Version 1.680

Released: 2025-07-??

Sender address spoofing protection new custombuild

The Exim mail server configuration is extended to block user attempts to spoof the sender address. This is implemented as an additional Exim ACL for email submitted over SMTP. The ACL checks the username from the SMTP authentication against the sender address provided in the SMTP MAIL FROM command (also known as the envelope sender).

The general idea of sender address validation is that an email account may send from any address as long as a reply to that address would be routed back to the same email account.

Valid sender address examples:

  • The main mailbox address is always allowed as the sender address.
  • The same local part with a different domain is allowed if that domain is an alias of the main address domain.
  • Any forwarder address can be used as the sender address if the forwarding rule delivers to the main mailbox address.
  • Any unused address in a domain can be used by the mailbox that is configured as the catch-all mailbox for that domain.
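The four rules above amount to a single decision: would a reply to the MAIL FROM address land in the mailbox that authenticated? The following Python model is an added illustration of that decision and is not DirectAdmin's Exim ACL or any of its code. The `DomainConfig` structure, the `sender_allowed` function and the account data are all hypothetical and constructed here; the model also assumes that alias domains are resolved to their primary domain before the forwarder and catch-all rules are applied, and that forwarder destinations are final mailboxes (no chained forwarders).

```python
"""
Model of the sender-address validation rules from the release note.
Added illustration only: not DirectAdmin's Exim ACL. All names and data
below are hypothetical / constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class DomainConfig:
    """Mail settings of one hosted domain (hypothetical model)."""
    aliases: Set[str] = field(default_factory=set)          # alias domains of this domain
    forwarders: Dict[str, Set[str]] = field(default_factory=dict)  # local part -> destinations
    catchall: Optional[str] = None                          # mailbox receiving unmatched local parts
    mailboxes: Set[str] = field(default_factory=set)        # local parts that are real mailboxes


def split_address(addr: str) -> tuple:
    """Lower-case an address and split it into (local part, domain)."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def resolve_domain(domain: str, domains: Dict[str, DomainConfig]) -> str:
    """Map an alias domain to the primary domain it belongs to (assumption of this model)."""
    for primary, cfg in domains.items():
        if domain in cfg.aliases:
            return primary
    return domain


def sender_allowed(auth_user: str, mail_from: str, domains: Dict[str, DomainConfig]) -> bool:
    """Return True if a reply to `mail_from` would be routed back to mailbox `auth_user`."""
    user_local, user_domain = split_address(auth_user)
    from_local, from_domain = split_address(mail_from)
    primary = resolve_domain(from_domain, domains)

    # Rule 1 and 2: the mailbox's own address, on its own domain or on an alias of it.
    if from_local == user_local and primary == user_domain:
        return True

    cfg = domains.get(primary)
    if cfg is None:
        return False  # domain not hosted here: replies would never reach this account

    # Rule 3: a forwarder that delivers to the authenticated mailbox.
    if auth_user.lower() in cfg.forwarders.get(from_local, set()):
        return True

    # Rule 4: an unused local part, when the authenticated mailbox is the domain's catch-all.
    unused = from_local not in cfg.mailboxes and from_local not in cfg.forwarders
    return unused and cfg.catchall == auth_user.lower()


# Constructed sample data (not taken from any real server).
SAMPLE_DOMAINS: Dict[str, DomainConfig] = {
    "example.com": DomainConfig(
        aliases={"example.net"},
        forwarders={"sales": {"alice@example.com"}, "info": {"bob@example.com"}},
        catchall="alice@example.com",
        mailboxes={"alice", "bob"},
    ),
}


if __name__ == "__main__":
    # Each row: authenticated user, attempted MAIL FROM, and the policy decision.
    cases = [
        ("alice@example.com", "alice@example.com"),
        ("alice@example.com", "alice@example.net"),
        ("alice@example.com", "sales@example.com"),
        ("alice@example.com", "anything@example.com"),
        ("bob@example.com", "alice@example.com"),
        ("bob@example.com", "anything@example.com"),
        ("alice@example.com", "alice@other.example.org"),
    ]
    for user, sender in cases:
        verdict = "ACCEPT" if sender_allowed(user, sender, SAMPLE_DOMAINS) else "REJECT"
        print(f"{user:20} MAIL FROM:<{sender}> -> {verdict}")
```

The last three rows in the sample show the cases the ACL exists for: a mailbox using another mailbox's address, a non-catch-all mailbox using an unused address, and any address on a domain the server does not host are all rejected, while every address that would route a reply back to the sender is accepted.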

The sender address spoofing protection is enabled by default. It can be explicitly disabled, to stay backwards compatible with the old Exim configuration, by setting AUTH_BLOCK_SENDER_SPOOFING = no in the /etc/exim.variables.conf.custom file.

Examples:

# Disable sender address validation (insecure):
sed -i '/^AUTH_BLOCK_SENDER_SPOOFING /d' /etc/exim.variables.conf.custom
echo 'AUTH_BLOCK_SENDER_SPOOFING = no' >> /etc/exim.variables.conf.custom
da build exim_conf

# Restore sender address validation:
sed -i '/^AUTH_BLOCK_SENDER_SPOOFING /d' /etc/exim.variables.conf.custom
da build exim_conf

Wildcard options are not preselected evolution fixed

Ticking the "Wildcard" option (found within admin level -> Account Manager -> SSL Certificates -> Get automatic certificate from ACME Provider) previously did not preselect the required certificate entry options.

Removed cakey, cacert, carootcert configuration options from directadmin.conf removed

The location of the server host name TLS certificate files can no longer be customised. The files are always stored in the default locations:

  • /usr/local/directadmin/conf/cakey.pem - server host name TLS key.
  • /usr/local/directadmin/conf/cacert.pem - server host name TLS certificate.
  • /usr/local/directadmin/conf/carootcert.pem - intermediate CA certificates.

On servers where these options were set to non-default values, the certificate files are automatically copied to the default locations.

Simplified file search in the file manager.

FileManager search changes

/CMD_FILE_MANAGER?action=recursive_search changes:

  • Removed type filter
  • Returned file size is always zero