
Experience replacing Microsoft Outlook with Mozilla Thunderbird against an Exchange Server

Task


There is a company running Windows servers: DNS, WINS, Active Directory, a CA and Exchange are deployed. Office is installed on user workstations, with Outlook used for information exchange, since there is no direct connection between departments and the ability to write to removable media is heavily restricted. Everything is licensed. A fairly typical situation for a medium-sized company.

To save on licensing costs, the question arose of an adequate replacement for one Microsoft Office component, Outlook. Outlook has many advantages: pass-through (single sign-on) authentication, a convenient and intuitive interface, automatic archiving, and flexible, full integration with Exchange, including dynamic address books, shared folders and so on. Replacing such a product without losing functionality is quite difficult.

Implementation


After some comparison, Mozilla Thunderbird (version 31 at the time of writing) was chosen as the alternative client: a free, open-source project that supports IMAP and an LDAP address book and can be extended with add-ons.

Password

The password is stored inside the client and can be viewed in its settings. Yes, this weakens security, but Thunderbird mail users have guest domain accounts and are not administrators on their local computers. In addition, a centralized configuration is planned in which viewing the saved password will be blocked. This was considered acceptable.
Mail account

Thunderbird does not work correctly with Windows logins written in Cyrillic. Therefore the domain logins of Thunderbird users must first be renamed to a Latin equivalent. It is recommended to make the login identical to the local part of the mail address, which simplifies setup, although this is not required; if the host is domain-joined it does not matter at all.

The Exchange server has IIS for accessing mail through a web interface, Outlook Web Access. It is a handy thing for remote work with mail, provided that mail is kept on the server for some period. But the inability to archive mail from the browser does not allow this mode of operation to be made permanent, because the Exchange server's hardware resources are not unlimited and it is not intended for long-term storage. Thunderbird has several mechanisms that help set up an account. The simplest is DNS autoconfig: create an alias (CNAME) pointing at the Exchange server, autoconfig.company.loc, and on that server create a mail folder in IIS containing the file config-v1.1.xml (Thunderbird requests http://autoconfig.company.loc/mail/config-v1.1.xml). The content of the file is quite simple and is described on the Mozilla website. In my case it turned out like this:

<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="company.loc">
    <domain>company.loc</domain>
    <displayName>Company Exchange Server</displayName>
    <displayShortName>Company e-mail</displayShortName>
    <incomingServer type="imap">
      <hostname>mail.company.loc</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>NTLM</authentication>
      <username>%EMAILLOCALPART%</username>
    </incomingServer>
    <incomingServer type="imap">
      <hostname>mail.company.loc</hostname>
      <port>143</port>
      <socketType>STARTTLS</socketType>
      <authentication>NTLM</authentication>
      <username>%EMAILLOCALPART%</username>
    </incomingServer>
    <incomingServer type="pop3">
      <hostname>mail.company.loc</hostname>
      <port>995</port>
      <socketType>SSL</socketType>
      <authentication>NTLM</authentication>
      <username>%EMAILLOCALPART%</username>
      <pop3>
        <leaveMessagesOnServer>true</leaveMessagesOnServer>
        <downloadOnBiff>true</downloadOnBiff>
        <daysToLeaveMessagesOnServer>14</daysToLeaveMessagesOnServer>
      </pop3>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.company.loc</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>NTLM</authentication>
      <username>%EMAILLOCALPART%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>


In IIS this mail folder should be made a virtual directory with the "Require SSL" option explicitly disabled for it, because the client fetches the autoconfig file over plain HTTP.

It is worth mentioning that for us, as for many, the domain name visible from outside differs from the name of the local domain inside the perimeter, yet mail should be addressed the same way everywhere. Therefore Exchange accounts have two addresses, external and internal, with the external one used by default (Exchange can also use different DNS servers for internal and external forwarding). Hence a subtlety: the user addresses in the settings are the external ones, so only the local part, %EMAILLOCALPART%, is used as the user name. In addition, the autoconfig alias (CNAME) must also be created in the copy of the external domain zone hosted on the local DNS.
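To check an autoconfig file before publishing it, the following added Python example (not from the article) parses a config-v1.1.xml document, expands the %EMAILLOCALPART% placeholder the way the client does, and flags any server entry that would send credentials without transport encryption. The embedded document is a constructed variant of the one above in which the second IMAP entry is deliberately weakened so the check has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the article's file verbatim): same structure, but the
# second IMAP entry is deliberately weakened so weak_entries() has something to flag.
AUTOCONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="company.loc">
    <domain>company.loc</domain>
    <incomingServer type="imap">
      <hostname>mail.company.loc</hostname><port>993</port>
      <socketType>SSL</socketType><authentication>NTLM</authentication>
      <username>%EMAILLOCALPART%</username>
    </incomingServer>
    <incomingServer type="imap">
      <hostname>mail.company.loc</hostname><port>143</port>
      <socketType>plain</socketType><authentication>password-cleartext</authentication>
      <username>%EMAILLOCALPART%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.company.loc</hostname><port>587</port>
      <socketType>STARTTLS</socketType><authentication>NTLM</authentication>
      <username>%EMAILLOCALPART%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

def parse_servers(xml_text, email):
    """One dict per server entry, with %EMAILLOCALPART% / %EMAILADDRESS% expanded."""
    local_part = email.partition("@")[0]
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "clientConfig" or root.get("version") != "1.1":
        raise ValueError("not a clientConfig v1.1 document")
    servers = []
    for el in root.iter():
        if el.tag not in ("incomingServer", "outgoingServer"):
            continue
        text = lambda name: (el.findtext(name) or "").strip()
        user = (text("username").replace("%EMAILLOCALPART%", local_part)
                                .replace("%EMAILADDRESS%", email))
        servers.append({"role": el.tag, "type": el.get("type"), "host": text("hostname"),
                        "port": int(text("port")), "socket": text("socketType"),
                        "auth": text("authentication"), "user": user})
    return servers

def weak_entries(servers):
    """Entries that expose credentials: no transport encryption (socketType is one of
    plain, SSL, STARTTLS in this format) or a cleartext password mechanism."""
    return [s for s in servers
            if s["socket"] not in ("SSL", "STARTTLS") or s["auth"] == "password-cleartext"]
```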

As can be seen, I decided to offer two types of access to mail: IMAP and POP3. Occasionally there are very active users with a very large volume of mail. If such a user reads mail nowhere except on the PC at their workplace (not forgetting OWA), then with Outlook local folders are created and assigned as the primary ones for all accounts. All mail is thus removed from the Exchange server and stored directly on the user's PC, which needs no additional archiving but ties the user to that PC and increases the chance of losing mail if the hard disk fails. Otherwise, individual quota settings on Exchange are required for such users, which I try to avoid by every means. But you cannot foresee everything, so for Thunderbird I also left the option of simple POP3 access. Frankly, it has not been needed yet.

All this allows the desired access method to be selected quickly when setting up an account in Thunderbird. If the host is in the AD domain, it is nevertheless better to adjust the account by selecting the "Kerberos / GSSAPI" authentication method and not entering a password in the form.

Access to Exchange via IMAP and POP3 is very easy to set up and needs no special consideration. The only extra step is to configure a certificate whose subject names cover the server names used by the connectors. The SMTP connector with TLS on Exchange 2007 also needed some additional configuration:

Get-ReceiveConnector "Client TLS" | Add-ADPermission -User "authenticated users" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

Without it, Thunderbird could not send via SMTP: the connection was rejected as unauthorized.

Profile and certificate

The first launch of a freshly installed Thunderbird client is done with the -p switch, which opens the Profile Manager so that the location of the mail profile can be chosen. By default the mail profile is created on the system partition, which is unacceptable for us. The Profile Manager allows a folder on the user's partition to be chosen for storing the Thunderbird profile (in our case d:\Mail). First make sure the user has permission to modify this folder (NTFS permissions).

"c:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe" -p

It is worth recalling that the command must be run in the user's context, not an administrative one. There have been precedents.

The first step in configuring the running client is to decline the wizard's suggestions and add the organization's root certificate to Thunderbird, because Thunderbird, for some reason, does not use the system certificate store.

LDAP Address Book

Next, the LDAP address book must be configured. There is a lot of material on this topic on the Internet, but I did not find a single complete document with adequate parameters, so here is my own.

1. Open the Address Book window.
2. Go to Tools -> Options -> Composition -> Addressing and tick Directory Server.

The Microsoft Exchange Global Addressbook and Contacts entries visible in the screenshot are due to the ExQuilla add-on that was under test, which connects to Exchange over HTTP. The result: performance is unsatisfactory with a large volume of mail.

3. Now create the LDAP connection itself:

Everything is obvious. Non-SSL port: 3268 (the Global Catalog port). Keep in mind that an SSL configuration works noticeably slower.

Next, switch to the Advanced tab:

Here it must be said that the number of displayed results was chosen based on the number of Exchange CALs, plus Active Directory contacts and groups, with a small margin. For the authentication method it is better to select "Simple" if the PC is not in the AD domain; otherwise I recommend Kerberos (GSSAPI), in which case the user name must be cleared on the "Basic" tab.

About the filter, the most interesting part. I use dynamic distribution lists in Exchange; in addition there are many temporarily or permanently disabled accounts in Active Directory, some accounts are hidden from the address book for various reasons, and there are contacts. This results in the following filter:

(&(mailnickname=*)(|(objectcategory=person)(objectclass=msExchDynamicDistributionList))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(msExchHideFromAddressLists=TRUE)))
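As an added illustration (not from the article), the following Python predicate mirrors the filter's logic, including the bitwise-AND matching rule on userAccountControl, against a constructed set of directory entries. Attribute values are simplified: real AD returns objectCategory as a schema DN that LDAP matches by its short name, and the entries are invented for the demonstration.

```python
# Constructed Active Directory-like entries (simplified; objectcategory is a plain
# name here, whereas AD stores the schema DN and resolves "person" to it).
ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by matching rule 1.2.840.113556.1.4.803

DIRECTORY = [
    {"cn": "Ivanov", "mailnickname": "ivanov", "objectcategory": "person",
     "objectclass": ["top", "person", "user"], "userAccountControl": 0x200},
    {"cn": "Petrov (disabled)", "mailnickname": "petrov", "objectcategory": "person",
     "objectclass": ["top", "person", "user"], "userAccountControl": 0x200 | ACCOUNTDISABLE},
    {"cn": "Sidorov (hidden)", "mailnickname": "sidorov", "objectcategory": "person",
     "objectclass": ["top", "person", "user"], "userAccountControl": 0x200,
     "msExchHideFromAddressLists": "TRUE"},
    {"cn": "All Staff", "mailnickname": "allstaff", "objectcategory": "msExchDynamicDistributionList",
     "objectclass": ["top", "msExchDynamicDistributionList"]},
    {"cn": "Partner (contact)", "mailnickname": "partner", "objectcategory": "person",
     "objectclass": ["top", "person", "contact"]},
    {"cn": "Service (no mailbox)", "objectcategory": "person",
     "objectclass": ["top", "person", "user"], "userAccountControl": 0x200},
    {"cn": "PC-01$", "mailnickname": "pc01", "objectcategory": "computer",
     "objectclass": ["top", "computer"], "userAccountControl": 0x1000},
]

def bitwise_and_match(entry, attr, mask):
    """LDAP_MATCHING_RULE_BIT_AND: true only if the attribute is present and every bit
    of the mask is set. An absent attribute makes the assertion false, which is why
    (!(userAccountControl:...:=2)) still admits objects without it, such as contacts."""
    value = entry.get(attr)
    return value is not None and (value & mask) == mask

def in_address_book(entry):
    """Python equivalent of the article's filter: mail-enabled persons or dynamic
    distribution lists, minus disabled accounts and objects hidden from address lists."""
    has_mailnickname = bool(entry.get("mailnickname"))
    person_or_ddl = (entry.get("objectcategory", "").lower() == "person"
                     or "msExchDynamicDistributionList" in entry.get("objectclass", []))
    disabled = bitwise_and_match(entry, "userAccountControl", ACCOUNTDISABLE)
    hidden = str(entry.get("msExchHideFromAddressLists", "")).upper() == "TRUE"
    return has_mailnickname and person_or_ddl and not disabled and not hidden

def visible_names(directory=DIRECTORY):
    """Names the address book would show for the given entries."""
    return [e["cn"] for e in directory if in_address_book(e)]
```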

Close the dialogs. Now open the newly created address book and type @ in the search field without pressing Enter, since that input would go into the password dialog. In the dialog, enter the user's password and tick Save password. The list of recipients should appear. It works well: simply start typing the recipient's name or address in the To: line of a new message to get a list of possible matches.

Attention! If in Active Directory you have restricted the list of hosts an account may log on to, then to access LDAP on the domain controller you will need to add the controller's name to that list.

Next, create the user account. If everything was pre-configured correctly, the correct settings will be offered instantly.

It remains to click Done and, if the root certificate was added earlier, mail will be connected. Otherwise each certificate will have to be confirmed.

Archiving and other additions

Configure subscribed folders. While synchronization is in progress, set up archiving to local folders: Account Settings -> Copies & Folders -> Message Archives -> Keep message archives in: the "Archives" folder in: Local Folders. Archiving can be split into folders by year or by month. Out of the box, Thunderbird archives mail only manually. Automatic archiving can be achieved by installing a special add-on (Awesome Auto Archive). It is configured quite simply.

Also install the following add-ons:

The result is a workable e-mail client. Access to public folders can be obtained through OWA by creating a link in the browser or on the desktop to the corresponding OWA section:

https://mail.company.loc/Public


PST import

Now to the question of importing previously archived Outlook mail into Thunderbird. The commonly described method, which relies on installing a 30-day trial of Outlook, does not work: Thunderbird crashes with an exception. I tested many different configurations. Moreover, import on Windows x64 is ruled out altogether. I had to take a roundabout route. There is a working method, but it involves quite a lot of manipulation.
  1. Download a free Outlook viewer that can read .pst files (Outlook archives) and install it on a PC used for the manipulation.
  2. Take the client's .pst over the network, open it and export the messages to a folder with subfolders (subfolders may exist inside the archive) in EML format with attachments. This is only half the job!
  3. Then, in a temporarily installed Thunderbird with the ImportExportTools add-on, create a local folder, for example Outlook-Archive, and right-click it to open the add-on's import menu:
  4. Select the folder with the previously exported messages and import.
  5. Now right-click the Outlook-Archive folder, open the folder properties and see where it is stored on disk. Having found it, copy the files named after the folder (the mailbox file and its index) together with the subfolder directory of the same name to the user's PC, into the local folders of the user's Thunderbird profile. After a restart, the folder with the archived mail should appear in the user's Thunderbird.


I am considering introducing centralized configuration of users.

Work on bedding in the solution is still underway, so I may add and change things.

Source: https://habr.com/ru/post/233963/
