3
How properly set up autodiscover for multiple domains?
Question asked by David Costello - 9/27/2021 at 8:16 AM
Unanswered
Hello Folks, Hope you are doing all fine.
I have trouble with smartemail autodiscover. Can someone give me example how set up for multiple domains or point me to normal guide link?
Already have on server with about 10 mail domains. I use one autodiscover for all this domains, but for some domains its works and for some dont (while adding in thunderbird).

<Autodiscover>
<Response>
<User>
<DisplayName>%DisplayName%</DisplayName>
<LegacyDN>%LegacyDN%</LegacyDN>
<AutoDiscoverSMTPAddress>%EmailAddress%</AutoDiscoverSMTPAddress>
<DeploymentId>851c5d1c-a9e5-42f3-a7b4-805a093761e5</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<MicrosoftOnline>False</MicrosoftOnline>
<ConsumerMailbox>False</ConsumerMailbox>
<Protocol Type="mapiHttp" Version="1">
<MailStore>
<InternalUrl>
 //EXAMPLE.COM/mapi/emsmdb/?MailboxId=%Base64EmailAddress%
</InternalUrl>
<ExternalUrl>
 //EXAMPLE.COM /mapi/emsmdb/?MailboxId=%Base64EmailAddress%
</ExternalUrl>
</MailStore>
<AddressBook>
<InternalUrl>
 //EXAMPLE.COM /mapi/nspi/?MailboxId=%Base64EmailAddress%
</InternalUrl>
<ExternalUrl>
 //EXAMPLE.COM /mapi/nspi/?MailboxId=%Base64EmailAddress%
</ExternalUrl>
</AddressBook>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>EXAMPLE.COM </Server>
<SSL>On</SSL>
<AuthPackage>ntlm</AuthPackage>
<ASUrl> //EXAMPLE.COM /EWS/Exchange.asmx</ASUrl>
<OOFUrl> //EXAMPLE.COM /EWS/Exchange.asmx</OOFUrl>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>EXAMPLE.COM </Server>
<AuthPackage>ntlm</AuthPackage>
<LoginName>%EmailAddress%</LoginName>
<DomainRequired>On</DomainRequired>
<DomainName>EXAMPLE.COM </DomainName>
<ASUrl> //EXAMPLE.COM /ews/exchange.asmx</ASUrl>
<EwsUrl> //EXAMPLE.COM /ews/exchange.asmx</EwsUrl>
<OOFUrl> //EXAMPLE.COM /ews/exchange.asmx</OOFUrl>
</Protocol>
<Protocol>
<Type>SMTP</Type>
<Server>EXAMPLE.COM </Server>
<Port>465</Port>
<LoginName>%EmailAddress%</LoginName>
<DomainRequired>On</DomainRequired>
<DomainName>EXAMPLE.COM</DomainName>
<SPA>Off</SPA>
<TLS>On</TLS>
<AuthRequired>On</AuthRequired>
</Protocol>
<Protocol>
<Type>IMAP</Type>
<Server>EXAMPLE.COM</Server>
<Port>993</Port>
<LoginName>%EmailAddress%</LoginName>
<DomainRequired>On</DomainRequired>
<DomainName>EXAMPLE.COM</DomainName>
<SPA>Off</SPA>
<SSL>On</SSL>
<AuthRequired>On</AuthRequired>
</Protocol>
<Protocol>
<Type>POP3</Type>
<Server>EXAMPLE.COM </Server>
<Port>995</Port>
<LoginName>%EmailAddress%</LoginName>
<DomainRequired>On</DomainRequired>
<DomainName>EXAMPLE.COM</DomainName>
<SPA>Off</SPA>
<SSL>On</SSL>
<AuthRequired>On</AuthRequired>
</Protocol>
</Account>
</Response>
</Autodiscover>

This above is my autodiscover xml publish. Can someone give me point what missing?
Regards

11 Replies

Reply to Thread
2
Douglas Foster Replied
Did you see this post?   https://portal.smartertools.com/community/a93872/streamlining-autodiscover.aspx
 Ignore some of my early comments, because the best information is at the bottom.   If you will have many domains, you probably want to use the "http redirect" option.

Autodiscover is mostly Microsoft magic.   If you connect to SmarterMail successfully, it should work.
0
David Costello Replied
Thanks for answering Douglas, I ll check test and answer you back with results. One more question, if I have multiple domains, when I bind ports for ssl like SMTP 465 and other, which domains certificate I have to use ?
Because now I have over 20 domains and under one host domain (with I send/receive mails), but when I try to add any account on mail client I got error on outgoing SMTP, it says NO Encryption. Support told me that I need for all domains separate IIS configuration and  separate  autodiscover. Also tried rewrite with guideline which is
in Knowledge Base here but, its not working properly . Any suggestions ?
Regards


0
Douglas Foster Replied
SmarterMail support is apparently still getting up to speed on the complexities of autodiscover, or they did not understand your question.

As I said, you want to use HTTP Redirect.
HTTP://Autodiscover.clientdomain.com (no certificate)
redirects to
HTTPS://server.vendordomain.com (with certificate)
Your SmarterMail ports are all configured to use the host name and certificate for server.vendordomain.com, so you only need one website and one certificate.   No need for wildcards or multiple SANs.

Caveat:  I have no need for this configuration, so it has not been tried, although the concept makes perfect sense to me.

Your clients will experience a faster autodiscover process if they use registry keys to direct Outlook to use the method which you have implemented, but it is not required.   By default, Outlook tries all of the options, following the indicated sequence.  However, if Outlook is using any of the protocols that require autodiscover, I think it repeats the autodiscover process every time that Outlook starts up.   Consequently, tuning the process with registry keys can be more than a one-time win.

My information was based on a Microsoft article, and I think the link is in post.    I often find Microsoft text to be obscure, so I tried to summarize and clarify.   But you should navigate to their article if mine is insufficient.
0
Sébastien Riccio Replied
Additionnally to Douglas answer, I would say that if the domain has a website under http[s]://domain.tld, with a matching SSL certificate, it is also useful to add:

A redirect for domain.tld/autodiscover/autodiscover.xml to https://yoursmmailserver.com/autodiscover/autodiscover.xml

Having analyzed a bit how most clients do their autodiscovering, it always starts with trying to get in the first place:
http[s]://domain.tld/autodiscover/autodiscover.xml
Then it tries to get:

Setting them to be redirects to https://yourmailserver.com/autodiscover/autodiscover.xml and then  ou don't need to have SSL certificates for each domain on the mail server itself.

I'm not sure I'm able to explain it clearly :)

Sébastien Riccio
System & Network Admin

0
David Costello Replied
Thanks for answering. I have done redirect from http to https but same result at this moment. I ll try to explain what I got at this moment
Root mail domain : example.com
1. autodiscover.example.com A record point mailserver IP
2. mail.example.com A record point mailserver IP
3. autoconfig.example.com A record point mailserver IP
4. _autodiscover._tcp.example.com SRV record  0 0 443 mail.cliquedmail.com
5. example.com MX record mail.example.com
6. IIS running with domain and subdomains (mail. and autodiscover. ) with redirect
7. SSL LetsEncrypt and is used by IIS and in smartermail bind port for SMTP,IMAP,POP. (SSL is wild card - *.example.com)
 


Now when I try to login from client (SmarterMail is latest version,Mail client - Thunderbird 91.1.2 x64 bit )

Scenario 1:
test@example.com it discovers :

Incoming IMAP mail.example.com SSL/TLS

Outgoing SMTP mail.example.com No Encryption

Username test@example.com

when I go to configure manually
seams it could not find outgoing SMTP, when I change Connection security to Autodetect or SSL/TLS and  Re-test everything is OK
Scenario 2:
test@test1.com it discovers:

Incoming IMAP mail.example.com SSL/TLS

Outgoing SMTP mail.example.com No Encryption

Username %EmailAddress%


seams it could not find outgoing SMTP and user, when I change Connection security to Autodetect or SSL/TLS and  Re-test everything is OK

Scenario 3: 
test@test2.com it discovers:

Incoming IMAP mail.test2.com SSL/TLS

Outgoing SMTP mail.test2.com SSL/TLS

Username test@test2.com

everthing seams okay. Only one warning with certificate 
in Location -  mail.test2.com:993 and when I click View certificate seams for *.example.com
which is okay I think.

For all of this 3 domains autodiscover is same, DNS records are same. What I am missing I dont know. SmarterMail support told me that is out of there scope.

and I'm not sure I'm able to explain it clearly :)))))))
0
Douglas Foster Replied
Not sure that I followed all that you posted, but here are some more general notes:

Since you are using IMAP the first step is to get it working without autodiscover.
1) You should use encryption in both directions (IMAP and SMTP)
2) You need to ensure that you have configured login credentials for both directions (IMAP and SMTP)
3) You need to be careful that SmarterMail domain object is not configured with a host name override.   The autodiscover redirect is going to point to the same destination for all domains, so SmarterMail needs to use a single host name for all domains.
4) The certificate needs to correspond with the single host name (wildcard certificates are fine - I use one also.)

Verify that you can connect using manual configuration, without any certificate warnings and without any login failures.

When enabling autodiscover:
The autodiscover host name should (must) be a CNAME record which resolves to your server name, not an A record.  When you resolve to an IP using an A record, the connection will be made using the IP address, and an IP address always fails certificate verification.

This autodiscover entry is created in the client domain.
The cname points to the server name
Your server is configured with a wildcard certificate in the same domain as the server name.
0
Douglas Foster Replied
Also, since you are not using one of the protocols based on HTTPS (MAPI, EAS, EWS), port 443, the SRV record is not used and http redirect does not apply.  

You may have only one problem - the need to convert the autodiscover record from A to CNAME.
0
David Costello Replied
Hello Douglas, Thanks for answer. I ll check and write you back update
0
Kyle Kerst Replied
Employee Post
David, I just wanted to clarify one point here. We did not advise you to have separate IIS configurations for each domain. In fact, having more than one IIS site for SmarterMail will lead to a variety of issues as I pointed out on your ticket.  

That said, you will require hostnames/SSL set up for each domain per Douglas' response above (the three criteria he noted) if you want MAPI/EAS/EWS to work properly. If your only concern is IMAP though these are less important.

Going forward though, per my latest followup on your ticket, this looks to be an authentication issue involving the Thunderbird install you are testing from. It is currently passing an empty string for username and password during AUTH LOGIN, and this is failing the account setup in general. This may be due to your testing taking place on the server itself rather than a client connecting. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
David Costello Replied
Hello Douglas, Hope you are doing fine. I have made this change to DNS record but still same error :/
0
David Costello Replied
Getting errors like this 

Reply to Thread