[horde] Struggling with two issues using ActiveSync
Arjen de Korte
build+horde at de-korte.org
Sat Aug 11 16:32:14 UTC 2018
Quoting Kevin <kevo at gatorgraphics.com>:
>> On Aug 11, 2018, at 7:19 AM, Ad-Min <admin at 123.dynu.com> wrote:
>>
>> Kevin wrote
>>> The first problem is that when setting up an iPhone using autodiscover the
>>> iPhone wants to use http instead of https by default. I can switch on
>>> https later in the phone and everything works fine. I think the problem is
>>> that the autodiscover.xml file is being returned with http in the Server
>>> URL inside the xml instead of https. I'm not sure how Horde is determining
>>> this or if it's a setting I need to change somewhere. I'm assuming that if
>>> that URL was https that the phone would use SSL automatically. I don't
>>> want any users having to set that up manually because some of them surely
>>> won't and then there would be no encryption and that would be a bad thing
>>> IMO.
>>
>> You should be able to force redirect to https from your web server. This has
>> nothing to do with horde. Do this in Apache virtual host if you're using
>> Apache.
>
> So I changed my Apache config to redirect to https. While it does
> accomplish the goal of ensuring some security by not passing all
> email data in the clear, it's not a great solution. Capturing
> packets on the server shows that the client still makes the initial
> request to http and gets the redirect and then goes to https?
>
> So after thinking about this some more and looking at the
> Autodiscover.php file I think I know what's going on. I'm running
> Horde on Univention Corporate Server and it's installed in a docker
> container. The container is reached via proxy from the main server
> and that communication takes place over http. So when the request
> reaches Horde it doesn't show up as https, only http.
>
> So I ended up editing the php code.
>
> $httpsurl = str_replace( 'http://', 'https://', $properties['url'] );
>
> .....
>
> <Type>MobileSync</Type>
> <Url>' . $httpsurl . '</Url>
> <Name>' . $httpsurl . '</Name>
>
>
> Now the result is correct and the client uses https automatically.

You can also configure Horde to use only https in the Administration
panel if you only want to generate https links (and you probably do).

Having said that, running ActiveSync over a proxy is challenging. Most
proxies will close open connections where no data is flowing in either
direction after a few minutes, but for 'push' to work properly, you
need to allow these to remain open for up to 59 minutes. Closing them
prematurely for clients that use push (which is usually lowest in
bandwidth and latency) means this will break. This means mails will be
delayed.

> I'll post this on the Univention forum to see if there is a good
> solution for this without editing code. They have a Let's Encrypt
> integration so maybe when that is turned on it can automatically
> link in the existing cert into the container and turn on https for
> the container as well.
>
> Thanks for pushing me in a good direction.
>
> - Kevin
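
A check for the symptom discussed in this thread, added here as an example (not code from the posters or from Horde): it parses an Autodiscover response and reports MobileSync Server entries that do not advertise https. The response body and the host mail.example.org are constructed sample data.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the shape of response the thread describes, carrying the
# plain-http Server URL produced when the backend only ever sees http requests.
SAMPLE_RESPONSE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
    <Action><Settings>
      <Server>
        <Type>MobileSync</Type>
        <Url>http://mail.example.org/Microsoft-Server-ActiveSync</Url>
        <Name>http://mail.example.org/Microsoft-Server-ActiveSync</Name>
      </Server>
    </Settings></Action>
  </Response>
</Autodiscover>"""


def local(tag):
    """Strip the XML namespace so the check does not depend on it."""
    return tag.rsplit("}", 1)[-1]


def insecure_server_urls(xml_text):
    """Return (element, value) pairs of MobileSync Server entries not using https."""
    findings = []
    for server in ET.fromstring(xml_text).iter():
        if local(server.tag) != "Server":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in server}
        if fields.get("Type") != "MobileSync":
            continue
        # Url must be https; a missing or empty Url is reported as well.
        url = fields.get("Url", "")
        if urlsplit(url).scheme.lower() != "https":
            findings.append(("Url", url))
        # Name may be a bare host name, so only an explicit http scheme is flagged.
        name = fields.get("Name", "")
        if urlsplit(name).scheme.lower() == "http":
            findings.append(("Name", name))
    return findings


if __name__ == "__main__":
    for key, value in insecure_server_urls(SAMPLE_RESPONSE):
        print(f"insecure {key}: {value}")
```

Running it against the response body captured from a real setup, fetched through the same proxy path the phones use, shows whether clients are being handed an http endpoint.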