Skip to content

feat: Implement passwordless autodiscover endpoint#6976

Merged
FreddleSpl0it merged 6 commits intostagingfrom
fix/autodiscover-passwordless
Mar 3, 2026
Merged

feat: Implement passwordless autodiscover endpoint#6976
FreddleSpl0it merged 6 commits intostagingfrom
fix/autodiscover-passwordless

Conversation

@DerLinkman
Copy link
Copy Markdown
Member

@DerLinkman DerLinkman commented Dec 17, 2025
edited
Loading

Contribution Guidelines

What does this PR include?

Short Description

This PR implements passwordless authentication for the Autodiscover endpoint (/Autodiscover/Autodiscover.xml), enhancing security and improving compatibility with modern email clients.

Key Changes:

  • Removed HTTP Basic Authentication requirement from autodiscover endpoint
  • Email address is now extracted from the XML request body instead of authentication headers
  • Added validation to ensure mailbox exists and is active before returning configuration
  • Maintains full logging functionality in Redis
  • Follows industry standards used by major providers (Microsoft, Google, Apple)
  • Added view_autodiscover.sh script to test autodiscover XML output.

Security Benefits:

  • Eliminates password transmission during autodiscover process
  • Prevents credential stuffing attacks on this endpoint
  • Reduces attack surface while maintaining necessary validation
  • No access to mailbox data without proper authentication

Backward Compatibility:

  • Existing email clients continue to work seamlessly
  • No configuration changes required
  • All logging preserved in AUTODISCOVER_LOG

Affected Containers

  • phpfpm-mailcow (indirect - PHP code changes)

Did you run tests?

What did you tested?

  1. Valid active mailbox request:

    • Sent properly formatted XML with existing, active email address
    • Verified correct autodiscover configuration returned

  2. Non-existent mailbox:

    • Sent request with non-existent email address
    • Verified appropriate error response

  3. Invalid/malformed XML:

    • Sent invalid XML data
    • Verified error handling

  4. Inactive mailbox:

    • Tested with deactivated mailbox
    • Verified access denied with appropriate error

  5. Logging verification:

    • Confirmed all requests properly logged to Redis AUTODISCOVER_LOG
    • Verified log entries contain correct information

What were the final results? (Awaited, got)

Expected:

  • Valid mailboxes receive full autodiscover configuration without authentication
  • Invalid/inactive mailboxes receive error responses
  • No authentication prompts or 401 errors
  • All requests properly logged

Got:

  • ✅ All test cases passed as expected
  • ✅ Autodiscover configuration correctly returned for valid mailboxes
  • ✅ Appropriate errors for invalid/inactive mailboxes
  • ✅ Logging functionality intact
  • ✅ No breaking changes to existing functionality

This change aligns with modern email autodiscovery standards and improves overall security posture.

@DerLinkman
feat: implement passwordless autodiscover endpoint
ee15721 
- Remove HTTP Basic Authentication requirement from autodiscover.php
- Extract email address from XML request body instead of AUTH headers
- Validate mailbox existence and active status before returning config
- Improve security by eliminating password transmission
- Add comprehensive error handling for invalid/inactive mailboxes
- Follow industry standards (Microsoft, Google, Apple)
- Maintain backward compatibility with existing email clients
- Keep full logging functionality in Redis AUTODISCOVER_LOG

This change enhances security while improving user experience and
follows modern email client configuration best practices.
@DerLinkman
Fix autodiscover.php: Use random error IDs and fix SQL type casting
ec77406 
- Replace hardcoded error IDs with random values (1-10 billion range) for better debugging
- Cast SimpleXMLElement email to string before SQL query to prevent type errors
- Qualify ambiguous 'active' column with table names in JOIN query
- Add proper error XML response for database errors instead of die()
- Ensure all error paths return complete XML documents
@DerLinkman
Add autodiscover debug script with domain override support
b005803 
- Add view_autodiscover.sh helper script for testing autodiscover responses
- Support -h/--help flag for usage information
- Support -d/--domain flag to override autodiscover target (useful for testing)
- Auto-detect xmllint availability for formatted output
- Email validation with regex
- Interactive mode if no email provided
- Display response length for debugging
FreddleSpl0it
FreddleSpl0it requested changes Dec 18, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@FreddleSpl0it FreddleSpl0it left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it's a good idea to perform a user check and return mailbox not found or inactive on failure. This can lead to user enumeration.

Also, if we create unit test i propose to use another repository because i think it will just pollute the mailcow repository.

@FreddleSpl0it FreddleSpl0it marked this pull request as ready for review January 28, 2026 10:10
@FreddleSpl0it FreddleSpl0it merged commit 609ce6b into staging Mar 3, 2026
@FreddleSpl0it FreddleSpl0it deleted the fix/autodiscover-passwordless branch March 3, 2026 13:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@FreddleSpl0it FreddleSpl0it FreddleSpl0it approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DerLinkman @FreddleSpl0it