Version 1.48.0

Released: 2015-05-03

ssl_redirect_host to allow port new

Relating to:

option to specify the redirect host value when http is used on an https protocol

The setting now supports an optional port at the end, eg:

in case you wanted to redirect the http connections to https somewhere else, to give them more explanation.

Note, that the redirect value must be using an https port, as "https" will still be part of the Location redirect.

Maintain previous named.conf permission and ownership new

When deleting a zone from the named.conf, DA will now read the uid/gid and mode from the old named.conf.

The fd will be set to the old uid/gid/mode, after the file is open, but before data is written to it (so it's created as desired).

This means you can set:

chmod 640 /etc/named.conf
chgrp named /etc/named.conf

if you desire.
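
An added shell sketch of the same sequence (not DirectAdmin's own code): read the uid/gid and mode from the old file, create the replacement with mktemp, apply the old ownership and mode while it is still empty, then write and rename. The one-line zone format and the sample file are constructed for the example, and `stat -c` assumes GNU or BusyBox stat.

```sh
#!/bin/sh
# Added example, not DirectAdmin code: delete one zone line from a
# named.conf-style file while keeping the old owner, group and mode.

remove_zone() {
    conf=$1
    zone=$2

    # Read uid:gid and mode from the old file first.
    owner=$(stat -c '%u:%g' "$conf") || return 1
    mode=$(stat -c '%a' "$conf") || return 1

    # mktemp creates the new file with mode 0600, in the same directory so
    # the final mv is a rename on one filesystem.
    tmp=$(mktemp "${conf}.XXXXXX") || return 1

    # Apply the old uid/gid/mode while the new file is still empty.
    if ! chown "$owner" "$tmp" || ! chmod "$mode" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Copy every line except the zone being deleted (fixed-string match).
    # grep exits 1 when it prints nothing, which is not an error here.
    grep -v -F "zone \"${zone}\" " "$conf" > "$tmp" || [ $? -eq 1 ] || {
        rm -f "$tmp"
        return 1
    }
    mv -f "$tmp" "$conf"
}

# Constructed sample: a two-zone file set to 640 as in the text above.
demo_mode() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/named.conf" <<'EOF'
options { directory "/var/named"; };
zone "example.com" { type master; file "/var/named/example.com.db"; };
zone "example.net" { type master; file "/var/named/example.net.db"; };
EOF
    chmod 640 "$dir/named.conf"
    remove_zone "$dir/named.conf" example.com || { rm -rf "$dir"; return 1; }
    # Report the resulting mode and how many zones are left.
    result="$(stat -c '%a' "$dir/named.conf") $(grep -c '^zone ' "$dir/named.conf")"
    rm -rf "$dir"
    echo "$result"
}

demo_mode
```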

Wildcard for domainips with SpamBlocker 4.3.x new

DA will now set:


where is the server IP, in your file:


if the feature is enabled:

DA to manage domain IPS file for exim outbound IP/interfaces

This lets you add a * character after the lsearch in the "interface" section, so it has a fallback IP.

If you want to specify a different fallback IP, other than your server IP, you can set in the directadmin.conf with the variable:


can be an IPv6, if you wish, and if exim supports it.

Both should also work:

domainips_default_ip= ; 2001:0db8:85a3::8a2e:0370:7334

Future SpamBlocker updates should have the lsearch* set by default.

For now, just add the *

If you're on LAN, and you've set the lan_ip= variable, DA will use this instead of the server IP.

If you don't like this value, then use the domainips_default_ip= option to set what you need.


you can force a rewrite of the /etc/virtual/domainips file with:

echo "action=rewrite&value=domainips" >> /usr/local/directadmin/data/task.queue

Note: this does not include:


for that, you'd have to replace lsearch with nwildlsearch in the exim.conf, where the interface is set with the domainips file.

log format combined set to COMBINED_LOG token in (TEMPLATES) new

New global token:


as set by the apachelogdir setting in the directadmin.conf.

Changes in:





added to top section:


and change the format from:

CustomLog /var/log/httpd/domains/|DOMAIN|.log combined



Purpose for the COMBINED_LOG token is so you can do things like:

SetEnvIf Request_URI "^/favicon.ico" dontlog
|?COMBINED_LOG=combined env=!dontlog|

In the |CUSTOM| token in Custom Httpd Config, to prevent logging of things you really don't need to be logging.

Login Key logs new

The "Login Keys" feature will now be logged.

You can view the logs for a given Login Key from:

User Level -> Login Keys

in the Log column, click "View" next to key.

There is also a "Tail" button, to view just the last 10 lines.

The logs will be in:


Rotation of the log will adhere to the "Number of apache logs to keep" option, and will be rotated daily.

Tickets and Message pages are now far easier to read (SKINS) new

The large string to fill the token:


in user/ticket/view.html

will fill the tables differently.

The subject will only be shown once at the top, since it never changes.

Below that will be a list2 (slightly darker grey) with the date and from.

Below that will be list, with the message, and rounded corners at the bottom of each message.

The old Message/Tickets were hard to read due to the excessive blue headers stealing the eye's attention.

Now the messages themselves will draw the eye, for faster scanning.



Now requires:

    padding: 15px;

.message, td.message_info
    box-shadow: 1px 1px 3px #727272;

    border-top-right-radius: 10px;
    border-top-left-radius: 10px;
td.message_info_round_bottom, .message_round
    border-bottom-right-radius: 10px;
    border-bottom-left-radius: 10px;
    padding: 5px;

    COLOR: #777777;

Ability to change random password characters new

New directadmin.conf option, enabled by default:


will include characters that could look like other characters, depending on the font.

These characters are:


If you don't want DA to include those values in the random passwords, you can add:


and the above won't be included.

Relating to Ability to include special characters in random password generation (SKINS)


In some cases, you may want a reduced set of these characters.

To do this, you'd simply set:


which will offer a greatly reduced list of special characters:


Email Disk Usage option to show true bytes rather than block usage new

By default, the E-Mail accounts page will show you the usage of each account, in terms of how much disk space the account is using up: how many blocks are used.

This may cause confusion because quota reporting for dovecot uses the file's size, rather than block usage, so the two numbers could vary by a large degree.

New option, added to DA (default)


Where you can set it to 1:


and the E-Mail usage page will instead show the sum of the file sizes, rather than the block usage.

The "hover-over" popup will show the "other" size, that isn't displayed for both 0 and 1, as:

Block Usage:

Apparent Size:

where Block Usage represents the block usage of the account, and Apparent Size represents the sum of the file sizes.

User ability to skip paths from their tar.gz backup files new

New optional file:


where User can add paths to this file that they wish to have skipped from their backup.

The format of the file must be relative to /home/user and should not include a "/home/user" prefix.

New default internal directadmin.conf setting:


can be disabled by setting it to 0 and restarting DA.

A sample line in the .backup_exclude_paths would look like:


so that the path:


is skipped from the backup.

This will add:


just after the -C /home/username option in the creation of BOTH the home.tar.gz and the user's backup tar.gz.

So using the feature will truly exclude the path, regardless of if it's in /home/user/domains, or /home/user/*.

As you may have noticed, the option uses tar's exclude-file option.

This supports patterns, eg:


so you can skip those types of files, regardless of what path they're under.


Reported that a directory name isn't sufficient, and would need to explicitly define the /path/to/files/*.gz instead of just /path/to/files

CMD_API_ADDITIONAL_DOMAINS to include php selector information new

Relating to:

PHP Version Selector (SKINS)

The command:


will now have extra info:


if yes, then additional info will be added:

php1_info=PHP 5.5 fastcgi
php2_info=PHP 5.4 fastcgi

where the version and "fastcgi" info will change in a similar fashion to the select box text in the GUI.

These php1/2 values are the currently active values.

The other related values are:


but these "select" values will not always line up with the phpX_ver/info above, if they're flipped.

The "select" values are the domain.conf conversion instructions from the CB options.conf to the displayed value.

The ver/info values are the final/post converted values, so are truly what will be used.


  • if the User has not saved anything yet, the phpX_select values won't be present.

  • if "has_php_selector=no", then the php version information won't be available, but a disk "/usr/local/bin/php -v" can be relied on for the version.


The above example is in the unchanged state where php1/2 matches the CB options.conf.

If the user were to set:


this would make:

php1_info=PHP 5.4 fastcgi

To change domain settings, including the php version, use the call:


method: POST

where the numbers represent:

0: off
1: the php version from php1
2: the php version from php2

webapps_ssl default to reflect SSL= value new

Related to:

Ability to specify https for webapps scripts (SKINS)

By default the webapps_ssl default will match the SSL=0|1 value that's set in the directadmin.conf.

So if you enable SSL for DA, then webapps_ssl will also get enabled, automatically.

If you add webapps_ssl to your directadmin.conf, it will override this new default.

Cluster: Remote E-Mail Account sync new

Related thread:

Early version of the E-Mail Account cluster/sync feature.

This will simply sync the account information over to the other DA box.

It will use the API to login as this remote User (using the "login-as") and will match the commands done locally.

Currently supports:

  • create account

  • change account

  • delete accounts

  • suspend/unsuspend accounts

Currently does not support:

  • pop disk usage reported to main box

  • send count reported to main box

Optional files for fine control:



both of these lists can contain Users and/or domains.

  1. If neither file exists, all Users/Domains are synced

  2. If allow exists, no Users/Domains are synced, unless in this file. This file overrides deny.

  3. If User and/or Domain is in the deny, email will not be synced.

-> Only one of the User or Domain is required in the allow file. If either is present, email is synced.

-> If either of the User or Domain is in the deny, the email will not be synced, unless already allowed via "allow"

-> if allow exists, the deny is never checked.
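
The precedence of the two lists, written out as an added shell example (not DirectAdmin's code). The list paths are passed as parameters, and the one-entry-per-line file format and the sample names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not DirectAdmin code. Decides whether a User/domain pair is
# synced, given the paths of the optional allow and deny lists.
# Assumption: each list holds one User or domain per line.

in_list() {             # in_list FILE ENTRY -> 0 if ENTRY is a whole line
    grep -q -x -F -- "$2" "$1"
}

email_sync_allowed() {  # email_sync_allowed USER DOMAIN ALLOW_FILE DENY_FILE
    user=$1 domain=$2 allow=$3 deny=$4

    # Rule 2: once the allow file exists it is the only list consulted.
    if [ -f "$allow" ]; then
        if in_list "$allow" "$user" || in_list "$allow" "$domain"; then
            return 0
        fi
        return 1
    fi

    # Rule 3: no allow file, so a deny entry for either name blocks the sync.
    if [ -f "$deny" ]; then
        if in_list "$deny" "$user" || in_list "$deny" "$domain"; then
            return 1
        fi
    fi

    # Rule 1, and anything not denied: synced.
    return 0
}

decide() { if email_sync_allowed "$@"; then echo sync; else echo skip; fi; }

# Constructed walk-through of the cases, using throwaway list files.
demo_decisions() {
    d=$(mktemp -d) || return 1
    r1=$(decide fred example.com "$d/allow" "$d/deny")   # neither file exists
    echo fred > "$d/deny"
    r2=$(decide fred example.com "$d/allow" "$d/deny")   # User is denied
    r3=$(decide bob example.org "$d/allow" "$d/deny")    # not in deny
    echo example.com > "$d/allow"
    r4=$(decide fred example.com "$d/allow" "$d/deny")   # allow overrides deny
    r5=$(decide bob example.org "$d/allow" "$d/deny")    # allow exists, not listed
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4 $r5"
}

demo_decisions
```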


When you first turn on the feature, if A has accounts, but B does not, you can sync A to B with:

echo "action=rewrite&value=email_passwd" >> /usr/local/directadmin/data/task.queue

If the remote box fails then, like the dns clustering options, DA uses a task.queue retry for all commands, as long as you set the directadmin.conf setting "remote_dns_retries" to a non-zero value.

The format of the task.queue entry is:



  • fred is the DA username that called the email command

  • host is the host that failed, so it will only retry the single failed host

  • count counts down from the directadmin.conf option remote_dns_retries, until 0. The default is 0, so retries are not enabled by default.

  • longrequest is URL encoded post from the original client request. DA basically passes it to the User in the same manner.

  • Both the DirectAdmin Username and domain must exist on both servers. This may require you shut off the MSS on both servers until the account/domain exists, then turn it back on.

  • the receiving server (mirror) does need DA 1.48.0+

  • DA will call the CMD_API_POP command on the remote server, so ensure this is allowed in your login key.

  • the "Login As" feature is used, so ensure this is allowed on the remote box, for the given login key.

Related changes:

CMD_API_POP now optionally accepts the select0=fred&select1=bob method for deleting/suspending/unsuspending multiple email accounts.

Previously, it only accepted single accounts with "user=fred", which does still work if present. new

Relating to:

Include php script name is highest send count and ability to automatically chmod to 0 (TEMPLATES)


When the script is chmod to 0, you can now do additional tasks, such as renaming the script.

For this, create the custom script:


and chmod the script to 700. (run as root)

Env variables:


Sample script to rename a file:

#!/bin/sh
mv "${script}" "${script}.${username}.spam"
RET=$?
exit $RET

BlockCracking 1.2 can automatically block specific paths that send messages (TEMPLATES) new

Support for BlockCracking 1.2:

Changes to DA allow the new BC type "denied_path" in the mail_task.queue.

Requires version 20-beta2.

BC 1.2 uses a new file:


which contains a list of exim nwildlsearch regex path values, for example:


and compares the sending path against it.

If it matches, this path is dumped into the BC script block file:


just like bad sending scripts get for sending to too many bad recipients.

The regex doesn't use a trailing / after the final path, eg, we cannot use:


(this won't work)

because the cwd that exim sees doesn't end with "uploads/", it just ends in "uploads".

This will run the logical risk of blocking something like:


but... I can't really see this being a major issue.

Regardless, you should keep this in mind when selecting your regex.
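
An added example of that trade-off (not part of BlockCracking or DirectAdmin). The paths and the three patterns are constructed, and grep -E stands in for the regex match exim performs. The third pattern, which ends on a directory boundary, is a suggestion to test against your own file rather than something the release notes prescribe.

```sh
#!/bin/sh
# Added example. Paths and patterns are constructed; grep -E stands in for
# the regex match exim performs on the sending directory.

# Print the sending directories (stdin, one per line) that a pattern matches.
matched_by() {
    grep -E -- "$1" || true
}

sample_cwds() {
    cat <<'EOF'
/home/fred/domains/example.com/public_html/wp-content/uploads
/home/fred/domains/example.com/public_html/wp-content/uploads/2015/04
/home/fred/domains/example.com/public_html/wp-content/uploads-manager
/home/fred/domains/example.com/public_html/wp-content/themes
EOF
}

# 1) Trailing slash: never matches the bare "uploads" cwd.
P_SLASH='^/home/[^/]+/domains/[^/]+/public_html/wp-content/uploads/'
# 2) No trailing slash: matches it, but also the sibling "uploads-manager".
P_OPEN='^/home/[^/]+/domains/[^/]+/public_html/wp-content/uploads'
# 3) Directory boundary: "uploads" followed by "/" or the end of the string.
P_BOUND='^/home/[^/]+/domains/[^/]+/public_html/wp-content/uploads(/|$)'

# Number of sample directories a pattern would block.
count_matches() {
    sample_cwds | matched_by "$1" | wc -l | tr -d ' '
}

echo "trailing slash: $(count_matches "$P_SLASH")"
echo "open ended:     $(count_matches "$P_OPEN")"
echo "bounded:        $(count_matches "$P_BOUND")"
```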

DA is notified via the, and a message is sent out to notify everyone, in the same manner as before (same rules for script unblocking)


Use CustomBuild 2.0 to install BC 1.2 for you:


  • DirectAdmin 1.48.0 (or pre-release binaries April 24, 2015+)

  • exim.conf 4.3.3+

  • 20-beta2+



RELATED: 19 and exim.conf 4.2.3 (Manual changes) - BC 1.0 (nothing too useful here)

BlockCracking notices and unblocking (TEMPLATES) (SKINS) - directadmin.conf variables to control unblocking

BlockCrack notify admin - directadmin.conf variables to control who gets notified

Plugins area to use lan_ip option fixed

Previously, the "Admin Level -> Plugins" section did not use the lan_ip option.

Code has been added to properly bind to this IP for all outbound DA plugin calls.

-> version update and installs/updates.

Security: Various Security improvements fixed

DA-0284/0948 - safer password changing

DA-1537 - domain creation

DA-2238 - change all templates to write using mkstemp

DA-1968 - email creation and data restore

DA-1290/1797 - backup copy

DA-2483 - pointer link created as User.

DA-1104 - skin uploads

DA-1812 - subdomain creation

Templates Diff to html encode characters fixed

Html Encoded the diff output for CMD_TEMPLATE_DIFF.

Also swapped spaces with &nbsp;

and tabs with 4x &nbsp;
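
An added sketch of this encoding (not DirectAdmin's code) that shows why the order of the steps matters: the HTML special characters are escaped first and the whitespace is swapped afterwards, otherwise the & of each inserted entity is escaped a second time. The sample diff line is constructed.

```sh
#!/bin/sh
# Added example, not DirectAdmin code. The sample diff line is constructed.
TAB=$(printf '\t')

# Escape the HTML special characters first, then swap the whitespace.
encode_diff() {
    sed -e 's/&/\&amp;/g' \
        -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' \
        -e 's/ /\&nbsp;/g' \
        -e "s/${TAB}/\\&nbsp;\\&nbsp;\\&nbsp;\\&nbsp;/g"
}

# Same steps with the whitespace swapped too early: the "&" of every
# inserted entity is escaped again and shows up as literal text.
encode_diff_wrong_order() {
    sed -e 's/ /\&nbsp;/g' \
        -e 's/&/\&amp;/g' \
        -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g'
}

sample_line() { printf '+\t<a href="x">R&D</a>\n'; }

sample_line | encode_diff
sample_line | encode_diff_wrong_order
```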


delete_messages_days was deleting all tickets fixed

Relating to:

Message System: Clear Messages (SKINS)(LANG)

The option:


when set to a value greater than 0 would delete all tickets from the tickets.list files because the "newest file" from the tickets directory was not correctly being read in.

Fixed the read to get the accurate date of the newest message, so the comparison is accurate, and the tickets are not deleted when they shouldn't be.

File Manager URLs to use location encoding, rather than html fixed

Previously the href value in the filemanager were html encoded with &#1234.

I've changed the href values to use the %20 encoding, and left the actual html display as the html encoding.

FileManager not correctly showing long paths fixed

If a request path (directory or file) in the CMD_FILE_MANAGER was too long, DirectAdmin was not able to correctly send the file.

DKIM wasn't being added to domain pointers fixed

Creation of a domain pointer will now add the DKIM dns records to the pointer's zone.

It will use the existing /etc/virtual/*.key file.

If they don't exist, they will be created.

NOTE: this also means that if you have dkim=1 but a domain does not have any dkim keys, when a pointer is created, the main domain will obtain the DKIM keys.

So you'll need to ensure you add the DNS records for the main domain too.

For most cases, the main domain should already have the DKIM keys created, so this shouldn't be an issue.

check_subdomain_owner to allow bypass on User restore creation fixed

A Reseller is already allowed to create a User with a value:

check_subdomain_owner to allow owner to create users with subdomains

However, the restore did not allow it.

This change allows an override to allow to be created under a Reseller's User, but only when it's in the same process when the User is being created.

A restore for an existing User should already have the domain anyway, so won't hit that point, so it's not an issue. (and where the Reseller owns, of course)

It will be an issue if a Reseller is restoring a User, where the User already exists prior to triggering the restore, and the tar.gz has a new domain not already in their account, but this would be a rare case. (it's essentially a merge)

For that case, just shut off the check:


or add the mentioned to the override list:

Allow domain exceptions to the check_subdomain_owner

plugin .raw downloads uses too much ram on large files fixed


Direct plugin access to connecting socket

plugin index.raw to send in chunks

The process was saving all data into ram, as it was sending.

This causes a large amount of memory usage for large files.

Since DA really doesn't need to know what the data is, the design for the .raw method has been changed to not save the data as it goes out, using much less ram.

/etc/virtual/* to backup/restore fixed

/etc/virtual/* to backup/restore

If restore with Admin Level, direct files are set, regardless of global limits.

If restore is done with Reseller or User Level, then the standard limit setting function is used, where limits/values are checked and enforced.

FONT-SIZE: 8.5pt fixed

After a recent chrome update to 41.0.2272.89, the previous 8pt value used everywhere for over a decade has now lost a pixel in height, causing the font to be small and hard to read.

It's entirely possible that the Chrome change actually "fixed" a previous issue.. or could be a newly introduced bug.

After some testing, we've changed the 8pt size to 8.5pt (roughly 11px) which seems to restore the previous look.

Firefox looks fine with either. IE looks small with both (always has), but won't put much weight on IE.

If it is a Chrome bug, we'll revert to 8pt after it's fixed.

If it's actually a fix for Chrome to make the font look as it's actually intended, then we'll leave the changed value of 8.5pt in place.

Possibly related threads:!category-topic/chrome/give-feature-feedback-and-suggestions/y0dBAL2zJRY!msg/chrome/TLA408iuLdc/GPIi_yQIAR8J

Forum thread:

CentOS 7: /etc/logrotate.d/exim to be set to 644 fixed

Default exim logrotate file on CentOS 7 was appearing with 755, which logrotate didn't like. will now set it to 644, after the rpm is installed.

Likely 755 on other CentOS boxes, but logrotate may not have had this check.

The change applies to all CentOS boxes, but only CentOS 7 complained of the issue.

CMD_API_DU_BREAKDOWN wasn't implemented fixed

Related to the addition of CMD_DU_BREAKDOWN, the API version (CMD_API_DU_BREAKDOWN) was missed.

Disk Usage Breakdown - CMD_DU_BREAKDOWN (SKINS)

fix, add the check for CMD_API_DU_BREAKDOWN, and call to same function.

Change handshake_timeout default to 12 seconds fixed

Relating to:

directadmin.conf option: request_timeout replaces connect_timeout, new handshake_timeout

Previous default was:


but it looks like Chrome doesn't send any SSL handshake during its pre-connect, so the request timeout never applies.

Default now changed to:


as Chrome seems to disconnect after about 10 seconds of preconnect.

An Admin can set any per-User send limit fixed

Relating to:

Per-DA-User email send limit in interface (SKINS)

If you're logged in as an Admin, no restrictions will be in place for the value set.

0 and any high number will be accepted.

Previously, they were enforced to the same Reseller rules, where the limit could not exceed the value in /etc/virtual/limit, assuming:


was set.

The max_user_send_limit value applies to the Reseller limit,

but now admins are exempt from this variable's value, and can always set anything.

MySQL IPv6 access hosts to use condensed format fixed

The access host check that MySQL does is only on the condensed IP.

Fix in DA is to only give the condensed form to MySQL when adding an IPv6 access host.

Existing values are unaffected, so if you use IPv6 values be sure to re-add them, where DA will swap them for the short form.

Related error:

mysql says:

ERROR 1045 (28000): Access denied for user 'db_user'@'1a43:3d02:a0d2:146::4303' (using password: YES)

Delete subdomain webalizer stats with "remove directory contents" fixed

When deleting a subdomain, with the "remove directory contents" checked, only awstats data was removed.

Fixed to properly delete the webalizer data as well.

addip script to deprecate IPv6 IPs upon adding fixed

When an IPv6 IP is added to a device, the system sometimes likes to use it as the default IP, because it was added last.

This fix will change the script:


to have the addIPv6() function to include the /sbin/ip command, below.

The "preferred_lft 0" changes the state of the IPv6 IP.

You can view the current state of your IPs like this:

ip -6 addr show dev eth0

where you know it's deprecated, if you see this beside the IP you don't want exim to bind to:

inet6 fe80::230:42ff:fd57:16b2/64 scope link deprecated

if it looks like this, then it didn't work:

inet6 fe80::230:42ff:fd57:16b2/64 scope link

Forum thread:

    MCOUNT=`echo $2 | grep -c /`
    if [ "$MCOUNT" -gt 0 ]; then

    /sbin/ifconfig $ETH_DEV inet6 add ${1}${MASK}

    /sbin/ip -6 addr change ${1}${MASK} dev $ETH_DEV preferred_lft 0 >/dev/null 2>&1

    exit 0;

Note: CentOS 5 and likely other older OSs may not support the "change" option with the ip command.

This is why I've piped everything to /dev/null.

Adding domain pointer is missing additional IPs for subdomains fixed

If a domain uses multiple IPs, subdomains records in a domain pointer zone did not receive the additional IPs.

Also found a bug in regards to linked IPs for those additional IPs (which wouldn't be very common, but a bug regardless)

SERVER_IP token wasn't present at dns_*.conf template parse time fixed

The |SERVER_IP| always worked before, but it was relying on the write-time parse of the named.db template.

If you set webmail=|SERVER_IP| in the dns_a.conf, for example, it would have returned that text, without being swapped with the correct value.

No real harm done, until you start playing with multi-IPs.

If you add a 2nd IP, webmail= would have already been present, but because ""!="|SERVER_IP|", DA allowed it to be added.

Upon the named.db write, the |SERVER_IP| is tokenized, giving you duplicate A records for webmail, with the same IP.

The fix is to make the SERVER_IP token available to all of the dns_*.conf templates, as they're tokenized.

Deleting a domain did not clear it from php_safe_mode.cache fixed

The cache rebuild for the php_safe_mode.cache file was previously given the User to update.

For each domain that the User had, it would update the php_safe_mode.cache for those domains.

However, when a domain is deleted, the removed value is no longer in the list, so it would linger.

Fix was to use a domain list to pass to the cache rebuild, and it will notice the domain is missing, and remove it from the list.

Similarly, deleting a User was not correctly clearing domains from the file.

A new domain_cache_list will be passed through all User deletion functions, and will update the cache in a similar manner.

Consideration was also added for the deletion of a Reseller.. the domains of the sub-Users should also be included in the domain_cache_list.

Lost Password "from" email should be from creator fixed

When emails are sent out for the "Lost Password" feature, previously the "from" header was the same as the "to" email, logically because it's an email from yourself, for yourself.

As many systems don't accept matching from/to headers, the from has been changed to be the email address of the creator of the account (Reseller's user.conf email value).

BlockCrack notify admin fixed

Similar to this previous bug:


the BlockCracking notices were using the per-email limit setting:


Fix is to change it to use:

