Sync iRedMail upgrade tutorial.
This commit is contained in:
parent
cf70f099e1
commit
a4de3175ed
|
@ -5,15 +5,16 @@
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant
|
Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant
|
||||||
permission to normal domain admin to create new mail domains. All new domains
|
normal domain admin permission to create new mail domains. All new domains
|
||||||
added by normal domain admin requires domain ownership verification, to ensure:
|
added by normal domain admin require domain ownership verification by deafult,
|
||||||
|
to ensure:
|
||||||
|
|
||||||
* the newly added mail domain is an valid domain
|
* the newly added mail domain name is an valid domain name on internet
|
||||||
* the domain admin have the required privileges in the domain to manage the
|
* the domain admin have the required privileges in the domain to manage the
|
||||||
email services.
|
email services
|
||||||
|
|
||||||
Mail services are disabled for pending domains, and will be activated
|
Mail services are disabled for pending domains, and will be activated
|
||||||
automatically after verified.
|
automatically after admin verified the ownership.
|
||||||
|
|
||||||
## How to enable or disable domain ownership verification
|
## How to enable or disable domain ownership verification
|
||||||
|
|
||||||
|
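Review bot: The added line "added by normal domain admin require domain ownership verification by deafult," misspells "default", and the rewritten bullet still reads "an valid domain name" where it should be "a valid domain name". The second bullet, "the domain admin have the required privileges", also needs "has". Since these lines are being reworded anyway, fix all three in the same change.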
@ -24,7 +25,8 @@ iRedAdmin-Pro config file `settings.py`, set proper value, then restart
|
||||||
Apache or uwsgi (if you're running Nginx) service to reload the changes.
|
Apache or uwsgi (if you're running Nginx) service to reload the changes.
|
||||||
|
|
||||||
```
|
```
|
||||||
# Require domain ownership verification if it was added by normal domain admin.
|
# Require domain ownership verification if it's added by normal domain admin:
|
||||||
|
# True, False.
|
||||||
REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
|
REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
|
||||||
|
|
||||||
# How long should we remove verified or (inactive) unverified domain ownerships.
|
# How long should we remove verified or (inactive) unverified domain ownerships.
|
||||||
|
@ -32,14 +34,14 @@ REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
|
||||||
# iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
|
# iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
|
||||||
# removed the domain and re-adds it, no verification required.
|
# removed the domain and re-adds it, no verification required.
|
||||||
#
|
#
|
||||||
# Usually normal domain admin won't frequently remove and re-add same domain
|
# Admin won't frequently remove and re-add same domain name, so it's ok to
|
||||||
# name, so it's ok to remove saved ownership after X days.
|
# remove saved ownership after X days.
|
||||||
DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30
|
DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30
|
||||||
|
|
||||||
# The string prefixed to verify code. Must be shorter than than 60 characters.
|
# The string prefixed to verify code. Must be shorter than than 60 characters.
|
||||||
DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'
|
DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'
|
||||||
|
|
||||||
# Timeout while performing each verification.
|
# Timeout (in seconds) while performing each verification.
|
||||||
DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
|
DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
|
||||||
```
|
```
|
||||||
|
|
||||||
|
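Review bot: The comment block above `DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30` now says only "Admin won't frequently remove and re-add same domain name", which loses the earlier "normal domain admin" scope and still does not spell out the consequence of the setting. According to the unchanged lines, the same admin can re-add a removed domain with "no verification required" while the saved ownership exists. Suggest saying so explicitly next to the value, so operators who want a fresh check on every re-add know to lower it. The unchanged prefix comment also has a doubled word in "shorter than than 60 characters".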
@ -48,9 +50,11 @@ DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
|
||||||
There're several ways to verify domain ownership:
|
There're several ways to verify domain ownership:
|
||||||
|
|
||||||
* Create a text file under top directory of the web site of new domain, both
|
* Create a text file under top directory of the web site of new domain, both
|
||||||
file name and file content must be same as verify code. For example, for
|
file name and file content must be same as verify code.
|
||||||
pending domain `example.com` with verify code
|
|
||||||
`iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, we will verify 2 URLs:
|
For example, for pending domain `example.com` with verify code
|
||||||
|
`iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, iRedAdmin-Pro will
|
||||||
|
verify 2 URLs:
|
||||||
|
|
||||||
* http: `http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`
|
* http: `http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`
|
||||||
* https: `https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`
|
* https: `https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`
|
||||||
|
@ -59,28 +63,26 @@ There're several ways to verify domain ownership:
|
||||||
code as page content.
|
code as page content.
|
||||||
|
|
||||||
* Create a TXT type DNS record of the domain name, use the verify code as its
|
* Create a TXT type DNS record of the domain name, use the verify code as its
|
||||||
value. For example, for pending domain `example.com` with verify code
|
value.
|
||||||
`iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, DNS query by command
|
|
||||||
`nslookup -type=txt example.com` should return a record which is same as
|
For example, for pending domain `example.com` with verify code
|
||||||
verify code.
|
`iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, DNS query by command
|
||||||
|
`nslookup -type=txt example.com` should return a record which is same as
|
||||||
|
verify code.
|
||||||
|
|
||||||
|
Sample DNS query with `nslookup`:
|
||||||
|
|
||||||
Sample DNS query with `nslookup`:
|
|
||||||
```
|
```
|
||||||
$ nslookup -type=txt example.com
|
$ nslookup -type=txt example.com
|
||||||
|
...
|
||||||
Non-authoritative answer:
|
|
||||||
example.com text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
|
example.com text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
|
||||||
example.com text = "v=spf1 ..."
|
...
|
||||||
example.com text = "..."
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Sample DNS query with `dig`:
|
Sample DNS query with `dig`:
|
||||||
```
|
```
|
||||||
$ dig -t txt example.com
|
$ dig -t txt example.com
|
||||||
|
|
||||||
...
|
...
|
||||||
;; ANSWER SECTION:
|
|
||||||
iredmail.org. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
|
iredmail.org. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
|
||||||
iredmail.org. 4173 IN TXT "v=spf1 ..."
|
...
|
||||||
iredmail.org. 4173 IN TXT "..."
|
|
||||||
```
|
```
|
||||||
|
|
|
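Review bot: The `dig` sample runs `dig -t txt example.com`, but the answer rows shown are for `iredmail.org.`, so the query and its output do not match; use one domain name throughout, as the `nslookup` sample does. Separately, replacing the `"v=spf1 ..."` row with a bare `...` hides the useful hint that the verify code sits alongside other TXT records. Consider keeping one such row, or adding a sentence saying existing TXT records can stay in place.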
@ -438,36 +438,53 @@ $banned_namepath_re = new_RE(
|
||||||
|
|
||||||
## OpenLDAP backend special
|
## OpenLDAP backend special
|
||||||
|
|
||||||
### Fixed: mail accounts (user, alias, list) are still active when domain is disabled
|
### Use the latest iRedMail LDAP schema file
|
||||||
|
|
||||||
> This fix is applicable to OpenBSD ldapd backend also.
|
iRedMail-0.9.6 introduces 2 new LDAP attributes:
|
||||||
|
|
||||||
In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
|
* `domainPendingAliasName`: used by mail domain account, to store new alias
|
||||||
all mail accounts (mail users, aliases, lists) are still active and Postfix
|
domain names which is pending for domain ownership verification. Required by
|
||||||
will accept emails sent to them. Steps below fix the issue.
|
iRedAdmin-Pro.
|
||||||
|
* `domainStatus`: used by mail user/alias/list accounts, to indicate domain
|
||||||
|
status.
|
||||||
|
|
||||||
#### Update OpenLDAP config file to index new attribute name: `domainStatus`
|
#### Update OpenLDAP config file to index new attributes
|
||||||
|
|
||||||
* Please open OpenLDAP config file `slapd.conf`, find line below:
|
* Please open OpenLDAP config file `slapd.conf`:
|
||||||
* On RHEL/CentOS, it's `/etc/openldap/slapd.conf`
|
* On RHEL/CentOS, it's `/etc/openldap/slapd.conf`
|
||||||
* On Debian/Ubuntu, it's `/etc/ldap/slapd.conf`
|
* On Debian/Ubuntu, it's `/etc/ldap/slapd.conf`
|
||||||
* On FreeBSD, it's `/usr/local/etc/openldap/slapd.conf`
|
* On FreeBSD, it's `/usr/local/etc/openldap/slapd.conf`
|
||||||
* On OpenBSD, it's `/etc/openldap/slapd.conf`. If you're running ldapd as
|
* On OpenBSD:
|
||||||
LDAP server, please add a new line `index domainStats` in the `namespace
|
* if you're running OpenLDAP, it's `/etc/openldap/slapd.conf`.
|
||||||
xxx {}` block.
|
* if you're running ldapd(8) LDAP server, please add a new line
|
||||||
|
`index domainStats` in the `namespace xxx {}` block.
|
||||||
|
|
||||||
|
* for new attribute `domainPendingAliasName`, please find line below:
|
||||||
|
|
||||||
|
```
|
||||||
|
access to attrs="objectclass,domainName,mtaTransport,..."
|
||||||
|
```
|
||||||
|
|
||||||
|
Add new attribute name `domainPendingAliasName` in this line (__WARNING__:
|
||||||
|
don't leave any whitespace between attribute names and comma):
|
||||||
|
|
||||||
|
```
|
||||||
|
access to attrs="domainPendingAliasName,objectclass,domainName,mtaTransport,..."
|
||||||
|
```
|
||||||
|
|
||||||
|
* for new attribute `domainStatus`, please find line below:
|
||||||
|
|
||||||
```
|
```
|
||||||
access to attrs="employeeNumber,mail,..."
|
access to attrs="employeeNumber,mail,..."
|
||||||
```
|
```
|
||||||
|
|
||||||
* Add new attribute name `domainStatus` in this line (__WARNING__: don't leave
|
Add new attribute name `domainStatus` in this line (__WARNING__: don't leave
|
||||||
any whitespace between attribute names and comma):
|
any whitespace between attribute names and comma):
|
||||||
|
|
||||||
```
|
```
|
||||||
access to attrs="domainStatus,employeeNumber,mail,..."
|
access to attrs="domainStatus,employeeNumber,mail,..."
|
||||||
```
|
```
|
||||||
|
#### Download the latest iRedMail LDAP schema file
|
||||||
#### Use the latest iRedMail LDAP schema file
|
|
||||||
|
|
||||||
* On RHEL/CentOS:
|
* On RHEL/CentOS:
|
||||||
|
|
||||||
|
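Review bot: In the ldapd(8) bullet, the instruction `index domainStats` does not match the attribute name `domainStatus` introduced at the top of this section, so anyone copying the line will index a name that is not the new attribute. Change it to `index domainStatus`. The same bullet gives no ldapd instruction for `domainPendingAliasName`; if ldapd needs nothing for it, a short statement to that effect would avoid guesswork.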
@ -523,12 +540,20 @@ cp -f /tmp/iredmail.schema /etc/openldap/schema/
|
||||||
rcctl restart slapd
|
rcctl restart slapd
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Fixed: mail accounts (user, alias, list) are still active when domain is disabled
|
||||||
|
|
||||||
|
> This fix is applicable to OpenBSD ldapd backend also.
|
||||||
|
|
||||||
|
In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
|
||||||
|
all mail accounts (mail users, aliases, lists) are still active and Postfix
|
||||||
|
will accept emails sent to them. Steps below fix the issue.
|
||||||
|
|
||||||
#### Update Postfix/Dovecot LDAP lookup files
|
#### Update Postfix/Dovecot LDAP lookup files
|
||||||
|
|
||||||
* On Linux and OpenBSD, run commands:
|
* On Linux and OpenBSD, run commands:
|
||||||
|
|
||||||
```
|
```
|
||||||
cp -rf /etc/postfix/ldap /etc/postfix/ldap.$(date +%Y%m%d)
|
cp -rf /etc/postfix/ldap /etc/postfix/ldap.bak
|
||||||
cd /etc/postfix/ldap/
|
cd /etc/postfix/ldap/
|
||||||
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf
|
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf
|
||||||
|
|
||||||
|
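Review bot: Replacing `ldap.$(date +%Y%m%d)` with the fixed name in `cp -rf /etc/postfix/ldap /etc/postfix/ldap.bak` makes the backup step unsafe to repeat. If `ldap.bak` already exists as a directory, `cp -r` copies the source into `ldap.bak/ldap` instead of refreshing the backup, leaving stale files at the top level. Either keep the dated suffix or tell the reader to check that `ldap.bak` does not exist before running the command.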
@ -539,7 +564,7 @@ perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=di
|
||||||
* On FreeBSD, run commands:
|
* On FreeBSD, run commands:
|
||||||
|
|
||||||
```
|
```
|
||||||
cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.$(date +%Y%m%d)
|
cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.bak
|
||||||
cd /usr/local/etc/postfix/ldap/
|
cd /usr/local/etc/postfix/ldap/
|
||||||
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf
|
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf
|
||||||
|
|
||||||
|
|
|
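Review bot: With the FreeBSD backup now written to the fixed path `/usr/local/etc/postfix/ldap.bak`, a second run of this step leaves no clean record of which copy predates the edit, and the `perl -pi -e` substitution in the context line is not idempotent. Its pattern `\(accountStatus=active\)` still matches the already-patched filter, so a rerun appends `(!(domainStatus=disabled))` a second time. Suggest keeping a dated backup name and adding a note to run the substitution only once, or guarding it with a check for `domainStatus` in the files.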
@ -28,22 +28,24 @@
|
||||||
</div>
|
</div>
|
||||||
<h2 id="summary">Summary</h2>
|
<h2 id="summary">Summary</h2>
|
||||||
<p>Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant
|
<p>Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant
|
||||||
permission to normal domain admin to create new mail domains. All new domains
|
normal domain admin permission to create new mail domains. All new domains
|
||||||
added by normal domain admin requires domain ownership verification, to ensure:</p>
|
added by normal domain admin require domain ownership verification by deafult,
|
||||||
|
to ensure:</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li>the newly added mail domain is an valid domain</li>
|
<li>the newly added mail domain name is an valid domain name on internet</li>
|
||||||
<li>the domain admin have the required privileges in the domain to manage the
|
<li>the domain admin have the required privileges in the domain to manage the
|
||||||
email services.</li>
|
email services</li>
|
||||||
</ul>
|
</ul>
|
||||||
<p>Mail services are disabled for pending domains, and will be activated
|
<p>Mail services are disabled for pending domains, and will be activated
|
||||||
automatically after verified.</p>
|
automatically after admin verified the ownership.</p>
|
||||||
<h2 id="how-to-enable-or-disable-domain-ownership-verification">How to enable or disable domain ownership verification</h2>
|
<h2 id="how-to-enable-or-disable-domain-ownership-verification">How to enable or disable domain ownership verification</h2>
|
||||||
<p>There're few parameters used to control domain ownership verifivation, you can
|
<p>There're few parameters used to control domain ownership verifivation, you can
|
||||||
find default settings in file <code>libs/default_settings.py</code> under iRedAdmin-Pro
|
find default settings in file <code>libs/default_settings.py</code> under iRedAdmin-Pro
|
||||||
directory. If you want to change any of them, please copy the parameter to
|
directory. If you want to change any of them, please copy the parameter to
|
||||||
iRedAdmin-Pro config file <code>settings.py</code>, set proper value, then restart
|
iRedAdmin-Pro config file <code>settings.py</code>, set proper value, then restart
|
||||||
Apache or uwsgi (if you're running Nginx) service to reload the changes.</p>
|
Apache or uwsgi (if you're running Nginx) service to reload the changes.</p>
|
||||||
<pre><code># Require domain ownership verification if it was added by normal domain admin.
|
<pre><code># Require domain ownership verification if it's added by normal domain admin:
|
||||||
|
# True, False.
|
||||||
REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
|
REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
|
||||||
|
|
||||||
# How long should we remove verified or (inactive) unverified domain ownerships.
|
# How long should we remove verified or (inactive) unverified domain ownerships.
|
||||||
|
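Review bot: The added HTML line "added by normal domain admin require domain ownership verification by deafult," carries the same "deafult" typo as the Markdown hunk, and the unchanged paragraph below it has "domain ownership verifivation". Both copies of the text need the fix so the Markdown and HTML stay in sync.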
@ -51,14 +53,14 @@ REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
|
||||||
# iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
|
# iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
|
||||||
# removed the domain and re-adds it, no verification required.
|
# removed the domain and re-adds it, no verification required.
|
||||||
#
|
#
|
||||||
# Usually normal domain admin won't frequently remove and re-add same domain
|
# Admin won't frequently remove and re-add same domain name, so it's ok to
|
||||||
# name, so it's ok to remove saved ownership after X days.
|
# remove saved ownership after X days.
|
||||||
DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30
|
DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30
|
||||||
|
|
||||||
# The string prefixed to verify code. Must be shorter than than 60 characters.
|
# The string prefixed to verify code. Must be shorter than than 60 characters.
|
||||||
DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'
|
DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'
|
||||||
|
|
||||||
# Timeout while performing each verification.
|
# Timeout (in seconds) while performing each verification.
|
||||||
DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
|
DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
|
||||||
</code></pre>
|
</code></pre>
|
||||||
|
|
||||||
|
@ -67,9 +69,10 @@ DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
|
||||||
<ul>
|
<ul>
|
||||||
<li>
|
<li>
|
||||||
<p>Create a text file under top directory of the web site of new domain, both
|
<p>Create a text file under top directory of the web site of new domain, both
|
||||||
file name and file content must be same as verify code. For example, for
|
file name and file content must be same as verify code.</p>
|
||||||
pending domain <code>example.com</code> with verify code
|
<p>For example, for pending domain <code>example.com</code> with verify code
|
||||||
<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, we will verify 2 URLs:</p>
|
<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, iRedAdmin-Pro will
|
||||||
|
verify 2 URLs:</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li>http: <code>http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code></li>
|
<li>http: <code>http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code></li>
|
||||||
<li>https: <code>https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code></li>
|
<li>https: <code>https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code></li>
|
||||||
|
@ -79,30 +82,25 @@ code as page content.</p>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p>Create a TXT type DNS record of the domain name, use the verify code as its
|
<p>Create a TXT type DNS record of the domain name, use the verify code as its
|
||||||
value. For example, for pending domain <code>example.com</code> with verify code
|
value.</p>
|
||||||
<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, DNS query by command
|
<p>For example, for pending domain <code>example.com</code> with verify code
|
||||||
<code>nslookup -type=txt example.com</code> should return a record which is same as
|
<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, DNS query by command
|
||||||
verify code.</p>
|
<code>nslookup -type=txt example.com</code> should return a record which is same as
|
||||||
<p>Sample DNS query with <code>nslookup</code>:</p>
|
verify code.</p>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
<p>Sample DNS query with <code>nslookup</code>:</p>
|
||||||
<pre><code>$ nslookup -type=txt example.com
|
<pre><code>$ nslookup -type=txt example.com
|
||||||
|
|
||||||
Non-authoritative answer:
|
|
||||||
example.com text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
|
|
||||||
example.com text = "v=spf1 ..."
|
|
||||||
example.com text = "..."
|
|
||||||
</code></pre>
|
|
||||||
|
|
||||||
<pre><code>Sample DNS query with `dig`:
|
|
||||||
</code></pre>
|
|
||||||
<pre><code>$ dig -t txt example.com
|
|
||||||
|
|
||||||
...
|
...
|
||||||
;; ANSWER SECTION:
|
example.com text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
|
||||||
|
...
|
||||||
|
</code></pre>
|
||||||
|
|
||||||
|
<p>Sample DNS query with <code>dig</code>:</p>
|
||||||
|
<pre><code>$ dig -t txt example.com
|
||||||
|
...
|
||||||
iredmail.org. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
|
iredmail.org. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
|
||||||
iredmail.org. 4173 IN TXT "v=spf1 ..."
|
...
|
||||||
iredmail.org. 4173 IN TXT "..."
|
|
||||||
</code></pre><div class="footer">
|
</code></pre><div class="footer">
|
||||||
<p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
|
<p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
|
||||||
</div>
|
</div>
|
||||||
|
|
|
@ -44,9 +44,12 @@
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
|
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
|
||||||
|
<li><a href="#use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</a><ul>
|
||||||
|
<li><a href="#update-openldap-config-file-to-index-new-attributes">Update OpenLDAP config file to index new attributes</a></li>
|
||||||
|
<li><a href="#download-the-latest-iredmail-ldap-schema-file">Download the latest iRedMail LDAP schema file</a></li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
<li><a href="#fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</a><ul>
|
<li><a href="#fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</a><ul>
|
||||||
<li><a href="#update-openldap-config-file-to-index-new-attribute-name-domainstatus">Update OpenLDAP config file to index new attribute name: domainStatus</a></li>
|
|
||||||
<li><a href="#use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</a></li>
|
|
||||||
<li><a href="#update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</a></li>
|
<li><a href="#update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</a></li>
|
||||||
<li><a href="#add-required-ldap-attributevalue-for-existing-mail-accounts-under-disabled-domains">Add required LDAP attribute/value for existing mail accounts under disabled domains</a></li>
|
<li><a href="#add-required-ldap-attributevalue-for-existing-mail-accounts-under-disabled-domains">Add required LDAP attribute/value for existing mail accounts under disabled domains</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
|
@ -470,36 +473,55 @@ your Amavisd config file.</p>
|
||||||
<li>Restart Amavisd service is required.</li>
|
<li>Restart Amavisd service is required.</li>
|
||||||
</ul>
|
</ul>
|
||||||
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
|
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
|
||||||
<h3 id="fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</h3>
|
<h3 id="use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</h3>
|
||||||
<blockquote>
|
<p>iRedMail-0.9.6 introduces 2 new LDAP attributes:</p>
|
||||||
<p>This fix is applicable to OpenBSD ldapd backend also.</p>
|
<ul>
|
||||||
</blockquote>
|
<li><code>domainPendingAliasName</code>: used by mail domain account, to store new alias
|
||||||
<p>In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
|
domain names which is pending for domain ownership verification. Required by
|
||||||
all mail accounts (mail users, aliases, lists) are still active and Postfix
|
iRedAdmin-Pro.</li>
|
||||||
will accept emails sent to them. Steps below fix the issue.</p>
|
<li><code>domainStatus</code>: used by mail user/alias/list accounts, to indicate domain
|
||||||
<h4 id="update-openldap-config-file-to-index-new-attribute-name-domainstatus">Update OpenLDAP config file to index new attribute name: <code>domainStatus</code></h4>
|
status.</li>
|
||||||
|
</ul>
|
||||||
|
<h4 id="update-openldap-config-file-to-index-new-attributes">Update OpenLDAP config file to index new attributes</h4>
|
||||||
|
<ul>
|
||||||
|
<li>
|
||||||
|
<p>Please open OpenLDAP config file <code>slapd.conf</code>:</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Please open OpenLDAP config file <code>slapd.conf</code>, find line below:<ul>
|
|
||||||
<li>On RHEL/CentOS, it's <code>/etc/openldap/slapd.conf</code></li>
|
<li>On RHEL/CentOS, it's <code>/etc/openldap/slapd.conf</code></li>
|
||||||
<li>On Debian/Ubuntu, it's <code>/etc/ldap/slapd.conf</code></li>
|
<li>On Debian/Ubuntu, it's <code>/etc/ldap/slapd.conf</code></li>
|
||||||
<li>On FreeBSD, it's <code>/usr/local/etc/openldap/slapd.conf</code></li>
|
<li>On FreeBSD, it's <code>/usr/local/etc/openldap/slapd.conf</code></li>
|
||||||
<li>On OpenBSD, it's <code>/etc/openldap/slapd.conf</code>. If you're running ldapd as
|
<li>On OpenBSD:<ul>
|
||||||
LDAP server, please add a new line <code>index domainStats</code> in the <code>namespace
|
<li>if you're running OpenLDAP, it's <code>/etc/openldap/slapd.conf</code>.</li>
|
||||||
xxx {}</code> block.</li>
|
<li>if you're running ldapd(8) LDAP server, please add a new line
|
||||||
|
<code>index domainStats</code> in the <code>namespace xxx {}</code> block.</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
<p>for new attribute <code>domainPendingAliasName</code>, please find line below:</p>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
<pre><code>access to attrs="objectclass,domainName,mtaTransport,..."
|
||||||
|
</code></pre>
|
||||||
|
|
||||||
|
<p>Add new attribute name <code>domainPendingAliasName</code> in this line (<strong>WARNING</strong>:
|
||||||
|
don't leave any whitespace between attribute names and comma):</p>
|
||||||
|
<pre><code>access to attrs="domainPendingAliasName,objectclass,domainName,mtaTransport,..."
|
||||||
|
</code></pre>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>for new attribute <code>domainStatus</code>, please find line below:</li>
|
||||||
|
</ul>
|
||||||
<pre><code>access to attrs="employeeNumber,mail,..."
|
<pre><code>access to attrs="employeeNumber,mail,..."
|
||||||
</code></pre>
|
</code></pre>
|
||||||
|
|
||||||
<ul>
|
<p>Add new attribute name <code>domainStatus</code> in this line (<strong>WARNING</strong>: don't leave
|
||||||
<li>Add new attribute name <code>domainStatus</code> in this line (<strong>WARNING</strong>: don't leave
|
any whitespace between attribute names and comma):</p>
|
||||||
any whitespace between attribute names and comma):</li>
|
|
||||||
</ul>
|
|
||||||
<pre><code>access to attrs="domainStatus,employeeNumber,mail,..."
|
<pre><code>access to attrs="domainStatus,employeeNumber,mail,..."
|
||||||
</code></pre>
|
</code></pre>
|
||||||
|
|
||||||
<h4 id="use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</h4>
|
<h4 id="download-the-latest-iredmail-ldap-schema-file">Download the latest iRedMail LDAP schema file</h4>
|
||||||
<ul>
|
<ul>
|
||||||
<li>On RHEL/CentOS:</li>
|
<li>On RHEL/CentOS:</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
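Review bot: The new heading "Update OpenLDAP config file to index new attributes" does not match the steps under it, which only edit `access to attrs="..."` lines in `slapd.conf` and show no index directive for OpenLDAP; the only `index` line is the ldapd(8) one, and it is spelled `index domainStats` rather than `domainStatus`. Either rename the heading to describe the access-rule change or add the index step it promises. Also note that the old anchor `update-openldap-config-file-to-index-new-attribute-name-domainstatus` is removed, so existing links to it will stop resolving.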
@ -558,6 +580,13 @@ cp -f /tmp/iredmail.schema /etc/openldap/schema/
|
||||||
rcctl restart slapd
|
rcctl restart slapd
|
||||||
</code></pre>
|
</code></pre>
|
||||||
|
|
||||||
|
<h3 id="fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</h3>
|
||||||
|
<blockquote>
|
||||||
|
<p>This fix is applicable to OpenBSD ldapd backend also.</p>
|
||||||
|
</blockquote>
|
||||||
|
<p>In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
|
||||||
|
all mail accounts (mail users, aliases, lists) are still active and Postfix
|
||||||
|
will accept emails sent to them. Steps below fix the issue.</p>
|
||||||
<h4 id="update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</h4>
|
<h4 id="update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</h4>
|
||||||
<ul>
|
<ul>
|
||||||
<li>On Linux and OpenBSD, run commands:</li>
|
<li>On Linux and OpenBSD, run commands:</li>
|
||||||
|
|