diff --git a/en_US/iredadmin/2-iredadmin-pro.domain.ownership.verification.md b/en_US/iredadmin/2-iredadmin-pro.domain.ownership.verification.md index 52455e16..82987a16 100644 --- a/en_US/iredadmin/2-iredadmin-pro.domain.ownership.verification.md +++ b/en_US/iredadmin/2-iredadmin-pro.domain.ownership.verification.md @@ -5,15 +5,16 @@ ## Summary Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant -permission to normal domain admin to create new mail domains. All new domains -added by normal domain admin requires domain ownership verification, to ensure: +normal domain admin permission to create new mail domains. All new domains +added by normal domain admin require domain ownership verification by deafult, +to ensure: -* the newly added mail domain is an valid domain +* the newly added mail domain name is an valid domain name on internet * the domain admin have the required privileges in the domain to manage the - email services. + email services Mail services are disabled for pending domains, and will be activated -automatically after verified. +automatically after admin verified the ownership. ## How to enable or disable domain ownership verification @@ -24,7 +25,8 @@ iRedAdmin-Pro config file `settings.py`, set proper value, then restart Apache or uwsgi (if you're running Nginx) service to reload the changes. ``` -# Require domain ownership verification if it was added by normal domain admin. +# Require domain ownership verification if it's added by normal domain admin: +# True, False. REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True # How long should we remove verified or (inactive) unverified domain ownerships. 
@@ -32,14 +34,14 @@ REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True # iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin # removed the domain and re-adds it, no verification required. # -# Usually normal domain admin won't frequently remove and re-add same domain -# name, so it's ok to remove saved ownership after X days. +# Admin won't frequently remove and re-add same domain name, so it's ok to +# remove saved ownership after X days. DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30 # The string prefixed to verify code. Must be shorter than than 60 characters. DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-' -# Timeout while performing each verification. +# Timeout (in seconds) while performing each verification. DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10 ``` @@ -48,9 +50,11 @@ DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10 There're several ways to verify domain ownership: * Create a text file under top directory of the web site of new domain, both - file name and file content must be same as verify code. For example, for - pending domain `example.com` with verify code - `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, we will verify 2 URLs: + file name and file content must be same as verify code. + + For example, for pending domain `example.com` with verify code + `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, iRedAdmin-Pro will + verify 2 URLs: * http: `http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV` * https: `https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV` 
@@ -59,28 +63,26 @@ There're several ways to verify domain ownership: code as page content. * Create a TXT type DNS record of the domain name, use the verify code as its - value. For example, for pending domain `example.com` with verify code - `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, DNS query by command - `nslookup -type=txt example.com` should return a record which is same as - verify code. + value. + + For example, for pending domain `example.com` with verify code + `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, DNS query by command + `nslookup -type=txt example.com` should return a record which is same as + verify code. + +Sample DNS query with `nslookup`: - Sample DNS query with `nslookup`: ``` $ nslookup -type=txt example.com - -Non-authoritative answer: +... example.com text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV" -example.com text = "v=spf1 ..." -example.com text = "..." +... ``` - Sample DNS query with `dig`: +Sample DNS query with `dig`: ``` $ dig -t txt example.com - ... -;; ANSWER SECTION: iredmail.org. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV" -iredmail.org. 4173 IN TXT "v=spf1 ..." -iredmail.org. 4173 IN TXT "..." +... ``` diff --git a/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md b/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md index 4d27a1af..ec94a176 100644 --- a/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md +++ b/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md 
@@ -438,36 +438,53 @@ $banned_namepath_re = new_RE( ## OpenLDAP backend special -### Fixed: mail accounts (user, alias, list) are still active when domain is disabled +### Use the latest iRedMail LDAP schema file -> This fix is applicable to OpenBSD ldapd backend also. +iRedMail-0.9.6 introduces 2 new LDAP attributes: -In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain, -all mail accounts (mail users, aliases, lists) are still active and Postfix -will accept emails sent to them. Steps below fix the issue. +* `domainPendingAliasName`: used by mail domain account, to store new alias + domain names which is pending for domain ownership verification. Required by + iRedAdmin-Pro. +* `domainStatus`: used by mail user/alias/list accounts, to indicate domain + status. -#### Update OpenLDAP config file to index new attribute name: `domainStatus` +#### Update OpenLDAP config file to index new attributes -* Please open OpenLDAP config file `slapd.conf`, find line below: +* Please open OpenLDAP config file `slapd.conf`: * On RHEL/CentOS, it's `/etc/openldap/slapd.conf` * On Debian/Ubuntu, it's `/etc/ldap/slapd.conf` * On FreeBSD, it's `/usr/local/etc/openldap/slapd.conf` - * On OpenBSD, it's `/etc/openldap/slapd.conf`. If you're running ldapd as - LDAP server, please add a new line `index domainStats` in the `namespace - xxx {}` block. + * On OpenBSD: + * if you're running OpenLDAP, it's `/etc/openldap/slapd.conf`. + * if you're running ldapd(8) LDAP server, please add a new line + `index domainStats` in the `namespace xxx {}` block. + +* for new attribute `domainPendingAliasName`, please find line below: + +``` +access to attrs="objectclass,domainName,mtaTransport,..." +``` + +Add new attribute name `domainPendingAliasName` in this line (__WARNING__: +don't leave any whitespace between attribute names and comma): + +``` +access to attrs="domainPendingAliasName,objectclass,domainName,mtaTransport,..." 
+``` + +* for new attribute `domainStatus`, please find line below: ``` access to attrs="employeeNumber,mail,..." ``` -* Add new attribute name `domainStatus` in this line (__WARNING__: don't leave - any whitespace between attribute names and comma): +Add new attribute name `domainStatus` in this line (__WARNING__: don't leave +any whitespace between attribute names and comma): ``` access to attrs="domainStatus,employeeNumber,mail,..." ``` - -#### Use the latest iRedMail LDAP schema file +#### Download the latest iRedMail LDAP schema file * On RHEL/CentOS: @@ -523,12 +540,20 @@ cp -f /tmp/iredmail.schema /etc/openldap/schema/ rcctl restart slapd ``` +### Fixed: mail accounts (user, alias, list) are still active when domain is disabled + +> This fix is applicable to OpenBSD ldapd backend also. + +In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain, +all mail accounts (mail users, aliases, lists) are still active and Postfix +will accept emails sent to them. Steps below fix the issue. + #### Update Postfix/Dovecot LDAP lookup files * On Linux and OpenBSD, run commands: ``` -cp -rf /etc/postfix/ldap /etc/postfix/ldap.$(date +%Y%m%d) +cp -rf /etc/postfix/ldap /etc/postfix/ldap.bak cd /etc/postfix/ldap/ perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf 
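Review bot: replacing the date-stamped backup `ldap.$(date +%Y%m%d)` with the fixed name `ldap.bak` (same change for `/usr/local/etc/postfix/ldap.bak` in the FreeBSD hunk that follows) makes the backup non-unique, and the `perl -pi -e 's#\(accountStatus=active\)#...'` substitution right after it is not idempotent: running the upgrade a second time appends another `(!(domainStatus=disabled))` to every lookup file, and `cp -rf` either clobbers the pristine copy or, if `ldap.bak` already exists, nests a second copy under `ldap.bak/ldap/`, so the only known-good lookup files are lost. Keep the date-stamped name, or guard the step with something like `[ -e /etc/postfix/ldap.bak ] && { echo "backup exists, aborting"; exit 1; }` before the `cp`.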
@@ -539,7 +564,7 @@ perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=di * On FreeBSD, run commands: ``` -cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.$(date +%Y%m%d) +cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.bak cd /usr/local/etc/postfix/ldap/ perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf diff --git a/html/iredadmin-pro.domain.ownership.verification.html b/html/iredadmin-pro.domain.ownership.verification.html index 6e8766ac..7443f3f7 100644 --- a/html/iredadmin-pro.domain.ownership.verification.html +++ b/html/iredadmin-pro.domain.ownership.verification.html @@ -28,22 +28,24 @@
Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant -permission to normal domain admin to create new mail domains. All new domains -added by normal domain admin requires domain ownership verification, to ensure:
+normal domain admin permission to create new mail domains. All new domains +added by normal domain admin require domain ownership verification by deafult, +to ensure:Mail services are disabled for pending domains, and will be activated -automatically after verified.
+automatically after admin verified the ownership.There're few parameters used to control domain ownership verifivation, you can
find default settings in file libs/default_settings.py
under iRedAdmin-Pro
directory. If you want to change any of them, please copy the parameter to
iRedAdmin-Pro config file settings.py
, set proper value, then restart
Apache or uwsgi (if you're running Nginx) service to reload the changes.
# Require domain ownership verification if it was added by normal domain admin.
+# Require domain ownership verification if it's added by normal domain admin:
+# True, False.
REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
# How long should we remove verified or (inactive) unverified domain ownerships.
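Review bot: the new line `require domain ownership verification by deafult` misspells "default" (the markdown hunk for `2-iredadmin-pro.domain.ownership.verification.md` carries the same typo). While here: `automatically after admin verified the ownership` reads better as `automatically after the admin has verified ownership`; the markdown bullets `an valid domain name` and `the domain admin have the required privileges` should be `a valid domain name` and `has the required privileges`; the context line `control domain ownership verifivation` misspells "verification"; and the trailing comment `# How long should we remove verified or (inactive) unverified domain ownerships.` states no unit, although `DOMAIN_OWNERSHIP_EXPIRE_DAYS` below makes it days, so say "after how many days".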
@@ -51,14 +53,14 @@ REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
# iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
# removed the domain and re-adds it, no verification required.
#
-# Usually normal domain admin won't frequently remove and re-add same domain
-# name, so it's ok to remove saved ownership after X days.
+# Admin won't frequently remove and re-add same domain name, so it's ok to
+# remove saved ownership after X days.
DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30
# The string prefixed to verify code. Must be shorter than than 60 characters.
DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'
-# Timeout while performing each verification.
+# Timeout (in seconds) while performing each verification.
DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
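Review bot: the context line `# The string prefixed to verify code. Must be shorter than than 60 characters.` has a doubled "than"; since this comment block is being edited anyway (the timeout comment now correctly says "in seconds"), fix it in the same hunk. The rewritten `# Admin won't frequently remove and re-add same domain name` drops the word "normal", which was the point: only normal domain admins go through verification, global admins do not, so keep "normal domain admin" to match the `REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION` comment above it.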
@@ -67,9 +69,10 @@ DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
-
Create a text file under top directory of the web site of new domain, both
- file name and file content must be same as verify code. For example, for
- pending domain example.com
with verify code
- iredmail-domain-verification-5tzh5gHjU688yyWK7cSV
, we will verify 2 URLs:
+ file name and file content must be same as verify code.
+For example, for pending domain example.com
with verify code
+iredmail-domain-verification-5tzh5gHjU688yyWK7cSV
, iRedAdmin-Pro will
+verify 2 URLs:
- http:
http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV
- https:
https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV
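Review bot: the HTTP method now says `iRedAdmin-Pro will verify 2 URLs` but still does not say what outcome is required: whether a match on either the `http://` or the `https://` URL is enough, whether redirects are followed, and whether the certificate is validated on the `https://` fetch. A reader with an HTTP-only site, or one where the domain redirects to another host, cannot tell from this text whether verification will succeed, so state the rule in one sentence after the two URL bullets.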
@@ -79,30 +82,25 @@ code as page content.
-
Create a TXT type DNS record of the domain name, use the verify code as its
- value. For example, for pending domain example.com
with verify code
- iredmail-domain-verification-5tzh5gHjU688yyWK7cSV
, DNS query by command
- nslookup -type=txt example.com
should return a record which is same as
- verify code.
-Sample DNS query with nslookup
:
+ value.
+For example, for pending domain example.com
with verify code
+iredmail-domain-verification-5tzh5gHjU688yyWK7cSV
, DNS query by command
+nslookup -type=txt example.com
should return a record which is same as
+verify code.
+Sample DNS query with nslookup
:
$ nslookup -type=txt example.com
-
-Non-authoritative answer:
-example.com text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
-example.com text = "v=spf1 ..."
-example.com text = "..."
-
-
-Sample DNS query with `dig`:
-
-$ dig -t txt example.com
-
...
-;; ANSWER SECTION:
+example.com text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
+...
+
+
+Sample DNS query with dig
:
+$ dig -t txt example.com
+...
iredmail.org. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
-iredmail.org. 4173 IN TXT "v=spf1 ..."
-iredmail.org. 4173 IN TXT "..."
+...
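Review bot: the `dig` sample still answers for `iredmail.org.` while the command queries `example.com`, so the output does not match the query; change the answer line to `example.com. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"`. Trimming the `v=spf1 ...` lines to `...` also hides a detail that matters for the reader: most domains already have other TXT records, and the verification record is added alongside them, so keeping one `text = "v=spf1 ..."` line makes it clear that the verify code only has to appear among the records, not be the only one.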
diff --git a/html/upgrade.iredmail.0.9.5.1-0.9.6.html b/html/upgrade.iredmail.0.9.5.1-0.9.6.html
index 44cee1ca..bff55b09 100644
--- a/html/upgrade.iredmail.0.9.5.1-0.9.6.html
+++ b/html/upgrade.iredmail.0.9.5.1-0.9.6.html
@@ -44,9 +44,12 @@
OpenLDAP backend special
+- Use the latest iRedMail LDAP schema file
+
- Fixed: mail accounts (user, alias, list) are still active when domain is disabled
@@ -470,36 +473,55 @@ your Amavisd config file.
- Restart Amavisd service is required.
OpenLDAP backend special
-Fixed: mail accounts (user, alias, list) are still active when domain is disabled
-
-This fix is applicable to OpenBSD ldapd backend also.
-
-In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
-all mail accounts (mail users, aliases, lists) are still active and Postfix
-will accept emails sent to them. Steps below fix the issue.
-Update OpenLDAP config file to index new attribute name: domainStatus
+Use the latest iRedMail LDAP schema file
+iRedMail-0.9.6 introduces 2 new LDAP attributes:
+
+domainPendingAliasName
: used by mail domain account, to store new alias
+ domain names which is pending for domain ownership verification. Required by
+ iRedAdmin-Pro.
+domainStatus
: used by mail user/alias/list accounts, to indicate domain
+ status.
+
+Update OpenLDAP config file to index new attributes
+
+-
+
Please open OpenLDAP config file slapd.conf
:
-- Please open OpenLDAP config file
slapd.conf
, find line below:
- On RHEL/CentOS, it's
/etc/openldap/slapd.conf
- On Debian/Ubuntu, it's
/etc/ldap/slapd.conf
- On FreeBSD, it's
/usr/local/etc/openldap/slapd.conf
-- On OpenBSD, it's
/etc/openldap/slapd.conf
. If you're running ldapd as
- LDAP server, please add a new line index domainStats
in the namespace
- xxx {}
block.
+- On OpenBSD:
+- if you're running OpenLDAP, it's
/etc/openldap/slapd.conf
.
+- if you're running ldapd(8) LDAP server, please add a new line
+
index domainStats
in the namespace xxx {}
block.
+
+-
+
for new attribute domainPendingAliasName
, please find line below:
+
+
+access to attrs="objectclass,domainName,mtaTransport,..."
+
+
+Add new attribute name domainPendingAliasName
in this line (WARNING:
+don't leave any whitespace between attribute names and comma):
+access to attrs="domainPendingAliasName,objectclass,domainName,mtaTransport,..."
+
+
+
+- for new attribute
domainStatus
, please find line below:
+
access to attrs="employeeNumber,mail,..."
-
-- Add new attribute name
domainStatus
in this line (WARNING: don't leave
- any whitespace between attribute names and comma):
-
+Add new attribute name domainStatus
in this line (WARNING: don't leave
+any whitespace between attribute names and comma):
access to attrs="domainStatus,employeeNumber,mail,..."
-Use the latest iRedMail LDAP schema file
+Download the latest iRedMail LDAP schema file
- On RHEL/CentOS:
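Review bot: the ldapd(8) bullet still says `index domainStats`, while the attribute this section introduces, and the ACL line below adds, is `domainStatus`; with the misspelled name ldapd indexes a non-existent attribute and the `(!(domainStatus=disabled))` filters the Postfix lookup files gain later in this page stay unindexed. The heading `Update OpenLDAP config file to index new attributes` also promises index directives, but the OpenLDAP steps only touch the `access to attrs="..."` lines; either retitle it ("grant access to new attributes") or add the `index domainStatus eq` / `index domainPendingAliasName eq` lines for `slapd.conf` (with a note to run `slapindex` while slapd is stopped, since new index directives are not applied to existing data otherwise).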
@@ -558,6 +580,13 @@ cp -f /tmp/iredmail.schema /etc/openldap/schema/
rcctl restart slapd
+++This fix is applicable to OpenBSD ldapd backend also.
+
In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain, +all mail accounts (mail users, aliases, lists) are still active and Postfix +will accept emails sent to them. Steps below fix the issue.
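Review bot: the moved block `Fixed: mail accounts (user, alias, list) are still active when domain is disabled` now sits after the `rcctl restart slapd` step, which is the right order, but its lead-in should say that the schema install and slapd restart above are a prerequisite: the lookup-file edit that follows adds `(!(domainStatus=disabled))` to every Postfix filter, and if slapd does not yet know that attribute the filter component is undefined and the lookups return no match, which rejects all mail rather than only mail for disabled domains. Also, the first added line renders as `+++This fix is applicable to OpenBSD ldapd backend also.`; the blockquote marker appears to have been mangled, so check the generated HTML.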