
Provide an autoconfig.nasqueron.org configuration server for mail user agents
Closed, ResolvedPublic

Description

In T1112, we provided generic instructions through DNS for autoconfiguration.

Yet a configuration server can provide more fine-grained information, with statements like "use the full email address as login".

The plan is to deploy this in three steps: first offer good defaults, then tune them in two waves, per domain and per user.

Step 1: static document

Provide a universal document with instructions to use mail.nasqueron.org.

Reference is https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration/FileFormat/HowTo

Step 2: domain preferences

For stability, we recommend using mail.domain.tld: if a domain is later hosted elsewhere, users keep the same configuration instead of having to migrate it.

That means, for example, instructing @wolfplex.be addresses to use "mail.wolfplex.be" instead of "mail.nasqueron.org".

This requires solving a certificate issue: the hostname value is the '''common name''' the mail user agent expects to find in the server certificate, so the mail server has to serve one certificate per hostname, per http://wiki.dovecot.org/SSL/DovecotConfiguration. Dovecot picks the certificate from the name the client sends in the TLS handshake (SNI, configured with local_name blocks), so each mail.domain.tld needs its own certificate there, or one certificate whose subjectAltName lists all of them.

For SMTP:

  • we can check whether the '''common name''' requirement is a documentation error by using a multi-domain Let's Encrypt certificate covering every mail hostname: clients match the subjectAltName entries, so a single certificate listing all the mail.domain.tld names should be accepted
  • if that doesn't work, another way would be to terminate TLS in nginx, but plain TLS termination cannot handle STARTTLS, since the upgrade happens inside the SMTP dialogue. In that case, we have to advertise implicit TLS on the submission port, and run an additional submission listener that does not attempt TLS itself, as nginx does it. (The linked ngx_mail_ssl_module does offer a starttls directive for its SMTP proxy, which avoids this restriction, but the mail proxy then needs an auth_http backend to authenticate users.)

See http://nginx.org/en/docs/mail/ngx_mail_ssl_module.html
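The check a practitioner wants before switching hostnames is whether the certificate actually presented for mail.wolfplex.be covers that name, on both the implicit TLS ports and the STARTTLS path that nginx termination cannot handle. The following is an added example written for this task, not Nasqueron's own tooling: it connects with TLS from the first byte (993, 465) or upgrades with STARTTLS (587), keeps Python's chain validation against the system CA store, and matches the wanted hostname against the certificate's subjectAltName DNS entries, falling back to the subject common name only when there is no SAN, as clients did historically. The hostnames probed in the main block come from the task; the SAMPLE_* certificates are constructed for offline testing and are not real certificates.

```python
"""Check which hostnames a mail server's TLS certificate covers.

Added example for this task, not part of Nasqueron's tooling. The SAMPLE_*
dictionaries below are constructed test data in the shape returned by
ssl.SSLSocket.getpeercert(), not real certificates.
"""
import smtplib
import socket
import ssl


def dns_names(cert):
    """Names a getpeercert() dict is valid for: SAN DNS entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, wildcard covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers(cert, hostname):
    """True when the certificate is valid for hostname by SAN (or CN fallback)."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def _context():
    # Keep chain validation (CERT_REQUIRED against the system CA store) but do the
    # hostname matching ourselves, so a mismatch is reported instead of raised.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def peer_cert_implicit_tls(host, port, server_name=None, timeout=10):
    """TLS from the first byte (IMAPS 993, SMTPS 465); server_name is the SNI value."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with _context().wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert()


def peer_cert_starttls(host, port=587, timeout=10):
    """Plain SMTP, then STARTTLS. smtplib sends `host` as SNI, so the name you
    connect to is the name the server selects its certificate by."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not advertise STARTTLS")
        smtp.starttls(context=_context())
        return smtp.sock.getpeercert()


# Constructed certificates for offline tests; not real Nasqueron certificates.
SAMPLE_SAN_CERT = {
    "subject": ((("commonName", "mail.nasqueron.org"),),),
    "subjectAltName": (("DNS", "mail.nasqueron.org"), ("DNS", "autoconfig.nasqueron.org")),
}
SAMPLE_WILDCARD_CERT = {"subjectAltName": (("DNS", "*.wolfplex.be"),)}
SAMPLE_CN_ONLY_CERT = {"subject": ((("commonName", "mail.wolfplex.be"),),)}


if __name__ == "__main__":
    # Hostnames from the task; each one is probed with itself as the SNI name.
    for hostname in ("mail.nasqueron.org", "mail.wolfplex.be"):
        for port in (993, 465):
            try:
                cert = peer_cert_implicit_tls(hostname, port)
                print(f"{hostname}:{port} implicit TLS covered={cert_covers(cert, hostname)} names={dns_names(cert)}")
            except (OSError, ssl.SSLError) as exc:
                print(f"{hostname}:{port} implicit TLS error: {exc}")
        try:
            cert = peer_cert_starttls(hostname)
            print(f"{hostname}:587 STARTTLS covered={cert_covers(cert, hostname)} names={dns_names(cert)}")
        except (OSError, ssl.SSLError, smtplib.SMTPException, RuntimeError) as exc:
            print(f"{hostname}:587 STARTTLS error: {exc}")
```

A certificate that only carries the name in the common name passes the fallback here, but current browsers and an increasing number of mail clients ignore the CN entirely, so the Let's Encrypt certificate should list every mail hostname as a subjectAltName rather than rely on that path.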

Step 3: user preferences

Requests to the configuration server carry the full mail address in the query string (the emailaddress parameter of the Mozilla format). That allows personalising the document according to user preferences.

There are two obvious cases:

  • Standards push for STARTTLS, but @xcombelle begs to differ, concerned by downgrade attacks (an active attacker on the path strips the STARTTLS capability from the server's response, and a client willing to fall back continues in plaintext). In such cases, we can allow users to opt in to implicit TLS, i.e. TLS from the first byte on the dedicated ports (993 for IMAP, 465 for submission).
  • We prioritise IMAP over POP3, as do both modern mail user agents and our SRV DNS records. Yet we could allow users to opt in to POP3, but that would require convincing upstream to extend the configuration format.
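The three steps combine into one document generator. The following is an added example written for this task, not Nasqueron's deployed code: it takes the emailaddress query parameter, applies the step 1 defaults (IMAP on 993 with implicit TLS, submission on 587 with STARTTLS, full address as login via the %EMAILADDRESS% placeholder), the step 2 per-domain hostname override, and the step 3 per-user opt-in to implicit TLS for submission on 465. The domain table, the user preference set and the sample addresses are assumptions constructed for the example; only wolfplex.be and the mail.nasqueron.org default come from the task.

```python
"""Generate Thunderbird-style autoconfig (config-v1.1) documents per address.

Added example for this task, not Nasqueron's deployed code. DOMAIN_HOSTS and
USER_PREFERS_IMPLICIT_TLS are assumed stores constructed for the example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

DEFAULT_HOST = "mail.nasqueron.org"

# Step 2: per-domain hostname overrides (assumed table; wolfplex.be is the
# example given in the task).
DOMAIN_HOSTS = {
    "wolfplex.be": "mail.wolfplex.be",
}

# Step 3: users who opted in to implicit TLS for submission (assumed store;
# the address is constructed for the example).
USER_PREFERS_IMPLICIT_TLS = {
    "alice@wolfplex.be",
}


def email_from_query(url):
    """Extract the emailaddress parameter the mail user agent appends to the config URL."""
    values = parse_qs(urlparse(url).query).get("emailaddress")
    if not values or "@" not in values[0]:
        raise ValueError("missing or malformed emailaddress parameter")
    return values[0].strip().lower()


def mail_host_for(email):
    """Step 2: mail.domain.tld when the domain has its own name, else the default."""
    domain = email.rsplit("@", 1)[1]
    return DOMAIN_HOSTS.get(domain, DEFAULT_HOST)


def build_config(email):
    """Return the config-v1.1 XML for one address as a string.

    IMAP already uses implicit TLS on 993. Submission defaults to STARTTLS on
    587; a user opt-in (step 3) switches it to implicit TLS on 465. ElementTree
    escapes the domain taken from the query string, so a crafted emailaddress
    cannot inject markup into the document.
    """
    domain = email.rsplit("@", 1)[1]
    host = mail_host_for(email)
    implicit = email in USER_PREFERS_IMPLICIT_TLS

    root = ET.Element("clientConfig", version="1.1")
    provider = ET.SubElement(root, "emailProvider", id=domain)
    ET.SubElement(provider, "domain").text = domain
    ET.SubElement(provider, "displayName").text = domain
    ET.SubElement(provider, "displayShortName").text = domain

    incoming = ET.SubElement(provider, "incomingServer", type="imap")
    ET.SubElement(incoming, "hostname").text = host
    ET.SubElement(incoming, "port").text = "993"
    ET.SubElement(incoming, "socketType").text = "SSL"
    ET.SubElement(incoming, "authentication").text = "password-cleartext"
    # "use full email address as login": the MUA substitutes the placeholder.
    ET.SubElement(incoming, "username").text = "%EMAILADDRESS%"

    outgoing = ET.SubElement(provider, "outgoingServer", type="smtp")
    ET.SubElement(outgoing, "hostname").text = host
    ET.SubElement(outgoing, "port").text = "465" if implicit else "587"
    ET.SubElement(outgoing, "socketType").text = "SSL" if implicit else "STARTTLS"
    ET.SubElement(outgoing, "authentication").text = "password-cleartext"
    ET.SubElement(outgoing, "username").text = "%EMAILADDRESS%"

    return ET.tostring(root, encoding="unicode")


def config_for_request(url):
    """Full request path: query string in, XML document out."""
    return build_config(email_from_query(url))


def server_settings(xml_text):
    """Parse a document back into (imap host, smtp host, smtp port, smtp socketType)."""
    root = ET.fromstring(xml_text)
    incoming = root.find("emailProvider/incomingServer")
    outgoing = root.find("emailProvider/outgoingServer")
    return (
        incoming.findtext("hostname"),
        outgoing.findtext("hostname"),
        outgoing.findtext("port"),
        outgoing.findtext("socketType"),
    )


if __name__ == "__main__":
    # Constructed request of the form Thunderbird issues against the autoconfig host.
    url = "https://autoconfig.nasqueron.org/mail/config-v1.1.xml?emailaddress=alice%40wolfplex.be"
    print(config_for_request(url))
```

Serving this behind autoconfig.nasqueron.org over HTTPS matters as much as the content: the document tells the client which hosts to send credentials to, so an attacker who can tamper with it in transit can redirect logins.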

Event Timeline

dereckson triaged this task as Normal priority.

Autoconfig documents are published, so step 1 is done.

DNS records for T1113 and T1114:

autoconfig.nasqueron.org. 86400 IN CNAME www1.nasqueron.org.
autodiscovery.nasqueron.org. 86400 IN CNAME autoconfig.nasqueron.org.
autodiscover.nasqueron.org. 86400 IN CNAME autoconfig.nasqueron.org.

(autodiscovery is actually a typo, propagated to the Let's Encrypt certificate)