diff --git a/en_US/iredadmin/2-iredadmin-pro.domain.ownership.verification.md b/en_US/iredadmin/2-iredadmin-pro.domain.ownership.verification.md index 52455e16..82987a16 100644 --- a/en_US/iredadmin/2-iredadmin-pro.domain.ownership.verification.md +++ b/en_US/iredadmin/2-iredadmin-pro.domain.ownership.verification.md @@ -5,15 +5,16 @@ ## Summary Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant -permission to normal domain admin to create new mail domains. All new domains -added by normal domain admin requires domain ownership verification, to ensure: +normal domain admin permission to create new mail domains. All new domains +added by normal domain admin require domain ownership verification by deafult, +to ensure: -* the newly added mail domain is an valid domain +* the newly added mail domain name is an valid domain name on internet * the domain admin have the required privileges in the domain to manage the - email services. + email services Mail services are disabled for pending domains, and will be activated -automatically after verified. +automatically after admin verified the ownership. ## How to enable or disable domain ownership verification @@ -24,7 +25,8 @@ iRedAdmin-Pro config file `settings.py`, set proper value, then restart Apache or uwsgi (if you're running Nginx) service to reload the changes. ``` -# Require domain ownership verification if it was added by normal domain admin. +# Require domain ownership verification if it's added by normal domain admin: +# True, False. REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True # How long should we remove verified or (inactive) unverified domain ownerships. 
@@ -32,14 +34,14 @@ REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True # iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin # removed the domain and re-adds it, no verification required. # -# Usually normal domain admin won't frequently remove and re-add same domain -# name, so it's ok to remove saved ownership after X days. +# Admin won't frequently remove and re-add same domain name, so it's ok to +# remove saved ownership after X days. DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30 # The string prefixed to verify code. Must be shorter than than 60 characters. DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-' -# Timeout while performing each verification. +# Timeout (in seconds) while performing each verification. DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10 ``` @@ -48,9 +50,11 @@ DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10 There're several ways to verify domain ownership: * Create a text file under top directory of the web site of new domain, both - file name and file content must be same as verify code. For example, for - pending domain `example.com` with verify code - `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, we will verify 2 URLs: + file name and file content must be same as verify code. + + For example, for pending domain `example.com` with verify code + `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, iRedAdmin-Pro will + verify 2 URLs: * http: `http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV` * https: `https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV` 
@@ -59,28 +63,26 @@ There're several ways to verify domain ownership: code as page content. * Create a TXT type DNS record of the domain name, use the verify code as its - value. For example, for pending domain `example.com` with verify code - `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, DNS query by command - `nslookup -type=txt example.com` should return a record which is same as - verify code. + value. + + For example, for pending domain `example.com` with verify code + `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, DNS query by command + `nslookup -type=txt example.com` should return a record which is same as + verify code. + +Sample DNS query with `nslookup`: - Sample DNS query with `nslookup`: ``` $ nslookup -type=txt example.com - -Non-authoritative answer: +... example.com text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV" -example.com text = "v=spf1 ..." -example.com text = "..." +... ``` - Sample DNS query with `dig`: +Sample DNS query with `dig`: ``` $ dig -t txt example.com - ... -;; ANSWER SECTION: iredmail.org. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV" -iredmail.org. 4173 IN TXT "v=spf1 ..." -iredmail.org. 4173 IN TXT "..." +... ``` diff --git a/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md b/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md index 4d27a1af..ec94a176 100644 --- a/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md +++ b/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md 
@@ -438,36 +438,53 @@ $banned_namepath_re = new_RE( ## OpenLDAP backend special -### Fixed: mail accounts (user, alias, list) are still active when domain is disabled +### Use the latest iRedMail LDAP schema file -> This fix is applicable to OpenBSD ldapd backend also. +iRedMail-0.9.6 introduces 2 new LDAP attributes: -In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain, -all mail accounts (mail users, aliases, lists) are still active and Postfix -will accept emails sent to them. Steps below fix the issue. +* `domainPendingAliasName`: used by mail domain account, to store new alias + domain names which is pending for domain ownership verification. Required by + iRedAdmin-Pro. +* `domainStatus`: used by mail user/alias/list accounts, to indicate domain + status. -#### Update OpenLDAP config file to index new attribute name: `domainStatus` +#### Update OpenLDAP config file to index new attributes -* Please open OpenLDAP config file `slapd.conf`, find line below: +* Please open OpenLDAP config file `slapd.conf`: * On RHEL/CentOS, it's `/etc/openldap/slapd.conf` * On Debian/Ubuntu, it's `/etc/ldap/slapd.conf` * On FreeBSD, it's `/usr/local/etc/openldap/slapd.conf` - * On OpenBSD, it's `/etc/openldap/slapd.conf`. If you're running ldapd as - LDAP server, please add a new line `index domainStats` in the `namespace - xxx {}` block. + * On OpenBSD: + * if you're running OpenLDAP, it's `/etc/openldap/slapd.conf`. + * if you're running ldapd(8) LDAP server, please add a new line + `index domainStats` in the `namespace xxx {}` block. + +* for new attribute `domainPendingAliasName`, please find line below: + +``` +access to attrs="objectclass,domainName,mtaTransport,..." +``` + +Add new attribute name `domainPendingAliasName` in this line (__WARNING__: +don't leave any whitespace between attribute names and comma): + +``` +access to attrs="domainPendingAliasName,objectclass,domainName,mtaTransport,..." 
+``` + +* for new attribute `domainStatus`, please find line below: ``` access to attrs="employeeNumber,mail,..." ``` -* Add new attribute name `domainStatus` in this line (__WARNING__: don't leave - any whitespace between attribute names and comma): +Add new attribute name `domainStatus` in this line (__WARNING__: don't leave +any whitespace between attribute names and comma): ``` access to attrs="domainStatus,employeeNumber,mail,..." ``` - -#### Use the latest iRedMail LDAP schema file +#### Download the latest iRedMail LDAP schema file * On RHEL/CentOS: @@ -523,12 +540,20 @@ cp -f /tmp/iredmail.schema /etc/openldap/schema/ rcctl restart slapd ``` +### Fixed: mail accounts (user, alias, list) are still active when domain is disabled + +> This fix is applicable to OpenBSD ldapd backend also. + +In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain, +all mail accounts (mail users, aliases, lists) are still active and Postfix +will accept emails sent to them. Steps below fix the issue. + #### Update Postfix/Dovecot LDAP lookup files * On Linux and OpenBSD, run commands: ``` -cp -rf /etc/postfix/ldap /etc/postfix/ldap.$(date +%Y%m%d) +cp -rf /etc/postfix/ldap /etc/postfix/ldap.bak cd /etc/postfix/ldap/ perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf 
@@ -539,7 +564,7 @@ perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=di * On FreeBSD, run commands: ``` -cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.$(date +%Y%m%d) +cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.bak cd /usr/local/etc/postfix/ldap/ perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf diff --git a/html/iredadmin-pro.domain.ownership.verification.html b/html/iredadmin-pro.domain.ownership.verification.html index 6e8766ac..7443f3f7 100644 --- a/html/iredadmin-pro.domain.ownership.verification.html +++ b/html/iredadmin-pro.domain.ownership.verification.html @@ -28,22 +28,24 @@

Summary

Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant -permission to normal domain admin to create new mail domains. All new domains -added by normal domain admin requires domain ownership verification, to ensure:

+normal domain admin permission to create new mail domains. All new domains +added by normal domain admin require domain ownership verification by deafult, +to ensure:

Mail services are disabled for pending domains, and will be activated -automatically after verified.

+automatically after admin verified the ownership.

How to enable or disable domain ownership verification

There're few parameters used to control domain ownership verifivation, you can find default settings in file libs/default_settings.py under iRedAdmin-Pro directory. If you want to change any of them, please copy the parameter to iRedAdmin-Pro config file settings.py, set proper value, then restart Apache or uwsgi (if you're running Nginx) service to reload the changes.

-
# Require domain ownership verification if it was added by normal domain admin.
+
# Require domain ownership verification if it's added by normal domain admin:
+# True, False.
 REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
 
 # How long should we remove verified or (inactive) unverified domain ownerships.
@@ -51,14 +53,14 @@ REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
 # iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
 # removed the domain and re-adds it, no verification required.
 #
-# Usually normal domain admin won't frequently remove and re-add same domain
-# name, so it's ok to remove saved ownership after X days.
+# Admin won't frequently remove and re-add same domain name, so it's ok to
+# remove saved ownership after X days.
 DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30
 
 # The string prefixed to verify code. Must be shorter than than 60 characters.
 DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'
 
-# Timeout while performing each verification.
+# Timeout (in seconds) while performing each verification.
 DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
 
@@ -67,9 +69,10 @@ DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
  • OpenLDAP backend special

    OpenLDAP backend special

    -

    Fixed: mail accounts (user, alias, list) are still active when domain is disabled

    -
    -

    This fix is applicable to OpenBSD ldapd backend also.

    -
    -

    In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain, -all mail accounts (mail users, aliases, lists) are still active and Postfix -will accept emails sent to them. Steps below fix the issue.

    -

    Update OpenLDAP config file to index new attribute name: domainStatus

    +

    Use the latest iRedMail LDAP schema file

    +

    iRedMail-0.9.6 introduces 2 new LDAP attributes:

    +
      +
    • domainPendingAliasName: used by mail domain account, to store new alias + domain names which is pending for domain ownership verification. Required by + iRedAdmin-Pro.
    • +
    • domainStatus: used by mail user/alias/list accounts, to indicate domain + status.
    • +
    +

    Update OpenLDAP config file to index new attributes

    +
  • +

    Fixed: mail accounts (user, alias, list) are still active when domain is disabled

    +
    +

    This fix is applicable to OpenBSD ldapd backend also.

    +
    +

    In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain, +all mail accounts (mail users, aliases, lists) are still active and Postfix +will accept emails sent to them. Steps below fix the issue.

    Update Postfix/Dovecot LDAP lookup files
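Review bot: in `en_US/iredadmin/2-iredadmin-pro.domain.ownership.verification.md`, hunk `@@ -5,15 +5,16 @@`, the rewritten summary introduces the typo `deafult` and keeps two grammar errors in the bullets: `an valid domain name on internet` and `the domain admin have the required privileges`. Suggest `by default`, `a valid domain name on the internet` and `the domain admin has the required privileges`.

Review bot: in hunk `@@ -32,14 +34,14 @@` of the same file, the unchanged context line `# The string prefixed to verify code. Must be shorter than than 60 characters.` has a doubled `than`; since this hunk already touches the neighbouring comments, fix it here. The new comment `# Admin won't frequently remove and re-add same domain name` also drops the word `normal`, so it now reads as a statement about all admins rather than the normal domain admins the setting is about; suggest `# A normal domain admin won't frequently remove and re-add the same domain name`.

Review bot: hunk `@@ -48,9 +50,11 @@` says `iRedAdmin-Pro will verify 2 URLs` and lists the `http:` and `https:` forms, but does not say whether ownership is accepted when either URL serves the code or only when both do. Add one sentence stating the rule, since an admin who only runs an HTTP or only an HTTPS site needs to know which case passes.

Review bot: in hunk `@@ -59,28 +63,26 @@`, the trimmed `dig` sample still shows `iredmail.org. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"` for a query of `example.com`, so the name in the answer does not match the name being verified; suggest `example.com. 4173 IN TXT ...`. The two `Sample DNS query with ...:` lines were also de-indented out of the TXT-record bullet, so they now read as applying to every verification method rather than to the DNS one; either keep them indented under that bullet or add a lead sentence tying them to the TXT record method.

Review bot: in `en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md`, hunk `@@ -438,36 +438,53 @@`, the OpenBSD ldapd bullet still says `index domainStats`, which does not match the attribute `domainStatus` defined a few lines above, and the new heading `Update OpenLDAP config file to index new attributes` is followed only by edits to `access to attrs=...` lines, which are ACL entries controlling who may read the attributes, not index directives. Either add the OpenLDAP `index` lines for `domainStatus` and `domainPendingAliasName` alongside the ACL changes, or retitle the section to say it grants access to the new attributes. Minor: `new alias domain names which is pending` should be `which are pending`.

Review bot: in hunk `@@ -523,12 +540,20 @@`, replacing `ldap.$(date +%Y%m%d)` with `ldap.bak` makes the backup step fragile: if `/etc/postfix/ldap.bak` already exists from an earlier attempt, `cp -rf /etc/postfix/ldap /etc/postfix/ldap.bak` copies the directory into `ldap.bak/ldap` instead of replacing it, and the previous backup is no longer a distinct copy. The following `perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g'` is also not idempotent; a second run appends another `(!(domainStatus=disabled))` to every filter. Suggest keeping the date-stamped backup name and noting that the perl step must be run only once (or guarding it with a check that `domainStatus` is not already present in the files).

Review bot: hunk `@@ -539,7 +564,7 @@` makes the same `ldap.$(date +%Y%m%d)` to `ldap.bak` change for the FreeBSD path `/usr/local/etc/postfix/ldap`; the same objection applies, and the same non-idempotent perl substitution follows it. Keep both backends consistent with whatever naming the Linux/OpenBSD block settles on.

Review bot: the rendered HTML hunk for the upgrade guide (the `OpenLDAP backend special` block ending at `Update Postfix/Dovecot LDAP lookup files`) mirrors the markdown reorder and repeats `new alias + domain names which is pending` in the `domainPendingAliasName` bullet. As with the other HTML file, regenerate it from the corrected markdown so the two copies do not drift.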