From 95e06087494cb28e4a40c68147bcf148b825d231 Mon Sep 17 00:00:00 2001
From: Markku Post
Date: Thu, 23 Oct 2025 00:27:13 +0300
Subject: [PATCH] [Web] Disable login on autodiscover/autoconfig domains

Autodiscover and autoconfig domains (autodiscover.*, autoconfig.*) are intended solely for client autoconfiguration endpoints and should not display the mailcow login page. This change check the hostname and disables unauthenticated users from seeing the login page on those domains; HTTP 404 response is returned when necessary.
---
 data/web/index.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/data/web/index.php b/data/web/index.php
index d4fa46e74..a1ff9310f 100644
--- a/data/web/index.php
+++ b/data/web/index.php
@@ -27,6 +27,12 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
   exit();
 }
 
+$host = strtolower($_SERVER['HTTP_HOST'] ?? '');
+if (str_starts_with($host, 'autodiscover.') || str_starts_with($host, 'autoconfig.')) {
+  http_response_code(404);
+  exit();
+}
+
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/header.inc.php';
 $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
 $_SESSION['index_query_string'] = $_SERVER['QUERY_STRING'];
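Review bot: The new gate keys off `$_SERVER['HTTP_HOST']`, which is the Host header the client sends, so it hides the login page from well-behaved clients but is not an access boundary: a client that reaches the same PHP backend through the autodiscover/autoconfig vhost can present a different Host value and still receive the login page, and the check only covers index.php, leaving other scripts in the same document root served on those vhosts unless the web server restricts them. The authoritative place for the restriction is the web server's autodiscover/autoconfig server block (answer 404 for everything except the autoconfiguration endpoints); if that server passes the matched vhost name as `SERVER_NAME`, it is a more trustworthy input than `HTTP_HOST` here, which is worth confirming against the nginx configuration. Keep this block as a UX fallback and label it so a later reader does not take it for enforcement, e.g. `// Cosmetic guard only: HTTP_HOST is client-supplied; the web server config must be the authoritative restriction for autodiscover/autoconfig vhosts.`. Note also that the `elseif` chain above (its start is outside the hunk) exits before this check for a request carrying an authenticated `mailcow_cc_role` session, so such sessions never see the 404; if that ordering is intentional, a one-line comment saying so would help.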