How to automatically configure Thunderbird and Outlook email with Nethserver

danb35 (Dan) 2018-04-01 18:22:00 UTC #1

I’ve been reading up a bit on how to automate, or at least simplify, configuration of email clients to connect to Nethserver. Unfortunately, there doesn’t appear to be any one standard–Thunderbird, Outlook, and iOS/Mac OSX Mail all use different methods to accomplish this. Thunderbird and Outlook are relatively simple, and fairly straightforward, so I’ll describe them here.

The issue

The purpose of this short write-up is to make it easier on your users to correctly configure their email accounts in Thunderbird or Outlook. Once you set this up, they’ll only need to enter their email address and password, and the mail client will contact your server for the rest of the details (mail server names, protocols, port numbers, encryption support, etc.). This how-to is heavily based on Mozilla’s documentation here and here, this blog post, and Microsoft’s documentation.

Overview

When a user sets up a new mail account, both email clients try several methods to determine the correct server settings. The simplest one for us to use is to set up a configuration server. This will be a virtual host with a hostname of autoconfig.yourdomain, whose only purpose will be to serve up an XML file. Unfortunately, Microsoft and Mozilla can’t agree on what that XML file should look like, so you’ll need to create two separate files to cover both clients.

The Virtual Host

Begin by creating a DNS entry for autoconfig.yourdomain, pointing to your Nethserver installation. Since every DNS host is different, you’re on your own here.

Next, create a virtual host. In the Nethserver server manager, go to the Virtual Hosts page and click the Create New button. Enter autoconfig as the name, any description you like, and autoconfig.yourdomain in the Virtual Host Names (FQDN) field. If you handle email for more than one domain, you can enter them all here: autoconfig.domain1,autoconfig.domain2. If users will be accessing their email remotely, uncheck the “Allow access from trusted networks only” box. Check “Require SSL”, and uncheck “Enable FTP”. Click the red Submit button.

Thunderbird Configuration

Now that the virtual host is created, you’ll need to create the config file. SSH in to your Nethserver, cd /var/lib/nethserver/vhost/autoconfig/, mkdir mail, and nano mail/config-v1.1.xml. Substitute your favorite text editor, if it isn’t nano.

You’ll now need to enter the contents of the configuration file. It should look like the sample below, although the displayName and displayShortName fields can be changed to whatever you like.

<?xml version="1.0" encoding="UTF-8"?>

<clientConfig version="1.1">
  <emailProvider id="yourdomain">
    <domain>yourdomain</domain>
    <displayName>Yourdomain Mail</displayName>
    <displayShortName>Yourdomain</displayShortName>
    <incomingServer type="imap">
      <hostname>imap.yourdomain</hostname>
      <port>143</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.yourdomain</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>

Save that file, then chown -R apache mail.

You’re done with the configuration for Thunderbird. When a Thunderbird user sets up a new email account, and enters an email address of user@yourdomain, Thunderbird will retrieve http://autoconfig.yourdomain/mail/config-v1.1.xml and read how to set up the account. Your user will only need to know their email address and password.

Outlook Configuration

Outlook works similarly, but we’ll also need to publish another DNS record to tell it to look at your autoconfig Virtual Host for this file. To do this, log in to your DNS provider and create a SRV record for _autodiscover._tcp.yourdomain with a setting of 0 0 443 autoconfig.yourdomain. Then, back at the shell for your Neth server, change back to the directory for your virtual host (cd /var/lib/nethserver/vhost/autoconfig/), make a new directory called autodiscover (mkdir Autodiscover), and create the autodiscover XML file (nano Autodiscover/Autodiscover.xml). Its contents should look like the example below, but again, DisplayName can be changed to whatever you like:

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>YourDomain</DisplayName>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>IMAP</Type>
        <Server>imap.yourdomain</Server>
        <Port>143</Port>
        <DomainRequired>off</DomainRequired>
        <SPA>off</SPA>
        <Encryption>TLS</Encryption>
        <AuthRequired>on</AuthRequired>
      </Protocol>
      <Protocol>
        <Type>SMTP</Type>
        <Server>smtp.yourdomain</Server>
        <Port>587</Port>
        <DomainRequired>off</DomainRequired>
        <SPA>off</SPA>
       	<Encryption>TLS</Encryption>
        <AuthRequired>on</AuthRequired>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>

Again, chown -R apache Autodiscover to make the apache user the owner of that directory and file.
Note: The information for Outlook above is based on the documentation–I don’t have a copy of MS Outlook here to test with. However, test results from Microsoft indicate it’s working on my system.

MailServer Configuration (autodiscover, SPF, DKIM)

dnutan (Marc) 2018-04-01 19:53:34 UTC #2

Great! There were some community members interested in having this for their email client of choice (like No autodiscover, MailServer Configuration (autodiscover, SPF, DKIM)).
Having a clear and simple howto for Thunderbird is a good starting point, as there are many Thunderbird users here.

danb35 (Dan) 2018-04-01 20:07:32 UTC #3

I’ve added information that should work for Outlook, though not having a copy of MS Outlook on hand, I can’t test it myself. But it looks like you gave links to a number of useful tools in the “no autodiscover” thread; might need to check those out.

iOS is going to be the tricky one. To do it right, you need a .mobileconfig profile which should be signed by a trusted TLS certificate. There’s a tool to create these here, but it seems to depend on a number of packages that aren’t installed in Neth by default, and it would need to run as root in order to read the server’s private key.

Edit: Oh, automx looks like it could be very handy indeed.

Edit 2: Using Microsoft’s connectivity analyzer, I checked my instructions for Outlook, and had to make a small change (the Autodiscover directory, and Autodiscover.xml filename, both need to be capitalized), but with that change, it’s working. Though I still think I may want to play with automx, as it would be a one-stop solution if it works as advertised.

danb35 (Dan) 2018-04-02 00:28:14 UTC #4

Well, I’ve played with it a little bit, and automx really looks like the better tool to use here–static files like I’ve shown above don’t require any software installation, and only minimal configuration, but they don’t do the job for iOS, and they aren’t very flexible.

OTOH, automx only needs a few packages to be installed (mod_wsgi, python-ipaddr, and m2crypto, all of which are in the standard repos), takes a single config file, and can pull user information out of LDAP (so the user only needs to give email address and password–though I haven’t tested this feature on Neth yet). It will create configs for Thunderbird, Outlook, and iOS, and will sign the configs for iOS allowing them to be imported without warnings. It takes a few tweaks to the virtual host configuration, but nothing too bad.

It ships with a simple little HTML form that will take email address, full name, and password, and generate an iOS .mobileconfig profile. The ideal use of this would probably be to integrate a similar form into the server manager and have it accessible to all users (like the change password panel).

/etc/automx.conf needs to be templated, but that shouldn’t be too tough of a chore. That would cover server names, LDAP configuration, organization name (to attach to the account), TLS cert/key paths, etc. And really, the whole thing probably should be packaged into an RPM.

Problem is that, in order to sign the iOS configuration, the script needs to be able to read the server’s private key, which is ordinarily only readable by root. Since it isn’t a daemon, (I assume) it can’t do the trick that Apache itself does to start up as root, read the key, then shed privileges. So either the script needs to run as root, or the private key needs to be readable by apache–neither sounds like an attractive proposition. I guess a third option would be to generate a separate cert just for the config signing–straightforward enough if using Let’s Encrypt, though rate limits can be a concern.

Edit: It does look like the last “official” release of automx, 0.10.2, is nearly four years old, while there’s a v1.1.2 that hasn’t been tagged as an official release on github but seems to make some significant changes.

mrmarkuz (Markus Neuberger) 2018-04-02 00:38:42 UTC #5

Great work, great howto!
Client autoconfig support for TB, OL and iOS is a killer feature!

It’s on my list.

Stefano_Zamboni (Stefano Zamboni) 2018-04-02 09:10:39 UTC #6

About automx, ask @stephdl, he already has something workable

stephdl (Stéphane de Labrusse) 2018-04-02 10:33:01 UTC #7

yes @mrmarkuz, stefano did some work that you can browse at http://mirror.de-labrusse.fr/NethDev/

I have not much time now on this but if you can do it, I’m fine

danb35 (Dan) 2018-04-02 13:35:02 UTC #8

That’s blocked at work as a porn site (stupid internet filtering), so I’ll have to take a look when I get home. Looking at the release notes for automx, it sounds like they’ve dropped the need for m2crypto, so that’s one less package that would need to be added. OTOH, we’d also need to add python-ldap to be able to pull user information from there, which I’d think we’d want to do.

How are you planning to handle access to the server private key, or have you gotten that far yet?

Edit: An implementation detail I’d suggest is to keep the DNS SRV record I mention above, rather than to use separate autoconfig and autodiscover hosts as recommended by the (less-than-fantastic) Automx docs. It does put one more step on the user, but it’s going to simplify the server-side configuration (one VirtualHost can handle everything), and have one less hostname needed on the TLS cert.

alefattorini (Alessio Fattorini) 2018-04-02 18:12:21 UTC #9

Great job so far Dan! Many members will benefit of such work.
I love that

danb35 (Dan) 2018-04-02 18:58:38 UTC #10

Well, my work computer can’t get it, but my tablet can VPN to my home network, and… Just a few things I’m noticing on a quick look:

The filename (nethserver-automx-0.0.1.tar.gz) indicates that it’s gzipped, but it isn’t. Slight issue in extracting the file.
I see that this will depend on automx and automx-web. Will you be building separate packages for those, or do those packages already exist somewhere I don’t know about?
Even though it raises the issues of script access to the server’s private key that I’ve mentioned above, it really should enable signing of iOS .mobileconfig files–unsigned profiles are not worthless, but are much less useful than signed ones.
Looks like the configuration will be calling for IMAPS/993 rather than IMAP/STARTTLS/143–based on the manual, it sounds like the latter would be preferable.

stephdl (Stéphane de Labrusse) 2018-04-02 19:57:50 UTC #11

@Stefano_Zamboni can advice you, I’m not the author. In tar.gz you have all the mandatory files to build the rpm, I just verified it

Stefano_Zamboni (Stefano Zamboni) 2018-04-03 09:40:01 UTC #12

you can use the src.rpm for automx you’ll find here:
https://build.opensuse.org/package/show/home:wrosenauer:devel/automx