How to automatically configure email (Thunderbird, Outlook, and iOS/OSX Mail) with Nethserver


Idea: you could retrieve the language needed by the nethserver rpm translation

2 Likes

We could have a chat one day on this.

2 Likes

It’s a possibility. Since the only options are English and German, though, I’m not sure it would be terribly useful. My own preference, in any event, is to have my own form rather than to use the automx-branded one.

Great work! :clap:
I have no Apple device, but it worked well with Outlook, except that it configures the full name to “prova”. I had no success with Thunderbird; it was autoconfigured as POP3.

I didn’t use the original domain name, I used another domain (where I am allowed to set SRV) so I had to tweak it a little bit:

I added some props…

config setprop automx ServerName autoconfig.domain.com
config setprop automx ServerAdmin webmaster@domain.com
config setprop automx ServerAlias autodiscover.domain.com

…and changed /etc/e-smith/templates/etc/httpd/conf.d/virtualhosts.conf/05autoconfig_vhost to use them:

my $servername = ${'automx'}{'ServerName'} || "autoconfig.".$DomainName;
my $serveradmin = ${'automx'}{'ServerAdmin'} || "webmaster@".$DomainName;
my $serveralias = ${'automx'}{'ServerAlias'} || "autodiscover.".$DomainName;

EDIT:

I found it has the letsencrypt bug - it’s not working because of the virtualhost.

3 Likes

Oops, bitten again–I’ll try to push out a fixed RPM tonight.

Edit: Should be available now.

2 Likes

Hi Dan,

there are days I feel small and insignificant. You made today such a day… in a positive manner: I was always wondering why Thunderbird does not configure my e-mail accounts correctly out of the box. I was thinking of “my fault - I did not set up Thunderbird or my server correctly”. It did not even cross my mind that there might be an autotool for this. You did not only solve one of my issues, you also taught me something new :slight_smile: … Works out of the box, thank you so much.

As I do not know much about certificates and I do not want to make an error, can you explain / code these steps in more detail? Additionally, would this require an update if Letsencrypt certificates are renewed? I think there is some script provided by … do not remember, it was about using a certificate for the AD server … maybe the same mechanism can be applied, too, will try to find it…

EDIT:

Best regards
Thorsten

1 Like

I left that deliberately vague, as there are a number of ways you could use Let’s Encrypt with your Neth installation. But if you got your primary cert using the server manager, you should be able to just run certbot certonly --webroot -w /var/www/html -d autoconfig.yourdomain --fullchain-path /etc/automx/fullchain.pem --key-path /etc/automx/privkey.pem. No events should be needed on renewal, and this cert should be renewed when your normal renewal task happens.

Edit: In case it wasn’t clear, you do need to create the directory first: mkdir /etc/automx.

Sorry for requesting further help :slight_smile: :

   How would you like to authenticate with the ACME CA?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Spin up a temporary webserver (standalone)
    2: Place files in webroot directory (webroot)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

… my letsencrypt certificate is valid for several vhost A records, e.g. autoconfig.mydomain, sogo.mydomain, www.mydomain, mail.mydomain as well as for AD (not an exclusive list).

From the details before, I suppose it is [1], as I set up an A record & collected a certificate update for autoconfig.mydomain.tld

TIA
Thorsten

You’d use option 2, webroot.

Tried that, but my Apple phone reported an error for autoconfig. As it used myservername.myname.tld instead of autoconfig.myname.tld, I think there is an error in my SRV record. I will put this to my provider to set up correctly according to your requirements.

What error, exactly? I’ve seen some errors with properly signing the .mobileconfig file, but haven’t been able to track down the cause as yet. But the SRV record shouldn’t affect anything on an iPhone; it would only affect Outlook.

From the internal (green) network, it reports a certificate error, reporting the DNS name of the NethServer’s FQDN as invalid. I suppose it expects a certificate for autoconfig.myname.tld instead of nethservername.myname.tld. I am wondering about this, as no virtual host for autoconfig.myname.tld is set up. However, I did not manage to fulfill all steps of the installation procedure for the iPhone. Additionally, I am wondering why I use option [2] - webroot - instead of autoconfig. Or is this because webroot means any DNS name not explicitly defined -> autoconfig.myname.tld = webroot as long as no vhost is defined?

From an external source, no error is reported; it simply does not work. It leads me to manual configuration.

TIA
Thorsten

No, I don’t think that’s what’s going on. To autoconfigure an iPhone (or iPad, or the Apple Mail app on MacOS), you need to generate and download a .mobileconfig profile. You can do that by either creating your own web form (using the code posted above) or by using the automx-web package. iOS Mail will not auto-configure by just entering name/email address the way that Outlook and Thunderbird will.

If you’re getting a certificate error, it’s because the server is presenting a certificate that doesn’t match the hostname being requested. Your iPhone shouldn’t be requesting autoconfig.yourdomain, but even if it were, your main server cert should include autoconfig.yourdomain. I think I need to clarify those instructions a bit.

The nethserver-automx RPM sets up a virtual host for autoconfig.yourdomain, but it doesn’t appear in the server manager.

Because you have a web server running already. The standalone option would only work if you didn’t have one running.

1 Like

In order for Thunderbird to autoconfigure for user@maildomain, autoconfig.maildomain must respond to queries with appropriately-formatted XML. Therefore, I’m thinking that this property:

isn’t really a good idea. Outlook can use any FQDN you want, as long as the SRV record is set appropriately, but if you want Thunderbird to work, you need to use autoconfig*.

*Well, there is an alternative for Thunderbird, which makes the XML available at maildomain/.well-known/(something), but automx doesn’t implement that.

1 Like

Dear Dan,

Still does not work on my iPhone. OK, my failure is that I mixed up the command you provided with the manual copy step of certificates. I guess I will need to add the certificates: which files do I need to copy into /etc/automx/?

> config show automx
   automx=service
     CertPath=/etc/automx/fullchain.pem
     Debug=disabled
     KeyPath=/etc/automx/privkey.pem
     SignMobileconfig=enabled
     UseLdap=disabled

Edit:
Is there a misunderstanding? Initially I supposed I had to set up a user profile on my iPhone from “Accounts & Passwords” -> Add Account -> Exchange Account.
Indeed, I need to call autoconfig.mydomain.tld from Safari, which resulted in an IMAP profile instead of an ActiveSync account.

TIA
Thorsten

/etc/letsencrypt/live/autoconfig.yourdomain/fullchain.pem and /privkey.pem.

Yes, I think so–that isn’t at all the way you’d do it. The options are:

  • Thunderbird users: Create new email account, enter name and email address, and Thunderbird will retrieve the remainder of the account settings.
  • MS Outlook users: Same as Thunderbird–the backend mechanism works differently, but the UX is pretty much the same.
  • Apple Mail users (iOS or MacOS): Import the .mobileconfig file. Ideally that would be done by visiting the web form on the device in question, entering name/email/password, and clicking the button. This will let you open (import) the .mobileconfig file. Importing that configuration will create the email account with the name, email address, password, and all the correct server settings.

I understand there are other clients that implement either Thunderbird-style or Outlook-style auto-discovery, but I don’t know what they are.

Thanks, Let’s Encrypt is working now! :+1:

My intention was to be able to change the domainname so I can have autoconfig.mydomain.com. The domain where I can setup SRV records is not the same I used as domainname on my server.

I’ll do some more tests with thunderbird and report back…

EDIT:

Now thunderbird just works! :+1:

Fortunately, Thunderbird doesn’t care about SRV records–they’re there only for Outlook’s benefit. To do automatic configuration with the method provided by automx, for a user user@domain.tld, Thunderbird needs to be able to connect to autoconfig.domain.tld and retrieve the appropriate XML configuration. Outlook, by default, will connect to autodiscover.domain.tld, unless it finds a SRV record telling it to look elsewhere. You could make Outlook work without the SRV record by setting up autodiscover.domain.tld to point to your server (and adding that FQDN onto your TLS certificate), but it seemed to me that the method I’m using was the simplest way to do it.

2 Likes

Hi ! Very interesting work.

I ran into multiple issues however. At first nothing worked. Mobileconfig files were empty, and Thunderbird didn’t auto-configure.

Here are my debug notes :

Trying to test using /usr/bin/automx-test :

Testing Autoconfig ...
Connecting to http://autoconfig.gaillet.be/mail/config-v1.1.xml?emailaddress=matthieu@gaillet.be ...

  HTTP/1.1 302 Found
  Date: Sat, 08 Sep 2018 19:31:50 GMT
  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
  Location: https://autoconfig.gaillet.be/mail/config-v1.1.xml?emailaddress=matthieu@gaillet.be
  Content-Length: 267
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
  HTTP/1.1 500 Internal Server Error
  Date: Sat, 08 Sep 2018 19:31:50 GMT
  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
  Content-Length: 0
  Connection: close
  Content-Type: text/xml
Trying fallback URL ...
Connecting to http://gaillet.be/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=matthieu@gaillet.be ...

No autoconfig endpoint found.

In /var/log/httpd/error_log, I see [Errno 2] No such file or directory: u'/var/log/automx/automx.log'
–> easy one : chown apache:apache /var/log/automx/

and also :
raise Exception("python ldap missing")

Therefore I tried to pip install python-ldap, which in turn failed because I first needed to yum install python-devel openldap-devel.

Then it began to work. At least it looked like it worked but still Thunderbird isn’t auto configuring.

There is a connection on the http port, with a 302 invitation to switch to https, then I don’t know what happens.

Next I use the web interface to generate a mobileconfig file. It works !

Now the next big deal is getting caldav and carddav auto configure for nextcloud !

Enough for tonight, I’ll go further tomorrow. If someone has some advice, I’ll be happy to follow it.

BTW, passwords are shown as clear text in the logs. I guess that shouldn’t be the case ?!

1 Like
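
As an added example, not from any poster in this thread and not automx's own code: the Python below lists where Thunderbird and Outlook look for `user@domain` (the two URLs from the automx-test trace, plus the `autodiscover` host and the conventional `_autodiscover._tcp` SRV name, which the thread does not spell out), and audits a returned config-v1.1 XML for two issues raised here, unencrypted transport and POP3 being listed ahead of IMAP. The XML is a constructed sample, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Mozilla's config-v1.1 format (not taken from the thread).
SAMPLE_XML = """<clientConfig version="1.1"><emailProvider id="example.com">
 <incomingServer type="pop3"><hostname>mail.example.com</hostname><port>110</port>
  <socketType>plain</socketType><authentication>password-cleartext</authentication>
 </incomingServer>
 <incomingServer type="imap"><hostname>mail.example.com</hostname><port>993</port>
  <socketType>SSL</socketType><authentication>password-cleartext</authentication>
 </incomingServer>
 <outgoingServer type="smtp"><hostname>mail.example.com</hostname><port>587</port>
  <socketType>STARTTLS</socketType><authentication>password-cleartext</authentication>
 </outgoingServer></emailProvider></clientConfig>"""

def discovery_targets(email):
    """Where each client looks for user@domain, as described in the thread."""
    local, _, domain = email.lower().rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address: %r" % email)
    path = "/mail/config-v1.1.xml?emailaddress=" + email
    return {
        "thunderbird": ["http://autoconfig." + domain + path,
                        "http://" + domain + "/.well-known/autoconfig" + path],
        "outlook_host": "autodiscover." + domain,
        "outlook_srv": "_autodiscover._tcp." + domain,  # SRV can point Outlook elsewhere
    }

def audit_config(xml_text):
    """Return findings for settings that would weaken the configured account."""
    findings = []
    provider = ET.fromstring(xml_text).find("emailProvider")
    if provider is None:
        return ["no emailProvider element"]
    servers = provider.findall("incomingServer") + provider.findall("outgoingServer")
    for srv in servers:
        label = "%s %s:%s" % (srv.get("type"), srv.findtext("hostname"), srv.findtext("port"))
        sock = (srv.findtext("socketType") or "plain").strip()
        if sock.upper() not in ("SSL", "STARTTLS"):
            findings.append("no TLS: " + label)
            if srv.findtext("authentication") == "password-cleartext":
                findings.append("password sent unencrypted: " + label)
    incoming = [s.get("type") for s in provider.findall("incomingServer")]
    # Clients take the first incomingServer they support, so order decides POP3 vs IMAP.
    if incoming and incoming[0] == "pop3" and "imap" in incoming:
        findings.append("pop3 listed before imap")
    return findings

if __name__ == "__main__":
    print(discovery_targets("user@example.com"), *audit_config(SAMPLE_XML), sep="\n")
```

To audit a live server, pass `audit_config` the body returned by the first Thunderbird URL once the HTTP-to-HTTPS redirect has been followed.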