Version 1.43.1

Released: 2013-06-24

CMD_API_DNS_MX allowed to be called by Reseller if User has it disabled new

Relating to:

CMD_API_DNS_MX

If "DNS Control" is disabled for a User, a Reseller is not able to use it, unless they enable it for the User, make the change, then disable it again.

This change will allow a Reseller to make an API call with CMD_API_DNS_MX, logged in as themselves, which make changes to that User (User=fred in the example below).

They must have control over that User, and must also be allowed to have "DNS Control" in their Reseller settings.

Command:

CMD_API_DNS_MX
as_user=fred
domain=domain.com
action=internal
ineternal=yes|no

Check for ruid2 with CB 1.1/1.2 new

Template changes in DA 1.43.0 added tokens for certain aspects, such as mod_ruid2, eg:

        |*if HAVE_RUID2="1"|
        <IfModule mod_ruid2.c>
                RMode config
                RUidGid |USER| |GROUP|
                RGroups apache |SECURE_ACCESS_GROUP|
        </IfModule>

Where the HAVE_RUID2 token was new.

This token is set to 1 if:

mod_ruid2=yes

is set in the options.conf for custombuild 2.0 (1.1 and 1.2 are not checked).

Users who had manually installed mod_ruid2 and relied on the <IfModule mod_ruid2.c> would have run into issues with the 1.43.0 update.

This fix will have DA make a manual check for all 1.1 and 1.2 Custombuild systems.

The files:

/etc/httpd/conf/httpd.conf

/etc/httpd/conf/extra/httpd-includes.conf

will be checked for this text:

LoadModule ruid2_module

And if that text exists anywhere in the file (even if it's commented out), then the HAVE_RUID2 token will be set to 1.

Even if it's commented out, it doesn't matter much, as the <IfModule mod_ruid2.c> code will skip it when apache is started up.

The whole point of the token was to make the httpd.conf files smaller, and to lower the amount of ram apache uses.

It was noticed that the apache memory usage dropped quite a bit with fewer httpd.conf options.

Security Questions for extra layer of protection (SKINS) new

Ability to enable Security Questions where a valid login will take the client to another authentication page, asking for a valid answer to a pre-defined question.

Forum: https://forum.directadmin.com/threads/46176

If you're using a custom skin, It's very important to update the skin to have these changes.

If you enable this feature with a DA skin, then switch to an old skin without these changes, when you login, you'll get a "Document not Found" error, and won't be able to answer the question.. and you'll be locked out of DA (manual root ssh changes needed to turn it off for this User)

The Security Questions page can be accessed from the "Password" icon, at the top of the page (where a DA User changes their password)

Checkbox to enable/disable Security Quetions

Checkbox to allow API connections to the account with this DA username with their password: if disable no CMD_API call will work for this account when accessing the accoung with the usual password, so only disable API's if you know you don't need them.

This API checkbox does not apply to Login Keys.. so you can disable APIs with the password, but APIs will still work when using a Login Key (they're so long that they won't likely be guessed)

There is no checkbox for Login Keys. If you don't want to allow Login Keys to access the API, don't create a Login Key.

This feature is an extra layer of security, in addition to the current Brute Force Attack monitor for port 2222:

#1 from this guide https://help.directadmin.com/item.php?id=404

CMD_SECURITY_QUESTIONS

CMD_API_SECURITY_QUESTIONS

The list of questions is stored in:

/usr/local/directadmin/data/skins/enhanced/lang/en/internal/security_questions.txt

The very first line will look something like:

1=22

where index 1 will always store the number of entries in the file... in this case, the last entry is index 22=...

Basically, just take the highest number at the bottom, as use that (#1 skips itself automatically).

To add more entries, edit this file, and use:

chattr +i security_questions.txt

to lock it from update overwrites.

Language changes can have their own copy, in their own language.

New user.conf values:

security_questions=yes - Security questions will be required, if they're present.

api_with_password=yes - The API is allowed, using the current password. Login Keys and Session Keys are always allowed.. this setting does not affect them.

notify_on_all_question_failures=yes - When enabled, all incorrect answers will generate a Message to the User (not to Admins).

"no" will still send a message to Admin and User after <max_security_question_attempts> attempts.

New directadmin.conf values, these are the internal defaults:

security_questions=1
max_security_question_attempts=5
block_ip_after_failed_security_questions=0

The block_ip_after_failed_security_questions option can be set to 1, and on the last attempt, a warning will be given to the User that their IP will be blacklisted.

If you set:

block_ip_after_failed_security_questions=2

then no warning will be given.

Of course, this requires that you have the Blacklisting turned on in your Admin Settings (if it's off, go turn it on.. now!)

SKINS

old:


files_user.conf

CMD_SECURITY_QUESTIONS=user/security_questions.html

CMD_ASK_SECURITY_QUESTION=user/ask_security_question.html

passwd.html



new:


user/ask_security_question.html

user/security_questions.html

lang/en/internal/security_questions.txt

and many additions to:

lang/en/internal/*

suspension.txt

user.txt

command.txt

BFM: Option to only send an email notification new

Since Brute Force Attacks are fairly common, their notifications can often overwhelm your Message System.

This option will allow you to have DA only send you an email with the notice, instead of sending a your a System Message.

The email will contain the details of the attack (vs the ticket notifications which only send you the notice of a ticket)

It will also include a link to the server and brute force monitor, to more quickly see what's going on.

This option requires that the BFM message be enabled, and not hidden:

Ability to suppress BFM messages

Internal default:

brute_force_notifications_email_only=0

To enable it, add:

brute_force_notifications_email_only=1

to your directadmin.conf and restart DA.


DA 1.44.4 feature: Set an alternate email for notifications:

Alternate email for high-volume messages

all_backups_pre.sh new

Closely related to the all_backups_post.sh:

all_backups_post.sh

except it's called before the backups are run.

See id=1237 for more info.

Create:

/usr/local/directadmin/scripts/custom/all_backups_pre.sh

If you exit with a non-zero result, the process will be aborted.

Use the same method to retrieve the variables, eg:

cat /usr/local/directadmin/data/task.queue

immediately after issuing the backup creation.

exim.pl VERSION=13 use ids path for per-email limit new

use ids path for per-email limit, not use per-user limit.

This it to prevent double counting of sends under the per-email limit.

If you're not using the per-email limit (limits per email account), then this wouldn't apply to you.

wget -O /etc/exim.pl https://files1.directadmin.com/services/exim.pl.13

This does have a minor requirement, where the /etc/virtual/limit must be enabled.

If it's not enabled, the check on the user_ids is never done, so the attempts would pile up.

If you only have a /etc/virtual/user_limit set, and /etc/virtual/limit is 0, then this change won't work.

But 99% of the time, if the /etc/virtual/user_limit or /etc/virtual/domain.com/limit/user is set, then /etc/virtual/limit will be too (to a value greater than 0)

Option to skip Uebimiau webmail data from backups new

Skins Uebimiau is no longer included anyway, if you still have Users using it, but want to skip it from the backup, you can add this option to your directadmin.conf to speed up backup creation:

skip_uebimiau_in_backups=1

The internal default is:

skip_uebimiau_in_backups=0

It will skip the data from:

/var/www/html/webmail/tmp

This does not affect restores.. which will restore the webmail data if it exists in the backup.

load_top_string to specify the top output on high load new

New directadmin.conf option, to allow changes to the output DA gives on high load.

Internal defaults:

FreeBSD:

load_top_string=/usr/bin/top -b -d 1 all

Everything else:

load_top_string=/usr/bin/top -c -b -n 1

Related template:

load_check_message.txt

Moved the finish line in filter_base so spam is processed first new

Related thread:

https://forum.directadmin.com/posts/238173

Updated template:

/usr/local/directadmin/data/templates/filter_base

to move the BLOCKLEVEL and SPAMFILTERS sections before the line:

if error_message then finish endif

After updating to 1.43.1, all filters should automatically be rewritten with this change.

Ability to duplicate backup crons new

Simple "Duplicate" button on the Admin and Reseller backup pages, for cronjobs.

It will duplicate 1 or more pre-existing cronjobs to new ID.. in case you wanted to only change a few minor aspects of a cron in a new entry.

The variables in the form:

action=delete

has been changed to:

action=select

delete=anytext

and new entry added for this feature:

action=select

duplicate=anytext

along with the select0, select1, etc..

However, the old action=delete is still accepted for backwards compatibility.

Re-install check for ./directadmin i new

If someone accidentally runs:

./directadmin i

when DA is already installed.. DA will confirm with the user if a re-install is actually intended.

When ./directamdin i called, DA will check to see if conf/directadmin.conf exists.

If it does, then it will ask the question, and abort if 'n' is specified:

The config file already exists:

    /usr/local/directadmin/conf/directadmin.conf

Do you really want to install DirectAdmin again? (y/n): n

Aborting the re-install.

If no directadmin.conf is installed, then the question will not be asked (so automated installers don't get broken)

PHP Version Selector (SKINS) new

If you have CustomBuild 2.0 and are using 2 php versions/types, this feature will let the client select which of the 2 is associated with the .php extension.

It also allows for the 2nd php version to be specified, to use either of the 2 php types.. but the extension will change based on the version of php selected (Eg php53 or php54, etc.)

Note that the httpd.conf rewrite requires an apache restart, which can take upto 1 full minute.

The php version selector does not use .htaccess files to make the changes, rather direct changes to the tokens used in the templates.

SKINS:

user/modify_domain.html

add after the HAS_MULTIPLE_IPS section (after the |*endif|)

|*if HAS_PHP_SELECTOR="yes"|
<br>
|PHP_SELECTOR_TABLE|
|*endif|

lower the time between load spike notices from 1 day to 10 minutes new

Changed the load spike notice interval to run at most once every 10 minutes, instead of at most once per day.

add_userdb_quota for dovecot quotas new

Ability to have DA add quotas to the file:

/etc/virtual/domain.com/passwd

so that the dovecot quota plugin can use it to limit quotas within imap.

Without this option, quotas are only enforced by exim on the inbox for incoming emails.

A sample line from a passwd file with this option would look like:

fred:$1$SdbJQZ6r$R5FmKrayU3FvPksLTd.7X0:501:12::/home/username/imap/domain.com/fred/bin/false:userdb_quota_rule=*:bytes=50M

To enable DA to add the quota options, add:

add_userdb_quota=1

to your directadmin.conf, and restart DA.

The internal default is 0.

After turning on the option, to convert all existing file to use the extra format, use one of these new task.queue command:

echo "action=rewrite&value=email_passwd" >> /usr/local/directadmin/data/task.queue
echo "action=rewrite&value=email_passwd&user=fred" >> /usr/local/directadmin/data/task.queue

Dovecot how-to portion of using these changes:

https://forum.directadmin.com/threads/43782

Related to enable quota display for dovecot/imap:

https://forum.directadmin.com/threads/34464


Related forum request:

https://forum.directadmin.com/threads/46562

User notice if pop cache to be updated (SKINS) new

For many domains with hundreds of email accounts, the pop usage cache will speed up the display of the page:

email disk usage cache to speed up the pop page

However, it takes up to 1 minute after loading the page for the cache to be updated, as it's triggered by the load of the page.

To avoid confusion, a simple message is displayed if the usage.cache is to be updated, and reminding them to refresh the page in 1 minute for an updated display with correct information.

SKINS:

user/email/pop.html

added:

|*if EMAIL_MESSAGE!=""|
<b>|EMAIL_MESSAGE|</b><br><br>
|*endif|

login_as_master_name for all hook scripts new

If use use any of the pre/post.sh hook scripts in:

/usr/local/directadmin/scripts/custom/

before this change, you'd have no way of knowing if a call was made using the login-as feature, or directly as a User.

With this this change, anytime a login-as call is made, for any pre-post script, an extra variable is added with the name of the master (logged in from)

eg:

login_as_master_name=admin

in addition to the variables that were there before.

If login-as i not used, the variable will not exist at all.

load_notice_interval new

Relating to this feature:

load_spike_notice_pre.sh and load_spike_notice_post.sh

and this change:

lower the time between load spike notices from 1 day to 10 minutes

This will allow a directadmin.conf option to override the load notice internal.

The internal default is 10 minutes:

load_notice_interval=10

To override it, add it to your directadmin.conf, with a new value (in minutes)

move main ftp account creation to DA user creation fixed

Previously the system ftp account is set each time a domain is created.

This means that for Admin accounts who do not have domains at first, no ftp account exists. This could be resolved by creating a domain to add the ftp account.

The reason this is an issue is that if you set a custom ftp password for your system ftp account (when you already have a domain), and then create another domain, the main account ftp password is reset to your login value, which is not correct.

This change will move the ftp account creation code to the User creation so it's only ever set once.

Rename email: update da_roundcube.identities fixed

When changing the name of an email account, DA now also updates the da_roundcube.identities table.

It was previously just updating the da_roundcube.users table.

This fix also deletes the records from the da_roundcube.users table.

The cascade functionality automatically removes the linked entries from the da_rounducbe.identities.

A domain can have max 63 characters between dots fixed

Named requires that a domain string (any string value between the .dots.) have a max of 63 characters.

Added a check to DA's internal definition of a domain to make sure of this.

so these are valid:

63.com  (where I mean it's 63 characters long)
63.63.com

But this is not:

1.64.com
64.1.com
64.64.com

again, where the numbers are the length of the strings, not a literal string value.

Apache 2.4 disabling protected directory causes internal server error fixed

For Apache versions previous to 2.4, with regards to shutting off the password protected directory option, DA simply remove the following line from the .htaccess file:

require valid-user

With Apache 2.4, this causes an internal server error, with the following Apache error in the logs:

[Sat May 04 13:43:28.165689 2013] [authz_core:error] [pid 9673:tid 3007343504] [client 192.168.1.102:4326] AH01627: AuthType configured with no corresponding authorization directives

So the fix is to also remove the AuthType line from the .htaccess.

Patch majordomo for new perl versions fixed

The majordomo.sh install script will now apply a patch after the install of majordomo is complete.

Related forum thread:

https://forum.directadmin.com/threads/46383

Move filter skip line after blocking after high scoring spam fixed

Move the location of the filter exit (if error_message) to below the check/drop of high scoring spam.

Related to:

https://help.directadmin.com/item.php?id=215

Forum thread:

https://forum.directadmin.com/threads/46371

Reseller limit allocation not counting Users when added fixed

Bug, which seems to have been introduced in 1.41.0 and gone unnoticed until now.

A code change caused the total amount being added to be 0, when it was not 0.. so it always ended up below the allocation.

Nginx redirect domain pointer not adding entry fixed

User nginx.conf does not have an entry for redirect-type domain pointers.

Current workaround: use an "alias" type of domain pointer, until this is fixed.

Also reported that an apache VH was added to the nginx.conf.

New template file:

/usr/local/directadmin/data/templates/nginx_server_redirect.conf

which is the nginx version of redirect_virtual_host.conf, same tokens.

Move the user.conf write before user_create_post.sh fixed

During user creation, the final user config write call has been moved such that it's called before the user_create_post.sh is called.

This allows the user_create_post.sh to run API calls on that User, and check the user.conf, etc.. should be very handy to several developers.

Sample, to create a database with the User:

https://files1.directadmin.com/services/all/httpsocket/examples/example.add_database.php

Pipe both stdout and stderr in all pre/post hook scripts fixed

Previously, DA only read in stdout from all pre/post hook scripts.

If you ran anything that output to stderr, it would not be read in, and would likely overflow the read buffer and might hang whatever was trying to send that text.

Changed all calls to the script to have:

2>&1

at the end, so all stderr is piped to stdout for DA.

Security: more backup pre-checks fixed

Relating to this previous fix:

Pre-backup check for hardlinks to resolve backup errors

Several more checks are added to ensure there are no symbolic or hard links.

Thanks to www.Rack911.com for reporting these 3 significant issues.

It's recommended everyone update DirectAdmin to address the issues.

Linked IP backup/restore fixed

The User backup should not have the linked IPs in the DB files, as they won't be swapped out during the restore.

Also, at restore time, the new account should have the linked IPs set to the new domains as required.

Last Updated: