Help needed - Certificate for internal Mail server with multiple domain
Posted by GrcivRed@reddit | sysadmin | 4 comments
Hi,
We manage a locally hosted MDaemon Mail Server handling email for a dozen companies. I recently inherited this legacy configuration and am working to modernize it. My primary goals are:
- SSL Certificates: Implementing a valid certificate for the service and all associated domains.
- AutoDiscover: Configuring AutoDiscover so Outlook clients can automatically retrieve IMAP/SMTP parameters.
DNS
We have a dozen domains:
- companygroup.com
- company1.com
- company2.com
- company3.com
- etc.
The mail server is hosted by company1, and all the Outlook clients of all the companies use mail.company1.com as incoming and outgoing mail servers.
The DNS records are as follows:

ZONE COMPANYGROUP.COM
```
mail                  A      public IP address
@                     MX 10  mail.company1.com
autodiscover          A      public IP address
_autodiscover._tcp    SRV    443 mail.company1.com
_submissions._tcp     SRV    465 mail.company1.com
_smtps._tcp           SRV    465 mail.company1.com
_imaps._tcp           SRV    993 mail.company1.com
_pop3s._tcp           SRV    995 mail.company1.com
```

ZONE COMPANY1.COM
```
mail.company1.com     A      public IP address
@                     MX 10  mail.company1.com
autodiscover          CNAME  mail.companygroup.com
_autodiscover._tcp    SRV    443 mail.company1.com
_submissions._tcp     SRV    465 mail.company1.com
_smtps._tcp           SRV    465 mail.company1.com
_imaps._tcp           SRV    993 mail.company1.com
_pop3s._tcp           SRV    995 mail.company1.com
```

ZONE COMPANY2.COM, COMPANY3.COM, etc.
```
mail.company2.com     CNAME  mail.companygroup.com
@                     MX 10  mail.company1.com
autodiscover          CNAME  mail.companygroup.com
_autodiscover._tcp    SRV    443 mail.company1.com
_submissions._tcp     SRV    465 mail.company1.com
_smtps._tcp           SRV    465 mail.company1.com
_imaps._tcp           SRV    993 mail.company1.com
_pop3s._tcp           SRV    995 mail.company1.com
```
Some DNS records point to companygroup.com because in the next 2-3 years we would like to migrate the users to that domain.
I was able to get a Let's Encrypt certificate for mail.company1.com, with alternative hosts: autodiscover.company1.com, mail.companygroup.com, autodiscover.companygroup.com, mail.company2.com, autodiscover.company2.com, mail.company3.com, autodiscover.company3.com, etc.
I've tested multiple mailboxes and the certificate appears to be working.
Regarding AutoDiscover, I'm having no such luck. The AutoDiscover page is publicly available at https://mail.company1.com/autodiscover/autodiscover.xml, but Outlook sometimes prompts me as if I were logging in with an M365 account, and sometimes it instead gives a warning about a redirect from https://mail.company2.com/autodiscover/autodiscover.xml to https://mail.companygroup.com/autodiscover/autodiscover.xml and again to https://mail.company1.com/autodiscover/autodiscover.xml.
Is there a way to resolve this via GPO (e.g., Internet Options or Office templates), or is there a fundamental flaw in the redirect logic?
Helpjuice@reddit
You have too many cross-domain autodiscover redirects going on here. To fix it, take each autodiscover.company<#>.com and point it directly to the mail server without the CNAME chains or redirects, so Outlook can resolve it cleanly without the warnings, which are generated due to the security problems you are creating with the redirects. Update the zone files to look similar to the following.
company1
company2
company3
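An added example (not from the thread or from MDaemon): a small Python audit of the lookup path Outlook takes per domain, using constructed placeholder records modelled on the zones and the redirect chain described above. It flags each HTTP redirect that crosses to another domain (the hops that produce the warning) and checks that the name the client actually connects to, not the CNAME target, is covered by the certificate's SANs; `registrable()` assumes two-label domains, which holds for these .com names.

```python
# Constructed records modelled on the thread's zones (placeholder IPs, not real).
DNS = {
    "mail.company1.com": ("A", "203.0.113.10"),
    "mail.companygroup.com": ("A", "203.0.113.10"),
    "autodiscover.company1.com": ("CNAME", "mail.companygroup.com"),
    "mail.company2.com": ("CNAME", "mail.companygroup.com"),
    "autodiscover.company2.com": ("CNAME", "mail.companygroup.com"),
}
# Constructed HTTP redirect map (host -> host) reproducing the chain the OP saw.
REDIRECTS = {
    "autodiscover.company2.com": "mail.company2.com",
    "mail.company2.com": "mail.companygroup.com",
    "mail.companygroup.com": "mail.company1.com",
}
SRV_TARGET = "mail.company1.com"  # _autodiscover._tcp target in every zone
# SANs on the Let's Encrypt certificate as described in the post.
CERT_SANS = {"mail.company1.com", "autodiscover.company1.com",
             "mail.companygroup.com", "autodiscover.companygroup.com",
             "mail.company2.com", "autodiscover.company2.com"}

def registrable(name):
    # Assumption: registrable domain is the last two labels (true for these .com names).
    return ".".join(name.split(".")[-2:])

def cname_chain(name, dns):
    """Follow CNAMEs until an A record (or an unknown name); capped to avoid loops."""
    chain = [name]
    while dns.get(chain[-1], ("",))[0] == "CNAME" and len(chain) < 8:
        chain.append(dns[chain[-1]][1])
    return chain

def redirect_chain(host, redirects):
    """Follow HTTP redirects host by host; capped to avoid loops."""
    chain = [host]
    while chain[-1] in redirects and len(chain) < 8:
        chain.append(redirects[chain[-1]])
    return chain

def audit(domain, dns=DNS, redirects=REDIRECTS, sans=CERT_SANS, srv=SRV_TARGET):
    """One finding per lookup step in Outlook's order: https://<domain>/..., then
    https://autodiscover.<domain>/..., then the SRV target. TLS is validated against
    the URL host, so that exact name must be a SAN regardless of its CNAME target."""
    findings = []
    for step, host in (("root", domain), ("autodiscover", "autodiscover." + domain), ("srv", srv)):
        hops = redirect_chain(host, redirects)
        cross = [b for a, b in zip(hops, hops[1:]) if registrable(a) != registrable(b)]
        findings.append({"step": step, "host": host,
                         "cname_chain": cname_chain(host, dns),
                         "cert_covers_host": host in sans,
                         "cross_domain_redirects": cross})  # each such hop prompts Outlook
    return findings
```

Running `audit("company2.com")` with the constructed records reports two cross-domain hops on the autodiscover step; rerunning it with `autodiscover.company2.com` as a direct A record and an empty redirect map reports none, which is the layout suggested above.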
GrcivRed@reddit (OP)
I changed the configuration as suggested, but it's still not working:
I see that the Configuration testing utility:
- first tries to reach Office 365 (the tenant does not exist)
- then tries https://company1.com/autodiscover/autodiscover.xml error 0x8004013
- finally tries https://autodiscover.company1.com/autodiscover/autodiscover.xml error 0x800401F
GrcivRed@reddit (OP)
Thank you.
sembee2@reddit
Also be aware that Outlook will try to Autodiscover against Office365 on its own. You can block that behaviour with a registry entry and I think a GPO.