Global settings g_ssl


g_ssl_allow – IP Wild card of connections to allow to use SSL

This setting controls which connecting IP numbers are permitted to use SSL on POP and IMAP. They will see TLS in the protocol extension command (ETRN for SMTP or CAPA for POP). Typically, to enable SSL you set this to “*” after getting a certificate. If you don’t have a valid certificate, turning this on can cause problems, as mail clients will try to use SSL and fail.

Syntax: g_ssl_allow string

g_ssl_allow_fix – Disable incoming ssl on ssl failure from an ip

This setting has no further documentation currently available

Syntax: g_ssl_allow_fix bool

g_ssl_allow_imap – IP Wild card list to allow SSL encryption from for imap

This setting controls which connecting IP numbers are permitted to use SSL on IMAP.

Syntax: g_ssl_allow_imap string

g_ssl_auto – Generate letsencrypt ssl certificates automatically for all domains

This setting has no further documentation currently available

Syntax: g_ssl_auto bool

g_ssl_ciphers – List permitted ciphers

This can be used to enhance security. It is not recommended in general, but is useful if you are trying to pass a security audit of some kind. A value of MEDIUM:HIGH is probably what you want to set it to. It is case sensitive. If your list exceeds 800 bytes, use g_ssl_ciphers_add for the second half.

Syntax: g_ssl_ciphers string

g_ssl_ciphers_add – More permitted ciphers (added to g_ssl_ciphers)

This can be used to enhance security. It is not recommended in general, but is useful if you are trying to pass a security audit of some kind. A value of MEDIUM:HIGH is probably what you want to set it to. It is case sensitive.

Syntax: g_ssl_ciphers_add string
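Because g_ssl_ciphers is case sensitive and capped at 800 bytes, it is worth checking a cipher string against the local OpenSSL before putting it in the config. The following is an added example, not SurgeMail's own code: it uses Python's ssl module to find out what a cipher string actually selects (OpenSSL rejects unknown or wrongly cased keywords), and splits an over-long string at ':' boundaries into the g_ssl_ciphers value and the g_ssl_ciphers_add remainder. The 800-byte limit comes from the text above; the function and setting names in the code are the example's own.

```python
# Added example (not SurgeMail's own code): sanity-check a cipher string for
# g_ssl_ciphers against the local OpenSSL and split it across g_ssl_ciphers /
# g_ssl_ciphers_add when it exceeds the 800-byte limit the docs mention.
import ssl

SETTING_LIMIT = 800  # per-setting byte limit stated for g_ssl_ciphers


def resolve_ciphers(cipher_string):
    """Ask the local OpenSSL what a cipher string expands to.

    Returns the TLS 1.2-and-below suite names it selects, or None when OpenSSL
    rejects the string (unknown keyword, wrong case, or nothing selected).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # get_ciphers() also reports TLS 1.3 suites, which a cipher string does not govern.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def split_for_surgemail(cipher_string, limit=SETTING_LIMIT):
    """Split at ':' boundaries into (g_ssl_ciphers, g_ssl_ciphers_add) values.

    The first value is filled greedily up to `limit` bytes; everything after
    the first keyword that no longer fits goes to g_ssl_ciphers_add, so the
    original order of keywords is preserved. Raises ValueError if even two
    settings cannot hold the list.
    """
    if len(cipher_string.encode()) <= limit:
        return cipher_string, ""
    first, rest = [], []
    used = 0
    for keyword in cipher_string.split(":"):
        needed = len(keyword.encode()) + (1 if first else 0)  # +1 for the ':' separator
        if not rest and used + needed <= limit:
            first.append(keyword)
            used += needed
        else:
            rest.append(keyword)
    add_value = ":".join(rest)
    if len(add_value.encode()) > limit:
        raise ValueError("cipher list too long for g_ssl_ciphers plus g_ssl_ciphers_add")
    return ":".join(first), add_value


def check_setting(cipher_string):
    """Combined check: reject strings OpenSSL cannot parse, then split them."""
    suites = resolve_ciphers(cipher_string)
    if suites is None:
        raise ValueError(
            f"OpenSSL rejected cipher string {cipher_string!r} (keywords are case sensitive)")
    main_value, add_value = split_for_surgemail(cipher_string)
    return {"g_ssl_ciphers": main_value, "g_ssl_ciphers_add": add_value, "suites": suites}


if __name__ == "__main__":
    try:
        result = check_setting("MEDIUM:HIGH")  # the value the docs suggest
        print(f"{len(result['suites'])} suites selected, e.g. {result['suites'][:3]}")
    except ValueError as exc:
        print(exc)
    # Lower case is not the same keyword to OpenSSL, which is the "case sensitive" warning above.
    print("lower-case 'medium:high' accepted?", resolve_ciphers("medium:high") is not None)
```

The check runs against whatever OpenSSL your Python is linked to, which may differ from the one SurgeMail ships; treat a rejection as a strong hint, not proof, and re-check on the mail server itself.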

g_ssl_ciphers_web – List permitted ciphers for web

This list is for web connections only; restart SurgeMail after changing it.

Syntax: g_ssl_ciphers_web string

g_ssl_disable – Disable protocols tlsv1,tlsv1_1,tlsv1_2,sslv2,sslv3

This setting has no further documentation currently available

Syntax: g_ssl_disable string

g_ssl_disable_des – Disable DES ciphers, breaks outlook on XP

This setting has no further documentation currently available

Syntax: g_ssl_disable_des bool

g_ssl_disable_port25 – Prevent ssl on port 25

May help virus firewalls to detect viruses; that’s the theory anyway…

Syntax: g_ssl_disable_port25 bool

g_ssl_disable_sslv2 – Obsolete, Disable ssl 2.0 support for enhanced security

Disables one of the older ssl protocols which slightly increases security and decreases compatibility with older clients. Use g_ssl_disable and g_ssl_disable_web instead

Syntax: g_ssl_disable_sslv2 bool

g_ssl_disable_sslv3 – Obsolete, Disable ssl 3.0 support for enhanced security

Disables one of the ssl protocols which slightly increases security. Use g_ssl_disable and g_ssl_disable_web instead

Syntax: g_ssl_disable_sslv3 bool

g_ssl_disable_tlsv1 – Obsolete, Disable TLS 1.0 support

Use g_ssl_disable and g_ssl_disable_web instead

Syntax: g_ssl_disable_tlsv1 bool

g_ssl_disable_tlsv1_1 – Obsolete, Disable TLS 1.1 support

Use g_ssl_disable and g_ssl_disable_web instead

Syntax: g_ssl_disable_tlsv1_1 bool

g_ssl_disable_tlsv1_2 – Obsolete, Disable TLS 1.2 support

Use g_ssl_disable and g_ssl_disable_web instead

Syntax: g_ssl_disable_tlsv1_2 bool

g_ssl_disable_web – Disable protocols for web only

This setting has no further documentation currently available

Syntax: g_ssl_disable_web string
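The only reliable way to know that a g_ssl_disable or g_ssl_disable_web change took effect is to connect from outside and see which protocol versions the port still negotiates. The script below is an added example, not SurgeMail's own code. It parses a g_ssl_disable value using the protocol names listed above, pins one handshake per version against a host and port, and flags any version the config says is off but the server still accepts. It assumes the port speaks TLS from the first byte (IMAPS, POP3S or HTTPS), so it does not exercise STARTTLS on port 25, 110 or 143. sslv2 cannot be probed, because no current OpenSSL will offer it, so it is parsed but not tested.

```python
# Added example (not SurgeMail's own code): check from the outside which
# protocol versions an SSL port still accepts, to confirm a g_ssl_disable /
# g_ssl_disable_web change took effect. Assumes the port speaks TLS from the
# first byte (e.g. IMAPS/POP3S/HTTPS), not STARTTLS.
import socket
import ssl
import sys

# g_ssl_disable names -> versions the local ssl module can pin a handshake to.
# sslv2 is absent: no modern OpenSSL can offer it, so it cannot be probed.
NAME_TO_VERSION = {
    "sslv3": ssl.TLSVersion.SSLv3,
    "tlsv1": ssl.TLSVersion.TLSv1,
    "tlsv1_1": ssl.TLSVersion.TLSv1_1,
    "tlsv1_2": ssl.TLSVersion.TLSv1_2,
}
KNOWN_NAMES = set(NAME_TO_VERSION) | {"sslv2"}


def parse_disable(value):
    """Turn a g_ssl_disable value such as "tlsv1,tlsv1_1,sslv3" into a set of names."""
    names = {n.strip().lower() for n in (value or "").split(",") if n.strip()}
    unknown = names - KNOWN_NAMES
    if unknown:
        raise ValueError(f"unknown protocol names in g_ssl_disable: {sorted(unknown)}")
    return names


def probe_version(host, port, version, timeout=5.0):
    """Handshake pinned to exactly one protocol version.

    Returns 'accepted', 'refused' (server would not negotiate it),
    'client_cannot' (local OpenSSL will not offer it) or 'unreachable'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not identity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Old versions are usually blocked by the local security level; lower it
        # so a 'refused' answer reflects the server, not this client.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "client_cannot"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "refused"
        except OSError:  # SSLError, or the server simply drops the connection
            return "refused"


def verify_disabled(host, port, disable_value):
    """Compare observed behaviour with the g_ssl_disable value.

    Returns {name: (observed, verdict)}; the verdict flags a version that the
    config disables but the server still negotiates.
    """
    disabled = parse_disable(disable_value)
    report = {}
    for name, version in NAME_TO_VERSION.items():
        observed = probe_version(host, port, version)
        if name in disabled and observed == "accepted":
            verdict = "BAD: disabled in config but still accepted"
        elif name not in disabled and observed == "refused":
            verdict = "note: refused although not listed (fine if intended)"
        else:
            verdict = "ok"
        report[name] = (observed, verdict)
    return report


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe_ssl_disable.py HOST PORT 'sslv3,tlsv1,tlsv1_1'")
    target_host, target_port, config_value = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for proto, (observed, verdict) in verify_disabled(target_host, target_port, config_value).items():
        print(f"{proto:8} {observed:13} {verdict}")
```

Run it once against the IMAPS port with the value you set in g_ssl_disable, and once against the HTTPS port with the g_ssl_disable_web value, since the two settings are independent. A 'client_cannot' result means your own OpenSSL refuses to offer that version; test from a host with an older toolchain, or accept that nobody with a current client can use it either.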

g_ssl_dmalloc – Enable dmalloc tracking in ssl

This setting has no further documentation currently available

Syntax: g_ssl_dmalloc bool

g_ssl_fips – Enable FIPS mode crash if not available (DO NOT USE)

For future use

Syntax: g_ssl_fips bool

g_ssl_honor – Honor server cipher order

May be useful to force certain types of security/encryption.

Syntax: g_ssl_honor bool

g_ssl_lets_exclude – Domain URLs not to update; user must copy from ssl to lets folder

The certificates must be copied from the ssl to the lets folder manually!

Syntax: g_ssl_lets_exclude string

g_ssl_lets_path – Path to webservers /.well-known folder for letsencrypt

Use this if you have a webserver that is running on port 80 but you still wish to generate ssl certificates automatically. The folder must be writable by user ‘mail’ on Linux.

Syntax: g_ssl_lets_path string

g_ssl_per_domain – Create/use an SSL certificate for each domain

SurgeMail can be set to use a single SSL certificate for the server or individual certificates on a per domain basis.

SurgeMail will create private key / certificate pairs if required on startup. Alternatively these can be created using the ‘SSL Config’ link on the global settings page. These can be replaced with your own trusted signed certificates using the web admin interface or by placing the appropriate private key and certificate pem files in the following location: <surgemail>/ssl for a single certificate for the whole server and under <surgemail>/ssl/<vdomain> for per vdomain certificates.

Some mail clients and web browsers will complain if the certificate domain does not match the domain they are connecting to.

Changing g_ssl_per_domain will require SurgeMail to be restarted to take effect. Changes to certificates using the web admin interface now take effect immediately.

Syntax: g_ssl_per_domain bool

g_ssl_perfect – Apply good SSL settings, best to remove g_ssl_ciphers setting too

Just an easy way of setting the ciphers etc. for perfect forward secrecy.

Syntax: g_ssl_perfect bool

g_ssl_require – IP Wild card of connections to require to use SSL

This forces all matching IP addresses to use SSL for SMTP, POP and IMAP connections. Typically you would use this for non-local connections to increase security; local connections might be comparatively safe in unencrypted mode.

Syntax: g_ssl_require string

g_ssl_require_imap – IP Wild card of connections to require to use SSL for IMAP

This forces all matching IP addresses to use SSL for IMAP connections.

Syntax: g_ssl_require_imap string

g_ssl_require_in – Local domains that must only receive SSL messages

This setting has no further documentation currently available

Syntax: g_ssl_require_in string

g_ssl_require_login – IP wildcard of connections for users needing to use SSL

This setting forces all matching IP addresses to use SSL for any action that requires a user login, e.g. POP, IMAP and SMTP authentication, but not plain SMTP. So this is ideal if you want all users to use SSL but still want email to come in from non-SSL SMTP servers.

Syntax: g_ssl_require_login string
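The inbound settings g_ssl_allow, g_ssl_allow_imap, g_ssl_require, g_ssl_require_imap and g_ssl_require_login all take IP wildcard lists, and their effect on a given connection depends on the protocol and on whether a login is involved. The code below is an added example, not SurgeMail's own code, that models that interaction so a planned config can be checked against real connections before it is deployed. It assumes each list is comma separated, that an entry is a shell-style glob over the dotted IP (“*” meaning everyone, as in the g_ssl_allow text), and that a “require” match takes precedence when the IP is not in an “allow” list; the protocol labels and the constructed connection log are the example's own.

```python
# Added example (not SurgeMail's own code): model how the inbound IP-wildcard
# settings combine for one connection. Assumptions: a list is comma separated,
# each entry is a shell-style glob over the dotted IP ("*" = everyone), and a
# "require" match takes precedence over a missing "allow" match.
from fnmatch import fnmatchcase

LOGIN_PROTOCOLS = {"pop", "imap", "smtp-auth"}  # actions that need a user login


def ip_matches(ip, wildcard_list):
    """True if the IP matches any glob in a comma-separated wildcard list."""
    patterns = [p.strip() for p in (wildcard_list or "").split(",") if p.strip()]
    return any(fnmatchcase(ip, pattern) for pattern in patterns)


def ssl_policy(ip, protocol, settings):
    """Return 'required', 'optional' or 'unavailable' for this connection.

    protocol is 'smtp' (inbound mail, no login), 'smtp-auth', 'pop' or 'imap';
    settings maps g_ssl_* names to their string values.
    """
    allowed = ip_matches(ip, settings.get("g_ssl_allow"))
    if protocol == "imap" and ip_matches(ip, settings.get("g_ssl_allow_imap")):
        allowed = True
    required = ip_matches(ip, settings.get("g_ssl_require"))
    if protocol == "imap" and ip_matches(ip, settings.get("g_ssl_require_imap")):
        required = True
    # g_ssl_require_login covers logins only, so plain inbound SMTP stays open.
    if protocol in LOGIN_PROTOCOLS and ip_matches(ip, settings.get("g_ssl_require_login")):
        required = True
    if required:
        return "required"
    return "optional" if allowed else "unavailable"


def audit_connections(connections, settings):
    """Flag plaintext logins the policy would refuse, plus those that would be
    left alone but are g_ssl_warn candidates. connections: (ip, protocol, used_ssl)."""
    findings = []
    for ip, protocol, used_ssl in connections:
        if used_ssl:
            continue
        policy = ssl_policy(ip, protocol, settings)
        if policy == "required":
            findings.append((ip, protocol, "refused: SSL required"))
        elif protocol in LOGIN_PROTOCOLS and policy == "optional":
            if not ip_matches(ip, settings.get("g_ssl_warn_ignore")):
                findings.append((ip, protocol, "plaintext login (g_ssl_warn candidate)"))
    return findings


# Constructed settings: everyone may use SSL, remote users on 203.0.113.* must,
# and the 10.0.0.* LAN is exempt from the weekly warning.
SETTINGS = {
    "g_ssl_allow": "*",
    "g_ssl_require_login": "203.0.113.*",
    "g_ssl_warn_ignore": "10.0.0.*",
}

# Constructed connection log: (client ip, protocol, used SSL?)
SAMPLE_CONNECTIONS = [
    ("203.0.113.5", "imap", False),    # remote plaintext login -> refused
    ("203.0.113.5", "smtp", False),    # plain inbound SMTP -> allowed
    ("198.51.100.9", "pop", False),    # plaintext login, not required -> warn
    ("10.0.0.4", "pop", False),        # LAN plaintext login -> warning suppressed
    ("198.51.100.9", "imap", True),    # SSL login -> nothing to report
]

if __name__ == "__main__":
    for finding in audit_connections(SAMPLE_CONNECTIONS, SETTINGS):
        print(*finding)
```

Because the exact wildcard grammar SurgeMail uses is not spelled out on this page, treat the matcher as a stand-in: if your lists use ranges or negations, swap ip_matches for a matcher with the real semantics and keep the policy function as is.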

g_ssl_require_out – Other machines we only send to using SSL

This forces all matching IP addresses to use SSL for SMTP outgoing connections. Typically you would use this for outgoing connections to increase security.

Syntax: g_ssl_require_out string

g_ssl_require_web – Require https for most web features (excluding blogs file sharing and surgeplus)

This setting has no further documentation currently available

Syntax: g_ssl_require_web bool

g_ssl_retry_seconds – Seconds to try and establish ssl connection, default is 5

Best not to change, generally.

Syntax: g_ssl_retry_seconds int

g_ssl_sha1_sign – Obsolete, sha256 is now always used

This will probably be made the default in the near future

Syntax: g_ssl_sha1_sign bool

g_ssl_test_fail – Break ssl to test auto downgrade

Break ssl for outgoing sends

Syntax: g_ssl_test_fail bool

g_ssl_throttle_renegotiation – Slow renegotiation to prevent simple dos attack.

Generally this shouldn’t be used unless you have to keep some paranoid security scan happy.

Syntax: g_ssl_throttle_renegotiation bool

g_ssl_try_from – Try and start ssl mode if from this user, e.g. *@xyz.com

Must also match the g_ssl_try_out rule, this lets you only do ssl when the email is ‘from’ certain domains/users

Syntax: g_ssl_try_from string

g_ssl_try_not – Skip ssl for these hosts

If the hosts match then SurgeMail does not try ssl even if g_ssl_try_out matches.

Syntax: g_ssl_try_not string

g_ssl_try_out – Try and start ssl mode to these hosts

If the hosts match then SurgeMail tries to start SSL security on the SMTP session. Note that this may cause failures if the link is dropped by the receiving server.

Syntax: g_ssl_try_out string
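The outbound side has four settings that interact: g_ssl_require_out forces SSL to matching machines, g_ssl_try_out attempts SSL to matching hosts, g_ssl_try_from narrows that attempt to certain senders, and g_ssl_try_not skips SSL even when g_ssl_try_out matches. The code below is an added example, not SurgeMail's own code, that encodes those rules as one decision per delivery so a queue can be dry-run against a proposed config. Assumptions: lists are comma-separated shell-style globs; g_ssl_require_out is matched against the destination IP (the text says “IP addresses”) while the g_ssl_try_* settings are matched against the host name and envelope sender; and g_ssl_require_out is checked before g_ssl_try_not, since the page only says g_ssl_try_not overrides g_ssl_try_out. The host names, addresses and queue are constructed for the example.

```python
# Added example (not SurgeMail's own code): decide whether an outgoing SMTP
# session should be plain, attempt SSL, or insist on it, from g_ssl_require_out,
# g_ssl_try_out, g_ssl_try_from and g_ssl_try_not. Assumptions: comma-separated
# shell-style globs; g_ssl_require_out matches the destination IP and is checked
# first; g_ssl_try_from is matched against the envelope sender.
from fnmatch import fnmatchcase


def matches(value, wildcard_list):
    """Case-insensitive glob match of one value against a comma-separated list."""
    patterns = [p.strip() for p in (wildcard_list or "").split(",") if p.strip()]
    return any(fnmatchcase(value.lower(), pattern.lower()) for pattern in patterns)


def outbound_ssl_mode(host, ip, sender, settings):
    """Return 'require', 'try' or 'plain' for a delivery to host/ip from sender."""
    if matches(ip, settings.get("g_ssl_require_out")):
        return "require"            # SSL only; no plaintext fallback
    if matches(host, settings.get("g_ssl_try_not")):
        return "plain"              # explicit skip beats g_ssl_try_out
    if not matches(host, settings.get("g_ssl_try_out")):
        return "plain"              # host not selected for opportunistic SSL
    try_from = settings.get("g_ssl_try_from")
    if try_from and not matches(sender, try_from):
        return "plain"              # host matched, but the sender rule did not
    return "try"                    # opportunistic: may fall back if the link drops


def plan_deliveries(queue, settings):
    """Dry-run a queue of (host, ip, sender) against the settings."""
    return [(host, ip, sender, outbound_ssl_mode(host, ip, sender, settings))
            for host, ip, sender in queue]


# Constructed settings for the dry run.
SETTINGS = {
    "g_ssl_require_out": "192.0.2.*",                      # partner MX range, SSL mandatory
    "g_ssl_try_out": "*.example.net,mx.partner.example",   # try SSL to these hosts
    "g_ssl_try_from": "*@corp.example",                    # ...but only for our own senders
    "g_ssl_try_not": "legacy.example.net",                 # known to drop SSL sessions
}

# Constructed delivery queue: (destination host, destination ip, envelope sender)
QUEUE = [
    ("mx.bank.example", "192.0.2.10", "alice@corp.example"),      # require
    ("mx1.example.net", "198.51.100.20", "alice@corp.example"),   # try
    ("legacy.example.net", "198.51.100.21", "alice@corp.example"),  # plain (try_not)
    ("mx1.example.net", "198.51.100.20", "bob@other.example"),    # plain (try_from)
    ("mail.unrelated.example", "203.0.113.40", "alice@corp.example"),  # plain
]

if __name__ == "__main__":
    for host, ip, sender, mode in plan_deliveries(QUEUE, SETTINGS):
        print(f"{mode:8} {host:24} {ip:15} {sender}")
```

The 'try' outcome is the one g_ssl_test_fail exists to exercise: if a receiving server drops the link after SSL starts, that is the auto-downgrade path, whereas a 'require' destination has no downgrade and the message stays queued.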

g_ssl_warn – Send users weekly reminder if they keep using non SSL logins

This setting has no further documentation currently available

Syntax: g_ssl_warn bool

g_ssl_warn_ignore – Don’t give warnings if user is from this trusted host

This setting has no further documentation currently available

Syntax: g_ssl_warn_ignore string

g_ssl_warn_text – Last line of email warning sent to user if SSL not used

This setting has no further documentation currently available

Syntax: g_ssl_warn_text string
