Hi everyone, I noticed that if I use a non-admin user I can't create a SPF record as TXT. If I try it I see the error: SPF is not allowed. Use the SPF button. I can add a SPF record with the SFP form but not as TXT. Admin users have no problem with this. ISPConfig Version: 3.2.8p1 I don't know the motivation behind this check about non-admin users. I looked inside the code and I found something here: Code: /ispconfig/interface/web/dns/dns_edit_base.php PHP: function onShowNew() { global $app, $conf; // we will check only users, not admins if($_SESSION["s"]["user"]["typ"] == 'user') { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); // Check if the user may add another mailbox. if($client["limit_dns_record"] >= 0) { $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = ?", $client_group_id); if($tmp["number"] >= $client["limit_dns_record"]) { $app->error($app->tform->wordbook["limit_dns_record_txt"]); } } } parent::onShowNew(); } If someone have more information maybe can explain me why this control has to be done? If there are some workaround or it is necessary for security reason. Thank you.
Yes, this has been implemented to ensure that end users add correct spf records. This file is not related to adding DNS records, it is about adding DNS zones.
Supposing I trust my users is there a simple way to remove this feature? Should I comment that IF in both files related to adding DNS records, and adding DNS zones? Thanks for your time.
You don't have to trust your users. There is nothing to gain here if they are able to create it as a TXT record. The SPF function works and ensures the record is correctly formatted. What is the benefit of adding it as TXT over the SPF menu?
yes but you overstimate the customers. 100% of the time they have no idea of what spf is, basically they just want copy&paste an spf record that a thirdy party give it to them (like in this screenshot). and as far as now, they can't do that, and 100% of the time bother the support to do for them.
I get it, but if they are not able to translate this into a simple form, they probably should not edit DNS settings at all. However as with many big providers that provide this functionality there is no way to midigate this problem. From the top of my head, when i think about DNS Control Panels of big providers, they all a different to use, and ISPConfig is no exception. This is not only the case for SPF records, you will have this issue with many records that are not set properly. I think the best way to midigate this is to provide a good form of documentation/howto to your customers.