1package http

3import (

4 "encoding/xml"

5 "fmt"

6 "log/slog"

7 "net/http"

8 "strings"

10 "github.com/prometheus/client_golang/prometheus"

11 "github.com/prometheus/client_golang/prometheus/promauto"

12 "rsc.io/qr"

14 "github.com/mjl-/mox/admin"

15 "github.com/mjl-/mox/dns"

16 "github.com/mjl-/mox/smtp"

17)

19var (

20 metricAutoconf = promauto.NewCounterVec(

21 prometheus.CounterOpts{

22 Name: "mox_autoconf_request_total",

23 Help: "Number of autoconf requests.",

24 },

25 []string{"domain"},

26 )

27 metricAutodiscover = promauto.NewCounterVec(

28 prometheus.CounterOpts{

29 Name: "mox_autodiscover_request_total",

30 Help: "Number of autodiscover requests.",

31 },

32 []string{"domain"},

33 )

34)

36// Autoconfiguration/Autodiscovery:

37//

38// - Thunderbird will request an "autoconfig" xml file.

39// - Microsoft tools will request an "autodiscovery" xml file.

40// - In my tests on an internal domain, iOS mail only talks to Apple servers, then

41// does not attempt autoconfiguration. Possibly due to them being private DNS

42// names. Apple software can be provisioned with "mobileconfig" profile files,

43// which users can download after logging in.

44//

45// DNS records seem optional, but autoconfig.<domain> and autodiscover.<domain>

46// (both CNAME or A) are useful, and so is SRV _autodiscovery._tcp.<domain> 0 0 443

47// autodiscover.<domain> (or just <hostname> directly).

48//

49// Autoconf/discovery only works with valid TLS certificates, not with self-signed

50// certs. So use it on public endpoints with certs signed by common CA's, or run

51// your own (internal) CA and import the CA cert on your devices.

52//

53// Also see https://roll.urown.net/server/mail/autoconfig.html

55// Autoconfiguration for Mozilla Thunderbird.

56// User should create a DNS record: autoconfig.<domain> (CNAME or A).

57// See https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat

58func autoconfHandle(w http.ResponseWriter, r *http.Request) {

59 log := pkglog.WithContext(r.Context())

61 var addrDom string

62 defer func() {

63 metricAutoconf.WithLabelValues(addrDom).Inc()

64 }()

66 email := r.FormValue("emailaddress")

67 log.Debug("autoconfig request", slog.String("email", email))

68 var domain dns.Domain

69 if email == "" {

70 email = "%EMAILADDRESS%"

71 // Declare this here rather than using := to avoid shadowing domain from

72 // the outer scope.

73 var err error

74 domain, err = dns.ParseDomain(r.Host)

75 if err != nil {

76 http.Error(w, fmt.Sprintf("400 - bad request - invalid domain: %s", r.Host), http.StatusBadRequest)

77 return

78 }

79 domain.ASCII = strings.TrimPrefix(domain.ASCII, "autoconfig.")

80 domain.Unicode = strings.TrimPrefix(domain.Unicode, "autoconfig.")

81 } else {

82 addr, err := smtp.ParseAddress(email)

83 if err != nil {

84 http.Error(w, "400 - bad request - invalid parameter emailaddress", http.StatusBadRequest)

85 return

86 }

87 domain = addr.Domain

88 }

90 socketType := func(tlsMode admin.TLSMode) (string, error) {

91 switch tlsMode {

92 case admin.TLSModeImmediate:

93 return "SSL", nil

94 case admin.TLSModeSTARTTLS:

95 return "STARTTLS", nil

96 case admin.TLSModeNone:

97 return "plain", nil

98 default:

99 return "", fmt.Errorf("unknown tls mode %v", tlsMode)

100 }

101 }

102

103 var imapTLS, submissionTLS string

104 config, err := admin.ClientConfigDomain(domain)

105 if err == nil {

106 imapTLS, err = socketType(config.IMAP.TLSMode)

107 }

108 if err == nil {

109 submissionTLS, err = socketType(config.Submission.TLSMode)

110 }

111 if err != nil {

112 http.Error(w, "400 - bad request - "+err.Error(), http.StatusBadRequest)

113 return

114 }

115

116 // Thunderbird doesn't seem to allow U-labels, always return ASCII names.

117 var resp autoconfigResponse

118 resp.Version = "1.1"

119 resp.EmailProvider.ID = domain.ASCII

120 resp.EmailProvider.Domain = domain.ASCII

121 resp.EmailProvider.DisplayName = email

122 resp.EmailProvider.DisplayShortName = domain.ASCII

123

124 // todo: specify SCRAM-SHA-256 once thunderbird and autoconfig supports it. or perhaps that will fall under "password-encrypted" by then.

125 // todo: let user configure they prefer or require tls client auth and specify "TLS-client-cert"

126

127 incoming := incomingServer{

128 "imap",

129 config.IMAP.Host.ASCII,

130 config.IMAP.Port,

131 imapTLS,

132 email,

133 "password-encrypted",

134 }

135 resp.EmailProvider.IncomingServers = append(resp.EmailProvider.IncomingServers, incoming)

136 if config.IMAP.EnabledOnHTTPS {

137 tlsMode, _ := socketType(admin.TLSModeImmediate)

138 incomingALPN := incomingServer{

139 "imap",

140 config.IMAP.Host.ASCII,

141 443,

142 tlsMode,

143 email,

144 "password-encrypted",

145 }

146 resp.EmailProvider.IncomingServers = append(resp.EmailProvider.IncomingServers, incomingALPN)

147 }

148

149 outgoing := outgoingServer{

150 "smtp",

151 config.Submission.Host.ASCII,

152 config.Submission.Port,

153 submissionTLS,

154 email,

155 "password-encrypted",

156 }

157 resp.EmailProvider.OutgoingServers = append(resp.EmailProvider.OutgoingServers, outgoing)

158 if config.Submission.EnabledOnHTTPS {

159 tlsMode, _ := socketType(admin.TLSModeImmediate)

160 outgoingALPN := outgoingServer{

161 "smtp",

162 config.Submission.Host.ASCII,

163 443,

164 tlsMode,

165 email,

166 "password-encrypted",

167 }

168 resp.EmailProvider.OutgoingServers = append(resp.EmailProvider.OutgoingServers, outgoingALPN)

169 }

170

171 // todo: should we put the email address in the URL?

172 resp.ClientConfigUpdate.URL = fmt.Sprintf("https://autoconfig.%s/mail/config-v1.1.xml", domain.ASCII)

173

174 w.Header().Set("Content-Type", "application/xml; charset=utf-8")

175 enc := xml.NewEncoder(w)

176 enc.Indent("", "\t")

177 fmt.Fprint(w, xml.Header)

178 err = enc.Encode(resp)

179 log.Check(err, "write autoconfig xml response")

180}

181

182// Autodiscover from Microsoft, also used by Thunderbird.

183// User should create a DNS record: _autodiscover._tcp.<domain> SRV 0 0 443 <hostname>

184//

185// In practice, autodiscover does not seem to work wit microsoft clients. A

186// connectivity test tool for outlook is available on

187// https://testconnectivity.microsoft.com/, it has an option to do "Autodiscover to

188// detect server settings". Incoming TLS connections are all failing, with various

189// errors.

190//

191// Thunderbird does understand autodiscover.

192func autodiscoverHandle(w http.ResponseWriter, r *http.Request) {

193 log := pkglog.WithContext(r.Context())

194

195 var addrDom string

196 defer func() {

197 metricAutodiscover.WithLabelValues(addrDom).Inc()

198 }()

199

200 if r.Method != "POST" {

201 http.Error(w, "405 - method not allowed - post required", http.StatusMethodNotAllowed)

202 return

203 }

204

205 var req autodiscoverRequest

206 if err := xml.NewDecoder(r.Body).Decode(&req); err != nil {

207 http.Error(w, "400 - bad request - parsing autodiscover request: "+err.Error(), http.StatusMethodNotAllowed)

208 return

209 }

210

211 log.Debug("autodiscover request", slog.String("email", req.Request.EmailAddress))

212

213 addr, err := smtp.ParseAddress(req.Request.EmailAddress)

214 if err != nil {

215 http.Error(w, "400 - bad request - invalid parameter emailaddress", http.StatusBadRequest)

216 return

217 }

218

219 // tlsmode returns the "ssl" and "encryption" fields.

220 tlsmode := func(tlsMode admin.TLSMode) (string, string, error) {

221 switch tlsMode {

222 case admin.TLSModeImmediate:

223 return "on", "TLS", nil

224 case admin.TLSModeSTARTTLS:

225 return "on", "", nil

226 case admin.TLSModeNone:

227 return "off", "", nil

228 default:

229 return "", "", fmt.Errorf("unknown tls mode %v", tlsMode)

230 }

231 }

232

233 var imapSSL, imapEncryption string

234 var submissionSSL, submissionEncryption string

235 config, err := admin.ClientConfigDomain(addr.Domain)

236 if err == nil {

237 imapSSL, imapEncryption, err = tlsmode(config.IMAP.TLSMode)

238 }

239 if err == nil {

240 submissionSSL, submissionEncryption, err = tlsmode(config.Submission.TLSMode)

241 }

242 if err != nil {

243 http.Error(w, "400 - bad request - "+err.Error(), http.StatusBadRequest)

244 return

245 }

246

247 // The docs are generated and fragmented in many tiny pages, hard to follow.

248 // High-level starting point, https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxdscli/78530279-d042-4eb0-a1f4-03b18143cd19

249 // Request: https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxdscli/2096fab2-9c3c-40b9-b123-edf6e8d55a9b

250 // Response, protocol: https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxdscli/f4238db6-a983-435c-807a-b4b4a624c65b

251 // It appears autodiscover does not allow specifying SCRAM-SHA-256 as

252 // authentication method, or any authentication method that real clients actually

253 // use. See

254 // https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxdscli/21fd2dd5-c4ee-485b-94fb-e7db5da93726

255

256 w.Header().Set("Content-Type", "application/xml; charset=utf-8")

257

258 // todo: let user configure they prefer or require tls client auth and add "AuthPackage" with value "certificate" to Protocol? see https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxdscli/21fd2dd5-c4ee-485b-94fb-e7db5da93726

259

260 resp := autodiscoverResponse{}

261 resp.XMLName.Local = "Autodiscover"

262 resp.XMLName.Space = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"

263 resp.Response.XMLName.Local = "Response"

264 resp.Response.XMLName.Space = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"

265 resp.Response.Account = autodiscoverAccount{

266 AccountType: "email",

267 Action: "settings",

268 Protocol: []autodiscoverProtocol{

269 {

270 Type: "IMAP",