feat: Implement passwordless autodiscover endpoint #6976
+257
−78
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Remove HTTP Basic Authentication requirement from autodiscover.php - Extract email address from XML request body instead of AUTH headers - Validate mailbox existence and active status before returning config - Improve security by eliminating password transmission - Add comprehensive error handling for invalid/inactive mailboxes - Follow industry standards (Microsoft, Google, Apple) - Maintain backward compatibility with existing email clients - Keep full logging functionality in Redis AUTODISCOVER_LOG This change enhances security while improving user experience and follows modern email client configuration best practices.
- Replace hardcoded error IDs with random values (1-10 billion range) for better debugging - Cast SimpleXMLElement email to string before SQL query to prevent type errors - Qualify ambiguous 'active' column with table names in JOIN query - Add proper error XML response for database errors instead of die() - Ensure all error paths return complete XML documents
- Add view_autodiscover.sh helper script for testing autodiscover responses - Support -h/--help flag for usage information - Support -d/--domain flag to override autodiscover target (useful for testing) - Auto-detect xmllint availability for formatted output - Email validation with regex - Interactive mode if no email provided - Display response length for debugging
FreddleSpl0it
requested changes
Dec 18, 2025
Collaborator
There was a problem hiding this comment.
I don't think it's a good idea to perform a user check and return mailbox not found or inactive on failure. This can lead to user enumeration.
Also, if we create unit test i propose to use another repository because i think it will just pollute the mailcow repository.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Contribution Guidelines
What does this PR include?
Short Description
This PR implements passwordless authentication for the Autodiscover endpoint (
/Autodiscover/Autodiscover.xml), enhancing security and improving compatibility with modern email clients.Key Changes:
view_autodiscover.shscript to test autodiscover XML output.Security Benefits:
Backward Compatibility:
AUTODISCOVER_LOGAffected Containers
Did you run tests?
What did you tested?
Valid active mailbox request:
Non-existent mailbox:
Invalid/malformed XML:
Inactive mailbox:
Logging verification:
AUTODISCOVER_LOGWhat were the final results? (Awaited, got)
Expected:
Got:
This change aligns with modern email autodiscovery standards and improves overall security posture.