Require domain TXT record verification before adding domain to Plesk.
Require domain TXT record verification before adding domain to Plesk.
Plesk need to implement an option to require domains to be verified like for example Let's Encrypt with a TXT record with a key value, that Plesk can check on an admin specified interval like 5 mins perhaps, with a self-cleaning feature that removes un-verified domains after X days.
So as Plesk administrator you can activate the domain verification option on subscription level, that requires the customers to verify their domain, when using the function "add domain".
So "add domain" should have an initial state of "awaiting verification" before it gets added as normal to the account.
High risk security case that can be misused right now on all Plesk servers:
Say you have two customers on a Plesk server, and they both use the email service.
Say customer #1 use a bank. This person communicates with the bank via email on the domain: personalbusiness@bankdomain.com.
Then say customer #2 is a "curious" person. This person creates bankdomain.com on the Plesk server and create an email account with an catch-all on the domain.
When Plesk handles email, it will look locally first, and if Plesk see the domain locally, Plesk will deliver the email locally, if the account / alias exist, regardless of DNS records.
What stops a user on your Plesk server for creating every official domain used in your country and create a catch-all mail account on each of them. They will just have to wait, untill some of the other users of the server will write any of these domains and bingo, damage is done.
Thank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
—
IG
-
Rasmus commented
Plesk needs to add another domain status such as "Awaiting verification" along side the others "Suspended", "Deactivated" and "Active" that simply has NO services at all, and especially not services such as email and website.
-
Rasmus commented
I just did some testing - you are NOT going to believe this.
Create a domain in Plesk.
Deactivate or Suspend the domain.And the customer can STILL create mailboxes on the domain even tho it's deactivated or suspended.
But what's even more scarier: it still overrules DNS and the email is being send to the domain locally, when it's send from other customers on the server!
What the heck Plesk?
-
Rasmus commented
If you want to make a fix to this yourself, it should be possible to make something similar to what I propose Plesk implements.
When ever the event "create domain" (both with new accounts and afterwards with additional domains, from the Plesk interface or API) happens, it should run a script that deactivates the domain.
Then it should generate a key value and match that with the customer and domain in the database. And then e-mail that to the customer, telling them to insert the TXT record into their DNS.
The server should then have a cronjob for each X mins, checking the domains in the verification database for their TXT value. And as soon as it sees the correct value, it should activate the domain in Plesk.