Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant permission to normal domain admin to create new mail domains. All new domains added by normal domain admin requires domain ownership verification, to ensure:
Mail services are disabled for pending domains, and will be activated automatically after verified.
There're few parameters used to control domain ownership verifivation, you can
find default settings in file libs/default_settings.py
under iRedAdmin-Pro
directory. If you want to change any of them, please copy the parameter to
iRedAdmin-Pro config file settings.py
, set proper value, then restart
Apache or uwsgi (if you're running Nginx) service to reload the changes.
# Require domain ownership verification if it was added by normal domain admin.
REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True
# How long should we remove verified or (inactive) unverified domain ownerships.
#
# iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin
# removed the domain and re-adds it, no verification required.
#
# Usually normal domain admin won't frequently remove and re-add same domain
# name, so it's ok to remove saved ownership after X days.
DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30
# The string prefixed to verify code. Must be shorter than than 60 characters.
DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-'
# Timeout while performing each verification.
DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10
There're several ways to verify domain ownership:
Create a text file under top directory of the web site of new domain, both
file name and file content must be same as verify code. For example, for
pending domain example.com
with verify code
iredmail-domain-verification-5tzh5gHjU688yyWK7cSV
, we will verify 2 URLs:
http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV
https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV
If you visit the URL with a web browser, it's expected to display verify code as page content.
Create a TXT type DNS record of the domain name, use the verify code as its
value. For example, for pending domain example.com
with verify code
iredmail-domain-verification-5tzh5gHjU688yyWK7cSV
, DNS query by command
nslookup -type=txt example.com
should return a record which is same as
verify code.
Sample DNS query with nslookup
:
$ nslookup -type=txt example.com
Non-authoritative answer:
example.com text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
example.com text = "v=spf1 ..."
example.com text = "..."
Sample DNS query with `dig`:
$ dig -t txt example.com
...
;; ANSWER SECTION:
iredmail.org. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV"
iredmail.org. 4173 IN TXT "v=spf1 ..."
iredmail.org. 4173 IN TXT "..."