g_oauth_client_id "idcode"

g_oauth_client_secret "secretcode"

g_oauth_trim "true" - Trim @domain.name from user before lookup

g_oauth_url "http://your.oauth.endpoint/oauth.php"

g_authent_lookup "true" - If set then oauth is used as password check as well as account existence.

With the above settings surgemail will use nwauth to store most details about user accounts, but will check for existence, and passwords with the oauth server.

The post Oauth 2.0 support appeared first on SurgeMail.

1. Stop Surgemail
2. Make a backup of nwauth.* and surgemail.ini
3. If using nwauth, then Run ./nwauth -rename old.domain.name new.domain.name (Run this as user 'mail' from the surgemail home path)
4. If not using nwauth change the domain names in your database for each user somehow
5. Edit surgemail.ini and change the vdomain name=”OLD.DOMAIN.NAME” TO “NEW.DOMAIN.NAME”
6. And add ‘host_alias “old.domain.name” if desired.
7. Generally you shouldn't change/update mailbox_path unless you plan on renaming the physical folder to match.
8. Open 'domuser.dat' with a text editor and search/replace the old domain for the new domain.

The post Rename a domain appeared first on SurgeMail.

Some applications come with MySQLAuth already built. If you have not got a build and/or require the latest code it can be downloaded from the one of the links below:

Building From Source:

If you are building MySQLAuth from the source you will need to have a C compiler either cc or
gcc and make. To build the command line prompt would be:

make -f Makefile.mysql config=linux

Configuration Options:

MySQLAuth comes requires an mysqlauth.ini to configurate it's options. This file is located in the same directory as the MySQLAuth binary OR in a directory specified by the -path command line option.

You should consult the mysqlauth.ini that comes with the mysqlauth download this will display all the default and common settings that you will need.Here is an example of what this file should look like:

The table below display the available options are available to use:

Command Line Options:

Supported Commands

The commands below are the list of commands that this module supports. For a full description about the command see Authentication Protocol

Creating/Using a MySQL Database

MySQLAuth requires a MySQL database which is setup and working. The database that is setup must have a username and a password that is encrypted using the MySQL command PASSWORD(). You can either create a new database/table for MySQLAuth or use a current database that has usernames and passwords.

New Database:

Below are instructions on how to setup a brand new database and table to work with MySQLAuth, with all of the features that MySQLAuth provides.

Install mysql server (we used 5.1 but any version should work)
Setup a root password:
	mysqladmin -u root password secret
Set those details in mysqlauth.ini
	mysql_login root
	mysql_password secret
Create database:


	mysql -u root -p
	Password> secret
create database maildb;
use maildb;

# Note 'groups' change to 'xgroups' due to syntax change in mysql
# Translation added in mysqlauth.ini

CREATE TABLE maildb (
        username VARCHAR(128) binary DEFAULT '' NOT NULL,
        passwd VARCHAR(128) DEFAULT '*' NOT NULL,
        forward VARCHAR(255) DEFAULT '',
        quota VARCHAR(20) DEFAULT '',
        mailmask VARCHAR(18) DEFAULT '0.0.0.0' NOT NULL,
        maildrop VARCHAR(255),
        domain VARCHAR(128) DEFAULT '',

       created VARCHAR(20) DEFAULT '',
       full_name VARCHAR(128) DEFAULT '',
       phone VARCHAR(128) DEFAULT '',
       xgroups VARCHAR(255) DEFAULT '',

       smsto VARCHAR(128) DEFAULT '',
       mailaccess VARCHAR(255) DEFAULT '',
       mailstatus VARCHAR(128) DEFAULT '',
       spf_block VARCHAR(20) DEFAULT '',
       disabled VARCHAR(20) DEFAULT '',
       alias_quota VARCHAR(20) DEFAULT '',
       list_quota VARCHAR(20) DEFAULT '',
       user_access VARCHAR(255) DEFAULT '',
       send_limit VARCHAR(20) DEFAULT '',
       tohost VARCHAR(255) DEFAULT '',
       realuser VARCHAR(255) DEFAULT '',
       allow VARCHAR(255) DEFAULT '',
       friends VARCHAR(20) DEFAULT '',
       enotify VARCHAR(255) DEFAULT '',

       ddpriv VARCHAR(128) DEFAULT '',
       ddfrom VARCHAR(128) DEFAULT '',
       ccname VARCHAR(128) DEFAULT '',
       ccnumber VARCHAR(128) DEFAULT '',
       ccexpires VARCHAR(20) DEFAULT '',
       ccciv VARCHAR(128) DEFAULT '',
       cctype VARCHAR(128) DEFAULT '',
        PRIMARY KEY (username)
);
CREATE TABLE alias (
       username VARCHAR(128) binary DEFAULT '' NOT NULL,
       alias VARCHAR(128) binary DEFAULT '' NOT NULL,
       PRIMARY KEY (username)
);

# Create an example user to test with (change your.domain to match your surgemail domain name)
INSERT INTO maildb VALUES ('test@your.domain', SHA2('test',512), '','100mb', '0.0.0.0','','',''   ,'','','','','','','','','','','','','','','','','','','','','','','',''   );

To manually remove a user the command is:

DELETE FROM maildb WHERE username='test@test.org'

The inserting and deleting of users is usually taken care of by MySQLAuth. The above is to show how you would do this manually.

The mysqlauth.ini settings for the above would look like the following:

mysql_server your.sql.server
mysql_login root
mysql_password password

domain your.default.domain

mysql_mail_user_db maildb
mysql_mail_user_table maildb

field_username username
field_password passwd
field_forward forward
field_quota quota
field_mailmask mailmask
field_maildrop maildrop

info_fields created created
info_fields full_name full_name
info_fields phone phone
info_fields pass_question pass_question
info_fields pass_answer pass_answer
info_fields groups xgroups

Now test the authent module manually:

c:> mysqlauth
lookup test@your.domain
check test@your.domain test
set test2@your.domain test2
check test2@your.domain test2
quit

Using Current DataBase:

If you already have an existing database which you wish to use then as long as the usernames are unique and the password field is encrypted using the PASSWORD() MySQL command you should simply be able to change the ini settings to point to this database, table and field label names.

eg: If you have a database called 'accounts' and a table called 'mail_users' that stores all sorts of information but has the username field names 'name' and the password field called 'pwd' then the ini settings that you required are:

mysql_server your.sql.server
mysql_login login
mysql_password password

domain your.default.domain

mysql_mail_user_db accounts
mysql_mail_user_table mail_users

field_username name
field_password pwd

If you also have the ability to store the mail quota or forwarding, then you can add these ini settings as well...

ie:    field_forward forward
        field_quota quota

Converting nwauth database to mysqlauth

The MySQLAuth binary has a command line switch -convert_nwauth to convert the nwauth database into mysql, use it like this:

nwauth -size 1
set a a
del a
quit
(unix) ./mysqlauth -convert_nwauth /usr/local/surgemail ./mysqlauth
(windows) mysqlauth -convert_nwauth c:\surgemail mysqlauth

and it will produce 2 files:
nw_convert.bat
nw_input.dat

Edit mysqlauth.ini and set plain_password true

These represent 2 different ways to import the users, we'll just use the 2nd method which is faster. Before you do, you need to set the:
plain_password true setting in mysqlauth.ini, this prevents it from re-encoding the
already encoded password, once set you can run:

./mysqlauth < nw_input.dat

Edit mysqlauth.ini and set unix_password true

The post Authent Module Mysqlauth appeared first on SurgeMail.

Some applications already come with this verison already built. If you have not got a build and/or require the lastest code it can be downloaded from the one of the links below:

Building From Source:

If you are building LDAPAuth from the source you will need to have a C compiler either cc or
gcc and make. To build the command line prompt would be:

make -f Makefile.ldap

Setting up with OpenLDAP:

If your ldap server is OpenLDAP you will need to enable 'bind_v2' so that LDAPAuth will correctly bind to OpenLDAP. LDAPAuth currently only supports simple binding. You need to add the following line to openldap file 'slapd.conf':

allow bind_v2

The default schema 'person' should be used. This schema does not support the most of the surgemail default fields, and you will need to update the schema to include the fields that you wish to store.

Setting up with SurgeLDAP:

SurgeLDAP has been setup to use the 'netwinperson' schema instead of the deafult 'person' schema. In your ldapauth.ini file you should add the setting:

ldap_objectclass netwinperson

This schema has already been setup to support all the surgemail and surgeftp fields to make it easy to just include the fields that you wish to support.

Configuration Options:

LDAPAuth comes requires an ldapauth.ini to configurate it's options. This file is located in the same directory as the LDAPAuth binary OR in a directory specified by the -path command line option.

You should consult the ldapauth.ini that comes with the LDAPAuth download this will display all the default and common settings that you will need. Here is an example of what this file should look like:

Config settings

info_fields

Use setting to inform LDAPAuth of pairs of database field names. It takes a list of up to 20 comma separated pairs of field names, where each pair is two words separated by a space. In each pair the first name is the name that LDAPAuth should lookup in your LDAP database and the second is the name it should display in the output.

Syntax: info_fields db_name1 field_name1,[...]
Example: info_fields groups usergroups,diskquota ftpquota
Default: none
Required Setting: no

ldap_group_base

(Version 1.1a, DMail 3.0) These four settings are used to pass the group membership through to DNews for access control. It is much better to use the info_fields when possible (it is much more efficient). ldap_group_base defines where in the LDAP database group information is found. See below this table for more info on using this.

Example: ldap_group_base dc=netwin,dc=co,dc=nz
Default: none
Required Setting: no

ldap_group_search

A search that will find the LDAP objects that contain usergroup information, it's best to make this as specific as possible.

Example: ldap_group_search cn=group*
Default: none
Required Setting: no

ldap_group_field

Specify the field that contains the users email address in usergroup objects.

Example: ldap_group_field cn
Default: cn
Required Setting: no

ldap_group_attrib

Specify the attribute in a user group object that contains the information about each user.

Example: ldap_group_attrib uniquemember
Default: uniquemember
Required Setting: no

ldap_port

The TCPIP port to connect to the LDAP server on.

Example: ldap_port 3890
Default: 389
Required Setting: no

log_path

The file to store log files in

Example: log_path c:\logs\auth.log
Default: the location of the LDAPAuth executable ldapauth.log (older versions wrote to auth.log by default)
Required Setting: no

max_log_size

The size at which log files are rotated. Logs are numbered 1,2,3,4

Example: max_log_size 10000
Default: 100000
Required Setting: no

log_level

Controls the amount of information logged during use. One of error, info, debug.

Example: log_level debug
Default: info
Required Setting: no

ldap_host

The IP address or domain of the host to connect to, ie: the machine where the LDAP server is listening.

Example: ldap_host apples.com
Default: localhost
Required Setting: no

ldap_mgr_dn

The LDAP manager distinguished name to bind with. NB: add this field and the ldap_mgr_pw field with blank entries for anonymous login.

Example: ldap_mgr_dn cn=SurgeMail Manager
Default: cn=Directory Manager
Required Setting: yes

ldap_mgr_pw

The password for the ldap_mgr_dn entry.NB: add this field and the ldap_mgr_dn field with blank entries for anonymous login.

Example: ldap_mgr_pw secret
Default: none
Required Setting: yes

ldap_search_base

The LDAP search base to use for all interactions with the LDAP server

Example: ldap_search_base dc=apples,dc=com
(or, ldap_search_base o=apples)
Default: none
Required Setting: yes

ldap_search_name

 IMPORTANT: Specifies the attribute used for identifying the users entry in the database. eg: when set to the default of mail, lookup bob, makes LDAPAuth lookup, mail=bob in database. (Prior to version 1.0k this was only used for lookups and not on the set command)

Example: ldap_search_name uid
Default: mail
Required Setting: no

pop_domain

The domain which will be appended to any usernames not containing @domain

NB: if set then you must use the setting,
authent_domain true
in surgemail.ini (and in netauth.ini if using NetAuth);

Example: pop_domain apples.com
Default: none
Required Setting: no, but recommended

ldap_objectclass

When adding new users LDAPAuth will add the new user to this ObjectClass.

Notes:

• When using the set command, you must specify attributes (fields) and values for any attributes 'required' by the object class that you specify with this setting. You may not specify any attributes that are 'not allowed' in the objectclass.You must enter something like,
  set username pass a="x" b="y" c="z"
  , where the fields a, b and c MUST be allowed in the specified objectclass, otherwise you will get an 'objectclass violation' error message. If you get that message then generally you need to alter the fields you are trying to set. Yes we wish there was a more informative error message also! Version 1.0k of LDAPAuth (and above) at least logs exactly which attributes and their values it is trying to set.
• Often people forget to set cn="xxx" and 'violate the objectclass', so remember to place it on the end of the set command (or make NetAuth put it there if using NetAuth).
• Some older versions of LDAPAuth have the incorrect setting name,
  ldapobjectclass
  as an example in the example ldapauth.ini file.

Example: ldap_objectclass umichPerson
(umichPerson has the mail attribute that Person often does not);
Default: Person
Required Setting: no if using LDAPAuth for read-only, yes if using set command.

ldap_surgemail_forward

Name of LDAP attribute in database which will be used to store SurgeMail forwarding addresses. It can be set blank. If a value for this attribute is found when doing a lookup or check command then LDAPAuth responds with the info field,
fwd="value"
e.g.,
fwd="bob@another_domain.com"
causing mail redirection to that address.

See the SurgeMail Manual section,
Ext. Auth Fwd Field for further details.

Example: ldap_surgemail_forward alias
Default: mailForwardingAddress
Required Setting: yes, because you probably don't want that bad default!

log_name

Base of log file name. Note suffix n.log will be appended so default is ldapauth1.log

Example: log_name c:\mylogdir\
(umichPerson has the mail attribute that Person often does not);
Default: LDAPAuth
Required Setting: no

sha_hash

On set command only, take password given and use the SHA to hash it. NB: this setting is really obsoleted by SSHA, which is done by default. If you really want SHA then you need to set the two settings as per the example below.

Example (If you really do want SHA not SSHA or plaintext):
sha_hash true
ssha_hash_dont true
Default: false (ssha instead)
Required Setting: no

ssha_hash_dont

Unless this setting is set to true, on the set command only, LDAPAuth will hash the given password using SSHA and prepend the string, {ssha} to the start of it before sending to the database. That way the database knows to SSHA the password sent by the LDAPAuth check command before comparing it with that user's password in the database. Starting with version 1.0L LDAPAuth will SSHA all passwords when setting (adding) a user in the database. This setting is for turning that behaviour off.

To make LDAPAuth add users with plain text passwords as it used to, use the setting as per the example below and check that the sha_hash setting is false or not in the ini file.

Example: #sha_hash true (commented out, for plain text passwords)
ssha_hash_dont true
Default: false (ssha done automatically)
Required Setting: no

ldap_access_wild

A list of IP addresses from which POP logins are accepted if 'pop' is found in the users ldap_access_field field, this allows you to disable direct pop access and only allow POP access from your WebMail interface.

Example: ldap_access_wild 10.0.0.23,11.*,!11.1.1.2

ldap_access_field LDAP field in which to search for 'pop' if found then apply ldap_access_wild to POP logins dir_hash Makes LDAPAuth return a path for drop/bin processing, eg:

dir_hash 2 2 /var/mail

Would return /var/mail/ch/ri/chrisp instead of 'config' as the path.

ldap_search_name_alt

For example: ldap_search_name mail_alias

Would lookup the 'mail_alias' field for this user, if found, the ldap_uid field is then used to construct the drop path for this user, so this allows you to define aliases for a user. (very similar to forwarding) 

The feature is not intended for general use, avoid it if possible, it is intended for backward compatibility with pre existing LDAP databases.

ldap_uid uid Sets the UID field to use to construct a path for a user, see above setting. ldap_mailhost If a user cannot be found the normal way, LDAPAuth will try the user part of the address as a ldap_uid search, and then see if the ldap_mailhost matches it, if so it then delivers to that uid. Again this setting is not for general use it is only for backward compatibility with existing LDAP databases. strip_domain true Removes the domain name from all lookups (can be useful with active directory or other ldap databases where the domain is not in the database) ldap_map_domain

This setting is used to map a 'domain.com' setting to a seperate 'search_base_dn'. This allows you to seperate each domain into a seperate part of the LDAP tree.
When you do this you should NOT map any sub domains.

ldap_map_domain domain.com dc=domain,dc=com
ldap_map_domain netwin.co.nz dc=netwin,dc=co,dc=nz

If not map for a domain is located it will default to the 'ldap_search_base' location.

Example: ldap_group_search cn=group*
Default: none
Required Setting: no

ldap_group_field

Specify the field that contains the users email address in usergroup objects.

Example: ldap_group_field cn
Default: cn
Required Setting: no

ldap_group_attrib

Specify the attribute in a user group object that contains the information about each user.

Example: ldap_group_attrib uniquemember
Default: uniquemember
Required Setting: no

ldap_port

The TCPIP port to connect to the LDAP server on.

Example: ldap_port 3890
Default: 389
Required Setting: no

log_path

The file to store log files in

Example: log_path c:\logs\auth.log
Default: the location of the LDAPAuth executable ldapauth.log (older versions wrote to auth.log by default)
Required Setting: no

Notes on using ldap_group* settings with DNews.

Command Line Options:

Supported Commands

The commands below are the list of commands that this module supports. For a full description about the command see Authentication Protocol

How do I upgrade NWAuth to LDAPAuth

To upgrade to LDAPAuth you need to following the following steps.

Example used with Active Directory (windows)

ldap_host 10.1.1.1
ldap_port 389
ldap_mgr_dn cn=ftpadmin1,ou=mgt_info_sys,ou=CTL,ou=region_sales,dc=example,dc=com
ldap_mgr_pw secret_password
ldap_search_base OU=region_sales,dc=example,dc=com
ldap_scope LDAP_SCOPE_subtree
ldap_search_name ExampleAccountName
ldap_group_base OU=region_sales,dc=example,dc=com
ldap_group_search CN=&*
ldap_group_field CN
ldap_group_attrib member

Downloading a recommended LDAP server

OpenLDAP server, available at:
http://www.openldap.org/

We also test LDAPAuth against Netscape's LDAP server (a number of the defaults reflect this) and the University of Michigan server.

SDKs for LDAP are also available,
http://www.openldap.org/

.

The post Authent Module Ldapauth appeared first on SurgeMail.

(windows) g_authent_process "c:\surgemail\nwauth.exe -path c:\surgemail"

(linux) g_authent_process "./nwauth"

Optional Command Line Options:

Error recovery - recover lost users.

In the event of loosing some users from the database for any unknown reason (deleting a file manually etc) you can rebuild the user database like this using the journal entries it keeps.

# First copy nwauth.* files

mkdir backup

copy nwauth.* backup

# Then use this command to get a list of changes it will make:

nwauth -path . -test

# Then run it with -fix to actually add the missing users:

nwauth -path . -fix

Supported Commands

The commands below are the list of commands that this module supports.

To make passwords visible in admin

Obviously this is not recommended as it is a security risk, but on a small or home server this may be worth doing:

Use these two settings

g_authent_process "c:\surgemail\nwauth.exe -path c:\surgemail -nocrypt -decrypt -showpass"

g_authent_info name="Password" field="password" access="admin" default="" type=""

The post Authent Module NWAUTH appeared first on SurgeMail.

We provide modules for most common databases, including:

• NWAuth - The default, fast simple and reliable, always use this!
• MySQLAuth - MySQL UNIX based SQL database
• LDAPAuth - LDAP database, can also be used with windows.

Authent modules should always be tested at the command line to see if they are working. Here is an example using NWAuth, the standard NetWin module:

c:> nwauth
set bob@test.com bob
+OK bob@test.com added to database
lookup bob@test.com
+OK bob@test.com config 0
check bob@test.com xxx
-ERR bob@test.com password wrong or not a valid user
search bo*@test.com
+DATA bob@test.com
+DATA bobcat@test.com
+OK Search Complete 2 items found out of 1510
set bob@test.com bob quota="200" fwd="fred@test.com"
+OK bob@test.com added to database
lookup bob@test.com
+OK bob@test.com config 0 quota="200" fwd="fred@test.com"

Configuring the Authent Module.

This is done in surgemail.ini e.g.

g_authent_process "c:\surgemail\nwauth.exe -path c:\surgemail"

The above tells NWAuth to look in c:\surgemail for it's files nwauth.add, nwauth.txt, etc.
The same is true for any module that has an .ini file.

Extended info fields recognized by SurgeMail

SurgeMail uses the g_authent_info settings to define what fields it displays and where. Most fields have a 'hard-coded' use but others are simply there as examples of the kind of optional information you can collect about your users. The default settings are as follows:

g_authent_info name="Creation Stamp" field="created" access="none" default="" type=""
g_authent_info name="Forwarding" field="fwd" access="none" default="" type=""
g_authent_info name="SPF Block" field="spf_block" access="none" default="" type=""
g_authent_info name="Disk Quota (bytes)" field="quota" access="domadmin" default="" type=""
g_authent_info name="Full Name" field="full_name" access="user" default="" type=""
g_authent_info name="Phone" field="phone" access="user" default="" type=""
g_authent_info name="Password Retrieval Question" field="pass_question" access="createonly" default="" type=""
g_authent_info name="Password Retrieval Answer" field="pass_answer" access="createonly" default="" type=""
g_authent_info name="Access type" field="mailaccess" access="domadmin" default="" type=""
g_authent_info name="Account Status" field="mailstatus" access="domadmin" default="" type=""
g_authent_info name="Sms Number" field="smsto" access="domadmin" default="" type=""
g_authent_info name="Disabled" field="disabled" access="none" default="" type=""
g_authent_info name="User alias quota" field="alias_quota" access="domadmin" default="" type=""
g_authent_info name="User list quota" field="list_quota" access="domadmin" default="" type=""
g_authent_info name="User access settings" field="user_access" access="domadmin" default="" type=""
g_authent_info name="Msg limit per 30min" field="send_limit" access="none" default="" type=""
g_authent_info name="To host(g_proxy)" field="tohost" access="none" default="" type=""
g_authent_info name="Is an alias of" field="realuser" access="none" default="" type=""
g_authent_info name="Allowed to" field="allow" access="none" default="" type=""
g_authent_info name="Friends Enabled" field="friends" access="none" default="" type=""
g_authent_info name="Email Notification Address" field="enotify" access="none" default="" type=""
g_authent_info name="SpamPrivate private prefix" field="ddpriv" access="none" default="" type=""
g_authent_info name="SpamPrivate from prefix" field="ddfrom" access="none" default="" type=""
g_authent_info name="Card Name" field="ccname" access="user" default="" type=""
g_authent_info name="Card Number" field="ccnumber" access="user" default="" type="encrypt"
g_authent_info name="Card Expiry" field="ccexpires" access="user" default="" type=""
g_authent_info name="Card Security Code" field="ccciv" access="user" default="" type=""
g_authent_info name="Card Type" field="cctype" access="user" default="" type="" 

For example:

+OK bob@test.com config 0 fwd="fred@test.com"
+OK bob@test.com config 0 quota="200000" fwd="joe@xx.com"

Advanced settings :

Legacy settings :

Mixed

Example ldapauth.ini config used with ActiveDirectory (Windows)

ldap_host 10.1.1.1
ldap_port 389
ldap_mgr_dn cn=ftpadmin1,ou=mgt_info_sys,ou=CTL,ou=region_sales,dc=example,dc=com
ldap_mgr_pw secret_password
ldap_search_base OU=region_sales,dc=example,dc=com
ldap_scope LDAP_SCOPE_subtree
ldap_search_name ExampleAccountName
ldap_group_base OU=region_sales,dc=example,dc=com
ldap_group_search CN=&*
ldap_group_field CN
ldap_group_attrib member

The post Authent Modules appeared first on SurgeMail.

g_user_access - Allow / Restrict user access to features based on g_access_group

g_user_access group="wildcard" access="list"

This setting matches the g_access_group the user is in to the wildcard specified and applies the specified list to that user, giving / restricting thier access to certain features. The list may include any of the following:

In addition you can prefix any of the above with ! to deny access. There are two other special case values, "all" and "none" which mean exactly what they say, access to "all" or "none" of the features.

Example:

g_user_access group="simple" access="all,!spam,!virus"

The above setting gives users in the 'simple' group access to all the features except spam and virus features.

Syntax: g_user_access group=string access=string

g_user_access_default - Default user features granted to users

This setting is a default access list for all users on the server, it is specified in the same maner as the g_user_access settings 'access' parameter. eg:

g_user_access_default "all,!spam,!virus"

Syntax: g_user_access_default string

g_user_access_from - When sending use from for useraccess rules

When sending a message the user access rules which are applied can be based on the 'from' header, this is not secure but is sometimes useful.

Syntax: g_user_access_from bool

g_user_access_webonly - Means user_access rules only stop web interface not actual spam checking etc

This setting has no further documentation currently available

Syntax: g_user_access_webonly bool

g_user_alias - Number of aliases accounts can create

This setting specifies the maximum number of account aliases an account (optionally in specified group) can create. The format of these aliases is specified in the file specified by the g_user_alias_file setting. eg.

g_user_alias quota="10" group=""
g_user_alias quota="20" group="grp1"
g_user_alias quota="30" group="grp2"

Syntax: g_user_alias group=string quota=int

g_user_alias_file - User aliases configuration file

This setting specifies the configuration file for user aliases. This file is in the following format:

domain alias_domain,access[,access]...

where domain is the domain name eg: email.com, alias_domain is the domain in which aliases can be created, and access specifies who is allowed to create these aliases, it can have one of the following values:

Example alias.dat file:

email.com *.email.com,public
email.com sport.email.com,public
internal.email.com email.com,private
internal.email.com internal.email.com,admin

Syntax: g_user_alias_file string

g_user_blogs - Number of blogs accounts can create

Specifies blog limit based on user group.

Syntax: g_user_blogs group=string quota=int

Example: g_user_blogs group=premium quota=15

g_user_cookies - Enable browser cookies for user self management

Enable browser cookies for user self management.

Syntax: g_user_cookies bool

g_user_delete - Let users delete themselves

Enables the user delete button in the user self management page, assuming the use access rules also allow it

Syntax: g_user_delete bool

g_user_disable - Filename listing users to disable

This setting has no further documentation currently available

Syntax: g_user_disable string

g_user_domainlist - Show domains list on user pages

This setting decides who will see the drop-down list of domains on the user check, add, login, and management pages. It has three possible values: user, domadmin and admin. A value of 'user' allows everyone to see the list, 'domadmin' allows domain admins and the admin to see the list, and 'admin' allows only the admin to see the domains list.

Syntax: g_user_domainlist string

g_user_filter_early - Process user ex

The post Global settings g_user appeared first on SurgeMail.

Per default SMTP authentication is enabled. If a user matches this IP range/list they will NOT be shown the ESMTP extension for SMTP authentication. This will usually stop the mail client from prompting the user for authentication. We STRONGLY recommend you do NOT use this feature. It is much better to let users authenticate when sending email.

Syntax: g_auth_hide string

g_auth_norelay - Ignore SMTP auth for relaying purposes

This means relaying only occurs if g_relay_allow_ip matches

Syntax: g_auth_norelay bool

g_auth_path - Path to nwauth files

Needed for mirroring if using multiauth

Syntax: g_auth_path string

g_auth_skipgateway - Skip gateway rules if we get a proxy SMTP auth command

Skip gateway rules if we get a proxy SMTP auth command. This is not for general use. It can be used if you are using SurgeMail in front of another mail server with a wild card gateway to gateway all domains to a back end mail server. Then an authenticated user is a local user trying to send out so the gateway rules are ignored. (this is strongly not recommended)

Syntax: g_auth_skipgateway bool

g_authent_addip - Send ip address as third parameter to authent module

This setting has no further documentation currently available

Syntax: g_authent_addip bool

g_authent_allow_badascii - Allow ascii chars outside the range 32 < 127

By default ascii characters < 32 and >= 127 are blocked as invalid. If you require these characters set this to TRUE.

Syntax: g_authent_allow_badascii bool

g_authent_always - Always lookup user, so virtual domains can exist just in authent module

Always lookup user, so virtual domains can exist just in authent module. This allows you to support 10,000 domains on one system without a 'huge' ini file. Be careful to not create/remove real domains with the same name as existing domains that only exist in the authent database as the 'drop files/inboxes' will move when this occurs and existing mail will vanish.

Syntax: g_authent_always bool

g_authent_any - Restore buggy behaviour of looking up users in domains that don't exist

Previously surgemail would lookup a user even if the domain in question did not exist, if you need to restore this odd behaviour then you can use this setting...

Syntax: g_authent_any bool

g_authent_cachebad - Cache life of failed authent lookups

Set the life in seconds that the cached failed lookups can be used, default 60 seconds. Best left alone unless your server is being hit by thousands of failed lookups and your authent module is slow.

Syntax: g_authent_cachebad int

g_authent_cachelife - Cache life of successful authent lookups

Set the life in seconds that successful cached lookups can be used, default 2 hours. Best left alone.

Syntax: g_authent_cachelife int

g_authent_cachesize - Size of the authent cache

Set the size of the authent cache, default is 500 entries. Generally best left alone.

Syntax: g_authent_cachesize int

g_authent_case_sensitive - Make passwords case sensitive

By default surgemail avoids case sensitive passwords as they do little to increase security but causes endless frustration for users, but this is just an opinion and some people disagree so use this setting if you wish to have case sensitive passwords :-).

Syntax: g_authent_case_sensitive bool

g_authent_decrypt - Collect and store plain text passwords for migration in file pass.decrypted

This setting should only be used as part of a migration, it obviously exposes your customers passwords to risk!.

Syntax: g_authent_decrypt bool

g_authent_domain - Authent domain

If this is 'true', the virtual domain name is appended to the username before it is passed to the authent process. This lets the authent process deal with virtual domains. As a general rule, this should ALWAYS be true. 

Syntax: g_authent_domain bool

g_authent_encrypt_key - Encryption key config settings

Not for general use currently, used to partially obscure credit card info when stored in the authent module.

Syntax: g_authent_encrypt_key string

g_authent_enforce - Days till we prevent user from logging in, NOT RECOMMENDED

Days until we block logins if password is not changed. This setting will annoy your customers but not really achieve anything useful, it shouldn't be used in most situations

Syntax: g_authent_enforce int

g_authent_fwdfile - Use DMail forward files (deprecated - for backward compatibility only)

Allows old style DMail forward files to be read.

Syntax: g_authent_fwdfile bool

g_authent_info - Authent info

Defines a piece of information to store about the user in the user database (phone number, name, address etc). Each piece of information is given a name, a field, an access mode, a default and a type. The name defines what appears in the web management display. The field is what is sent to the authent_process. The access mode can be one of the following: user, domadmin, or admin, createonly, none. The default is what value is assigned upon creation of a new user. The type can be one of: date, readonly, encrypt or any custom string which you want to check for or match on the na_details.htm page with a template function like: ||ifequal||user_info_type||custom|| .. do things .. ||endif||

An access mode of 'admin' means that only the system admin can see the information, 'domadmin' means the sysadmin and any domain admin can see the information, 'user' means the user can see the information, 'createonly' means the user sets the information at creation time but cannot see it after that and 'none' ensures that no-one can see or modify the information (used for information that is handled by SurgeMail itself, either through the interface or otherwise)

e.g.
     g_authent_info      name="Phone Number" field="phone" access="user" default="" type=""

See here for a complete list of default settings.

Syntax: g_authent_info name=string field=string access=string default=string type=string

g_authent_info_grp - Fields to show to users in this group

Specifies the authent fields this user group is allowed to see and change. This applies only to the fields visible on the account properties page and the domain admin "Users" page it cannot be used to prevent access to fields which are managed by the web interface i.e. 'fwd'

Syntax: g_authent_info_grp group=string fields=string tag=string

g_authent_ip - Authent Lookup IP numbers via authent modules - enables relaying

If enabled each connecting IP address will be looked up in your user database as x.x.x.x@ip eg: "127.0.0.1@ip" and if the user is found then relaying is allowed and if 'send_limit="nn"' is defined then that will set the tarpit send limit for that user.

For per IP tarpit limits to work you need to define the g_tarpit_max and g_tarpit_max_remote settings. And g_tarpit_drop to make the limit effective.

Syntax: g_authent_ip bool

g_authent_last_login - Store users last login time in the database

This setting will cause the authent field 'last_login' to be updated when a user logs in. The field is set to a timestamp which is 'the number of seconds since midnight January 1, 1970'. This field is updated 'at most' once every 24 hours. Other features i.e. delete_user_after and disable_smtp_after will look for this field.

Syntax: g_authent_last_login bool

g_authent_logall - Turns on logging of authent requests

If enabled, authentication requests are logged in mail.log as "<day> <time> Authent[<action> <info>]".

Syntax: g_authent_logall bool

g_authent_lookup - Check if accounts exist using g_authent_pass too

This setting has no further documentation currently available

Syntax: g_authent_lookup bool

g_authent_nodomain - If true dont add @virtual.domain.name to external user lookups (NOT RECOMMENDED)

Use this at your own risk, it is provided for compatibility with dmail installations, but should be avoided if at all possible.

Syntax: g_authent_nodomain bool

g_authent_number - Authent number

The number of concurrent authent processes to run. If you are using a slow external authent module (e.g. sql) then it is probably worth running 3-4, there is no need to have more than 1 when using nwauth.exe. (Default = 1) 

Syntax: g_authent_number int

g_authent_pass - Authent process to check passwords with

This setting has no further documentation currently available

Syntax: g_authent_pass string

g_authent_prefix_sep - Authent Prefix Separator (deprecated - for backward compatibility only)

Prefix separator for prefix based separator. Only relevant if enabled on a per vdomain basis using the "prefix" setting.

Syntax: g_authent_prefix_sep string

g_authent_process - Authent process

The command line of a NetWin authentication module. You can use one of our standard modules for LDAP, ODBCAuth, MySQL etc or write your own. For more information on these modules see the authentication section of the manual .

This will typically be something like:
g_authent_process "E:\surgemail\nwauth.exe -path E:\surgemail"
or
g_authent_process "/usr/local/surgemail/nwauth -path /usr/local/surgemail"

Syntax: g_authent_process string

g_authent_reminders - Days till we remind user to change password

Days until we remind user to change password.

Syntax: g_authent_reminders int

g_authent_restart - Cycle auth modules every 1000 lookups

This is useful if there are resource allocation issues in the authentication module. Eg OBDCAuth

Syntax: g_authent_restart bool

g_authent_single - Allow local users with a single quote char in their name

This let's users exist who contain the single quote ' character. It is not supported with some authent modules though, nwauth does allow it.

Syntax: g_authent_single bool

g_authent_spaces - Allow spaces in passwords DO NOT USE

Not supported for most authent modules, requires nwauth 4.0r or later, If you have already got users with spaces in their passwords and you turn this setting on, they will no longer be able to login until they reset their passwords. Authent module must support slash encoding, for nwauth add -spaces to command line

Syntax: g_authent_spaces bool

g_authent_strip_domain - Strip domain for authent lookups

Use when your database expects one 'primary' domain to do lookups without a domain name then SurgeMail will strip that domain only from lookups. Typically this is only necessary with old DMail authent modules.

Syntax: g_authent_strip_domain string

g_authent_timeout - Timeout for authent response

Timeout for authent response, default 60 seconds.

Syntax: g_authent_timeout int

The post Global Settings g_auth appeared first on SurgeMail.

g_admin_access group="wildcard" access="list"

This setting matches the g_access_group the admin is in to the wildcard specified and applies the specified access list to that domain admin, giving / restricting thier access to certain features. The list may include any of the following:

In addition you can prefix any of the above with ! to deny access. There are two other special case values, "all" and "none" which mean exactly what they say, access to "all" or "none" of the features.

Example:

g_admin_access group="simple" access="all,!users,!reports"

The above setting gives admins in the 'simple' group access to all the features except the users and reports features.

Syntax: g_admin_access group=string access=string

g_admin_access_default - Default features granted to domain admins

This setting is a default access list for all domain admins on the server, it is specified in the same maner as the g_admin_access settings 'access' parameter. eg:

g_user_access_default "all,!users,!reports"

Syntax: g_admin_access_default string

g_admin_guesses - Number of guesses allowed for admin.

Syntax: g_admin_guesses "number"

This sets the number of guesses allowed for the admin username/password. Once this has been reached the ip is banned.

Syntax: g_admin_guesses int

g_admin_ip - Admin IP access

Mask of valid IP addresses for admin users (default *), this is a security setting you can use to restrict remote web admin access to trusted IP addresses. One is always allowed to use manage SurgeMail using 127.0.0.1 regardless of whether this is explicitly specified.

eg. To restrict to local network as per net mask
g_admin_ip "10.0.0.*,10.1.2.*" 

Syntax: g_admin_ip string

g_admin_localhost - Allow localhost web admin without user/pass

Allows a localhost connection to access the web admin port without using the administrator username / password. This is good if you keep forgetting the admin password like I do.

Syntax: g_admin_localhost bool

g_admin_readonly - System admins with readonly access to the management interface

This setting has no further documentation currently available

Syntax: g_admin_readonly string

g_admin_utoken_expire - Length of time a web admin session is valid for

This setting has no further documentation currently available

Syntax: g_admin_utoken_expire int

g_admin_utoken_idle - Length of time a web admin session may remain idle for

This setting has no further documentation currently available

Syntax: g_admin_utoken_idle int

The post Global Settings g_admin appeared first on SurgeMail.

g_access_group - Access groups

Access rules defining groups of IP addresses with certain POP, IMAP and SMTP privileges. When a user is authenticated access is checked against group membership defined in the "mailaccess" field in the authentication database. See accounts for more information.

eg. this could allow you to charge webmail users for pop access privileges:
g_access_group group=paid_user access_pop=* access_imap=* access_smtp=* 
g_access_group group=free_user access_pop=webmail.svr.ip access_imap=webmail.svr.ip access_smtp=webmail.svr.ip 

with "Access type" set to "free_user" on accounts page or equivalently in nwauth authentication database:
marijn@mydomain.com:{ssha}tVANQo...:created="1060034937" mailaccess="free_user" ...

To prevent webmail access for some users you would do this:

g_access_group_default "normal"
g_access_group group="normal" access_pop="*" access_imap=*" access_smtp="*"
g_access_group group="nowebmail" access_pop="*,!webmail.ip" access_imap="*,!webmail.ip" access_smtp="*"

And put the users you want to limit in a group called 'nowebmail' e.g.

lookup fred@domain
+OK fred@domaing config 0 mailaccess="nowebmail"

Syntax: g_access_group group=string access_pop=string access_imap=string access_smtp=string access_incoming=string

g_access_group_default - Access group defaults

Access group defaults for users with no access groups set. (must be used in conjunction with g_access_group)

Syntax: g_access_group_default string

g_access_surgeweb - Apply g_access_group rules to surgeweb sessions based on client's address

This setting has no further documentation currently available

Syntax: g_access_surgeweb bool

g_access_webonly - Users in this group can only use web not imap or pop

This setting has no further documentation currently available

Syntax: g_access_webonly string

The post Global Settings g_access settings appeared first on SurgeMail.