Question Autodiscover

[Janko1000]

@Anthony is there someway to active auto config to suscription yet created?

That would be nice

 

[andyxyz]

Is there any way to turn this off other than hacking nginx.conf for each domain?

As the poster above mentions if the server responds on

https://domain.com:443/autodiscover/autodiscover.xml

which it does (wrong details) then the process breaks despite DNS records being correct.

 

[TomBoB]

The Plesk Mail autodiscovery feature relies on <website.com> name and not to server hostname. That's why it's important to have properly set SSL/TLS certificate for domain (expected for each website nowadays) and use the SNI feature.

Haven't started testing yet, but maybe someone can shine a light on the following:

We have a around a dozen clients that have their websites elsewhere, using us for their email only. This left us so far (Onyx) without an option of auto-securing webmail.clientsdomain.com using Lets Encrypt.
See here

We did not have any autodiscovery implemented and got the hopes up after Obsidian marketed it. However after mr-wolf observation that it checks the webserver first, and Anthonys statement above which hints email only still isn't supported, it'd also follow andyxyz thoughts on wanting to disable / not use the feature until it's more "complete".

 

[ChristophRo]

We have a around a dozen clients that have their websites elsewhere, using us for their email only. This left us so far (Onyx) without an option of auto-securing webmail.clientsdomain.com using Lets Encrypt.

If you manage the DNS of these domains on your plesk server, you can issue a wildcard certificate for this domain and use that for securing webmail.clientsdomain.com
But if both the website and the DNS is hosted elsewhere, you are our of luck.

As Mr-Wolf already wrote, "autodiscover" is a beast within and currently there are a multitude of different methods known and used by Outlook.
Of course this depends on the Outlook version, as older ones may not know all of them and also use them in a different order. There are also differences in Outlook for Windows and Mac or if your computer is joined to a Windows domain or not)

For example, with Outlook 2016 for Windows, these checks and the order of them would be:

- Office 365 account check (https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml)
- LDAP query for Service Connection Point (if domain joined)
- URL check https://DOMAIN.TLD:443/Autodiscover/Autodiscover.xml
- URL check https://autodiscover.DOMAIN.TLD:443/Autodiscover/Autodiscover.xml
- URL/HTTP Redirect check http://autodiscover.DOMAIN.TLD
- DNS SRV record check (_autodiscover._tcp.DOMAIN.TLD)

Of course, if any of these return a result, it will skip the following checks.
So if you've manually deployed the DNS SRV method, you need to make sure that all the previous fail or the autodiscover will not work properly despite your efforts.


And as a general recommendation for any autodiscover related stuff, I can recommend checking out the following website; https://testconnectivity.microsoft.com

 

[andyxyz]

This URGENTLY needs an OFF button
We are setting up all new servers on Obsidian and slowly migrating older and it has already caused major headaches for clients hosting their emails externally who can no longer use autodiscovery as the Plesk server is breaking this by responding on 443.

(I am missing the big OFF button? )

 

[eMiz0r]

It's either that or enable SSL/TLS certificate for mail by default on a per domain basis. This tutorial works fine https://support.plesk.com/hc/en-us/articles/115001446174-How-to-secure-a-Plesk-mail-server-with-different-SSL-certificates-SNI-support-

But doing it manually for every new user is just impossible

 

[Anthony]

@andyxyz ,

(I am missing the big OFF button? )

Yes, we wrote about management of this feature here Important - Plesk Obsidian Releases

For now, it's possible to manage mail autodiscover on a server-wide and per-domain basis. Since Obsidian GA, the additional properties will be added to the service plans as well.

 

[Ankebut]

what about apple mail is there also a possibility that it works with apple mail?

 

[Anthony]

@Ankebut

what about apple mail is there also a possibility that it works with apple mail?

It's not supported yet, but we are working on implementation. So, Plesk will support Apple mail in the near future.

 

[Ankebut]

The german translation for setting autodiscover is not so good, it is better when to change to:

Enable mail autodiscover -> Autoermittlungsdienst autodiscover aktivieren

instead of:

Automatische E-Mail-Erkennung aktivieren

 

[Robb3rt]

It's either that or enable SSL/TLS certificate for mail by default on a per domain basis. This tutorial works fine https://support.plesk.com/hc/en-us/articles/115001446174-How-to-secure-a-Plesk-mail-server-with-different-SSL-certificates-SNI-support-

But doing it manually for every new user is just impossible

For us the auto-discover works fine, the only thing is that we have manually select an SSL for the mail per domain.
We like to see that Plesk implement an feature to automatically enable SNI support per domain. It is just impossible to do by hand like eMiz0r mentions above.

The only thing that happens when enabling SSL for mail (SNI), is that Plesk generates an Dovecot SNI config for the domain.
Does anyone know which process or script Plesk uses for this process? So we can maybe make an cron job or something

 

[sebgonzes]

For us the auto-discover works fine, the only thing is that we have manually select an SSL for the mail per domain.
We like to see that Plesk implement an feature to automatically enable SNI support per domain. It is just impossible to do by hand like eMiz0r mentions above.

The only thing that happens when enabling SSL for mail (SNI), is that Plesk generates an Dovecot SNI config for the domain.
Does anyone know which process or script Plesk uses for this process? So we can maybe make an cron job or something

I request the same thing.. I review the binary but noone offer this option yet. Also need binary that able to create let's encrypt ssl to automate creation

 

[Robb3rt]

I request the same thing.. I review the binary but noone offer this option yet. Also need binary that able to create let's encrypt ssl to automate creation

The Plesk extension SSL-IT has an cron job for auto fixing Lets encrypt certificates, so that part is covered already.
The only thing we need is to generate an Dovecot SNI config for the domain with the correct locations to the certificates.

My problem is I have no idea how Plesk is generating those Dovecot configs..

 

[sebgonzes]

The Plesk extension SSL-IT has an cron job for auto fixing Lets encrypt certificates, so that part is covered already.
The only thing we need is to generate an Dovecot SNI config for the domain with the correct locations to the certificates.

My problem is I have no idea how Plesk is generating those Dovecot configs..

/usr/local/psa/bin/subscription --help <= option should be in this command but not yet present. For auto discover and SSL for mail service domain.

 

[sebgonzes]

/usr/local/psa/bin/subscription --help <= option should be in this command but not yet present. For auto discover and SSL for mail service domain.

/usr/local/psa/bin/subscription_settings -u XXXX.com -mail_certificate 'Lets Encrypt XXXX.com'
SUCCESS: Update of domain 'XXXX.com' completed.

 

[sebgonzes]

The Plesk extension SSL-IT has an cron job for auto fixing Lets encrypt certificates, so that part is covered already.
The only thing we need is to generate an Dovecot SNI config for the domain with the correct locations to the certificates.

My problem is I have no idea how Plesk is generating those Dovecot configs..

The SSL-IT not appear to automaticaly create SSL let's encrypt for each domain name... don't know what really do, but we have some domain name that have no let's encrypt creates and SSL-IT and his cron are active.

 

[Robb3rt]

The SSL-IT not appear to automaticaly create SSL let's encrypt for each domain name... don't know what really do, but we have some domain name that have no let's encrypt creates and SSL-IT and his cron are active.

In our experience the cron /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/sslit/scripts/keep-secured.php' is working fine.
The domain needs to be resolvable to the Plesk server to work.

The command /usr/local/psa/bin/subscription_settings -u XXXX.com -mail_certificate 'Lets Encrypt XXXX.com' is also working for me.
So now I have to build an event handler or something to automate this feature..

 

[Robb3rt]

So I fixed it with our setup.. I've created an event handler.

after SSL/TLS certificate on domain assigned/unassigned then -> /usr/local/psa/bin/subscription_settings -u <NEW_DOMAIN_NAME> -mail_certificate 'Lets Encrypt <NEW_DOMAIN_NAME>'

 

[sebgonzes]

So I fixed it with our setup.. I've created an event handler.

after SSL/TLS certificate on domain assigned/unassigned then -> /usr/local/psa/bin/subscription_settings -u <NEW_DOMAIN_NAME> -mail_certificate 'Lets Encrypt <NEW_DOMAIN_NAME>'

You had to check first that SSL is created, how you check it? Also there for now no option for active autodiscover (is another different problem, but we also search how to solve it).
I will try again to create an domain name without SSL and check if after 25 mn the ssl have been created by SSL-it cron.

 

[Robb3rt]

You had to check first that SSL is created, how you check it? Also there for now no option for active autodiscover (is another different problem, but we also search how to solve it).
I will try again to create an domain name without SSL and check if after 25 mn the ssl have been created by SSL-it cron.

Because of the event handler, right after the creation of the SSL the task for SNI is started. I will monitor it for the next couple of days if it is working as expected.

And what do you mean with active autodiscover?

Let me know how it works on you're Plesk server