From d23384d4d18c4986a34bae66b6f2335cba68eea4 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Thu, 18 Nov 2021 21:21:49 +0100
Subject: [PATCH 1/5] remove some garbage
---
 bundles/dovecot/files/sudors | 1 -
 bundles/letsencrypt/files/hook.sh | 2 --
 bundles/letsencrypt/metadata.py | 2 --
 nodes/netcup.mails.py | 4 ----
 4 files changed, 9 deletions(-)
 delete mode 100644 bundles/dovecot/files/sudors
diff --git a/bundles/dovecot/files/sudors b/bundles/dovecot/files/sudors
deleted file mode 100644
index e48cf33..0000000
--- a/bundles/dovecot/files/sudors
+++ /dev/null
@@ -1 +0,0 @@
-www-data ALL=(ALL) NOPASSWD: /usr/bin/doveadm pw -s ARGON2ID
diff --git a/bundles/letsencrypt/files/hook.sh b/bundles/letsencrypt/files/hook.sh
index 4275eb0..f08509d 100644
--- a/bundles/letsencrypt/files/hook.sh
+++ b/bundles/letsencrypt/files/hook.sh
@@ -9,8 +9,6 @@ deploy_challenge() {
 update add $1.${zone}. 60 IN TXT \"$3\"
 send
 " | tee | nsupdate -y hmac-sha512:${acme_key_name}:${acme_key}
-
- sleep 10
 }
 
 clean_challenge() {
diff --git a/bundles/letsencrypt/metadata.py b/bundles/letsencrypt/metadata.py
index c7caa85..64e7ebb 100644
--- a/bundles/letsencrypt/metadata.py
+++ b/bundles/letsencrypt/metadata.py
@@ -1,5 +1,3 @@
-from ipaddress import ip_interface
-
 defaults = {
 'apt': {
 'packages': {
diff --git a/nodes/netcup.mails.py b/nodes/netcup.mails.py
index 4506b3c..ff13ea6 100644
--- a/nodes/netcup.mails.py
+++ b/nodes/netcup.mails.py
@@ -38,7 +38,6 @@
 'freibrief.net',
 'nadenau.net',
 'naeder.net',
- 'rolfwerner.eu',
 'wettengl.net',
 'wingl.de',
 'woodpipe.de',
@@ -80,10 +79,7 @@
 'freibrief.net',
 'nadenau.net',
 'naeder.net',
- 'rolfwerner.eu',
 'wettengl.net',
- 'wingl.de',
- 'woodpipe.de',
 },
 },
 'rspamd': {
From c66374c9db9abc14c3ae89991734cc8d31f99ce2 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Thu, 18 Nov 2021 21:22:54 +0100
Subject: [PATCH 2/5] add forgotten wiegand.tel domain
---
 nodes/netcup.mails.py | 2 ++
 1 file changed, 2 insertions(+)
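Review bot: With `sleep 10` removed there is no delay at all between the `nsupdate` call and dehydrated's challenge validation, and nothing in the hook confirms the TXT record is actually being served before deploy_challenge returns; if the primary needs a moment to apply the dynamic update, or secondaries have to transfer the zone first, validation will race and fail intermittently. A bounded check loop that queries the authoritative server for the `$1.${zone}.` TXT record until it carries `$3` is more robust than either a fixed sleep or no wait; if a wait is genuinely unnecessary in this setup, a comment such as `# no propagation wait: the update is applied synchronously on the authoritative primary` would stop the next reader from re-adding one. On the unchanged `nsupdate -y hmac-sha512:${acme_key_name}:${acme_key}` line the TSIG secret travels as a command-line argument and is therefore visible in process listings and shell traces; `nsupdate -k <keyfile>` keeps it out of argv. deploy_challenge starts above the hunk, so the variables used here are assumed to be set there.
```shell
# … unchanged: nsupdate pipeline …
# bounded wait until the authoritative server answers with the challenge record
# (<AUTH_NS> is the server the update was sent to; placeholder, set from the hook's config)
for _ in $(seq 1 30); do
    dig +short @<AUTH_NS> "$1.${zone}." TXT | grep -qF "\"$3\"" && break
    sleep 1
done
```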
diff --git a/nodes/netcup.mails.py b/nodes/netcup.mails.py
index ff13ea6..e4c289f 100644
--- a/nodes/netcup.mails.py
+++ b/nodes/netcup.mails.py
@@ -44,6 +44,7 @@
 'ckn.li',
 'islamicstate.eu',
 'hausamsilberberg.de',
+ 'wiegand.tel',
 },
 },
 'dns': {
@@ -80,6 +81,7 @@
 'nadenau.net',
 'naeder.net',
 'wettengl.net',
+ 'wiegand.tel',
 },
 },
 'rspamd': {
From 8b84fe0f0e1c87d67a4a73c5a2050b446d4f9fd7 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Thu, 18 Nov 2021 21:23:05 +0100
Subject: [PATCH 3/5] postfix enable smtps
---
 bundles/postfix/files/master.cf | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/bundles/postfix/files/master.cf b/bundles/postfix/files/master.cf
index f9d8b21..5ed0bbb 100644
--- a/bundles/postfix/files/master.cf
+++ b/bundles/postfix/files/master.cf
@@ -42,14 +42,25 @@ mailman unix - n n - - pipe
 flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
 ${nexthop} ${user}
 submission inet n - y - - smtpd
- -o syslog_name=postfix/submission
- -o smtpd_tls_security_level=encrypt
- -o smtpd_sasl_auth_enable=yes
- -o smtpd_tls_auth_only=yes
- -o smtpd_reject_unlisted_recipient=no
- -o smtpd_client_restrictions=$mua_client_restrictions
- -o smtpd_helo_restrictions=$mua_helo_restrictions
- -o smtpd_sender_restrictions=$mua_sender_restrictions
- -o smtpd_recipient_restrictions=
- -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
- -o milter_macro_daemon_name=ORIGINATING
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_tls_auth_only=yes
+ -o smtpd_reject_unlisted_recipient=no
+ -o smtpd_client_restrictions=$mua_client_restrictions
+ -o smtpd_helo_restrictions=$mua_helo_restrictions
+ -o smtpd_sender_restrictions=$mua_sender_restrictions
+ -o smtpd_recipient_restrictions=
+ -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+smtps inet n - y - - smtpd
+ -o syslog_name=postfix/smtps
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_reject_unlisted_recipient=no
+ -o smtpd_client_restrictions=$mua_client_restrictions
+ -o smtpd_helo_restrictions=$mua_helo_restrictions
+ -o smtpd_sender_restrictions=$mua_sender_restrictions
+ -o smtpd_recipient_restrictions=
+ -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
From 59a598448db7b55020598d119521c23b98f5c068 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Thu, 18 Nov 2021 21:23:37 +0100
Subject: [PATCH 4/5] wiegand.tel dkms
---
 data/dkim/wiegand.tel.privkey.enc | 1 +
 data/dkim/wiegand.tel.pubkey | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 data/dkim/wiegand.tel.privkey.enc
 create mode 100644 data/dkim/wiegand.tel.pubkey
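Review bot: The new service line `smtps inet n - y - - smtpd` names the listener by service name, which Postfix resolves through /etc/services at start-up; on systems whose services file lists port 465 only as `submissions`, master(8) fails with an unknown-service error, so the literal form `465 inet n - y - - smtpd` is the safer spelling — confirm against the target's /etc/services before deploying. The stanza also repeats nine of submission's eleven `-o` lines verbatim and differs only in `smtpd_tls_wrappermode=yes` standing in for `smtpd_tls_security_level=encrypt` and `smtpd_tls_auth_only=yes` (with implicit TLS the session is encrypted before any SASL exchange, so the two dropped options appear moot — worth confirming); a comment on the stanza, e.g. `# smtps: implicit TLS on 465, keep the restriction options identical to submission above`, would keep the two in step the next time the MUA restrictions are touched. The first eleven `+` lines only re-indent the existing submission options.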
diff --git a/data/dkim/wiegand.tel.privkey.enc b/data/dkim/wiegand.tel.privkey.enc
new file mode 100644
index 0000000..174ecdb
--- /dev/null
+++ b/data/dkim/wiegand.tel.privkey.enc
@@ -0,0 +1 @@ +encrypt$gAAAAABhlq_D2jvj7dxi_FGdRARCtVD03iEUWDY3dyX-wzZmc1MlyW4c2hOv-K1FzXzH3Ki9kdniBVtu3V8eewizG7p1eZAwO-hn4mD2WJOV30pHo2_ZLiS8UDCtxDTvAYhNILiCVefZVb_-8RWBpojIhI3MEB7GHbHWuTb6vNFMuS4pGGTMqXRH5HFQOsVxp6ID7vTKL_sRc3hM_wNncGd0Nh02BPMC9JzuGLuVJPBWEfzslPfkmTy_6qN-D-cppFkXcR7aLOWtfOQxPnZy5vZ_3vT5LDSG9B1xjVuFcUXsb8_f0K6gu3pkrjJOsi5_CuJhterC9mYXp0A3vo7AVRFAuZHL0Y7cSb_kmbWGmqCi2-wqHSjnl5jkdLjvT8qWoftdpYt0cIDNkiAOaU9JSf4J6GCK2Ph5ZYZAoSu7jjYrysqjuW3EzfrYFYNGrvWzP3ZLGggMb8aCmwOqDRmeOF859nO2O4_dUpeBSEwvihv8cO5WCgZKm2-niGf_UprmGWtqKOxZ-Oix0DQ4npaf2u65X1xXahXsxJH-UCkymrW7p7qzrLOCH0E0B90HhhL2U4IGMxUtYV0egX2vHg45b1YSnLRg3lQmCk6SUitcrNCWmwTRMilsY-RRcYOQFu3-Z9Pbz3QTLGGOTeFAhi1jqdhP3CObtKRbkhRc8FXABiErrNkAcWYM-SW3lqWAZbVhDewfD0m_uQuEJLDpHFNnqW_xCJiFpC-1RIXBwcGDCCoki0Gto8S1EdsIk-c7taq6F1cR__eXc6E3phIh9C7GignOUnlwlz1qvJ6zKZ5BXeUxI_MlSxZy18KTVjUhxrk4X-p8x4CSVrPR7yi5k9Pr31KdqjUSileb5byZIORkiyh6UCx40ODf98zLJVFF3NxiFRrAGRDFyKQ-bWX2JTGZ0M62CSkFdqM7rA6IenZ0WpVWY4jNu8u8ir-IMgLNP_iQzJGSSXsJn-hMI580fza_dJD8L-A05u0ZcAMcEXAQ7Vs9X3ilCcqQd-vZJIPlIc6lUch_evNBwreRSZ32I5GabVYWLbXKO1wJUi6fIzHmLY_vYNPpF15mDqcMbHcIxyDgua-zFGeK51PI9vHlbgfnDbHdqvXm8hGVI8R5fVFr_CTTqHBXAXkzYTtRd1YgNf4ibbdWyx6Bx0l_Zper21-FHnbjgDLKG9yeKz-5SLIL0F_uY_K4WdEn9UVlC5BP7OS2etk-pFXOgKdJry91jlZ-7NdEwki7mwYYndO_rNCMcjPvmQ1V050dh4kZNOYBHo18roFgojgiJSDYv3CSziXXHUAEiELXnfhssarF7OZ3blM9K6RNSz2vKx4blVifTYhA3zcyLa5vPJyn2zySLHU9u4-E_UDe9lYa7esCJhBhWi1PtqMC8nIJmU-DW3vcb_Jkc7MuKUBIcPLlSiJu5Y7lV469-rztRbj6BaNJQCtXgYii8dZgeA5GsUSc6ofwWKgmA7aCdL5xcQWYlQ7nho0HNapSjqe7uh3fwLxud2BExfJRd9T2HWScoZ77qbRuHn4zp5fdZQD26fbmMgMVpP7PjB1pBXOnmVIyJBXqN2KhemRYul9RL7YjeuydFgM-Ek8II0WdZf0S0dbzjRmLNHz8hoVwHV18V7yTXazx6vYTIzrhQlcY8Q91VyuYuA8EV-AbdM5WxFKCUr4NDSOrJzCXray0HjD2YY_MdqRbD3-IdQGqm5LM9yHq9YqVskGc1HU0eA_jt-Sst7YclyfZl01LvG_tvg-rz1eCAO8rzGt5M_x7FJZdxKrQW8L_fyONtPhgdzYg6aYToKZhsN8iR-mFbsfJ8097H3KVtfmXPijrdiJRCrhkp-0MGhS8WHUplbhlxXyxgzzaXkTdTWp4pEc4ei6YpZ_f6IVBKKRlFVlsua-0J9PbZVFAX2D_tUMFI5NlwLoKHUm7WNFBypRULdp6xiW8fDboZi6daZ8kCQRNbhqgZRxZQs1Wy5OH6
yZxBJC1J6sY38n36Y6UP_xLYUnAlaHITu2dyIShvpRgZQCDYxeWv8oaJxodFiGpJaMOBukozz4sVL_-dBIQxK9_oGTyE-5wPo_5ad-fuhd2lnCYDtWhDhSNaKrk0yMRhFgRNAQzMFBKPibUvpLX5NGek8VcP5KRO3dbLB8Q3QacjWe2CI3Y16Ix1HqPCAZ1j79A-LmowoYq7qhTUHoVYJ4zf2Jd2zeuaMjdpZ4Bej0Be6dJNpZBsolXQl-QJPlw08ZUf1HbP-XhT0URcVQt9reAHU-G77rJVSo30OrrsDRjNxvh0LVnzrvaeFdtEl6rKh_Qtli6vNDBOCk1hNre6cKDgjCy-O-rOKdOwmBueXI5tEJMNaFLOoX29elGTHE= \ No newline at end of file diff --git a/data/dkim/wiegand.tel.pubkey b/data/dkim/wiegand.tel.pubkey new file mode 100644 index 0000000..956733e --- /dev/null +++ b/data/dkim/wiegand.tel.pubkey @@ -0,0 +1 @@ +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxvB69VOHK0vJ0yumq5TR9/29N0PQiZj4HQJ1hMdQGuwt3zozDR7vvgINJ5lJo8NXcZEJtbRbkIEJLJFvMiGfALNYU/Lcgpfc0bfCgWgwsvFe2P8JrcxSDf0M0eEV/k78agXVn75b5eWDCPPSm16XqjK8RlNz3LJo7ENkVAZshPg4mRm039ejAFmKKCirfzw3l4uZak9czSQxlLmOd503uiu0ljlguwHoNRX2FLSi77mdDYQl16BtHgu96fJL0ruiokfyuBi0Ves1LX2Fc4KQIzk1cgEt/dSZvQBkvYH/idR48rVgOT+lGyT30y2VbyFK0rCSft8tcC7HDoqYi2zJQQIDAQAB \ No newline at end of file From 8cfa3575f8b44f7c76b52455aaa9739963231ea5 Mon Sep 17 00:00:00 2001 From: mwiegand Date: Thu, 18 Nov 2021 21:23:56 +0100 Subject: [PATCH 5/5] mailserver-autoconfig --- bundles/mailserver-autoconfig/README.md | 3 + .../files/autodiscover.php | 83 +++++++++++++++++++ .../files/config-v1.1.xml | 57 +++++++++++++ bundles/mailserver-autoconfig/items.py | 16 ++++ bundles/mailserver-autoconfig/metadata.py | 78 +++++++++++++++++ data/mailserver-autodiscover/vhost.conf | 16 ++++ groups/applications/mailserver.py | 1 + 7 files changed, 254 insertions(+) create mode 100644 bundles/mailserver-autoconfig/README.md create mode 100644 bundles/mailserver-autoconfig/files/autodiscover.php create mode 100644 bundles/mailserver-autoconfig/files/config-v1.1.xml create mode 100644 bundles/mailserver-autoconfig/items.py create mode 100644 bundles/mailserver-autoconfig/metadata.py create mode 100644 data/mailserver-autodiscover/vhost.conf 
diff --git a/bundles/mailserver-autoconfig/README.md b/bundles/mailserver-autoconfig/README.md new file mode 100644 index 0000000..38bf776 --- /dev/null +++ b/bundles/mailserver-autoconfig/README.md @@ -0,0 +1,3 @@ +test autodiscover.php: + +`curl -X POST https://autoconfig.mail.example.com/Autodiscover/Autodiscover.xml -d 'test@example.com'` diff --git a/bundles/mailserver-autoconfig/files/autodiscover.php b/bundles/mailserver-autoconfig/files/autodiscover.php new file mode 100644 index 0000000..1134fac --- /dev/null +++ b/bundles/mailserver-autoconfig/files/autodiscover.php @@ -0,0 +1,83 @@ +(.*?)\<\/EMailAddress\>/", $request, $email ); + +// check for invalid mail, to prevent XSS +if (filter_var($email[1], FILTER_VALIDATE_EMAIL) === false) { + throw new Exception('Invalid E-Mail provided'); +} + +// get domain from email address +$domain = substr( strrchr( $email[1], "@" ), 1 ); + +/************************************** + * Port and server settings below * + **************************************/ + +// IMAP settings +$imapServer = 'imap.' . $domain; // imap.example.com +$imapPort = 993; +$imapSSL = true; + +// SMTP settings +$smtpServer = 'smtp.' . $domain; // smtp.example.com +$smtpPort = 587; +$smtpSSL = true; + +//set Content-Type +header( 'Content-Type: application/xml' ); +?> +'; ?> + + + + email + settings + + + IMAP + + + off + + off + + on + + + SMTP + + + off + + off + + on + on + on + + + + diff --git a/bundles/mailserver-autoconfig/files/config-v1.1.xml b/bundles/mailserver-autoconfig/files/config-v1.1.xml new file mode 100644 index 0000000..a044635 --- /dev/null +++ b/bundles/mailserver-autoconfig/files/config-v1.1.xml 
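Review bot: In autodiscover.php, `$email[1]` is passed to `filter_var(...)` and later to `strrchr(...)` without checking that `preg_match(...)` matched at all, so a POST body with no `EMailAddress` element trips an undefined-index notice before the exception, and the uncaught `throw new Exception('Invalid E-Mail provided')` becomes an HTTP 500 whose body depends on `display_errors`; folding the match result into the guard and failing closed with a 400 is cleaner: `if (!preg_match(<pattern>, $request, $email) || filter_var($email[1], FILTER_VALIDATE_EMAIL) === false) { http_response_code(400); exit('Invalid E-Mail provided'); }`. The bigger issue is that `$domain` is taken from the client and echoed back as `'imap.' . $domain` / `'smtp.' . $domain`, so the endpoint answers for any domain whatsoever, whereas the accompanying config-v1.1.xml pins every host to `${mailserver}` and nothing in this series creates `imap.`/`smtp.` records for the hosted domains; restricting `$domain` to the node's served domains and pointing at the fixed mail host (both can be handed in through the item's Mako context, as items.py already does for the XML) would make the two answers agree. The lines that assign `$request` and the whole XML body were lost in extraction (tags stripped), so only the PHP prelude is reviewable here; the README hunk is documentation only.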
@@ -0,0 +1,57 @@ + + + + + + + + ${mailserver} + ${mailserver} + ${mailserver} + + + + + ${mailserver} + 993 + SSL + password-cleartext + %EMAILADDRESS% + + + + ${mailserver} + 143 + STARTTLS + password-cleartext + %EMAILADDRESS% + + + + + + ${mailserver} + 465 + SSL + password-cleartext + %EMAILADDRESS% + + + + ${mailserver} + 587 + STARTTLS + password-cleartext + %EMAILADDRESS% + + + + + + Configure Thunderbird 2.0 for IMAP + Thunderbird 2.0 mit IMAP konfigurieren + + + + + diff --git a/bundles/mailserver-autoconfig/items.py b/bundles/mailserver-autoconfig/items.py new file mode 100644 index 0000000..8dd667c --- /dev/null +++ b/bundles/mailserver-autoconfig/items.py @@ -0,0 +1,16 @@ +autoconfig_hostname = node.metadata.get('mailserver/autoconfig_hostname') + +files = { + f'/var/www/{autoconfig_hostname}/mail/config-v1.1.xml': { + 'content_type': 'mako', + 'context': { + 'mailserver': node.metadata.get('mailserver/hostname'), + 'autoconfig': autoconfig_hostname, + }, + 'owner': 'www-data', + }, + f'/var/www/{autoconfig_hostname}/autodiscover/autodiscover.php': { + 'content_type': 'mako', + 'owner': 'www-data', + }, +} diff --git a/bundles/mailserver-autoconfig/metadata.py b/bundles/mailserver-autoconfig/metadata.py new file mode 100644 index 0000000..b943c74 --- /dev/null +++ b/bundles/mailserver-autoconfig/metadata.py 
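Review bot: In items.py both files are created with `'owner': 'www-data'`, which is the user the PHP handler itself runs as, so the process that serves the autodiscover answer can also rewrite the script and the Thunderbird XML; mail-client configuration is exactly the kind of file that should not be writable by the web server, because whoever controls that process then controls where every client sends its credentials. nginx and php-fpm only need read access, so root ownership with world-readable mode is sufficient: `'owner': 'root',` `'group': 'www-data',` `'mode': '0644',` on both entries (these are standard BundleWrap file attributes). The `autodiscover.php` entry is also rendered with `'content_type': 'mako'` but no `context`; the visible PHP contains no Mako placeholders, so either a comment stating why it goes through Mako or `'content_type': 'text'` would prevent a future `${...}` in the PHP from being silently expanded at deploy time. The config-v1.1.xml hunk is not reviewable here — the extraction stripped its tags — beyond noting that it consistently uses `${mailserver}` for every host.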
@@ -0,0 +1,78 @@
+defaults = {}
+
+
+@metadata_reactor.provides(
+ 'mailserver/autoconfig_hostname',
+)
+def hostname(metadata):
+ return {
+ 'mailserver': {
+ 'autoconfig_hostname': f"autoconfig.{metadata.get('mailserver/hostname')}",
+ },
+ }
+
+
+@metadata_reactor.provides(
+ 'nginx/vhosts',
+)
+def nginx(metadata):
+ return {
+ 'nginx': {
+ 'vhosts': {
+ metadata.get('mailserver/autoconfig_hostname'): {
+ 'content': 'mailserver-autodiscover/vhost.conf',
+ 'context': {
+ 'root': f"/var/www/{metadata.get('mailserver/autoconfig_hostname')}",
+ },
+ },
+ },
+ },
+ }
+
+
+@metadata_reactor.provides(
+ 'letsencrypt/domains',
+)
+def letsencrypt(metadata):
+ return {
+ 'letsencrypt': {
+ 'domains': {
+ metadata.get('mailserver/autoconfig_hostname'): {
+ 'aliases': {
+ *{
+ f'autoconfig.{domain}'
+ for domain in metadata.get('mailserver/domains')
+ },
+ *{
+ f'autodiscover.{domain}'
+ for domain in metadata.get('mailserver/domains')
+ },
+ },
+ },
+ },
+ },
+ }
+
+
+@metadata_reactor.provides(
+ 'dns',
+)
+def autoconfig(metadata):
+ dns = {}
+
+ for domain in metadata.get('mailserver/domains'):
+ dns.update({
+ f'autoconfig.{domain}': {
+ 'CNAME': {f"{metadata.get('mailserver/autoconfig_hostname')}."},
+ },
+ f'_autodiscover._tcp.{domain}': {
+ 'SRV': {f"10 10 443 {metadata.get('mailserver/autoconfig_hostname')}."},
+ },
+ f'autodiscover.{domain}': {
+ 'CNAME': {f"{metadata.get('mailserver/autoconfig_hostname')}."},
+ },
+ })
+
+ return {
+ 'dns': dns,
+ }
diff --git a/data/mailserver-autodiscover/vhost.conf b/data/mailserver-autodiscover/vhost.conf
new file mode 100644
index 0000000..12f36a9
--- /dev/null
+++ b/data/mailserver-autodiscover/vhost.conf
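Review bot: The `nginx` reactor registers the vhost only under `mailserver/autoconfig_hostname` and passes nothing but `root` in its context, while the `letsencrypt` reactor requests the certificate with `autoconfig.<domain>` and `autodiscover.<domain>` aliases for every hosted domain; clients follow the CNAMEs created in `autoconfig` but still send the Host header `autoconfig.<domain>`, so unless the nginx bundle (not visible here) derives extra `server_name` entries from the letsencrypt aliases or makes this the default server on 443, those requests land on a different vhost and certificate. I would either hand the same alias set to the vhost entry (under whatever key the nginx bundle uses for additional server names — placeholder `'<aliases-key>'`) or put a comment above `def nginx` stating that server_name is derived elsewhere from the letsencrypt aliases. As a point of style, `autoconfig` evaluates `metadata.get('mailserver/autoconfig_hostname')` three times per domain; hoisting the dotted target into one local is shorter and guarantees the CNAME and SRV records can never disagree.
```python
def autoconfig(metadata):
    # single absolute (trailing-dot) target shared by every CNAME/SRV below
    target = f"{metadata.get('mailserver/autoconfig_hostname')}."
    dns = {}

    for domain in metadata.get('mailserver/domains'):
        dns.update({
            f'autoconfig.{domain}': {'CNAME': {target}},
            f'_autodiscover._tcp.{domain}': {'SRV': {f'10 10 443 {target}'}},
            f'autodiscover.{domain}': {'CNAME': {target}},
        })

    # … unchanged: return {'dns': dns} …
```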
@@ -0,0 +1,16 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ${server_name};
+
+ ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+
+ root ${root};
+
+ location ~ /(?:a|A)utodiscover/(?:a|A)utodiscover.xml {
+ try_files /autodiscover/autodiscover.php =404;
+ fastcgi_pass php-handler;
+ include fastcgi.conf;
+ }
+}
diff --git a/groups/applications/mailserver.py b/groups/applications/mailserver.py
index 8025893..f37cfbc 100644
--- a/groups/applications/mailserver.py
+++ b/groups/applications/mailserver.py
@@ -4,6 +4,7 @@
 'dovecot',
 'letsencrypt',
 'mailserver',
+ 'mailserver-autoconfig',
 'nginx',
 'php',
 'postfix',
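Review bot: The only PHP-aware location is the `autodiscover.xml` regex, so a direct request for `/autodiscover/autodiscover.php` falls through to the static `root ${root};` handler and nginx serves the script's source as a plain file; it holds no secrets today, but source disclosure is a defect in its own right and a guard such as `location ~ \.php$ { return 404; }` (placed after the autodiscover block) closes it. The regex itself, `~ /(?:a|A)utodiscover/(?:a|A)utodiscover.xml`, is unanchored and leaves the dot unescaped; `~* ^/autodiscover/autodiscover\.xml$` says the same thing, matches the capitalisations clients actually use, and cannot match an unrelated longer path. The groups/applications/mailserver.py hunk only adds the bundle to the group.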