Sync iRedMail upgrade tutorial.

This commit is contained in:
Zhang Huangbin 2017-01-18 11:08:43 +08:00
parent cf70f099e1
commit a4de3175ed
4 changed files with 146 additions and 92 deletions

View File

@ -5,15 +5,16 @@
## Summary
Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant
permission to normal domain admin to create new mail domains. All new domains
added by normal domain admin requires domain ownership verification, to ensure:
normal domain admin permission to create new mail domains. All new domains
added by normal domain admin require domain ownership verification by deafult,
to ensure:
* the newly added mail domain is an valid domain
* the newly added mail domain name is an valid domain name on internet
* the domain admin have the required privileges in the domain to manage the
email services.
email services
Mail services are disabled for pending domains, and will be activated
automatically after verified.
automatically after admin verified the ownership.
## How to enable or disable domain ownership verification
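Review bot: the rewritten sentence ending in `by deafult` introduces a typo for `by default`, and the two bullets that follow still read `an valid domain` and `an valid domain name on internet`; while this paragraph is being reworded, suggest `a valid domain`, `a valid domain name on the internet`, and `the domain admin has the required privileges`.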
@ -24,7 +25,8 @@ iRedAdmin-Pro config file `settings.py`, set proper value, then restart
Apache or uwsgi (if you're running Nginx) service to reload the changes.
```
# Require domain ownership verification if it was added by normal domain admin.
# Require domain ownership verification if it's added by normal domain admin:
# True, False.
REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
# How long should we remove verified or (inactive) unverified domain ownerships.
@ -32,14 +34,14 @@ REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
# iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
# removed the domain and re-adds it, no verification required.
#
# Usually normal domain admin won't frequently remove and re-add same domain
# name, so it's ok to remove saved ownership after X days.
# Admin won't frequently remove and re-add same domain name, so it's ok to
# remove saved ownership after X days.
DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30
# The string prefixed to verify code. Must be shorter than than 60 characters.
DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'
# Timeout while performing each verification.
# Timeout (in seconds) while performing each verification.
DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
```
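Review bot: the unchanged comment `# The string prefixed to verify code. Must be shorter than than 60 characters.` carries a doubled `than`; since the neighbouring comment lines are being reworded in this hunk, fix it here too (`Must be shorter than 60 characters.`). It would also help to say whether the 60-character limit applies to the prefix alone or to the whole verify code (prefix plus random suffix, as in the sample `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`), since an over-long prefix would not fit in a DNS TXT record or file name in the verification steps below.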
@ -48,9 +50,11 @@ DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
There're several ways to verify domain ownership:
* Create a text file under top directory of the web site of new domain, both
file name and file content must be same as verify code. For example, for
pending domain `example.com` with verify code
`iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, we will verify 2 URLs:
file name and file content must be same as verify code.
For example, for pending domain `example.com` with verify code
`iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, iRedAdmin-Pro will
verify 2 URLs:
* http: `http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`
* https: `https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`
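Review bot: the new wording says iRedAdmin-Pro "will verify 2 URLs" but does not state whether ownership is accepted when either URL serves the code or only when both do; since many sites redirect http to https or serve only one of them, spell out the rule (for example "verification passes if either URL returns the code") so an admin knows whether an http-only or https-only site is enough. Minor: `must be same as verify code` reads better as `must be the same as the verify code`.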
@ -59,28 +63,26 @@ There're several ways to verify domain ownership:
code as page content.
* Create a TXT type DNS record of the domain name, use the verify code as its
value. For example, for pending domain `example.com` with verify code
`iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, DNS query by command
`nslookup -type=txt example.com` should return a record which is same as
verify code.
value.
For example, for pending domain `example.com` with verify code
`iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, DNS query by command
`nslookup -type=txt example.com` should return a record which is same as
verify code.
Sample DNS query with `nslookup`:
Sample DNS query with `nslookup`:
```
$ nslookup -type=txt example.com
Non-authoritative answer:
...
example.com text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
example.com text = "v=spf1 ..."
example.com text = "..."
...
```
Sample DNS query with `dig`:
Sample DNS query with `dig`:
```
$ dig -t txt example.com
...
;; ANSWER SECTION:
iredmail.org. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
iredmail.org. 4173 IN TXT "v=spf1 ..."
iredmail.org. 4173 IN TXT "..."
...
```
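Review bot: the `dig` sample output does not match its own query: the command is `dig -t txt example.com` but the ANSWER SECTION lists `iredmail.org.` records; change them to `example.com.` so the sample agrees with the `nslookup` sample above it. Minor: `should return a record which is same as verify code` reads better as `should return a record whose value is the same as the verify code`.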

View File

@ -438,36 +438,53 @@ $banned_namepath_re = new_RE(
## OpenLDAP backend special
### Fixed: mail accounts (user, alias, list) are still active when domain is disabled
### Use the latest iRedMail LDAP schema file
> This fix is applicable to OpenBSD ldapd backend also.
iRedMail-0.9.6 introduces 2 new LDAP attributes:
In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
all mail accounts (mail users, aliases, lists) are still active and Postfix
will accept emails sent to them. Steps below fix the issue.
* `domainPendingAliasName`: used by mail domain account, to store new alias
domain names which is pending for domain ownership verification. Required by
iRedAdmin-Pro.
* `domainStatus`: used by mail user/alias/list accounts, to indicate domain
status.
#### Update OpenLDAP config file to index new attribute name: `domainStatus`
#### Update OpenLDAP config file to index new attributes
* Please open OpenLDAP config file `slapd.conf`, find line below:
* Please open OpenLDAP config file `slapd.conf`:
* On RHEL/CentOS, it's `/etc/openldap/slapd.conf`
* On Debian/Ubuntu, it's `/etc/ldap/slapd.conf`
* On FreeBSD, it's `/usr/local/etc/openldap/slapd.conf`
* On OpenBSD, it's `/etc/openldap/slapd.conf`. If you're running ldapd as
LDAP server, please add a new line `index domainStats` in the `namespace
xxx {}` block.
* On OpenBSD:
* if you're running OpenLDAP, it's `/etc/openldap/slapd.conf`.
* if you're running ldapd(8) LDAP server, please add a new line
`index domainStats` in the `namespace xxx {}` block.
* for new attribute `domainPendingAliasName`, please find line below:
```
access to attrs="objectclass,domainName,mtaTransport,..."
```
Add new attribute name `domainPendingAliasName` in this line (__WARNING__:
don't leave any whitespace between attribute names and comma):
```
access to attrs="domainPendingAliasName,objectclass,domainName,mtaTransport,..."
```
* for new attribute `domainStatus`, please find line below:
```
access to attrs="employeeNumber,mail,..."
```
* Add new attribute name `domainStatus` in this line (__WARNING__: don't leave
any whitespace between attribute names and comma):
Add new attribute name `domainStatus` in this line (__WARNING__: don't leave
any whitespace between attribute names and comma):
```
access to attrs="domainStatus,employeeNumber,mail,..."
```
#### Use the latest iRedMail LDAP schema file
#### Download the latest iRedMail LDAP schema file
* On RHEL/CentOS:
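Review bot: `index domainStats` in the OpenBSD ldapd(8) instruction is a typo carried over from the old text; the attribute this hunk introduces is `domainStatus`, and an `index domainStats` line indexes nothing while the `(!(domainStatus=disabled))` filters added later in this tutorial run unindexed. Suggest `index domainStatus`. Separately, the fenced code blocks under the `for new attribute ...` bullets are not indented as part of their list items, which is why the rendered HTML closes the list before each `<pre>` block; indent the fences and the `Add new attribute name ...` paragraphs under their bullets. Minor: `domain names which is pending` should be `domain names which are pending`.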
@ -523,12 +540,20 @@ cp -f /tmp/iredmail.schema /etc/openldap/schema/
rcctl restart slapd
```
### Fixed: mail accounts (user, alias, list) are still active when domain is disabled
> This fix is applicable to OpenBSD ldapd backend also.
In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
all mail accounts (mail users, aliases, lists) are still active and Postfix
will accept emails sent to them. Steps below fix the issue.
#### Update Postfix/Dovecot LDAP lookup files
* On Linux and OpenBSD, run commands:
```
cp -rf /etc/postfix/ldap /etc/postfix/ldap.$(date +%Y%m%d)
cp -rf /etc/postfix/ldap /etc/postfix/ldap.bak
cd /etc/postfix/ldap/
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf
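Review bot: the `perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g'` substitution is not idempotent: an admin who runs this block twice, or who already applied it from the earlier `ldap.bak` version of the tutorial, ends up with `(accountStatus=active)(!(domainStatus=disabled))(!(domainStatus=disabled))` in every listed lookup file. Consider restricting it to files that do not already contain the new filter (e.g. feeding the file list through `grep -L domainStatus=disabled *.cf`) or telling the reader to check with `grep -c domainStatus *.cf` first. The dated backup `ldap.$(date +%Y%m%d)` is an improvement over `ldap.bak`, though a second run on the same day copies `ldap` inside the existing directory rather than replacing it.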
@ -539,7 +564,7 @@ perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=di
* On FreeBSD, run commands:
```
cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.$(date +%Y%m%d)
cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.bak
cd /usr/local/etc/postfix/ldap/
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf

View File

@ -28,22 +28,24 @@
</div>
<h2 id="summary">Summary</h2>
<p>Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant
permission to normal domain admin to create new mail domains. All new domains
added by normal domain admin requires domain ownership verification, to ensure:</p>
normal domain admin permission to create new mail domains. All new domains
added by normal domain admin require domain ownership verification by deafult,
to ensure:</p>
<ul>
<li>the newly added mail domain is an valid domain</li>
<li>the newly added mail domain name is an valid domain name on internet</li>
<li>the domain admin have the required privileges in the domain to manage the
email services.</li>
email services</li>
</ul>
<p>Mail services are disabled for pending domains, and will be activated
automatically after verified.</p>
automatically after admin verified the ownership.</p>
<h2 id="how-to-enable-or-disable-domain-ownership-verification">How to enable or disable domain ownership verification</h2>
<p>There're few parameters used to control domain ownership verifivation, you can
find default settings in file <code>libs/default_settings.py</code> under iRedAdmin-Pro
directory. If you want to change any of them, please copy the parameter to
iRedAdmin-Pro config file <code>settings.py</code>, set proper value, then restart
Apache or uwsgi (if you're running Nginx) service to reload the changes.</p>
<pre><code># Require domain ownership verification if it was added by normal domain admin.
<pre><code># Require domain ownership verification if it's added by normal domain admin:
# True, False.
REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
# How long should we remove verified or (inactive) unverified domain ownerships.
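Review bot: the generated HTML reproduces the `deafult` and `an valid` typos of the markdown source; fix them in `.md` and regenerate rather than editing the two files separately, otherwise the rendered page and the source drift apart again on the next sync.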
@ -51,14 +53,14 @@ REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
# iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
# removed the domain and re-adds it, no verification required.
#
# Usually normal domain admin won't frequently remove and re-add same domain
# name, so it's ok to remove saved ownership after X days.
# Admin won't frequently remove and re-add same domain name, so it's ok to
# remove saved ownership after X days.
DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30
# The string prefixed to verify code. Must be shorter than than 60 characters.
DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'
# Timeout while performing each verification.
# Timeout (in seconds) while performing each verification.
DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
</code></pre>
@ -67,9 +69,10 @@ DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
<ul>
<li>
<p>Create a text file under top directory of the web site of new domain, both
file name and file content must be same as verify code. For example, for
pending domain <code>example.com</code> with verify code
<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, we will verify 2 URLs:</p>
file name and file content must be same as verify code.</p>
<p>For example, for pending domain <code>example.com</code> with verify code
<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, iRedAdmin-Pro will
verify 2 URLs:</p>
<ul>
<li>http: <code>http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code></li>
<li>https: <code>https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code></li>
@ -79,30 +82,25 @@ code as page content.</p>
</li>
<li>
<p>Create a TXT type DNS record of the domain name, use the verify code as its
value. For example, for pending domain <code>example.com</code> with verify code
<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, DNS query by command
<code>nslookup -type=txt example.com</code> should return a record which is same as
verify code.</p>
<p>Sample DNS query with <code>nslookup</code>:</p>
value.</p>
<p>For example, for pending domain <code>example.com</code> with verify code
<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, DNS query by command
<code>nslookup -type=txt example.com</code> should return a record which is same as
verify code.</p>
</li>
</ul>
<p>Sample DNS query with <code>nslookup</code>:</p>
<pre><code>$ nslookup -type=txt example.com
Non-authoritative answer:
example.com text = &quot;iredmail-domain-verification-5tzh5gHjU688yyWK7cSV&quot;
example.com text = &quot;v=spf1 ...&quot;
example.com text = &quot;...&quot;
</code></pre>
<pre><code>Sample DNS query with `dig`:
</code></pre>
<pre><code>$ dig -t txt example.com
...
;; ANSWER SECTION:
example.com text = &quot;iredmail-domain-verification-5tzh5gHjU688yyWK7cSV&quot;
...
</code></pre>
<p>Sample DNS query with <code>dig</code>:</p>
<pre><code>$ dig -t txt example.com
...
iredmail.org. 4173 IN TXT &quot;iredmail-domain-verification-5tzh5gHjU688yyWK7cSV&quot;
iredmail.org. 4173 IN TXT &quot;v=spf1 ...&quot;
iredmail.org. 4173 IN TXT &quot;...&quot;
...
</code></pre><div class="footer">
<p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div>
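Review bot: as in the markdown source, the `dig` sample answers `iredmail.org.` for a query against `example.com`; fix the source and regenerate this file. Dropping the stray `<pre><code>Sample DNS query with `dig`:</code></pre>` block, where the caption had been swallowed into a code block, is the right fix, and moving the `nslookup` and `dig` samples outside the `<ul>` keeps the HTML consistent with the markdown.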

View File

@ -44,9 +44,12 @@
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
<li><a href="#use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</a><ul>
<li><a href="#update-openldap-config-file-to-index-new-attributes">Update OpenLDAP config file to index new attributes</a></li>
<li><a href="#download-the-latest-iredmail-ldap-schema-file">Download the latest iRedMail LDAP schema file</a></li>
</ul>
</li>
<li><a href="#fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</a><ul>
<li><a href="#update-openldap-config-file-to-index-new-attribute-name-domainstatus">Update OpenLDAP config file to index new attribute name: domainStatus</a></li>
<li><a href="#use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</a></li>
<li><a href="#update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</a></li>
<li><a href="#add-required-ldap-attributevalue-for-existing-mail-accounts-under-disabled-domains">Add required LDAP attribute/value for existing mail accounts under disabled domains</a></li>
</ul>
@ -470,36 +473,55 @@ your Amavisd config file.</p>
<li>Restart Amavisd service is required.</li>
</ul>
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</h3>
<blockquote>
<p>This fix is applicable to OpenBSD ldapd backend also.</p>
</blockquote>
<p>In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
all mail accounts (mail users, aliases, lists) are still active and Postfix
will accept emails sent to them. Steps below fix the issue.</p>
<h4 id="update-openldap-config-file-to-index-new-attribute-name-domainstatus">Update OpenLDAP config file to index new attribute name: <code>domainStatus</code></h4>
<h3 id="use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</h3>
<p>iRedMail-0.9.6 introduces 2 new LDAP attributes:</p>
<ul>
<li><code>domainPendingAliasName</code>: used by mail domain account, to store new alias
domain names which is pending for domain ownership verification. Required by
iRedAdmin-Pro.</li>
<li><code>domainStatus</code>: used by mail user/alias/list accounts, to indicate domain
status.</li>
</ul>
<h4 id="update-openldap-config-file-to-index-new-attributes">Update OpenLDAP config file to index new attributes</h4>
<ul>
<li>
<p>Please open OpenLDAP config file <code>slapd.conf</code>:</p>
<ul>
<li>Please open OpenLDAP config file <code>slapd.conf</code>, find line below:<ul>
<li>On RHEL/CentOS, it's <code>/etc/openldap/slapd.conf</code></li>
<li>On Debian/Ubuntu, it's <code>/etc/ldap/slapd.conf</code></li>
<li>On FreeBSD, it's <code>/usr/local/etc/openldap/slapd.conf</code></li>
<li>On OpenBSD, it's <code>/etc/openldap/slapd.conf</code>. If you're running ldapd as
LDAP server, please add a new line <code>index domainStats</code> in the <code>namespace
xxx {}</code> block.</li>
<li>On OpenBSD:<ul>
<li>if you're running OpenLDAP, it's <code>/etc/openldap/slapd.conf</code>.</li>
<li>if you're running ldapd(8) LDAP server, please add a new line
<code>index domainStats</code> in the <code>namespace xxx {}</code> block.</li>
</ul>
</li>
</ul>
</li>
<li>
<p>for new attribute <code>domainPendingAliasName</code>, please find line below:</p>
</li>
</ul>
<pre><code>access to attrs=&quot;objectclass,domainName,mtaTransport,...&quot;
</code></pre>
<p>Add new attribute name <code>domainPendingAliasName</code> in this line (<strong>WARNING</strong>:
don't leave any whitespace between attribute names and comma):</p>
<pre><code>access to attrs=&quot;domainPendingAliasName,objectclass,domainName,mtaTransport,...&quot;
</code></pre>
<ul>
<li>for new attribute <code>domainStatus</code>, please find line below:</li>
</ul>
<pre><code>access to attrs=&quot;employeeNumber,mail,...&quot;
</code></pre>
<ul>
<li>Add new attribute name <code>domainStatus</code> in this line (<strong>WARNING</strong>: don't leave
any whitespace between attribute names and comma):</li>
</ul>
<p>Add new attribute name <code>domainStatus</code> in this line (<strong>WARNING</strong>: don't leave
any whitespace between attribute names and comma):</p>
<pre><code>access to attrs=&quot;domainStatus,employeeNumber,mail,...&quot;
</code></pre>
<h4 id="use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</h4>
<h4 id="download-the-latest-iredmail-ldap-schema-file">Download the latest iRedMail LDAP schema file</h4>
<ul>
<li>On RHEL/CentOS:</li>
</ul>
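Review bot: the rendered list structure is broken in this hunk: the `<ul>` closes after `for new attribute <code>domainPendingAliasName</code>, please find line below:` before its `<pre>` block, and the `for new attribute <code>domainStatus</code>` bullet and the `Add new attribute name <code>domainStatus</code>` text come out as separate one-item lists and bare paragraphs, because the code fences in the markdown are not indented under their list items. Indent them in the source and regenerate. `index domainStats` here should also read `index domainStatus`, matching the attribute name introduced in the paragraph above.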
@ -558,6 +580,13 @@ cp -f /tmp/iredmail.schema /etc/openldap/schema/
rcctl restart slapd
</code></pre>
<h3 id="fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</h3>
<blockquote>
<p>This fix is applicable to OpenBSD ldapd backend also.</p>
</blockquote>
<p>In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
all mail accounts (mail users, aliases, lists) are still active and Postfix
will accept emails sent to them. Steps below fix the issue.</p>
<h4 id="update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</h4>
<ul>
<li>On Linux and OpenBSD, run commands:</li>