hMailServer, IIS 8.5 and Autodiscover – Impossible? NOPE

Last updated: January 24, 2015 at 19:22 pm
It certainly is not impossible! Well… I mean … at least partly. You know, if autodiscover for Outlook is enough for you that is. I couldn’t verify this working for iOS, have not yet checked Windows Phone (WP) or Android (will update if I do).

The Basics – As always first things first

What exactly does the Outlook Autodiscover do? Like this Technet-Article states very clear it’s simple, really. For the rest of this article I will just assume you read this.

So, the Autodiscover asks for 2 URL’s, but is _not_ using a GET for this, but a direct, unasked POST with an XML (kinda like a SOAP Message – but whatever). That .xml contains basic information about the User who is trying to reach the system. My guess is, that with an Exchange there would be some handling with the .xml. However our hMailserver doesn’t care about this file, but the IIS has to handle that. This took me a while to understand, because I didn’t understand that despite me putting the autodiscover.xml where it should be it didn’t work – at all. In retrospect it is very obvious. I mean, of course the IIS doesn’t know how to answer to a .xml POST – there is no handler to do this.

I need to do a little explanation as to why I need to do the second step that I’m about to explain. If you feel that this doesn’t concern you, go ahead and skip the rest of this part. That was the first part of what I stumbled across while searching for an answer. The other thing is, that hMailserver only accepts the full E-Mail Address as a loginname. I know, some of you are able to use the Active Directory option. Then that first part is all I would need to worry about. Let’s just assume I don’t want to do that for security reasons. Maybe I don’t  want to add an AD-User for every Mailbox I have. Maybe I have a User-Based licensing model. I bet there are tons of reasons, mine simply was that my hMailserver didn’t want to accept the AD-Credentials – even when typed in manually.

Going after the Microsoft Schema using the full E-Mail is one of the last things Outlook tries while the Autodiscover is running. By the time it reaches that constellation your IP is (at least) time banned from hMailserver (with the standard settings). So what now? Hey, it looks like the autodiscover.xml can hold a  <LoginName> attribute…. niiice. But I don’t want to use the same mailbox for every client do I? Dang it. What if I could automatically generate that username by taking the posted .xml that we got from Outlook? Bingo! As I quickly found out I’m not the only one with this idea, so I will put the links down for you where I found my input.

What do you need? What Setup did you have?

Software:

Since we use PHP to generate the right .xml later I recommend for security reasons that you setup a separate Application Pool with a different user, folder etc. So that even if there is a new bug/exploit the user has (if any) limited rights on your system. Return here when you are finished.

This is the first part of two. The second post will contain the juicy bits, with screenshots and such. Again: Don’t hesitate to contact me here

UPDATE: The second part is now finished