
  • Status: Solved
  • Priority: Medium
  • Security: Public

Hosted Exchange issues Autodiscover and redirect

G'day guys,

I spent a while on the phone to the hosted exchange provider trying to resolve this but he could not.

Basically what happens is that I have a bunch of clients who use Hosted Exchange services. Now most clients use me or some other 3rd party to host their websites, DNS, etc but I generally like to move every client to Hosted Exchange because I just can't compete and it means it becomes someone else's responsibility to make sure that it is up and running 24/7.

Now this works fine, up until the following scenario.

Joe Bloggs has a domain called joebloggs.com

Website is hosted with me. DNS management is with my hosting provider, along with domain registration.
IP of the server is (this is a shared cPanel server, I'm just one of the resellers on this server).

I use Hosted Exchange through iiNet - https://iihelp.iinet.net.au/DNS_records_for_Hosted_Exchange
Followed the DNS records to the letter.

So for the DNS I would have something like this:

joebloggs.com. 14400 A
www.joebloggs.com. 14400 CNAME joebloggs.com.

joebloggs.com. 14400 MX 10 smtp.exchange.iinet.net.au.
autodiscover.joebloggs.com. 14400 CNAME autodiscvr.exchange.iinet.net.au.
webmail.joebloggs.com. 14400 CNAME exchange.iinet.net.au
joebloggs.com 14400 TXT "v=spf1 redirect=exchange.iinet.net.au"

Now my issues are these:

1) When configuring Outlook or similar to connect through using the Autodiscover feature it always complains that the SSL Certificate is wrong - it picks up the SSL Certificate in use at (keep in mind it is shared hosting so that could be anything)

2) If I try to use the webmail.joebloggs.com in the URL bar, it will error with a certificate issue because it clearly doesn't match the name attributed to the exchange.iinet.net.au

So my question(s) are these:

1) How do I fix the autodiscover so that rather than picking up the SSL certificate used at it picks up the certificate used at the Hosted Exchange provider??

2) How do I set up a tailored DNS record like webmail.joebloggs.com to redirect me without causing an SSL Certificate issue? I'm happy for the URL to change, I just want my clients to type in something familiar to them.

Thanks in advance.

Steven Swarts
1 Solution
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Instead of using a CNAME record for autodiscover, use an SRV record.  That should resolve the SSL cert error for that part.

Create that record as follows:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: autodiscvr.exchange.iinet.net.au
Weight: 0
Priority: 0

Also make sure that your DNS Zone doesn't have any wildcard "*" A or CNAME records.

For the webmail issue, you can use a redirect instead of a CNAME.  The URL will change in the user's browser, but at least it won't have the SSL error.  Configure a redirect in cPanel > Domains > Redirects
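
An added example, not part of any post in this thread, modelling why the CNAME still fails certificate validation while the SRV record and the redirect do not: the client validates the name it asked for, not the CNAME target. The SAN lists and the shared-host certificate name are constructed assumptions, and the plain-HTTP redirect lookup that Outlook also tries is left out.

```python
# Added example. Records mirror the thread; certificate SAN lists are constructed.
CNAMES = {
    "autodiscover.joebloggs.com": "autodiscvr.exchange.iinet.net.au",
    "webmail.joebloggs.com": "exchange.iinet.net.au",
}
SRV = {"_autodiscover._tcp.joebloggs.com": "autodiscvr.exchange.iinet.net.au"}
EXCHANGE_SANS = ["exchange.iinet.net.au", "*.exchange.iinet.net.au"]  # assumed
CERTS = {  # certificate served by the host each name finally resolves to
    "joebloggs.com": ["*.sharedhost.example"],  # shared cPanel box, assumed
    "autodiscvr.exchange.iinet.net.au": EXCHANGE_SANS,
    "exchange.iinet.net.au": EXCHANGE_SANS,
}

def san_matches(hostname, san):
    """Exact match, or a wildcard standing in for exactly one left-most label."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return host == san

def cert_valid_for(hostname, sans):
    return any(san_matches(hostname, s) for s in sans)

def resolve(name, cnames):
    """Follow CNAMEs to the serving host. TLS never sees this indirection."""
    seen = set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    return name

def check_autodiscover(domain, cnames, srv, certs):
    """Map each lookup to (name the client validates, does the cert cover it)."""
    asked = {"root": domain, "autodiscover-host": "autodiscover." + domain}
    target = srv.get("_autodiscover._tcp." + domain)
    if target:
        asked["srv"] = target  # client connects to the SRV target by its own name
    result = {}
    for step, name in asked.items():
        server = resolve(name, cnames)
        if server in certs:
            # The cert comes from `server`, but is checked against `name`.
            result[step] = (name, cert_valid_for(name, certs[server]))
    return result

if __name__ == "__main__":
    for step, (name, ok) in check_autodiscover("joebloggs.com", CNAMES, SRV, CERTS).items():
        print(f"{step:18} validates {name:34} -> {'ok' if ok else 'MISMATCH'}")
```
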
Raghu Addanki Commented:
That's by design. It checks www or domain.com first and then moves on to discover an Autodiscover record.

That is why you see invalid or failed lookup wrt SSL.

I am currently driving, and if no one else helps you with how it works and how to correct the records, I will do so in the next 3 hours.

But you get a good grip on it here meanwhile:

FOX, Active Directory/Exchange Engineer, Commented:
I hope it is not throwing an error because of your typo

autodiscover.joebloggs.com. 14400 CNAME autodiscvr.exchange.iinet.net.au. << Do you intentionally have the o missing in autodiscover in your CNAME?

sjswarts, Author, Commented:
@foxluv if you look at the link provided by iiNet (Hosted Exchange Provider) they have it set like that for whatever reason.

Also it's missing more than just the o :p
sjswarts, Author, Commented:
@Jeffrey Kane

You seem to be on the right track. I was sure that I read somewhere today that I shouldn't use SRV records, but maybe that is only when you have an SSL certificate for autodiscover.domain.com - https://www.reddit.com/r/exchangeserver/comments/3qm2l8/autodiscoverdomaincom_is_getting_ssl_certificate/

As it stands I've removed the autodiscover and replaced it with this (keep in mind this is cPanel so it's a little different)

_autodiscover._tcp 3600 0 0 443 autodiscvr.exchange.iinet.net.au.

cPanel SRV vs CNAME autodiscover
Attached is a screen shot of my options and also what I originally had.

However when I do this it still doesn't autodiscover correctly on my Android phone (might work on others). What I mean is that it correctly asks me if it should use the found SRV record pointing to autodiscover.exchange.iinet.net.au but then it doesn't populate the server field correctly, which obviously fails because it fills it with joebloggs.com rather than exchange.iinet.net.au.

I am fixing my Outlook to try it locally at my office so I will report back with any findings.

As for the redirects, that does work. However I found that you missed a step: first you need to create a subdomain and then you have the option to redirect that subdomain. For our example:

Create subdomain webmail.joebloggs.com

Redirect webmail.joebloggs.com permanently (301) to exchange.iinet.net.au

Then it works beautifully. Is this what you meant? Be nice if that extra step wasn't there.
sjswarts, Author, Commented:
@Raghu Addanki

Thanks for that article. I presumed that was the case.

I guess the only way it is possible for me to resolve this then is to get my clients to buy a dedicated IP for their public website?? Make sure they don't utilise SSL certificate OR have a current one??

A shared IP (which is commonly used for cheap website hosting) appears to cause this issue.
Raghu Addanki Commented:
Perfect sjswarts!
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Make sure they don't utilise SSL certificate OR have a current one??

No, you missed a fine point in that article -- you want to make sure that if you do have an SSL certificate on your public web site that it includes the ROOT (ie, joebloggs.com) as well as www.joebloggs.com.  Then it won't throw a certificate error.
sjswarts, Author, Commented:
@Jeffrey - don't all www certificates automatically secure root domains?

For example:

Buy 2 year SSL Certificate for www.joebloggs.com and it covers both https://www.joebloggs.com and https://joebloggs.com

Although I presume that this is not the case for any other subdomains.
sjswarts, Author, Commented:
@Jeffrey why doesn't the SRV record work to configure autocomplete properly?

I noticed that if I only have the SRV record it fills the "Server" section on my Android device with "joebloggs.com".

But if I use the autodiscover A record it fills it just fine and works like a charm, of course not if there isn't a dedicated IP for the public website or a current SSL certificate.
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Unfortunately this seems to be a problem with Android: https://goo.gl/cLPjqZ

But when creating the autodiscover record in cPanel be sure that the Name field has the following:

I just tested creating one in cPanel and it actually added the domain name automatically after I entered the _autodiscover._tcp. part
sjswarts, Author, Commented:
Hmmm interesting find.

I'll have to investigate further, but thanks for the heads up.
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
author abandoned
