Version 1.676
Released: 2025-04-22
custombuild new
Dovecot 2.4.x
Starting with this release, the new Dovecot 2.4.x releases will be used by default.
Older Dovecot versions (2.3.x) are still supported but will only be used if the Dovecot version is explicitly customized.
Note: There are significant changes in Dovecot 2.4.x configuration. To support both versions, CustomBuild uses different configuration files depending on the Dovecot version. If the old Dovecot configuration files were customized, these customizations will not be used when building Dovecot 2.4.x. To apply the same customizations to Dovecot 2.4.x, new configuration files need to be customized as well.
new
New hook: setquota_post.sh
Hook to be called after any call by DirectAdmin to the setquota or xfs_quota binaries, when setting quota limits for Users. See the setquota_post.sh hooks documentation for more information.
new
dns_raw_save_post.sh to include variables remote_username, remote_hostname, filename, sign_zone
Calls to CMD_API_DNS_ADMIN?action=rawsave&username=remote_username&hostname=remote_hostname, usually called by a master DirectAdmin DNS server, will now pass the remote_username, remote_hostname, filename, and sign_zone variables down to the dns_raw_save_post.sh hook script.
new
Templates: user_limit.txt and reseller_limit.txt now support token scripts, plus new tokens
The user_limit.txt and reseller_limit.txt template files now support the |$/bin/sh ... DONE| method of scripting. Scripts run as root. This should allow greater control of the content of the messages sent to Users/Resellers.
This change also includes new tokens for the user_limit.txt, based on the directadmin variable hard_quota_multiplier=1.1:
- QUOTALIMITGIG_HARD
- QUOTALIMITMEG_HARD
- INODELIMIT_HARD
new
New variable: admin_ssl_cert_on_create=1 to prevent new AutoSSL certificates on creation
If you do not wish to have DirectAdmin automatically create certificates when a new domain, subdomain, or domain pointer is created, set this new value to 0. They can still be created manually and managed normally. Existing certificates are not affected. Only the automatic trigger would be disabled when set to 0.
Documentation for the admin_ssl_cert_on_create variable
evolution improved
New design for selected files/folders action block in File Manager
The selected files/folders action block above the table in the File Manager has been redesigned to enhance user experience.
improved
‼️ Block SMTP authentication on port 25 and plain-text connections
The Exim configuration is updated to not allow users to perform SMTP authentication on TCP port 25. This means email clients will not be able to use port 25 for sending emails. TCP port 25 will be exclusively used for communication between mail servers, and clients will have to use ports 587 or 465.
The motivation for this change is to completely separate the mail server-to-server (MTA-to-MTA) communications from client-to-server (MUA-to-MTA) communications. This makes it easier to harden the email submission security. For example:
- TCP ports 587 and 465 could use custom firewall rules to only allow sending emails from trusted networks.
- It is no longer possible to brute-force the email credentials over the TCP port 25.
In addition to blocking SMTP authentication on TCP port 25, Exim will no longer allow SMTP authentication over plain-text connections. This change protects clients from accidentally misconfiguring email applications to not use encrypted connections. Use of encryption is critical because SMTP authentication uses literal user passwords without any hashing. Accessing SMTP over plaintext at least once is enough for the user credentials to be stolen. There is an exception made to allow not using encryption for internal connections over localhost.
This is a big change that might affect servers and clients that relied on authentication always being available. This feature is implemented in a way to allow server administrators to restore the old behaviour in a simple way.
The authentication availability on SMTP ports is controlled by the AUTH_ENABLE_CONDITION macro in the /etc/exim.variables.conf file. The new default policy is:
AUTH_ENABLE_CONDITION = ${if and { {!eq{$interface_port}{25}} { or { {def:tls_in_cipher} {match_ip{$sender_host_address}{<; 127.0.0.1 ; ::1}} } } }}
The policy can be changed by setting it to a different value in the /etc/exim.variables.conf.custom file and rebuilding the Exim configuration with the da build exim_conf command.
Examples:
# Use old (insecure) SMTP authentication policy, authentication always available
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = yes' >> /etc/exim.variables.conf.custom
da build exim_conf
# Block SMTP authentication on plain-text connections, but allow it to work on all TCP ports
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = ${if or { {def:tls_in_cipher} {match_ip{$sender_host_address}{<; 127.0.0.1 ; ::1}} }}' >> /etc/exim.variables.conf.custom
da build exim_conf
# Block SMTP authentication on TCP port 25, but allow it on plain-text connections on other ports
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = ${if !eq{$interface_port}{25}}' >> /etc/exim.variables.conf.custom
da build exim_conf
# Use the new (secure) DirectAdmin SMTP authentication policy
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
da build exim_conf
Note: It is highly recommended to use the new default SMTP authentication policy. The mechanism to revert to the old policy should only be used temporarily until all the clients are reconfigured to use SMTP submission ports (587 or 465) and encryption.
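A way to check the resulting policy from a remote client after rebuilding the Exim configuration, as an added example that is not part of DirectAdmin or its documentation. It assumes Exim stops advertising AUTH in its EHLO reply wherever AUTH_ENABLE_CONDITION is false; the function names and the mail.example.test replies are constructed for illustration.

```python
import smtplib
import ssl

def advertised_auth(ehlo_reply):
    """AUTH mechanisms listed in an EHLO reply (with or without '250-' prefixes)."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        line = line.strip()
        if line[:3] == "250" and line[3:4] in ("-", " "):
            line = line[4:]
        parts = line.replace("=", " ").split()  # also accept legacy "AUTH=PLAIN"
        if parts and parts[0].upper() == "AUTH":
            mechs.update(p.upper() for p in parts[1:])
    return mechs

def violations(observations):
    """Flag (port, tls_active, ehlo_reply) observations that break the default policy."""
    findings = []
    for port, tls_active, reply in observations:
        if not advertised_auth(reply):
            continue
        if port == 25:
            findings.append((port, tls_active, "AUTH offered on port 25"))
        elif not tls_active:
            findings.append((port, tls_active, "AUTH offered without TLS"))
    return findings

def probe(host, port, timeout=10):
    """Live capture: EHLO before and after STARTTLS (465 is implicit TLS)."""
    ctx = ssl.create_default_context()
    implicit = port == 465
    cls = smtplib.SMTP_SSL if implicit else smtplib.SMTP
    kwargs = {"context": ctx} if implicit else {}
    with cls(host, port, timeout=timeout, **kwargs) as s:
        s.ehlo()
        seen = [(port, implicit, s.ehlo_resp.decode(errors="replace"))]
        if not implicit and s.has_extn("starttls"):
            s.starttls(context=ctx)
            s.ehlo()
            seen.append((port, True, s.ehlo_resp.decode(errors="replace")))
    return seen

# Constructed EHLO replies (not captured from a real server).
NEW_POLICY = [
    (25, False, "250-mail.example.test Hello\n250-STARTTLS\n250 HELP"),
    (587, False, "250-mail.example.test Hello\n250-STARTTLS\n250 HELP"),
    (587, True, "250-mail.example.test Hello\n250-AUTH PLAIN LOGIN\n250 HELP"),
]
OLD_POLICY = [(25, False, "250-mail.example.test Hello\n250-AUTH PLAIN LOGIN\n250 HELP")]
```

Run probe() from a host other than the mail server itself, because connections from localhost are exempt from the TLS requirement, and pass the combined results for ports 25, 587 and 465 to violations().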
improved
CSF: Adjusted SMTP_PORTS for SMTP_BLOCK to block 25 port only
The primary purpose of enabling SMTP_BLOCK was to prevent hacked websites from making direct SMTP connections to other servers for email delivery, as these were difficult to track and resolve. However, the inclusion of ports 465 and 587 in the block list often led users to disable SMTP_BLOCK when whitelisting specific users was not an option. Reducing the blocked ports list to only port 25 should eliminate the need to fully disable the feature for most users.
improved
Expose per-mailbox daily send limit and send count
The configuration option user_can_set_email_limit used to control much more than just users' ability to set per-mailbox daily send limits. When this option was disabled:
- The total number of emails sent today and the limit value were not visible for the users.
- The hook email_change_pass_pre.sh did not receive the limit parameter (despite daily send limits actually being enabled).
- The admin accounts could not set custom limits for different users on the modify user page.
However, the limits were always being set and being enforced even when the user_can_set_email_limit option was disabled.
With this release, the option user_can_set_email_limit is updated to only prevent users from changing the per-mailbox limit. Other side effects are removed. This means:
- Users will see the effective limits and email send count in the UI.
- Admins will be able to personalize this limit on the modify user page.
- The hook email_change_pass_pre.sh will always receive the limit parameter.
This will make the daily per-mailbox limiting feature more transparent and easier to understand.
improved
Default value for max_per_email_send_limit changed from -1 to 200
The default value of the max_per_email_send_limit configuration option in directadmin.conf is changed from -1 to 200.
The old default value -1 had a special meaning: the value from the /etc/virtual/user_limit file should be used instead. But the default value in the /etc/virtual/user_limit file is 200.
improved
Simpler daily per-mailbox email limits configuration
There used to be two points where the maximum daily per-mailbox send limit could be controlled.
- In the file /etc/virtual/user_limit. It is used by all mailboxes that do not yet have a daily email limit configured. Usually used on systems where users cannot control mailbox limits themselves.
- Field max_per_email_send_limit in the file directadmin.conf. It replaces the limit set in /etc/virtual/user_limit on the systems where users are allowed to change per-mailbox limits.
Starting with this release, everything will be controlled by the max_per_email_send_limit field in the directadmin.conf file. All mailboxes will always have a daily sending limit configured, and the file /etc/virtual/user_limit will not be used at all.
Automatic migration will take care of setting the correct value for the max_per_email_send_limit field in the directadmin.conf file by copying it from the file /etc/virtual/user_limit, but only if it was not configured already.
A new taskq action action=apply-email-per-mailbox-limits is added. When executed, it will check all mailboxes on the system and set correct per-mailbox daily send limits. If users are not allowed to set per-mailbox limits for their own email accounts, then the limit set in directadmin.conf or user.conf will be set for all their mailboxes. If users are allowed to control per-mailbox limits, then configured limits will be kept, unless they are higher than allowed by the directadmin.conf or user.conf. In that case limits will be lowered to the maximum allowed value.
When the administrator changes the user-specific per-mailbox limit (in the file user.conf), then the task to reconfigure mailboxes owned by that user will be automatically executed.
When the administrator changes the global per-mailbox limit (in the file directadmin.conf), then all system mailboxes will be checked and reconfigured if needed.
These changes allow a single configuration option in directadmin.conf to replace the previously used combination of /etc/virtual/user_limit and max_per_email_send_limit.
Note: Email limits for mailboxes will be reconfigured automatically only if changes are made in the DirectAdmin UI. If configuration files are modified directly on the system, the administrator needs to run the reconfiguration task manually with the command:
da taskq --run 'action=apply-email-per-mailbox-limits'
custombuild improved
Software version changes
- composer updated from 2.8.6 to 2.8.8
- dovecot updated from 2.3.21.1 to 2.4.1-4
- imagick updated from 3.7.0 to 3.8.0
- lego updated from 4.17.4-SNAPSHOT-8164e09c to 4.22.2-SNAPSHOT-7dfd0734
- litespeed updated from 6.3.2-3 to 6.3.2-4
- modsecurity_owasp_rules updated from 4.12.0 to 4.13.0
- MySQL 8.0 updated from 8.0.41 to 8.0.42
- MySQL 8.4 updated from 8.4.4 to 8.4.5
- nginx updated from 1.27.4 to 1.27.5
- openlitespeed updated from 1.8.3 to 1.8.3.1
- phalcon5 updated from 5.9.0 to 5.9.2
- PHP 8.3 updated from 8.3.19 to 8.3.20
- PHP 8.4 updated from 8.4.5 to 8.4.6
- xapian-core updated from 1.4.27 to 1.4.29
- imagemagick removed
evolution fixed
Usage history pages display nonsensical data
User, reseller and admin level usage history pages display garbage data if there is no prior data collected (which is collected once a month). With the added fix, for example, if a newly created user were to go to System Info & Files -> Site Summary / Statistics / Logs -> User History, they will now instead see a message letting them know why no proper data could be displayed.
evolution fixed
File Manager drag and drop
The drag and drop functionality for file uploads and the drag to move feature for relocating files or folders to other directories have been fixed and are now fully operational in this release.
evolution fixed
Can't open menu entry in new tab
Menu entries which would open in a new tab could not do so on icons grid and sidebar layouts when the viewport was too small. For example, if a user were on mobile, going to user level -> Extra Features -> phpMyAdmin closed the modal menu but did not open phpMyAdmin in a separate browser tab.
fixed
Nginx IP virtual-host PHP fallback
The Nginx template for virtual-host configuration on IP literal address (file data/templates/nginx_ips.conf) is updated. The change to the template is to try adding the default PHP configuration for IPs that belong to a user that does not have a PHP-FPM config.
fixed
Always install Dovecot custom_passdb.conf file
The default Dovecot configuration has an include statement for the conf/custom_passdb.conf file. This file can be used for adding extra authentication configuration, but it is not really needed for a standard DirectAdmin installation.
Since DirectAdmin version 1.665, this file was not installed automatically from the CustomBuild customizations directory /usr/local/directadmin/custombuild/custom.
To make it consistent with all the other configuration files, a new empty custom_passdb.conf file is added to the default configuration. This file will always be installed, either the default empty file or the customized file.
fixed
Different subdomain PHP version shown as selected from what is actually used
Previously, when a subdomain was created, it would default to the PHP version that the main domain used. This resulted in a side-effect where within the Subdomain Management page (User Level -> Account Manager -> Subdomain Management) the subdomain's selected PHP version was incorrectly displayed as the first available version on the server. Meanwhile, accessing a page on the subdomain that displays PHP info showed a different (correct) PHP version.
With this fix, newly created subdomains will save the PHP version that the domain had at the time of said subdomain's creation. This means that changing the domain’s PHP version no longer affects its subdomains.
fixed
Create Reseller: Account IP = Global, without Share Server IP causes both to be in Reseller's IP list
When creating a Reseller, if a Global IP is chosen in the "Account IP" option and "Share Server IP" is not in the Reseller Package, the Server IP ended up in the Reseller's IP list anyway.
Documentation for Creating Resellers with Global IPs
evolution removed
Removed quick navigation from File Manager
The quick navigation feature, previously located at the top of the File Manager sidebar, has been removed. This decision was made because the sidebar's existing navigation structure is sufficiently intuitive, rendering the quick navigation redundant and unnecessary.
custombuild removed
Removed customizable version of imagemagick library
CustomBuild will no longer build a custom version of the imagemagick library. Instead, the default version that comes with the system will be used.
If a custom version of the imagemagick library is already installed on the system, CustomBuild will report that it can be removed with the da build remove_imagemagick command.
Removing the locally installed imagemagick library will recompile the PHP imagick extension to be linked with the system version of this library.
If the locally installed library is not removed, then building the PHP imagick extension will continue linking against the locally installed library.
removed
Removed crypt_method configuration option from directadmin.conf
The password hash functions used to hash passwords for passwd-style files will no longer be configurable. The default value (SHA-512 method, also known as $6$) will always be used.
This change will help old servers that are still stuck with weak hashing algorithms ($1$ or $5$) to migrate to stronger hashes.
fixed
OpenLiteSpeed: Password protection for subdomains
Sub-domains created using the new default path ~/domains/sub.domain.com/public_html can now use password protected directories, without needing to create the sub-domain as a full domain. This also addresses password protection on directories for subdomains created using a custom path. Note, the custom path should end with public_html or private_html, e.g. ~/domains/custom/public_html.