DirectAdmin Knowledge Base and Support


Never use whitelist_domains and whitelist_senders on DirectAdmin servers

12:03:26 19.03.2020

Why is it a bad idea to use whitelist_domains and whitelist_senders on DirectAdmin servers?

DirectAdmin configures Exim with numerous whitelists and blacklists, and here are two which we would suggest that you never use:

  • /etc/virtual/whitelist_domains
  • /etc/virtual/whitelist_senders

Both lists were designed and added to Exim years ago, and have not been changed much or secured since.

Another point is a source of confusion: DirectAdmin developers say that /etc/virtual/whitelist_domains should list destination domains:


(a screen-shot made on https://help.directadmin.com/item.php?id=2106)

In fact, it is a list of source domains, and this is where the first confusion can arise. So let's see how the list is handled in /etc/exim.conf:

[root@server etc]# grep whitelist_domains /etc/exim.conf -C 3
addresslist whitelist_senders = nwildlsearch;/etc/virtual/whitelist_senders
addresslist blacklist_senders = nwildlsearch;/etc/virtual/blacklist_senders
domainlist blacklist_domains = nwildlsearch;/etc/virtual/blacklist_domains
domainlist whitelist_domains = nwildlsearch;/etc/virtual/whitelist_domains
domainlist local_domains = lsearch;/etc/virtual/domains
domainlist relay_domains = lsearch;/etc/virtual/domains
domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains
--
  accept  condition = ${if eq{$acl_m_is_whitelisted}{1}{1}{0}}

#EDIT#31:
  accept  sender_domains = +whitelist_domains
          logwrite = $sender_host_address whitelisted in local domains whitelist
          set acl_m_is_whitelisted = 1
  accept  hosts = +whitelist_hosts
[root@server etc]#

Yes, in the config we see that it is treated as a list of sender domains (sender_domains = +whitelist_domains), while the log line reads: $sender_host_address whitelisted in local domains whitelist


Just a typo? 

No, not just a typo. It means Exim will accept any email that specifies a whitelisted domain in the from-address, without any further check. No check is done on the destination, and no check is done by anti-spam software either.

By using this list you turn your server into an open relay for the whitelisted domains.


What does it all mean for us?

Let's say you have several servers with DirectAdmin and want to be sure that every customer on all of your company's servers will receive emails from your business domain mycompany.com without issue. To achieve this, you might add the domain mycompany.com to /etc/virtual/whitelist_domains. Sounds good? Yes. Emails sent from your business domain to customers whose mailboxes are hosted on your company's servers will be received without being marked as SPAM. That's nice!

And here is where the problem lies: anybody can do the same with your domain. It's a known fact that spammers scan servers searching for an open relay, so it's just a matter of time before they scan your servers and find out that the domain can be used for sending emails without authentication. With this setup, they can send emails using your business domain, without authentication, to anybody in the world, as there is no destination validation check.

You've just opened your servers for sending without restrictions. That's the problem.

And even if you don't put your own domains there, the list might contain other domains: customers' domains, partners' domains, gmail, etc. Any domain on the list can be spoofed, and your server will be used for sending outgoing SPAM.

The same is true for /etc/virtual/whitelist_senders, with the only difference being that the list contains sender addresses, not domains. It can turn a server into an open relay in the same way.


How to fix it?

There is no patch for exim.conf at the moment. So just make sure the listed files are empty. 
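
One way to run that check on each server, as an added example (not DirectAdmin's or this article's own code). The function names are made up for the example; the file paths are the ones quoted above, and the directory can be overridden for testing:

```sh
#!/bin/sh
# Added example: audit the two sender whitelists the article says to keep empty.
# Function names are hypothetical; paths are the ones quoted in the article.

# Print active entries of a list file (skip blank lines and '#' comments).
active_entries() {
    [ -r "$1" ] || return 0
    grep -Ev '^(#|[[:space:]]*$)' "$1" || true
}

# audit_whitelists [DIR]: report each list; return the number of non-empty lists.
audit_whitelists() {
    dir="${1:-/etc/virtual}"
    bad=0
    for name in whitelist_domains whitelist_senders; do
        entries=$(active_entries "$dir/$name")
        if [ -n "$entries" ]; then
            bad=$((bad + 1))
            count=$(printf '%s\n' "$entries" | wc -l | tr -d ' ')
            echo "RISK: $dir/$name has $count active entries:"
            printf '%s\n' "$entries" | sed 's/^/    /'
        else
            echo "OK:   $dir/$name is empty or absent"
        fi
    done
    return "$bad"
}

# conf_uses_lists [CONF]: show where exim.conf references the two lists.
# Returns 0 if at least one reference exists (entries in the files then matter).
conf_uses_lists() {
    grep -nE '\+whitelist_(domains|senders)' "${1:-/etc/exim.conf}"
}

# Usage on a server: audit_whitelists && echo "both lists are empty"
```

A non-zero exit status from audit_whitelists is the number of lists that still contain entries, so the function can be dropped into a cron job or monitoring check.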

Whenever you want emails from trusted domains to be accepted without being scanned by anti-spam software, you are highly advised to use:

  • /etc/virtual/skip_rbl_domains - to skip RBL (DNSBL) checks
  • /etc/virtual/skip_av_domains - to skip the check with ClamAV

 and/or

  • /etc/virtual/whitelist_hosts_ip - to accept emails from trusted IPs without checks.

That's it.
