new: CMD_API_DNS_MX allowed to be called by Reseller if User has it disabled
If "DNS Control" is disabled for a User, a Reseller is not able to use it, unless they enable it for the User, make the change, then disable it again.
This change will allow a Reseller to make an API call with CMD_API_DNS_MX, logged in as themselves, which makes changes to that User (User=fred in the example below).
They must have control over that User, and must also be allowed to have "DNS Control" in their Reseller settings.
new: Check for ruid2 with CB 1.1/1.2
Template changes in DA 1.43.0 added tokens for certain aspects, such as mod_ruid2, eg:
RUidGid |USER| |GROUP|
RGroups apache |SECURE_ACCESS_GROUP|
Where the HAVE_RUID2 token was new.
This token is set to 1 if:
is set in the options.conf for custombuild 2.0 (1.1 and 1.2 are not checked).
Users who had manually installed mod_ruid2 and relied on the
<IfModule mod_ruid2.c> would have run into issues with the 1.43.0 update.
This fix will have DA make a manual check for all 1.1 and 1.2 Custombuild systems.
will be checked for this text:
And if that text exists anywhere in the file (even if it's commented out), then the HAVE_RUID2 token will be set to 1.
Even if it's commented out, it doesn't matter much, as the
<IfModule mod_ruid2.c> code will skip it when apache is started up.
The whole point of the token was to make the httpd.conf files smaller, and to lower the amount of ram apache uses.
It was noticed that the apache memory usage dropped quite a bit with fewer httpd.conf options.
new: Security Questions for extra layer of protection (SKINS)
Ability to enable Security Questions where a valid login will take the client to another authentication page, asking for a valid answer to a pre-defined question.
If you're using a custom skin, it's very important to update the skin to have these changes.
If you enable this feature with a DA skin, then switch to an old skin without these changes, when you log in you'll get a "Document not Found" error and won't be able to answer the question, and you'll be locked out of DA (manual root ssh changes needed to turn it off for this User).
The Security Questions page can be accessed from the "Password" icon, at the top of the page (where a DA User changes their password)
Checkbox to enable/disable Security Questions
Checkbox to allow API connections to the account with this DA username with their password: if disabled, no CMD_API call will work for this account when accessing the account with the usual password, so only disable APIs if you know you don't need them.
This API checkbox does not apply to Login Keys, so you can disable APIs with the password, but APIs will still work when using a Login Key (they're so long that they won't likely be guessed).
There is no checkbox for Login Keys. If you don't want to allow Login Keys to access the API, don't create a Login Key.
This feature is an extra layer of security, in addition to the current Brute Force Attack monitor for port 2222:
#1 from this guide http://help.directadmin.com/item.php?id=404
The list of questions is stored in:
The very first line will look something like:
where index 1 will always store the number of entries in the file... in this case, the last entry is index 22=...
Basically, just take the highest number at the bottom, and use that (#1 skips itself automatically).
To add more entries, edit this file, and use:
chattr +i security_questions.txt
to lock it from update overwrites.
Language changes can have their own copy, in their own language.
New user.conf values:
security_questions=yes - Security questions will be required, if they're present.
api_with_password=yes - The API is allowed, using the current password. Login Keys and Session Keys are always allowed.. this setting does not affect them.
notify_on_all_question_failures=yes - When enabled, all incorrect answers will generate a Message to the User (not to Admins).
"no" will still send a message to Admin and User after
New directadmin.conf values, these are the internal defaults:
The block_ip_after_failed_security_questions option can be set to 1, and on the last attempt, a warning will be given to the User that their IP will be blacklisted.
If you set:
then no warning will be given.
Of course, this requires that you have the Blacklisting turned on in your Admin Settings (if it's off, go turn it on.. now!)
and many additions to:
new: BFM: Option to only send an email notification
Since Brute Force Attacks are fairly common, their notifications can often overwhelm your Message System.
This option will allow you to have DA only send you an email with the notice, instead of sending you a System Message.
The email will contain the details of the attack (vs the ticket notifications which only send you the notice of a ticket)
It will also include a link to the server and brute force monitor, to more quickly see what's going on.
This option requires that the BFM message be enabled, and not hidden:
To enable it, add:
to your directadmin.conf and restart DA.
DA 1.44.4 feature: Set an alternate email for notifications:
Closely related to the all_backups_post.sh:
except it's called before the backups are run.
See id=1237 for more info.
If you exit with a non-zero result, the process will be aborted.
Use the same method to retrieve the variables, eg:
immediately after issuing the backup creation.
new: exim.pl VERSION=13 use ids path for per-email limit
Use the ids path for the per-email limit, not the per-user limit.
This is to prevent double counting of sends under the per-email limit.
If you're not using the per-email limit (limits per email account), then this wouldn't apply to you.
wget -O /etc/exim.pl http://files1.directadmin.com/services/exim.pl.13
This does have a minor requirement, where the /etc/virtual/limit must be enabled.
If it's not enabled, the check on the user_ids is never done, so the attempts would pile up.
If you only have a /etc/virtual/user_limit set, and /etc/virtual/limit is 0, then this change won't work.
But 99% of the time, if the /etc/virtual/user_limit or /etc/virtual/domain.com/limit/user is set, then /etc/virtual/limit will be too (to a value greater than 0)
new: Option to skip Uebimiau webmail data from backups
Since Uebimiau is no longer included anyway, if you still have Users using it but want to skip it from the backup, you can add this option to your directadmin.conf to speed up backup creation:
The internal default is:
It will skip the data from:
This does not affect restores.. which will restore the webmail data if it exists in the backup.
new: load_top_string to specify the top output on high load
New directadmin.conf option, to allow changes to the output DA gives on high load.
load_top_string=/usr/bin/top -b -d 1 all
load_top_string=/usr/bin/top -c -b -n 1
new: Moved the finish line in filter_base so spam is processed first
to move the BLOCKLEVEL and SPAMFILTERS sections before the line:
if error_message then finish endif
After updating to 1.43.1, all filters should automatically be rewritten with this change.
new: Ability to duplicate backup crons
Simple "Duplicate" button on the Admin and Reseller backup pages, for cronjobs.
It will duplicate 1 or more pre-existing cronjobs to a new ID, in case you wanted to only change a few minor aspects of a cron in a new entry.
The variables in the form:
has been changed to:
and new entry added for this feature:
along with the select0, select1, etc..
However, the old action=delete is still accepted for backwards compatibility.
new: Re-install check for ./directadmin i
If someone accidentally runs:
when DA is already installed.. DA will confirm with the user if a re-install is actually intended.
When ./directadmin i is called, DA will check to see if conf/directadmin.conf exists.
If it does, then it will ask the question, and abort if 'n' is specified:
The config file already exists:
Do you really want to install DirectAdmin again? (y/n): n
Aborting the re-install.
If no directadmin.conf is installed, then the question will not be asked (so automated installers don't get broken)
new: PHP Version Selector (SKINS)
If you have CustomBuild 2.0 and are using 2 php versions/types, this feature will let the client select which of the 2 is associated with the .php extension.
It also allows for the 2nd php version to be specified, to use either of the 2 php types.. but the extension will change based on the version of php selected (Eg php53 or php54, etc.)
Note that the httpd.conf rewrite requires an apache restart, which can take up to 1 full minute.
The php version selector does not use .htaccess files to make the changes, rather direct changes to the tokens used in the templates.
add after the HAS_MULTIPLE_IPS section (after the |*endif|)
new: lower the time between load spike notices from 1 day to 10 minutes
Changed the load spike notice interval to run at most once every 10 minutes, instead of at most once per day.
new: add_userdb_quota for dovecot quotas
Ability to have DA add quotas to the file:
so that the dovecot quota plugin can use it to limit quotas within imap.
Without this option, quotas are only enforced by exim on the inbox for incoming emails.
A sample line from a passwd file with this option would look like:
To enable DA to add the quota options, add:
to your directadmin.conf, and restart DA.
The internal default is 0.
After turning on the option, to convert all existing files to use the extra format, use one of these new task.queue commands:
echo "action=rewrite&value=email_passwd" >> /usr/local/directadmin/data/task.queue
echo "action=rewrite&value=email_passwd&user=fred" >> /usr/local/directadmin/data/task.queue
Dovecot how-to portion of using these changes:
Related to enable quota display for dovecot/imap:
Related forum request:
new: User notice if pop cache to be updated (SKINS)
For many domains with hundreds of email accounts, the pop usage cache will speed up the display of the page:
However, it takes up to 1 minute after loading the page for the cache to be updated, as it's triggered by the load of the page.
To avoid confusion, a simple message is displayed if the usage.cache is to be updated, and reminding them to refresh the page in 1 minute for an updated display with correct information.
new: login_as_master_name for all hook scripts
If you use any of the pre/post.sh hook scripts in:
before this change, you'd have no way of knowing if a call was made using the login-as feature, or directly as a User.
With this change, anytime a login-as call is made, for any pre/post script, an extra variable is added with the name of the master (logged in from)
in addition to the variables that were there before.
If login-as is not used, the variable will not exist at all.
Relating to this feature:
and this change:
This will allow a directadmin.conf option to override the load notice interval.
The internal default is 10 minutes:
To override it, add it to your directadmin.conf, with a new value (in minutes)
fixed: move main ftp account creation to DA user creation
Previously the system ftp account was set each time a domain was created.
This means that for Admin accounts who do not have domains at first, no ftp account exists. This could be resolved by creating a domain to add the ftp account.
The reason this is an issue is that if you set a custom ftp password for your system ftp account (when you already have a domain), and then create another domain, the main account ftp password is reset to your login value, which is not correct.
This change will move the ftp account creation code to the User creation so it's only ever set once.
fixed: Rename email: update da_roundcube.identities
When changing the name of an email account, DA now also updates the da_roundcube.identities table.
It was previously just updating the da_roundcube.users table.
This fix also deletes the records from the da_roundcube.users table.
The cascade functionality automatically removes the linked entries from da_roundcube.identities.
fixed: A domain can have max 63 characters between dots
Named requires that a domain string (any string value between the .dots.) have a max of 63 characters.
Added a check to DA's internal definition of a domain to make sure of this.
so these are valid:
63.com (where I mean it's 63 characters long)
But this is not:
again, where the numbers are the length of the strings, not a literal string value.
fixed: Apache 2.4 disabling protected directory causes internal server error
For Apache versions previous to 2.4, with regards to shutting off the password protected directory option, DA simply removed the following line from the .htaccess file:
With Apache 2.4, this causes an internal server error, with the following Apache error in the logs:
[Sat May 04 13:43:28.165689 2013] [authz_core:error] [pid 9673:tid 3007343504] [client 192.168.1.102:4326] AH01627: AuthType configured with no corresponding authorization directives
So the fix is to also remove the AuthType line from the .htaccess.
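A file-level check for the state described above, as an added example (not DirectAdmin's code): it flags any .htaccess that still sets AuthType but has no Require directive in the same file, and applies the same fix of dropping the AuthType line. The sample file contents and the placeholder path are constructed, and directives inherited from the server configuration are not considered.

```python
import os
import re
import tempfile

# Apache directive names are case-insensitive; a leading '#' makes a comment,
# so commented-out directives do not match either pattern.
AUTHTYPE = re.compile(r"^\s*AuthType\b", re.IGNORECASE)
REQUIRE = re.compile(r"^\s*Require\b", re.IGNORECASE)


def orphaned_authtype_lines(text):
    """Return 1-based line numbers of AuthType directives in a file that
    has no Require directive at all; empty list if the file is consistent."""
    lines = text.splitlines()
    if any(REQUIRE.match(line) for line in lines):
        return []
    return [i for i, line in enumerate(lines, 1) if AUTHTYPE.match(line)]


def strip_authtype(text):
    """Apply the fix described above: drop AuthType when no Require remains."""
    bad = set(orphaned_authtype_lines(text))
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + ("\n" if kept else "")


def scan_tree(root):
    """Walk root and map each affected .htaccess path to its AuthType lines."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = orphaned_authtype_lines(fh.read())
            if found:
                hits[path] = found
    return hits


# Constructed sample: the state left behind once protection is switched off.
BROKEN = 'AuthName "Members"\nAuthType Basic\nAuthUserFile /placeholder/.htpasswd\n'
# Constructed sample: protection still enabled, so nothing is flagged.
INTACT = BROKEN + "require valid-user\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, ".htaccess"), "w") as fh:
            fh.write(BROKEN)
        print(scan_tree(tmp))
    print(strip_authtype(BROKEN), end="")
```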
fixed: Patch majordomo for new perl versions
The majordomo.sh install script will now apply a patch after the install of majordomo is complete.
Related forum thread:
fixed: Move filter skip line after blocking after high scoring spam
Move the location of the filter exit (if error_message) to below the check/drop of high scoring spam.
fixed: Reseller limit allocation not counting Users when added
Bug, which seems to have been introduced in 1.41.0 and gone unnoticed until now.
A code change caused the total amount being added to be 0, when it was not 0.. so it always ended up below the allocation.
fixed: Nginx redirect domain pointer not adding entry
User nginx.conf does not have an entry for redirect-type domain pointers.
Current workaround: use an "alias" type of domain pointer, until this is fixed.
Also reported that an apache VH was added to the nginx.conf.
New template file:
which is the nginx version of redirect_virtual_host.conf, same tokens.
fixed: Move the user.conf write before user_create_post.sh
During user creation, the final user config write call has been moved such that it's called before the user_create_post.sh is called.
This allows the user_create_post.sh to run API calls on that User, and check the user.conf, etc.. should be very handy to several developers.
Sample, to create a database with the User:
fixed: Pipe both stdout and stderr in all pre/post hook scripts
Previously, DA only read in stdout from all pre/post hook scripts.
If you ran anything that output to stderr, it would not be read in, and would likely overflow the read buffer and might hang whatever was trying to send that text.
Changed all calls to the script to have:
at the end, so all stderr is piped to stdout for DA.
fixed: Security: more backup pre-checks
Relating to this previous fix:
Several more checks are added to ensure there are no symbolic or hard links.
Thanks to www.Rack911.com for reporting these 3 significant issues.
It's recommended everyone update DirectAdmin to address the issues.
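An added illustration of this kind of pre-check, not DirectAdmin's implementation: before a privileged process reads a User-controlled file, it refuses symbolic links and files with more than one hard link, inspecting the already-open descriptor so the file cannot be swapped between the check and the use. The function names are hypothetical and the demo files are constructed.

```python
import os
import stat
import tempfile


class UnsafePath(Exception):
    """The path must not be read by a privileged process."""


def open_regular_nolink(path):
    """Open path read-only, refusing symlinks and multiply-linked files.

    O_NOFOLLOW makes open() fail if the final path component is a symlink
    (parent directories are not covered). Type and link count are read
    from the open descriptor, so a swap after the check has no effect.
    """
    # O_NONBLOCK keeps open() from hanging if the path is a FIFO.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise UnsafePath(f"refused at open: {exc.strerror}") from exc
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        raise UnsafePath("not a regular file")
    if st.st_nlink != 1:
        os.close(fd)
        raise UnsafePath(f"{st.st_nlink} hard links")
    return fd


def check(path):
    """Return 'ok' or the refusal reason, e.g. for a sweep before a backup."""
    try:
        os.close(open_regular_nolink(path))
        return "ok"
    except UnsafePath as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed demo files in a throwaway directory.
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "real.txt")
        with open(real, "w") as fh:
            fh.write("data")
        os.symlink(real, os.path.join(tmp, "sym.txt"))
        print(check(real), "|", check(os.path.join(tmp, "sym.txt")))
        os.link(real, os.path.join(tmp, "hard.txt"))
        print(check(real))
```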
fixed: Linked IP backup/restore
The User backup should not have the linked IPs in the DB files, as they won't be swapped out during the restore.
Also, at restore time, the new account should have the linked IPs set to the new domains as required.