autodiscover.cgi redirect to cpanel.net

mattin

Hello,

I want to set up the autodiscover feature in a functional state... I have the latest cPanel, 11.36.0.11.

I have finally properly configured the DNS records, but Apache always returns 404 for autodiscover.domain.com.
I also tried to visit http://ip/cgi-sys/autodiscover.cgi directly, but this script automatically redirects to https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml.

I noticed that with version 11.36 this feature should be working, but it still looks like it isn't. Did anybody manage to get it working?

Thx.
 

cPanelNick

The URL you have given requires an HTTP POST.

Code:
# curl -d '<EMailAddress>[email protected]</EMailAddress>' https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
	<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
		<User>
			<DisplayName>[email protected]</DisplayName>
            <EMailAddress>[email protected]</EMailAddress>
		</User>
		<Account>
			<AccountType>email</AccountType>
			<Action>settings</Action>
			<Protocol>
				<Type>IMAP</Type>
				<Server>mail.nonexistantdomain9999333.org</Server>
				<Port>993</Port>
				<DomainRequired>off</DomainRequired>
				<SPA>off</SPA>
				<SSL>on</SSL>
				<AuthRequired>on</AuthRequired>
				<LoginName>[email protected]</LoginName>
			</Protocol>
			<Protocol>
				<Type>SMTP</Type>
				<Server>mail.nonexistantdomain9999333.org</Server>
				<Port>465</Port>
				<DomainRequired>off</DomainRequired>
				<SPA>off</SPA>
				<SSL>on</SSL>
				<AuthRequired>on</AuthRequired>
				<LoginName>[email protected]</LoginName>
			</Protocol>
		</Account>
	</Response>
</Autodiscover>
 

skycomp

Is there a way to not have the URL go to a cPanel domain? I haven't found a config for that yet.

I'd rather the autodiscover URL be hosted in our environment.
 

cPanelKenneth

My original post is incorrect.
It should only be going to cpanel.net if the local domain/server has a self-signed SSL certificate (or doesn't have an SSL certificate).
 

skycomp

Well, all of our cPanel servers have SSL certs (wildcard for all our servers), yet all the new auto-discover entries point to a cPanel domain for autodiscover.
 

cPanelKenneth

My apologies, I misread how the functionality works. I'll correct my post to not mislead others.
 

skycomp

But is there a way to have the autodiscover URL point to a URL on one of our internal servers rather than a cPanel direct hosted server?
 

cPanelNick

The system is not currently designed to function in this manner, as it would greatly increase the complexity of the system, since it would require keeping track of installed SSL certificates and updating DNS records when certificates are added/removed/expired/changed.
 

skycomp

Hey Nick,

I like the idea of auto-discover but really worry about this implementation.

As it stands right now cPanel is now getting a fair amount of semi-private information if you choose to mine it. You get a request from every auto-discover mail client with the email address.

So you know:

1. The user is a cPanel user
2. Their email address
3. Their IP address
4. When they open their mail client and more (What is the default refresh rate for Autodiscover - Dgoldman's WebLog - Site Home - MSDN Blogs)

Also a serious security issue. If your auto-discover URL was ever compromised, the attacker can update your script and direct users from all over the world to send their login credentials to their server by updating the XML.

It's almost amazing you released this feature in its state and had the default to on and published DNS records automatically, rather than this being something that had to be toggled on.

What I would suggest, at an absolute bare minimum to make this feature reasonable, would be to have the autodiscover script code on each cPanel server and allow admins to alter the URL from a WHM config standpoint.

Slightly better would be to detect the local cPanel server has a local trusted SSL certificate and automatically use the local URL.

This would solve a lot of concerns. The autodiscover request would be going to the local cPanel server, in which case the user's IP and email address are not private from that server's perspective, since you are logging into dovecot on that local server via the mail client anyways.

There is no single central server that could be compromised to potentially take over 1,000s if not more email credentials with 1 exploit.

I hope you make some changes to the autodiscover. The concept is a great idea and I'd love to deploy it, but its current state is troubling from a few perspectives.
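The risk raised in the post above, that a changed discovery response could steer mail clients to a different server, can be checked for from the administrator's side. This is an added example, not part of the original post and not cPanel's code: `audit_autodiscover`, `sample_response`, the `example.org` and `collector.invalid` hosts and the rule that mail servers must sit under the mailbox's own domain are all assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces copied from the response posted earlier in this thread.
OUTER = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
NS = {"o": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}

def audit_autodiscover(xml_text, email, extra_hosts=()):
    """Return findings for one Autodiscover response; an empty list means it passed."""
    if "<!DOCTYPE" in xml_text.upper():
        return ["response carries a DOCTYPE; refusing to parse"]
    domain = email.rsplit("@", 1)[1].lower()
    allowed = {h.lower() for h in extra_hosts}
    protocols = ET.fromstring(xml_text).findall(".//o:Protocol", NS)
    findings = [] if protocols else ["no Protocol blocks in response"]
    for proto in protocols:
        kind = proto.findtext("o:Type", "?", NS).strip()
        server = proto.findtext("o:Server", "", NS).strip().lower().rstrip(".")
        # Suffix match on a label boundary, so notexample.org does not pass.
        in_domain = server == domain or server.endswith("." + domain)
        if not (in_domain or server in allowed):
            findings.append(f"{kind}: server {server} is outside {domain}")
        if proto.findtext("o:SSL", "", NS).strip().lower() != "on":
            findings.append(f"{kind}: SSL is not on")
        if proto.findtext("o:LoginName", "", NS).strip().lower() != email.lower():
            findings.append(f"{kind}: LoginName differs from the requested address")
    return findings

def sample_response(email, imap_host, smtp_host, smtp_ssl="on"):
    """Build a constructed response in the shape shown in the thread."""
    def proto(kind, host, port, ssl):
        return (f"<Protocol><Type>{kind}</Type><Server>{host}</Server>"
                f"<Port>{port}</Port><SSL>{ssl}</SSL>"
                f"<LoginName>{email}</LoginName></Protocol>")
    return (f'<?xml version="1.0" encoding="utf-8"?><Autodiscover xmlns="{OUTER}">'
            f'<Response xmlns="{NS["o"]}"><Account><AccountType>email</AccountType>'
            f'{proto("IMAP", imap_host, 993, "on")}'
            f'{proto("SMTP", smtp_host, 465, smtp_ssl)}'
            f'</Account></Response></Autodiscover>')

# Constructed inputs: example.org is the mailbox domain, collector.invalid is not.
EMAIL = "user@example.org"
GOOD = sample_response(EMAIL, "mail.example.org", "mail.example.org")
TAMPERED = sample_response(EMAIL, "mail.example.org", "mail.collector.invalid", "off")

if __name__ == "__main__":
    print(audit_autodiscover(GOOD, EMAIL))
    print(audit_autodiscover(TAMPERED, EMAIL))
```

Run on a schedule against the response fetched for a test mailbox, a non-empty result is the signal to alert on; `extra_hosts` covers setups where clients are meant to use the server's hostname instead of mail.<domain>.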
 

rs-freddo

You could put the autodiscover directory at /usr/local/apache/htdocs/; that way it could be accessed via the SSL on the hostname. The advantage of the XML file being local is that you can change the settings via WHM (for instance, most of my clients use POP3, not IMAP). Nice little article here on setting it all up:
http://moens.ch/2012/05/31/providing-email-client-autoconfiguration-information/
 

skycomp

Right, but there is no way to alter the URL for the feature added. As well, I don't really want everyone to use the actual server name for their email, but to use mail.clientdomain.com. cPanel has obviously developed a script to dynamically create the XML file.

Also, with the feature cPanel integrated, if you transfer a site between cPanel servers then DNS would be automatically updated.