Outlook 2016 sync

ladas

Hi everybody.
I install grommunio 2022.05.1 fresh install, made base configuration, create domain and first user. I connect Outlook 2016. For first wiew it seems good, but Outlook say Disconnected and messages which I have in WEB GUI not synced into Outlook.
This is only error which I found in /var/log/grommunio-sync/grommunio-sync-error.log:
26/05/2022 15:04:04 [23503] [FATAL] [user@domain.com] Exception: (ProvisioningRequiredException) - Retry after sending a PROVISION command

Outlook account is configured by Control Pannels / Mail / Profiles / MS Exchange Active sync and it was correctly finished. Can someone help where could be a trouble? Thank you.

mwilliams

Are you sure you wanted Outlook to connect using ActiveSync rather than Exchange/MAPI mode?

ladas

It is not the same? We use old Zarafa server and it needs outlook plugin. I did not find any plugin for grommunio for outlook.
I tryed to connect Outlook as to Exchange (by documentation) but I was not successfull. Even when I set autodiscover=1 Must be set some other prameters too? At documentation I did not find more other details :( Can you help how to do it properly, please? Thank you very much.

mwilliams

ladas

No, not even close to the same. While it is possible to connect Outlook to grommunio via EAS, it is not recommended and not supported. grommunio does not require any plugin for Outlook. It speaks the 'native language', or moreover the identical protocols as Exchange does, which is why no plugins are required. If you are not able to connect your Outlook correctly, you might want to check if your autodiscover is setup correctly, as defined here: https://docs.grommunio.com/admin/quickstart.html?highlight=autodiscover#minimum-requirements and setup the outlook profile as defined here: https://docs.grommunio.com/user/groupware.html#microsoft-outlook

ladas

Thank you for your answer. I read this part of doku during installation, but when I read it again I discovered my trouble. During installation I set our old-domain.com and because I need to use more domains in one server (as aliases for each user) and after installation I created new-domain.com as a main and old-domain.com as alias. And autodiscover foud new-domain.com from username@new-domain.com When I switch domains autodiscover start to work and Outlook is connected now. Thank you for fast help :) I can test all features now.

bunker

Hi,

I am able to connect outlook through EAS to grommunio without any problem with a user address that are made of the main domain of our server.

I'm also able to connect a user with a different domain name than the main domain but not whitout any warning.
it prompt about the certificate that do not match this user email address. I did setup autodiscover , cname and srv record according those other domains. The account is added succesfully but not whitout any warning.

Do we have to setup a different SSL certificate for eah domains so outllook can be added succesfully without any prompt? If yes, how?

And about iphone. You cannot add an account if the certificatr do not match. So all users that have a different domain thant the main domain, they cannot add their account to an Apple device..

Did I mist something?

crpb

Hey bunker,

how did you setup all those DNS-Settings and Stuff?
I use Hostnames w/o any of the Hosted Mail-Domains in my Installations.
And with .htaccess-Rules on Web-Sites like the Following

RedirectMatch 302 (?i)^/Autodiscover/(.*)$ https://grommunio.private.domain.de/Autodiscover/$1

And "autodiscover.domain.tld" is a CNAME to "grommunio.private.domain.de" in that example.

EDIT:

And don't forget those SRV-Entries :P

_autodiscover._tcp.emaildomain.tld. IN SRV 0 0 443 grommunio.private.domain.de

crpb

Another approach( i think up there somewhere ) would be to create an VirtualHost(apache in that context) "autodiscover.domainz.com" on the Web-Hosting-Site and do a Redirect as described

crpb RedirectMatch 302 (?i)^/Autodiscover/(.*)$ https://grommunio.private.domain.de/Autodiscover/$1

Or if configured in the apache vhost

ServerName autodiscover.domain.tld
....
RewriteRule   ^/(.*)$ https://grommunio.internal.domain.tld/autodiscover/autodiscover.xml  [R=301,L]

And with nginx maybe something like that

server_name autodiscover.domain.tld;
....
return 301 https://grommunio.internal.domain.tld/autodiscover/autodiscover.xml;

Which doesn't care for anything else than autodiscover.xml! So keep that in mind.
But if i'm not mistaken gromox currently only supports this endpoint?!

For all this to work your DNS-Entry should obviously point to the Web-Hosting - Wherever you might do that!/internal with reverse-proxies/outside on the normal web-hosting-server/somewhere totally different...

These snippets aren't the golden rule in any way!

The problem with those autodiscover-f*** is i would guess the password.
Maybe it would even be better to remove those "autodiscover.domain.tld" DNS-Entries completely to let Outlook "skip" that step.

And you could even disable those "Discovery-Mechanisms" via a Group-Policy.

It all depends on your Network.

I personally don't care for multiple Domains on the Grommunio-Host and also not naming them "autodiscover.xyz.tld".
The default NGINX-Configuration of Grommunio will let you use multiple Hostnames. But your certificate should reflect those. I also don't use the letsencrypt/acme-bot because in my usual setup an haproxy is in front of all HTTP(s)-Hosts and i use wildcard-domains in form of "*.customer.mypersonaldnsdomain.tld". And because of that i'm not really familiar with those Configuration-Steps because I don't have to care.

Enough said for now! :-).

bunker

Hi crpd,

Thanks for your quick answer again.

Most of my users is unsing the default main domain of the server; domainA.com
For the domainA.com I did setup the
srv --> autodiscover.tcp.domainA.com. IN SRV 0 0 443 grommunio.domainA.com
cname --> autodisvcover.domainA.com --> grommunio.domainA.com

for other domains. ex: domainZ.com

srv --> autodiscover.tcp.domainZ.com. IN SRV 0 0 443 grommunio.domainA.com
cname --> autodisvcover.domainZ.com --> grommunio.domainA.com

I don't know about tha .htaccess rules, Do we have to do this on grommunio server for all hostaed domains? Or we have to configure this on the web server (WEB SITE ) that host domainZ.com ?

Can you direct me more than this?

Thank for yor help. I really appreciate! ++

crpb

bunker Possible Hosts: domainZ.com autodiscover.domainZ.com record

Trying: domainZ.com

Trying: autodiscover.domainZ.com

Trying: record

->

I guess the DNS-Setup for DomainZ isn't correct.
The third check is a SRV lookup on _autodiscover._tcp.domainZ.com.

A typical SRV record looks like this:
Service: _autodiscover
Protocol: ._tcp
Port Number: 443
Host: mail.contoso.com
Priority: 0
Weight: 0

https://docs.grommunio.com/admin/architecture.html?highlight=autodiscover#rpc-http-mapi-http-ews-workflow
https://learn.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019#autodiscover-in-dns

You said it would be correct but it doesn't seem so.

bunker for other domains. ex: domainZ.com

srv --> autodiscover.tcp.domainZ.com. IN SRV 0 0 443 grommunio.domainA.com
cname --> autodisvcover.domainZ.com --> grommunio.domainA.com

You can check with one of these commands

Windows and Linux
- nslookup -querytype=SRV _autodiscover._tcp.domainZ.com
Linux
- dig SRV _autodiscover._tcp.domainz.com
- host -t SRV _autodiscover._tcp.domainZ.com

crpb

Hey,

those should usually be enough... i guess o_0.. But with (i)phones you never no...

The Redirect-Rule would go on the actual Website of domainA.com and domainB.com.
Just put the Rule at the top of the current one or create a new .htaccess in the Root-Directory. This is in most cases enabled. With some hoster you could also create this rule in some Management-Interface... you probabbly know the drill :P.

An curl -IL domainA.com/Autodiscover/AutoDiscover.xml should then print something like

http/2 302
server: BLAH
date: 545464
content-type xyz.....
location: https://grommunio.domainA.com/Autodiscover/AutoDiscover.xml
.......

You could also put an xml there.. But I personally didn't want to bother with such tasks..

A bit of Information on those mechanisms..
https://learn.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019#autodiscover-in-dns
https://www.msxfaq.de/exchange/autodiscover/autodiscover_dns.htm

There is also the tool gromox-dscli to test the Autodiscovery.
and i have written a little wrapper to make it a bit more usable for myself. Also take a look here for more info.

bunker

I don't understand.

If I did ok and you said that it should be enough.
Why I always have prompt about the certificate? I don't understand how to get rid of it.

I am talking only about outlook No iphone yet..

I dont' understand how the xml files will erase the certifiatce warning.. can you explain the mecanisme more than this?

crpb

bunker

Hey Bunker,

Both Domains? And does Firefox work? Is OCSP maybe Active?

And maybe try my wrapper for that gromox-dscli and post the Output.

EDIT: And also do tell where those Clients are. It doesn't matter where they are or only from a specific location?
There are so many possibilities with such stuff..

EDIT2: I remembered something.. o_9...
Set if possible
autodiscover.domain.tld A to the Webhosting and add an certificate. The Redirect should now definitely be routing to your grommunio.domain.tld-Host..

bunker

I am Sorry but now, i'm quite lost.

Both Domains? And does Firefox work? --> I don't follow you at all... What do you want me to do or test with firefox? Can you explain in detail?

Is OCSP maybe Active? Again I don't know what you talking about..

All clients and/or users are at same location.

EDIT2: I remembered something.. o_9...
Set if possible
autodiscover.domain.tld A to the Webhosting and add an certificate. The Redirect should now definitely be routing to your grommunio.domain.tld-Host.. -> I don't understand what you asking me to do...

here is the wrapper output fomr my main domainA wich runs all ok. No prompt at all on outlook and iphone.

DOMAINA
->
sh testautodiscover.sh

export EMAIL="email@addre.ss" to hide this prompt.

EMAIL: jean@domainA.com

export PASS="SECRET" to hide this prompt.

PASS:
Possible Hosts: domainA.com autodiscover.domainA.com mail4.domainA.com

Trying: domainA.com

Trying: autodiscover.domainA.com

Trying: mail4.domainA.com

========================================================

DomainZ output. The one that does not work. Always prompt for the bad ssl cert. impossible to add in iphone...

Definitely something wrong or missing. Short output..

DOMAINZ
-->
sh testautodiscover.sh

export EMAIL="email@addre.ss" to hide this prompt.

EMAIL: alain@domainZ.com

export PASS="SECRET" to hide this prompt.

PASS:
Possible Hosts: domainZ.com autodiscover.domainZ.com record

Trying: domainZ.com

Trying: autodiscover.domainZ.com

Trying: record

bunker

Big thanks crpd !

I found the mistake in the srv record on domainZ. I can now add it to iphone succesfully.

but still, we get prompt about the SSL cert everytimes we open outlook.

I 'm very sorry for my ignorance. I really appreciate your help.

Can you help me to get rid of this prompt? Where and How can I install a certificat for domainZ ?

crpb

You don't need a certificate for domainZ.com on the Grommunio-Host.
This would make things even more complicated o_0.

How did you add the Account? Did you enter the Hostname yourself and used "domainZ.com"?
If yes, change it to the grommunio.domainA.tld Address. This would fix it.

I don't have an iPhone and i haven't even looked at one in a while. So i'm not certain how it is configured.

bunker

crpb

I really appreciate the fact that you stay with me trying to help again.

here is my explication again..

DomainA is my main domain. most users is under that domainA. Outlook and iphone i working perfectly !

the problem is when I have a user with a diffrent domain. DomainZ.

For a user with domainZ, I have to specify manually hostname at the moment I'm adding the account. it does not detect automticaly like domainA.

To answer your question. Yes I put hosthame manually with domainA.
But it seem that because the user email address is made with domainZ and the certificate of the server is made with DomainA. It always says that cert is not valid all the time. probably because it mismmatch the email addres entered. this is in Outlook. We put iphone on the sidre for now..

How can you add a user with domainZ whitout having a certificat warning from grommunio server hostname that it with domainA?

Again, big THANKS for your help!

bunker

This is the warning I'm talking about. for domainZ

bunker

CRPD sayd; change it to the grommunio.domainA.tld Address. This would fix it.

That's not the case. It did not fix the ssl certificate warning..

Am I the only one who having problem with certificate? It's bad that grommunio is quite hard to setup correctly. I'm a bit dissapointed about that situation..

sbudach

Well… afaiks, in the end grommunio is replying with the certificate from domainA.tld to a request from a client using domainZ.tld - no matter, if you're having a CNAME DNS record, which only the DNS resolver will care about, but Outlook is oblivious to.

Would Outlook just accept this without complaining, spoofing would be too easy, wouldn't it? The only way around this would be to use a reverse proxy in front of Grommunio, where you can server different certs based on SNI, like haproxy or some custom Nginx setup.