DirectAdmin 1.676

[wila]

Bumped into an issue where a customer reported that one of their subdomains now returned a 404 error instead of the expected application.

The issue turned out to be a wrong pointer under the subdomains setup of their account.

For domain test.example.com it looked like this:
/domains/example.com/public_html/test
whereas it should have been:
/domains/example.com/private_html/test

The public_html folder exists, but only has a single index.html instead of the full application.

Fixing the mapping resolved the issue.
So not a big issue, but figured to report it.
--
Wil

 

[Rolf B]

@wila The default Exim configuration does not log the incoming TCP port. Logging of incoming connection details can be enabled by customizing the /etc/exim.conf file and appending +incoming_interface to the log_selector field:

...
log_selector = \
  +incoming_interface \
...

In main Exim log file /var/log/exim/mainlog the log lines will have I={ip}:{port} section, authenticated connections will have P=esmtpa or P=esmtpsa (if encryption is used). Quick grep over the logs that used 25 port (with or without encryption) would be:

Since we should not modify the config file directly, how is this solved via the custom include file (/etc/exim.variables.conf.custom - there are several lines)?

Does an entry work in this form?:

log_selector = \
+incoming_interface \
+delivery_size \
+sender_on_delivery \
+received_recipients \
+received_sender \
+smtp_confirmation \
+subject \
+smtp_incomplete_transaction \
-dnslist_defer \
-host_lookup_failed \
-queue_run \
-rejected_header \
-retry_defer \
-skip_delivery \
+arguments

what happens if the DA default configuration (for log_selector) is adjusted?

With cpanel the port is written to the logfile by default, I think that would also make sense here.

 

[Ohm J]

@Rolf B
All software logs scanner for Brute force Protection could go wrong, like csf firewall, BFM from Directadmin.

 

[kristian]

The example in @kristian's post could be slightly improved by hardening the socket permissions to be 0660 and making the socket file accessible to the mail group.

Indeed. I have edited my post above with this hardening.

 

[Richard G]

I'm seeing this when restarting Exim.

exim 4.98.2 daemon started: pid=2847512, -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)

So SMTP on port 25? I thought this was disabled, or only for dovecot? Or is this correct as it is?

 

[zEitEr]

So SMTP on port 25?

Why should the port 25 be disabled? Mail servers still use TCP 25 for exchanging emails, even though PLAIN AUTH might be disabled for mail clients on port 25.

 

[Richard G]

Mail servers still use TCP 25 for exchanging emails,

Yep I'm aware of that. But I didn't know that was also called SMTP. In that case all is fine, thank you!
Because it says "listening on port 25 for SMTP" I got confused. I thought Exim would just send via port 25, not stating to itself to listen for smtp on port 25 for itself.

 

[zEitEr]

Historically, Simple Mail Transfer Protocol or SMTP only used port 25. Today, port 25 is still in use for SMTP, but it can also use ports 465, 587, others.

• Port 25 is most used for connections between SMTP servers.
• Port 465 was once designated for use by SMTP with Secure Sockets Layer (SSL) encryption.
• Port 587 is now the default port for email submission. SMTP communications via this port use TLS encryption.

More reading: https://www.cloudflare.com/learning/email-security/what-is-smtp/

 

[sparek]

What will really confuse you in regards to SMTP and TLS. is whether or not if an email client (MSA) is being configured for implicit or explicit TLS.

As far as I know, Thunderbird makes a distinction (not necessarily a well described one). When you configure an outgoing mail server and choosing security it will allow you to select "SSL/TLS" or "STARTTLS".

STARTTLS is implied as being explicit TLS. This is where you connect to the SMTP server in plain text, but before the MSA actually sends anything, it issues a STARTTLS to request that the connection be upgraded to TLS.

SSL/TLS is implied (by reason of deduction from the above paragraph... this is why it's not a well described distinction) to mean an implicit TLS. Implicit TLS means that the connection is already secure when the daemon picks it up. HTTPS is an implicit TLS, the connection is already secured before the web server handles it (if you exclude the SNI part - which is effectively the same thing that the HOST header added in HTTP v1.1 allowing shared IPs among VirtualHosts).

The issue comes about when you have an MSA (some of the Windows ones come to mind) that simply configures the connection to "use a secure connection." Well... what type of secure connection is the client expecting with this? An implicit or explicit TLS connection?

If the MSA is expecting to issue a STARTTLS with the connection, then port 587 needs to be used so that a STARTTLS command can be issued.

If the MSA is expecting the entire connection to be sure - and no STARTTLS is being issued - then port 465 needs to be used. This assumes that 465 is listed as a tls_on_connect_ports in your exim.conf - /etc/exim.variables.conf on Directadmin.

What does "use a secure connection" mean in this context? Nobody knows.

If you choose wrong, then the connection's not going to do anything. If you think "use a secure connection" means that the MSA is going to issue a STARTTLS command - so you tell it to connect on port 587, but the MSA is expecting the connection to the implicit TLS - then the connection won't do anything because the TLS handshake will never complete.

If you think "use a secure connection" means that the the entire connection will be secured - implicit TLS - and tell it to connect on port 465, but the MSA is expecting to make an explicit TLS upgrade with STARTTLS then the connection won't do anything because the daemon listening on port 465 will be expecting a TLS handshake that it never gets.

This also applies with POP3 and IMAP. In whether to use an explicit STLS to upgrade a POP3 connection on port 110 or use an implicit TLS on connect on port 995. Or whether to upgrade an IMAP connection on port 143 with STARTTLS or use an implicit TLS on connect on port 993.

There really should be one de-facto standard for each of these protocols. I really thought explicit TLS was more of the standard, but I'm no longer sure.

 

[Richard G]

I don't know of it was since this or previous version, but NONE of the plugins show up in Enhanced skin anymore.
Not with admin, not reseller and not user.

Also when searching the changelog, there is no scrollbar on the right. I reported that earlier and it would be fixed, but it's still not fixed or it's re-occuring again.
Steps to reproduce:
1.) Open the changelog page.
2.) Search for something
3.) Get more results than page and see that you can't scroll down

However, it's way more important that suddenly plugins are not showing anymore, which was no problem before.

 

[romans]

I don't know of it was since this or previous version, but NONE of the plugins show up in Enhanced skin anymore.
Not with admin, not reseller and not user.

Also when searching the changelog, there is no scrollbar on the right. I reported that earlier and it would be fixed, but it's still not fixed or it's re-occuring again.
Steps to reproduce:
1.) Open the changelog page.
2.) Search for something
3.) Get more results than page and see that you can't scroll down

However, it's way more important that suddenly plugins are not showing anymore, which was no problem before.

1. About Plug-Ins - I was able to get them shown using Enhanced skin for "admin" user on Admin and User levels. But in my case I have only CSF and Installatron. I checked it in DA version 1.676. So, I cannot confirm that issue.

2. About scrollbar in ChangeLog during using "Search" option, then I can confirm that there no one and it happens for https://docs.directadmin.com/ site, but not for ChangeLog page only. I will notify developers once again about it. The current workaround is - to use "Ctrl" + "-" buttons to Zoom Out the browser's page to show all search results.

 

[Richard G]

@romans Thank you. I found the cause of the first issue.
When using opcache.enable_cli=1 then this issue occurs.
Maybe a bug because why should we not enable opcache cli?

As for 2, thank you!

 

[DirectAdmin Support]

Thanks for the bump on the search results issue.
I've tagged its css class it with a `max-height` and `overflow-y: auto` tag, which seems to do the trick.

 

[Richard G]

Thanks for the bump on the search results issue.

Thank you for fixing it. I indeed get a scrollbar now on the side, so works fine now!

 

[wila]

Bumped into another issue when upgrading from Dovecot 2.3 to 2.4
This happened a couple of weeks ago and as I hadn't been able to resolve it at that moment I just ended up reverting to dovecot 2.3 as I had more urgent things to do.

The error was as follows:
root@server:/etc/dovecot/conf# systemctl status dovecot
? dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/etc/systemd/system/dovecot.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2025-05-03 19:43:44 CEST; 53s ago
Process: 2065335 ExecStart=/usr/sbin/dovecot -F (code=exited, status=89)
Main PID: 2065335 (code=exited, status=89)
CPU: 9ms

May 03 19:43:44 server.host.net systemd[1]: Started Dovecot IMAP/POP3 email server.
May 03 19:43:44 server.host.net dovecot[2065335]: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 4: The first setting must be dovecot_config_version
May 03 19:43:44 server.host.net systemd[1]: dovecot.service: Main process exited, code=exited, status=89/n/a
May 03 19:43:44 server.host.net systemd[1]: dovecot.service: Failed with result 'exit-code'.

So.. tried to fix that.. no idea, so rollback it was.

Returned to it today, now that I have a bit more time and one thing I noticed was that the config file itself was still dated 2023... instead of the expected date of today.

It turns out that this error is due to a custom_build configuration setting under "options".
This server had the dovecot_conf setting set as "No".. In other words, not managed by custom_build and it did exactly what was set there and thereby broke my dovecot install due to the update.

It would have been better that the upgrade would have been cancelled due to that setting, but I guess there's always something.
Hopefully -if someone else bumps into this- they find this post and save a bit of hair pulling moments.

 

[asadkhan]

after updating custom build is not working properly i m unable to build anything using ssh

its giving this error
./build clean
Unknown command `clean'. Please specify one command of: admin, admin-backup, api-url, build, config, config-get, config-set, doveadm-quota, info, install, license, license-set, login-url, permissions, server, suspend-domain, suspend-user, taskq, unsuspend-domain, unsuspend-user, update, version or web-install
Usage:
directadmin [OPTIONS] <command>

Help Options:
-h, --help Show this help message

 

[Richard G]

i m unable to build anything using ssh

You don't really need the ./build clear normally.

Depending on what you build just try the new command and see if it works. For example if you want to build php try:
da build php
same way for other things.

For updating you can do (from any directory)
da build update
da build update_versions

 

[fln]

An update is released with a RoundCube version update from 1.6.10 to 1.6.11. Roundcube 1.6.11 fixes a security issue.

 

[vinao]

Hello
After updating

dovecot

2.4.1-4

I have a problem - mailboxes ask for a password through programs such as outlook or thunderbird.

please help

 

[ccto]

Perhaps , it relates to -

Disable POP / IMAP authentication over non-encrypted connections

Version 1.678 | Directadmin Docs

DirectAdmin Knowledge Base

docs.directadmin.com

Hello
After updating

dovecot

2.4.1-4

I have a problem - mailboxes ask for a password through programs such as outlook or thunderbird.

please help