DirectAdmin Modsecurity changes in Apache
The DirectAdmin 1.691 release refactors the ModSecurity integration. It uses a different method to enable ModSecurity for the Apache web server.
- the httpd-modsecurity.conf is now included with the httpd-modsecurity-enable.conf that gets generated dynamically, not with the httpd-phpmodules.conf as before
- httpd-modsecurity-enable.conf is always included by the httpd.conf. That file is empty when modsec is disabled, and filled with includes when enabled.
- libxml2.so is not used in apache configs anymore as it's not needed for modsec in 2.4.
If you receive an error like this:
…
Exim Logging Port and Plaintext Connections
DirectAdmin has recently enforced stricter rules for sending mail (changelog).
Long story short, starting with DirectAdmin version 1.676:
- Port 25 cannot be used for mail submission. It is dedicated to server-to-server communication.
- Authentication via port 587 works only when using StartTLS.
The changelog also describes how to revert fully or partially to the previous behaviour in case the impact is bigger than expected.
However, the change is strongly advised. Before switching to the stricter mode, you may want to collect some stats to see how many users are actually using the forbidden settings.
…
Directadmin With a Mail Proxy
Mail proxy setup to have a common mail.domain.tld that proxies IMAP and SMTP
connections to the appropriate DA servers.
Directadmin Old Cyphers for Mail
If a user insists on maintaining support for legacy systems to enable connections using older SSL methods, one option is to set ssl_configuration=old in the options.conf file of custombuild. However, this setting changes the SSL ciphers for all web-related services as well. Alternatively, it is possible to downgrade the ciphers exclusively for mail services without affecting the web services.