User>
      <DisplayName>prova</DisplayName>
      <EmailAddress>matthieu@gaillet.be</EmailAddress>
    </User>
    <Action>
      <Settings>
        <Server>
          <Type>MobileSync</Type>
        </Server>
      </Settings>
    </Action>
  </Response>
</Autodiscover>

Testing mobileconfig...
Connecting to https://autoconfig.gaillet.be/mobileconfig ...

  HTTP/1.1 200 OK
  Date: Sun, 09 Sep 2018 10:41:52 GMT
  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
  Content-Disposition: attachment; filename="company.mobileconfig
  Content-Length: 4878
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-apple-aspen-config; charset=utf-8
(binary content snipped)

On first glance, at least, this looks just fine. What do you see on your client machine if you try to pull up https://autoconfig.gaillet.be/mail/config-v1.1.xml?emailaddress=matthieu@gaillet.be

Edit: and noticing that python-ldap hasn’t been installed or required makes me wonder if that’s why retrieving user information from LDAP wasn’t working. I’ll feel pretty silly if that was the case, but at least it’s a pretty easy fix. Still some testing to do on that.
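Since the two problems in this thread were a certificate that did not match the requested hostname and password-cleartext authentication that is only acceptable over TLS, here is a small review of a clientConfig v1.1 document of the kind automx-test prints above. It is an added example, not code from the thread or from automx; the XML and the list of certificate names are constructed to resemble the output above, with the IMAP entry deliberately set to a plain socket and the SMTP host deliberately left off the certificate so that both checks fire.

```python
"""Review a Thunderbird autoconfig document for weak transport settings."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the automx-test output (not the real one).
SAMPLE_XML = """<clientConfig version="1.1">
  <emailProvider id="localhost">
    <domain>gaillet.be</domain>
    <outgoingServer type="smtp">
      <hostname>smtp.gaillet.be</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
    </outgoingServer>
    <incomingServer type="imap">
      <hostname>mattlabs.gaillet.be</hostname>
      <port>143</port>
      <socketType>plain</socketType>
      <authentication>password-cleartext</authentication>
    </incomingServer>
  </emailProvider>
</clientConfig>"""

# Constructed: exact subjectAltName entries of the server certificate (assumption,
# wildcards are not handled here).
CERT_NAMES = ["mattlabs.gaillet.be", "autoconfig.gaillet.be"]


def review_client_config(xml_text, cert_names):
    """Return findings as 'type: problem' strings; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter():  # document order: outgoing, then incoming
        if server.tag not in ("incomingServer", "outgoingServer"):
            continue
        kind = server.get("type", "?")
        host = server.findtext("hostname", "")
        socket = server.findtext("socketType", "")
        auth = server.findtext("authentication", "")
        if host not in cert_names:
            findings.append(f"{kind}: {host} is not covered by the certificate")
        if socket not in ("SSL", "STARTTLS"):
            findings.append(f"{kind}: socketType {socket!r} sends traffic unencrypted")
            if auth == "password-cleartext":
                findings.append(f"{kind}: password-cleartext without TLS exposes the password")
    return findings


if __name__ == "__main__":
    for finding in review_client_config(SAMPLE_XML, CERT_NAMES):
        print(finding)
```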

That’s why it’s a beta :slight_smile:

I’ll not investigate further right now because I just discovered that a simple redirection from /.well-known/caldav to /nextcloud/remote.php/dav (my personal case) was enough for my need, it helps OSX clients to connect easily to the nextcloud instance.

You should probably take care of the possibility to run nextcloud in a virtualhost on nethserver if you want to support that case. See Nextcloud — NethServer 7 Final