# iRedAdmin-Pro: Domain ownership verification [TOC] ## Summary Since iRedAdmin-Pro-SQL-2.5.0 and iRedAdmin-Pro-LDAP-2.7.0, it's able to grant permission to normal domain admin to create new mail domains. All new domains added by normal domain admin requires domain ownership verification, to ensure: * the newly added mail domain is an valid domain * the domain admin have the required privileges in the domain to manage the email services. Mail services are disabled for pending domains, and will be activated automatically after verified. ## How to enable or disable domain ownership verification There're few parameters used to control domain ownership verifivation, you can find default settings in file `libs/default_settings.py` under iRedAdmin-Pro directory. If you want to change any of them, please copy the parameter to iRedAdmin-Pro config file `settings.py`, set proper value, then restart Apache or uwsgi (if you're running Nginx) service to reload the changes. ``` # Require domain ownership verification if it was added by normal domain admin. REQUIRE_DOMAIN_OWNERSHIP_VERIFICATION = True # How long should we remove verified or (inactive) unverified domain ownerships. # # iRedAdmin-Pro stores verified ownership in SQL database, if (same) admin # removed the domain and re-adds it, no verification required. # # Usually normal domain admin won't frequently remove and re-add same domain # name, so it's ok to remove saved ownership after X days. DOMAIN_OWNERSHIP_EXPIRE_DAYS = 30 # The string prefixed to verify code. Must be shorter than than 60 characters. DOMAIN_OWNERSHIP_VERIFY_CODE_PREFIX = 'iredmail-domain-verification-' # Timeout while performing each verification. DOMAIN_OWNERSHIP_VERIFY_TIMEOUT = 10 ``` ## How to verify domain ownership There're several ways to verify domain ownership: * Create a text file under top directory of the web site of new domain, both file name and file content must be same as verify code. For example, for pending domain `example.com` with verify code `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, we will verify 2 URLs: * http: `http://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV` * https: `https://example.com/iredmail-domain-verification-5tzh5gHjU688yyWK7cSV` If you visit the URL with a web browser, it's expected to display verify code as page content. * Create a TXT type DNS record of the domain name, use the verify code as its value. For example, for pending domain `example.com` with verify code `iredmail-domain-verification-5tzh5gHjU688yyWK7cSV`, DNS query by command `nslookup -type=txt example.com` should return a record which is same as verify code. Sample DNS query with `nslookup`: ``` $ nslookup -type=txt example.com Non-authoritative answer: example.com text = "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV" example.com text = "v=spf1 ..." example.com text = "..." ``` Sample DNS query with `dig`: ``` $ dig -t txt example.com ... ;; ANSWER SECTION: iredmail.org. 4173 IN TXT "iredmail-domain-verification-5tzh5gHjU688yyWK7cSV" iredmail.org. 4173 IN TXT "v=spf1 ..." iredmail.org. 4173 IN TXT "..." ```