The Community Forums

Interact with an entire community of cPanel & WHM users.
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

autodiscover.cgi redirect to cpanel.net

Discussion in 'General Discussion' started by mattin, Mar 14, 2013.

  1. mattin

    mattin Member

    Joined:
    Feb 10, 2013
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bratislava, Slovakia
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    I want setup autodiscover feature to functional state... I have last cPanel 11.36.0.11.

    I have finally properly configured dns records, but apache always return 404 for autodiscover.domain.com.
    I tried also directly to visit /http://ip/cgi-sys/autodiscover.cgi, but this script automatically redirect to /https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml.

    I noticed that with version 11.36 this feature should working, but it still looks like it isn't. Did anybody manage to get it working?

    Thx.
     
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    The url you have give requires an http post.

    Code:
    # curl -d '<EMailAddress>me@nonexistantdomain9999333.org</EMailAddress>' https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml
    <?xml version="1.0" encoding="utf-8"?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
    	<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    		<User>
    			<DisplayName>me@nonexistantdomain9999333.org</DisplayName>
                <EMailAddress>me@nonexistantdomain9999333.org</EMailAddress>
    		</User>
    		<Account>
    			<AccountType>email</AccountType>
    			<Action>settings</Action>
    			<Protocol>
    				<Type>IMAP</Type>
    				<Server>mail.nonexistantdomain9999333.org</Server>
    				<Port>993</Port>
    				<DomainRequired>off</DomainRequired>
    				<SPA>off</SPA>
    				<SSL>on</SSL>
    				<AuthRequired>on</AuthRequired>
    				<LoginName>me@nonexistantdomain9999333.org</LoginName>
    			</Protocol>
    			<Protocol>
    				<Type>SMTP</Type>
    				<Server>mail.nonexistantdomain9999333.org</Server>
    				<Port>465</Port>
    				<DomainRequired>off</DomainRequired>
    				<SPA>off</SPA>
    				<SSL>on</SSL>
    				<AuthRequired>on</AuthRequired>
    				<LoginName>me@nonexistantdomain9999333.org</LoginName>
    			</Protocol>
    		</Account>
    	</Response>
    </Autodiscover>
    
     
  3. skycomp

    skycomp Member

    Joined:
    Nov 1, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1

    Is there a way to not have the URL go to a cPanel domain? I haven't found a config for that yet.

    I'd rather the autodiscover URL be hosted in our environment.
     
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    My original post is incorrect.
    It should only be going to cpanel.net if the local domain/server has a self-signed SSL certificate (or doesn't have a SSL certificate).
     
    #4 cPanelKenneth, Mar 29, 2013
    Last edited: Mar 29, 2013
  5. skycomp

    skycomp Member

    Joined:
    Nov 1, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Well all of our cpanel servers have SSL certs (Wild Card for all our servers) yet all the new auto-discover entries point to a cpanel domain for autodiscover.
     
  6. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    My apologies, I misread how the functionality works. I'll correct my post to not mislead others.
     
  7. skycomp

    skycomp Member

    Joined:
    Nov 1, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    But is there a way to have the autodiscover url point to a URL on one of our internal servers rather than a cPanel direct hosted server?
     
  8. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    The system is not currently designed to function in this manner as it would greatly increase the complexity of the system since it require keeping track of installed ssl certificates and updating dns records when certificates are added/removed/expired/changed.
     
  9. skycomp

    skycomp Member

    Joined:
    Nov 1, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Hey Nick,

    I like the idea of auto-discover but really worry about this implementation.

    As it stands right now cPanel is now getting a fair amount of semi-private information if you choose to mine it. You get a request from every auto-discover mail client with the email address.

    So you know:

    1. The user is a cPanel user
    2. Their email address
    3. Their IP address
    4. When they open their mail client and more (What is the default refresh rate for Autodiscover - Dgoldman's WebLog - Site Home - MSDN Blogs)

    Also a serious security issue. If your auto-discover URL was every comprimised the attacker can update your script and direct users from all over the world to send their login credentials to their server by updating the XML.

    It's almost amazing you released this feature in it's state and had the default to on and published DNS records automatically rather than this being something that had to be toggled on.

    I would suggest at an absolute bare minimum, to make this feature reasonable, would be to have the autodiscover script code on each cPanel server and allow admin's to alter the url from a WHM config standpoint.

    Slightly better would be to detect the local cPanel server has a local trusted SSL certificate and automatically use the local URL.

    This would solve a lot of concerns. The autodiscover request would be going to the local cpanel server in which case the users IP and email address are not private from that servers perspective since you are logging into dovecot on that local server via the mail client anyways.

    There is no single central server that could be comprismised to potential take over 1,000's if not more email credentials with 1 exploit.

    I hope you make some changes to the autodiscover. The concept is a great idea and I'd love to deploy it but it's current state is troubling from a few perspectives.
     
  10. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    you could put the autodiscover directory at /usr/local/apache/htdocs/ that way it could be accessed via the ssl on the hostname. The advantage of the xml file being local is that you can change the settings via whm (for instance most of my clients use pop3 not imap). Nice little article here on setting it all up:
    http://moens.ch/2012/05/31/providing-email-client-autoconfiguration-information/
     
  11. skycomp

    skycomp Member

    Joined:
    Nov 1, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    right but there is no way to alter the URL for the feature added. As well I don't really want everyone to use the actual server name for their email but use mail.clientdomain.com. cpanel as obviously developed a script to dynamically create the XML file.

    Also with the feature cpanel integrated if you transfer a site between cpanel servers Then DNS would be automatically updated.
     
  12. skycomp

    skycomp Member

    Joined:
    Nov 1, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Was hoping for a further reply from cPanel on this and what their plan is.
     
  13. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    We are working on a way to allow you to customize the host used for this service.
     
  14. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    We have added this to 11.38

    Screen Shot 2013-04-19 at 2.34.16 PM.png
     
Loading...

Share This Page