Version 1.676

Released: 2025-04-22

Dovecot 2.4.x custombuild new

Starting with this release, the new Dovecot 2.4.x releases will be used by default.

Older Dovecot versions (2.3.x) are still supported but will only be used if the Dovecot version is explicitly customized.

Note: There are significant changes in Dovecot 2.4.x configuration. To support both versions, CustomBuild uses different configuration files depending on the Dovecot version. If the old Dovecot configuration files were customized, these customizations will not be used when building Dovecot 2.4.x. To apply the same customizations to Dovecot 2.4.x, new configuration files need to be customized as well.

New hook: setquota_post.sh new

Hook to be called after any call by DirectAdmin to the setquota or xfs_quota binaries, when setting quota limits for Users. See the setquota_post.sh hooks documentation for more information.

dns_raw_save_post.sh to include variables remote_username, remote_hostname, filename, sign_zone new

Calls to CMD_API_DNS_ADMIN?action=rawsave&username=remote_username&hostname=remote_hostname, usually made by a master DirectAdmin DNS server, will now pass the remote_username, remote_hostname, filename, and sign_zone variables down to the dns_raw_save_post.sh hook script.

Templates: user_limit.txt and reseller_limit.txt now support token scripts, plus new tokens new

The user_limit.txt and reseller_limit.txt template files now support the |$/bin/sh ... DONE| method of scripting. Scripts run as root. This should allow greater control of the content of the messages sent to Users/Resellers.

This change also includes new tokens for the user_limit.txt, based on the directadmin variable hard_quota_multiplier=1.1:

  • QUOTALIMITGIG_HARD
  • QUOTALIMITMEG_HARD
  • INODELIMIT_HARD

New variable: admin_ssl_cert_on_create=1 to prevent new AutoSSL certificates on creation new

If you do not wish to have DirectAdmin automatically create certificates when a new domain, subdomain, or domain pointer is created, set this new value to 0. Certificates can still be created manually and managed normally. Existing certificates are not affected. Only the automatic trigger is disabled when the value is set to 0.

Documentation for the admin_ssl_cert_on_create variable

New design for selected files/folders action block in File Manager evolution improved

The selected files/folders action block above the table in the File Manager has been redesigned to enhance user experience.

‼️ Block SMTP authentication on port 25 and plain-text connections improved

The Exim configuration is updated to not allow users to perform SMTP authentication on TCP port 25. This means email clients will not be able to use port 25 for sending emails. TCP port 25 will be exclusively used for communication between mail servers, and clients will have to use 587 or 465 ports.

The motivation for this change is to completely separate the mail server-to-server (MTA-to-MTA) communications from client-to-server (MUA-to-MTA) communications. This makes it easier to harden the email submission security. For example:

  • TCP ports 587 and 465 could use custom firewall rules to only allow sending emails from trusted networks.
  • It is no longer possible to brute-force email credentials over TCP port 25.

In addition to blocking SMTP authentication on TCP port 25, Exim will no longer allow SMTP authentication over plain-text connections. This change protects clients from accidentally misconfiguring email applications to not use encrypted connections. Use of encryption is critical because SMTP authentication uses literal user passwords without any hashing. Accessing SMTP over plaintext at least once is enough for the user credentials to be stolen. An exception is made for internal connections over localhost, which may still authenticate without encryption.

This is a big change that might affect servers and clients that relied on authentication always being available. This feature is implemented in a way to allow server administrators to restore the old behaviour in a simple way.

The authentication availability on SMTP ports is controlled by the AUTH_ENABLE_CONDITION macro in the /etc/exim.variables.conf file. The new default policy is:

AUTH_ENABLE_CONDITION = ${if and { {!eq{$interface_port}{25}} { or { {def:tls_in_cipher} {match_ip{$sender_host_address}{<; 127.0.0.1 ; ::1}} } } }}

The policy can be changed by setting it to a different value in the /etc/exim.variables.conf.custom file and rebuilding the Exim configuration with the da build exim_conf command.

Examples:

# Use old (insecure) SMTP authentication policy, authentication always available
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = yes' >> /etc/exim.variables.conf.custom
da build exim_conf

# Block SMTP authentication on plain-text connections, but allow it to work on all TCP ports
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = ${if or { {def:tls_in_cipher} {match_ip{$sender_host_address}{<; 127.0.0.1 ; ::1}} }}' >> /etc/exim.variables.conf.custom
da build exim_conf

# Block SMTP authentication on TCP port 25, but allow it on plain-text connections on other ports
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = ${if !eq{$interface_port}{25}}' >> /etc/exim.variables.conf.custom
da build exim_conf

# Use the new (secure) DirectAdmin SMTP authentication policy
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
da build exim_conf

Note: It is highly recommended to use the new default SMTP authentication policy. The mechanism to revert to the old policy should only be used temporarily until all the clients are reconfigured to use SMTP submission ports (587 or 465) and encryption.
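
After changing the policy, the result can be checked from the EHLO responses the server gives on each port. The script below is an added example, not DirectAdmin code: it assumes AUTH_ENABLE_CONDITION decides whether Exim advertises AUTH in its EHLO response, and the function names and sample responses are constructed for illustration.

```sh
#!/bin/sh
# Added example, not DirectAdmin code. Assumption: AUTH_ENABLE_CONDITION decides
# whether Exim advertises AUTH in its EHLO response.

# Succeeds if the EHLO response on stdin contains an AUTH capability line.
auth_advertised() {
    tr -d '\r' | grep -Eiq '^250[- ]AUTH( |$)'
}

# New default policy from the page: no AUTH on port 25; elsewhere AUTH only
# over TLS, unless the peer is 127.0.0.1 or ::1. Prints "yes" or "no".
auth_expected() {   # args: PORT TLS(yes|no) PEER_IP
    if [ "$1" = 25 ]; then echo no
    elif [ "$2" = yes ] || [ "$3" = 127.0.0.1 ] || [ "$3" = ::1 ]; then echo yes
    else echo no
    fi
}

# Compares what the server offered with what the policy allows.
check_ehlo() {      # args: PORT TLS PEER_IP EHLO_RESPONSE
    expected=$(auth_expected "$1" "$2" "$3")
    if printf '%s\n' "$4" | auth_advertised; then seen=yes; else seen=no; fi
    if [ "$seen" = "$expected" ]; then echo OK
    elif [ "$seen" = yes ]; then echo VIOLATION   # AUTH offered where the policy forbids it
    else echo MISSING                             # AUTH absent where clients need it
    fi
}

# Constructed EHLO responses (host names and addresses are placeholders).
EHLO_NO_AUTH='250-mail.example.test Hello client.example.test [203.0.113.7]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP'
EHLO_WITH_AUTH='250-mail.example.test Hello client.example.test [203.0.113.7]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP'

echo "port 25, plain, no AUTH:    $(check_ehlo 25 no 203.0.113.7 "$EHLO_NO_AUTH")"
echo "port 587, plain, AUTH:      $(check_ehlo 587 no 203.0.113.7 "$EHLO_WITH_AUTH")"
echo "port 587, TLS, AUTH:        $(check_ehlo 587 yes 203.0.113.7 "$EHLO_WITH_AUTH")"
echo "port 587, plain, localhost: $(check_ehlo 587 no 127.0.0.1 "$EHLO_WITH_AUTH")"
echo "port 465, TLS, no AUTH:     $(check_ehlo 465 yes 203.0.113.7 "$EHLO_NO_AUTH")"
```

VIOLATION marks a response that offers AUTH where the default policy forbids it; MISSING marks a submission port where clients would be unable to authenticate.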

CSF: Adjusted SMTP_PORTS for SMTP_BLOCK to block 25 port only improved

The primary purpose of enabling SMTP_BLOCK was to prevent hacked websites from making direct SMTP connections to other servers for email delivery, as these were difficult to track and resolve. However, the inclusion of ports 465 and 587 in the block list often led users to disable SMTP_BLOCK when whitelisting specific users was not an option. Reducing the blocked ports list to only port 25 should eliminate the need to fully disable the feature for most users.

Expose per-mailbox daily send limit and send count improved

The configuration option user_can_set_email_limit used to control much more than just users' ability to set per-mailbox daily send limits. When this option was disabled:

  • The total number of emails sent today and the limit value were not visible for the users.
  • The hook email_change_pass_pre.sh did not receive the limit parameter (despite daily send limits actually being enabled).
  • The admin accounts could not set custom limits for different users on the modify user page.

However, the limits were always being set and being enforced even when the user_can_set_email_limit option was disabled.

With this release, the option user_can_set_email_limit is updated to only prevent users from changing the per-mailbox limit. Other side effects are removed. This means:

  • Users will see the effective limits and email send count in the UI.
  • Admins will be able to personalize this limit on the modify user page.
  • The hook email_change_pass_pre.sh will always receive the limit parameter.

This will make the daily per-mailbox limiting feature more transparent and easier to understand.

Default value for max_per_email_send_limit changed from -1 to 200 improved

The default max_per_email_send_limit configuration option in the directadmin.conf is changed from -1 to 200.

The old default value -1 had a special meaning: the value from the /etc/virtual/user_limit file should be used instead. But the default value in the /etc/virtual/user_limit file is 200.

Simpler daily per-mailbox email limits configuration improved

There used to be two points where the maximum daily per-mailbox send limit could be controlled.

  • In the file /etc/virtual/user_limit. It is used by all mailboxes that do not yet have a daily email limit configured. Usually used on systems where users can not control mailbox limits themselves.
  • Field max_per_email_send_limit in the file directadmin.conf. It replaces the limit set in /etc/virtual/user_limit on the systems where users are allowed to change per-mailbox limits.

Starting with this release, everything will be controlled by the max_per_email_send_limit field in the directadmin.conf file. All mailboxes will always have a daily sending limit configured, and the file /etc/virtual/user_limit will not be used at all.

Automatic migration will take care of setting the correct value for the max_per_email_send_limit field in the directadmin.conf file by copying it from the file /etc/virtual/user_limit, but only if it was not configured already.

A new taskq action action=apply-email-per-mailbox-limits is added. When executed, it will check all mailboxes on the system and set correct per-mailbox daily send limits. If users are not allowed to set per-mailbox limits for their own email accounts, then the limit set in directadmin.conf or user.conf will be set for all their mailboxes. If users are allowed to control per-mailbox limits, then configured limits will be kept, unless they are higher than allowed by the directadmin.conf or user.conf. In that case limits will be lowered to the maximum allowed value.

When the administrator changes the user-specific per-mailbox limit (in the file user.conf), then the task to reconfigure mailboxes owned by that user will be automatically executed.

When the administrator changes the global per-mailbox limit (in the file directadmin.conf), then all system mailboxes will be checked and reconfigured if needed.

These changes allow a single configuration option in directadmin.conf to replace the previously used combination of /etc/virtual/user_limit and max_per_email_send_limit.

Note: Email limits for mailboxes will be reconfigured automatically only if changes are made in the DirectAdmin UI. If configuration files are modified directly on the system, the administrator needs to run the reconfiguration task manually with the command:

da taskq --run 'action=apply-email-per-mailbox-limits'

Software version changes custombuild improved

  • composer updated from 2.8.6 to 2.8.8
  • dovecot updated from 2.3.21.1 to 2.4.1-4
  • imagick updated from 3.7.0 to 3.8.0
  • lego updated from 4.17.4-SNAPSHOT-8164e09c to 4.22.2-SNAPSHOT-7dfd0734
  • litespeed updated from 6.3.2-3 to 6.3.2-4
  • modsecurity_owasp_rules updated from 4.12.0 to 4.13.0
  • MySQL 8.0 updated from 8.0.41 to 8.0.42
  • MySQL 8.4 updated from 8.4.4 to 8.4.5
  • nginx updated from 1.27.4 to 1.27.5
  • openlitespeed updated from 1.8.3 to 1.8.3.1
  • phalcon5 updated from 5.9.0 to 5.9.2
  • PHP 8.3 updated from 8.3.19 to 8.3.20
  • PHP 8.4 updated from 8.4.5 to 8.4.6
  • xapian-core updated from 1.4.27 to 1.4.29
  • imagemagick removed

Usage history pages display nonsensical data evolution fixed

User, reseller and admin level usage history pages displayed garbage data if no prior data had been collected (data is collected once a month). With this fix, if, for example, a newly created user goes to System Info & Files -> Site Summary / Statistics/ Logs -> User History, they will instead see a message explaining why no proper data could be displayed.

File Manager drag and drop evolution fixed

Issues with the drag and drop functionality for file uploads and the drag to move feature for relocating files or folders to other directories have been resolved, and both are now fully operational in this release.

Can't open menu entry in new tab evolution fixed

Menu entries which should open in a new tab could not do so on icons grid and sidebar layouts when the viewport was too small. For example, if a user were on mobile, going to user level -> Extra Features -> phpMyAdmin closed the modal menu but did not open phpMyAdmin in a separate browser tab.

Nginx IP virtual-host PHP fallback fixed

The Nginx template for virtual-host configuration on an IP literal address (file data/templates/nginx_ips.conf) is updated. The template now tries to add a default PHP configuration for IPs that belong to a user who does not have a PHP-FPM config.

Always install Dovecot custom_passdb.conf file fixed

The default Dovecot configuration has an include statement for conf/custom_passdb.conf file. This file can be used for adding extra authentication configuration, but it is not really needed for standard DirectAdmin installation.

Since DirectAdmin version 1.665, this file was not installed automatically from the CustomBuild customizations directory /usr/local/directadmin/custombuild/custom.

To make it consistent with all the other configuration files, a new empty custom_passdb.conf file is added to the default configuration. This file will always be installed, either the default empty file or the customized file.

Different subdomain PHP version shown as selected from what is actually used fixed

Previously, when a subdomain was created, it would default to the PHP version that the main domain used. This resulted in a side effect where, within the Subdomain Management page (User Level -> Account Manager -> Subdomain Management), the subdomain's selected PHP version was incorrectly displayed as the first available version on the server. Meanwhile, accessing a page on the subdomain that displays PHP info showed a different (correct) PHP version.

With this fix, newly created subdomains will save the PHP version that the domain had at the time of said subdomain's creation. This means that changing the domain’s PHP version no longer affects its subdomains.

Create Reseller: Account IP = Global, without Share Server IP causes both to be in Reseller's IP list fixed

When creating a Reseller, if a Global IP is chosen in the "Account IP" option and "Share Server IP" is not in the Reseller Package, the Server IP ended up in the Reseller's IP list anyway.

Documentation for Creating Resellers with Global IPs

Removed quick navigation from File Manager evolution removed

The quick navigation feature, previously located at the top of the File Manager sidebar, has been removed. This decision was made because the sidebar's existing navigation structure is sufficiently intuitive, rendering the quick navigation redundant and unnecessary.

Removed customizable version of imagemagick library custombuild removed

The CustomBuild will no longer build a custom version of the imagemagick library. Instead, the default version that comes with the system will be used.

If a custom version of the imagemagick library is already installed on the system, CustomBuild will report that it can be removed with the da build remove_imagemagick command.

Removing the locally installed imagemagick library will recompile the PHP imagick extension to be linked with the system version of this library.

If the locally installed library is not removed, then building the PHP imagick extension will continue linking against the locally installed library.

Removed crypt_method configuration option from directadmin.conf removed

The password hash functions used to hash passwords for passwd-style files will no longer be configurable. The default value (SHA-512 method, also known as $6$) will always be used.

This change will help old servers that are still stuck with weak hashing algorithms ($1$ or $5$) to migrate to stronger hashes.
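
To find entries that still carry one of the weaker schemes, the hash prefix in a passwd-style file can be inspected. The script below is an added example, not DirectAdmin code: the function names and the sample file are constructed, the hashes are placeholders, and the file path is whichever passwd-style file is being audited.

```sh
#!/bin/sh
# Added example, not DirectAdmin code: report the crypt scheme of each entry
# in a passwd-style file (name:hash:...), judged by the hash prefix.

# Prints "name scheme" per entry. Leading "!" or "*" markers on the hash
# field are stripped before the prefix is inspected.
hash_schemes() {    # arg: path to a passwd-style file
    awk -F: '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        {
            h = $2; sub(/^[!*]+/, "", h)
            if      (h ~ /^\$6\$/) s = "sha512-crypt"
            else if (h ~ /^\$5\$/) s = "sha256-crypt"
            else if (h ~ /^\$1\$/) s = "md5-crypt"
            else if (h == "")      s = "no-hash"
            else                   s = "other"
            print $1, s
        }' "$1"
}

# Names whose hash uses one of the schemes the page calls weak ($1$ or $5$).
weak_accounts() {
    hash_schemes "$1" | awk '$2 == "md5-crypt" || $2 == "sha256-crypt" { print $1 }'
}

# Constructed sample file; salts and hashes are placeholders, not real values.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample
alice:$6$examplesalt$PLACEHOLDERHASH:1001:1001::/home/alice:/bin/false
bob:$1$examplesalt$PLACEHOLDERHASH:1002:1002::/home/bob:/bin/false
carol:!$5$examplesalt$PLACEHOLDERHASH:1003:1003::/home/carol:/bin/false
dave::1004:1004::/home/dave:/bin/false
EOF

hash_schemes "$SAMPLE"
echo "weak: $(weak_accounts "$SAMPLE" | tr '\n' ' ')"
```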

OpenLiteSpeed: Password protection for subdomains fixed

Sub-domains created using the new default path ~/domains/sub.domain.com/public_html can now use password protected directories, without needing to create the sub-domain as a full domain. This also addresses password protection on directories for subdomains created using a custom path. Note, the custom path should end with public_html or private_html, e.g. ~/domains/custom/public_html.
