Sync iRedMail upgrade tutorial.

en_US/iredadmin/2-iredadmin-pro.domain.ownership.verification.md

@@ -5,15 +5,16 @@
 ## Summary
 
 Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant
-permission to normal domain admin to create new mail domains. All new domains
+normal domain admin permission to create new mail domains. All new domains
-added by normal domain admin requires domain ownership verification, to ensure:
+added by normal domain admin require domain ownership verification by deafult,
+to ensure:
 
-* the newly added mail domain is an valid domain
+* the newly added mail domain name is an valid domain name on internet
 * the domain admin have the required privileges in the domain to manage the
-  email services.
+  email services
 
 Mail services are disabled for pending domains, and will be activated
-automatically after verified.
+automatically after admin verified the ownership.
 
 ## How to enable or disable domain ownership verification
 
@@ -24,7 +25,8 @@ iRedAdmin-Pro config file `settings.py`, set proper value, then restart
 Apache or uwsgi (if you're running Nginx) service to reload the changes.
 
 ```
-# Require domain ownership verification if it was added by normal domain admin.
+# Require domain ownership verification if it's added by normal domain admin:
+# True, False.
 REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
 
 # How long should we remove verified or (inactive) unverified domain ownerships.
@@ -32,14 +34,14 @@ REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
 # iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
 # removed the domain and re-adds it, no verification required.
 #
-# Usually normal domain admin won't frequently remove and re-add same domain
+# Admin won't frequently remove and re-add same domain name, so it's ok to
-# name, so it's ok to remove saved ownership after X days.
+# remove saved ownership after X days.
 DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30
 
 # The string prefixed to verify code. Must be shorter than than 60 characters.
 DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'
 
-# Timeout while performing each verification.
+# Timeout (in seconds) while performing each verification.
 DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
 ```
 
@@ -48,9 +50,11 @@ DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
 There're several ways to verify domain ownership:
 
 * Create a text file under top directory of the web site of new domain, both
-  file name and file content must be same as verify code. For example, for
+  file name and file content must be same as verify code.
-  pending domain `example.com` with verify code
+
-  `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, we will verify 2 URLs:
+    For example, for pending domain `example.com` with verify code
+    `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, iRedAdmin-Pro will
+    verify 2 URLs:
 
     * http: `http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`
     * https: `https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`
@@ -59,28 +63,26 @@ There're several ways to verify domain ownership:
     code as page content.
 
 * Create a TXT type DNS record of the domain name, use the verify code as its
-  value. For example, for pending domain `example.com` with verify code
+  value.
-  `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, DNS query by command
+
-  `nslookup -type=txt example.com` should return a record which is same as
+    For example, for pending domain `example.com` with verify code
-  verify code.
+    `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, DNS query by command
+    `nslookup -type=txt example.com` should return a record which is same as
+    verify code.
+
+Sample DNS query with `nslookup`:
 
-    Sample DNS query with `nslookup`:
 ```
 $ nslookup -type=txt example.com
-
+...
-Non-authoritative answer:
 example.com     text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
-example.com     text = "v=spf1 ..."
+...
-example.com     text = "..."
 ```
 
-    Sample DNS query with `dig`:
+Sample DNS query with `dig`:
 ```
 $ dig -t txt example.com
-
 ...
-;; ANSWER SECTION:
 iredmail.org.		4173	IN	TXT	"iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
-iredmail.org.		4173	IN	TXT	"v=spf1 ..."
+...
-iredmail.org.		4173	IN	TXT	"..."
 ```

en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md

@@ -438,36 +438,53 @@ $banned_namepath_re = new_RE(
 
 ## OpenLDAP backend special
 
-### Fixed: mail accounts (user, alias, list) are still active when domain is disabled
+### Use the latest iRedMail LDAP schema file
 
-> This fix is applicable to OpenBSD ldapd backend also.
+iRedMail-0.9.6 introduces 2 new LDAP attributes:
 
-In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
+* `domainPendingAliasName`: used by mail domain account, to store new alias
-all mail accounts (mail users, aliases, lists) are still active and Postfix
+  domain names which is pending for domain ownership verification. Required by
-will accept emails sent to them. Steps below fix the issue.
+  iRedAdmin-Pro.
+* `domainStatus`: used by mail user/alias/list accounts, to indicate domain
+  status.
 
-#### Update OpenLDAP config file to index new attribute name: `domainStatus`
+#### Update OpenLDAP config file to index new attributes
 
-* Please open OpenLDAP config file `slapd.conf`, find line below:
+* Please open OpenLDAP config file `slapd.conf`:
     * On RHEL/CentOS, it's `/etc/openldap/slapd.conf`
     * On Debian/Ubuntu, it's `/etc/ldap/slapd.conf`
     * On FreeBSD, it's `/usr/local/etc/openldap/slapd.conf`
-    * On OpenBSD, it's `/etc/openldap/slapd.conf`. If you're running ldapd as
+    * On OpenBSD:
-      LDAP server, please add a new line `index domainStats` in the `namespace
+        * if you're running OpenLDAP, it's `/etc/openldap/slapd.conf`.
-      xxx {}` block.
+        * if you're running ldapd(8) LDAP server, please add a new line
+          `index domainStats` in the `namespace xxx {}` block.
+
+* for new attribute `domainPendingAliasName`, please find line below:
+
+```
+access to attrs="objectclass,domainName,mtaTransport,..."
+```
+
+Add new attribute name `domainPendingAliasName` in this line (__WARNING__:
+don't leave any whitespace between attribute names and comma):
+
+```
+access to attrs="domainPendingAliasName,objectclass,domainName,mtaTransport,..."
+```
+
+* for new attribute `domainStatus`, please find line below:
 
 ```
 access to attrs="employeeNumber,mail,..."
 ```
 
-* Add new attribute name `domainStatus` in this line (__WARNING__: don't leave
+Add new attribute name `domainStatus` in this line (__WARNING__: don't leave
-  any whitespace between attribute names and comma):
+any whitespace between attribute names and comma):
 
 ```
 access to attrs="domainStatus,employeeNumber,mail,..."
 ```
-
+#### Download the latest iRedMail LDAP schema file
-#### Use the latest iRedMail LDAP schema file
 
 * On RHEL/CentOS:
 
@@ -523,12 +540,20 @@ cp -f /tmp/iredmail.schema /etc/openldap/schema/
 rcctl restart slapd
 ```
 
+### Fixed: mail accounts (user, alias, list) are still active when domain is disabled
+
+> This fix is applicable to OpenBSD ldapd backend also.
+
+In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
+all mail accounts (mail users, aliases, lists) are still active and Postfix
+will accept emails sent to them. Steps below fix the issue.
+
 #### Update Postfix/Dovecot LDAP lookup files
 
 * On Linux and OpenBSD, run commands:
 
 ```
-cp -rf /etc/postfix/ldap /etc/postfix/ldap.$(date +%Y%m%d)
+cp -rf /etc/postfix/ldap /etc/postfix/ldap.bak
 cd /etc/postfix/ldap/
 perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf
 
@@ -539,7 +564,7 @@ perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=di
 * On FreeBSD, run commands:
 
 ```
-cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.$(date +%Y%m%d)
+cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.bak
 cd /usr/local/etc/postfix/ldap/
 perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf
 

html/iredadmin-pro.domain.ownership.verification.html

@@ -28,22 +28,24 @@
 </div>
 <h2 id="summary">Summary</h2>
 <p>Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant
-permission to normal domain admin to create new mail domains. All new domains
+normal domain admin permission to create new mail domains. All new domains
-added by normal domain admin requires domain ownership verification, to ensure:</p>
+added by normal domain admin require domain ownership verification by deafult,
+to ensure:</p>
 <ul>
-<li>the newly added mail domain is an valid domain</li>
+<li>the newly added mail domain name is an valid domain name on internet</li>
 <li>the domain admin have the required privileges in the domain to manage the
-  email services.</li>
+  email services</li>
 </ul>
 <p>Mail services are disabled for pending domains, and will be activated
-automatically after verified.</p>
+automatically after admin verified the ownership.</p>
 <h2 id="how-to-enable-or-disable-domain-ownership-verification">How to enable or disable domain ownership verification</h2>
 <p>There're few parameters used to control domain ownership verifivation, you can
 find default settings in file <code>libs/default_settings.py</code> under iRedAdmin-Pro
 directory. If you want to change any of them, please copy the parameter to
 iRedAdmin-Pro config file <code>settings.py</code>, set proper value, then restart
 Apache or uwsgi (if you're running Nginx) service to reload the changes.</p>
-<pre><code># Require domain ownership verification if it was added by normal domain admin.
+<pre><code># Require domain ownership verification if it's added by normal domain admin:
+# True, False.
 REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
 
 # How long should we remove verified or (inactive) unverified domain ownerships.
@@ -51,14 +53,14 @@ REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
 # iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
 # removed the domain and re-adds it, no verification required.
 #
-# Usually normal domain admin won't frequently remove and re-add same domain
+# Admin won't frequently remove and re-add same domain name, so it's ok to
-# name, so it's ok to remove saved ownership after X days.
+# remove saved ownership after X days.
 DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30
 
 # The string prefixed to verify code. Must be shorter than than 60 characters.
 DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'
 
-# Timeout while performing each verification.
+# Timeout (in seconds) while performing each verification.
 DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
 </code></pre>
 
@@ -67,9 +69,10 @@ DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
 <ul>
 <li>
 <p>Create a text file under top directory of the web site of new domain, both
-  file name and file content must be same as verify code. For example, for
+  file name and file content must be same as verify code.</p>
-  pending domain <code>example.com</code> with verify code
+<p>For example, for pending domain <code>example.com</code> with verify code
-  <code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, we will verify 2 URLs:</p>
+<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, iRedAdmin-Pro will
+verify 2 URLs:</p>
 <ul>
 <li>http: <code>http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code></li>
 <li>https: <code>https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code></li>
@@ -79,30 +82,25 @@ code as page content.</p>
 </li>
 <li>
 <p>Create a TXT type DNS record of the domain name, use the verify code as its
-  value. For example, for pending domain <code>example.com</code> with verify code
+  value.</p>
-  <code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, DNS query by command
+<p>For example, for pending domain <code>example.com</code> with verify code
-  <code>nslookup -type=txt example.com</code> should return a record which is same as
+<code>iredmail-domain-verification-5tzh5gHjU688yyWK7cSV</code>, DNS query by command
-  verify code.</p>
+<code>nslookup -type=txt example.com</code> should return a record which is same as
-<p>Sample DNS query with <code>nslookup</code>:</p>
+verify code.</p>
 </li>
 </ul>
+<p>Sample DNS query with <code>nslookup</code>:</p>
 <pre><code>$ nslookup -type=txt example.com
-
-Non-authoritative answer:
-example.com     text = &quot;iredmail-domain-verification-5tzh5gHjU688yyWK7cSV&quot;
-example.com     text = &quot;v=spf1 ...&quot;
-example.com     text = &quot;...&quot;
-</code></pre>
-
-<pre><code>Sample DNS query with `dig`:
-</code></pre>
-<pre><code>$ dig -t txt example.com
-
 ...
-;; ANSWER SECTION:
+example.com     text = &quot;iredmail-domain-verification-5tzh5gHjU688yyWK7cSV&quot;
+...
+</code></pre>
+
+<p>Sample DNS query with <code>dig</code>:</p>
+<pre><code>$ dig -t txt example.com
+...
 iredmail.org.       4173    IN  TXT &quot;iredmail-domain-verification-5tzh5gHjU688yyWK7cSV&quot;
-iredmail.org.       4173    IN  TXT &quot;v=spf1 ...&quot;
+...
-iredmail.org.       4173    IN  TXT &quot;...&quot;
 </code></pre><div class="footer">
     <p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
 </div>

html/upgrade.iredmail.0.9.5.1-0.9.6.html

@@ -44,9 +44,12 @@
 </ul>
 </li>
 <li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
+<li><a href="#use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</a><ul>
+<li><a href="#update-openldap-config-file-to-index-new-attributes">Update OpenLDAP config file to index new attributes</a></li>
+<li><a href="#download-the-latest-iredmail-ldap-schema-file">Download the latest iRedMail LDAP schema file</a></li>
+</ul>
+</li>
 <li><a href="#fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</a><ul>
-<li><a href="#update-openldap-config-file-to-index-new-attribute-name-domainstatus">Update OpenLDAP config file to index new attribute name: domainStatus</a></li>
-<li><a href="#use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</a></li>
 <li><a href="#update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</a></li>
 <li><a href="#add-required-ldap-attributevalue-for-existing-mail-accounts-under-disabled-domains">Add required LDAP attribute/value for existing mail accounts under disabled domains</a></li>
 </ul>
@@ -470,36 +473,55 @@ your Amavisd config file.</p>
 <li>Restart Amavisd service is required.</li>
 </ul>
 <h2 id="openldap-backend-special">OpenLDAP backend special</h2>
-<h3 id="fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</h3>
+<h3 id="use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</h3>
-<blockquote>
+<p>iRedMail-0.9.6 introduces 2 new LDAP attributes:</p>
-<p>This fix is applicable to OpenBSD ldapd backend also.</p>
+<ul>
-</blockquote>
+<li><code>domainPendingAliasName</code>: used by mail domain account, to store new alias
-<p>In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
+  domain names which is pending for domain ownership verification. Required by
-all mail accounts (mail users, aliases, lists) are still active and Postfix
+  iRedAdmin-Pro.</li>
-will accept emails sent to them. Steps below fix the issue.</p>
+<li><code>domainStatus</code>: used by mail user/alias/list accounts, to indicate domain
-<h4 id="update-openldap-config-file-to-index-new-attribute-name-domainstatus">Update OpenLDAP config file to index new attribute name: <code>domainStatus</code></h4>
+  status.</li>
+</ul>
+<h4 id="update-openldap-config-file-to-index-new-attributes">Update OpenLDAP config file to index new attributes</h4>
+<ul>
+<li>
+<p>Please open OpenLDAP config file <code>slapd.conf</code>:</p>
 <ul>
-<li>Please open OpenLDAP config file <code>slapd.conf</code>, find line below:<ul>
 <li>On RHEL/CentOS, it's <code>/etc/openldap/slapd.conf</code></li>
 <li>On Debian/Ubuntu, it's <code>/etc/ldap/slapd.conf</code></li>
 <li>On FreeBSD, it's <code>/usr/local/etc/openldap/slapd.conf</code></li>
-<li>On OpenBSD, it's <code>/etc/openldap/slapd.conf</code>. If you're running ldapd as
+<li>On OpenBSD:<ul>
-  LDAP server, please add a new line <code>index domainStats</code> in the <code>namespace
+<li>if you're running OpenLDAP, it's <code>/etc/openldap/slapd.conf</code>.</li>
-  xxx {}</code> block.</li>
+<li>if you're running ldapd(8) LDAP server, please add a new line
+  <code>index domainStats</code> in the <code>namespace xxx {}</code> block.</li>
 </ul>
 </li>
 </ul>
+</li>
+<li>
+<p>for new attribute <code>domainPendingAliasName</code>, please find line below:</p>
+</li>
+</ul>
+<pre><code>access to attrs=&quot;objectclass,domainName,mtaTransport,...&quot;
+</code></pre>
+
+<p>Add new attribute name <code>domainPendingAliasName</code> in this line (<strong>WARNING</strong>:
+don't leave any whitespace between attribute names and comma):</p>
+<pre><code>access to attrs=&quot;domainPendingAliasName,objectclass,domainName,mtaTransport,...&quot;
+</code></pre>
+
+<ul>
+<li>for new attribute <code>domainStatus</code>, please find line below:</li>
+</ul>
 <pre><code>access to attrs=&quot;employeeNumber,mail,...&quot;
 </code></pre>
 
-<ul>
+<p>Add new attribute name <code>domainStatus</code> in this line (<strong>WARNING</strong>: don't leave
-<li>Add new attribute name <code>domainStatus</code> in this line (<strong>WARNING</strong>: don't leave
+any whitespace between attribute names and comma):</p>
-  any whitespace between attribute names and comma):</li>
-</ul>
 <pre><code>access to attrs=&quot;domainStatus,employeeNumber,mail,...&quot;
 </code></pre>
 
-<h4 id="use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</h4>
+<h4 id="download-the-latest-iredmail-ldap-schema-file">Download the latest iRedMail LDAP schema file</h4>
 <ul>
 <li>On RHEL/CentOS:</li>
 </ul>
@@ -558,6 +580,13 @@ cp -f /tmp/iredmail.schema /etc/openldap/schema/
 rcctl restart slapd
 </code></pre>
 
+<h3 id="fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</h3>
+<blockquote>
+<p>This fix is applicable to OpenBSD ldapd backend also.</p>
+</blockquote>
+<p>In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
+all mail accounts (mail users, aliases, lists) are still active and Postfix
+will accept emails sent to them. Steps below fix the issue.</p>
 <h4 id="update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</h4>
 <ul>
 <li>On Linux and OpenBSD, run commands:</li>