Alt-N Discussion Groups MDaemon Discussion Groups MDaemon Support Archive

The MS Exchange autodiscover protocol

Edmund Cramp

Novice
Posts: 235

MDaemon
Outlook Connector
WebAdmin

Edmund Cramp - 11:48am, Sep 27 2021

I'm seeing reports that a flaw in Microsoft's Autodiscover protocol, used to configure Exchange clients like Outlook (and implemented in MDaemon) can cause user credentials to leak to miscreants in certain circumstances. It would be nice to hear that the MD implementation has tested this and found that it's not a problem for us or, if there is a problem, that it's been fixed.

Arron Caruth - Sep 27, 2021 1:40 pm (#1 Total: 1)

Guest User

Posts: 1

Based on our understanding there is a flaw in how some clients implement AutoDiscover and not a flaw in the server implementation.

There is more information available at:

https://www.guardicore.com/labs/autodiscovering-the-great-leak/

If you'd rather not read the whole thing, here is a snippet that explains the issue:

However, in order to truly understand how Autodiscover works, we need to know what happens “behind the scenes”:

The client parses the email address supplied by the user – amit@example.com.
The client then tries to build an Autodiscover URL based on the email address with the following format:
- https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
- http://Autodiscover.example.com/Autodiscover/Autodiscover.xml
- https://example.com/Autodiscover/Autodiscover.xml
- http://example.com/Autodiscover/Autodiscover.xml

In the case that none of these URLs are responding, Autodiscover will start its “back-off” procedure. This “back-off” mechanism is the culprit of this leak because it is always trying to resolve the Autodiscover portion of the domain and it will always try to “fail up,” so to speak. Meaning, the result of the next attempt to build an Autodiscover URL would be: http://Autodiscover.com/Autodiscover/Autodiscover.xml. This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain. For more information about how Autodiscover works, please check out Microsoft’s documentation.

If this is not the issue you are talking about, or if you have information that indicates the issue is with the server implementation, please share the information with us so that we can investigate further.

--
Arron Caruth
Vice President of Product Development
o: 817-601-3222 e: Arron.Caruth@mdaemon.com

MDaemon Technologies
Simple Secure Email

Visit us on www.mdaemon.com | Facebook | LinkedIn | YouTube
Sent using the MDaemon Email Server

On Mon, 27 Sep 2021 11:48:25 -0500, "lists-md-support@mdaemon.com (Edmund Cramp)" <lists-md-support@mdaemon.com> wrote:
I'm seeing reports that a flaw in Microsoft's Autodiscover protocol, used to configure Exchange clients like Outlook (and implemented in MDaemon) can cause user credentials to leak to miscreants in certain circumstances. It would be nice to hear that the MD implementation has tested this and found that it's not a problem for us or, if there is a problem, that it's been fixed.

View/reply at The MS Exchange autodiscover protocol
--MD-SUPPORT--------------------------------------------------------------
This list is for questions and discussion about MDAEMON. To unsubscribe 
from this mailing list send an email to md-support-unsubscribe@mdaemon.com .
--POWERED BY MDAEMON!-----------------------------------------------------

--------------------------------------------------------------------------
These forums are provided by MDaemon Technologies for user-to-user 
support and discussion.  MDaemon staff members may participate in the 
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical 
support please use the form here:
http://www.mdaemon.com/Support/RequestSupport/
--------------------------------------------------------------------------


--MD-SUPPORT--------------------------------------------------------------
This list is for questions and discussion about MDAEMON. To unsubscribe 
from this mailing list send an email to md-support-unsubscribe@mdaemon.com .
--POWERED BY MDAEMON!-----------------------------------------------------

--------------------------------------------------------------------------
These forums are provided by MDaemon Technologies for user-to-user 
support and discussion.  MDaemon staff members may participate in the 
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical 
support please use the form here:
http://www.mdaemon.com/Support/RequestSupport/
--------------------------------------------------------------------------