SRV records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give "." as the target address (instead of "mail.example.org."). Please refer to RFC 2782.
Check the autoconfig output e.g. via curl https://autoconfig.example.com/mail/config-v1.1.xml. It should not contain IMAP and SMTP on plain ports.
Full output of the xml
<?xml version="1.0"?><clientConfig version="1.1">
<emailProvider id="mail.example.com">
<domain>%EMAILDOMAIN%</domain>
<displayName>A mailcow mail server</displayName>
<displayShortName>mail server</displayShortName>
<incomingServer type="imap">
<hostname>mail.example.com</hostname>
<port>993</port>
<socketType>SSL</socketType>
<username>%EMAILADDRESS%</username>
<authentication>password-cleartext</authentication>
</incomingServer>
<incomingServer type="imap">
<hostname>mail.example.com</hostname>
<port>143</port>
<socketType>STARTTLS</socketType>
<username>%EMAILADDRESS%</username>
<authentication>password-cleartext</authentication>
</incomingServer>
<outgoingServer type="smtp">
<hostname>mail.example.com</hostname>
<port>465</port>
<socketType>SSL</socketType>
<username>%EMAILADDRESS%</username>
<authentication>password-cleartext</authentication>
</outgoingServer>
<outgoingServer type="smtp">
<hostname>mail.example.com</hostname>
<port>587</port>
<socketType>STARTTLS</socketType>
<username>%EMAILADDRESS%</username>
<authentication>password-cleartext</authentication>
</outgoingServer>
<enable visiturl="https://mail.example.com/admin.php">
<instruction>If you didn't change the password given to you by the administrator or if you didn't change it in a long time, please consider doing that now.</instruction>
<instruction lang="de">Sollten Sie das Ihnen durch den Administrator vergebene Passwort noch nicht geändert haben, empfehlen wir dies nun zu tun. Auch ein altes Passwort sollte aus Sicherheitsgründen geändert werden.</instruction>
</enable>
</emailProvider>
<webMail>
<loginPage url="https://mail.example.com/SOGo/" />
</webMail>
</clientConfig>
Contribution guidelines
I've found a bug and checked that ...
Description
In https://github.com/mailcow/mailcow-dockerized/blob/master/data/web/autodiscover.php#L164-L185 we only publish TLS ports. In https://github.com/mailcow/mailcow-dockerized/blob/master/data/web/autoconfig.php#L35-L48 and https://github.com/mailcow/mailcow-dockerized/blob/master/data/web/autoconfig.php#L73-L86 we publish TLS and plain ports.
In https://github.com/mailcow/mailcow-dockerized/blob/master/data/web/autoconfig.php#L62 and https://github.com/mailcow/mailcow-dockerized/blob/master/data/web/autoconfig.php#L51 we already check if POP3/s is enabled via SRV record so checking against SRV records wouldn't even be something new.
To address https://www.usenix.org/system/files/sec21-poddebniak.pdf I "disabled" plain ports via
but due to the code in autoconfig, they are still published for this endpoint only.
In the docs in https://docs.mailcow.email/getstarted/prerequisite-dns/#the-advanced-dns-configuration is stated
Also the mentioned RFC https://www.rfc-editor.org/rfc/rfc6186#section-3.4 says
in
I can also not fix it by adjusting something mentioned in https://docs.mailcow.email/manual-guides/u_e-autodiscover_config/
Please honor disabled SMTP and IMAP as well for the autoconfig endpoint.
Logs:
Steps to reproduce:
Check the autoconfig output e.g. via curl https://autoconfig.example.com/mail/config-v1.1.xml. It should not contain IMAP and SMTP on plain ports.
Full output of the xml
Which branch are you using?
master
Which architecture are you using?
x86
Operating System:
Not relevant
Server/VM specifications:
Not relevant
Is Apparmor, SELinux or similar active?
Not relevant
Virtualization technology:
Not relevant
Docker version:
Not relevant
docker-compose version or docker compose version:
Not relevant
mailcow version:
2024-06a
Reverse proxy:
Not relevant
Logs of git diff:
Logs of iptables -L -vn:
Logs of ip6tables -L -vn:
Logs of iptables -L -vn -t nat:
Logs of ip6tables -L -vn -t nat:
DNS check:
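A check for the mismatch this report describes, as an added example that is not part of the original issue or of mailcow's code: it parses an autoconfig document and lists every endpoint whose service the SRV records announce as not provided (target "."). The zone lines and the abridged XML are constructed samples, the function names are hypothetical, and the SRV label mapping follows RFC 6186 and RFC 8314.

```python
import xml.etree.ElementTree as ET

# SRV label for each (protocol, socketType) pair: RFC 6186, plus RFC 8314
# for _submissions. STARTTLS and plain share the non-implicit-TLS label.
SRV_LABEL = {("imap", "SSL"): "_imaps._tcp", ("pop3", "SSL"): "_pop3s._tcp",
             ("smtp", "SSL"): "_submissions._tcp"}
for _sock in ("STARTTLS", "PLAIN"):
    SRV_LABEL.update({("imap", _sock): "_imap._tcp", ("pop3", _sock): "_pop3._tcp",
                      ("smtp", _sock): "_submission._tcp"})

def disabled_services(zone_lines):
    """Return SRV labels whose target is "." (service not provided, RFC 2782)."""
    disabled = set()
    for line in zone_lines:
        f = line.split()  # owner ttl class type priority weight port target
        if len(f) == 8 and f[3].upper() == "SRV" and f[7] == ".":
            # Owner name is _service._proto.domain. ; keep the first two labels.
            disabled.add(".".join(f[0].split(".")[:2]).lower())
    return disabled

def contradictions(xml_text, disabled):
    """List autoconfig endpoints that advertise a service the SRV records disable."""
    found = []
    for server in ET.fromstring(xml_text).iter():
        if server.tag not in ("incomingServer", "outgoingServer"):
            continue
        proto = server.get("type")
        sock = server.findtext("socketType", "").strip().upper()
        label = SRV_LABEL.get((proto, sock))
        if label in disabled:
            found.append((label, proto, int(server.findtext("port")), sock))
    return found

# Constructed sample data (assumed records, not the reporter's real zone).
SAMPLE_ZONE = [
    "_imap._tcp.example.com. 3600 IN SRV 0 0 0 .",
    "_submission._tcp.example.com. 3600 IN SRV 0 0 0 .",
    "_imaps._tcp.example.com. 3600 IN SRV 0 1 993 mail.example.com.",
    "_submissions._tcp.example.com. 3600 IN SRV 0 1 465 mail.example.com.",
]
SAMPLE_XML = """<clientConfig version="1.1"><emailProvider id="mail.example.com">
<incomingServer type="imap"><port>993</port><socketType>SSL</socketType></incomingServer>
<incomingServer type="imap"><port>143</port><socketType>STARTTLS</socketType></incomingServer>
<outgoingServer type="smtp"><port>465</port><socketType>SSL</socketType></outgoingServer>
<outgoingServer type="smtp"><port>587</port><socketType>STARTTLS</socketType></outgoingServer>
</emailProvider></clientConfig>"""

if __name__ == "__main__":
    for hit in contradictions(SAMPLE_XML, disabled_services(SAMPLE_ZONE)):
        print("advertised in autoconfig but disabled via SRV:", hit)
```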