1. Use the config checker and apply the recommended settings
2. Make sure you have g_friends_safer "true"
3. Make sure you ahve g_responder_safer "true"

In addition you should consider banning forwarding settings to problem domains, e.g.
forward_illegal to="*@gmail.com" apply="user"

This rule prevents users adding a forwarding rule to a gmail account. You might do this if gmail is seeing incoming forwarded spam from your server and blacklisting it.

The post Back Scatter (Backscatter) appeared first on SurgeMail.

This file contains only basic settings in the form:

<setting_name><space><setting_value>

e.g.

quota_default 100mb
ssl_require_login true

The post Domain defaults appeared first on SurgeMail.

g_oauth_client_id "idcode"

g_oauth_client_secret "secretcode"

g_oauth_trim "true" - Trim @domain.name from user before lookup

g_oauth_url "http://your.oauth.endpoint/oauth.php"

g_authent_lookup "true" - If set then oauth is used as password check as well as account existence.

With the above settings surgemail will use nwauth to store most details about user accounts, but will check for existence, and passwords with the oauth server.

The post Oauth 2.0 support appeared first on SurgeMail.

Create a Twilio account

https://www.twilio.com/try-twilio

(Note the above link is a referral link).

Copy your SID, Token and Phone number.

Login to your Twilio console, on the dashboard you will find:

And if you go to the phone numbers tab, you should have a phone number, if not you will need to add one:

Copy these three things into your surgemail.ini settings:

g_twilio_from "+13xxxxxxx"
g_twilio_sid "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
g_twilio_token "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Test the SMS gateway is working

tellmail sms_test +1nnnnnnnnn (your cell phone number)

Within 30 seconds you should get a test message.

Configure your personal phone number

Lookup your account, click on 'password' and configure your SMS number, or in the admin console just fill in the 'sms_to' setting, be sure to specify your full phone number including + and international code, e.g. for U.S. numbers +1.... for New Zealand it would be +64....

https//your.server/cgi/user.cgi

Test the SurgeWeb forgot link

Now if you go to surgeweb login and press 'forgot' you should be able to use an SMS confirmation to reset your password:

http://your.server/surgeweb

Add SMS notification rules

First add user_sms "true" to each domain:

user_sms "true"

Lookup your account, go to the 'sms' config page, and add a rule.

if Subject contains Urgent

Now send yourself an email with the subject "Urgent issue". It should arrive on your phone.

Configure a quota rule

Add a default number of messages per user per day, this is a domain level setting so will need to be added to each domain:

user_sms_quota initial="10" period="24"

Typically SMS messages cost about 1 cent, so factor this into your cost structure to decide what sort of limits you need. This limit only applies to the notify feature. Password resets do not count against the users SMS quota.

The post SMS Twilio Gateway appeared first on SurgeMail.

Define class of user for following commands to apply to

hidden

Syntax: class type=string from=string users=string groups=string name=string

comment

Management notes and comments about the domain

This is a dummy setting that lets you store information in the ini file that will survive setting changes from the web admin tool.

Syntax: comment date=string name=string comment=string

abook

Define surgeweb shared address books for this domain

The read/write fields should be a list of valid usergroups or * for all users

Syntax: abook name=string read=string write=string type=string

alias_file

Alias file

In addition each domain has it’s own ‘alias’ file (domain.name/alias.dat). You can create alias files using the same syntax as used in UNIX systems /etc/aliases. The format is:

username:   destination
bob:            fred@domain.com
joe:             joesmith

This file only exists for backward compatibility.

Syntax: alias_file string

alias_max

Maximum number of aliases for this domain

Limits the ..total number of aliases allowed in this domain to the value specified.

Syntax: alias_max int

access_group_default

Default group to place users in

Specifies the default g_access_group to place users in this domain into.

Syntax: access_group_default string

admin_access_default

Default features granted to domain admins in this domain

This setting allows you to specify default access to certain SurgeMail features. It is specified in the same maner as the g_admin_access settings ‘access’ parameter. eg:

admin_access_default “all,!users,!reports”

Syntax: admin_access_default string

assume_created_epoch

If user has no ‘created’ field assume they were created an arbitrarily large time in the past

This setting effect the g_disable_smtp_after and g_delete_user_after settings which, by default, ignore users who have not logged in and have no created field.

Syntax: assume_created_epoch bool

blogs_max_per_user

Number of blogs each account can create

This setting has no further documentation currently available

Syntax: blogs_max_per_user int

Example: blogs_max_per_user 10

broad_sync

Broadsoft Sync Enable

Customer specific feature

Syntax: broad_sync bool

encrypt_rule

Default if no domain level rule

If this rule matches then the message will be encrypted before it is sent to the user. method=server or inline, we recommend ‘server’ mode as it’s much simpler.

Syntax: encrypt_rule header=string contains=string from=string to=string noconfirm=bool method=string

encrypt_subject

Subject when encrypted message sent – default is original subject

Not yet implemented

Syntax: encrypt_subject string

encrypt_limit

Max encrypted msgs per user per day

Per user limit per day, (used to be per hour)

Syntax: encrypt_limit int

encrypt_limitsz

Max size of encrypted msgs per user per day

Per user dayly limit, e.g. 10mb

Syntax: encrypt_limitsz int

encrypt_token

This setting is not used, instead use smart and ifnew settings

This feature is not controlled by this setting, it’s part of the smart features and controlled by the surgeweb options if enabled, instead set encrypt_ifnew and encrypt_smart

Syntax: encrypt_token bool

encrypt_smart

Encrypt smart features enabled for this domain

Not for general use

Syntax: encrypt_smart bool

encrypt_noconfirm

Disable confirmation for encrypted messages

Disables the automatic confirm reading message

Syntax: encrypt_noconfirm bool

encrypt_ifnew

Allow surgeweb ifnew options

Not for general use

Syntax: encrypt_ifnew bool

encrypt_surgeweb_hide

Hide lock icon on surgeweb

This setting has no further documentation currently available

Syntax: encrypt_surgeweb_hide bool

fallback

Fallback Email address or account

Specifies a default account to deliver Email to. This is sent to a non existent account. If not defined the Email will be bounced. Setting fallback to “/dev/null” will drop messages (both UNIX and Windows).

Syntax: fallback string

fallback_relay

Fallback host to relay non existent accounts to

Specifies a default host to send messages to that are not found in the local user database. This allows you to transition between two mail systems, as new accounts are created the emails will be delivered to SurgeMail, and ones that don’t exist will be sent on to the old system automatically. There are several options to make this work using servers that only accept mail if they can do a reverse lookup.

Syntax: fallback_relay string

fallback_mx

Use mx lookup to find ip address for fallback_relay setting

This setting has no further documentation currently available

Syntax: fallback_mx bool

fallback_users

Path to file listing all users to user fallback_relay for

Useful to remove load from backend server as it doesn’t have to be checked for non existent users, the file can contain user@domain or just usernames

Syntax: fallback_users string

fallback_check

Fallback check

Check if user exists on fallback relay host before accepting it.

Syntax: fallback_check bool

fallback_always

Also relay to old system even if user does exist – not recommended

This setting can be used when bringing up a new system if you want to be able to backout. It is not recommended

Syntax: fallback_always bool

fallback_force

Use fallback even if user does exist as migration not started yet

Use fallback address even if user does exist. Useful before migration occurs.

Syntax: fallback_force bool

fallback_domain

Fallback domain, rcpt is rewritten @ this domain name

Use fallback address even if user does exist. Useful before migration occurs.

Syntax: fallback_domain string

friends_at_rcpt

Whether to check users friends list at rcpt stage

This setting is automatically added/removed by the web admin when domain level friends defaults are configured. It allows us to check friends at rcpt stage without paying a disk access cost for non-friends users.

Syntax: friends_at_rcpt bool

friends_pending_name

The imap name of the friends_pending folder default is ‘Friends Pending’

This shouldn’t be changed unless this feature has not been used before as it will confuse your users as they will have the old imap folder too. Ensure you have enabled this feature with g_imap_friends setting

Syntax: friends_pending_name string

friends_url

Specify full url for friends release http://domain.name:port domain specific setting

Normally the default will work.

Syntax: friends_url string

status_url

Specify full url for status message e.g. http://domain.name:port domain specific setting

This setting has no further documentation currently available

Syntax: status_url string

from_exact

Check from matches authenticated user

Checks that the from header perfectly matches the authenticated user

Syntax: from_exact bool

centipaid

see 

Specifies accounts that can charge for incoming email.

Syntax: centipaid match=string acct=string pass=string https=string lang=string amount=int enabled=bool friends=bool smite=int

create_block

Block new users from this IP

Stops users from specific IP addresses from registering in this domain (assuming that you have allowed users to register themselves). Use this to stop known spammers from re-registering on your system. 

Syntax: create_block string

create_user

Method for adding new users

Can be one of:

In ‘open’ mode users account are created instantly. In ’email’ mode they recieve an email and use a link to create their account. In ‘manager’ mode the manager recieves an email and via a link sends the user an email which they use to create their account. In ‘manager_new’ mode the account is created disable and the manager receives an email with a link to activate the account.

Syntax: create_user string

create_cleanup

Cleanup existing data before adding a user

This causes a delete to be actioned for a user before/as they are created. This ensures the new user does not end up with any files, on any mailing lists, with any aliases etc from a previous user of the same name/address. If you delete users from the authent database directly i.e. not using the surgemail web admin or calling ‘tellmail delete_user’ then this setting will cleanup the users files when their address is re-used.

Syntax: create_cleanup bool

create_max

Maximum signups from one IP in a day

This setting stops spammers registering hundreds of accounts on your system before sending out a lot of spam. A setting of 2-3 is probably a good idea. 

Syntax: create_max int

create_subdomain

Allows users to create an account that belongs to it’s own unique domain.

If true this allows users to create accounts with a unique subdomain i.e. firstname@lastname.domain. SurgeMail uses the domuser system to handle sub-doamin users. Wildcard MX records are required to ensure delivery to subdomain users.

Syntax: create_subdomain bool

create_reqd

Required fields for new users

A comma separated list of field names. Allowable field names are the “field” value(s) of the g_authent_info setting.

For example, if your setting is:
       name,phone
then when a new user is created they will be forced to fill in the name and phone fields in the registration form.

NOTE: A g_authent_info setting is required to make the field appear on the signup page, eg.

g_authent_info name=”Phone” field=”phone” access=”user” default=””

the above setting causes a field for phone to appear on the signup page and in the user details page.

Syntax: create_reqd string

create_tpl_dir

Relative path to user create pages

The relative path from the web directory to the user creation and user self management pages, these pages are typically called na_*.htm and stored in the /web directory. If you want a different look and feel for a domain simply set this and copy the pages to a directory in /web then modify them.

For example, if your setting is:
       otherdomain/

Then you would:
       cd /surgemail/web
       mkdir otherdomain
       copy na_*.htm otherdomain
       CD otherdomain
       notepad na_login.htm

Syntax: create_tpl_dir string

create_repass

User enters password twice on creation

If true this will show a “Password Again” input in addition to the “Password” input on the user signup page. The user is required to type the password in twice and the passwords are compared to ensure they are identical.

Syntax: create_repass bool

create_disable_days

Number of days new accounts remain active for

New accounts when created are set to expire after the specified number of days. When this occurs they can no longer login or recieve email.

Syntax: create_disable_days int

create_delete_days

Number of days a disabled new account remains before deletion

Accounts disabled with create_disable_days remain until the specified number of days at which point they are deleted.

Syntax: create_delete_days int

create_linkto

Link to redirect to after successful live account creation

This is the web url/link that the user creation process links to once it has created a new and active email account (active means it is ready for use, i.e. not disabled, verified my manager etc)

Syntax: create_linkto string

create_image

Use verification image on signups

This adds a verification image to the signup process. The user will be required to correctly enter the value shown in the image to signup

Syntax: create_image bool

dmail_deliver

Deliver messages into dmail drop directories (not supported)

This setting has no further documentation currently available

Syntax: dmail_deliver bool

dmail_drop_path

Path for drop files to automatically convert

Path for DMail / sendmail style drop files to automatically convert. This allows you to import delivered but unpopped mail from standard drop files. While this is set a check is done whether a drop file needs to be imported each time a user logs on. Any mail is converted on the fly and added to the users SurgeMail inbox.

Syntax: dmail_drop_path string

dmail_drop_prefix

Whether prefix is used on dmail drop files

Prefix on dmail drop files for dmail_drop_path conversion.

Syntax: dmail_drop_prefix bool

dmail_bin_path

Path for DMail bin files to automatically convert

Path for DMail style bin files to automatically convert. This allows you to import delivered but unpopped mail from DMail bin and mailbox files. While this is set a check is done whether this import needs to be done each time a user logs on. Any mail is converted on the fly and added to the users SurgeMail inbox.

Syntax: dmail_bin_path string

dmail_hash

Hashing scheme used by dmail_drop_path and dmail_bin_path

DMail style hashing scheme used by dmail_drop_path and dmail_bin_path.

Syntax: dmail_hash string

dmail_skip_imap

Skip conversion of old imap *.mbx folders

This setting is usually not needed

Syntax: dmail_skip_imap bool

disable_smtp_after

Number of days an account can remain unread before delivery is disabled

Specifies a number of days an account can remain ‘unread’ before it stops recieving new emails. This is intended to stop mail piling up for abandoned email accounts.

Syntax: disable_smtp_after int

delete_user_after

Number of days an account can remain unread before it is deleted

DO NOT USE THIS SETTING IN A MIRROR/CLUSTER SETUP

Number of days an account can remain unread before it is deleted. This setting cannot be used on an authent_domain FALSE domain unless it has a prefix setting.

Syntax: delete_user_after int

enotify_from

From address to use in email notification messages

Users can set an email address to send a notify to when they get an email. This setting sets the ‘from’ header for such messages.

Syntax: enotify_from string

expire_age

Expire undeleted mail older than specified age left in INBOX

Use this to trim messages that are left in the INBOX, this means messages that are unread and messages which are read but not moved to another folder. The deleted messages are replaced with a single message explaining which items have been deleted (with from, subject and date of each message deleted). You should define both age and size to enable expiration. 

Currently expire ONLY affects ‘newmail’ ie: mail that is waiting to be read not mail stored in IMAP folders.

Syntax: expire_age int

expire_size

Expire undeleted mail larger than specified size (units=bytes)

Use this to trim messages that are not read by users. The deleted messages are replaced with a single message explaining which items have been deleted (with from, subject and date of each message deleted so that anything really important can be recovered). You should define both age and size to enable expiration.

Syntax: expire_size int

expire_rule

Expire rules for specific folders

These rules let you specify and expire rule for any folder. The folder match is not case sensitive

e.g. to delete all spam message over 30 days old and larger than 3k and to empty the trash can each day.

expire_rule folder=”Spam” age=”30″ size=”3k”
expire_rule folder=”Trash” age=”1″

You can use wild cards, e.g. Delete all messages over 90 days old larger than 10k unless in the new or archive* folders.

expire_rule folder=”*,!new,!archive*” age=”90″ size=”10k” 

Syntax: expire_rule folder=string age=int size=int alert=bool

footer_file

Footer file for plain text messages

Footer file for all plain text messages ‘from’ this domain based on from address.

Syntax: footer_file string

footer_html

Text footer file

Footer file for all HTML messages ‘from’ this domain based on from address.

Syntax: footer_html string

forward_illegal

Prevents users setting forward rules to certain addresses

Syntax: g_forward_illegal to=”address” apply=”user type “

This setting allows you to specify some addresses as being illegal for certain users. This stops users setting up forwarding rules to these addresses. They can still send mail to these addresses manually with their email client. These rules _ONLY_ apply to non local domains.

Some examples:

If you want to stop your users setting up forward rules that redirect to aol.com.
g_forward_illegal to=”*@aol.com” apply=”user”

If you want to stop your users setting a forward to all domains except aol.com
g_forward_illegal to=”*,!*@aol.com” apply=”user”

Stop domain admins sending to aol.com
g_forward_illegal to=”*@aol.com” apply=”domadmin”

Stop admins sending to netwinsite.com
g_forward_illegal to=”*@netwinsite.com” apply=”admin”

Syntax: forward_illegal to=string apply=string

gateway_to

Send all email to another server

Useful when migrating if you want email to go to another server while users can still login and read existing email on this server, the messages will be sent even if the user does not exist locally

Syntax: gateway_to string

header_add

Add header to posts ‘from’ this domain

Adds headers, the headers are added based on the ‘from’ domain of the message.

Syntax: header_add string

host_alias

Alias name(s) for this virtual domain

When a user sends to ‘bob@xx.your.domain.name’ or ‘bob@yy.your.domain.name’ you need to have the alias host names ‘xx.your.domain.name’ etc, defined or the mail server will reject the message. Wild card’s can be used for this setting. Example: host_alias “*.your.domain.name”  This can also be used to accept mail directly to the servers ip address eg ‘bob@123.4.5.’

Syntax: host_alias string

ssl_wildcard

Use if your ssl certificate accepts wildcards, e.g. *.my.domain

This setting has no further documentation currently available

Syntax: ssl_wildcard string

imap_public

Share IMAP folders between users

This setting allows folders to be shared between users. See g_imap_acl, Requires surgemail 3.9d or later!. e.g. imap_public name=”INBOX” alias=”lances_inbox” user=”lance” users=”*”

Syntax: imap_public name=string alias=string user=string subfolder=bool users=string group=string readonly=bool

Also the global setting g_imap_acl must be enabled “True”

imap_public_show

Auto subscribe public folders

This setting has no further documentation currently available

Syntax: imap_public_show bool

imap_max_sync

Limit remote imap sync to this many items (not recommended)

This setting has no further documentation currently available

Syntax: imap_max_sync int

inbox_archive

Archive old messages to Archives/yyyy/INBOX folder, age in days

This setting has no further documentation currently available

Syntax: inbox_archive int

sent_archive

Archive old messages to Archives/yyyy/Sent folder, age in days

This setting has no further documentation currently available

Syntax: sent_archive int

late_forward

Apply domain users forwarding rules after friends, spam, and filtering

By default users forwarding rules are applied before friends, spam and user filter rules. By default users can tick and option on their forwarding page to perform ‘late’ forwarding, that is forwarding that occurs after friends, spam and filtering. This option overrides the user option and causes domain users forwarding rules to be applied after friends, spam and filtering.

Syntax: late_forward bool

ldap_disable

Stops ldap logins by users of this domain

If ldap is enabled for this system, then this setting disables it for this specific domain

Syntax: ldap_disable bool

ldap_anydomain

Lets users search other than their own domain in ldap

If ldap is enabled for the system (g_ldap_port) then this lets users of this domain lookup users in any domain not just this domain.

Syntax: ldap_anydomain bool

loginfails

Disconnect after failed logins

Disconnect user after this many bad password guesses.

Syntax: loginfails int

lookup_relay_on_from

Lookup from addresses for relay allowed

Looks up local authenticated smtp from addresses to check for relay is allowed flag (relay=”true”).

Syntax: lookup_relay_on_from bool

list_max

Maximum number of mailing lists for this domain

Set this to the maximum number of mailing lists to allow for this domain.

Syntax: list_max int

list_disable

Disables creation of mailing lists

When set to “TRUE” this disables mailing list creation for this domain.

Syntax: list_disable bool

list_max_users

Maximum number of users allowed in all lists in this domain

This is a quota of users/members for all lists in this domain. The maximum number of members in each list in this domain must total to less or equal to this setting.

eg:
list_max_users “100”
list_max “2”

In this scenario, 100 users could be used in 2 lists. So one list might have 80 users the other 20, but the combined total must be less than or equal to 100 users.

Syntax: list_max_users int

language_default

Default language for user web interface

If the user has not yet selected a language then this language is used as a default. If the language specified here does not exist in the language files, or nothing is specified here then English is used as the default language.

Syntax: language_default string

manager_email

Managers Email

This is the manager’s Email address for this domain.  When users register themselves, if you have set create_user to the ‘manager’ method, an Email will be sent to this Email address to await confirmation of the user creation.

Syntax: manager_email string

manager_username

Domain managers username (for web based domain administration)

Specifies the local users which have manager rights for this domain. These users can login to the user self management interface and will recieve special domain manager options. If you specify an account without the @domain part i.e. ‘admin’ it assumes admin@.

Syntax: manager_username string

manager_anyuser

Allow first domain admin to login to any users account

This setting has no further documentation currently available

Syntax: manager_anyuser bool

mailbox_path

Path to mailbox maildir (inbox) files

Specifies the root directory for users in this domain for their incoming mail messages and mail folders (for IMAP), maildir structure is used and hashing will also be applied so if you specify d:\spool, then ‘bob’s Email will appear in d:\spool\xx\yy\bob\mdir… where ‘xx’ and ‘yy’ are hashing numbers for that user. (Hashing is required to keep directory performance at a high level when you have millions of users). 

Syntax: mailbox_path string

legal_archive_disable

Disable legal archive for this domain (experimental)

This setting has no further documentation currently available

Syntax: legal_archive_disable bool

legal_archive_hide

Hide legal archive for this domain (experimental)

This setting has no further documentation currently available

Syntax: legal_archive_hide bool

legal_archive_keep

Days to keep legal archive, units=days unless you specify years or months

default is g_legal_archive_keep

Syntax: legal_archive_keep int

legal_archive_admin

Enable archive searching for domain admins

This setting has no further documentation currently available

Syntax: legal_archive_admin bool

old_pophost

Old pop host for pop intercept mode based migration

Specifies an old POP host that can be used when migrating users from an old mailserver to a new mailserver. This will create a local accounts with a identical username/passwords and retrieve all mail from the old server for the old account when the user logs into SurgeMail for the first time and they are not yet in the SurgeMail user database. Mail on the old server is deleted.

The use of old_pophost adds an additional check (based on partial rcpt delivery – see g_badfrom_check) to user account self creation to prevent user creating accounts that clash with existing accounts that have not been popped on SurgeMail. This means that the old server should only accept delivery to actual accounts or all user account self creation will be disabled.

Syntax: old_pophost string

old_pophost_always

Always attempt to suck mail on each login

Suck mail from old_pophost on each login (account information is not set at each login). This allows the user to be using the new mail server and still retrieve mail from the old server if mail is delivered there. This is useful in two cases:
1) if the user is already using SurgeMail but some mail is still delivered to the old server due to delays in MX record propagation.
2) To allow incremental migration. Some users can be using the SurgeMail and some users can be using the old server. Users still on the old server sending mail to users on SurgeMail would deliver to the old server. When a user on SurgeMail logs into SurgeMail any such mail is retrieved from the old server.

Note: This will obviously stop retrieving mail if the user changes their password in SurgeMail but not on the old server.

Syntax: old_pophost_always bool

old_pophost_createuser_disable

Disable user creation in database on login

If you have already got your user in your authentication database and do not wish to setup this setting can be used to prevent user creation upon first login to SurgeMail using POP.

Syntax: old_pophost_createuser_disable bool

old_pophost_nodomain

Strip domain when logging in to old_pophost

This can be used if you are migrating from a server that uses username only (without domain) logins.

Syntax: old_pophost_nodomain bool

old_pophost_nodelete

Leave mail on the old server

This setting will leave mail on the old server just in case there are problems with the migration. Note: the use of this setting will disable the use of old_pophost_always.

Syntax: old_pophost_nodelete bool

old_pophost_sep

Login separator

Seperater, default is ‘@’. e.g. some systems use %

Note: The old_pophost_iffirst and old_pophost_makeuser have now been replaced by the more consistent old_pophost_createuser_disable setting.

Syntax: old_pophost_sep string

old_pophost_bind

Bind outgoing connection during pop migration

This binds to the specified local port during a migration

Syntax: old_pophost_bind string

old_pophost_inbox

Use pop to migrate the inbox and maintain uidls

This skips the imap migration of the inbox, IF the user logs in via POP, and instead uses pop to migrate the inbox. This means it can maintain the uidl’s correctly

Syntax: old_pophost_inbox bool

old_pophost_nofetch

Disable fetching messages from pop host

Useful if you want to migrate the account user/password, but not the messages

Syntax: old_pophost_nofetch bool

old_inbox_both

Use pop & imap to migrate the inbox

This may create duplicates, you should only use it when the old server keeps the imap and pop inboxes as sepereate entities.

Syntax: old_inbox_both bool

old_imaphost

Intercept mode migration for IMAP folders servers

The old_pophost settings will create a local account and download many mail in your inbox. However in the event that your old server also was an IMAP server you will be able to migrate your stored message folders using the old_imaphost setting. This download is only ever attempted once and does so asynchronously. A 300MB mailbox with 15000 messages will would be expected to take around 20 minutes. While IMAP folders are bing downloaded the mailbox can already be used. Note: the mail on the old server gets deleted.

Upon IMAP login an old_pophost check is also performed if defined. This is specifically so that WebMail accessing SurgeMail using IMAP (recommended configuration) will allow the retrieval of mail from old POP servers.

Syntax: old_imaphost string

old_imaphost_always

Always attempt to suck mail on each IMAP login (slow)

This setting will force the download of mail and folders from the old server upon each IMAP login. Note: that this should only be used if specifically required as this will happen for example each time that a WebMail change made.

Note: This will obviously stop retrieving mail if the user changes their password in SurgeMail but not on the old server.

Syntax: old_imaphost_always bool

old_imaphost_createuser_disable

Disable user creation in database on login

If you have already got your users in your authentication database and do not wish to add new users logging in using intercept mode this setting can be used to prevent user creation upon first login to SurgeMail using POP.

Syntax: old_imaphost_createuser_disable bool

old_imaphost_nodomain

Strip domain when logging in to old_imaphost

This can be used if you are migrating from a server that uses username only (without domain) logins.

Syntax: old_imaphost_nodomain bool

old_imaphost_nodelete

Leave mail on the old server

This setting will leave mail on the old server just in case there are problems with the migration. Note: the use of this setting will disable the use of old_imaphost_always.

Syntax: old_imaphost_nodelete bool

old_imaphost_prefix

Mail prefix for old imap server when using old_imaphost

IMAP prefix for old imap server. eg. mail/.

Syntax: old_imaphost_prefix string

old_imaphost_file

Migration based on file

Specialist setting for one specific system, not for general use.

Syntax: old_imaphost_file string

old_imaphost_user

Migration based on file – user field

Specialist setting for one specific system, not for general use.

Syntax: old_imaphost_user string

old_imaphost_lowercase

Lowercase all migrated folders

Lowercase all migrated folders.

Syntax: old_imaphost_lowercase bool

old_imaphost_skip

Skip folders

Comma seperate wild card list of migrate folders to skip past.

Syntax: old_imaphost_skip string

old_imaphost_dom

Migration – Alternative domain on old server for login, also set fallback_domain.

This setting has no further documentation currently available

Syntax: old_imaphost_dom string

old_smtphost

Old smtp host

SMTP host to check for existing users (when creating new accounts).

Syntax: old_smtphost string

old_smtphost_skip

Skip old_smtphost checks for administrators

Who to skip old_smtphost checks for. Valid values are “admin” and “domadmin”.

Syntax: old_smtphost_skip string

old_xfile

Migration – Copy xfile data across

Only valid if the old server is also running surgemail. And requires old_pophost settings to work

Syntax: old_xfile bool

pop_welcome

Welcome message for POP/IMAP

This is the string displayed to the user when they connect to this domain before they login. The same string is also used in IMAP response. See also smtp_welcome. 

Syntax: pop_welcome string

pop_min_time

Min seconds between pop logins (see warning)

This setting confuses some clients, and results in the user having to login again. The error is not always shown to the end user by some dumb email clients

Syntax: pop_min_time int

prefix

Prefix for usernames in database

This prefix is used in the user database to distinguish these virtual domain users. This setting is for backward compatibility and not generally recommended. It is better to store user@domain.name in the userdatabase rather than just ‘username’. 

Syntax: prefix string

proxy_pop_nodomain

Strip domain when talking to proxy POP host

This setting causes the domain name to be stripped from user login names when talking to the proxy POP host. This does not apply to surgewall, see surgewall_options for details

Syntax: proxy_pop_nodomain bool

quota_default

Default Email quota for users

This setting allows you to limit disk usage of each user a setting of 100mb to 1000mb is typical.

Syntax: quota_default string

quota_domain

Total quota for the domain, e.g. 300mb, 2gig

Limits the total usage (used quota) for the entire domain. Note that the command tellmail quota_rebuild_domain domain.name may be used to reset these figures.

Syntax: quota_domain string

rcpt_msg

Response given for invalid recipient errors, message is prefixed by email address.

This setting has no further documentation currently available

Syntax: rcpt_msg string

redirect

Redirect Email to another account

This redirects mail from one user to another. The destination can be a full Email address with another domain name. 

Syntax: redirect was=string to=string

redirect_max

Limits the number of redirect rules

This setting applies a limit to the number of redirect rules which are allowed in this domain (only applies to domain admins)

Syntax: redirect_max int

redirect_cc

CC & Redirect Email to another account

This carbon copy redirects a message so the original user receives it as well as the new user you have specified. This is good for keeping a record of incoming emails for a particular account. 

Syntax: redirect_cc was=string to=string

redirect_hash

Share incoming message evenly between several accounts

The sharing is done based on a hash of the ‘from’ address so that the same ‘from’ address will always go to the same recipient, if windows specified then it is random after that many seconds

Syntax: redirect_hash was=string to=string window=int sequential=bool

msg_max_out

Max size of outgoing messages for smtp authenticated users

Sets the size of messages for this domain, as the email client may have already seen the value of g_msg_max or msg_max_in it may not help setting this value ‘larger’ than those other values. We do not recommend using this setting, it is best to choose a g_msg_max value that all domains can live with.

Syntax: msg_max_out int

msg_max_in

Max size of incoming messages for this domain.

Sets the size of messages for this domain, note that this may affect the ehlo response but only for ‘address’ based virtual domains, so you must ensure your g_msg_max setting is sufficiently large. Also since this figure may be shown before the msg_max_out value is determined you must also make it larger than the msg_max_out value. We don’t recommend using this setting unless it is totally necessary. It is better to choose a g_msg_max setting that all domains can live with.

Syntax: msg_max_in int

security_suffix

Suffix for smtp/imap/pop login

This setting stops the username matching the email address by requiring a different suffix for logging in, so user@xyz.mail.server instead of user@mail.server. This is like an alias for the domain that only works for logging in.

Syntax: security_suffix string

sent_store

Store users message in named folder automatically, e.g. Sent

This setting has no further documentation currently available

Syntax: sent_store string

smtp_auth_off

Disable SMTP AUTH from unknown ip addresses

This prevents a hacker sending out spam by cracking a users account details, users must login from an address specified in g_smtp_auth_ip or g_relay_allow_ip

Syntax: smtp_auth_off bool

smtp_welcome

Welcome message for SMTP

This is the string displayed to the user when they connect to this domain, before they login. See also pop_welcome 

Syntax: smtp_welcome string

smtp_welcome_name

SMTP welcome connection hostname

This setting has no further documentation currently available

Syntax: smtp_welcome_name string

smtp_from_ip

Require incoming email from matching ip

This is used to ensure all incoming email comes direct from a filter system and not from the internet, only authenticated email will bypass this (and g_spam_allow)

Syntax: smtp_from_ip string

spam_strip

Strip spam headers for this domain

Strip spamdetect headers for this domain. 

Syntax: spam_strip bool

spam_block

Default for this domain to block spf etc failures

This setting sets the default behavior for this domain, if g_spam_block is not set, then this setting can turn on blocking as the default for this entire domain. Individual users can still set their own settings to block or not block for spf.

Syntax: spam_block bool

spam_noblock

Disable spf blocking for this domain

This is the opposite of spam_block, this can be used if g_spam_block is true and you wish to disable spf blocking for one domain.

Syntax: spam_noblock bool

ssl_pop_domain

Domain to use for ssl certificates for POP and IMAP

If you have multiple aliases for this domain then this setting lets you choose which one to use for the SSL certificate

Syntax: ssl_pop_domain string

ssl_allow

IP Wild card list to allow SSL encryption from

This setting remove the capability so clients won’t attempt ssl, it is only really functional for ip based virtual domains

Syntax: ssl_allow string

ssl_require_login

Require ssl for this domain

This setting has no further documentation currently available

Syntax: ssl_require_login string

ssl_require_web

Require https for most web features (excluding blogs file sharing and surgeplus)

This setting has no further documentation currently available

Syntax: ssl_require_web bool

ssl_hsts

Send HSTS header to prevent accidental http access for this domain, also rejects self signed certificates

This setting has no further documentation currently available

Syntax: ssl_hsts bool

surgewall

gewall-surgewall-mailproxy-feature-version-1-4a-or-greater-required" >

This allows SurgeMail to be placed as a “filter” in front of an existing mailserver to apply friends rules, spam filtering and/or virus scanning. All you need to do is set this to the existing server address. POP3 will be routed through to the existing server and users can login to the SurgeMail web interface to configure their friends, spam and virus options eg:

surgewall “1.2.3.4”

This setting should be an IP address not an IP and port. Use surgewall_options if you need to specify non-standard ports or a different IP for POP, SMTP and/or IMAP. You may specify a comma seperated list of IP addresses. SurgeWall will connect to each in turn until it gets a successful login. To modify this behaviour see the proxy_failover option of the surgewall_options setting.

See here for more details.

Syntax: surgewall string

surgewall_auth

SurgeWall SMTP authentication

Defines the username and password to use for SMTP authentication when sending to SurgeWall’ed server.

Syntax: surgewall_auth user=string pass=string

surgewall_local_too

For web domain admin try local database too

Allows local user accounts to be created for domain admin

Syntax: surgewall_local_too bool

surgewall_options

SurgeWall miscellaneous options (Version 1.4c or greater required)

This setting controls the SurgeWall miscellaneous configuration options it has several parameters:

The POP, SMTP and IMAP options allow you to configure SurgeWall to connect to different IPs and/or ports for each interface that it proxies. So for example you can run SurgeWall on the same machine as the old mail server provided the old mail server is configured to run on non-standard ports. eg:

surgewall_options strip_domain=”TRUE” pop=”127.0.0.1:111″ smtp=”127.0.0.1:26″ imap=”127.0.0.1:144″

or perhaps you have the pop, smtp and imap components of the server running on several machines, eg.

surgewall_options strip_domain=”TRUE” pop=”1.2.3.4:111″ smtp=”2.3.4.5:26″ imap=”3.4.5.6:144″

You may specify several different IPs in a comma seperated list in the POP, SMTP and IMAP options if you do this SurgeWall will connect to each in turn until it gets a successful login. The same is true for the SurgeWall setting.

To modify this behaviour you can set proxy_failover to TRUE this causes SurgeWall to only use the next address if it fails to connect to the preceeding address, meaning it will use each server specified only if the previous server is not responding.

Syntax: surgewall_options strip_domain=bool proxy_failover=bool auth_local=bool pop=string smtp=string imap=string usercgi=string

surgewall_capa_local

Just return local imap capa response rather than remote

Note that it can only guess the right imap host if you are using ip based virtual domains.

Syntax: surgewall_capa_local bool

surgewall_saveusers

Save users in the local database as they login

This can be used with auth_local=true option to create the local accounts…

Syntax: surgewall_saveusers bool

suspend

Disable logins for entire domain

Use this where a domain is not being paid for and you want to suspend all users in the domain. This prevents users checking mail NOT users sending mail or other domains sending to this domain

Syntax: suspend bool

suspend_incoming

Disable delivery and give 450 retry message

Useful to temporarily disable a domain while moving it

Syntax: suspend_incoming bool

user_alias

Number of aliases accounts can create

This setting specifies the maximum number of account aliases an account in this domain is allowed to create. The format of these aliases is specified in the file specified by the g_user_alias_file setting.

Default is disabled (0) which disables the alias creation interface in the user.cgi pages.

Syntax: user_alias int

user_auto_pass

Auto create users with this password on message delivery

Exceedingly dangerous setting only intended for closed systems not open to internet! Accounts are created on message delivery if they don’t exist with the specified password. Broadsoft Extentsion account autoprovisioning (Broadsoft feature)

Syntax: user_auto_pass string

user_auto

Auto create users when a login attempt occurs

Exceedingly dangerous setting only intended for closed systems not open to internet! Accounts are created when someone tries to login via imap/pop etc… If the account already exists it is not modified unless it is currently set with the password defined in user_auto_pass (broadsoft feature)

Syntax: user_auto bool

user_auto_always

Auto create users when a login attempt occurs and always accept any password

Exceedingly dangerous setting only intended for closed systems not open to internet! Account is created and then allowed to login with any password (used in closed broadsoft setup)

Syntax: user_auto_always bool

user_sms

Enable users to setup SMS notifications

This setting allows users to setup an SMS notification of email whose subject matches the user defined keyword.

Syntax: user_sms bool

user_sms_quota

Number of sms messages per account

This setting allows you to configure either a quota or a ‘number of credits’ system for SMS messages. This setting has 2 parameters ‘initial’ and ‘period’.

If you set ‘period’ to 0 then ‘initial’ is the number of credits a user will begin with they are decremented when they send an SMS and not increased unless you increase them manually.

If you set ‘period’ to any value other than 0, then ‘initial’ is the users quota, which is re-set after the time period specified by ‘period’. Valid ‘period’ values are a number of hours, or suffix the value with d, w or y to indicate a number of days, weeks or years respectively, eg: 5w equals 5 weeks.

Syntax: user_sms_quota initial=int period=string

user_centipaid

see 

Specifies the various CentiPaid options a user is allowed to configure for themselves.

Syntax: user_centipaid string

user_max

Maximum user allowed in this domain

This setting specifies the maximum number of users in this domain. Domain admins and users are blocked from adding more users than specified in this setting. The admin can still add users.

Syntax: user_max int

user_status_send

How often to send user status messages (0 = never)

When the user enables friends then this setting will send them a regular report on what is pending and what filter rules have done. Files status_html.eml

Syntax: user_status_send int

user_send_max

ser@domain>

Reports the number of emails the user has sent in the last 24 hour period.

user_list_quota

Number of mailing lists users can create

This setting configures the number of mailing lists a user of this domain can create. See also g_user_list_quota which can set quota globally or by user group. Also the list_quota authent field can set quota per user.

Syntax: user_list_quota int

user_hide_security

Hide security logs from users

This setting has no further documentation currently available

Syntax: user_hide_security bool

user_report

Daily,Weekly,Monthly, emailed to manager

This setting has no further documentation currently available

Syntax: user_report string

url_host

Mail host A Record name (if different from MX Record name)

This name is used in URLs to this domain. It is important that the hostname specified here will resolve to this physical host running SurgeMail at all times.

It is used by WebMail in the email sent to user upon signup. The email sent to the manager when a user signs up and is the host passed to WebMail when auto-logging a user in. If your auto-logins are failing because of a “cannot connect error” then you may need to set this to the correct host.

Syntax: url_host string

ssl_alias

Alternate ssl host names, e.g. mail.xyz.com,pop.xyz.com,smtp.xyz.com

This setting has no further documentation currently available

Syntax: ssl_alias string

send_helo

Mail host A Record name used when sending helo to other servers – requires g_send_helo_from true

This is only used if g_send_helo_from is also true

Syntax: send_helo string

url_blogs

BLOGS host A Record name (if different from MX Record name – eg. blogs.mydomain.com)

This is used when generating the ‘view’ link, if you don’t specify a port (:nnn) then it will use the first webmail port by default, by default the url_host setting will be used, failing that the domain name is used

Syntax: url_blogs string

url_alias

Allows translation from one URL to another

Allows translation from one URL or beginning of a URL to another. eg:

url_alias from=”/cgi-bin/” to=”/scripts/”

will cause the URL http://localhost:7025/cgi-bin/fred.cgi to reference the same file as http://localhost:7025/scripts/fred.cgi would have, the fred.cgi in the SurgeMail ‘scripts’ directory. These settings are checked before the g_url_alias settings, the first matching rule is used, settings are checked in the order specified.

Syntax: url_alias from=string to=string ports=string

user_access_default

Default user features granted to users in this domain

This setting allows you to specify default access to certain SurgeMail features. It is specified in the same maner as the g_user_access settings ‘access’ parameter. eg:

user_access_default “all,!spam,!virus”

Syntax: user_access_default string

webmail_url

Url to the WebMail cgi

If WebMail is not in the default place and/or is not on the SurgeMail machine then this setting tells SurgeMail where it is so links to WebMail from SurgeMail function correctly.

Syntax: webmail_url string

webmail_urladd

Url data to append to WebMail auto-login link

This setting allows you to specify additional information and settings which are passed to WebMail when SurgeMail links to it. Example: Different colors to use for this domain.

Syntax: webmail_urladd string

webmail_workarea

Path to WebMail workarea

If WebMail is not installed in the default location on this SurgeMail machine this setting tells SurgeMail where to find it.

Syntax: webmail_workarea string

webmail_host

The IP address of the mail server

SurgeMail sets the imaphost/smtphost address in surgehost.ini for WebMail. First it checks for a virtual domain ip, then it checks for a specifically bound ip address in the imap/smtp port settings, if neither are specified it defaults to 127.0.0.1. The webmail_host will override this process and assign a value directly. You require this when using a Smart Router or Load Balancer, please read this.

Syntax: webmail_host string

web_path

Path to web admin pages

Path to web admin and user self management pages. This setting allows you to give each domain a different set of pages and thus a different look and feel. To enable this, copy the entire ‘web’ directory then set web_path to the path of the copied files. Lastly modify the copied files to have the new look and feel you desire.

Syntax: web_path string

web_url_path

Url to path translation with access specifier

This lets you set up aliases and translations of urls partly based on the access rights of the user.

Syntax: web_url_path url=string path=string access=string

web_access_ip

Restrict access to web ports based on ip

Specifies a list of ports and a wildcard list of valid ip addresses who can connect to those ports.

Syntax: web_access_ip ports=string ip=string

webdav_quota

Webdav quota per user in this domain, e.g. 100mb

Limits the webdav storage area for this user, default is the users email quota

Syntax: webdav_quota string

surgeweb_backend_server

Backend server to connect to

This specifies the backend machine where Surgeweb connects for email and to store user settings. Surgeweb will cache data here but store the master copy of anything on the backend machine.

Syntax: surgeweb_backend_server string

surgeweb_backend_smtp

Backend smtp access (if non default)

per default connects to 127.0.0.1:25

Syntax: surgeweb_backend_smtp string

surgeweb_backend_web

Backend web access – for usercgi /surgeplus (if non default)

If no backendserver specified is ‘/’, default with backend is ‘http://backend_server/’. For non default port / machine specify say: ‘server.name:7080’

Syntax: surgeweb_backend_web string

surgeweb_custom

Surgeweb customisation level

This setting has no further documentation currently available

Syntax: surgeweb_custom string

xfile_url

Url to xfile files (see surgeplus utility)

Use to override the url that users are told they can access their shared SurgePlus files at via a web browser. The default location is on the port specified by the webmail_port setting.

Syntax: xfile_url string

Example: https://your.domain.name:7443

disable_surgeplus

Disable SurgePlus Calendar and File Sharing client

Disable users from logging in using the SurgePlus Calendar and File Sharing client. See SurgePlus

Syntax: disable_surgeplus bool

surgeplus_pop_server_name

Default POP server for SurgePlus clients

New installs of the SurgePlus client will be automatically configured to use this specified POP server. If you don’t specify a value for this setting, then the POP server will default to what you have specified by the url_host setting, or the domain name if you don’t specify a url_host setting. You will need to do a ‘tellmail surgeplus rebuild’ command after changing this setting and if you are downloading the new build via your web browser be aware that web browsers sometimes cache the old download.

Syntax: surgeplus_pop_server_name string

Example: pop.your.domain.name

surgeplus_smtp_server_name

Default SMTP server for SurgePlus clients

New installs of the SurgePlus client will be automatically configured to use this specified SMTP server. If you don’t specify a value for this setting, then the POP server will default to what you have specified by the url_host setting, or the domain name if you don’t specify a url_host setting. You will need to do a ‘tellmail surgeplus rebuild’ command after changing this setting and if you are downloading the new build via your web browser be aware that web browsers sometimes cache the old download.

Syntax: surgeplus_smtp_server_name string

Example: pop.your.domain.name

The post All Domain Settings appeared first on SurgeMail.

Access groups

Access rules defining groups of IP addresses with certain POP, IMAP and SMTP privileges. When a user is authenticated access is checked against group membership defined in the “mailaccess” field in the authentication database. See accounts for more information.

eg. this could allow you to charge webmail users for pop access privileges:
g_access_group group=paid_user access_pop=* access_imap=* access_smtp=* 
g_access_group group=free_user access_pop=webmail.svr.ip access_imap=webmail.svr.ip access_smtp=webmail.svr.ip 

with “Access type” set to “free_user” on accounts page or equivalently in nwauth authentication database:
marijn@mydomain.com:{ssha}tVANQo…:created=”1060034937″ mailaccess=”free_user” …

To prevent webmail access for some users you would do this:

g_access_group_default “normal”
g_access_group group=”normal” access_pop=”*” access_imap=*” access_smtp=”*”
g_access_group group=”nowebmail” access_pop=”*,!webmail.ip” access_imap=”*,!webmail.ip” access_smtp=”*”

And put the users you want to limit in a group called ‘nowebmail’ e.g.

lookup fred@domain
+OK fred@domaing config 0 mailaccess=”nowebmail”

Syntax: g_access_group group=string access_pop=string access_imap=string access_smtp=string access_incoming=string

g_access_group_default

Access group defaults

Access group defaults for users with no access groups set. (must be used in conjunction with g_access_group)

Syntax: g_access_group_default string

g_access_webonly

Users in this group can only use web not imap or pop

This setting has no further documentation currently available

Syntax: g_access_webonly string

g_access_surgeweb

Apply g_access_group rules to surgeweb sessions based on client’s address

This setting has no further documentation currently available

Syntax: g_access_surgeweb bool

g_acctlog_sum_inactive

Summarise local accounts that have not logged in yet as not_loggedin_yet@domain.com

This setting has no further documentation currently available

Syntax: g_acctlog_sum_inactive bool

g_admin_readonly

System admins with readonly access to the management interface

This setting has no further documentation currently available

Syntax: g_admin_readonly string

g_admin_ip

Admin IP access

Mask of valid IP addresses for admin users (default *), this is a security setting you can use to restrict remote web admin access to trusted IP addresses. One is always allowed to use manage SurgeMail using 127.0.0.1 regardless of whether this is explicitly specified.

eg. To restrict to local network as per net mask
g_admin_ip “10.0.0.*,10.1.2.*” 

Syntax: g_admin_ip string

g_admin_localhost

Allow localhost web admin without user/pass

Allows a localhost connection to access the web admin port without using the administrator username / password. This is good if you keep forgetting the admin password like I do.

Syntax: g_admin_localhost bool

g_admin_guesses

Number of guesses allowed for admin.

Syntax: g_admin_guesses “number”

This sets the number of guesses allowed for the admin username/password. Once this has been reached the ip is banned.

Syntax: g_admin_guesses int

g_alias_login_disable

Disable user login as alias

Stops the user login to pop or imap as the alias account

Syntax: g_alias_login_disable bool

g_apple_bug1

Apple bug allow content-length headers

This setting has no further documentation currently available

Syntax: g_apple_bug1 bool

g_apple_bug2

Apple bug2 don’t try and return bad if looping

This setting has no further documentation currently available

Syntax: g_apple_bug2 bool

g_archive

rchive-on-delete-off-disables-archive-and-instead-deletes-the-files-immediately" >

Purged monthly or by tellmail purge_deleted_users

Syntax: g_archive_on_delete_off bool

g_archive_tcpip

Rules for TCPIP archive process

Contact netwin for more details of this mechanism if you wish to use it.

Syntax: g_archive_tcpip to=string from=string path=string dom=string

g_archive_tcpip_host

Host to send archive data too

When using an archive server this defines the host that is running the archive server. Contact netwin if you need more info on this feature.

Syntax: g_archive_tcpip_host string

g_archive_bucketsize

Size for archive bucket files. Default is 1mb

Sets the size of the archive buckets used by the circular archives. If set too large then editing the buckets manually is awkward.

Syntax: g_archive_bucketsize int

g_archive_early

Apply all archive rules before content filtering is applied (obsolete)

This will apply the archive rules before content filtering is applied. This can be user to capture the source message if it is getting stored or bounced unnecessarily by any of the SurgeMail filters. The early flag on individual archive rules should be used instead of this setting.

Syntax: g_archive_early bool

g_archive_on_delete_off

Disables archive and instead deletes the files immediately

Purged monthly or by tellmail purge_deleted_users

Syntax: g_archive_on_delete_off bool

g_archive_on_delete_dir

Directory to archive user files to on delete

Directory to archive deleted users files to. Defaults to ‘archive_deleted’ in the SurgeMail installation folder.

Syntax: g_archive_on_delete_dir string

g_archive_files

Archive attachments to a directory

Each message to the named account will have it’s attachments removed and placed in the named directory. The path can contain the symbols $month$ $year$ $day$ $second$. The ‘second’ is only within this day. Together these variables can be used to ensure a unique path is used for each file if the names might conflict. Use g_redirect_cc to archive email going to an existing account because if you set ‘to’ equal to a real account then the real account will stop receiving messages!

Syntax: g_archive_files path=string to=string files=string

g_atrest_all

Auto encrypt all msgs when users next login

This setting has no further documentation currently available

Syntax: g_atrest_all bool

g_atrest_enable

At rest encryption. Unwise usually!

This setting has no further documentation currently available

Syntax: g_atrest_enable bool

g_atrest_crazy

No recovery admin password needed

This setting has no further documentation currently available

Syntax: g_atrest_crazy bool

g_atrest_api

Enabe api for enabling atrest encryption – not needed

This setting has no further documentation currently available

Syntax: g_atrest_api bool

g_attach_convert

Process matching attachments with specified command. Passed two files names

This setting has no further documentation currently available

Syntax: g_attach_convert to=string from=string subject=string files=string output=string command=str

g_atrn_server

On Demand Mail Relay settings to define user/pass for clients to fetch mail

This allows a client on a dynamic IP to connect and request mail for a specific domain after authenticating by using the ATRN command. Typically this is done on the special port 366

Syntax: g_atrn_server domain=string user=string pass=string

g_atrn_client

Define a rule for fetching email using ATRN protocol

This is the setting for clients to define to fetch mail from an upstream server. Typically this is done on the special port 366, to specify another port use host:port in the host setting. E.g. host=”smtp.upstream.com:25″

Syntax: g_atrn_client domain=string user=string pass=string host=string

g_atrn_port

Port to listen for ‘atrn’ (On Demand Relay) requests

See g_atrn_server for more details, the default is port 366, atrn is not obeyed on port 25

Syntax: g_atrn_port string

g_assume_created_epoch

If user has no ‘created’ field assume they were created an arbitrarily large time in the past

This setting effect the g_disable_smtp_after and g_delete_user_after settings which, by default, ignore users who have not logged in and have no created field.

Syntax: g_assume_created_epoch bool

g_backtrace_disable

Backtrace Disable

Disable backtrace information for unix systems.

Syntax: g_backtrace_disable bool

g_bad_login_mins

Minutes to block login for, if consecutive bad ones received

Minutes to block login for, if consecutive g_badlogin_allow or g_badlogin_ip_allow bad logins received=.

Syntax: g_bad_login_mins int

g_bad_login_allow

Number of consecutive bad logins for a user before blocking that user

Number of consecutive bad logins for a user before blocking that user.

Syntax: g_bad_login_allow int

g_bad_login_ip_allow

Number of bad logins from an IP before blocking that IP

Number of bad logins from a single IP before blocking that IP.

Syntax: g_bad_login_ip_allow int

g_bad_login_ip_ignore

IP address(es) to allow any number of bad logins from

Use for webmail system or other local gateway to stop bad login counter from locking out all users.

Syntax: g_bad_login_ip_ignore string

g_bad_login_dumb

Give login failures even if known address

This disables the smart feature so this setting will probably catch real users

Syntax: g_bad_login_dumb bool

g_bad_login_lockout

Lockout addresses permenantly – use if DOS attack

This can reduce load during DOS attack.

Syntax: g_bad_login_lockout bool

g_bank_url

URL to charge a credit card (experimental)

This allows automated monthly charging of users

Syntax: g_bank_url string

g_bank_user

Username for authenticated web request to banks system

See g_bank_url for details

Syntax: g_bank_user string

g_bank_pass

Password for authenticated web request to banks system

See g_bank_url for details

Syntax: g_bank_pass string

g_bank_ok

Find this in response, if found then charge was successful

See g_bank_url for details

Syntax: g_bank_ok string

g_bank_reason

This line is returned to user if it is found

See g_bank_url for details

Syntax: g_bank_reason string

g_bank_log

Log lines matching this in response.

See g_bank_url for details

Syntax: g_bank_log string

g_bank_debug

Log request to bank server

Use when trying to debug the g_bank_url post/response

Syntax: g_bank_debug bool

g_bank_group

Create price groups with descriptions

See g_bank_url for details

Syntax: g_bank_group group=string price=string desc=string

g_block_wild

Block wildcards in usernames

Block the ‘*’ wildcard character in usernames.

Syntax: g_block_wild bool

g_body_filter

Enable user email body filtering

Allows the user to configure filters which filter the body of incoming messages

Syntax: g_body_filter bool

g_broad_url

URL to this server

Customer specific feature

Syntax: g_broad_url string

g_broad_server

URL to BroadSoft server

Customer specific feature

Syntax: g_broad_server string

g_broad_user

BroadSoft user

Customer specific feature

Syntax: g_broad_user string

g_broad_pass

BroadSoft pass

Customer specific feature

Syntax: g_broad_pass string

g_broad_port

BroadSoft port

Customer specific feature

Syntax: g_broad_port string

g_broad_noadd

Disable buttons on message

Disables the added buttons for voice messages

Syntax: g_broad_noadd bool

g_bull_rule

Post bulletins to this domain

Senders must be authenticated user that matches the sender, domain can be blank to send to all domains, the to field is the address you will send posts to, typically something like: bulletins@your.domain.name

Syntax: g_bull_rule to=string domain=string sender=string

g_no_bull

Special accounts that should not get bulletins

This setting has no further documentation currently available

Syntax: g_no_bull string

g_calendar_version

CalDAV / SabreDAV calendaring configuration version number

This setting has no further documentation currently available

Syntax: g_calendar_version int

g_comment

Management notes and comments about the server

This is a dummy setting that lets you store information in the ini file that will survive setting changes from the web admin tool.

Syntax: g_comment date=string name=string comment=string

g_centipaid

see 

Authentication server and port for CentiPaid.

Syntax: g_centipaid string

g_country_ip

Tag messages with country of origin

Downloads a ip to country database and then adds a header based on that to each message to show where it came from. This file iptocountry2.csv.enc should appear in your surgemail home directory after enabling this setting (restart surgemail too), if the file doesn’t appear you can download it via http://updates.netwinsite.com/updates/iptocountry2.csv.enc , tellmail aspam_update may trigger the download!

Syntax: g_country_ip bool

g_country_login

List of countries to allow logins from, 2 letter codes

Make sure g_country_ip is enabled

Be aware that country based rules are only 99% reliable as the database for converting ip addresses to countries is never perfect

Syntax: g_country_login string

g_country_allow

user@domain list to bypass country_login rule

This setting has no further documentation currently available

Syntax: g_country_allow string

g_country_allowip

Ip addresses to bypass country_login rule

This setting has no further documentation currently available

Syntax: g_country_allowip string

g_cpu_slow

Email warning if no cpu for this many seconds

Default is 10 seconds, helps detect system lockups and alert the manager

Syntax: g_cpu_slow int

g_create_apply

List of user groups to apply create_* settings for.

This setting allows you to apply create_* settings to domain admin accounts. Specify g_access_group names and domain admins in these groups will have create_* settings applied to them when adding users in the domain admin interface.

Syntax: g_create_apply string

g_create_apply_admin

Apply allow* rules to the administrator

Without this setting the admin can create usernames that contain any characters pretty much

Syntax: g_create_apply_admin bool

g_create_allow

List of characters allowed in usernames/passwords

Defaults to A-Za-z0-9\-_. meaning usernames/password may contain letters, numbers, -, _ and . and nothing else.

Syntax: g_create_allow string

g_create_cleanup

Cleanup existing data before adding a user

This causes a delete to be actioned for a user before/as they are created. This ensures the new user does not end up with any files, on any mailing lists, with any aliases etc from a previous user of the same name/address. If you delete users from the authent database directly i.e. not using the surgemail web admin or calling ‘tellmail delete_user’ then this setting will cleanup the users files when their address is re-used.

Syntax: g_create_cleanup bool

g_create_allow_pass

List of characters allowed in passwords

Settting overriding g_create_allow just for passwords.

Syntax: g_create_allow_pass string

g_create_strict

Whether to apply strict rules to usernames/passwords

Checking this causes surgemail to check passwords do not contain words longer than 4 characters from g_create_dictionary as well as requiring the password to be 6+ characters, and usernames/passwords to contain more than 1 character.

Syntax: g_create_strict bool

g_create_pass_digit

Require one digit and letter in a password

This setting has no further documentation currently available

Syntax: g_create_pass_digit bool

g_create_pass_recheck

Recheck passwords during login and warn user if g_hack_touser is true

This setting has no further documentation currently available

Syntax: g_create_pass_recheck bool

g_create_pass_recheck_text

Added to end of recheck email to give users a url to a help page

This setting has no further documentation currently available

Syntax: g_create_pass_recheck_text string

g_create_strict_admin

Enforce strict rules for admins too, set g_create_strict AS WELL!!

This setting has no further documentation currently available

Syntax: g_create_strict_admin bool

g_create_dictionary

File containing dictionary words to compare passwords to

Text file containing one word per line, passwords are compared to all words longer than 4 characters in this file, if a username or password contains a word in this file it is not allowed. Only takes effect if g_create_strict is checked.

Syntax: g_create_dictionary string

g_create_badnames

List of illegal usernames

Comma separated list of illegal usernames, may contain wild cards, if username contains part of a non-wild card or matches a wildcard it is disallowed.

Syntax: g_create_badnames string

g_create_record_ip

Causes surgemail to store ipnum in the authent database

This setting has no further documentation currently available

Syntax: g_create_record_ip bool

g_create_user_length

Limit the length of usernames

This is applied during user self creation. Set admin to true to restrict the domain and global admin also.

Syntax: g_create_user_length min=int max=int admin=bool

g_create_pass_length

Limit the length of user passwords

This is applied during user self creation and when users change passwords. Set admin to true to restrict the domain and global admin also.

Syntax: g_create_pass_length min=int max=int admin=bool

g_create_pass_slack

Slacken restrictions on trivial password creation

Useful sometimes for provisioning, allows username=password

Syntax: g_create_pass_slack bool

g_create_pass_mixed

Require mixed case passwords

Require mixed case passwords

Syntax: g_create_pass_mixed bool

g_create_pass_special

Require special character, e.g. !@#$%^&*(){}[];:?><.,

Require a special character

Syntax: g_create_pass_special bool

g_create_pass_notuser

Ban password containing username

Ban password if it conains the username

Syntax: g_create_pass_notuser bool

g_pass_force

Force user to reset password if admin changes it

Makes the user change the password on the next login to user.cgi or surgeweb

Syntax: g_pass_force bool

g_pass_twofactor

factor-life-session-life-in-minutes-dflt-4-hours" >

Allow users to enable two factor authentication.

Syntax: g_pass_twofactor_life int

g_pass_twofactor_life

Session life in minutes, dflt 4 hours

Allow users to enable two factor authentication.

Syntax: g_pass_twofactor_life int

g_pass_twofactor_merged

Require +code for imap/pop logins sometimes

Requires merged login.

Syntax: g_pass_twofactor_merged bool

g_recover_noquestions

Remove question based password recovery system

This setting has no further documentation currently available

Syntax: g_recover_noquestions bool

g_recover_reminder

Send users reminder email monthly until they set a recovery email address

This setting has no further documentation currently available

Syntax: g_recover_reminder bool

g_disable_smtp_after

Number of days an account can remain unread before delivery is disabled

DO NOT USE THIS SETTING IN A MIRROR/CLUSTER SETUP

Number of days an account can remain unread before delivery is disabled. 

Syntax: g_disable_smtp_after int

g_disable_skip

Ip address of senders to accept email from even if user account is disabled due to g_disable_smtp_after

Useful to ensure delivery for important company notices

Syntax: g_disable_skip string

g_disable_exclude

Field and value that excludes an account from g_disable_smtp_after

If the authent response includes this field/value pair then the user account will not be disabled from receiving messages

Syntax: g_disable_exclude field=string value=string

Example: field=”noexpire” value=”true”

g_delete_user_after

Number of days an account can remain unread before it is deleted

Number of days an account can remain unread before it is deleted. This setting cannot be used on an authent_domain FALSE domain unless it has a prefix setting.

e.g.
DELETE_USER_AFTER “30”
Then issue the command:
tellmail expire_accounts
Then examine users_delete.rec to see it is a valid list of old accounts, then use:
tellmail delete_user FILE users_delete.rec

To actually delete the accounts.

Syntax: g_delete_user_after int

g_delete_user_mode

What to do when an account is unread

You can set this to “file” or “suspend”. “file” causes accounts to be written to the users_delete.rec file, which you can action by running “tellmail delete_user FILE” or “tellmail delete_user FILE users_delete.rec” (optionally specify the file). “suspend” causes accounts to be suspend, it does this by setting the field and value specified in the g_delete_user_suspend setting.

If this setting is blank the default is to use ‘file’ mode, accounts are NEVER deleted automatically except in the very oldest versions of surgemail (before version 3)

Syntax: g_delete_user_mode string

g_delete_user_suspend

If suspending an unread account set this field/value

Set the field and value to use when suspending an account due to g_delete_user_after and the g_delete_user_mode “suspend” settings.

Example: Disable accounts after 1 year 
       g_delete_user_after "365"
       g_delete_user_mode "suspend"
       g_delete_user_suspend field="mailstatus" value="closed"

Syntax: g_delete_user_suspend field=string value=string

g_delete_exclude

Field and value that excludes an account from g_delete_user_after

If the authent response includes this field/value pair then the user account will not expire

Syntax: g_delete_exclude field=string value=string

Example: field=”noexpire” value=”true”

g_diskio_abort

Shutdown if diskIO failure on queue files

Intended to make server die rather than to pretend to keep running when a major disk fault has occurred

Syntax: g_diskio_abort bool

g_disk_debug

Log slow disk access n

This setting has no further documentation currently available

Syntax: g_disk_debug bool

g_disk_warning

Give manager warning if disk % exceeded, default 95%

This setting has no further documentation currently available

Syntax: g_disk_warning string

g_dns_paranoid

Compare sender forward and reverse dns lookup and see if they match

Does a forward DNS lookup on the sender’s domain and matches this with a reverse lookup of the senders IP address. If these do not match the message is either bounced or stamped with the header “X-DNS-Paranoid: <explanation>”. Valid values for this field are “STAMP”,”RETRY” and “REJECT”.

STAMP = Add the X-DNS-Paranoid header if it fails

RETRY = Bounce the message with a 450 error. (so if the failure was temporary the sending server will retry)

REJECT = Bounce the message with a 550 error

Set g_dns_lookup_msg or g_dns_match_msg to define the reject/stamp strings respectively.

g_dns_match_msg

Message for stamp or bounce if forward and reverse lookup don’t match

The message given to the user when the forwar/reverse dns lookup doesn’t match

Syntax: g_dns_match_msg string

Example: “Sorry your ip address doesn’t translate into a name that translates into your ip address”

g_dns_noptr

Set to reject or retry, for ip addresses with no reverse dns entry (rdns)

If the ip number of a connecting user has no associated name in the reverse dns database then the connection is rejected or told to retry later.

Syntax: g_dns_noptr string

Example: “retry”

g_dns_noptr_skip

Skip RDNS for these ip addresses

This is an over-ride for local addresses which you trust.

Syntax: g_dns_noptr_skip string

Example: “retry”

g_dns_noptr_msg

Message for stamp or bounce if DNS lookup fails on ip address

See short description.

Syntax: g_dns_noptr_msg string

g_dns_nocache

Disables DNS cache for spf lookups (20 minute life)

This setting disables the small cache used for SPF lookups to improve performance.

Syntax: g_dns_nocache bool

g_dns_disk

Enables DNS disk cache

Not normally needed unless dns server is flakey…

Syntax: g_dns_disk bool

g_dns_cache_size

Set size of forward dns cache, default 7000

Best not to change this normally

Syntax: g_dns_cache_size int

g_dns_system

Use system code to do reverse lookups

If all channels hang in a state ‘lookup’ then turn this off so it will use the surgemail code for reverse dns lookups. This setting used to be g_dns_lookup and had the opposite meaning, we reversed it because the system dns code was faulty so often

Syntax: g_dns_system bool

g_dns_threaded

Enable threaded dns lookups

This setting has no further documentation currently available

Syntax: g_dns_threaded bool

g_dns_test_blank

Break dns lookups to test how it’s handled

This setting has no further documentation currently available

Syntax: g_dns_test_blank bool

g_dotstuff_fix

Convert the way mail is stored on disk from dotstuffed to non dot stuffed (beta)

In the dotstuffed format any attachments that have content (in encoded format) starting with a . get corrupted, as all single ‘.’ characters at the start of a line are converted to ‘..’. This is only very seldomly an issue as encoded text doesn’t usually have . characters. This feature can only be enabled and still need furhter production level testing to make sure there are no side effects… so if you play with it consider yourself adequately warned

Syntax: g_dotstuff_fix bool

g_domain_create_auto

Auto create domain if it doesn’t exist when creating a user

This setting has no further documentation currently available

Syntax: g_domain_create_auto bool

g_domain_create_route

Auto create route to mx mail server

This setting has no further documentation currently available

Syntax: g_domain_create_route bool

g_encrypt_disable

Disable encryption

Disable encryption mechanism

Syntax: g_encrypt_disable bool

g_encrypt_config

Encrypt some config settings (passwords)

This can be used if naked passwords in the config are a problem. This setting currently applies to g_gateway, and may apply to others in future. You must manually copy the file config.key from master to slave.

Syntax: g_encrypt_config bool

g_encrypt_path

Path to encrypted files, this is not supported when mirroring!

DO NOT USE

Syntax: g_encrypt_path string

g_encrypt_ssl_force

Require ssl on incoming encrypted messages

When a message is going to be encrypted this setting ensures it is sent from the user to the server via SSL

Syntax: g_encrypt_ssl_force bool

g_encrypt_ssl_noforce

Exceptions, e.g. surgeweb or localhost

When a message is going to be encrypted this setting ensures it is sent from the user to the server via SSL

Syntax: g_encrypt_ssl_noforce string

g_encrypt_expire

Days to keep encrypted messages, default 60

When a message is sent via encryption it is deleted after this many days

Syntax: g_encrypt_expire int

g_encrypt_inline

Use INLINE method by default

Sets the default encryption method when a rule does not apply

Syntax: g_encrypt_inline bool

g_encrypt_reply_plain

Send plain message for local replies

By default a reply to a local user is also encrypted this makes it not encrypt the reply as user should be reading the message via SSL so the data is secure anyway.

Syntax: g_encrypt_reply_plain bool

g_encrypt_pw_key

Central host password key

DO NOT USE

Syntax: g_encrypt_pw_key string

g_encrypt_pw_host

Central host for encryption password storage

DO NOT USE

Syntax: g_encrypt_pw_host string

g_encrypt_surgeweb_show

Show SurgeVault in SurgeWeb

Enables the display of surgevault encryption in the surgeweb interface (can be modified using encrypt_hide on surgeweb customisation page)

Syntax: g_encrypt_surgeweb_show bool

g_encrypt_max

Max encrypted per day server wide

Server wide limit to prevent abuse (or accidental over use)

Syntax: g_encrypt_max int

g_encrypt_none

Don’t encrypt if subject starts with this

Only significant if the setting to lock all messages is enabled.

Syntax: g_encrypt_none string

g_encrypt_noip

Don’t encrypt if from this ip range

Only significant if the setting to lock all messages is enabled.

Syntax: g_encrypt_noip string

g_encrypt_nofwd

Don’t encrypt forwarded

Known fault, this affects all recipeients, not generally good to use

Syntax: g_encrypt_nofwd bool

g_encrypt_nowater

Show this if no water mark defined yet

e.g. No watermark defined, please complete this form

Syntax: g_encrypt_nowater string

g_encrypt_limit

Max encrypted msgs per user per hour

Per user limit

Syntax: g_encrypt_limit int

g_encrypt_reset_safe

When users password is reset, delete all messages to them

This setting increases security and should be used if your server allows public account registrations.

Syntax: g_encrypt_reset_safe bool

g_encrypt_reset_user

Msg to person when they click on reset password button

The sender has been emailed a link they can use to reset your password

Syntax: g_encrypt_reset_user string

g_encrypt_reset_msg

Msg Body sent when password has been reset

Message body sent to end user when password is reset

Syntax: g_encrypt_reset_msg string

g_encrypt_reset_sender

Msg Body sent to sender when password reset requested

Message body sent to sender password reset is requested

Syntax: g_encrypt_reset_sender string

g_encrypt_rule

Matches will be encrypted when sent

If this rule matches then the message will be encrypted before it is sent to the user. method=server or inline, we recommend ‘server’ mode as it’s much simpler.

Syntax: g_encrypt_rule header=string contains=string from=string to=string noconfirm=bool method=string

g_encrypt_unlock

Unlock for these destinations. e.g. user@domain

Not for general use

Syntax: g_encrypt_unlock string

g_encrypt_reminders

Days before we send users a reminder to change passwords, not recommended

Not for general use, keywords (expire password reminder)

Syntax: g_encrypt_reminders int

g_encrypt_smart

Smart Encrypt Private Feature (not available)

Encrypt all messages except g_encrypt_unlock and surgeweb defined addresses – this feature not generally available till 9/March/2013, encrypt_smart per domain must also be turned on.

Syntax: g_encrypt_smart bool

g_encrypt_nodomain

Allow encryption for users without local domains

This lets you create accounts for domains that don’t exist, these users can then send encrypted messages.

Syntax: g_encrypt_nodomain bool

g_encrypt_nolate

Disable encryption on late forwarding

If default encrpting is enabled then you might need this setting to stop it for late forwarding.

Syntax: g_encrypt_nolate bool

g_encrypt_wall

Encrypt surgewall msgs

Normally surgewall skips encryption

Syntax: g_encrypt_wall bool

g_enotify_from

From address to use in email notification messages

This setting has no further documentation currently available

Syntax: g_enotify_from string

g_error_xlate

Change error messages

If wild card string matches smtp response code, then replace with ‘to’ response code, use %1 to replace the first wild card match etc…

Syntax: g_error_xlate was=string to=string

g_expire_trash

Expire any messages found in trash folders

Expires any messages more than 7 days old found in the ‘trash’ folder.

Syntax: g_expire_trash bool

g_expire_silent

Don’t send users emails telling them what was expired.

Some users get upset when they find messages have expired, this setting makes the expiration silent so the users don’t even notice. I think this is a bit nuts myself but some admins prefer it

Syntax: g_expire_silent bool

g_expire_every

Only expire spool once every ‘n’ days

Reduce load spent expiring old messages.

Syntax: g_expire_every int

g_expire_warning

Give warning ‘n’ days before deleting each file

This will help warn users before a file is actually deleted.

Syntax: g_expire_warning int

g_expire_onlyunread

For the inbox only expire message if they are unread

Useful if you only want to expire message the user never read

Syntax: g_expire_onlyunread bool

g_expire_all_rules

Scan all users for rule files (not needed usually)

Used if rule files added manually

Syntax: g_expire_all_rules bool

g_fallback

Fallback address

Default address for all local domains. If a local delivery is not to any valid user Emails will be delivered to this address. There is also a per domain default. 

We want to stress that this is a dangerous setting, you use at your own peril.
Spammers will turn up to your server and test sending to accounts, they will just run through a dictionary of names, with a fallback setting you will be telling the spammer that all these accounts exist. The spammer will then deliver spam to these addresses in volumes that can cripple a server almost.

Syntax: g_fallback string

g_fast_time_off

Disable faster time function

This setting has no further documentation currently available

Syntax: g_fast_time_off bool

g_from_valid

Require an @ and dotted domain in all return addresses

This forces the sender to either give ‘no’ reply address or a valid one with an @ and a dotted domain

Syntax: g_from_valid bool

g_to_valid

Require an @ and dotted domain in all dest addresses

This forces all destination addresses to contain a domain name (breaks cron job emails on unix)

Syntax: g_to_valid bool

g_from_header

From header used in delivery bounces

From header used in delivery bounces.

Syntax: g_from_header string

g_from_must_exist

Require local from addresses to exist or reject mail

Can be useful in blocking dumb spam robots

Syntax: g_from_must_exist bool

g_from_rewrite

Rewrite from envelope for outgoing email, e.g. *@this.domain -> %1@another.domain

This lets you change the ‘from’ address from an internal domain name to a valid public domain name. The change is performed on the From envelope (return path), not the from header. And the chanage does not affect the return path written in local deliveries, only outgoing email. Mfilter rules can be used to rewrite the actual message headers.

Syntax: g_from_rewrite was=string to=string

g_from_rewrite_header

Rewrite the from header as well

Replaces the From: header in the mesage with the new address.

Syntax: g_from_rewrite_header bool

g_from_rewrite_sender

Rewrite the sender header as well

Replaces the Sender: header in the mesage with the new address.

Syntax: g_from_rewrite_sender bool

g_from_force

From address for all sent messages

Used when you want to make all messages use the same valid bounce address, reply-to header will contain original from if it doesn’t exist

Syntax: g_from_force string

g_from_list_too

Also enforce from rules from lists

Doesn’t allow lists to bypass forge rules

Syntax: g_from_list_too bool

g_forward_illegal

Prevents users setting forward rules to certain addresses

Syntax: g_forward_illegal to=”address” apply=”user type “

This setting allows you to specify some addresses as being illegal for certain users. This stops users setting up forwarding rules to these addresses. They can still send mail to these addresses manually with their email client. These rules _ONLY_ apply to non local domains.

Some examples:

If you want to stop your users setting up forward rules that redirect to aol.com.
g_forward_illegal to=”*@aol.com” apply=”user”

If you want to stop your users setting a forward to all domains except aol.com
g_forward_illegal to=”*,!*@aol.com” apply=”user”

Stop domain admins sending to aol.com
g_forward_illegal to=”*@aol.com” apply=”domadmin”

Stop admins sending to netwinsite.com
g_forward_illegal to=”*@netwinsite.com” apply=”admin”

Syntax: g_forward_illegal to=string apply=string

g_forward_attach

When late forwarding send as attachment to these domains

Useful with hotmail.com, aol.com etc so that forwarded messages are not mistaken for spam

Syntax: g_forward_attach string

g_forward_fixfrom

When late forwarding rewrite from/return path as local user

This prevents problems with spf/identity checking as the forwarded message is sent with valid from and return path

Syntax: g_forward_fixfrom bool

g_forward_oops

Internal testing setting, not for general use sorry

Testing setting, please do not use.

Syntax: g_forward_oops string

g_about_disable

Disable about web page

This setting has no further documentation currently available

Syntax: g_about_disable bool

g_admin_access

Allow / Restrict domain admin access to features based on 

g_admin_access group=”wildcard” access=”list”

This setting matches the g_access_group the admin is in to the wildcard specified and applies the specified access list to that domain admin, giving / restricting thier access to certain features. The list may include any of the following:

In addition you can prefix any of the above with ! to deny access. There are two other special case values, “all” and “none” which mean exactly what they say, access to “all” or “none” of the features.

Example:

g_admin_access group=”simple” access=”all,!users,!reports”

The above setting gives admins in the ‘simple’ group access to all the features except the users and reports features.

Syntax: g_admin_access group=string access=string

g_admin_access_default

Default features granted to domain admins

This setting is a default access list for all domain admins on the server, it is specified in the same maner as the g_admin_access settings ‘access’ parameter. eg:

g_user_access_default “all,!users,!reports”

Syntax: g_admin_access_default string

g_allow_bodyless

Allow bodyless email

This will allow bodyless email to be accepted. These are usually spam.  In particular Norton Antivirus in autoprotect mode closes the POP link which makes it appear that SurgeMail has terminated the connection when a bodyless email is encountered.

Syntax: g_allow_bodyless bool

g_allow_user_authent_field_get

A space separated list of authent process fields that users are allowed to view for themself using the POP xauthent_field_get command

This provides limited access to the user database for applications like webmail and surgeplus.

Syntax: g_allow_user_authent_field_get string

g_allow_user_authent_field_set

A space separated list of authent process fields that users are allowed to set for themself using the POP xauthent_field_set command

This provides limited access to the user database for applications like webmail and surgeplus.

Syntax: g_allow_user_authent_field_set string

g_allow_passzip_to

A list of addresses to allow unmonitorable archive messages to be sent to

These may of course contain viruses as they cannot be scanned, but some people still need to be able to accept such files.

Syntax: g_allow_passzip_to string

g_allow_passzip_from

A list of addresses to allow unmonitorable archive messages to be sent from

These may of course contain viruses as they cannot be scanned, but some people still need to be able to accept such files.

Syntax: g_allow_passzip_from string

g_aspam_headers

Add aspam information messages to messages.

Adds informational aspam headers to all messages.

Syntax: g_aspam_headers bool

g_aspam_need_ip

Require good matches to match external ip address

This prevents poluted bad messages in aspam_good causing spam to bypass the filters, but reduces effectiveness of the notspam address.

Syntax: g_aspam_need_ip bool

g_authent_always

Always lookup user, so virtual domains can exist just in authent module

Always lookup user, so virtual domains can exist just in authent module. This allows you to support 10,000 domains on one system without a ‘huge’ ini file. Be careful to not create/remove real domains with the same name as existing domains that only exist in the authent database as the ‘drop files/inboxes’ will move when this occurs and existing mail will vanish.

Syntax: g_authent_always bool

g_authent_any

Restore buggy behaviour of looking up users in domains that don’t exist

Previously surgemail would lookup a user even if the domain in question did not exist, if you need to restore this odd behaviour then you can use this setting…

Syntax: g_authent_any bool

g_authent_allow_badascii

Allow ascii chars outside the range 32 < 127

By default ascii characters < 32 and >= 127 are blocked as invalid. If you require these characters set this to TRUE.

Syntax: g_authent_allow_badascii bool

g_authent_case_sensitive

Make passwords case sensitive

By default surgemail avoids case sensitive passwords as they do little to increase security but causes endless frustration for users, but this is just an opinion and some people disagree so use this setting if you wish to have case sensitive passwords :-).

Syntax: g_authent_case_sensitive bool

g_authent_decrypt

Collect and store plain text passwords for migration in file pass.decrypted

This setting should only be used as part of a migration, it obviously exposes your customers passwords to risk!.

Syntax: g_authent_decrypt bool

g_authent_prefix_sep

Authent Prefix Separator (deprecated – for backward compatibility only)

Prefix separator for prefix based separator. Only relevant if enabled on a per vdomain basis using the “prefix” setting.

Syntax: g_authent_prefix_sep string

g_authent_process

Authent process

The command line of a NetWin authentication module. You can use one of our standard modules for LDAP, ODBCAuth, MySQL etc or write your own. For more information on these modules see the authentication section of the manual .

This will typically be something like:
g_authent_process “E:\surgemail\nwauth.exe -path E:\surgemail”
or
g_authent_process “/usr/local/surgemail/nwauth -path /usr/local/surgemail”

Syntax: g_authent_process string

g_authent_pass

Authent process to check passwords with

This setting has no further documentation currently available

Syntax: g_authent_pass string

g_authent_lookup

Check if accounts exist using g_authent_pass too

This setting has no further documentation currently available

Syntax: g_authent_lookup bool

g_authent_cachelife

Cache life of successful authent lookups

Set the life in seconds that successful cached lookups can be used, default 2 hours. Best left alone.

Syntax: g_authent_cachelife int

g_authent_cachebad

Cache life of failed authent lookups

Set the life in seconds that the cached failed lookups can be used, default 60 seconds. Best left alone unless your server is being hit by thousands of failed lookups and your authent module is slow.

Syntax: g_authent_cachebad int

g_authent_cachesize

Size of the authent cache

Set the size of the authent cache, default is 500 entries. Generally best left alone.

Syntax: g_authent_cachesize int

g_authent_domain

Authent domain

If this is ‘true’, the virtual domain name is appended to the username before it is passed to the authent process. This lets the authent process deal with virtual domains. As a general rule, this should ALWAYS be true. 

Syntax: g_authent_domain bool

g_authent_nodomain

If true dont add @virtual.domain.name to external user lookups (NOT RECOMMENDED)

Use this at your own risk, it is provided for compatibility with dmail installations, but should be avoided if at all possible.

Syntax: g_authent_nodomain bool

g_authent_encrypt_key

Encryption key config settings

Not for general use currently, used to partially obscure credit card info when stored in the authent module.

Syntax: g_authent_encrypt_key string

g_authent_number

Authent number

The number of concurrent authent processes to run. If you are using a slow external authent module (e.g. sql) then it is probably worth running 3-4, there is no need to have more than 1 when using nwauth.exe. (Default = 1) 

Syntax: g_authent_number int

g_authent_info

Authent info

Defines a piece of information to store about the user in the user database (phone number, name, address etc). Each piece of information is given a name, a field, an access mode, a default and a type. The name defines what appears in the web management display. The field is what is sent to the authent_process. The access mode can be one of the following: user, domadmin, or admin, createonly, none. The default is what value is assigned upon creation of a new user. The type can be one of: date, readonly, encrypt or any custom string which you want to check for or match on the na_details.htm page with a template function like: ||ifequal||user_info_type||custom|| .. do things .. ||endif||

An access mode of ‘admin’ means that only the system admin can see the information, ‘domadmin’ means the sysadmin and any domain admin can see the information, ‘user’ means the user can see the information, ‘createonly’ means the user sets the information at creation time but cannot see it after that and ‘none’ ensures that no-one can see or modify the information (used for information that is handled by SurgeMail itself, either through the interface or otherwise)

e.g.
     g_authent_info      name="Phone Number" field="phone" access="user" default="" type=""

See here for a complete list of default settings.

Syntax: g_authent_info name=string field=string access=string default=string type=string

g_authent_info_grp

Fields to show to users in this group

Specifies the authent fields this user group is allowed to see and change. This applies only to the fields visible on the account properties page and the domain admin “Users” page it cannot be used to prevent access to fields which are managed by the web interface i.e. ‘fwd’

Syntax: g_authent_info_grp group=string fields=string tag=string

g_authent_addip

Send ip address as third parameter to authent module

This setting has no further documentation currently available

Syntax: g_authent_addip bool

g_authent_ip

Authent Lookup IP numbers via authent modules – enables relaying

If enabled each connecting IP address will be looked up in your user database as x.x.x.x@ip eg: “127.0.0.1@ip” and if the user is found then relaying is allowed and if ‘send_limit=”nn”‘ is defined then that will set the tarpit send limit for that user.

For per IP tarpit limits to work you need to define the g_tarpit_max and g_tarpit_max_remote settings. And g_tarpit_drop to make the limit effective.

Syntax: g_authent_ip bool

g_authent_single

Allow local users with a single quote char in their name

This let’s users exist who contain the single quote ‘ character. It is not supported with some authent modules though, nwauth does allow it.

Syntax: g_authent_single bool

g_authent_spaces

Allow spaces in passwords DO NOT USE

Not supported for most authent modules, requires nwauth 4.0r or later, If you have already got users with spaces in their passwords and you turn this setting on, they will no longer be able to login until they reset their passwords. Authent module must support slash encoding, for nwauth add -spaces to command line

Syntax: g_authent_spaces bool

g_authent_strip_domain

Strip domain for authent lookups

Use when your database expects one ‘primary’ domain to do lookups without a domain name then SurgeMail will strip that domain only from lookups. Typically this is only necessary with old DMail authent modules.

Syntax: g_authent_strip_domain string

g_authent_restart

Cycle auth modules every 1000 lookups

This is useful if there are resource allocation issues in the authentication module. Eg OBDCAuth

Syntax: g_authent_restart bool

g_authent_logall

Turns on logging of authent requests

If enabled, authentication requests are logged in mail.log as “<day> <time> Authent[<action> <info>]”.

Syntax: g_authent_logall bool

g_authent_fwdfile

Use DMail forward files (deprecated – for backward compatibility only)

Allows old style DMail forward files to be read.

Syntax: g_authent_fwdfile bool

g_authent_timeout

Timeout for authent response

Timeout for authent response, default 60 seconds.

Syntax: g_authent_timeout int

g_authent_last_login

Store users last login time in the database

This setting will cause the authent field ‘last_login’ to be updated when a user logs in. The field is set to a timestamp which is ‘the number of seconds since midnight January 1, 1970’. This field is updated ‘at most’ once every 24 hours. Other features i.e. delete_user_after and disable_smtp_after will look for this field.

Syntax: g_authent_last_login bool

g_authent_reminders

Days till we remind user to change password

Days until we remind user to change password.

Syntax: g_authent_reminders int

g_authent_require

Days till we require user to change password

This is the one to use, only requires change in surgeweb, expire password

Syntax: g_authent_require int

g_authent_enforce

Days till we prevent user from logging in, NOT RECOMMENDED

Days until we block logins if password is not changed. This setting will annoy your customers but not really achieve anything useful, it shouldn’t be used in most situations

Syntax: g_authent_enforce int

g_auth_hide

Disable SMTP Authentication

Per default SMTP authentication is enabled. If a user matches this IP range/list they will NOT be shown the ESMTP extension for SMTP authentication. This will usually stop the mail client from prompting the user for authentication. We STRONGLY recommend you do NOT use this feature. It is much better to let users authenticate when sending email.

Syntax: g_auth_hide string

g_auth_norelay

orelay-webok-allow-surgeweb-sessions-anyway" >

This means relaying only occurs if g_relay_allow_ip matches

Syntax: g_auth_norelay_webok bool

g_auth_norelay_webok

Allow surgeweb sessions anyway.

This means relaying only occurs if g_relay_allow_ip matches

Syntax: g_auth_norelay_webok bool

g_auth_skipgateway

Skip gateway rules if we get a proxy SMTP auth command

Skip gateway rules if we get a proxy SMTP auth command. This is not for general use. It can be used if you are using SurgeMail in front of another mail server with a wild card gateway to gateway all domains to a back end mail server. Then an authenticated user is a local user trying to send out so the gateway rules are ignored. (this is strongly not recommended)

Syntax: g_auth_skipgateway bool

g_auth_path

Path to nwauth files

Needed for mirroring if using multiauth

Syntax: g_auth_path string

g_autologin_pop

Enables WebMail Autologin using POP when on another server

Webmail needs the ability to automatically login to SurgeMail to changes passwords etc. This setting will do this via an extension to the pop protocol allowing WebMail to autologin whilst running on another server. (Normally this is done using a temporary file)

Syntax: g_autologin_pop bool

g_autologin_file

File to use to share auto login information on NFS based cluster

This allows webmail to autologin when using an nfs based cluster and a load sharing device.

Syntax: g_autologin_file string

g_autologin_imap_disable

Disable IMAP based autologins

IMAP autologins allow autologin to surgeweb.

Syntax: g_autologin_imap_disable bool

g_badfrom_noip

Check envelope from domain exists and is a valid IP number

Check envelope from domain exists and is a valid ip number, if not bounce message.

Syntax: g_badfrom_noip bool

g_badfrom_noip_temp

Makes g_badfrom_noip return a temporary error instead of a 501 error

Use g_verify_mx_skip to bypass/whitelist ip addresses from this check

Syntax: g_badfrom_noip_temp bool

g_badfrom_check

Check if ‘from’ envelope can be delivered to

If this is set to “true” then SurgeMail will connect back to the envelope ‘from’ address and check that the address is valid, a cache is used to improve performance, if it cannot connect then the message is bounced as probable spam. It’s nicer to use the following setting “g_badfrom_stamp” as well, then if SurgeMail cannot connect back or the user is invalid then a header is added to indicate this, and our SmiteSpam rules will use this to increase the spam weighting.

You can use g_spam_allow to exempt an IP from this check as well as g_badfrom_whitelist for a domain. Please note that by default SurgeMail uses a blank mail from to do its check.
MAIL FROM: <>
Some servers might reject this, though they shouldn’t because its a standard bounce, however if they do you can use g_badfrom_from to set a mail from address to be used for this check.

Syntax: g_badfrom_check bool

g_badfrom_stamp

If ‘g_badfrom_check’ is bad then stamp a header on the message

g_badfrom_check must also be set to true. If this is set to “true” then SurgeMail will connect back to the envelope ‘from’ address and check that the address is valid, a cache is used to improve performance, if it cannot connect then a header is added to indicate this, and our SmiteSpam rules will use this to increase the spam weighting.

Syntax: g_badfrom_stamp bool

g_badfrom_badmx

Drop message if this MX

If mx host is one of these addresses then drop the message, it’s definitely spam (e.g. 127.*).

Syntax: g_badfrom_badmx string

g_badfrom_from

Mail from account for g_badfrom_check

From to use when doing the g_badfrom_check check, not normally needed, if set must be set to valid account.

Syntax: g_badfrom_from string

g_badfrom_whitelist

Whitelist of domains to skip from checks

Whitelist of “from” address domains to skip g_badfrom_* checks.

eg.
g_badfrom_whitelist “specialdomain.com”

Syntax: g_badfrom_whitelist string

g_ban_helo

Ban any machine that gives a matching ‘helo’ string

This is a simple spam protection system to block known spam/problem users based on the ‘helo’ name they send to your system. This name is recorded in the ‘received’ header along with the IP address. This name is very easy to ‘fake’ so is not a high security level of protection, but it is simple for stopping stupid robots etc, that have gone insane.

Example: *junkmail.com 

Syntax: g_ban_helo string

g_ban_from

Ban any matching MAIL FROM: envelope

Same as ‘ban_helo’ but applies to the from (return address) part of the mail envelope. This is NOT the same as the from/sender header in the message itself!!! This equates to the ‘Return-path:’ header that the mail server adds. 

Syntax: g_ban_from string

g_ban_rcpt

Ban any matching RCPT TO: envelope

Same as ‘ban_helo’ but applies to the recipient part of the envelope (destination users) this is NOT the same as the ‘To:’ header in the message itself!!! This can sometimes be used to block really simple spamming programs that always send to the same invalid users. 

Syntax: g_ban_rcpt string

g_ban_blackhole

Leave connected but reject all recipients without looking them up

Leave connected but reject all recipients without looking them up. This is good of dealing with high volume spammers without wasting resources doing user lookups. 

Syntax: g_ban_blackhole bool

g_bind_byfromip

Bind outgoing SMTP connections to the specified IP based on the sender IP

This setting has no further documentation currently available

Syntax: g_bind_byfromip fromip=string bindip=string

g_bind_to

Bind outgoing SMTP if to address matches

This setting has no further documentation currently available

Syntax: g_bind_to string

g_bind_to_ip

The address to bind to

This setting has no further documentation currently available

Syntax: g_bind_to_ip string

g_bind_to_name

The name to use in the ehlo

This setting has no further documentation currently available

Syntax: g_bind_to_name string

g_bind_out

Bind outgoing smtp connections to IP

Bind outgoing smtp connections to this IP number. 

Syntax: g_bind_out string

g_bind_from

Bind outgoing SMTP connections based on ‘from’ envelope

Bind outgoing SMTP connections based on the IP of the virtual domain in ‘from’ envelope. This is only useful if you are using IP based virtual domains. 

Syntax: g_bind_from bool

g_bind_incoming

Bind outgoing SMTP connections based on incoming ip address

So if the incomnig mail came in on interface address 1.2.3.4 then that same address is used to send the email

Syntax: g_bind_incoming bool

g_bind_in_always

Bind on incoming in preference to g_bind_from

So if the incomnig mail came in on interface address 1.2.3.4 then that same address is used to send the email

Syntax: g_bind_in_always bool

g_bind_authent_default

Bind to default if authenticated

So authenticated users get the default binding not g_bind_byfromip

Syntax: g_bind_authent_default bool

g_black_above

Level for spam detection for g_black_count

Level for spam detection for blacklisting IP number e.g. 7. 

Syntax: g_black_above int

g_black_count

Blacklist sender IP based on spam sent

Number of spam in a row before IP blacklisted for 30 minutes eg: 30 (default = disabled)

Syntax: g_black_count int

g_black_to

Blacklist sender IP based on catch addresses

Blacklist senders IP address for 30 minutes if they deliver to these spam catch email addresses.

eg. g_black_to “smith@mydomain.com,catcher@myotherdomain.com”

Syntax: g_black_to string

g_black_isspam

Blacklist ip address for any spam training event

This setting has no further documentation currently available

Syntax: g_black_isspam bool

g_black_nbad

Blacklist ip address if this many bad recipients in a row (e.g. 8)

There is no default. The ip is blacklisted for the time specified by G_MAX_BAD_IP_TIME or one day. Whitelist with G_BLACK_WHITE for ip address or from matches. This limit is related to a single connection, not all errors from an ip over time.

Syntax: g_black_nbad int

g_black_white

Whitelist to prevent blacklisting, e.g. 1.2.3.*,mail*.aol.com

This setting has no further documentation currently available

Syntax: g_black_white string

g_blogs_enable

Surgemail blogs

Allow users to create blogs

Syntax: g_blogs_enable bool

g_blogs_maximum_image_width

Default maximum image width

Images larger than this that are posted to blogs are scaled down, default is 390, per blog setting can overide this.

Syntax: g_blogs_maximum_image_width int

g_blogs_maximum_image_size

Default maximum image size

Images larger than this (in largest dimension) that are posted to blogs are scaled down, default is 390, per blog setting can overide this.

Syntax: g_blogs_maximum_image_size int

g_blogs_maximum_items_in_top_page

Maximum number of items on the top blog page

Maximum number of post bodies to appear on a blog top page, default is 10

Syntax: g_blogs_maximum_items_in_top_page int

g_blogs_max_per_user

Maximum number of blogs per user

Maximum number of blogs per user, default is 5

Syntax: g_blogs_max_per_user int

g_blogs_default_template

Default template set that is used by newly created blogs

This setting can have a value of the name of any directory in the SurgeMail blogtpl directory

Syntax: g_blogs_default_template string

g_blogs_use_sub_domains

Make blogs accessible at http://blog_name.domain/

If you’re DNS entry supports it, turn on this setting to make blogs accessible at http://blog_name.blogs.domain/ instead of http://domain/blogs/blog_name

Syntax: g_blogs_use_sub_domains bool

g_blogs_sub_domain_prefix

Prefix to use instead of blogs. for blog subdomains. use ! to have no prefix.

Experimental feature do not use

Syntax: g_blogs_sub_domain_prefix string

g_blogs_not_unique

Allow the same blog name in multiple domains

If set you can create different blogs with the same name in different virtual domains, this is not recommended.

Syntax: g_blogs_not_unique bool

g_blogs_not_global

Only allows access to a blog onthe domain it is defined on

Only allows access to a blog on the domain it is defined on, this is not recommended. (probably want to use g_blogs_not_unique, g_blogs_domonly too)

Syntax: g_blogs_not_global bool

g_blogs_no_suffix

Shortens URL, url_blogs must be defined for each domain

This shortens http://a.com/blog/juggling to http:/a.com/juggling, but does require that you define a specific name for the blogs in the domain based url_blogs setting

Syntax: g_blogs_no_suffix bool

g_blogs_ping

Sites to ping on each post

Host and path to ping on each blog post. eg: host=rpc.weblog.com path=/RPC2

Syntax: g_blogs_ping host=string path=string

g_blogs_domonly

Only list blogs in a users domain

By default all blogs in all domains are listed/shown to the user. This setting causes it to only list blogs in the users domain.

Syntax: g_blogs_domonly bool

g_blogs_image_optional

Allow users to specify if image verification is required for comments

By default image verification is now required, this prevents spammers from abusing the many ‘test’ blogs set up by your users.

Syntax: g_blogs_image_optional bool

g_blogs_allow_links

Allow users to post comments that contain urls

Due to widespread abuse of blogs this is not recommended.

Syntax: g_blogs_allow_links bool

g_blogs_cleanup_links

Delete existing posts that contain urls

This setting will help cleanup existing spam postings to your users blogs.

Syntax: g_blogs_cleanup_links bool

g_blogs_comment_rev

Show blog comments newest first

Helps if there are lots of comments, this is a global setting not per blog..

Syntax: g_blogs_comment_rev bool

g_blogs_https

Use https for blog urls

This setting has no further documentation currently available

Syntax: g_blogs_https bool

g_bomb_max

Max messages to a single address per hour

Simple system to prevent intentional or more likely, accidental mail loops or mail bombs where thousands of Emails are sent to a single user. A setting in the range of 100-1000 is generally good depending on your sensitivity to incorrectly blocking real mail.  We suggest 1000 is a good setting if you are unsure.

This counts the messages from a single IP address to a single recipient. If a single IP sends more than this many messages to any single recipient then they will be tarpitted (slowed down and rejected).

Use spam_allow ip.address.list to over-ride the limit for known local systems that might exceed this limit (unlikely anything will).

Syntax: g_bomb_max int

g_bomb_max_from

Max msgs from a single email address/hour

Max msgs from a single email address/hour.

Syntax: g_bomb_max_from int

g_bomb_white

don’t apply bomb_max limit if to address matches

Useful for robots etc that expect high volume

Syntax: g_bomb_white string

g_bounce_disable

Bounce Disable

Disable all bounces. This is particularly useful when under spam attack. This is for outgoing bounces it stops SurgeMail generating bounces it won’t affect incomming bounces from other servers.

example:
g_bounce_disable “true”

Syntax: g_bounce_disable bool

g_bounce_redirect

Send all bounces to a local address

This can be used to avoid ‘back scatter’ which can get your server listed in various black listed sites. In general your server should not generate bounces so if you get lots you may find changing config settings can stop them. Note this only redirects bounces to non local recipients, so your users sending outgoing mail will still get their own bounce messages.

Syntax: g_bounce_redirect string

g_bounce_reject

Reject bounces by ip address from known dumb mail servers

Some mail servers (exchange) will accept email, then bounce it, this is now considered a ‘crime’ and will get your server black listed, so if you have surgemail running as a gateway for such servers you can tell it to reject any bounce that server is foolish enough to send you.

Syntax: g_bounce_reject string

g_bounce_limit

Max size of bounce messages

Max size in bytes of message to send back as bounce message is truncated if necessary.

Syntax: g_bounce_limit int

g_bounce_some_stop

Disables locally generated bounces for partial message failure – NEVER use this!

This can decrease back scatter, but it has other bad effects, it can result in duplicate messasges arriving. Never never use this setting

Syntax: g_bounce_some_stop bool

g_bounce_nodrop

Enables locally generated bounces for non local users

This setting makes bounces occur normally, the reason bounces are normally dropped for non local users is that they are almost always spam bouncing off another server due to forwarding settings, and as such sending a bounce email will get your server black listed, so we decided it was best to drop them by default since they are rarely useful. Turn this setting on at your own risk :-). Instead use g_bounce_to to list domains that it is safe to bounce to.

Syntax: g_bounce_nodrop bool

g_bounce_to

Domains to treat as local and send bounces to

This setting makes bounces occur normally, the reason bounces are normally dropped for non local users is that they are almost always spam bouncing off another server due to forwarding settings, and as such sending a bounce email will get your server black listed, so we decided it was best to drop them by default since they are rarely useful. Turn this setting on at your own risk :-). Instead use g_bounce_to to list domains that it is safe to bounce to. e.g. *@a.com,*@b.com

Syntax: g_bounce_to string

g_warning_to

Addresses to treat as local and send warning bounces to

This may cause back scatter to use with caution

Syntax: g_warning_to string

g_bounce_to_recipient

Bounce suregewall failure to the recipient

This can help prevent message loss in rare cases where quota/size limits prevent a delivery from surgewall server to destination server.

Syntax: g_bounce_to_recipient bool

g_bounce_bind

Use a specific ip address for outgoing bounces

Some RBL sites blacklist machines for sending bounces, which is probably a good thing. But even with spf running your server may occasionally send a bounce to a forged address, and so you can use an alternate ip address for these bounces to avoid blacklisting your main mail server address. First you must assign the ip address to your network interface etc

Syntax: g_bounce_bind string

g_bounce_suggest

Send bounces to postmaster if spf cannot be verified

This may help stop black listing for backscatter while still alerting the sending domain admin that one of their users emails to your server bounced, You can specify a template file suggest.eml if you don’t like the default message suggesting the postmaster add spf records for their domain

Syntax: g_bounce_suggest bool

g_bounce_paranoid

Prevent external bounces going through surgemail

This can help stop back scatter from another server going through your server to an external domain

Syntax: g_bounce_paranoid bool

g_bounce_safe

Only send bounces to local domains

This may result in lost messages, but can also avoid backscatter issues

Syntax: g_bounce_safe bool

g_block_files

Block certain attachments

Allow you to block any mail with certain files attached. 

g_block_files “*.exe,*.cmd,*.com”

Syntax: g_block_files string

g_block_skip

From or To address to bypass g_block_files

Some users will need to send various attachments, these users are excempt to the g_block_files rule

Syntax: g_block_skip string

g_block_longok

If true allow long file names (more than 180 char)

By default files names over this length are ALWAYS blocked if g_block_files is used, in rare situations these are not just viruses attempting to get around the filter.

Syntax: g_block_longok bool

g_breakin_enable

Stop multiple ip logins for one account in a few seconds

When a hacker guesses a password on your system they will often send outgoing spam to your server from multiple ip addresses, Surgemail detects this and emails the administrator when it occurs, use g_breakin_white to enable specific users who need to do this (this is very unusual though)

Syntax: g_breakin_enable bool

g_breakin_short

Match on 1.2.3.* for ip addresses, helps with google sending

When a hacker guesses a password on your system they will often send outgoing spam to your server from multiple ip addresses, Surgemail detects this and emails the administrator when it occurs, use g_breakin_white to enable specific users who need to do this (this is very unusual though)

Syntax: g_breakin_short bool

g_breakin_white

Email addresses that can send concurrently from mulltiple ips (use * to allow everyone)

When a hacker guesses a password on your system they will often send outgoing spam to your server from multiple ip addresses, Surgemail detects this and emails the administrator when it occurs, use this setting to enable specific users who need to do this (this is very unusual though), it also accepts wild cards, e.g. * if you wish to disable teh feature. A list is given as “user@domin,user2@domain2”

Syntax: g_breakin_white string

g_breakin_n

Number of different ip’s that trigger a lockout, default is 8

Only lower numbers are valid.

Syntax: g_breakin_n int

g_breakin_window

Window in seconds, default is 300

The window in which the multiple logins are counted

Syntax: g_breakin_window string

g_byname_old

Enable old slow domain lookup functions

This setting should not be needed.

Syntax: g_byname_old bool

g_convert_percent

Convert % signs top @ in recipient addresses

Some Spam tests send mail user%spamdomain.com@localdomain.com to see if a server is an open relay. If a default address is set up for the local domain this will be delivered to this local address and the test assumes the mail server is an open relay. This setting prevents this. 

Syntax: g_convert_percent bool

g_crash_normal

Crash without catching exceptions

Crash without catching signals 10,11. In particular this will generate correct core files on FreeBSD systems.

Syntax: g_crash_normal bool

g_crash_simple

Crash simpler for solaris to avoid deadlock situation

This setting has no further documentation currently available

Syntax: g_crash_simple bool

g_crash_nomini

Crash without minidump on windows

This setting has no further documentation currently available

Syntax: g_crash_nomini bool

g_cid_skip_to

Skip CID score, good for lawyers etc

Some users will trigger CID matches due to the nature of their business (accountants/lawyers) for these people you may want to list them here. CID is content matching, usually scams which often use legal language.

Syntax: g_cid_skip_to string

g_mailstatus_message

Error message to give when mailstatus is set to specified state

This allows you to specify the error message given to the user when they are set to certain states, you may use other authent fields in the message, for example:

g_mailstatus_message state=”payup” message=”Payment is due $full_name$, please pay here: http://your.site/path/file.htm”

Syntax: g_mailstatus_message state=string message=string

g_manager_username

Global domain managers username (for web based domain administration)

Specifies the local users which have manager rights for all domains. These users can login to the user self management interface and will recieve special domain manager options. This setting works slightly different to the domain level ‘manager_username’ setting in that if you specify an account without the @domain part i.e. ‘admin’ it gives all admin users in all domains domain rights over all domains.

Syntax: g_manager_username string

g_mirror_host

Mirror host 

This unique SurgeMail feature allows you to setup two identical mail servers across a local or widearea network. The waiting mail messages & folders etc are duplicated continuously between the two systems, so users can use either system. If either system fails for any hardware reason the other acts as an instant on line replacement without any interruption to the user. In addition when the faulty system is replaced the two automatically re-synchronize. 

See this page for Mirror overview

Syntax: g_mirror_host string

g_mirror_nossl

Disable SSL for mirror protocol connection

This is best turned off unless your servers are talking over a wide area untrusted network. 

Syntax: g_mirror_nossl bool

g_mirror_nwauth

Mirror NWAuth data files (deprecated – for backward compatibility only)

This setting is no longer used (as of SurgeMail 1.7d), the g_mirror_mode setting is used instead to decide whether do mirror the NWAuth database.

Syntax: g_mirror_nwauth bool

g_mirror_nwauth_always

Mirror nwauth database files

Set this if you’re using multiauth to run nwauth and you want those files mirrored. Requires you to add -isslave2 to multiauth.ini nwauth command line. Requires the nwauth files to be located in the surgemail root/install directory.

Syntax: g_mirror_nwauth_always bool

g_mirror_mode

Master / slave mirror system

Certain actions may only be run on the mirror master system (such as expire processing) or are different in behaviour between the master and slave (such as NWAuth mirrorring and dlist mirorring). This setting must be set to MASTER on one system and SLAVE on the other system for correct operation. (Note basic mirrorring of delivered mail will happen if this setting is the same on both systems it is just some of the special mirrorring functionality that this is required for)

Syntax: g_mirror_mode string

g_mirror_secret

Mirror secret shared password

This password is required to prevent the mirroring mechanisms being abused. We recommend a random string of letters at least 10 characters long. e.g. “urcajfielsjfs” 

Syntax: g_mirror_secret string

g_mirror_prune_age

Mirror minimum age for items to be pruned during sync_prune

Mirror minimum age for items to be pruned during sync_prune, default 14 days. 

Syntax: g_mirror_prune_age int

g_mirror_threads

Max threads we can use during resync_fast, default 6

During resync fast four threads are used, this is usually sufficient, more may overload your system and result in failures, if your system is not under load you could set it as high as eight, but this would only be sensible if your disk array has more than 4 drives in it!

Syntax: g_mirror_threads int

g_mirror_live

Mirror: Send incoming messages immediately

Enables a faster mirroring mechanism, strongly recomended, this setting will be the default in a future release

Syntax: g_mirror_live bool

g_mirror_live_max

Limit size of mirror_live default 60k

This prevents smtp delays when mirroring over a slowish link. The default is 60k

Syntax: g_mirror_live_max int

g_mirror_nsend

Sending threads to use, default 8

Sending threads for normal queue

Syntax: g_mirror_nsend int

g_mirror_config

Mirror surgemail.ini

Syntax: g_mirror_config “true/false”

You put this on both machines and it will attempt to mirror the surgemail.ini. There will be some settings that you do not wish to mirror and these can be exempted by using:

g_mirror_config_except “setting,setting,setting”

Some settings are not mirrored by default these are: g_mirror_host, g_mirror_nwauth*, g_mirror_mode, g_authent_path, g_dlist_path, g_log_path, g_record_path, g_home, g_authent_process, g_mfilter_file, g_webmail_work, g_work, g_virus_cmd, g_atrn_port, g_imap_port, g_imap_secure_port, g_ldap_port, g_manager_port, g_manager_secure_port, g_monitor_port, g_pop_port, g_pop_secure_port, g_ppd_port, g_smtp_port, g_smtp_secure_port, g_webmail_port, g_webmail_secure_port, g_surgeplus_port, g_surgeplus_secure_port, g_surgeplus_web_port, g_bind_out, g_virus_avast, dmail_drop_path, dmail_bin_path, web_path, webmail_work

(it is possible we will update this list over time)
* g_mirror_nwauth is obsolete don’t use it.

Syntax: g_mirror_config bool

g_mirror_config_except

Mirror surgemail.ini

Syntax: g_mirror_config “setting,setting,setting”

This will tell the server not to import the specified settings from the other mirror.

Example:
g_mirror_except “g_spam_allow”

This will tell the server not to change this setting. This only affects the machine its on, if the other server does not have this set, it will continue to mirror the setting. This setting accepts wildcards. This setting accepts a special case value “address” that will prevent mirroring of existing domain ip addresses, allowing different ips on each mirror machine. There are a number of settings which are not mirrored by default these are specified above in g_mirror_config.

In addition the mailbox_path setting is not mirrored, unless, the existing setting is a sub directory of the g_mailbox_path and the new setting is a sub directory of the g_mailbox_path from the other server, in which case the mailbox_path is set to the same sub directory using the existing g_mailbox_path setting eg.

[recieving server]
g_mailbox_path “c:\surgemail\mbox”
mailbox_path “c:\surgemail\mbox\domain”

[sending server]
g_mailbox_path “d:\surgemail\mbox”
mailbox_path “c:\surgemail\mbox\domain_moved_here”

[result on recieving server]
g_mailbox_path “c:\surgemail\mbox”
mailbox_path “c:\surgemail\mbox\domain_moved_here”

Syntax: g_mirror_config_except string

g_mirror_trash

Normally on a resync the trash folder is ignored.

This can be useful when you want to compare results so you want everything even if it’s a bit pointless

Syntax: g_mirror_trash bool

g_mirror_debug

Log more info to mirror log.

Helps when tracking down fault with nwauth or mirroring, never leave turned on as it can lead to mutex crashing

Syntax: g_mirror_debug bool

g_mirror_debug3

NEVER USE, MAKES MIRROR FAIL.

Helps when tracking down fault with nwauth or mirroring, never leave turned on as it can lead to mutex crashing

Syntax: g_mirror_debug3 bool

g_mirror_repair

Run resync_prune once per month, only set on master, TURN OFF DURING FAILURES

This setting runs a nighly resync to keep the cluster in sync. Maybe be resource intensive on a large system! This should always be disabled during a failure as it could cause messages loss when the master is re connected.

Syntax: g_mirror_repair bool

g_mirror_email

Email manager list of fixes sent

This is a debug setting to spot issues with mirroring, it emails the manager a log of the files that were resynced, set G_MIRROR_PRUNE_AGE 1 as well to cut down on false positives.

Syntax: g_mirror_email bool

g_mirror_max

Max items in one folder to mirror, default 160k currently

This setting has no further documentation currently available

Syntax: g_mirror_max int

g_mirror_lock

Lock master during slave bursts

This setting has no further documentation currently available

Syntax: g_mirror_lock bool

g_mirror_others

BETA Other hosts, for 3,4 host mirrors,(DO NOT USE)

This setting has no further documentation currently available

Syntax: g_mirror_others string

g_mirror_resync_inbox

BETA Resync inbox for active users once a day

This setting has no further documentation currently available

Syntax: g_mirror_resync_inbox bool

g_mtasts

Enable MTA-STS ssl/tls rules

Use DNS entries to discover if receiving server should have a signed SSL certificate

Syntax: g_mtasts bool

g_mtasts_white

Domains to ignore MTA-STS rules

Whitelist for destination domains we should just send to anyway

Syntax: g_mtasts_white string

g_mtasts_report

Alert manager on MTASTS failures

Most failures will be due to something other than real hackers, so this alert helps you resolve issues, and add whitelist rules g_mtasts_white settings for problem domains

Syntax: g_mtasts_report bool

g_callhome_disable

Disable misc features that reference netwinsite

Useful if you are paranoid about information

Syntax: g_callhome_disable bool

g_con_peruser

Connection limit per user for imap/pop. Set above 20

This setting has no further documentation currently available

Syntax: g_con_peruser int

g_con_peruser_except

Exception users to g_con_peruser, include domain name

This setting has no further documentation currently available

Syntax: g_con_peruser_except string

g_con_perip

Connections per IP

Maximum number of connections allowed per IP address. Primarily this is used to prevent simple denial of service attacks where one user could otherwise use up all the channels your system can support and then do nothing with them. 

Syntax: g_con_perip int

g_con_gateway

Connection limit per ip also applies to gateways

This setting has no further documentation currently available

Syntax: g_con_gateway int

g_con_perip_except

Connections per IP exception

IP list of exception addresses to g_con_perip. 

Syntax: g_con_perip_except string

g_con_persubnet

Maximum concurrent connections per subnet

Maximum number of concurrent connections per subnet. This limits concurrent connections from a sub net, great for automatically stopping professional spammers who use multiple addresses. A typical setting might be 20. Subnet is /24.

Syntax: g_con_persubnet int

g_date_add_utc

Add UTC if date header is missing it

Add timezone if date header is missing one

Syntax: g_date_add_utc bool

g_dbabble_smtp_port

DBabble SMTP port (do not manually change this setting – it should be set from the DBabble section of the web admin interface only)

This setting specifies the port that DBabble listens on. DBabble looks at surgemail.ini and if it sees this setting, overrides it’s own setting with this value. When you save changes to this setting from within the SurgeMail DBabble admin interface, SurgeMail automatically sets appropriate values for the g_redirect_iflocal and g_gateway settings.

Syntax: g_dbabble_smtp_port int

g_dbabble_smtp_prefix

DBabble SMTP prefix (do not manually change this setting – it should be set from the DBabble section of the web admin interface only)

This setting is used in conjunction with the dbabble_smtp_port setting to forward all mail with the specified prefix on to DBabble.

Syntax: g_dbabble_smtp_prefix string

g_dbabble_links

Add web links to DBabble from other web interfaces (and vice versa)

This causes links to appear in the DBabble interface to switch to using WebMail (and SurgePlus if you have the g_surgeplus_links setting on).

Syntax: g_dbabble_links bool

g_debug_block

For catching bugs in block file processsing

For catching bugs in block file processsing.

Syntax: g_debug_block bool

g_debug_crt

Some CRT debugging on windows, do not use

This setting has no further documentation currently available

Syntax: g_debug_crt bool

g_debug_ini

Debugging, don’t use this

This is a temp setting used for testing

Syntax: g_debug_ini bool

g_debug_vanished

Name of file to check for, if file vanishes, crash

This is for tracking a particular bug, not for general use

Syntax: g_debug_vanished string

g_debug_free

Check free memory isn’t corrupted – slows performance slightly

This is for tracking a particular bug, not for general use

Syntax: g_debug_free bool

g_debug_imap

Log imap folder renames and deletes in kmsg.log

This is for tracking a particular bug or user error

Syntax: g_debug_imap bool

g_debug_ncpy

Debug ncpy function

This makes ncpy clear the entire destination buffer to increase the chance of a crash if the buffer length is wrong

Syntax: g_debug_ncpy bool

g_debug_timing

Record dfopen timing, tellmail dfopen_stats

This makes ncpy clear the entire destination buffer to increase the chance of a crash if the buffer length is wrong

Syntax: g_debug_timing bool

g_debug_image

Save image thumbnail files to find bug

This setting has no further documentation currently available

Syntax: g_debug_image bool

g_debug_body

Save msg body during processing

This setting has no further documentation currently available

Syntax: g_debug_body bool

g_debug_check

Use more dmalloc debugging, some performance impact. Also set g_debug_free

This setting has no further documentation currently available

Syntax: g_debug_check bool

g_demo

Demo mode lock unsafe admin features

This setting has no further documentation currently available

Syntax: g_demo bool

g_demo_to

Demo mode valid external destinations

This setting has no further documentation currently available

Syntax: g_demo_to string

g_deny

can clutter log

This setting has no further documentation currently available

Syntax: g_deny_log bool

g_deny_country

Block email from some countries, use 2 digit code not the full name, see IpToCountry.csv, turn on g_country_ip!

Block countries, examine the file IpToCountry.csv for the abbreviations, g_country_ip must be set true, and issue tellmail aspam_update

Syntax: g_deny_country string

g_deny_smtp

Deny SMTP based on IP address

Block users from some IP ranges connecting to SMTP only. 

Syntax: g_deny_smtp string

g_deny_login

Block users from some ip ranges logging in

This setting has no further documentation currently available

Syntax: g_deny_login string

g_deny_msg

Deny message

Message to give to users who are disconnected due to the above ‘deny’ setting. 

Syntax: g_deny_msg string

g_deny_log

Log g_deny rejections to msg.log – can clutter log

This setting has no further documentation currently available

Syntax: g_deny_log bool

g_download

Fetch an http file and do an ini reload

Can be used with g_include to have settings fetched from a central location, the file is fetched once an hour.

Syntax: g_download url=string user=string pass=string local=string

g_domainkeys_check

Check incoming DomainKeys signatures (obsolete turn off)

See domainkeys.htm

Syntax: g_domainkeys_check bool

g_domainkeys_sign

Sign outgoing messages (obsolete, turn off)

To turn off domainkeys for some domains see the per domain setting, domainkeys_disable. See domainkeys.htm for more info.

Syntax: g_domainkeys_sign bool

g_domainkeys_selector

Policy name for your server (used creating dns entry for domainkeys)

This defines the dns entry name for your policy record and public key entry in your dns. See domainkeys.htm for details

Syntax: g_domainkeys_selector string

g_domainkeys_only

Domains to sign for outgoing email

Normally all local domains are signed, but if this setting exists then it is used instead so you must list local domains as well as non local ones you want to sign messages for. G_domainkeys_sign must also be set to true!

Syntax: g_domainkeys_only string

g_domainkeys_headers

List which headers to sign

This will help get the message through gateways without breaking the signature, try a single header, e.g. from

Syntax: g_domainkeys_headers string

g_dkim_check

DKIM Check incoming DKIM signatures

See domainkeys.htm

Syntax: g_dkim_check bool

g_dkim_sign

DKIM Sign outgoing messages

To turn off dkim for some domains see the per domain setting, dkim_disable. See domainkeys.htm for more info.

Syntax: g_dkim_sign bool

g_dkim_selector

DKIM Policy name for your server (used creating dns entry for dkim)

This defines the dns entry name for your policy record and public key entry in your dns. See domainkeys.htm for details

Syntax: g_dkim_selector string

g_dkim_only

DKIM Domains to sign for outgoing email (default is all)

Normally all local domains are signed, but if this setting exists then it is used instead so you must list local domains as well as non local ones you want to sign messages for. G_dkim_sign must also be set to true! Never set to *

Syntax: g_dkim_only string

g_dkim_exclude

DKIM Domains to not sign for outgoing email

This can be used to exclude some domains

Syntax: g_dkim_exclude string

g_dkim_headers

DKIM List which headers to sign (blank=default, and is usually best)

This will help get the message through gateways without breaking the signature, try a single header, e.g. from

Syntax: g_dkim_headers string

g_dkim_skip

DKIM Destination Domains to not sign

This is useful if the destination server is faulty with it’s dkim processing

Syntax: g_dkim_skip string

g_dkim_nogateway

Don’t sign if gateway rule used

Useful to avoid double signing incoming messages

Syntax: g_dkim_nogateway bool

g_dkim_alt_domains

Use selector ‘alt_name’ for these domains

Use if you need to use a different selector when forwarding for a domain (so you can define a different dkim private key)

Syntax: g_dkim_alt_domains string

g_dkim_alt_name

Name of selector to use

Use if you need to use a different selector when forwarding for a domain (so you can define a different dkim private key)

Syntax: g_dkim_alt_name string

g_dkim_return

Sign if ‘return path’ matches g_dkim_only

Useful when you want to act as a signing gateway

Syntax: g_dkim_return bool

g_domain_templates

Check for domain specific templates

This setting has no further documentation currently available

Syntax: g_domain_templates bool

g_dlist_nostart

Disable dlist

If set disable (do not attempt to start) dlist for DMail compatibility mode.. 

Syntax: g_dlist_nostart bool

g_dlist_nolocal

Remove add local button from mailing lists

Prevents address havesting etc by users – strongly recommended on public servers, not necessary on small or private servers

Syntax: g_dlist_nolocal bool

g_dlist_path

Path for dlist

DList Path normally defaults to $g_home/dlist.

Syntax: g_dlist_path string

g_dlist_one

Only allow one recipient if message is to a mailing list

This setting has no further documentation currently available

Syntax: g_dlist_one bool

g_dmail_filter

Run DMail compatible filter files (deprecated – for backward compatibility only)

Run DMail compatible filter files. Mfilter rule files should be used instead.

Syntax: g_dmail_filter string

g_dns_blank_fail

NEVER USE! Bounce email if dns response blank rather than retry

This setting has no further documentation currently available

Syntax: g_dns_blank_fail bool

g_dns_host

DNS host(s) for MX lookups

This setting can normally be left blank as the mail server will find your system DNS settings. However, you can specify one or more DNS servers for the mail server to use instead to lookup names. 

DNS lookups are cached to disk so SurgeMail will generally continue to work even if your dns server is temporarily unavailable.

Test your dns server with this command. If working it should return two ip addresses for that domain.

 	tellmail dns_test "netwinsite.com"

Prior to SurgeMail 2.0h dns lookups were done using tcp instead of udp, they are now down with UDP unless the response exceeds UDP packet size (as per RFC).

NOTE: All dns servers listed in this setting must be fully recursive, a non recursive dns server will create many dns lookup failures!

Syntax: g_dns_host string

g_dns_nlookup

Concurrent MX lookups

Concurrent DNS lookups to send to DNS server (Default=20) (not used after version 2.0h)

Syntax: g_dns_nlookup int

g_dns_require

Require reverse DNS names match

Require MAIL FROM header to match the reverse dns lookup based of the sender based on the sender’s IP.

eg. from=*@hotmail.com hosts=*hotmail.com

Syntax: g_dns_paranoid string

g_dns_translate

If mx response is x.x.x.x translate to y.y.y.y:port

Useful for translating ip numbers inside a local intranet and doing other fancy routing of various sorts.

Syntax: g_dns_translate from=string to=string

g_dsn_loggedin

Enable DSN (Delivery Status Notification) for trusted senders.

Safer alternative to real DSN as it only applies to local users. This guesses if the user is trusted based on previous logins

Syntax: g_dsn_loggedin bool

g_dsn_enable

Enable DSN (Delivery Status Notification) esmtp extension.

Not recommended. Delivery Status Notification is used by spammers to find addresses to spam to.

Syntax: g_dsn_enable bool

g_dsn_nofinal

Try not to show real final recepients but just original recipients

This setting helps hide internal addresses in bounce messages (after forwarding etc). Not recommended.

Syntax: g_dsn_nofinal bool

g_domain_separator

Separator characters for virtual POP

For POP logins where your virtual domain is NOT distinguished by IP address users can login with ‘user@domain’ or user/domain.name etc and the mail server will pickup the domain name correctly. By default only ‘user@domain.name’ is accepted unless this setting is used which can be useful for brain dead mail clients which don’t allow the user to specify ‘user@domain.name’ as the username eg:

g_domain_separator “/”

Syntax: g_domain_separator string

g_domain_list_max

Maximum number of domains to list at once

Maximum number of domains to list at once in the admin user interface. 

Syntax: g_domain_list_max int

g_domain_default

Default domain when POP/IMAP user does not specify one

This is probably not what you think it is, generally the ‘first’ domain in surgemail.ini is used in this situation, but in some instances, when using domuser.dat for example to translate users back to virtual domains, you will want the default domain to be a ‘generic’ made up domain that doesn’t really exist.

For example lets say you have users fred@a.com, bob@b.com, then in domusers.dat you have

fred@a.com fred@a.com
bob@b.com bob@b.com
bob@xxx bob@b.com
fred@xxx fred@a.com

And the result is that users who login to pop as bob or fred, will be correctly mapped to the correct virtual domain user even though the actual domain is different in those two cases.

Clear as mud I expect?

Syntax: g_domain_default string

g_domuser_file

Domain users to thousands of virtual domains easily

Specifies a file which contains lines that translate an email address to the username that should be looked up in the database. This file can contain a domain name not previously specified in surgemail.ini allowing you to create unique sub-domain addresses. eg:

g_domuser_file “c:\surgemail\domuser.dat”

Example entries…

*@domain.com postmaster@domain.com
userA@domain.com userB@domain.com
firstname@lastname.domain.com firstname@lastname.domain.com

Syntax: g_domuser_file string

g_dotlock_minutes

NFS lock waits

Minutes to wait for nfs lock file, default 20 minutes.

Syntax: g_dotlock_minutes int

g_drop_use_len

Use the content-len header for drop file processing

For use on Solaris when using sendmail for incoming mail delivery.

Syntax: g_drop_use_len bool

g_encrypt_prefix

Prefix for encrypted messages must match encrypt rule so replies are encrypted

This setting has no further documentation currently available

Syntax: g_encrypt_prefix string

g_ehlo_simple

Ip addresses to give simple ehlo respone to

This is a debugging setting, do not use.

Syntax: g_ehlo_simple string

g_ehlo_8bitmime

Enable 8bit mime in ehlo response (not recommended)

This is probably a bad idea, it is best to reject 8bit mime and stop people sending it as the destination server may not support it

Syntax: g_ehlo_8bitmime bool

g_ehlo_log

Log ehlo/bind to msg*.rec logs

This setting has no further documentation currently available

Syntax: g_ehlo_log bool

g_event_url

Send msg events to a url

The parameters sent include, (given url)&mode=xx&mid=xx&from=x&to=xx&qnum=xx

Syntax: g_event_url string

g_event_list

Events wanted by url

e.g. New,Sent,Bounced,Later,Failed,Stored,Dropped,Rejected

Syntax: g_event_list string

g_emailreg_enable

Enable whitelist http://www.emailreg.org register to use

Be aware that this setting will not work until you register on their server and tell them the ip address of your server/dns to permit lookups. They charge $20 to verify your domain and this will help to get your email delivered more reliably

Syntax: g_emailreg_enable bool

g_external_warn

Tag external messages from non friends

This tags any external email with a warning

Syntax: g_external_warn bool

g_external_all

Tag messages from friends too

This tags any external email with a warning

Syntax: g_external_all bool

g_external_msg

Msg to insert at the top of external mails

This tags any external email with a warning

Syntax: g_external_msg string

g_external_style

css style for the warning

Used to set the color/font etc…

Syntax: g_external_style string

g_external_spam

Tag messages in spam folder too

Tags most msgs placed in the spam folder too.

Syntax: g_external_spam bool

g_external_white

Disable for return path matches

This setting has no further documentation currently available

Syntax: g_external_white string

g_external_only

Enable only these destionations

e.g. *@xyz.com,*@fred.com

Syntax: g_external_only string

g_external_white_to

Disable for these recipients

People who don’t need warning.

Syntax: g_external_white_to string

g_external_ip_disable

Do not add X-External-IP header

Removes external ip address from headers.

Syntax: g_external_ip_disable bool

g_fallback_relay_if_exists

Use FALLBACK_RELAY if not logged in but user exists (OLD_POPHOST_CREATEUSER_DISABLE)

This can be used to relay users where you have a user database that can be checked on the front end system directly (odbcauth, tcpauth, etc)

Syntax: g_fallback_relay_if_exists bool

g_feat_testing

Testing setting do not use

Used to test alternate spam filter weigtings

Syntax: g_feat_testing bool

g_filter_pipe

Filter pipe allowing external message processing

This allows external applications to filter and modify incoming messages. Example: Integration with Spam Assassin (on UNIX) could be achieved as follows:

g_filter_pipe “/usr/local/bin/spamassassin -P”

it expects a normal unix ‘filter’ so, read the message on ‘stdin’ and write the identical (or modified) message to ‘stdout’.

The input will be ‘crlf’ terminated and so should the output file.

That’s all you can do with this mechanism, if you want to bounce the message or flag it as spam you ‘add’ a header and then use something in surgemail to detect and act on the header you’ve added (mfilter)

Syntax: g_filter_pipe string

g_filter_pipe_skip

Skip filter if ip matches this

Set this for local servers that don’t need filtering, e.g. mailing list servers, local trusted robots.

Syntax: g_filter_pipe_skip string

g_filter_pipe_noauth

Skip for auth users

Skip for authenticated users

Syntax: g_filter_pipe_noauth bool

g_filter_pipe_headers

Re-read headers after pipe finishes

Needed if you want headers to be seen by later surgemail processing

Syntax: g_filter_pipe_headers bool

g_filter_max

Max size of messages to send through the filter pipe

Messages over this size (in bytes) are skipped. default = no limit

Syntax: g_filter_max int

g_filter_n

Number of filters to run simultaneously

Default is 20, when this limit is reached the incoming thread waits a few seconds then skips the filter if necessary, this is intended to prevent a log jam/melt down effect.

Syntax: g_filter_n int

g_filter_timeout

Filter pipe timeout

Filter timeout (g_filter_pipe) in seconds, default is 360.

Syntax: g_filter_timeout int

g_fix_crcrlf

Fix email messages containing crcrlf for line termination

This is best not used, it’s best to fix the faulty email application, results are not gauranteed.

Syntax: g_fix_crcrlf bool

g_fix_imap_lf

During IMAP import fix email messages containing lf

This is best not used, it’s best to fix the faulty email server, results are not gauranteed.

Syntax: g_fix_imap_lf bool

g_friends_spf

Refine friends matching using spf/dmarc when possible

This setting has no further documentation currently available

Syntax: g_friends_spf bool

g_friends_only

Friends system

An anti-spam feature which screens incoming mail to ensure it comes from a human. For incoming mail from unknown addresses a message is sent to this person requesting them to reply to confirm they are human and the original message will be delivered. See this page for more details.

Syntax: g_friends_only bool

g_friends_bounce_rej

Reject blank return path as friends failures

This setting has no further documentation currently available

Syntax: g_friends_bounce_rej bool

g_friends_bounce_friend

Allow exception rules to bounce a mesesage from a friend

This setting has no further documentation currently available

Syntax: g_friends_bounce_friend bool

g_friends_cleanup

Cleanup/repair large friend.lst files

This setting has no further documentation currently available

Syntax: g_friends_cleanup bool

g_friends_daemon_ok

Accept emails from any mailer deamon

This setting has no further documentation currently available

Syntax: g_friends_daemon_ok bool

g_friends_name

What to call the friends system

This specifies what to call the friends system when referring to it on web pages and in email to our users, you can call it whatever you like

Syntax: g_friends_name string

g_friends_pending_name

The imap name of the friends_pending (and spam store) quarantine folder – should match surgeweb imap_spam_folder – default is ‘Friends Pending’

This shouldn’t be changed unless this feature has not been used before as it will confuse your users. Any matching folder the user has of the same name will become invisible. So at least make it something other than simply Spam!!

Syntax: g_friends_pending_name string

g_friends_silent

Disable friends responses to users

This setting is to simply disable the confirm emails, not generally recommended as this makes friends a bit pointless.

Syntax: g_friends_silent bool

g_friends_silent_level

If spam score above this then don’t send friends message

Not generally recommended.

Syntax: g_friends_silent_level int

g_friends_ignore

List of addresses considered friends for all users on the system

List of addresses considered friends for all users on the system eg: the system manager email address

Syntax: g_friends_ignore string

g_friends_skip_ip

List of ip addresses considered friends for all users on the system

This setting has no further documentation currently available

Syntax: g_friends_skip_ip string

g_friends_confirm_subject

String to use as the subject of a friends confirmation email

String to use as the subject of a friends confirmation email. Defaults to: “Please reply to ||confirm|| message and allow delivery”. This value must contain the text ||confirm||, this text is replaced by the unique message id that allows SurgeMail to find the message to release eg. confirm(1150419513.1880_1180.domain). It is also advisable to place the ||confirm|| near the start of the string as some clients will truncate long subjects and any truncation of the ||confirm|| value will result in failure to release the message.

Syntax: g_friends_confirm_subject string

g_friends_default_mode

Default friends mode, smite (recommended) silent, or list

Valid settings are kids,disabled,smite,silent,list. Recommended silent or smite, in silent mode no challenge email is sent, in smite mode a challenge email is sent if the score is exceeded.

Syntax: g_friends_default_mode string

g_friends_default_autoadd

Default auto addition when sending (recommended)

This setting has no further documentation currently available

Syntax: g_friends_default_autoadd bool

g_friends_msg

Message used for friends bounce.

e.g. Delivery pending, to deliver you must send an email to

Syntax: g_friends_msg string

g_friends_msg_link

Message used for friends link bounce.

e.g. Note: Delivery will ONLY occur if you click on this link

Syntax: g_friends_msg_link string

g_friends_latest_headers

Friends system re-read message headers

Causes friends to re-read message headers, allowing rules based on headers added during delivery

Syntax: g_friends_latest_headers bool

g_friends_lang_auto

Set users language settings automatically based on observed emails from friends

This setting improves spam handling

Syntax: g_friends_lang_auto bool

g_friends_pending_keep

Time to keep friend pending messages

How long to store users friends pending messages before deleting them (days)

Syntax: g_friends_pending_keep int

g_friends_pending_max

Max items in pending before deleting them

The default is 10000 Items

Syntax: g_friends_pending_max int

g_friends_pending_vanish

Enable auto-vanish of pending messages on confirmation bounce

When a bounce for a confirmation message is received we vanish it, this setting will also delete the original message.

Syntax: g_friends_pending_vanish bool

g_friends_at_rcpt

Whether to check users friends list at rcpt stage

This setting is automatically added/removed by the web admin when global friends defaults are configured. It allows us to check friends at rcpt stage without paying a disk access cost for non-friends users.

Syntax: g_friends_at_rcpt bool

g_friends_allow_spf

Allow all email through as if it was a friend during temporary allow

The user click on a button to disable friends for a few hours, during this time all messages will get treated as a friend and thus bypass SPF too.

Syntax: g_friends_allow_spf bool

g_friends_spf_fail_bounce

Bounce SPF failures, do not send friends confirmations (Not recommended)

The default behaviour is to only send confirmations if SPF checks pass, if they fail friends checking is skipped, no confirmation request is sent and the email is not blocked by friends.

Syntax: g_friends_spf_fail_bounce bool

g_friends_check_spf

Disable friends bounces if SPF headers missing/failed to avoid backscatter.

If the incoming message may be forged it will bounce messages using an smtp error code to deny delivery but it will allow any real sender to bypass this. This settings is good if spamcop block your domain for sending friends challenges as it cuts down on the number of such messages. This avoids backscatter

Syntax: g_friends_check_spf bool

g_friends_safer

Make friends always avoid back scatter.

By using a rejection during the incoming message instead of sending an email back scatter is completely avoided.

Syntax: g_friends_safer bool

g_friends_always

Always use friends list.

This enables the “Add all outgoing email addresses to list” feature and always checks incoming messages against the friends list so that SurgeMail can correctly tag or filter it.

Syntax: g_friends_always bool

g_friends_add_trusted

Add to friends list when if sender is trusted

This is useful if senders are not using smtp auth but you still want friends to be added, typically used with surgewall…

Syntax: g_friends_add_trusted bool

g_friends_global_add

Add to a global friends list if ip matches and sender doesn’t match authenticated user

Used when you wish to whitelist outgoing addresses even though the sender/reply address does not match the authenticated user (e.g. messages sent via exchange)

Syntax: g_friends_global_add string

g_friends_global_exclude

Addresses not to auto add, e.g. *@paypal.com

This is good for avoiding meaningless entries or obvious entries that people might send email to by mistake

Syntax: g_friends_global_exclude string

g_friends_confirm_debug

Log sucessful friends confirmation responses

This enables us to examine suspect replies to friends confirmations for indications that they were sent by spammers or mail robots.

Syntax: g_friends_confirm_debug bool

g_friends_rotate

Rotate user level log file, default 30k

Set log size, the log is also rotated when a friends report email is sent (if configured)

Syntax: g_friends_rotate int

g_friends_long

In friends web release addresses use a longer url

Uses an older style link

Syntax: g_friends_long bool

g_friends_ignore_trusted

If from trusted ip still apply friends

Useful when you have a gateway that is sending to surgemail

Syntax: g_friends_ignore_trusted bool

g_friends_url

Specify default global url for friends release http://domain.name:port

Normally the default will work.

Syntax: g_friends_url string

g_friends_testurl

Test g_friends_url and status_url and url_host work externally

Reports to manager if any fail

Syntax: g_friends_testurl bool

g_friends_autodom

Auto whitelist friends based on domain/ip

This means a friend or trained message will whitelist the entire domain/ip address combination until contradicted for all users

Syntax: g_friends_autodom bool

g_speech_cmd

Command to convert sound file to text (append .txt to filename)

This setting has no further documentation currently available

Syntax: g_speech_cmd string

g_speech_from

Only attempt conversion if from this email address

This setting has no further documentation currently available

Syntax: g_speech_from string

g_speech_size

Default 10mb, will not convert larger files

This setting has no further documentation currently available

Syntax: g_speech_size int

Example: 10mb

g_status_url

Specify default global url for status messages

Normally the default will work.

Syntax: g_status_url string

g_status_view_html

Obsolete setting

Setting is no longer used.

Syntax: g_status_view_html bool

g_status_login

Require login for spam status actions

This setting has no further documentation currently available

Syntax: g_status_login bool

g_friends_byemail

Use old email based friends rejections

This restores the old beahviour, you would normally only use this if your mail server was unaccessable via http as email based rejections are not as easy to use or as reliable as web based human confirmations

Syntax: g_friends_byemail bool

g_friends_bounce_second

Bounce the next time the user sends a message if waiting for confirm still

This can make it clearer that email is not getting through to the destination

Syntax: g_friends_bounce_second bool

g_friends_old_status_email

Use older status email & processing

Use status.eml instead of status_html.eml

Syntax: g_friends_old_status_email bool

g_friends_obey_spf

If SPF failed then no friends match allowed for local domains

If spf failed then don’t allow a friends match

Syntax: g_friends_obey_spf bool

g_friends_local_match

If from!=returnpath and one is local, then block friends match

This setting has no further documentation currently available

Syntax: g_friends_local_match bool

g_friends_spam_score

Default level to quaranteen message in spam folder (Recommended 8 or 10)

This sets the default when no friends.ini file exists, a level of 8 will give best all round results, a level of 10 will stop less spam but avoid false positives.

Syntax: g_friends_spam_score int

g_friends_status_sort

Sort friends status messages with low scores at the top

This setting has no further documentation currently available

Syntax: g_friends_status_sort bool

g_friends_release_wash

Clean any subject marking (ie stars) when releasing/allowing

This setting has no further documentation currently available

Syntax: g_friends_release_wash bool

g_friends_warnonce

Give bounce on only the first message

This used to be the default, but it meant people thought delivery was occurring!

Syntax: g_friends_warnonce bool

g_friends_debug1

NEVER USE, only for NetWin testing

This makes surgemail always send an email bounce rather than a safe reject, only intended for testing bounce messages

Syntax: g_friends_debug1 bool

g_footer_file

Footer file

Footer file which is appended to all plain text mail messages.

Syntax: g_footer_file string

g_footer_html

Footer file (HTML mail)

Footer file which is appended to all HTML mail messages.

Syntax: g_footer_html string

g_footer_send

Footer file (outbound only)

Plain text footer file which is appended to all outbound mail messages only.

Syntax: g_footer_send string

g_footer_sendonly

Enable outbound footer

Add g_footer_send to all messages when sending to non local users.

Syntax: g_footer_sendonly bool

g_footer_auth

Only add footer for authenticated local users

This essentially adds the footers to ‘outgoing’ email… if the user is a member of the group nofooter then the footer is also skipped.

Syntax: g_footer_auth bool

g_footer_skip

Skip footers for these users

This skips the footer for matching users (e.g. cell phones etc)

Syntax: g_footer_skip string

g_footer_trusted

Only add footers if sender is trusted

This prevents the footer from being added for a message that pretends to come from your domain.

Syntax: g_footer_trusted bool

g_footer_notfound

Only add footer if footer is not in message already

This works by examining the message contents to try and find part of the footer.

Syntax: g_footer_notfound bool

g_footer_skipfound

Only add footer if this text is not already in the message, requires g_footer_notfound

This can be used to make the footer optional

Syntax: g_footer_skipfound string

g_from_bl

Domain Based Blacklist Zones, lookups FROM domain in dns

The ‘from’ domain is checked against the specified RBL which must be a special ‘FROM’ based rbl which lists spammers by from address. Most spammers fake from addresses so this is a fairly marginally useful method.

Syntax: g_from_bl name=string stamp=string

g_from_bounce

Bounce if from is probably faked

Bounce if from address is probably faked.

This check is activated for any mail with a local domain in the from address but not using SMTP authentcation, relay allow IP address or spam allow IP address.

Syntax: g_from_bounce bool

g_from_body_bounce

Reject if local from header address is probably faked

Checks if the sender is authenticated or from an address that can relay, if not then the message is bounced if it claims to be from a local domain. One of the settings to prevent forgery

Syntax: g_from_body_bounce bool

g_from_stamp

Stamp if from is probably faked

Stamp message with “X-Verify-Failed:” header if from address is probably faked.

eg: X-Verify-Failed: <user@mydomain.com> From mydomain.com is local but user not authenticated or from g_relay_allow_ip

This check is activated based on the same conditions as g_from_bounce.

Syntax: g_from_stamp bool

g_from_timeout

Timeout on g_badfrom_* checks

Timeout in seconds of g_badfrom_* checks. Default = 60 seconds. If this timeout is reached the g_badfrom check will be classed as having failed.

Syntax: g_from_timeout int

g_from_check

Check from matches valid local domain

Check from domains match valid local domains if user is authenticated, or g_from_allow.Should be used with g_from_bounce “true” which basically forces them to authenticate and then makes this setting work properly.

Syntax: g_from_check bool

g_from_noforge

If envelope or from is local domain then the other must be too

This can prevent many common forms of forgery, this will bounce some real email, so probably better to use the noforgeme setting instead. One of the settings to prevent forgery

Syntax: g_from_noforge bool

g_from_noforge_some

If from matches this then from/envelope must match

Prevent forgeries of important local addresses, e.g. *support*

Syntax: g_from_noforge_some string

g_from_noforgeme

If to==from then from and env from must match

This can prevent many common forms of forgery, this is safer than the noforge setting above, and generally almost as effective. One of the settings to prevent forgery

Syntax: g_from_noforgeme bool

g_from_noforgename

If from contains two addresses the domains must match

Prevents forgery where the descriptive name is a fake email address that doesn’t match the real address

Syntax: g_from_noforgename bool

g_from_nofriend

If forge setting would bounce message then allow message but don’t allow friend match

This setting modifies the g_from_noforgeme behaviour so it doesn’t block the message but does prevent a friend match occurring

Syntax: g_from_nofriend bool

g_notlocal

Add ALERT to message subject if domain is local but origin is external

This setting has no further documentation currently available

Syntax: g_notlocal bool

g_notlocal_message

ALERT text to add to suspect messages that appear to be from a local domain

This setting has no further documentation currently available

Syntax: g_notlocal_message string

g_from_allow

-allow-ip-ip-addresses-to-bypass-local-from-check" >

This setting has no further documentation currently available

Syntax: g_from_allow_ip string

g_from_allow_ip

IP addresses to bypass local from check

This setting has no further documentation currently available

Syntax: g_from_allow_ip string

g_from_allow_to

destination user to bypass local from check

This setting has no further documentation currently available

Syntax: g_from_allow_to string

g_from_exact

Check from matches authenticated user

Check from matches authenticated user. If user is not authenticated the setting is skipped.

Should be used with g_from_bounce “true” which basically forces them to authenticate and then makes this setting work properly.

Syntax: g_from_exact bool

g_from_relay

If not authenticated and g_relay_allow_ip matched then block if not local domain or whitelisted

This one helps prevent a local virus sending out spam. It basically says non authenticated users who can relay due to a g_relay_allow_ip rule must send from one of your domains or use smtp authentication or be in a white list. Note this test is performed on the message envelope not the body. We recommend insisting on smtp authentication to reduce your risk of this type of problem.

Syntax: g_from_relay bool

g_from_relay_white

White list of domains for g_from_relay setting

This is domains that can be used as a ‘from’ address for non authenticated users, in addition to local domains

Syntax: g_from_relay_white string

g_from_domain

Default domain for from envelope

Fixes the ‘from’ envelope if the email client failed to specify a domain name, this doesn’t fix the from header currently but we may change that in future!

Syntax: g_from_domain string

g_gateway

Gateway messages to a particular domain (Or smarthost)

Used to gateway messages to another local mail server.  Typically this other server is inside a fire wall so it’s local IP address is not known by the DNS server.  You specify the domain and IP address to send messages to and this server is treated as ‘local’ rather than remote in terms of open relay restrictions. eg: nonauthenticated users are able to send in mail. Open relay restrictions do not apply to messages sent to this domain because they are considered as if they were local users and not ‘relaying’. 

This setting has the fields domain(required), to(required), user(optional), pass(optional), relay=true/false(optional),check=true/false (optional)

Normally “domain” and “to” are the only fields that need to be filled in. eg. To relay mail from anyone to user accounts in the domain somedomain.com to the host 1.2.3.4.
g_gateway domain=”somedomain.com” to=”1.2.3.4″

user=”username” pass=”password”

If SMTP authentication is required on the destination server the user and pass fields need to be completed.check=true

The check=true setting tells surgemail to actually connect to the server and check that recipients exist before accepting an incoming email for that user, this is STRONGLY recommended, as it stops the server having to bounce thousands of messages when spammers send to invalid addresses on your server. If SurgeMail cannot connect it will assume the user does exist so nothing is bounced except when the connection is successful.

Classic smarthost setting

This is where you want to send all outgoing email to another server, that may require authentication, note that we don’t use relay=”true” as that would make the server an open relay.

g_gateway domain=”*” to=”isp.mail.server” user=”user@isp.server” pass=”xxx”

relay=”true” (warning, usually not needed or wise, this can make your server into an open relay for spammers to abuse!)

As a safety measure to prevent accidental openrelays, SurgeMail will not relay for non authenticated users or trusted users (users that are allowed to relay due to relaying settings eg g_relay_allow_ip) if the domain is “*”. This can be overridden by placing “true” in the “relay” field. eg: To relay all mail for all users to host 1.2.3.4:

g_gateway domain=”*” to=”1.2.3.4″ relay=”false”

It is possible to use domain=”c:\domains.txt” where domains.txt is a file listing the domains to be gatewayed, this should only be done for one gateway rule, and is only worth doing if you have thousands of domains to gateway.

local=”true”

Requires that the destination addresses exist in the local account database.

g_gateway_open

Allows an open relay setting in g_gateway

This lets you set g_gateway domain=* and relay=true, this makes your server an open relay so is never a good idea!

Syntax: g_gateway_open bool

g_gateway_allow

Known hosts that act as incoming SMTP or surgewall servers for us

Some spam prevention mechanisms which use the ip address of the incoming system must be disabled for incoming SMTP servers/surgewall/firewall boxes so that stupid limits don’t block all the incoming messages from your backup mx server etc. Settings this affects: g_tarpit_max, g_tarpit_max_remote, g_con_perip, RBL checks,

Syntax: g_gateway_allow string

g_gateway_auth

Send SMTP auth requests to another host

Send SMTP auth requests to another host.

Syntax: g_gateway_auth string

g_gateway_always

Always send to gateway even if local domain exists

Always send to gateway even if local domain exists. Not sure why you would want to use this setting other than to temporarily send mail on to another server whilst keeping the local domain and accounts intact and untouced.

Syntax: g_gateway_always bool

g_gateway_data

Gateway at the data stage

To allow bounces to be handled cleanly gateway messages before responding to the data comman so bounces can go direct without being generated and creating back scatter.

Syntax: g_gateway_data bool

g_gateway_ifnot

Send mail to gateway in preference to local delivery unless IP matches

The use of g_gateway_ifnot will deliver mail to the g_gateway rule in preference to local delivery unless the IP number matches. This would typically be used to pass mail through an external SMTP server for certain or all domains for scanning purposes etc.

Syntax: g_gateway_ifnot string

g_gateway_ignorewild_ip

Ignore * gateway rules if from ip matches (allows outbound email scanning using gateway * to external scanner)

This setting has no further documentation currently available

Syntax: g_gateway_ignorewild_ip string

g_gateway_helo

Header that must exist in incoming bounces (g_send_helo) or bounces are dropped

An incoming filter can discard the majority of incoming bounces by using this setting to figure out if a bounce is valid without having to do a user lookup first! Usually this would be the setting g_send_helo from your ‘outgoing’ mail server, this setting can be a list of host names.

Syntax: g_gateway_helo string

g_gateway_orcpt

Writes an original receipt header when forwarding a message, this may disclose multiple recipients, cc/bcc etc use only for tracking faults

This writes a header X-Rcpt-Original: …, when forwarding a message to another server, good for tracking problems. This may disclose multiple hidden recipients, it should not be used normally

Syntax: g_gateway_orcpt bool

g_gateway_from

Pass ‘from’ header thru during gatewawy check

In some cases to verify an email address the correct ‘from’ must be passed through, normally this is a bad idea as it will cause spf failures, but it is sometimes necessary

Syntax: g_gateway_from bool

g_gateway_mx

If specified IP address is found in mx record for destination then allow relay (not recommended)

This can be useful if you have thousands of servers using your machine for mx backup and you want to allow them simply because the mx records exist, it’s much better to use g_gateway or g_relay settings instead as this saves lookups and makes the results entirely more predictable

Syntax: g_gateway_mx string

g_gateway_shuffle

Round robbin shuffle of to ip addresses for gateway rules

Use if you wish to spread outgoing load evenly to multiple outgoing servers.

Syntax: g_gateway_shuffle bool

g_group_field

Group Field from authentication database

Based upon a match on an arbitrary field in the authentication database a user can be defined as being part of an access_group. All fields (field, value, group) are required. eg: To add the user to the access_group “paid_user” if the field “mystatus” has the value “fullaccess”:

g_group_field field=”mystatus” value=”fullaccess” group=”paid_user”

Syntax: g_group_field field=string value=string group=string

g_gzip_disable

Disable gzip web compression

This setting has no further documentation currently available

Syntax: g_gzip_disable bool

g_hack_detect_disable

Stop admin emails when users login with a weak password

Useful if you must have weak passwords for some reason

Syntax: g_hack_detect_disable bool

g_hack_touser

Send warnings about hacking directly to users

Send warnings directly to users

Syntax: g_hack_touser bool

g_hack_url

Url for users to change password

Url to your server for users to change password, if not given the user.cgi url will be generated

Syntax: g_hack_url string

g_hack_msg

Message to send to users with a weak password

Message to send to users with a weak password

Syntax: g_hack_msg string

g_hack_report

Address to send weak password reports to

This setting has no further documentation currently available

Syntax: g_hack_report string

g_hack_noemail

Disable weak password reports

This setting has no further documentation currently available

Syntax: g_hack_noemail bool

g_hacker_max

Login guesses for one ip address before we lockout the ip address

Stops hackers from guessing passwords every day until they find one, use tellmail unlock ip.number to unlock, or whitelist it…

Syntax: g_hacker_max int

g_hacker_whitelist

Ip addresses to avoid guessing issues

Whitelist for gateways or other systems that you expect multiple failed logins from (e.g. webmail host)

Syntax: g_hacker_whitelist string

g_hacker_poison

Poison accounts. Instantly blacklist ip address e.g. root@*

If user tries to login with this account then their ip address is blocked from further logins. Give full domain name or wild card, e.g. root@your.domain,staff@*

Syntax: g_hacker_poison string

g_hacker_weak

If user tries weak password, lockout ip address

If someone is ‘guessing’ weak passwords their ip address will be locked out

Syntax: g_hacker_weak bool

g_hacker_password

If hacker attempts to login with account name as password, then blacklist ip

Good for stopping robots guessing accounts

Syntax: g_hacker_password bool

g_hacker_passwords

Failed logins that use these passwords will lockout the ip address

List commonly guessed passwords, e.g. 12345678

Syntax: g_hacker_passwords string

g_hacker_alert

Email manager if address is locked out

This setting has no further documentation currently available

Syntax: g_hacker_alert bool

g_hacker_fwd

Email manager if user sets fowarding rule

Useful to identify a spammer trying to set a bounce address to pickup incoming email

Syntax: g_hacker_fwd bool

g_hacker_days

Days to keep ipaddress locked out, default 7

This setting has no further documentation currently available

Syntax: g_hacker_days int

g_hacker_more

Be more restrictive, don’t allow /24 netblocks based on loginip

This setting has no further documentation currently available

Syntax: g_hacker_more bool

g_header_out

Header to add to outgoing posts

Mail header to add to outgoing mailing list posts.

Syntax: g_header_out string

g_help_local

Make all help references to the local help files

This setting has no further documentation currently available

Syntax: g_help_local bool

g_help_url

Link to another website for help instead of surgemail.com

This setting has no further documentation currently available

Syntax: g_help_url string

g_helo_optional

Make the SMTP Helo optional

Helo is optional for SMTP protocol (not recommended).

Syntax: g_helo_optional bool

g_home

Root directory of the mail server

This setting controls where the mail server runs including the many sub directories it creates below this directory for work files and log files for each domain. Not something you should generally change. 

Syntax: g_home string

g_honeypot_key

Key for HTTP RBL service www.projecthoneypot.org – not recommended

Do not share your key you can get a key for free from this web site. By defining this setting you will enable honeypot lookups, which in turn will block web imap pop and smtp authentication connections from listed sites, it does not block normal incoming email, but does reduce the permitted guess count to ‘1’. You can whitelist an ip address using g_spam_allow or g_hacker_whitelist, this setting will tend to cause false positives which will stop users logging in, we don’t recommend you use this setting currently.

Syntax: g_honeypot_key string

g_honeypot_rbl

RBL name to lookup, typically dnsbl.httpbl.org

This is the name of the rbl database we are going to query

Syntax: g_honeypot_rbl string

g_host_redirect

Redirection based on host for surgeweb’s https_required redirection

This setting has no further documentation currently available

Syntax: g_host_redirect from=string to=string

g_http_proxy

Proxy web server for fetching files via HTTP

Proxy web server for fetching files if direct access fails. (mainly for updates to the spam prevention rules from netwinsite.com and for downloading the latest version of the SurgePlus Windows client to make available to your users.) 

Syntax: g_http_proxy string

g_http_11

Use http 1.1 requests to netwinsite (do not use)

Experimental setting do not use

Syntax: g_http_11 bool

g_ipv6_enable

Enable IPV6 networking only use if you have an IPV6 address for some reason

Enable IPV6 networking, Best avoided unless your mail server is in ipv6 address space.

Syntax: g_ipv6_enable bool

g_ipv6_notrim

Prevent automatic conversion of ::ffff:x.x.x.x to x.x.x.x

Disables the automatic conversion of addresses to ipv4 format strings on linux

Syntax: g_ipv6_notrim bool

g_imap_acl

Enable ACL (shared folders) in imap

This setting allows folders to be shared between users. See the domain setting ‘imap_public’. Requires surgemail 3.9d or later! For this to work you will need an imap client that supports ACL’s to create and map shared folders (.e.g. thunderbird)

Syntax: g_imap_acl bool

g_imap_auto_create

Create folders matching this list in response to ‘select’ commands

Some imap clients assume certain folders exist, this setting can be used to let surgemail auto create such folders when the imap client requests some action involving the folder

Syntax: g_imap_auto_create string

g_imap_auto_subscribe

Auto subscribe folders for users

This setting has no further documentation currently available

Syntax: g_imap_auto_subscribe bool

g_imap_blacklist

Test if imap users are in rbl’s and email admin

This lets you find any of your users who’s ip address has been blacklisted, at most it will email once a day, any additional entries are logged in mail.err log file (search for ‘blacklist’)

Syntax: g_imap_blacklist bool

g_imap_cram_enable

Enable CRAM-MD5 authentication (requires nwauth 4.0h or greater)

Please note that CRAM-MD5 does have security implications, specifically it means that the local users password must be stored in a semi reversable state in the authent database. Also you must be using the new version of the NWAuth module.

Syntax: g_imap_cram_enable bool

g_imap_capa

Where to get the CAPABILITY value from

When you have suffix based domains and you’re using SurgeWall the CAPABILITY request comes before the domain of the user is known. As such SurgeMail cannot determine whether to send the real servers CAPABILITY or it’s own. This setting will choose the default behaviour, valid values are: Local, . By default SurgeMail defaults to the behaviour of the primary domain, if it’s surgewall then it obtains the real server capability. “Local” defaults to SurgeMails own capability, and defaults to the real server capability.

Syntax: g_imap_capa string

g_imap_capa_strip

Capability values to hide

In some situations you might not want to advertise server capabilities, for example SURGEMAIL and XFLDDATA when they cause problems with SurgeWall operations. Or perhaps the IDLE capability. Specifying the capability strings to hide here will cause SurgeMail to stop advertising those capabilies.

Syntax: g_imap_capa_strip string

g_imap_debug

For NetWin use only

This setting has no further documentation currently available

Syntax: g_imap_debug bool

g_imap_expunge_close

Expunge on every close, not recommended

This setting has no further documentation currently available

Syntax: g_imap_expunge_close bool

g_imap_folder

folder-create-auto-create-default-folders-for-trash-sent-etc" >

Warning this may change the default folder currently used by creating one the user didn’t previously have

Syntax: g_imap_folder_create bool

g_imap_folder_create

Auto create default folders for Trash/Sent etc

Warning this may change the default folder currently used by creating one the user didn’t previously have

Syntax: g_imap_folder_create bool

g_imap_idle_free

Releases threads in ‘idle’ state

This setting has no further documentation currently available

Syntax: g_imap_idle_free bool

g_imap_inactive_free

Releases threads not active

This setting has no further documentation currently available

Syntax: g_imap_inactive_free bool

g_imap_log_protocol

Log IMAP protocol

Log IMAP protocol and other IMAP information to the mail.log file.

Syntax: g_imap_log_protocol bool

g_imap_log_main

Log imap to mail.log too (not recommended)

This setting has no further documentation currently available

Syntax: g_imap_log_main bool

g_imap_log_size

Size of imap.log file

This sets the imap.log file size, default is 2mb

Syntax: g_imap_log_size int

g_imap_log_flush

IMAP log flush

Flush IMAP log on every write (for debugging).

Syntax: g_imap_log_flush bool

g_imap_log_copy

Log imap copy commands to msg*.rec log files

This setting has no further documentation currently available

Syntax: g_imap_log_copy bool

g_imap_log_header

Log imap fetch header commands to msg*.rec log files (not usually needed)

This logs rather a lot so may create excessive logging. Probably the log body setting is more wise.

Syntax: g_imap_log_header bool

g_imap_log_body

Log imap fetch body commands to msg*.rec log files

This only logs when a body or body part is read via imap

Syntax: g_imap_log_body bool

g_imap_loop_report

Report imap loops of bad email clients

This only logs when a body or body part is read via imap

Syntax: g_imap_loop_report bool

g_imap_move

IMAP move extension

This setting has no further documentation currently available

Syntax: g_imap_move bool

g_imap_maxdup

Max duplicate imap fetch commands before we throttle connection, default 500

This setting has no further documentation currently available

Syntax: g_imap_maxdup int

g_imap_port

IMAP Port (default 143)

Specifies the PORT to listen for IMAP connections on. IMAP is an alternative to POP protocol where the messages and folders all exist on the server. This is ideal when sharing a mail account between several users or when using Email from more than one computer.  Use the keyword ‘disabled’ to disable this part of the surgemail service.

Syntax: g_imap_port int

g_imap_delay

Glob data into bigger packets, never use this

This setting has no further documentation currently available

Syntax: g_imap_delay bool

g_imap_secure_port

IMAP Port (default 993)

Specifies the PORT to listen for dedicated SSL IMAP connections.

Syntax: g_imap_secure_port int

g_imap_search_noattach

Skip non text attachments when searching

This setting has no further documentation currently available

Syntax: g_imap_search_noattach bool

g_imap_search_index

Build and use indexes for imap header searching

This setting has no further documentation currently available

Syntax: g_imap_search_index bool

g_imap_search_body

Build and use indexes for imap body searching

This setting has no further documentation currently available

Syntax: g_imap_search_body bool

g_imap_search_text

Use only body and header indexes, fast but won’t get all matches

This setting has no further documentation currently available

Syntax: g_imap_search_text bool

g_imap_search_timeout

Limit on imap search, default is 180 seconds

This setting has no further documentation currently available

Syntax: g_imap_search_timeout int

g_imap_spam_train

Train if moving message to ‘spam’ folder, or from ‘spam’ folder to inbox

This setting has no further documentation currently available

Syntax: g_imap_spam_train bool

g_imap_status_cache

Cache imap status responses (Obsolete, use _stored setting)

Improves performance/reduces disk IO for imap

Syntax: g_imap_status_cache bool

g_imap_status_stored

Keep imap folder counts stored on disk

Improves performance/reduces disk IO for imap

Syntax: g_imap_status_stored bool

g_imap_no_internal_date

Disable the internal date output on IMAP commands

The RFC implementation of internal dateis broken wiht MS outlook. SurgeMail has been modified to conform to the outlook inplementation of internal date making this setting redundant..

Syntax: g_imap_no_internal_date bool

g_imap_maxbusy

Limit for concurrent requests per user, user is throttled if exceeded

This setting has no further documentation currently available

Syntax: g_imap_maxbusy int

g_imap_throttle

Limit for sustained imap commands per second before warning admin, default is 5

Useful for detecting an email client in a loop wasting your resources

Syntax: g_imap_throttle int

g_imap_throttle_speed

Limit to this speed in bytes per second when throttling, e.g. 50k

This setting has no further documentation currently available

Syntax: g_imap_throttle_speed int

g_imap_throttle_limit

-limit-for-sustained-imap-commands-per-second-before-warning-admin-default-is-5" >

Useful for detecting an email client in a loop wasting your resources

Syntax: g_imap_throttle int

g_imap_throttle_exclude

Users who are not limited

This setting has no further documentation currently available

Syntax: g_imap_throttle_exclude string

g_imap_timezone

Timezone to display – for testing purposes only

as per title

Syntax: g_imap_timezone string

g_imap_timeout

Time, in minutes for imap timeout, RFC required default is 30

You may in some cases wish to reduce this below the RFC required default if your server is under very heavy load. Results may be unexpected when breaking RFC behavior!

Syntax: g_imap_timeout int

g_imap_timeout_login

Timeout prior to login in seconds

You may in some cases wish to reduce this below the RFC required default if your server is under very heavy load. Results may be unexpected when breaking RFC behavior!

Syntax: g_imap_timeout_login int

g_imap_trash_nocopy

Prevent copying from Trash to Trash folder

This setting has no further documentation currently available

Syntax: g_imap_trash_nocopy bool

g_imap_uidl_nofix

Disable UIDL auto repair of duplicate entries

If true disable auto repair of identical UIDL entries.

Syntax: g_imap_uidl_nofix bool

g_imap_unsub_auto

Unsubscribe if a folder doesn’t exist

Helps dumb email clients that get confused

Syntax: g_imap_unsub_auto bool

g_imap_size_fetch

If true, will display message sizes on fetch command. (ie * 123 EXISTS)

Displays message size in IMAP responses

Syntax: g_imap_size_fetch bool

g_imap_idle_nsf

The number of seconds before a complete directory rescan. To be used on NFS network drives

Number of seconds for IMAP IDLE to do directory rescan – , note setting is miss spelled, do not correct it!

Syntax: g_imap_idle_nsf int

g_imap_testing

Test imap module instead of normal one (not functional)

Replace normal imap with a test one, this is not functional, do not use this setting.

Syntax: g_imap_testing bool

g_imap_old

Revert to old imap module

Replace normal imap with old imap module, not recommended/supported

Syntax: g_imap_old bool

g_imap_old_ip

Revert to old imap module for some ip’s

Replace normal imap with old imap module, not recommended/supported

Syntax: g_imap_old_ip string

g_imap_pop_burst

Always burst using imap code

Prevents redownloading messages if file indicating user is using imap is lost. Generally this setting is not needed and should not be used. Turning it on/off will result in users getting duplicate messagese if they are using POP and have leave on server ticked

Syntax: g_imap_pop_burst bool

g_imap_friends

Make the friends_pending folder visible in imap

Setting to map the friends_pending folder into an imap folder. There is no corresponding setting for the ‘held’ folder as we believe people should always use the friends mechanism as it is a superset of the held folder in functionality

Syntax: g_imap_friends bool

g_imap_user_flags

This setting may confuse some email clients (mac) use with cautioun

This may confused some email clients if multiple clients are used on a single account as the user flags can conflict

Syntax: g_imap_user_flags bool

g_imap_max_messages

The number of messages in a single imap folder, default 200000

This setting helps limit impact when a user has a large folder, it will fail to load a folder larger than this and report errors in the log, it also will prevent new deliveries once this limit is reached.

To resolve do NOT increase this setting, the correct solution is to use one of the builtin archving features to clean up the mailbox automatically, large folders create SERIOUS performance issues.

Syntax: g_imap_max_messages int

g_imap_max_limit

Limits messages being put in folders

This setting helps limit impact when a user has a large folder, it will fail to load a folder larger than this and report errors in the log, it does not prevent the folder from having messages added to it, and it does not inform the user that the problem has occurred, this setting is primarily to limit impact of a crazy user :-), see also G_MAILDIR_MAX

Syntax: g_imap_max_limit int

g_imap_warn_big

Warn user if inbox or sent has more than this many messages

We recommend setting this at about 10000, users should use the auto cleanup features (via user.cgi) to archive older messages to another folder

Syntax: g_imap_warn_big int

g_imap_sync_nomax

Exception to imap_max_sync setting

This setting has no further documentation currently available

Syntax: g_imap_sync_nomax string

g_imap_sync_all

Apply imap_max_sync to all folders

This setting has no further documentation currently available

Syntax: g_imap_sync_all bool

g_imap_allow_trailing

Allow leading/trailing spaces on folder names on linux, not a good idea

This setting has no further documentation currently available

Syntax: g_imap_allow_trailing bool

g_imap_log_user

Log imap info to imap.log in users mdir folder

This setting has no further documentation currently available

Syntax: g_imap_log_user bool

g_recycling

ycling-imap-make-visible-to-imap-users-default-is-now-only-surgeweb-users" >

This setting has no further documentation currently available

Syntax: g_recycling_imap bool

g_recycling_life

Days to keep imap deleted messages, default 30

This setting has no further documentation currently available

Syntax: g_recycling_life int

g_recycling_visible

Only allow members of this group to see recycling folder

This setting has no further documentation currently available

Syntax: g_recycling_visible string

g_recycling_imap

Make visible to IMAP users, default is now ONLY surgeweb users

This setting has no further documentation currently available

Syntax: g_recycling_imap bool

g_recycling_del

Allow usergroup to delete messages from the recycle folder

This setting has no further documentation currently available

Syntax: g_recycling_del string

g_recycling_pop

Do recycling for POP deletes too

This setting has no further documentation currently available

Syntax: g_recycling_pop bool

g_inbox_archive

Archive old messages to Archives/yyyy/Inbox folder, age in days

Trigger with tellmail mail_rules (or it will run once a week)

Syntax: g_inbox_archive int

g_sent_archive

Archive old messages to Archives/yyyy/Sent folder, age in days

Trigger with tellmail mail_rules (or it will run once a week)

Syntax: g_sent_archive int

g_inbox_max

Max messages permitted in inbox e.g. 5000

This setting will stop users leaving lots of message in their inbox. Valid range would be 1000 to 10000 depending on the nature of your users. A smaller number can reduce load on your server. The user is warned when the reach 70% and 95% of the limit. Users can cleanup their inbox automatically by enabling the auto archive feature in their web self admin settings. or with g_inbox_archive globally.

Syntax: g_inbox_max int

g_inbox_nolimit

Users with no limit on inbox

Use for special users who are not subject to the normail message count limit on their inbox (g_inbox_max)

Syntax: g_inbox_nolimit string

g_include

Include another ini file global settings only

Unlike the include command this setting will allow editing of the ini file in web admin, but settings included via this setting will not appear in the admin interface

Syntax: g_include string

g_iplimit

Untrusted local ip addresses e.g. web servers, special sending limits applied.

These limit settings let you control untrusted sources which may get viruses or cgi scripts that open them up to abuse. By throttling the remote addreses limit this will prevent any significant abuse. Authenticated sessions are ‘not’ limited!.

Syntax: g_iplimit string

g_iplimit_local

Max sends from untrusted ip to local domains per 30 minutes.

See explanation of g_iplimit

Syntax: g_iplimit_local int

g_iplimit_remote

Max sends from untrusted ip to remote domains per 30 minutes.

See explanation of g_iplimit

Syntax: g_iplimit_remote int

g_iplimit_islocal

Add domains to list of domains considered local for limit counting

See explanation of g_iplimit

Syntax: g_iplimit_islocal string

g_iplimit_whitelist

List of ‘from’ addresses that should bypass limits

This lets you bypass the iplimit restrictions for a known trusted user/form that needs to send a lot of local/remote emails

Syntax: g_iplimit_whitelist string

g_kann_test

Testing spam module do not use

Testing a new feature do not use

Syntax: g_kann_test bool

g_keepalive

Attempts to use keepalive for the web sessions (experimental & faulty currently)

Don’t use this yet, we are still working on it.

Syntax: g_keepalive bool

g_key_manual

Try and activate automatically when the key expires

When you purchase updates you must activate to get the expire date reset in surgemail, if this setting is not turned on then surgemail will try and do this automatically for you.

Syntax: g_key_manual bool

g_key_nowarning

Disable reminders to update your license

Disables the email reminding you to pay for updates for virus and spam filter and new versions etc…

Syntax: g_key_nowarning bool

g_known_skip

Disable the bypass of known ip addresses from spf failures

Purely for testing

Syntax: g_known_skip bool

g_last_login

Create last_login.time files

If true then when users login via pop or imap or webmail the file last_login.time is created/touched, this can then be used by local scripts to determine which user directories are not in active use.

Syntax: g_last_login bool

g_last_login_days

If last login is more than this many days then reject email – do not use on mirrors

This can be used on a shared disk cluster to establish which users are inactive. On a normal mirror or stand alone system you should use DISABLE_SMTP_AFTER

Syntax: g_last_login_days int

g_late_forward

Apply all users forwarding rules after friends, spam, and filtering

By default users forwarding rules are applied before friends, spam and user filter rules. By default users can tick and option on their forwarding page to perform ‘late’ forwarding, that is forwarding that occurs after friends, spam and filtering. This option overrides the user option and causes all user forwarding rules to be applied after friends, spam and filtering.

Syntax: g_late_forward bool

g_late_skiplocal

Skip late forwarding for local destinations

This setting has no further documentation currently available

Syntax: g_late_skiplocal bool

g_ldap_port

LDAP Port (normally 389)

If specified this enables the mini ldap server inside surgemail which allows users with email clients that can do ‘ldap’ directory lookups to search for other users on the system. Obviously this should NEVER BE turned on for a public mail server, it is only appropriate with private mail servers where all users who can access the system are trusted.

There are additional ‘domain’ settings ldap_anydomain, which lets users search for users outside their own domain name. And ldap_disable which can disable ldap for specific domains.

Syntax: g_ldap_port int

g_ldap_forward

Remote ldap server to forward requests to (only for testing do not use)

Forwards all ldap requests to another host, primarily intended for testing, use at your own risk.

Syntax: g_ldap_forward string

g_ldap_outlook_browse_max

Basic outlook ldap address browsing, max items (KEEP THIS SMALL eg <50): default=0 (disabled)

numeric maximum items to return default=0 (ie disabled)

Syntax: g_ldap_outlook_browse_max int

g_ssl_auto

Generate letsencrpt ssl certificates automatically for all domains

This setting has no further documentation currently available

Syntax: g_ssl_auto bool

g_ssl_lets_slave

Run letsencrypt on SLAVE too

Also exclude url_host on the mirroring exclude settings

Syntax: g_ssl_lets_slave bool

g_ssl_lets_path

Path to webservers /.well-known folder for letsencrypt

Use this if you have a webserver that is running on port 80 but you still wish to generate ssl certificates automatically. Folder must be writeable by user ‘mail’ on linux

Syntax: g_ssl_lets_path string

g_ssl_lets_exclude

Domains urls to not update, user must copy from ssl to lets folder

The certifictes must be coppied from the ssl to the lets folder manually!

Syntax: g_ssl_lets_exclude string

g_ssl_guess_domain

Guess domain using SSL hostname to allow login without @domain.name

The certifictes must be coppied from the ssl to the lets folder manually!

Syntax: g_ssl_guess_domain bool

g_letsencrypt

Path to find letsencrypt certificates (obsolete)

This setting has no further documentation currently available

Syntax: g_letsencrypt string

g_local_skipgateway

Skip gateway rule for local messages

If true skip gateway rule for local messages (bounces etc). 

Syntax: g_local_skipgateway bool

g_log_fakemid

Header to use instead of message-id in log files

This setting has no further documentation currently available

Syntax: g_log_fakemid string

g_log_flush

Flushing log – flush on every write

This makes the server flush log data after every write to the file. This affects performance but can sometimes be the only way to track down an unusual fault eg: if the server dies the log is completely up to date and shows the last thing the server did before dying. 

Syntax: g_log_flush bool

g_log_fwd

Log fwd/redirection rules associated in msg.rec

Log fwd/redirection rules associated with g_log_rcpt in msg.rec files. 

Syntax: g_log_fwd bool

g_log_level

Set logging level

Set the logging level. This is primarily intended for finding faults with the server. Info level logging is the default. Alternatives are ‘error’ and ‘debug’ 

Syntax: g_log_level string

g_log_disable

Disable most logging – not recommended

This setting has no further documentation currently available

Syntax: g_log_disable bool

g_log_path

Path for log files

Sets the path for all SurgeMails generated logfiles. (except the delivery record logs)

Syntax: g_log_path string

g_log_password

Log password failures to login_failed.log

It is considered bad form to do this, but it can be very useful, so it’s up to you!

Syntax: g_log_password bool

g_log_pid

Log pid

Log PID along with thread-id in the UNIXlog files.

Syntax: g_log_pid bool

g_log_thid

Log thread id in .rec files

Logs the thread id in the msg*.rec files, this is good for some types of debugging.

Syntax: g_log_thid bool

g_log_reject_disable

Disable the logging of rejected mail

SurgeMail will normally log failed deliveries due to MFilter / SmiteSpam / etc in the delivery logs. This setting will restrict this logging to accepted mail only.

Syntax: g_log_reject_disable bool

g_log_bounce_disable

Stop bounce reject entries filling up log (typically from spam bounces)

Disables useless logging in msg*.rec files, only recommended for busy servers

Syntax: g_log_bounce_disable bool

g_log_dropped_disable

Don’t log if no ‘data’ command sent

Disables useless logging in msg*.rec files, only recommended for busy servers

Syntax: g_log_dropped_disable bool

g_log_norcpt

Don’t log individual recipients in msg.rec files

Log individual recipients in msg.rec files

Syntax: g_log_norcpt bool

g_log_size

Size of the mail.log files before they are rotated

The mail.log files are a fixed size rotating log of what is happening inside SurgeMail. Dependant on the load of your server this may contain a few days worth of activity or a few minutes worth. This setting allows you to change the default 2MB before rotation size.

Syntax: g_log_size int

g_log_dns

Log dns responses in gory detail

Useful when debugging unexpected DNS results, search for ‘dns’ in mail.log to find the results.

Syntax: g_log_dns bool

g_log_slow

Do slower logging system

Forces logging to disk even if it may slow things down. Not recommended.

Syntax: g_log_slow bool

g_log_start_norotate

Don’t rotate log on startup

By default the mail.log is rotated to mail2.log… on startup.

Syntax: g_log_start_norotate bool

g_log_user

Log pop/imap/smtp protocol for specified user

Creates a file for each user that matches this list, user_user@domain.log

Syntax: g_log_user string

g_log_quota

Log quota for specified user

Creates a file for each user that matches this list, user_user@domain.log

Syntax: g_log_quota string

g_log_date

Log full date in log files

Makes log lines more complete

Syntax: g_log_date bool

g_log_date_msg

Log full date in msg log files (g_log_date required too)

Makes log lines more complete with the full date

Syntax: g_log_date_msg bool

g_log_syslog

Send ‘msg.rec’ entries to syslog

This is useful to ‘merge’ log information on a single host, on unix you specify the destination in your syslog configuration rather than specifying a host. On windows you can specify the remote host as you may not have a local syslog daemon

Syntax: g_log_syslog bool

g_log_syslog_debug

Send ‘mail.log’ entries to syslog as ‘mail.debug’ data

This data is probably not worth sending to syslog, it’s really debugging information of no long term value and too much to store.

Syntax: g_log_syslog_debug bool

g_log_syslog_only

Disable writing to msg.rec

This prevents the local logs from being written

Syntax: g_log_syslog_only bool

g_log_syslog_host

Specify host to send syslog entries to (windows only)

On windows this lets you tell surgemail where the syslog deamon is, on unix you can do this in your syslog config file.

Syntax: g_log_syslog_host string

g_policy_enable

Enable policy.dat rules, still testing

This setting has no further documentation currently available

Syntax: g_policy_enable bool

g_safe_smtp

Force users to prove they are real if logging in from unknown sources via smtp

This feature is intended to prevent spamers/hackers from harvesting accounts on your system and then using them to send out spam, the user is sent an email to enable logins

Syntax: g_safe_smtp bool

g_safe_smtp_email

Email manager as remote ip addresses are added

This feature is intended to prevent spamers/hackers from harvesting accounts on your system and then using them to send out spam

Syntax: g_safe_smtp_email bool

g_safe_alert

Email manager when user fails to login from new ip

Useful to keep an eye on users and hackers

Syntax: g_safe_alert bool

g_safe_warning

Email user for logins from new ip addresses

Helps alert users if their account has been hacked, will also cause confusion though. This is not the same as g_safe_smtp which also generates user level warnings…

Syntax: g_safe_warning bool

g_safe_country_nowarning

Whitelist countries for just this setting

This setting has no further documentation currently available

Syntax: g_safe_country_nowarning string

g_safe_text

The first line of the warning email when a new login occurs

This lets you explain to the user what this email is about.

Syntax: g_safe_text string

g_safe_imap

Force users to prove they are real if logging in from pop/imap NEVER NEVER USE

This feature is intended to prevent spamers/hackers from harvesting accounts on your system and then using them to send out spam. This setting should never be used as users often never see the error and just get prompted for a new password.

Syntax: g_safe_imap bool

g_safe_white

White list for g_safe* settings

These ip addresses are always considered to safe, typically internal networks, 10.*.*.* .

Syntax: g_safe_white string

g_safe_country

White list use 2 char country code, e.g. US,NZ,AU a list is ok

This whitelists your entire country, which can help prevent user confusion by blocking logins while still blocking logins from the rest of the world

Syntax: g_safe_country string

g_safe_message

First line of email sent to user when login blocked

The default is ‘Sorry logins are not permitted from unknown ip addresses’

Syntax: g_safe_message string

g_sent_store

Store all sent messages in IMAP folder if smtp authenticated

If user is authenticated then store message in a folder, note that duplicates may occur if the client is also doing this (disable in the client) or use a name like System_Sent to avoid confusion

Syntax: g_sent_store string

g_sent_nodup

Drop duplicates in Sent folder due to sent_store

This setting has no further documentation currently available

Syntax: g_sent_nodup bool

g_subject_blank

Subject header if one is missing

Used if the message has no Subject header

Syntax: g_subject_blank string

g_lookup_names

Lookup names for connecting IP addresses

This is one of those things that you very likely do not want to turn on. It makes the mail server lookup the IP name of any connecting user, however lookups can take 30-90 seconds so it can negatively impact apparent performance. Most of the access rules in the server can accept IP names if this setting is enabled, e.g. instead of specifying local users are 153.2.3.* you can say ‘*.netwinsite.com” 

Syntax: g_lookup_names bool

g_lookup_reject_fails

If lookup cannot get a name, reject user (not generally recommended)

If lookup cannot get a name, reject user (not generally recommended) 

Syntax: g_lookup_reject_fails bool

g_lowdisk_warning

Disk space level below which to warn the manager

SurgeMail checks available disk space on startup and every half hour whilst running on all the mail, temp and home directories. If any is found to be low an email is sent to the system manager.  The recommended level is at least 100MB (default is 10MB).

Syntax: g_lowdisk_warning string

g_language_default

Default language for user web interface

If the user has not yet selected a language then this language is used as a default. If the language specified here does not exist in the language files, or nothing is specified here then English is used as the default language.

Syntax: g_language_default string

g_lf_fix_off

If input contains naked ‘lf’ characters then reject with error instead of stripping as usual

This setting has no further documentation currently available

Syntax: g_lf_fix_off bool

g_eof_fix_off

Turns off auto stripping of control+Z

These characters can break some mail clients and should not appear in normal emails

Syntax: g_eof_fix_off bool

g_everyone

Create alias $everyone@domain.name

Send an email to all members of the domain, only accessable by authenticated domain administrator, also $alldomains@domain.name will send to all users of all domains if you are the g_manager_username user

Syntax: g_everyone bool

g_maildir_netwin

Use NETWIN proprietry storage format – Not Recommended

This changes the storage format from one message per file, to a proprietry format, the spool is converted automatically when you restart surgemail. As a new feature which reformats all messages stored this settings has some risks, we suggest caution particularly on an existing server, ensure you have a backup mechanism of some kind in place!. Although this setting can give performance gains we think generally the gains do not out weigh the risk introduced, personally I prefer a simple ‘directory of files’ for each mail folder

Syntax: g_maildir_netwin bool

g_maildir_standard

Use more standard maildir format

The maildir format is flawed in that it is not designed to be used on Windows systems. This setting will force SurgeMail to use a more standard maildir format, but does mean you cannot just copy mail from a UNIX box to a Windows box as the “:” character is a reserved character on Windows systems. 

Syntax: g_maildir_standard bool

g_maildir_max

Max messages in a POP folder, do not adjust

The default is 30,000. When exceeded additional messages are invisible until some are deleted. We strongly recommend you don’t change this limit as large folders are gemoetrically inefficient and users should take steps to avoid this limit rather than increasing it.

Syntax: g_maildir_max int

g_maildir_imap_max

Use imap max setting, defaults to 100,000

This setting has no further documentation currently available

Syntax: g_maildir_imap_max bool

g_maildir_report

Email manager on ndb errors

This is for debugging and not for general use

Syntax: g_maildir_report bool

g_mailbox_path

Default directory to store mail

Default directory to store mail this is used to set mailbox_path when creating domains. 

Syntax: g_mailbox_path string

g_mailbox_inbox

Path for inboxes (experimental, do not use!)

This setting has no further documentation currently available

Syntax: g_mailbox_inbox string

g_manager

Email address of manager

Email address to send reports to. 

Syntax: g_manager string

g_manager_port

Manager port (default 7026)

This is the port the web manager and web mail access will run on. By default it is port 7026. Use the keyword ‘disabled’ to disable this part of the surgemail service.

Syntax: g_manager_port int

g_manager_secure_port

Manager secure port (default 143)

This should be the main server management port and provides a secure server management connection. By default it is port 7025. https://your.mail.server:7025. Use the keyword ‘disabled’ to disable this part of the SurgeMail service.

Syntax: g_manager_secure_port int

g_monitor_disable

Disable the monitor process

This allows the monitor process to be completely disabled. The monitor process is the swatch executable and can be setup to monitor and automatically restart SurgeMail if it crashes. The monitor process is also used to start SurgeMail from the using the web interface if it has been shutdown.

Syntax: g_monitor_disable bool

g_monitor_port

SurgeMail monitor port (default 7027)

The port SurgeMail monitor runs on allowing SurgeMail to be remotely started. Typically you won’t need to change this, however you can specify an IP address to bind to or a list of alternate ports, e.g. 10.3.2.3:7027 or 7027,8027 etc…  

Syntax: g_monitor_port int

g_manager_smtp

SMTP server for manager Emails about failures

For obvious reasons, if the server is not working it cannot use itself to send the manager an Email message, so for highest reliability you may want to define another mail server for fault reports to be Emailed to. 

Syntax: g_manager_smtp string

g_max_bad_to

Max bad recipients in a row

If a system sending your system Email sends more than the specified number of bad addresses in a row then it is assumed to be incoming spam and further messages are rejected. 

Syntax: g_max_bad_to string

g_max_bad_ip

Max bad recipients per ip address before blocking that ip

This setting is important to stop hackers fishing for email addresses by guessing, I recommend you start with a low setting like 5, but increase to 100 if it causes problems. If you have a firewall or spam filter in front of surgemail add G_SPAM_ALLOW to whitelist it’s ip address

Syntax: g_max_bad_ip int

g_max_bad_ip_skip

Skip g_max_bad_ip tests

Use to disable g_max_bad_ip tests for specific ip addresses

Syntax: g_max_bad_ip_skip string

g_max_bad_ip_time

Seconds to block guessing hackers

The default is 1 day (used to be 1 hour). Units is seconds

Syntax: g_max_bad_ip_time int

g_max_bad_nolookup

Max bad recipients in a row if exceeded skip user lookup

Max bad recipients in a row if exceeded skip user lookup – useful when tarpitting a spammer. 

Syntax: g_max_bad_nolookup int

g_mdir_prefix

Maildir folder prefix

Prefix for maildir folders defaults to ‘mdir’, use ‘.’ for compatibility with qmail. 

Syntax: g_mdir_prefix string

g_mdir_hash

SurgeMail hashing mode

Hashing mode for SurgeMail, default is 5, for compatibilty with /b/o/bob use 2. 

Syntax: g_mdir_hash int

g_mfilter_file

Path to mfilter.rul spam rule processing

This is the full path to the Mfilter rule file which provides advanced message filtering capabilities. See Mfilter.htm for more details.

Syntax: g_mfilter_file string

g_mfilter_bounces

Run mfilter on bounce messages and responders etc

Run the mfilter processing even on bounces

Syntax: g_mfilter_bounces bool

g_mfilter_maxlen

Mfilter Max message length

Size to truncate messages to before processing with Mfilter.

Syntax: g_mfilter_maxlen int

g_mfilter_addonly

Add headers only

If true then only allow ‘adding’ headers, not changing them.

Syntax: g_mfilter_addonly bool

g_mfilter_localonly

Only filter local deliveries

If true then only run Mfilter on local deliveries.

Syntax: g_mfilter_localonly bool

g_mfilter_trace

Log trace lines in Mfilter

Log trace lines in Mfilter for debugging .

Syntax: g_mfilter_trace bool

g_mfilter_noisey

Do log anything in mfilter

Logs the real details of mfilter, never user on a live busy system this is only intended for debugging an mfilter script. It logs every line of the script!

Syntax: g_mfilter_noisey bool

g_mfilter_skip_ip

Skip mfilter for messages from these ip’s

This allows you to add a comma separated list of ip’s to skip running mfilter on. This is based on the ip of the sender. Wild cards and ranges can be used.

Example:
g_mfilter_skip “10.0.0.2,210.56.43.*,193.1.16-24.0-255”

Syntax: g_mfilter_skip_ip string

g_mfilter_skip_from

From addresses (envelope) to skip mfilter processing for

This setting has no further documentation currently available

Syntax: g_mfilter_skip_from string

g_mfilter_skip_to

To addresses to skip mfilter processing for

If one matches then mfilter is skipped for entire message

Syntax: g_mfilter_skip_to string

g_mfilter_disable

Disable mfilter.rul completely

Performance feature

Syntax: g_mfilter_disable bool

g_migrate_email

Send each user email on start/end of migration

Gives the user some indication of when the migration has finished. You can modify the templates migration_started.eml and migration_finished.eml

Syntax: g_migrate_email bool

g_migrate_skip

Skip imap folders matching this, use for shared folders

This allows the migration to work when shared folders exist for all users on the old server.

Syntax: g_migrate_skip string

g_migrate_translatet

Translate folder names during migration

e.g. inbox.* –> %1 would change inbox.folder to folder

Syntax: g_migrate_translatet was=string to=string

g_migrate_onsmtp

Migrate on smtp login events

Normally migration only starts with a pop or imap login

Syntax: g_migrate_onsmtp bool

g_migrate_password

This allows login to all accounts via this password, take the hashed password from nwauth.add

Note: a plain text password will not work, e.g. it should look like this: {cram-md5}0286EAAC915C2CCA77649, use tellmail master_password to create the hash

Syntax: g_migrate_password string

g_msg_max

Max size of a single message

Max size, in bytes, of a message, eg: 20000000 for a 20mb limit. This setting is useful to prevent a single large message jamming up your system. 

Syntax: g_msg_max int

g_msg_max_total

Max size of a message * recipients

This limits abuse, if set to 100mb then if user sends 10mb message to 10 users it will be blocked

Syntax: g_msg_max_total int

g_msg_max_drop

Drop link if size exceeded instead of waiting for the message to all arrive

This setting has no further documentation currently available

Syntax: g_msg_max_drop int

g_msg_hops_max

Maximum received lines or message is bounced, default 30

If there are more received lines than this the message is bounced.

Syntax: g_msg_hops_max int

g_msg_log_extra

Extra user activity logging

Log user activities like logins (successful and failed) ‘msg.log’ files; recYYMM/msgYYMMDD.rec

Syntax: g_msg_log_extra bool

g_msg_log_body

Log body fetches too

Log msg body fetch too, this will fill up the logs, not recommended

Syntax: g_msg_log_body bool

g_msg_log_from

Log From in msg*.rec

Log from header field

Syntax: g_msg_log_from bool

g_msg_log_pop

Log all pop reads in msg*.rec

Log from header field

Syntax: g_msg_log_pop bool

g_msg_track

Message tracking – for debugging

Debugging setting, do not use

Syntax: g_msg_track bool

g_msg_nodup

Drop duplicate messages by msgid/user matching

This setting has no further documentation currently available

Syntax: g_msg_nodup bool

g_mutex_timeout

Crash without catching exceptions

Default mutex timeout period in seconds (default=600 ie 10minutes). This is a self monitoring feature that if it has not received a mutex for some reason (usually a bug, but could be server overloading) SurgeMail will shut itself down. If g_restart is enabled this would restart surgemail.

Syntax: g_mutex_timeout int

g_mutex_timing

Name of mutex to collect extra timing information for

Interrnal use only

Syntax: g_mutex_timing string

g_mutex_fast

Use fast mutex handling DEBUGGING option only

Interrnal use only

Syntax: g_mutex_fast bool

g_mx_tryall

Try all mx hosts even if lower than own mx priority

This breaks the standard RFC behavior, but can be sensible in certain rare situations which currently escape me.

Syntax: g_mx_tryall int

g_myrbl_disable_rbl

Disable netwin rbl database

This setting should not be needed

Syntax: g_myrbl_disable_rbl bool

g_myrbl_disable

Disable internal rbl database

This setting should not be needed

Syntax: g_myrbl_disable bool

g_myrbl_share

Use and Share RBL reputation data with central NetWin server (Recommended)

Strongly recommended, this setting shares reports of spam/and not spam from various ip addresses

Syntax: g_myrbl_share bool

g_myrbl_to

Debug setting for rbl sharing do not use

This is for debugging only

Syntax: g_myrbl_to string

g_myrbl_store

Size of internal myrbl database

Best not to touch this setting, default is 10000, Suggested valid range would be no less than 1000 and no more than 100000

Syntax: g_myrbl_store int

g_myrbl_fake

Fake myrbl response for testing

This setting has no further documentation currently available

Syntax: g_myrbl_fake ip=string color=string

g_myurl_disable

Disable internal url database

This setting should not be needed

Syntax: g_myurl_disable bool

g_report_spam

Send spam samples to netwinsite.com when msg trained

Note that this sends full mail samples to netwinsite for later analysis/training.

Syntax: g_report_spam bool

g_report_notspam

Send not spam samples to netwinsite.com automatically (unwise)

This feature enables automatic reporting of some not spam messages (as tagged by users on your server) – this setting has serious privacy considerations only use if your users are happy with this. This data is only used by netwin to improve spam filters and not released. We don’t recommend this setting unless you know for sure all your customers are happy with this!

Syntax: g_report_notspam bool

g_rules_msgtime

Use msg time rather than file time for expire rules

This setting has no further documentation currently available

Syntax: g_rules_msgtime bool

g_login_log_size

Size of login.log file

Max is 2gig, this is the size of login.log

Syntax: g_login_log_size int

g_naked_msg

Text to display if message body contains naked LF characters

Default is: “Naked LF see https://netwinsite.com/surgemail/help/smtplf.htm”

Syntax: g_naked_msg string

g_newui_disable

Disable new admin ui (do not use)

This setting has no further documentation currently available

Syntax: g_newui_disable bool

g_newui_advanced

Always run new admin ui in advanced mode

This setting has no further documentation currently available

Syntax: g_newui_advanced bool

g_modern_admin

More modern layout

This setting has no further documentation currently available

Syntax: g_modern_admin bool

g_modern_user

More modern layout for user self admin

This setting has no further documentation currently available

Syntax: g_modern_user bool

g_modern_hicontrast

Easy to see color scheme, Control f5 to reload css after changing!

This setting has no further documentation currently available

Syntax: g_modern_hicontrast bool

g_modern_surgeweb

More modern layout for surgeweb

This setting has no further documentation currently available

Syntax: g_modern_surgeweb bool

g_oauth_url

OAuth 2.0 server for password lookup

This setting has no further documentation currently available

Syntax: g_oauth_url string

g_oauth_client_id

OAuth 2.0 client_id

This setting has no further documentation currently available

Syntax: g_oauth_client_id string

g_oauth_client_secret

OAuth 2.0 client_secret

This setting has no further documentation currently available

Syntax: g_oauth_client_secret string

g_oauth_trim

OAuth 2.0 trim @domain.name

This setting has no further documentation currently available

Syntax: g_oauth_trim bool

g_old_imap_headbody

Get head and body seperately

This is just the way it used to do it, I can’t see any good reason for it, but I’m leaving this setting incase there is a reason

Syntax: g_old_imap_headbody bool

g_old_imap_nossl

Disable auto ssl mode

This is just the way it used to do it, I can’t see any good reason for it, but I’m leaving this setting incase there is a reason

Syntax: g_old_imap_nossl bool

g_old_pophost_debug

Log extra info when doing old pophost logins

Log extra info when doing old pophost logins for debugging. 

Syntax: g_old_pophost_debug bool

g_old_user_check

Disable the account status enabled check on rcpt lines

Normally the account status field is checked at the recipient stage, this setting disables this check.

Syntax: g_old_user_check bool

g_old_webmail_links

Show webmail links in user cgi instead of surgeweb

This setting has no further documentation currently available

Syntax: g_old_webmail_links bool

g_orbs_check_all

Keep doing lookups even if found in a RBL, this is slower of course!

This checks all the RBL servers listed even if the connecting ip address is found in one server, this is slower but can mean you can score more accurately when an ip is listed in multiple RBL databases. Do not use with g_orbs_late, the two settings conflict and will not work. (g_orbs_late will be ignored)

Syntax: g_orbs_check_all bool

g_orbs_system

Use system DNS lookups instead of SurgeMails for ORBS (not recommended)

If true use system DNS lookups instead of surgemails for orbs (not recommended). 

Syntax: g_orbs_system bool

g_orbs_exception

Exceptions to Open Relay / Known Spam sites

This allows you to over-ride a response from an ORBS/RBL database. For example, if a site you wish to do business with is in the RBL database you can add their IP address to this setting and then they can send you Email again. 

Syntax: g_orbs_exception string

g_orbs_force

Forces RBL lookup even if they are in an exception.

Syntax: g_orbs_force “true/false”

This allows you to force RBL lookups on users that would normally not be checked due to being in an allowed relay ip (g_allow_relay_ip).

Syntax: g_orbs_force bool

g_orbs_service

Open Relay Blocking System RBL, service name

Set the name of the RBL service you want to use. A RBL service is a DNS database that has a record of all known spamming sites. If the server finds the connecting users IP address in this database all Email from their system is rejected. Also see the setting g_orbs_exception.  Here are a few known RBL services, some charge and some are free!

• www.ordb.org 
• inputs.orbs.org

Syntax: g_orbs_service string

g_orbs_testing

ORBS testing

If true ORBSlookups are recorded but not blocked.

Syntax: g_orbs_testing bool

g_orbs_test2

Test block all addresses

This setting has no further documentation currently available

Syntax: g_orbs_test2 bool

g_orbs_fake

Ip address to pretend we find in rbl database for testing

This setting has no further documentation currently available

Syntax: g_orbs_fake string

g_orbs_timeout

Orbs timeout

ORBS lookup timeout in seconds (default=10). If the timeout is reached the message is accepted and the failure is logged to mail.log.

Syntax: g_orbs_timeout int

g_orbs_list

Multiple Open Relay Blocking System RBL databases

Allows enforcement of a servers blacklisting or whitelisting in one or more RBL databases with a different action for each database. In addition this can be used to mark messages with a header which can then be taken into account in the SmiteCRC”SpamDetect rating” calculation. A RBL database is simply a DNS server that returns a positive response if a server is listed in the database. A variety of services are available online that can maintain blacklist databases. Normally you would maintain your own whitelist database that overrides the blacklist listings.

name=service action=deny,accept,stamp stamp=”string to add to header ||remoteip||”

Where the stamp option adds the header:

X-ORBS-Stamp: string to add to header 1.2.3.4

The variable ||remoteip|| can be used to create a url to go directly to a spam database web site and give details on the offending ip address. e.g. stamp=”Spamcop, http://spamcop.net/w3m?action=checkblock&ip=||remoteip||”

eg 1 – A simple deny mail from blacklisted servers could be achieved with:

g_orbs_list name=”relays.ordb.org” action=”deny”

eg 2 – A smarter setup with exceptions for certain IP ranges and a whilelist exception database, a blacklisted deny database and with useful header based tagging could be achieved as follows:

g_orbs_exception “127.0.0.*,12.34.56.*”
g_orbs_list name=”mywhitedatabase.none” action=”accept”
g_orbs_list name=”relays.ordb.org” action=”deny”
g_orbs_list name=”relays.osirusoft.com” action=”deny”
g_orbs_list name=”bl.spamcop.net” action=”stamp” stamp=”spamcop, http://spamcop.net/w3m?action=checkblock&ip=||remoteip||”

eg 3 – To use the output of header based ORBS stamping in the SmiteCRC calculation the following could be used:

g_orbs_list name=”relays.ordb.org” action=”stamp” stamp=”open relay”
g_orbs_list name=”my.dialup.databse.none” action=”stamp” stamp=”dialup”

These entries have the following rules in filter.rul. If you used your own stamp text you would place appropriate entries in the local.rul file.

if(rexp_case(“X-ORBS-Stamp”, “open relay”)) then
call spamdetect(4.0, “Sender’s IP was on an open relay RBL”)
endif

if(rexp_case(“X-ORBS-Stamp”, “dialup”)) then
call spamdetect(4.0, “Sender’s IP was on a dialup RBL”)
endif

Some RBL lists return a numeric code to give extra meaning, for example 127.0.0.4 might mean an open relay, and 127.0.0.5 might mean the site has no postmaster address. You can specify multiple stamp messages using this format, stamp=”4=Open Relay~5=No postmaster address~Default message goes here”

See Also: RBL’s

Syntax: g_orbs_list name=string action=string stamp=string

g_orbs_rec

Log to record file if orbs deny action occurs

Log to record file if ORBS deny action occurs (can fill logs up). 

Syntax: g_orbs_rec bool

g_orbs_late

Disconnect user only if they fail to authenticate

Sometimes your customers will be using dial in lines that are banned by RBL databases, in this situation this setting will help as it will keep the connection alive long enough for a valid user to send an smtp authentication in.

Can also be used wth g_spf_skip_to “user@domain” this will allow you to add exceptions for users or domains that do not want RBL checks done on their accounts.

Syntax: g_orbs_late bool

g_orbs_nosubmit

Revert to old behaviour, orbs check before submit

Only for disabling this improvement

Syntax: g_orbs_nosubmit bool

g_orbs_cache_life

Sets the amount of time to keep RBL entries cached.

Syntax: g_orbs_cache_life “seconds”
Default: 7200 seconds

This allows you to control how long the RBL lookups are cached for.

Example:
g_orbs_cache_life “100”

Syntax: g_orbs_cache_life int

g_orbs_report

List of IP’s to check in RBL(s)

Use this setting to test your own ip addresses, as soon as one is found in a RBL you will be sent an email to alert you. The test is performed hourly. To test add 127.0.0.2 to the comma seperated list

Syntax: g_orbs_report string

g_outgoing_n

Send manager email if more than this many spam from one user per day

Outgoing SPAM filter, for local authenticated hacker sending spam.

Syntax: g_outgoing_n int

g_outgoing_block

Block user if this many spam sent in one day

Use with caution!

Syntax: g_outgoing_block int

g_outgoing_white

Whitelist for outgoing spam detector

This setting has no further documentation currently available

Syntax: g_outgoing_white string

g_setpassword_firstlogin

Accept any password on first POP login and set in database (EMERGENCY USE ONLY, requires nwauth -reasonfail parameter)

This setting has no further documentation currently available

Syntax: g_setpassword_firstlogin bool

g_pipelining

Show pipelining in ehlo response

Show pipelining in ehlo response – not recommended – has no behavior affect.

Syntax: g_pipelining bool

g_perflog_disable

Disable perflog logging

Completely disable the logging of historica performance data for the status graphs.

Syntax: g_perflog_disable bool

g_perflog_flush_interval

Flush interval

Interval in seconds to flush the performance log files to disk. Default is 3600 s (ie once per hour)

Syntax: g_perflog_flush_interval int

g_perflog_lowres

Log in low resolution

Normally data is logged avery 10 seconds and 5 display scales are available hour, day, week, month and year. If this is set samples are taken every 5 minutes and 4 display scales are avbailable: day, week, month, year.

Syntax: g_perflog_lowres bool

g_perflog_logall

Log all counters

Log all counters including the currently undisplayed counters. This is useful if in the future you suddenly think, Oh I would really like to see the historic information on one of the undisplayed counters – which would normally not have been logged to file.

Syntax: g_perflog_logall bool

g_perflog_surgeonly

Only log surgemail counters

On Windows systems surgemail’s performance logging will gather counters from surgemail and from the system “Perfmon” performance logging. This disables the collection of system counters.

Syntax: g_perflog_surgeonly bool

g_popfetch

Fetch incoming mail from another POP server

POPfetch will retrieve mail from POP accounts on another server and store it locally. The POP fetch interval can be set using g_popfetch_interval. The parameters for this setting are host(required), user(required), pass(required) or localuser(required).

eg:
g_popfetch host=”netwin.co.nz” user=”marijn” pass=”secret” localuser=”marijn@anydomain.com”

Alternatively POPfetch is able to attempt local delivery based on headers. Delivery is attempted to “X-Rcpt-To:” with fallback of “To:” and “Cc:” headers. To enable this the local user needs to be defined as “*,userxxx”. Fetched mail will be delivered as specified in the headers or if no valid user is identified in the header to the default user “userxxx”.

Syntax: g_popfetch host=string user=string pass=string localuser=string disable=bool

g_popfetch_interval

Interval between POPfetch attempts

The interval (in seconds) between successive attempts to fetch mail from remote mailserver POP accounts (as per g_popfetch rules). (default is 5 minutes = 300)

Syntax: g_popfetch_interval int

g_popfetch_kick

POPfetch will try and open the link for 10 seconds, then retry, this should bring up ISDN lines.

If true then POPfetch will try and open the link for 10 seconds, then retry, this should bring up ISDN lines.

Syntax: g_popfetch_kick bool

g_popfetch_nodup

Drop duplicate messages

Drop duplicate messages based on “Message-id:” header.

Syntax: g_popfetch_nodup bool

g_pop_delay

Send POP packets after waiting for more data to send

This setting replaced g_pop_nodelay, as the default has been changed. It was changed as this can improve performance.

Syntax: g_pop_delay bool

g_pop_blocksize

Size of packets to read POP messages (best left alone)

Size of packets to read POP messages (best left alone).

Syntax: g_pop_blocksize int

g_pop_cram_enable

Enable cram-md5 support

This setting has no further documentation currently available

Syntax: g_pop_cram_enable bool

g_pop_lock

Lock out duplicate POP users with the file system

Use this setting if you are sharing a file system between multiple mail servers. This will make the mail server lock the users files to prevent a second user of the same name logging in and reading mail from one of the other systems.

Syntax: g_pop_lock bool

g_pop_max

IMAP users at any one time

This limits the channels that will be used at any one time for incoming POP and IMAP connections. The purpose of this setting is to prevent a sudden burst of users reading mail from using up all available channels. Generally setting this is a bad idea as there is a sensible default (dependent on the system resources available).

See FAQ section on session limits

Syntax: g_pop_max string

g_pop_warning

Send manager warning if this many sessions (pop or imap) reached (max 1 per hour)

This setting has no further documentation currently available

Syntax: g_pop_warning int

g_pop_nolock

Allows concurrent pop logins, recommended

This setting avoids problems when users use pop and imap access to the same account at the same time.

Syntax: g_pop_nolock bool

g_pop_port

Port to listen for POP connections (default 110)

Typically you won’t need to change this, however you can specify an IP address to bind to or a list of alternate ports, eg: 10.3.2.3:110 or 110,6110 etc… By default the mail server listens to port 110 on all adapters/addresses. Use the keyword ‘disabled’ to disable this part of the SurgeMail service.

Syntax: g_pop_port string

g_pop_secure_port

Port to listen for secure POP connections (default 995)

Dedicated secure port to listen on for POP connections. Use the keyword ‘disabled’ to disable this part of the SurgeMail service.

Syntax: g_pop_secure_port string

g_pop_add_size

Improves pop performance on nfs slightly

This renames inbox messages to include the size of the file so that an lstat call is not needed.

Syntax: g_pop_add_size bool

g_pop_min_time

Min time in seconds between consecutive POP logins, NEVER USE

If a pop client connects more often than this, give an error. This setting will very likely break webmail sessions and cause odd problems, Best avoided!

Syntax: g_pop_min_time int

g_pop_min_late

Give min time error on first command after login

This may be less disruptive as it stops the client thinking the password is wrong.

Syntax: g_pop_min_late bool

g_pop_min_msg

Additional warning to give user when they login too soon

This lets you explain to the user what the problem is. Don’t get carried away some clients may not like a long string here!

Syntax: g_pop_min_msg string

g_pop_min_skip

Skip ip addresses matching this list.

Useful for whitelisting webmail servers etc. 127.0.0.1 is always skipped

Syntax: g_pop_min_skip string

g_pop_flush_lines

Flush to tcp every line of message sent (slow)

Too debug faulty network/client pop issues, not for general use, this may slow performance significantly

Syntax: g_pop_flush_lines bool

g_ppd_port

POPPassD port (default 106)

Port to listen for POPPassD connections. Typically you won’t need to change this, however you can specify an IP address to bind to or a list of alternate ports, eg: 10.3.2.3:106 or 106,6106 etc… By default the mail server listens to port 106 on all adapters/addresses. Use the keyword ‘disabled’ to disable this part of the SurgeMail service.

Syntax: g_ppd_port string

g_private

Enable a private customer specific feature

Used to enable private features. Not for general use

Syntax: g_private string

g_proxy

Proxy mode (or mailhost)

This enables the SurgeMail proxy mode, using ‘tohost=”xxx”‘ received from the authentication to determine real host for SMTP/POP connections. Any incoming SMTP, POP or IMAP connections will be passed on directly to the specified server. This allows you to split a domain over several separate systems. This method is outlined in general terms here.

To setup a proxy server system with 4 machines (2 proxy, 2 backend) use the following steps, lets assume your hosts are PROXY1, PROXY2, SERVER1, SERVER2

1) Set on the proxy servers in surgemail.ini g_proxy “true”

On the back end server use g_pop_nolock “true” (to avoid timing issues)

On the back end server set g_tohost_local “server1” (or server2) so it knows it’s own name.

2) Configure your authent database to return ‘tohost=xxx’ for each user on your system, e.g. in nwauth

nwauth
set testuser1@test.com test tohost="SERVER1"
set testuser2@test.com test tohost="SERVER2"
lookup testuser1@test.com
+OK testuser1@test.com config 0 tohost="SERVER1"

3) Configure your load balancing router to send users to PROXY1 & PROXY2, …

4) When new users are added always define the ‘tohost’ setting to define which system they are added to as load increases you can add more backend or frontend servers as needed.

This is very similar to the ‘mailhost’ setting some systems use in LDAPAuth to translate mailhost to ‘tohost’ you would use: info_fields mailhost,tohost in ldapauth.ini

Syntax: g_proxy bool

g_proxy_default

Default proxy host

Default host to forward to if ‘tohost’ is not defined in user database for this user.

Syntax: g_proxy_default string

g_proxy_to_gateways

Proxy pop/imap connections to matching gateway settings

This setting has no further documentation currently available

Syntax: g_proxy_to_gateways bool

g_proxy_webmail

Redirect webmail logins to external host name

This lets you use a front end server to move web based logins onto the correct webmail host

Syntax: g_proxy_webmail host=string redirect=string

g_proxy_usercgi

g_web_ref_path_extension must match on all servers)

This setting has no further documentation currently available

Syntax: g_proxy_usercgi bool

g_pstat_disable

Disable pstat per user accounting (for debugging)

Used for debugging only, do not play with this.

Syntax: g_pstat_disable bool

g_report_host

Report facts to a central host

Not for general use currently

Syntax: g_report_host string

g_responder_delay

Delay between responses to the same address.

This setting has no further documentation currently available

Syntax: g_responder_delay string

g_responder_safer

Only respond if the sender can be verified in some way (spf/domainkeys)

This setting makes the server less likely to be black listed by accidentally responding to a forged email.

Syntax: g_responder_safer bool

g_responder_score

Do not respond if spam score is above this

This can further reduce spam back scatter issues

Syntax: g_responder_score int

g_responder_friends

Only respond if from known friends

This can further reduce spam back scatter issues

Syntax: g_responder_friends bool

g_responder_sender

Responder whitelist for email from address

Allow response on spf failure if from matches thsi wildcard

Syntax: g_responder_sender string

g_responder_source

Responder whitelist for from ip name or number

Allow response on spf failure if from matches thsi wildcard

Syntax: g_responder_source string

g_responder_to

Responder whitelist for destination user

Allow response on spf failure if to matches this list

Syntax: g_responder_to string

g_responder_utf8

Send response in utf8 format

Alow utf8 chars in response

Syntax: g_responder_utf8 bool

g_responder_from

Send ‘from’ destination user. Usually unwise!

Use g_bounce_noreply setting instead to avoid annoying bounces

Syntax: g_responder_from bool

g_responder_noreply

Send ‘from’ noreply@ destination domain, improves delivery

This improves delivery

Syntax: g_responder_noreply bool

g_responder_skip

Skip responder if from matches

Skip responder if from envenlope matches this list/wild card

Syntax: g_responder_skip string

g_route

Wildcard route mail to specified server

Route messages matching particular wildcard “from address” and wildcard “to address” to specified server. This is not a gatweay rule and is only applied to mail that has already been accepted via SMTP authentication, relaying rules or gateway rules.

This would typically be used to route all mail for a particular user on a domain to another mailserver or to route all mail from a local domain through another server:

Case 1: Route mail for one user to another server

g_route from=”*@*” to=”user@localdomain.com” dest=”1.2.3.4″ user=”” pass=””

Case 2: Route all mail from local domain through other server

g_route from=”*@localdomain.com” to=”*” dest=”1.2.3.4″ user=”” pass=””

g_route_except gets applied allowing you to prevent mail coming in from certain IP addresses to be routed.

Syntax: g_route from=string to=string dest=string user=string pass=string

g_route_local

Route messages for local domains if the rule applies

This setting has no further documentation currently available

Syntax: g_route_local bool

g_route_local_ifexists

Route messages for local domains if the rule applies and the local user exists

g_route_local is also required.

Syntax: g_route_local_ifexists bool

g_route_by_tohost

Route based on authent ‘tohost’ field

Use routing to a particular server based on ‘tohost’ setting in authentication database. This is particularly useful if you have users spread over several physical locations and want to be able to route mail for different users to particular servers.

Syntax: g_route_by_tohost bool

g_route_except

IP exception to g_route and g_route_by_tohost

IP exception to g_route and g_route_by_tohost.

Syntax: g_route_except string

g_queue_all

Always queue local messages before delivery

This setting has no further documentation currently available

Syntax: g_queue_all bool

g_queue_max

Size of internal queue file cache

Size of internal mail queue file cache, range 500-3000.

Syntax: g_queue_max int

g_queue_spawn

Run command on queue files before delivery ONLY if g_queue_all is true, filename is passed as parameter

This setting has no further documentation currently available

Syntax: g_queue_spawn string

g_queue_warning

If on disk queue exceeds this send manager a warning

If you send email in faster than it can be sent, or something is wrong (e.g. a broken dns server) then this helps warn you early

Syntax: g_queue_warning int

Example: g_queue_warning “10000”

g_queue_limit

If on disk queue exceeds this block incoming mail

If you send email in faster than it can be sent, the queue grows forever until the server fails due to huge directories or insufficient disk space, this setting stops the incoming messages so you are alerted to the problem before it becomes critical. Note that this stops all incoming mail, including local deliveries. This is the number of items

Syntax: g_queue_limit int

Example: g_queue_limit “100000”

g_quota_warning_disable

Disables the 80% quota warning message

Disables the 80% quota warning message.

Syntax: g_quota_warning_disable bool

g_quota_from

Return address for quota warning messages

This setting has no further documentation currently available

Syntax: g_quota_from string

g_quota_at

Default is 80%

Level at which user gets a warning message

Syntax: g_quota_at string

g_quota_noemail

Disables all quota messages to the user

This setting has no further documentation currently available

Syntax: g_quota_noemail bool

g_quota_notrash

Remove Trash folder from quota calculation

This setting has no further documentation currently available

Syntax: g_quota_notrash bool

g_quota_rcpt_disable

Disables quota check at rcpt stage

SurgeMail now does quota checking at rcpt stage (Quota checking used to be done after data arrived) This setting disables the quota checking at rcpt stage if the above causes problems (not intended for general use).

Syntax: g_quota_rcpt_disable bool

g_quota_try_later

Retry responses for over quota

Give 450 response if user is over quota so message will be resent.

Syntax: g_quota_try_later bool

g_quota_friends

Count stored spam as part of quota

Count friends pending messages and spam store as part of the per user quota.

Syntax: g_quota_friends bool

g_quota_before_forward

Do quota check before forwarding.

This setting has no further documentation currently available

Syntax: g_quota_before_forward bool

g_quota_skip

Skip quota checks for matching ip addresses

Skips the quota checking. Use this if you have a high priority robot (like your billing system) that must be able to deliver email to users (or students) even if the user is over quota.

Syntax: g_quota_skip string

g_quota

-quota-default-default-quota" >

This setting has no further documentation currently available

Syntax: g_quota_default string

g_quota_disable

Disable quota system

Disables quota processing completely

Syntax: g_quota_disable bool

g_quota_report

Send quota warnings to the manager

Useful for small systems where any quota limit failure is an issue for the manager to resolve, only one report is sent a day so you may not hear about all users over quota.

Syntax: g_quota_report bool

g_quota_550

Give 550 quota response instead of 552

Can help with old systems that need the wrong error code.

Syntax: g_quota_550 bool

g_quota_default

Default quota

This setting has no further documentation currently available

Syntax: g_quota_default string

g_rcpt_max

Max recipients per message, default is 1000

Max recipients per message, default is 1000, can only be lower than 1000.

Syntax: g_rcpt_max int

g_rcpt_max_in

Limit for recipients of untrusted channels, default g_rcpt_max

This limit is only applied to untrusted sessions (incoming mail)

Syntax: g_rcpt_max_in int

g_rcpt_msg

Invalid recipient response

Response given for invalid recipient errors message is prefixed by email address..

Syntax: g_rcpt_msg string

g_rcpt_bang

Allow bang characters in addresses

Allow exclamation marks in addresses. ie ‘!’

Syntax: g_rcpt_bang bool

g_rcpt_colon

Allow colon characters in addresses

Allow colon characters in addresses. ie ‘:’

Syntax: g_rcpt_colon bool

g_rcpt_quote

Allow quote character(s) in addresses

By default quotes are blocked at the SMTP level, this is because some of the authent modules don’t handle quotes in addresses so it’s best not to let them through. There is no known reason for ever turning this setting on.

Syntax: g_rcpt_quote bool

g_rcpt_nodup

Ignore duplicate recipients to the same user

When enabled this prevents a message being delivered more than once to a single person, it’s a fairly good setting to use and will get rid of some spam for people using fallback addresses.

Syntax: g_rcpt_nodup bool

g_rcpt_trace

Add X-Rcpt-Trace headers

This will list all recipients in the message to facilitate tracing

Syntax: g_rcpt_trace bool

g_rcpt_ok

Whitelist for invalid rcpt addresses we will permit

This setting has no further documentation currently available

Syntax: g_rcpt_ok string

g_find_wrong

Find domain based on IP even if url suggests other vdomain

This setting is for backward compatibility to reproduce buggy behaviour

Syntax: g_find_wrong bool

g_from_ok

Whitelist for invalid from addresses we will permit

This setting has no further documentation currently available

Syntax: g_from_ok string

g_rdns_timeout

Timeout for reverse DNS lookups default is 30 seconds

Best set between 10 and 60

Syntax: g_rdns_timeout int

g_received_name

Name shown in received headers

Name shown as received “by” in the received headers this defaults to server name but can be specified if required:

eg “myservername”

 Received: from netwin.co.nz (unverified [10.0.0.5])
 by myservername (SurgeMail 1.5f) with ESMTP id 1140619
 for <marijn@netwin.co.nz>; Fri, 07 Nov 2003 10:25:59 +1300

Syntax: g_received_name string

g_received_names

List of valid received names for incoming email

This list is used when processing vanish_bad_bounces, vanish_virus_bounces and vanish_any_bounce. It defines the valid received names to expect quoted in a properly formed bounce message for a message from this server/system.

Syntax: g_received_names string

g_received_skip

Don’t write a received header for local trusted users

This setting can be used to hide sensitive local ip addresses from outgoing mail headers. This will make tracking abuse more difficult, we do not recommend using this setting generally.

Syntax: g_received_skip bool

g_received_skip_all

Skip local received header for messages that have non local recipients

Note that in the case of a message that is to a local and remote recipeient, it will skip the headers for both, even though the desire is to skip them for the remote recipient only. This not quite right, ideally one should skip this for outgoing only but since the header is added at delivery time we thought this was close enough.

Syntax: g_received_skip_all bool

g_received_skip_spf

Skip spf received header for messages that have non local recipients

Note that in the case of a message that is to a local and remote recipeient, it will skip the headers for both, even though the desire is to skip them for the remote recipient only. This not quite right, ideally one should skip this for outgoing only but since the header is added at delivery time we thought this was close enough.

Syntax: g_received_skip_spf bool

g_recent_bypass

Bypass recent login failure checking

This allows you to disable recent login failure checking for certain IP addresses. Normally there up to a maximum of 9 login attempts are allowed per connection.

Syntax: g_recent_bypass string

g_record_days

Period delivery logs are stored

The number of days SurgeMail message delivery logs are stored.

Syntax: g_record_days int

g_record_hash

Hash delivery logs

Message delivery logs may be stored in hashed format within g_record_path as <surgemail dir> \recYYMM\msgYYMMDD.rec

Syntax: g_record_hash bool

g_record_login

Log successful logins to msg*rec files

This setting has no further documentation currently available

Syntax: g_record_login bool

g_record_path

Path for mail delivery logs

Sets the path for the SurgeMail delivery logs. Delivery logs contain entries for mail received and delivered in a single file per day. See Searching the Log Files for more information.

Syntax: g_record_path string

g_redirect

Redirect messages to ‘was’ to the ‘new’ address

Specifies global redirection rule. These rules are applied to local and remote addresses so should be used with ‘care’, for domain based redirection use the redirect rules within a domain. An example rule would be: fred@xx.com –> bob@yy.com or *@xx.com –> joe@xx.com 

Wild cards can be used and replaced, e.g.

g_redirect was=”*@gadget.net” to=”%1@gadget.com”
g_redirect was=”*@*.gadget.com” to=”%1-%2@gadget.com”

Would make

bob@gadget.net –> bob@gadget.com
fred@cool.gadget.com –> fred-cool@gadget.com

These rules are processed ‘before’ the domain is identified, therefore you cannot use host_alias domain values in them. Use a domain redirect rule if this is required.

You can also redirect a message to a robot or script like this:

g_redirect was=”auto@mydomain.com” to=”|/usr/local/myrobot.sh”

Your script can read the environment variables:
MAILFROM
RCPTTO
MSGSIZE

And must read the message on ‘stdin’, the message will be terminated with “crlf.crlf”

Your script can then process the message and if it want’s to respond must use smtp to send a response back etc…

Your script will run as the user ‘mail’ so if that user does not have access to the script file or work files then it will fail 

Syntax: g_redirect was=string to=string

g_redirect_cc_attach

Redirect message as attachment if rule applies

This rule is applied at the point of delivery, so only if the original user actually gets the email, and the message is sent as an attachment, the original message is ALSO delivered

Syntax: g_redirect_cc_attach was=string to=string header=string contains=string

g_redirect_cc

Carbon Copy redirect message

Same as ‘redirect’ but the message is still delivered to the original address as well. For g_redirect_cc there are two special names defined “$localdomain$” and “$remotedomain$”, which can be used in the ‘was’ paramater (requires SurgeMail 2.3). 

Syntax: g_redirect_cc was=string to=string

g_redirect_from

Redirect message if from matches

Redirect a message to another address if the from matches. 

Syntax: g_redirect_from from=string to=string

g_redirect_from_cc

Carbon Copy redirect message if from matches

Redirect a copy of the message to another address if the from matches still delivering to the original address as well.

Syntax: g_redirect_from_cc from=string to=string

g_redirect_hide

Hide the redirection in the SMTP output

Hide the redirection in the SMTP output

Syntax: g_redirect_hide bool

g_redirect_iflocal

If local domain, then apply redirect

This is for doing fancy redirection where the rule is only applied if the domain of the destination is a local domain. For example to redirect all messages to postmaster at any local domain to one particular admin user.

Syntax: g_redirect_iflocal was=string to=string

Example: g_redirect_iflocal was=”postmaster@*” to=”john@main.domain”

g_redirect_ses

If message is not local then apply redirect

Send all outgoing email to this address instead, useful for redirecting email to a robot (like amazon ses service), this is called for each outgoing message, once for each recipient

Syntax: g_redirect_ses from=string was=string to=string

Example: g_redirect_ses was=”*” to=”john@external.domain”

g_redirect_ignore_errors

Accept email even if redirected addresses fail

We consider this to be faulty behaviour as it will lead to emails vanishing with no bounce, use entirely at your own risk.

Syntax: g_redirect_ignore_errors bool

g_redirect_noautocreate_rules

Don’t create redirection rules for domains automatically

This will stop SurgeMail creating redirection rules for new domains such as postmaster,abuse and support

Syntax: g_redirect_noautocreate_rules bool

g_redirect_newmid

Generate new MID on redirection

This can help avoid loops.

Syntax: g_redirect_newmid bool

g_relay_allow_ip

Allow relaying from these users

List the IP ranges of local users that you will allow to send ‘OUTGOING’ Email without using SMTP authentication, e.g. “127.0.0.1,10.0.*”. In the past, mail servers used to permit this from any IP address, but since this was abused by ‘spammers’ all modern mail servers only allow this from known local IP addresses. Remote users should use ‘smtp authentication’ or login via POP protocol before sending Email, then SurgeMail will trust them. Do NOT set this to ‘*’ If you do your system will be blocked as it will be assumed that spammers are using your system even if they are not!!!

Syntax: g_relay_allow_ip string

g_relay_allow_from

Allow relaying for known from addresses

This setting allows users to send outgoing Email if their envelope ‘from’ address is a known local address. This is a very bad idea in general as spammers can do this too. So in general don’t use this setting except as a lesser of two evils. It will be detected by some open relay checking systems and your site can then end up listed as an open relay. If this happens your Emails will be rejected by other peoples systems. e.g.

g_relay_allow_from "*@my.domain,*@second.domain,fred@third.domain"

Syntax: g_relay_allow_from string

g_relay_dom_and_ip

Relay based on domain and IP

Allow relaying if the domain in the from envelope and IP address both match.

Syntax: g_relay_dom_and_ip domain=string ip=string

g_relay_window

Allow relaying after valid POP login

This sets the time after a valid POP login that you will allow a user on the same IP to send outgoing mail. In general it is safe to set this setting large and it can allow people using old mail clients (that do not know how to do SMTP authentication) to still send through your server without making your server an open relay.

Syntax: g_relay_window int

g_relay_window_from

Requires pop authed user is in from header of sent message

This must be used with g_relay_window, the matching is ‘simplistic’ and matches on the ‘from envelope’ but will stop most simple forms of abuse.

Syntax: g_relay_window_from bool

g_relay_to

Relay to this domain from anyone

This setting allows mail from anyone to be relayed to the specified domain. The relaying is unconditional.

Syntax: g_relay_to string

g_relay_to_user

Relay to specific user from anyone

This setting has no further documentation currently available

Syntax: g_relay_to_user string

g_relay_process

Relay process, e.g. testip.exe $WHOIP, return 1 to allow relaying, 0=deny

Allows you to run an external program to lookup an ip address and decide if it is one of your users who should be allowed to relay. This can be used when your users login via some type of shared system so the ip ranges are not known but you do have a way of checking if a user of yours is ‘currently’ connected on an ip address

Syntax: g_relay_process string

Example: g_relay_process “c:/surgemail/testip.exe $WHOIP”

g_relay_ifnot

Accept locally only if not from this ip

This lets you send all email to ‘mx’ destination, even if the account is local, unless it is coming from a known ip address range.

Syntax: g_relay_ifnot string

g_relay_message

Message to display to users who try to relay

Text string displayed to users who try and relay.

Default (blank) is: “Relaying blocked, read new mail, add <sender.ip> to forwarding or enable smtp authentication in your mail client”

Syntax: g_relay_message string

g_relay_nolocal

Do not automatically relay for 127.0.0.1

This setting has no further documentation currently available

Syntax: g_relay_nolocal bool

g_rename_files

Files to apply virus renaming to

Only takes effect if g_virus_rename is checked. Default is: “*.exe,*.pif,*.bat,*.com,*.cmd,*.jav,*.vbs,*.scr,*.wsh”

Syntax: g_rename_files string

g_rename_content

Wild card list of mime types to rename, e.g. application*zip*

This setting has no further documentation currently available

Syntax: g_rename_content string

g_restart

Auto restart server

If turned on Swatch (a spawned second process) checks every 30 seconds to see if the server is still running. If it isn’t running but it’s pid file still exists (so if it died) this second process restarts the missing server and sends the manager account an Email reporting the fault.

For this to work on NT you need to set Dr Watson NOT to show visual notification of faults:

 This sets Dr Watson to be the default debugger)
 c:/> drwtsn32 /i
 This brings up the Dr Watson settings, un-tick "Visual Notification"
 c:/> drwtsn32

Generally this setting is not needed and could be left off, but if an odd problem should develop, this setting can give you peace of mind for a few days while you wait for a problem resolution from NetWin.

Syntax: g_restart bool

g_restart_vmsize

Restart server if vmsize exceeds this (in mb), e.g. 1000

This setting has no further documentation currently available

Syntax: g_restart_vmsize int

g_restart_malloc

Restart server if malloc exceeds this (in mb), e.g. 1000

This setting has no further documentation currently available

Syntax: g_restart_malloc int

g_restart_kill

Allow swatch to kill surgemail if not responding – beta

This setting has no further documentation currently available

Syntax: g_restart_kill bool

g_retry_limit

Max hours to keep trying to deliver messages

Every hour the mail server will attempt to deliver any messages that fail for a reason that may be a temporary fault (for example the destination mail server doesn’t respond). This setting limits how long these retries continue for. The default is 48 hours (2 days). 

Syntax: g_retry_limit int

g_retry_bounces

Max hours to keep trying to bounce messages

Max hours to keep trying to deliver a bounce the default is 48hrs

Syntax: g_retry_bounces int

g_retry_dns

Hours to keep trying if dns response suggested invalid domain name, default 0

By default, if the DNS server says a domain doesn’t exist, the message is immediately bounced so the sending user can take action. In some rare cases this will occur with a valid domain name because the actual DNS of the domain you are sending to is temporarily down. In this situation making SurgeMail retry for 1 hour can prevent these false bounces. I don’t recommend this setting as mostly the DNS response and cache etc is very very reliable because SurgeMail keeps a local cache of DNS lookups that worked on disk. So for a failure like this to occur it must be the first time the server has EVER looked up the domain, so the odds are extremely remote. Delaying a useful response to the user for 1 hour just for this remote chance is not wise in my opinion.

Syntax: g_retry_dns int

Example: g_retry_dns “1”

g_retry_warn

Send user a warning if first send fails

I like this setting myself but it can confuse users as the first send attempt will often fail and the user will mis read the bounce and think it’s failed completely. It does mean when a message is urgent the user gets told right away, instead of 2 days later, that there is a problem sending the message so for a business it’s a nice setting to enable.

Syntax: g_retry_warn bool

g_retry_unwarn

Send user sent on confirmation if warning sent

This complements the warning setting, so the user can see the message did eventually go through and after how long…

Syntax: g_retry_unwarn bool

g_retry_warn_n

Send user a warning if nth send fails

Similar to the above setting but this one reduces the false warnings as messasges often fail on the first attempt

Syntax: g_retry_warn_n int

g_retry_minutes

Time between attempted retries

Time in minutes that SurgeMail will try and resend a message that has failed to be delivered.
(default = 60 minutes).

Syntax: g_retry_minutes int

g_retry_rule

Retry rules overriding g_retry_limit

Rules that allow you to specify the retry_limit in hours on a per destination domain basis.

Example:
g_retry_rule domain=”test.com” hours=”48″

That will make it keep retrying to send to the domain test.com for 48 hours.

Syntax: g_retry_rule domain=string hours=string

g_retry_from

Time to keep messages from these domains

This setting has no further documentation currently available

Syntax: g_retry_from domain=string hours=string

g_legal_archive_enable

Enable legal archive

This setting has no further documentation currently available

Syntax: g_legal_archive_enable bool

g_legal_archive_local

Store files locally only

This setting has no further documentation currently available

Syntax: g_legal_archive_local bool

g_legal_archive_spam

Store files even if identified as spam (OBSOLETE)

Messages are always stored now regardless of spam score

Syntax: g_legal_archive_spam bool

g_legal_archive_add

Users must belong to this group to get their email archived

This setting has no further documentation currently available

Syntax: g_legal_archive_add string

g_legal_archive_show

Users must belong to ‘archive_show’ group to see their own archive

This setting has no further documentation currently available

Syntax: g_legal_archive_show bool

g_legal_archive_bucket

bucket for for net service

This setting has no further documentation currently available

Syntax: g_legal_archive_bucket string

g_legal_archive_path

Local path for archive indexes

This setting has no further documentation currently available

Syntax: g_legal_archive_path string

g_legal_archive_hostid

Unique integer for this host 1-9 use if sharing mail spool

This setting has no further documentation currently available

Syntax: g_legal_archive_hostid int

g_legal_archive_encrypt_key

Key for encrypting the data, you MUST never loose this

This setting has no further documentation currently available

Syntax: g_legal_archive_encrypt_key string

g_legal_archive_keep

Days to keep legal archive, units=days unless you specify years or months, default 5 years

This setting has no further documentation currently available

Syntax: g_legal_archive_keep int

g_legal_archive_accesskey

Amazon s3 awsaccesskeyid

This setting has no further documentation currently available

Syntax: g_legal_archive_accesskey string

g_legal_archive_secretkey

Amazon s3 awssecretkey

This setting has no further documentation currently available

Syntax: g_legal_archive_secretkey string

g_legal_archive_only

Drop all messages after archiving them!

This setting has no further documentation currently available

Syntax: g_legal_archive_only bool

g_legal_archive_nofail

Don’t bounce messages if archvie fails

This setting has no further documentation currently available

Syntax: g_legal_archive_nofail bool

g_sabre_version

SabreDAV version (DO NOT CHANGE, for debugging only)

This setting has no further documentation currently available

Syntax: g_sabre_version string

g_sample_get

Sample account to check if deliveries work

The idea is to create several accounts on various public mail servers. Then send a test message using a mailing list or g_redirect rule to these test accounts, then use the command tellmail sample_get CODE DELETE to check if the messages have arrived. The first paramter of tellmail sample_get is a code it expects to find in the message headers (or subject) and the second paramter should be the keyword ‘delete’ if you want it to delete the sample messages.

Syntax: g_sample_get host=string user=string pass=string

g_sample_show

Headers to show from sample messages

Typicall you will list headers that are added by spam filters

Syntax: g_sample_show string

g_scan_cmd

Run command on message, and return integer

Run command on message, and return integer, see g_scan_action.

Syntax: g_scan_cmd string

g_scan_cmd_skip

Skip for matching ip addresses

This setting has no further documentation currently available

Syntax: g_scan_cmd_skip string

g_scan_cmd_testing

Don’t reject, (for testing)

This setting has no further documentation currently available

Syntax: g_scan_cmd_testing bool

g_scan_cmd_failok

Don’t reject if script fails

This setting has no further documentation currently available

Syntax: g_scan_cmd_failok bool

g_scan_action

Converts return value from g_scan_cmd to action on email

Converts return value from g_scan_cmd, action=drop,accept,bounce.

Syntax: g_scan_action code=int action=string reason=string

g_send_first_retry

Minutes for first retry, default is 16 minutes, do not adjust!

It’s best not to change this generally, if you set it too low then grey listing may fail, if you set it higher then email is delayed.

Syntax: g_send_first_retry int

g_send_helo

Domain to use for all outgoing SMTP helo commands

Fully qualified domain to use for all outgoing SMTP helo commands.

Syntax: g_send_helo string

g_send_helo_from

Use the sending domain for the helo command

If the senders domain name (in return path envelope) is a valid local domain, then it is used in the ‘helo’ command.

Not generally recommended. The correct use of the helo is to identify the sending machine, not the domain, so although this makes the headers look pretty it doesn’t make them more correct in my opinion.

Syntax: g_send_helo_from bool

g_send_helo_in

Lookup dns name of incoming ip connection on local interface

So this is the local ip name it looks up not the remote ip address name.

Syntax: g_send_helo_in bool

g_send_backoff

Backoff slow hosts

Seconds to leave slow responding host alone (default 900).

Syntax: g_send_backoff int

g_send_lines

Send single line packets

Send messages in single line packets, slow! (for debugging)

Syntax: g_send_lines bool

g_send_nopoll

Use sleep loop instead of poll (debugging only)

This is to try and find an elusive fault on some systems sending large emails, not for general use

Syntax: g_send_nopoll bool

g_send_lowpriority

Ip address of bulk sending servers

This limits the impact from mailing lists that would otherwise clogg the server and prevent normal individual emails going through quickly, typically set to *bounce@* to lower mailing list priority

Syntax: g_send_lowpriority string

g_send_max

Max concurrent sending sessions

Maximum concurrent outgoing SMTP connections . You should not have to change this. The default is 100.

Syntax: g_send_max int

g_send_max_perchan

Msgs to send on one open channel

This may help delivery if a server is incorrectly identifying your server as a spam source. A value of 1-5 would be reasonable

Syntax: g_send_max_perchan int

g_send_max_perdom

Max concurrent sending sessions to a single domain

Maximum concurrent outgoing SMTP connections to a single domain. The default is 2. This can be set higher and the default used to be 6 however there are a few servers out there that don’t like more than 2 channels being opened to them.

Syntax: g_send_max_perdom int

g_send_max_rcpt

How many rcpt’s to send per message when sending

Default is unlimited, Setting this to a small value like 10 may help some mail servers.

Syntax: g_send_max_rcpt int

g_send_nolimit

Don’t apply g_max_perdom limit when sending to this domain

Use this on incomng mx severs for the local domain so it can use lots of channels to send the data through.

Syntax: g_send_nolimit string

g_send_nosize

Don’t send size with from envelope

Revert to old style sending, no known reason for doing this

Syntax: g_send_nosize bool

g_send_no_domain

Message to show when domain points to us but can’t find user or domain

Most useful when using g_authent_always, as this error will be shown to local users when sending to local users that don’t exist.

Syntax: g_send_no_domain string

g_send_onpopfetch

Only send outgoing while doing a POPfetch

Only send outgoing while doing a POPfetch (For dialup use).

Syntax: g_send_onpopfetch bool

g_send_retry_550

Retry on 550 responses (general failure)

Might be useful to stop messages bouncing when destination server is temporarily rejecting everything

Syntax: g_send_retry_550 bool

g_send_retry_552

Retry on 552 responses (typically quota exceeded)

Some faulty hosts return a 552 error when a user is over quota, this means that by the RFC SurgeMail must not try again to deliver the message. However this is clearly not a permanent error and so it’s often wise to retry in this situation, This setting makes SurgeMail attempt retries when faced with this odd response.

Syntax: g_send_retry_552 bool

g_send_rewrite

Rewrite envelope recipient at send stage, does not change destination server

This rewrites the recipient envelope, you can use wild cards, e.g. *@this.domain %1@another.domain, to rewrite ‘from’ addresses use g_from_rewrite

Syntax: g_send_rewrite was=string to=string

g_send_noskipslow

Don’t skip slow hosts

Normally surgemail remembers hosts that are slow to open, fail and doesn’t retry for 60 minutes.

Syntax: g_send_noskipslow bool

g_send_speed

max outbound bandwidth

Bytes per second to limit each outgoing channel to. eg: 10k

Syntax: g_send_speed int

g_send_conspeed

Outgoing connections per second per destination, default is 4

This helps prevent surgemail exceed tarpit throttles common in unix mail servers, adjust at your own risk. This won’t generally limit outgoing email speed so you don’t need to touch it. A value of ‘1’ means surgemail can make one connection each second.

Syntax: g_send_conspeed int

g_send_delay

Wait this many seconds after sending each item.

This is a simple throttle to limit sending speed to any single domain, a value of 2 seconds is probably reasonable. In general you would also set G_SEND_MAX_PERDOM to 1.

Syntax: g_send_delay int

g_send_timeout

Send timeout

Timeout, in seconds when sending mail, default is 540 (9 minutes)

Syntax: g_send_timeout int

g_send_tolimit

Limit speed to send to one or more domains.

Some large providers will assume you are a spammer if you send too many messagse in an hour. If you have a large mailing list it’s easy to break these limits, in which case some rules like this can prevent this problem.

Syntax: g_send_tolimit domain=string perhour=int

Example: g_send_tolimit domain=”hotmail.com,*hotmail.com” perhour=”60″

g_send_open_timeout

SMTP link open timeout

Timeout, in seconds when opening an SMTP link.

Syntax: g_send_open_timeout int

g_send_body_noretry

Don’t try and resend if failure during body send

By default SurgeMail retries to send messages if the tcp connection is lost during the body send part of sending an email message. In rare situations this may cause problems, for example while sending a large file if the receiving software is faulty and is dieing rather than responding with ‘don’t try again’ error code. This behaviour was reversed before version 2.0h (e.g. it never retried)

Syntax: g_send_body_noretry bool

g_send_body_end_retry

Try again if connection fails after entire body sent

This setting will tend to result in ‘duplicate’ messages being received, so should not be used, but strictly speaking it is valid to retry in this situation, the trouble is the receiving mail server ‘may’ have a real copy of the message so may deliver it even though the connection was dropped.

Syntax: g_send_body_end_retry bool

g_send_body_once

Don’t try 3 times if failure occurs sending body

This setting disables the new feature where the server tries harder to deliver a message even if it ‘might’ result in duplicates being delivered.

Syntax: g_send_body_once bool

g_send_bug1

Fail while sending messages

Debugging feature.

Syntax: g_send_bug1 bool

g_send_sslheader

Add x-encrypted header when sending via ssl

This setting has no further documentation currently available

Syntax: g_send_sslheader bool

g_send_strip

Headers to strip when sending

This setting has no further documentation currently available

Syntax: g_send_strip string

g_send_store_disable

Disable sendstore smtp extenstion

This setting disables the ability to save the message to the sent folder as part of the smtp command (only used by SurgeAlert)

Syntax: g_send_store_disable bool

g_server_name

Wildcard “SERVER_NAME” translation for domain identification

The vdomain a user connects on is normally identified automatically for “user account self management” and for “webmail”. In the event that the domain name is not the same as the host name (eg hostname = mail.domain.com, domainname = domain.com) the WebMail web server can automatically translate the SERVER_NAME variable.

This setting specifies a wild card list of URLs ‘URL’ with associated translated host name for “SERVER_NAME”. If the URL matches then SERVER_NAME is set to the second part of this setting ‘name’. eg: to host the domains domain.com and mail.domain.com on host mail.domain.com:

g_server_name url=”*.domain.com” name=”domain.com”

Note: If your server name is not the same as your domain name also check the per domain setting URL_host.

Syntax: g_server_name url=string name=string

g_server_stamp

Replaces SurgeMail and version string in “Received” headers

Replaces SurgeMail and version string in Received headers of process mail

Syntax: g_server_stamp string

g_sf_disable

Smart Filter Disable

This setting has no further documentation currently available

Syntax: g_sf_disable bool

g_sf_obey_users

Obey user submissions about non spam, usually not a good idea

This setting has no further documentation currently available

Syntax: g_sf_obey_users bool

g_sf_ignore_users

Ignore user submissions just use automatic samples (obsolete)

This setting has no further documentation currently available

Syntax: g_sf_ignore_users bool

g_sf_generate

Build local smart filter

Creates feature_gen.dat from sf_mfilter.txt (instead of using feature_gen.net downloaded from netwinsite.com). This requires your server to have a reasonable sample of spam in the train… folders, this is collected automatically over a few days.

Syntax: g_sf_generate bool

g_sf_nnet

Use Neural Network (Experimental, ONLY FOR TESTING)

Experimental setting

Syntax: g_sf_nnet bool

g_sf_binary

Use Binary Network

Binary tree for scoring – this mechanism scores based on finding the sample or samples with the closes matching features, and counting how many are spam/not spam. This method is the best choice (currently)

Syntax: g_sf_binary bool

g_sf_list

Use list mechanism for scoring

A new mechanism to score more rationally based on the known data.

Syntax: g_sf_list bool

g_sf_nosanity

Disables improved g_sf_binary with sanity checks

This smoothes out the nonsense a bit if g_sf_binary over-reacts to training or small samples

Syntax: g_sf_nosanity bool

g_sf_sanity2

Enables improved sanity scoring

This second sanity check improves scores over 8 to be a bit more useful.

Syntax: g_sf_sanity2 bool

g_sf_sanity_test

Experimental setting never use

Test another spam scoring method

Syntax: g_sf_sanity_test bool

g_sf_saneonly

Sane score only

Experimental setting

Syntax: g_sf_saneonly bool

g_sf_test2

Testing

Experimental setting

Syntax: g_sf_test2 bool

g_sf_rules

Use manual rules to improve scoring

Use additional manual rules

Syntax: g_sf_rules bool

g_sf_limit

Limit range of self training

This setting has no further documentation currently available

Syntax: g_sf_limit bool

g_share_home

Allow sharing of home directory

This allows sharing of the home directory in the unlikely situation that you might want to run separate surgemail processes. eg one process to cope with SMTP and another to cope with POP access.

Syntax: g_share_home bool

g_share_mail

Allow sharing of mail directory

Set true if mail area is shared (by nfs or other mechanism)

Syntax: g_share_mail bool

g_share_quota

Do quota on disk (e.g. when using nfs shared spool)

Normally SurgeMail keeps track of quota for all users in memory, this is efficient, but means if your are using a shared mail spool the quota figures are completely wrong, so use this setting to make surgemail keep track of quota’s on disk, it increases disk load a bit of course but not too much.

Syntax: g_share_quota bool

g_shutdown_slow

Delay shutdown

Add 20 second delay to shutdown for testing purposes only.

Syntax: g_shutdown_slow bool

g_slow_welcome

Delay the welcome message

Add 20 second delay to welcome message for testing purposes only.

Syntax: g_slow_welcome bool

g_sms_gateway

Address and port of your SMS gateway

This is the ip and port of an ’email to sms gateway’. The gateway should accept SMTP messages on this port and convert the email into an sms message then deliver to the phone number in the ‘to’ address. SMSGate is our ’email to sms gateway’ and is FREE with SurgeMail. Setting user_sms to “true” for a domain allows users to specify a phone number (or email address) and rules for when to notify them.

Syntax: g_sms_gateway string

g_sms_gateway_force

Force sms notifications to go to g_sms_gateway

If a user sets their sms number to an email address, perhaps to make use of an existing gateway, then surgemail will send the message to the domain in that address. If you set this you can force the email to go to g_sms_gateway. NOTE: It is possible to configure SMSGate with ‘send_mode smtp’, ‘recv_mode none’ and no GSM modem. In this setup it simply reformats messages passing them on to the configured smtp_outserver for delivery as email messages.

Syntax: g_sms_gateway_force bool

g_sms_gateway_msgbytes

Maximum amount of message to send to g_sms_gatway (bytes)

Defines the maximum number of bytes of ‘body’ text to send to the g_sms_gateway. All headers are sent, then the defined number of bytes of ‘body’ text. Defaults to 160. May be set larger than the default if you have a lot of html messages or multipart html and text messages. Should not be set too large as there is no point sending binary attachments and the like to an sms gateway.

Syntax: g_sms_gateway_msgbytes int

g_sms_gateway_subjbytes

Maximum length of subject in sms message

Defines the maximum number of bytes of ‘subject’ text to send to the g_sms_gateway.

Syntax: g_sms_gateway_subjbytes int

g_sms_forward

Specifies IP’s which are allowed to forward to SMS gateways

Normally sms gateways are restricted to authenticated users (SMTP authentication) this allows you to specify IP’s which can send without authentication. For example you may want your dlist server to send SMS, in which case you might add 127.0.0.1 to this setting.

Syntax: g_sms_forward string

g_smite_all

Add smite headers to all messages passing through server

Normally SmiteSpam headers are only added for locally delivered messages. This setting to all messages passing through this server.

Syntax: g_smite_all bool

g_smite_gateway

Add smite headers to gatewayed messages

Normally SmiteSpam headers are only added for locally delivered messages. This setting adds the headers for gatewayed messages too. This also adds headers to messages that are redirected by forward rules as well.

Syntax: g_smite_gateway bool

g_smite_level

Smite level to discard message

If SmiteSpam gives a message a “smite score” above this, throw it awayl. This setting is best never used. If used it should be set to ‘1 or 2’. A value of 1 = “has been reported”, 2 = “has been reported multiple times”. If smite match score is above this drop message. This is applied when the user downloads the email not at delivery time. What you probably want is ‘g_spam_bounce’ described elsewhere on this page.

Syntax: g_smite_level int

g_smite_skip

Skip smitecrc processing for messages from these domains

This will skip running SmiteCRC for messages whose from address matches these domains. This is the mail from envelope header NOT the from header in the message (you can check the return path header in the message to check what you need to add for this setting).

Note this is a wildcard field so to match any mail claiming to be from safedomain.com you would have to set:

g_smite_skip “*@safedomain.com”

Syntax: g_smite_skip string

g_smite_skip_from

Skip spam scanner if from header/env matches this wild card

This setting has no further documentation currently available

Syntax: g_smite_skip_from string

g_smite_skip_to

o>

Skip smite scanner if to matches this wild card to <address>.

Syntax: g_smite_skip_to string

g_smite_skip_only

Skip spam scanner if to matches this wild card and no other recipients that ‘don’t’ match…

This setting has no further documentation currently available

Syntax: g_smite_skip_only string

g_smite_skip_ip

Skip smite based on sender IP

Skip smite scanner if sender IP matches this wild card list.

Syntax: g_smite_skip_ip string

g_smite_skip_auth

Skip spam scanner if user logged in

Skips spam checks and spam header generation for any authenticated local user.

Syntax: g_smite_skip_auth bool

g_smite_skip_relay

Skip spam scanner if ip can relay

Skips spam checks and spam header generation for any local user.

Syntax: g_smite_skip_relay bool

g_smite_tag

Tag message if in SmiteSpam database

If set to true will tag messages already in the SmiteSpam database. A value of 1 = “has been reported”, 2 = “has been reported multiple times”.

Syntax: g_smite_tag bool

g_smtp_allow_invalid

Allow messages with invalid headers

This setting has no further documentation currently available

Syntax: g_smtp_allow_invalid bool

g_smtp_auth_debug

Auth Debug (do not use)

This setting has no further documentation currently available

Syntax: g_smtp_auth_debug bool

g_smtp_bounce_nslow

Number of handles to use for doing slow rejections of smtp connections

If external servers are over loading your server so much that it ends up in a cpu loop rejecting connections then increaseing this might help. But beware your system must not run out of file handles so don’t set it too large, The default is 100

Syntax: g_smtp_bounce_nslow int

g_smtp_cmd_timeout

SMTP command timeout

Seconds to wait after getting a message for next command (workaround for sendmail bug)

Syntax: g_smtp_cmd_timeout int

g_smtp_data_timeout

SMTP data timeout

Seconds to wait for SMTP data input.

Syntax: g_smtp_data_timeout int

g_smtp_data_bug

Fail on incoming emails for debugging

This setting has no further documentation currently available

Syntax: g_smtp_data_bug bool

g_smtp_delay_stamp

Stamp message if sender doesn’t wait for welcome

If true then if any smtp commands arrive before the ‘helo’ greeting is sent then a header is added to messages which will result in a higher spam score.

Syntax: g_smtp_delay_stamp bool

g_smtp_delay

Seconds to wait before responding to rcpts, 1-20, this reduces load on bulk senders

Only applies if more than 2 connections from the same ip address, so it only throttles bulk senders not people

Syntax: g_smtp_delay int

g_smtp_welcome_delay

delays welcome message

Syntax: g_smtp_welcome_delay “seconds”

This delays the welcome message sent by SurgeMail to a connecting server. If the server sends data to SurgeMail during this waiting time SurgeMail will drop their connection. The theory is that any well behaved server will wait for prompts and check them, but a lot of spamming software never takes any notice of prompts/responses and sends blindly. We believe a value of 1-3 seconds is ideal. You can also exempt ip’s from this setting by using g_spam_allow “ip”. Settings too high will cause real mail to be lost.

Examples:
g_smtp_welcome_delay “3”
g_spam_allow “127.0.0.1”

So above, delay giving the welcome message for 3 seconds, anyone that sends data in that 3 seconds will be dropped, but anything connecting from 127.0.0.1 will be able to send immediately (you should make sure webmail is exempt).

Syntax: g_smtp_welcome_delay int

g_smtp_log_protocol

Log SMTP protocol

If enabled, the SMTP protocol is logged to the mail.log file as “smtp: In” and “smtp: Out” entries.

Syntax: g_smtp_log_protocol bool

g_smtp_log_size

Size of smtp.log file

This sets the smtp.log file size, default is 2mb

Syntax: g_smtp_log_size int

g_smtp_max

Max total incoming SMTP connections

This limits the channels that will be used at any one time for incoming SMTP connections. The purpose of this setting is to prevent a sudden burst of spam from using up all available channels. Generally you do not need to change this. (Default = 250). Use the related setting g_smtp_max_reason to over-write the detailed error if you don’t want spammers to know what your limits are set to.

Syntax: g_smtp_max int

g_smtp_warning

Send manager warning if this many sessions reached (max 1 per hour)

This setting has no further documentation currently available

Syntax: g_smtp_warning int

g_smtp_max_reason

Reason to give to user if g_smtp_max is exceeded

This is most useful when the host in question is being used for the wrong purpose (incoming when it’s intended for outgoing etc), or simply to advise the user of a potential solution

Syntax: g_smtp_max_reason string

g_smtp_max_nolimit

IP based exceptions to g_smtp_max

This lets you specify IP based exceptions to g_smtp_max, so if you need a certain IP to open up many connections you would add that IP here.

eg. g_smtp_max_nolimit “10.0.0.50”

Syntax: g_smtp_max_nolimit string

g_smtp_maxbad

Max bad SMTP commands

The maximum number of bad commands accepted per session before SurgeMail will drop the connection.

Example: g_smtp_maxbad “10”

Syntax: g_smtp_maxbad int

g_smtp_port

p:port>

This allows SurgeMail to listen on a specified port and IP, you can add multiple IPs if you wish to listen on more than one and multiple ports also.

eg:
g_smtp_port “1.1.1.1:25, 2.2.2.2:1025”

g_smtp_portauth

SMTP ports which require smtp authentication, typically 587

It is recommended (by some) that users send email to port 587, and it requires smtp authentication, and port 25 be blocked from client ip addresses to prevent viruses etc using email servers. Be sure to add ,587 to the g_smtp_port setting too!

Syntax: g_smtp_portauth string

g_smtp_portforce

Block logins for ports not listed in g_smtp_portauth

Use this to prevent local users logging into port 25, this also stops many spammers abusing your system as they will try and send on port 25

Syntax: g_smtp_portforce bool

g_smtp_secure_port

Port to listen for secure SMTP connections (default 465)

Port to listen on for dedicated SSL SMTP connections.

Syntax: g_smtp_secure_port int

g_smtp_vrfy_msg

VRFY response

Change Response to VRFY, e.g. 252 Not telling.

Syntax: g_smtp_vrfy_msg string

g_smtp_vrfy_allow

Allow vrfy from these addresses, not recommended

This setting is rarely a good idea, vrfy is best left disabled

Syntax: g_smtp_vrfy_allow string

g_smtp_etrn_auth

etrn if authenticatd

Only do etrn processing if user is authenticated.

Syntax: g_smtp_etrn_auth bool

g_smtp_help_disable

disable smtp help command

Disable SMTP help command (minor security percaution).

Syntax: g_smtp_help_disable bool

g_smtp_plain_hide

Hide ‘plain’ from the ehlo response

This is to keep stupid scanners happy, for security you should disable non SSL logins, disabling plain is pointless and annoying.

Syntax: g_smtp_plain_hide bool

g_smtp_cram_enable

Enable CRAM-MD5 authentication (requires nwauth 4.0h or greater) – Not Recommended

Please note that CRAM-MD5 does have security implications, specifically it means that the local users password must be stored in a semi reversable state in the authent database. Also you must be using the new version of the NWAuth module. Also Cram-md5 cannot be used with Migration from an old server (since by definiton the old password is never sent)

Syntax: g_smtp_cram_enable bool

g_smtp_no_brackets

Allow from/rcpt without angle brackets

Some faulty mail clients forget to put the brackets <> around the recipient, this setting allows such faulty behavior. Not generally recommended.

Syntax: g_smtp_no_brackets bool

g_smtp_big

Slow down incoming SMTP reads to get bigger packets (experimental)

This setting tries to prevent thrashing by making the server slow down the speed it reads data in an attempt to get larger packets. This seemed to have no affect when I tested it, but play with it if you want, It is only intended to be useful when you have hundreds of incoming connections all very slowly sending in data, and the server is short of CPU.

Syntax: g_smtp_big bool

g_smtp_fast_bounce

Reject bad connections immediately

Normally SurgeMail waits 1-10 seconds before rejecting a bad connection (rbl/limits,…), this reduces cpu usage and prevents some DOS attacks, this setting disables this behaviour.

Syntax: g_smtp_fast_bounce bool

g_smtp_fix_nohead

Accept messages with no headers and try and cope

This setting tries to cope if the message contains no headers at all, it is not recommended of course but may be needed on occasion for bad scripts

Syntax: g_smtp_fix_nohead bool

g_smtp_thread

Use seperate thread for incoming SMTP connections

This makes the server run a seperate thread just to process incoming smtp connections, this can help on a busy system to stop a huge load of smtp connections clogging up the pop/imap connection processing, it is rarely needed.

Syntax: g_smtp_thread bool

g_smtp_auth_off

Disable SMTP AUTH from unknown ip addresses (NOT RECOMMENDED)

This prevents a hacker sending out spam by cracking a users account details, users must login from an address specified in g_smtp_auth_ip or g_relay_allow_ip, NEVER USE THIS!

Syntax: g_smtp_auth_off bool

g_smtp_auth_ip

Ip Addresses to accept smtp authentication from

This prevents a hacker sending out spam by cracking a users account details, users must login from an address specified in g_smtp_auth_ip or g_relay_allow_ip

Syntax: g_smtp_auth_ip string

g_smtp_noauth

Limit SMTP to just these addresses (not generally useful)

Mail sent from other IP addresses is only accepted if user is authenticated. Typically used if your server is behind a firewall of some kind and should only allow incoming email from a particular IP address. Users will be able to send as from any IP address if they use smtp authentication. This setting is only useful if your incoming email always comes through a gateway or filter, it’s not a normally useful setting

Syntax: g_smtp_noauth string

g_smtp_noauthm

Limit SMTP to just these addresses (not generally useful)

Mail sent from other IP addresses is only accepted if user is authenticated. Typically used if your server is behind a firewall of some kind and should only allow incoming email from a particular IP address. Users will be able to send as from any IP address if they use smtp authentication.

Syntax: g_smtp_noauthm string

g_smtp_noauth_msg

Message given when sender is told to use authentication because of g_smtp_noauth

Message sent to sender when they try and send to the server but are required to authenticate because of g_smtp_noauth

Syntax: g_smtp_noauth_msg string

g_smtp_noclear

Disable smtp buffer clear after starttls command

Testing feature.

Syntax: g_smtp_noclear bool

g_spam_allow

IP wild card of sites to exempt from spam limits

Typically use this to allow known mailing list servers that use your system to send messages in without being tarpitted. e.g. “127.0.0.1,local.ip.number”. This same setting is an exception to the other spam rules. 

Syntax: g_spam_allow string

g_spam_allow_disable

Disable allow bounce messages

Normally when SurgeMail detects an SPF failure it will give the sending an opportunity to send an email to a special address, If the sender does this then their IP address is permitted in future, this saves a lot of hassle generally, in rare situations you may not want this system, this setting will just simply bounce the message instead.

Syntax: g_spam_allow_disable bool

g_spam_allow_rbl

Give unblock message to RBL bounces too

This setting extends the ‘allow’ email system used by SPF to the RBL style of failures. This makes it much safer to use RBL lists is block mode instead of stamping mode. You really must have g_spam_block enabled for this setting to work, otherwise the ‘allow’ mechanism lets everything through so this becomes pointless

Syntax: g_spam_allow_rbl bool

g_spam_allow_rdns

Trust ip name for spam checking, not recommended

Spammers can trivially forge a reverse dns name, so it’s very unwise to use it for bypassing spam checking except for rare/local domain names that spammers won’t know to use

Syntax: g_spam_allow_rdns bool

g_spam_allow_msg

Template for unblock messages, use ||reason|| and ||allow|| and maybe a url

This lets you tailor the ‘allow’ bounce message given to incoming messages that fail the SPF checks. ||reason|| becomes the reason for the failure and ||allow|| is either the allow email to send to, or a link to use (if using g_spf_byweb “TRUE”).

Syntax: g_spam_allow_msg string

Example: g_spam_allow_msg “||reason||, to fix send an email to ||allow|| then resend original email.”

g_spam_block_msg

Template for spf blocked message if allow is disabled

This error is given for SPF failures when the allow system is disabled. You are probably looking for the setting g_spam_allow_msg, as it is the one that is normally used when a user is ‘blocked’ by spf.

Syntax: g_spam_block_msg string

g_spam_allow_known

Unblock IP address if we have received messages from it for 3 days (so it’s not a transient spammer)

This setting makes the SPF strict settings much softer, basically it says any IP address we’ve known about for 3 days, is considered safe. This will still stop most spammers, particularly when used in combination with RBL lists which will block the ‘repeat’ offenders.

Syntax: g_spam_allow_known bool

g_spam_allow_recent

Exempt recent POP from spam limits

Skip spam rules if recent POP IP number (see g_relay_window). 

Syntax: g_spam_allow_recent bool

g_spam_autotrain

Autotrain “good” filter

Auto train spam filter good messages based on first 1,000 outgoing emails.

Syntax: g_spam_autotrain bool

g_spam_block

-block-msg-template-for-spf-blocked-message-if-allow-is-disabled" >

This error is given for SPF failures when the allow system is disabled. You are probably looking for the setting g_spam_allow_msg, as it is the one that is normally used when a user is ‘blocked’ by spf.

Syntax: g_spam_block_msg string

g_spam_block_gateway

Block spam gatewayed messages too

Use this setting on incoming mail servers or servers that relay to servers that implement SPF. Without this SPF blocking will not work as the back end server cannot perform the SPF checks/blocking.

Syntax: g_spam_block_gateway bool

g_spam_check_auth

Enable spam rules for authenticated users

Normally authenticated users are exempt from spam rules when sending mail. This enables all spam checking rules for authenticated users.

Syntax: g_spam_check_auth bool

g_spam_content_disable

Disable aspam_content.txt rules

The file aspam_content.txt is fetched from netwinsite and used to identify certain common spam messages based on content. Each line in the file gives a list of words or phrases, if most of the words are found, then the rule matches. You can add your own rules to aspam_content_local.txt. In a message that matches a rule you will see in the spamdetect header, Content: cid=NNN cid=NNN, you can then match the NNN with the unique id of each rule in aspam_content.txt

Syntax: g_spam_content_disable bool

g_spam_body

Add SpamDetect header in body

If spamdetect score is above this, add spamdetect header at top of message body (in addition to the header). This allows mail clients that are not able to filter mail based on headers to filter out spam email. This can be set on a per user basis too. A value of 3 or 4 would be reasonable. The only real reason for this setting is some common mail clients are unable to scan non standard headers so cannot automatically file spam in a folder unless this is used. My recommendation is for such users to use the web interface to set actions individually.

Syntax: g_spam_body int

g_spam_body_url

Text part of info to add to body, usually a url to your site

On this page you should explain to your users why this tag was added to their message, and how they can adjust their spam settings etc.

Syntax: g_spam_body_url string

g_spam_body_more

Add more info to spam body (ip address, ptr address, reply to and bounce address)

This can help the user decide if the message really is spam

Syntax: g_spam_body_more bool

g_spam_folders

Train on any message dropped into the relevant folders

This allows a user to create two folders ‘-Train Is Spam-‘ and ‘-Train Not Spam-‘ and then run the aspam training mechanism by dropping messages into those folders, items are expired ffrom train is spam folder after 30 days if G_EXPIRE_TRASH is TRUE

Syntax: g_spam_folders bool

g_spam_folders_show

List the special folders for all users

Without this setting the user must create the folder name correctly for training to work from imap folders

Syntax: g_spam_folders_show bool

g_spam_flag

Add X-SPAM-FLAG: Yes header if smite score is above this level

Some filters and servers like to see this header, a good value for this might be 7. Valid range would be 1-15, with 1 marking almost everything as spam, and 15 marking almost nothing.

Syntax: g_spam_flag int

g_spam_from_blacklist

Fetch list of bad domains to reject email from – not recommended

This feature fetches the file http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current and then uses it efficiently to block senders, it is a huge file (26mb). Not currently recommended, we don’t think the hit rate of this filter method is high enough to be useful. url used is http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current

Syntax: g_spam_from_blacklist string

g_spam_grey

OBSOLETE DO NOT USE, Enable old greylisting for spf mechanism

The grey listing mechanism relies on the principle that spammers are not using real mail servers but using dumb robots that won’t ‘retry’. So if all incoming messages are asked to ‘retry’ then the spam will not be received but the non spam will get in eventually. This does create a delay on all incoming mail, and may stop some stupid mail servers from successfully delivering. I would tend not to use this setting myself.

Syntax: g_spam_grey bool

g_spam_grey_classc

Apply grey listing to x.x.x.*

In theory this broadens slightly what grey listing will accept.

Syntax: g_spam_grey_classc bool

g_spam_grey_dflt

Enable greylisting for spf default accept events (not recommended)

If a message is going to be accepted due to the spf default rule (so there was no real spf record), then this comes into play. If the message is not from a trusted person, or a domain that we have previously checked using grey listings. Then the message is bounced. If the sender then tries again to send the same message (from/to pair) within a few hours, but not within 1 minute, then that ip address is marked as ‘good’ and future messages from them are accepted. This setting will result in some real email bouncing but slightly reduce spam, we no longer recommend this setting.

Syntax: g_spam_grey_dflt bool

g_spam_grey_dflt_bad

Enable greylisting instead of allow in some cases (recommended for block or strict)

This setting enables grey listing for spf default failure events only, and only if it’s the first message from that ip address if more arrive before the grey listing succeeds then allow bounces are sent instead

Syntax: g_spam_grey_dflt_bad bool

g_spam_grey_verify

Skip grey listing if host was not listening

Skips the grey listing if the host didn’t resond to the g_smtp_verify probe for g_spam_grey_dflt_bad

Syntax: g_spam_grey_verify bool

g_spam_grey_size

Size of grey listing table, default is 3000

On busy servers set this to a larger figure, e.g. 9000 so it can remember more grey listing events

Syntax: g_spam_grey_size int

g_spam_grey_bounce

Bounce if message was allowed due to grey listing, and spam score is above this, default 8 (was 4)

Since messages which are allowed in due to grey listing generally can’t accept friends bounces (as the sender is unverified) it’s important to bounce them with an allow message instead if they look like spam

Syntax: g_spam_grey_bounce string

g_spam_grey_window

Window to block bad messages, typically 60 seconds

This prevents a fast retry by a stupid robot, some robots now wait 5-6 minutes but some mail servers may retry that fast too

Syntax: g_spam_grey_window int

g_spam_grey_nofive

Skip 5-6 minute black window for these domains

Use this for domains that retry at 5 minute intervals, e.g. (*@cs.com,*@xyz.com), this skips a test used to detect a particularly virrulent spammer who uses a robot that retries at exactly 5 minute intervals

Syntax: g_spam_grey_nofive string

g_spam_grey_nseen

Number of messages from an unknown host, default is 6

When a host is unknown if it sends more than this many messages before the grey listing resend occurs then it’s considered to be a spammer.

Syntax: g_spam_grey_nseen int

g_spam_grey_nohard

Avoid hard spf bounces always try and do a grey list instead

This avoids the hard bounce you would normally get for failed real spf records.

Syntax: g_spam_grey_nohard bool

g_spam_nolang

Don’t add header with a guess at body language

This adds a header which makes a best guess at the contents of the message, it should not be assumed to be 100 percent reliable! Also note that empty messages or messages containing only images may be classified as ‘Unknown (English)’

Syntax: g_spam_nolang bool

g_spam_phrase

Enable auto spam phrase filter

Enables a Bayesian word and phrase filter to enhance spam filtering. The filter auto trains based on the train folders each night

Syntax: g_spam_phrase bool

g_spam_probe_enable

Probe suspect urls to find spammers – can cause RBL

This setting searches email messagse from dodgy/unknown sources for urls, then looks at the page those urls refer to to see if those pages in turn point to a listed SURBL. Only domains matching a specific list of rules are scanned so there is almost no risk of this feature clicking on a page that might do something bad.

Syntax: g_spam_probe_enable bool

g_spam_probe_unknown

Probe any unknown url (dangerous)

This setting increases the remote chance of probing a web page that might have some action (like a confirmation signup request, unsubscribe etc…), in practice there are a bunch of tests we perform so it would be most unusual for this problem to occur but it’s safer not to use this option.

Syntax: g_spam_probe_unknown bool

g_spam_probe_more

Probe even if email is from a known ip address

Generally not advised

Syntax: g_spam_probe_more bool

g_spam_probe_friends

Probe even if email is from a friend

Generally not advised

Syntax: g_spam_probe_friends bool

g_spam_probe_whois

Do whois lookups on web pages found in probe

Some spammers register new domains each day, this probe checks the whois data to find if the new web site is owned by a known spammer

Syntax: g_spam_probe_whois bool

g_spam_subject

Modify message subject line based on spam rating

If spamdetect score is above this add spam rating Spam:**** to subject.

Syntax: g_spam_subject int

g_spam_subject_dom

Destination domains to tag subject for

Note that g_spam_subject_gateway and G_SMITE_GATEWAY or G_SMITE_ALL must also be set to true for this to work. If this setting is blank then all gatewayed domains would get tagged. Tagging won’t occur if the message is not sent through a g_gateway rule or redirect rule

Syntax: g_spam_subject_dom string

g_spam_subject_gateway

Modify message subject lime based on spam rating for gatewayed messages

If true then spam_subject setting applies to gatewayed messages too

Syntax: g_spam_subject_gateway bool

g_spam_subject_word

Allow arbitrary modification of message subject line

This is a string that is prefixed to the subject of incoming mail caught by g_spam_subject. You can use ||score|| and ||stars|| which will contain the actual spam rating. Good examples might be: “[SPAM]” or “SPAM(||score||), “

Syntax: g_spam_subject_word string

g_spam_userconfig

Enable per user spam settings

Allow users to opt in / out of specific anti spam features. If this is enabled this will add a “Spam” button on the users account self management pages.

The most useful antispam feature is that user’s mail that is suspected spam, can be stored on the server so that these messages do not need to be downloaded to your normail email client over what could well be a low bandwidth connection.

Syntax: g_spam_userconfig bool

g_spam_user_max

Max messages for authenticated users

Max messages an authenticated user can send per 30 minutes, eg: 5000

Syntax: g_spam_user_max int

g_spam_user_warn

Alert user when they send this many messages in one day, .8 to alert at 80% of max

This setting has no further documentation currently available

Syntax: g_spam_user_warn string

g_spam_user_warn_msg

Message when user approaches send limit

This setting has no further documentation currently available

Syntax: g_spam_user_warn_msg string

g_spam_user_badto

Max bad recipients from authenticated user per 30 minutes, e.g. 50

Whitelist using G_SPAM_USER_SKIP, limits bad recipients for an authenticated user, if exceeded then sending is paused for 30 minutes.  A value of 50 might be reasonable as normal users would never exceed that.  A value as low as 10 might be workable.  Whitelist accounts using: G_SPAM_USER_SKIP. An email is sent to the manager account when this limit is hit

Syntax: g_spam_user_badto int

g_spam_from_max

Max outgoing messages per ipaddress/return path pair, 30 minutes, e.g. 5000

This limit is useful where a local machine is sending on behalf of many users without authentication and you want to limit potential abuse

Syntax: g_spam_from_max int

g_spam_user_skip

Users to skip g_spam_user_max limit for

Set this for special known users who send lots of email

Syntax: g_spam_user_skip string

g_spam_bounce

Bounce local delivery based on spamdetect score

If spamdetect score (number of ‘*’s) is above this, bounce message if local delivery. 14 is a reasonable value, never set below 10.

Syntax: g_spam_bounce int

g_spam_bounce_store

If true store rejected spam in Spam_Rejected folder

This setting enables rejected spam to be saved in the spam_rejected folder, this makes it safe to use the spam rejection level again.

Syntax: g_spam_bounce_store bool

g_spam_bounce_text

Error text when message is bounced due to g_spam_bounce setting

As per description. Default is: “554 Failure Message looks like spam, sorry not wanted here q=311”, where q is the message queue id.

Syntax: g_spam_bounce_text string

g_spam_bounce_all

Bounce local and remote delivery based on spamdetect score

If spamdetect score (number of ‘*’s) is above this, bounce message, this applies to all messages regardless of user settings. e.g. 7 or 8 would be reasonable, 3 would be very strict, and less than 3 would certainly bounce real emails. I recommend you don’t set this below 5. This rule is applied as soon as the message is submitted, user spam settings do not override it.

Syntax: g_spam_bounce_all int

g_spam_bounce_trusted

If spamdetect score is above this, bounce message if trusted (spam_allow or authenticated)

Normally trusted users (spam_allow or smtp authenticated users) are never bounced due to spam content, this setting forces those users to also be checked for spam content.

Syntax: g_spam_bounce_trusted int

g_spam_cmd

Command line spam checker, use $FILE$ in cmd parameters

This allows you to run a simple external spam filter the return value is added as a header, X-SpamCmd: r=N, Is Spam/Not Spam, use local.rul file to translate this return value to a spam score. e.g. G_SPAM_CMD “snfrv2r3.exe xnk05x5vmipeaof7 $FILE$” if used with http://www.armresearch.com/message-sniffer/. If the program returns 0 then the words Not Spam are added, if the value is non zero then Is Spam is added, this makes filtering rules easier to add to local.rul, see http://netwinsite.com/surgemail/help/spam.htm#external

Syntax: g_spam_cmd string

g_spam_cmd_if

If internal spam rating is below this number, then run external filter

This allows you to only scan messages with an external filter if the message is not obviously spam

Syntax: g_spam_cmd_if int

g_spam_cmd_skip

If internal spam rating is below this number, then skip external filter

This allows whitelisting to work

Syntax: g_spam_cmd_skip int

g_spam_cmd_reject

If external filter returns number larger than this reject

Filters based on return code of external spam filter program

Syntax: g_spam_cmd_reject int

g_spam_vanish

Vanish local delivery based on spamdetect score

If spamdetect score (number of ‘*’s) is above this, vanish message if local delivery. eg: 12 would be reasonable.

Syntax: g_spam_vanish int

g_spam_vanish_all

Vanish local and remote delivery based on spamdetect score

If spamdetect score (number of ‘*’s) is above this, drop message, applies to all messages regardless of user settings. e.g. 14. This rule is applied as soon as the message is submitted, user spam settings do not override it.

Syntax: g_spam_vanish_all int

g_spam_info_hide

Remove x-spamdetect-info header line

Removes the x-spamdetect-info header line.

Syntax: g_spam_info_hide bool

g_spam_info

m-info-hide-remove-x-spamdetect-info-header-line" >

Removes the x-spamdetect-info header line.

Syntax: g_spam_info_hide bool

g_spam_internal

Enable internal Aspam spam processing system

Enable new ‘internal’ spam processing system, note this disables SmiteCRC too!

Syntax: g_spam_internal bool

g_spam_noupdate

Disable aspam updates

Disable fetch of aspam filter rules etc from netwinsite.

Syntax: g_spam_noupdate bool

g_spam_notrain

Disable isspam and notspam addresses

Disable isspam and notspam addresses for user training.

Syntax: g_spam_notrain bool

g_spam_isspam_kind

Allow isspam from recent pop, gateway to etc

Allow ASPAM training messages to (isspam) from any trusted source (e.g. any source that would be allowed to relay/send outgoing email). This setting is recommended.

Syntax: g_spam_isspam_kind bool

g_spam_isspam_ignore

Don’t block messages from ip addresses recorded as a spam source

This bounces all email from an address recorded as a spam source until it is recorded as a ‘notspam’ source, the blocking message allows the sender to bypass the block.

Syntax: g_spam_isspam_ignore bool

g_spam_aspam

Aspam rating

Scale for Aspam default is 1.0. Valid range is zero to two.

The aspam matching based on it’s database of known spam and non spam produces a score in the range -5 –> 5. Tthe g_spam_aspam setting lets you ‘scale’ this score to increase/decrease the importance of the aspam rating. The result is then applied (added to) the spamdetect header.

Syntax: g_spam_aspam string

g_spam_poly

Scale for poly word matching

Scale for poly word matching, default is 0.1, Valid range is zero to two, Use 1.0 to enable.

Syntax: g_spam_poly string

g_spam_poly_disable

Disable poly code.

Disables the poly statistical scoring feature which is part of Aspam. Poly tries to analyze the frequency of word combinations in spam and not spam to identify if a message is likely to be spam or not. We don’t consider the poly system to be very useful, it has two faults, it’s behaviour is not ‘understandable’ and it is ‘content based’, SPF is a much superior system!

Syntax: g_spam_poly_disable bool

g_spam_private

Enable private email addresses for users to avoid spam

Note: The user will define these settings, after turning on this global setting the user can use the Web Self administration interface, press the ‘Spam’ button and the private email address is defined on that page.

This setting adds the ability for each user to create a private email address to bypass SPF/ Spam filters. The user would then typically increase the spam settings for their non private account to ‘friends mode’ and enable SPF. So only known friends will be able to contact them via the old address.

This allows the user to live ‘spam free’ without the risk of blocking email from real people.

The user must be careful with their new private address, it should only be used with humans, when entering an address in a web form or mailing list a special variant should be used e.g. user–from-WEBDOMAINNAME@users.domain

The user defines their private address, in the form user–PRIVATE@domain.com, e.g. if the users public address is joe@cool.com, and the user defines a private extension of “juggle” then the private address would be:

joe–juggle@cool.com

Email addressed to joe–juggle@cool.com is delivered without SPF or SPAM filtering / tagging.

In addition the user can enable ‘from’ matching which must look like this: username–KEYWORD-STRING@cool.com, the user specifies a keyword e.g. “match”. Then anything addressed to the user in this form:

joe–match-STRING@cool.com

Will only be delivered if ‘STRING’ is found in the ‘from’ envelope address, otherwise it will bounce. So when entering an email address in a web page called “toys.com” the user would enter:

joe–match-toys@cool.com

Any — extension that is not recognized will return a bounce suggesting they remove the extension and try again.

Syntax: g_spam_private bool

g_spam_alias_any

User aliase string e.g. “++” if defined then strip suffix from emails – not advised!

This allows each user an infinite number of aliases of the form user+extension@domain.name, this can cause problems so only enable with caution. Usually set to “++” but can be set to a single plus, but this will break any email address that contains a plus so not normally recommended. If used avoid defining it as a single character at least!

Syntax: g_spam_alias_any string

g_spam_url

Scale for url word matching

Scale for URL word matching, default is 0.3, Valid range is zero to two (recommend 1.0)

Syntax: g_spam_url string

g_spam_catcher

Spam catcher addresses

Addresses on web pages that shouldn’t get any email (robot bait), only for use with Aspam.
Any email going to the specified address will be sent to the isspam address for processing and the message will also be dropped. If the message has multiple rctp’s and some are valid users, but one matches the catcher address, it is not delivered to anyone. If you need to enter a lot of spam catcher addresses then the best way is to just setup a single spam catcher address and then use g_redirect to redirect other addresses to the spam catcher address.

eg
g_spam_catcher “johnsmith@mydomain.com”

Syntax: g_spam_catcher string

g_spam_char

Character to use instead of ‘*’ for smitespam headers (best left alone if possible)

Changing this will cause no end of problems, so only do this when initially installing SurgeMail

Syntax: g_spam_char string

g_spam_notspam

Spam collection address

Address that non authenticated users can send non spam to.

Example: g_spam_notspam “notspam@domain.com”

Syntax: g_spam_notspam string

g_spam_hold_keep

Spam hold timeout

How many days to store users spam hold messages before deleting them.
Default is 14 days.
eg. g_spam_hold “14”

Syntax: g_spam_hold_keep int

g_spam_hold_hide

Hide spam hold settings for end users and other held2pend user.cgi tweaks

This setting has no further documentation currently available

Syntax: g_spam_hold_hide bool

g_spam_header_trust_ip

List of IP addresses from which to trust/accept existing X-SpamDetect headers in emails

Use this setting to specify the filter machines which perform spam scanning for this machine. Use this on the filter machine, to specify itself so that mailing list messages do not get scanning/tagged twice. Ensure your users are sending messages via the filter machine.

Syntax: g_spam_header_trust_ip string

g_spam_share

Use and share some spam/aspam information with central server (netwin) experimental

This setting enables some features which let surgemail share information about spam and non spamming ip addresses with a central netwin server.

Syntax: g_spam_share bool

g_spam_status_hour

Process all spam status messages at this time (disk io intensive)

Normally the spam status emails are sent in response to incoming messages at undefined times, this allows all spam status emails to be sent at a predefined time.

Syntax: g_spam_status_hour int

g_spam_status_monthly

Send monthly spam status even if no messages pending

This is good to make sure all users know about their spam settings and how to change them.

Syntax: g_spam_status_monthly bool

g_spam_phishing

Download list of known phishing addresses and block outgoing email to them

Use this to stop your users resonding via email to a known phishing address. See http://code.google.com/p/anti-phishing-email-reply/

Syntax: g_spam_phishing bool

g_spam_phishing_ok

Allow to these addresses even if phishing database blocks them

Use this to stop your users resonding via email to a known phishing address. See http://code.google.com/p/anti-phishing-email-reply/

Syntax: g_spam_phishing_ok string

g_spam_nobounce

Remove old user held/vanish but after 5.2 will allow bounce

This removes the old spam settings that should never be used. In version 5 this disabled hold/vanish/bounce, now it only disables hold/vanish but allows ‘bounce’, the bounce behaviour has been made considerably safer by tuning the spam filter and changing the actual bounce to allow the sender to bypass via captcha

Syntax: g_spam_nobounce bool

g_spam_black_auto

Auto blacklist for user when isspam pressed

Changes blacklist handling to only place in spam folder (not auto reject) and to automatically blacklist when isspam button pressed

Syntax: g_spam_black_auto bool

g_spam_black_tospam

Put blacklist matches in spam folder

Place in spam rather than bouncing hard.

Syntax: g_spam_black_tospam bool

g_spam_allbad

Auto blacklist from/ip/to combinations

Makes blacklisting automatic

Syntax: g_spam_allbad bool

g_spamdetect_some

Only show spamdetect header for bad scores

This setting has no further documentation currently available

Syntax: g_spamdetect_some bool

g_spawn_log

If true the spawns are logged to lib_spawn.log

Useful for finding obscure problems with spawned modules of various kinds, webmail, nwauth, virus checkers etc.

Syntax: g_spawn_log bool

g_spf_mode

Sender Permitted From

See https://netwinsite.com/spf.htm for details.

Syntax: g_spf_mode string

g_spf_nocache

Disable SPF cache

There is a small cache used for SPF results, This setting disables it.

Syntax: g_spf_nocache bool

g_spf_rewrite

Rewrite ‘from’ envelope in redirected mail (SRS)

When messages are redircted/forwarded to another server from you server, the ‘from’ address of the existing message envelope will no longer obey SPF rules as it will be coming from your server rather then the original server. So to fix this enable this rewrite setting and then the from envelope is rewritten to point to your system using a short life token. The ‘from’ header of the message is not modified.

Syntax: g_spf_rewrite bool

g_spf_rewrite_relay

Rewrite even if from ip is a host to relay for

In some cases you will want SRS rewriting for relay hosts, In which case you should turn this on.

Syntax: g_spf_rewrite_relay bool

g_spf_rewrite_gateway

Rewrite even if gateway rule applies

In some cases you will want SRS rewriting for relay hosts, In which case you should turn this on.

Syntax: g_spf_rewrite_gateway bool

g_spf_norewrite

Exceptions to rewrite rule, e.g. *@my.domain,bob@this.domain

Where you allow users to send through your server you may want to stop rewriting for their domains so that their from address is not munged. Local domains are automatically excempt from ‘rewriting’. Specify *@domain.name not just domain.name

Syntax: g_spf_norewrite string

g_spf_dns_timeout

Seconds to wait for dns lookups for spf, best not to change

Generally a ten or twenty second timeout is reasonable. Adjusting the default is probably not necessary.

Syntax: g_spf_dns_timeout int

g_spf_timeout

Seconds to wait for all spf lookups to finish, default 48 seconds

Best not to change

Syntax: g_spf_timeout int

g_spf_domain

Domain for SPF rewrite and allow messages (defaults to first domain on server)

When SurgeMail relays/forwards a message the ‘from’ address is rewritten (g_spf_rewrite should be true). The new address is ‘from’ your domain and this setting tells surgemail which local domain to use for these from addresses.

Syntax: g_spf_domain string

g_spf_user_domain

Make allow bounces use destination user domain name

This can be useful if you need to ensure emails bounce with an address that is similar to the destination

Syntax: g_spf_user_domain bool

g_spf_very_strict

(strict only) Only give ‘allow’ option for default spf rule failures not real ones

In this mode real SPF failures are hard failures, but if there is no SPF record for a domain then the friendly ‘allow’ system is used to let the user send mail with only mild difficulty.

Syntax: g_spf_very_strict bool

g_spf_debug_log

Enable spf.log file

By default this log is not generated as it’s not usually needed.

Syntax: g_spf_debug_log bool

g_spf_default

(strict only) Default spf record if none found default ‘mx/16 a ptr:%{d2} -all’

The example shown isn’t entirely true, we adjust the ‘d2’ depending on the domain, so it’s usually unwise to change this.

Syntax: g_spf_default string

g_spf_default_noblock

(strict only) Only stamp headers if default spf record fails when no real spf header

This setting makes blocking occur only for REAL spf records, not for the default one applied to domains that have no SPF record defined.

Syntax: g_spf_default_noblock bool

g_spf_skip

Skip spf checks for these ip addresses, e.g. other mx hosts

List the ip addresses of your other MX servers so SPF checks wont fail when a message comes in via an mx host instead of directly. The SPF checking must therefore be done on all the MX servers.

Syntax: g_spf_skip string

g_spf_skip_from

Skip based on from, e.g. noreply@*paypal.com,…, Also skips RBL

Good for skipping SPF checking if a domain is in some way incompatible with SPF checking

Syntax: g_spf_skip_from string

g_spf_skip_to

Skips SPF checks based on rcpt address and RBL checks.

Syntax: g_spf_skip_to “user@domain.com”

This setting can be used to skip spf checks based on the rcpt address, if used with g_orbs_late “true” then it can also be used to skip rbl checks if the rcpt matches this setting.

Syntax: g_spf_skip_to string

g_spf_rev_skip

Skip SPF checks if reverse ip name matches in this list, e.g. *.yahoo.com

Where you identify a domain that does not support SPF and is often used in a manner which breaks SPF default rules this setting can safely allow the problem domain. This setting is probably not needed now most large mail systems are using SPF.

Syntax: g_spf_rev_skip string

g_spf_share

List of hosts to share allow ips with. Must all have same srs.secret file

List your other incoming mail servers (which must be running surgemail). This lets SurgeMail share the list of known IP addresses which have sent ‘allow’ emails. You must copy your srs.secret file across all of the servers in question so they can verify each other correctly.

Syntax: g_spf_share string

g_spf_header

Use g_verify_mx_skip and apply to resulting ip

If the sending host matches g_verify_mx_skip, then spf tests are performed on the first received header not listed in that setting. Only stamping is possible though since this indicates a front end gateway and a reject would cause a ‘bounce’ which would not be safe

Syntax: g_spf_header bool

g_spf_baddns_skip

If spf dns failure then allow message through (instead of giving retry error)

This setting is not normally needed as lookups generate retry failures so the sending server tries again and the dns failure (which is usually temporary) won’t occur the second time. Normally on a DNS failure SPF should give a ‘retry’ message, this is because spammers often have faulty DNS servers so that SPF checks always fail for their domain, so letting the message through will let some spam into your system. But in some situations the normal behavior might loose you real email so then using this setting at least until your dns problems are resolved might be wise.

Syntax: g_spf_baddns_skip bool

g_spf_nogrey

Skip SPF grey listing for these domains (require allow response)

This toughens spf for the domains in question, requiring that they really pass an ‘allow’ test rather than simply a grey listing test. Good for commonly forged domains which do normally obey spf.

Syntax: g_spf_nogrey string

g_spf_noallow

ignore friends

This toughens spf for critical domains (banks etc) where you don’t want any forged messages leaking through. This setting over-rides the users spf/friends settings for these domains (so should be used with some caution)

Syntax: g_spf_noallow string

g_spf_nofriend

Ignore friends for spf

This toughens spf so friends matches don’t bypass it

Syntax: g_spf_nofriend bool

g_spf_enforce

List of wildcard/domains to enforce spf for, e.g. paypal.com,*bank*

This enforces spf for domain that must be trusted.

Syntax: g_spf_enforce string

g_spf_enforce_real

Enforce spf for domains with strong spf entries

Enforces spf if the domains spf record ends with -all

Syntax: g_spf_enforce_real bool

g_spf_enforce_auto

Enforce spf for commonly forged domains paypal.com,*bank*

If enabled this will enforce spf for some common domains that get forged.

Syntax: g_spf_enforce_auto bool

g_spf_required

Require an spf entry for these domains

Used to make select domains add spf to talk to you

Syntax: g_spf_required string

g_spf_enforce_local

If spf fails and it’s a local domain then skip grey listing and bounce

This settings stops spammers who fake your own email domains, but it may upset users who are not authenticating or are using their own mail servers, so you will have to expect a few minor issues like that when you turn this on. This setting over-rides the ‘users’ spf and friends settings for local domains. (was miss documented as give allow message)

Syntax: g_spf_enforce_local bool

g_spflog_enable

Enable this if this server is a frontend for a SurgeMail server users log into.

Enable this if this server is a frontend for a SurgeMail server users log into.

Syntax: g_spflog_enable bool

g_spflog_domains

Specify which domains should get spflog entries sent to them.

If some of your backend servers are not surgemail then this setting will be needed to turn off the spflog messages to the non surgemail servers

Syntax: g_spflog_domains string

g_spf_byemail

Perform allow bounce confirmation via email.

This gives an email to the sender in the allow bounce message instead of aa url.

Syntax: g_spf_byemail bool

g_spf_web_url

Specify full url for spf byweb commands http://domain.name:port

Normally the default will work.

Syntax: g_spf_web_url string

g_spool_path

Allows SurgeMail to scan a directory for messages to send.

Syntax: g_spool_path “directory of spool”

SurgeMail will scan this directory every few seconds and check for any messages in this directory if found SurgeMail will then send them the messages (must end in the extension .msg). The format of the messages is as follows (without the quotes).

filename: test.msg

“
To: you@domain.com
From: blah@domain.com
Subject: blah blah

This is a test
“

Syntax: g_spool_path string

g_ssl_allow

IP Wild card of connections to allow to use SSL

This setting controls which connecting IP numbers are permitted to use SSL on POP and IMAP. They will see TLS in the protocol extension command (ETRN for SMTPor CAPA for POP). Typically, to enable SSL you set this to “*” after getting a certificate. If you don’t have a valid certificate then turning this on can cause problems as mail clients will try to use SSL and fail. 

Syntax: g_ssl_allow string

g_ssl_allow_imap

IP Wild card list to allow SSL encryption from for imap

This setting controls which connecting IP numbers are permitted to use SSL on IMAP.

Syntax: g_ssl_allow_imap string

g_ssl_allow_fix

Disable incoming ssl on ssl failure from an ip

This setting has no further documentation currently available

Syntax: g_ssl_allow_fix bool

g_ssl_disable

isable-renegotiation-disable-ssl-renegotiation" >

GEnerally this shouldn’t be used unless you have to keep some paranoid security scan happy

Syntax: g_ssl_disable_renegotiation bool

g_ssl_disable_web

Disable protocols for web only

This setting has no further documentation currently available

Syntax: g_ssl_disable_web string

g_ssl_disable_port25

Prevent ssl on port 25

May help virus fire walls to detect viruses, that’s the theory anyway…

Syntax: g_ssl_disable_port25 bool

g_ssl_disable_des

Disable DES ciphers, breaks outlook on XP

This setting has no further documentation currently available

Syntax: g_ssl_disable_des bool

g_ssl_test_fail

Break ssl to test auto downgrade

Break ssl for outgoing sends

Syntax: g_ssl_test_fail bool

g_ssl_require

equire-smtp-if-ip-matches-then-require-ssl-for-incoming-smtp-message" >

This setting has no further documentation currently available

Syntax: g_ssl_require_smtp string

g_ssl_require_in

Local domains that must only receive SSL messages

This setting has no further documentation currently available

Syntax: g_ssl_require_in string

g_ssl_require_smtp

If IP matches then require SSL for incoming SMTP message

This setting has no further documentation currently available

Syntax: g_ssl_require_smtp string

g_ssl_require_imap

IP Wild card of connections to require to use SSL for IMAP

This forces all matching IP addresses to use SSL for IMAP connections.

Syntax: g_ssl_require_imap string

g_ssl_require_login

IP wildcard of connections fur users needing to use SSL

This setting forces all matching IP addresses to use SSL for any action that requires a user login. eg: POP, IMAP and SMTP authentication but not plain SMTP. So this is ideal if you want all users to use SSL but still want email to come in from non SSL SMTP servers.

Syntax: g_ssl_require_login string

g_ssl_require_out

Other machines we only send to using SSL

This forces all matching IP addresses to use SSL for SMTP outgoing connections. Typically you would use this for outgoing connections to increase security. 

Syntax: g_ssl_require_out string

g_ssl_require_web

Require https for most web features (excluding blogs file sharing and surgeplus)

This setting has no further documentation currently available

Syntax: g_ssl_require_web bool

g_ssl_retry_seconds

Second to try and establish ssl connection, default is 5

Best not to change generally

Syntax: g_ssl_retry_seconds int

g_ssl_try_out

Try and start ssl mode to these hosts

If the hosts match then SurgeMail tries to start SSL security on the SMTP session. Note that this may cause failures if the link is dropped by the receiving server.

Syntax: g_ssl_try_out string

g_ssl_try_not

Skip ssl for these hosts

If the hosts match then SurgeMail Does not try ssl even if g_ssl_try_out matches.

Syntax: g_ssl_try_not string

g_ssl_try_from

Try and start ssl mode if from this user, e.g. *@xyz.com

Must also match the g_ssl_try_out rule, this lets you only do ssl when the email is ‘from’ certain domains/users

Syntax: g_ssl_try_from string

g_ssl_per_domain

Create/use an SSL certificate for each domain

SurgeMail can be set to use a single SSL certificate for the server or individual certificates on a per domain basis.

SurgeMail will create private key / certificate pairs if required on startup. Alternatively these can be created using the ‘SSL Config’ link on the global settings page. These can be replaced with your own trusted signed certificates using the web admin interface or by placing the appropriate private key and certificate pem files in the following location: <surgemail>/ssl for a single certificate for the whole server and under <surgemail>/ssl/<vdomain> for per vdomain certificates.

Some mail clients and web browsers will complain if the certificate domain does not match the domain they are connecting to.

Changing g_ssl_per_domain will require surgemail to be restarted to take affect. Changes to certificates using the web admin interface now take affect immediately.

Syntax: g_ssl_per_domain bool

g_ssl_ciphers

List permitted ciphers

This can be used to enhance security, not recommended but is useful if you are trying to pass a security audit of some kind. A value of MEDIUM:HIGH is probably what you want to set it to. It is case sensitive. If your list exceeds 800 bytes use g_ssl_ciphers_add for the second half

Syntax: g_ssl_ciphers string

g_ssl_ciphers_web

List permitted ciphers for web

This list is for web connections only, restart surgemail after changing

Syntax: g_ssl_ciphers_web string

g_ssl_ciphers_add

More permitted ciphers (added to g_ssl_ciphers)

This can be used to enhance security, not recommended but is useful if you are trying to pass a security audit of some kind. A value of MEDIUM:HIGH is probably what you want to set it to. It is case sensitive.

Syntax: g_ssl_ciphers_add string

g_ssl_disable_tlsv1

Obsolte, Disable tls 1.0, not recommended

Use g_ssl_disable and g_ssl_disable_web instead

Syntax: g_ssl_disable_tlsv1 bool

g_ssl_disable_tlsv1_1

Obsolte, Disable tls 1.1 support, not recommended

Use g_ssl_disable and g_ssl_disable_web instead

Syntax: g_ssl_disable_tlsv1_1 bool

g_ssl_disable_tlsv1_2

Obsolte, Disable tls 1.2 support, not recommended

Use g_ssl_disable and g_ssl_disable_web instead

Syntax: g_ssl_disable_tlsv1_2 bool

g_ssl_disable_sslv2

Obsolte, Disable ssl 2.0 support for enhanced security

Disables one of the older ssl protocols which slightly increases security and decreases compatibility with older clients. Use g_ssl_disable and g_ssl_disable_web instead

Syntax: g_ssl_disable_sslv2 bool

g_ssl_disable_sslv3

Obsolte, Disable ssl 3.0 support for enhanced security

Disables one of the ssl protocols which slightly increases security. Use g_ssl_disable and g_ssl_disable_web instead

Syntax: g_ssl_disable_sslv3 bool

g_ssl_sha1_sign

Obsolete, sha256 is now always used

This will probably be made the default in the near future

Syntax: g_ssl_sha1_sign bool

g_ssl_disable_renegotiation

Disable SSL renegotiation.

GEnerally this shouldn’t be used unless you have to keep some paranoid security scan happy

Syntax: g_ssl_disable_renegotiation bool

g_ssl_honor

Honor server cipher order

Maybe useful to force certain types of security/encryption

Syntax: g_ssl_honor bool

g_ssl_perfect

Apply good SSL settings, best to remove g_ssl_ciphers setting too

Just an easy way of setting the ciphers etc for perfect forward secrecy

Syntax: g_ssl_perfect bool

g_ssl_fips

Enable FIPS mode crash if not available (DO NOT USE)

For future use

Syntax: g_ssl_fips bool

g_ssl_dmalloc

Enable dmalloc tracking in ssl

This setting has no further documentation currently available

Syntax: g_ssl_dmalloc bool

g_ssl_warn

Send users weekly reminder if they keep using non SSL logins

This setting has no further documentation currently available

Syntax: g_ssl_warn bool

g_ssl_warn_ignore

Don’t give warnings if user is from this trusted host

This setting has no further documentation currently available

Syntax: g_ssl_warn_ignore string

g_ssl_warn_text

Last line of email warning sent to user if SSL not used

This setting has no further documentation currently available

Syntax: g_ssl_warn_text string

g_sstat_disable

Disable netwin statistics gathering.

We use this to keep track of which features customers use/like

Syntax: g_sstat_disable bool

g_stack

For testing only, NEVER SET THIS

Never set this, it can make the server unstable

Syntax: g_stack int

g_stack_imap

For testing only, NEVER SET THIS

Never set this, it can make the server unstable

Syntax: g_stack_imap int

g_startup_delay

Startup delay

Seconds to wait before accepting inbound connections when starting SurgeMail .

Syntax: g_startup_delay int

g_store_dropped

Store upto 5000 bad bounces in the dropped directory

This is useful to check if vanish_bad_bounces is working correctly

Syntax: g_store_dropped bool

g_header_strip

Strip listed headers from incoming messages

Useful for stripping headers that you don’t trust or don’t want for some reason

Syntax: g_header_strip string

g_surgewall_split

Split up surgewall messages, one per recipient

Split up incoming messages so subject tagging should work

Syntax: g_surgewall_split bool

g_surgewall_redirect

Allow redirect/responder for surgewall

Allows redirect/responder settings to work for surgewall

Syntax: g_surgewall_redirect bool

g_surgewall_ignore_error

Deliver even if some rule sais bounce

This setting should never be used we think…

Syntax: g_surgewall_ignore_error bool

g_surgeblog

Specialize SurgeMail as a Blog server

This setting causes SurgeMail’s interface to specialize itself for the purposes of being a Blog server.

Syntax: g_surgeblog bool

g_surbl

SURBL Spam URI Realtime Blocklists

This looks up each url found in each mail message and checks it against the SURBL database of your choice, the multi database can be used. See http://www.surbl.org/, adds headers of the form: X-Surbl: stamp urlfound nameofsurbl. PLEASE NOTE: Access to surbl is only provided freely in some conditions, larger ISP’s may need to purchase a feed, see http://www.surbl.org/usage-policy

Syntax: g_surbl name=string stamp=string

Example: g_surbl name=”multi.surbl.org” stamp=”sc.surbl.org,ws.surbl.org,phishing,ob.surbl.org,ab.surbl.org,jp”

g_surbl_reject

Reject email with SURBL hits

This can reduce spam on your server by completely rejecting all email containing surbl web links…

Syntax: g_surbl_reject bool

g_surbl_whois

Also check whois info on suspect urls – not for busy servers!

This setting searches whois information and compares what it finds to a list of known persistent spammers who register new domains regularly – if a match is found a surbl header is added. The whois servers don’t like getting heavy load so don’t use this setting if your server is very busy. A cache is used to minimize the load.

Syntax: g_surbl_whois bool

g_surbl_skip

URL’s to allow even if listed in surbl

Sometimes you will want to whitelist a url that is listed in one or more surbl databases, use this setting to do that.

Syntax: g_surbl_skip string

g_surbl_skip_ip

Skip SURBL check if sender is from listed ip

Sometimes you will want to whitelist an ip from SURBL checks. Use this setting to do this.

Syntax: g_surbl_skip_ip string

g_surbl_from

Also check the return path

Adds return path domain/from check in the surbl database, use with Spamhaus DBL

Syntax: g_surbl_from bool

g_vipre_enable

Enable vipre scanner on windows

Enable the vipre scanner module

Syntax: g_vipre_enable bool

g_notag_notascii

Don’t add x-notascii: charset to any non ascii message

This can be used by user exception rules for users that don’t expect any foreign language messages

Syntax: g_notag_notascii bool

g_notag_url_forgery

Don’t add x-UrlForgery when a ref urls seem to not match

Many scam’s will use legit urls with aref links to their own site, this tries to tag such messages which can then be scored as spam via aspam_mfilter.rul

Syntax: g_notag_url_forgery bool

g_tarpit_blackhole

Reject email one recipient at a time to make spammers go away

If tarpit_blackhole is true then if it was going to drop the connection to that user. Instead it will keep it and let the user talk and try and send messages, but will reject all recipients, it only does this for a max of 200 channels, any more are dropped.

Syntax: g_tarpit_blackhole bool

g_tarpit_badrcpt

Delay rejection of bad recipients

Delay rejection of bad recipients (in seconds, default 4s).

Syntax: g_tarpit_badrcpt int

g_tarpit_drop

Max recipients per hour from one IP

Drop link and ban for 1 hour if g_tarpit_max or g_max_bad_to has been exceeded.

Syntax: g_tarpit_drop bool

g_tarpit_retry

Send retry error, 450 if tarpit limits exceeded

This setting has no further documentation currently available

Syntax: g_tarpit_retry bool

g_tarpit_max

Max number of local recipients per hour from one IP

If this limit is exceeded, the offending client is “tarpitted”. This means the mail server starts pretending to go slowly. This is better than simply closing the connection as that will not stop the sending system from trying to reconnect rapidly or send to other systems rapidly, but tarpitting jams the sending system and limits the damage they can do to you and others. Cool huh? 

Unlike G_BOMB_MAX, the g_tarpit_max setting counts the total of all recipients to all addresses from this IP address.

A setting of about 200-10,000 is probably good but be careful with mailing lists it will break them. Use an exclusion for IP addresses of known mailing lists or set the limit higher than known mailing lists, eg: 2,000 is probably a good setting just to avoid disasters without disrupting many real users.

Use spam_allow ip.address.list to over-ride the limit for known systems (eg: mailing list servers) that would be exceed the limit.

Syntax: g_tarpit_max int

g_tarpit_max_remote

Max remote recipients from one IP

The maximum number of remote recipients before slowing down.

Syntax: g_tarpit_max_remote int

g_tarpit_skip

Skip tarpit limit for these destination users or domains, e.g. *@xyz.com

This setting has no further documentation currently available

Syntax: g_tarpit_skip string

g_tarpit_skip_from

Skip tarpit limit for messages from these users e.g. *@xyz.com

This setting has no further documentation currently available

Syntax: g_tarpit_skip_from string

g_tarpit_hacker

Slow DOS attacks in some situations

This setting has no further documentation currently available

Syntax: g_tarpit_hacker bool

g_tellmail_ip

Tellmail IP restriction

Restrict remote tellmail commands to these IP addresses.

Syntax: g_tellmail_ip string

g_tcp_read_timeout

Timeout in ‘seconds’ on POP connections (do not adjust)

Timeout in ‘seconds’ on POP connections, do not adjust. (default 600).

Syntax: g_tcp_read_timeout int

g_tcp_que_len

Length of listen queue for incoming connections

Default is 25 or 200 on windows, to reduce non paged pool on windows reduce to 20

Syntax: g_tcp_que_len int

g_tcp_proxy_ip

Enable TCP proxy protocol for specific address

Enables the tcp proxy protocol on new connections for this address for pop,imap,smtp.

Syntax: g_tcp_proxy_ip string

g_tcp_bf_size

Set tcpip snd/rcv buffer sizes, best left blank

This setting has no further documentation currently available

Syntax: g_tcp_bf_size int

g_cookie_secure

Set all cookies to secure mode on https connections

This setting has no further documentation currently available

Syntax: g_cookie_secure bool

g_token_secure

Use secure flag for surgeweb, stops http access to token, so requires https to work

This setting has no further documentation currently available

Syntax: g_token_secure bool

g_token_httponly

Use httponly flag, stop scripts using token, may break attachments

This setting has no further documentation currently available

Syntax: g_token_httponly bool

g_thread_max

Total maximum number of threads allowed

Total maximum number of threads allowed on this system. This should not normally be changed. If you do increase it start small, eg: 400 is a safe number on most systems. Generally if you need to increase it more than that then you have a performance problem that needs fixing and increasing it more is unlikely to be a good idea. On Linux if your thread_max setting is above 500 then you must modify surgemail_start.sh to increase the handle limit from 1024 to 2048 (at least twice the g_thread_max value). If you get crashes with ‘handle_limit’ recorded in the logs then it’s likely that your operating system handle limit is too small for your g_thread_max setting. On Solaris you will need the 64 bit build of SurgeMail to increase this limit as the Solaris 32 bit ‘c’ libraries are limited to 256 file handles (I kid you not

See FAQ section on session limits

Syntax: g_thread_max int

g_thread_pool

Keep all threads in a common pool

This setting has no further documentation currently available

Syntax: g_thread_pool bool

g_thread_spinlock

Spin more before sleeping when waiting for mutex

This setting has no further documentation currently available

Syntax: g_thread_spinlock bool

g_thread_smooth

Throttle thread creation as max hit to reduce peaks

This setting has no further documentation currently available

Syntax: g_thread_smooth bool

g_timezone

Timezone text

Text to be placed in the timezone part of the date string. e.g. +1200 NZT

Syntax: g_timezone string

g_timezone_force

Hours offset to local time, e.g. 5 (best left blank)

This setting has no further documentation currently available

Syntax: g_timezone_force string

g_timeout_try_later

If timeout while waiting for message to arrive tell other end to retry

This ‘may’ cause faulty servers to endlessly retry a message. But should be ok. Normally this sort of timeout is very rare but can be caused by faulty virus scanner so retrying won’t always help

Syntax: g_timeout_try_later bool

g_tohost_local

Tohost entries to deliver locally

Authentication database tohost name entry to deliver locally. This setting only applies if g_proxy or g_route_by_tohost is enabled. This is useful to allow the configuration of multisite systems using g_route_tohost with a single shared authentication database.

Syntax: g_tohost_local string

g_toscan_path

Path used for mime parts for virus scanner

The default is the toscan directory under the home path, using this setting can help sometimes if permissions are a problem

Syntax: g_toscan_path string

g_train_store

Number of messages to store in each spam training directory (1000-5000)

We recommend about 10000 – dont get carried away, more is not necessarily better!

Syntax: g_train_store int

g_url_alias

Allows translation from one URL to another

Allows translation from one URL or beginning of a URL to another. eg:

g_url_alias from=”/cgi-bin/” to=”/scripts/”

will cause the URL http://localhost:7025/cgi-bin/fred.cgi to reference the same file as http://localhost:7025/scripts/fred.cgi would have, the fred.cgi in the SurgeMail ‘scripts’ directory. The domain url_alias settings are checked before these, the first matching rule is used, settings are checked in the order specified.

Syntax: g_url_alias from=string to=string ports=string

g_url_redirect

Sends http 301 redirect to tell browser resource has moved

Typical usage to move users from http to https automatically, e.g. g_url_redirect from=”http://*/surgeweb” to=”https://%1:7443/surgeweb” ports=”80,7080″

Or you may wish to change the default page to webmail, e.g.

g_url_redirect from=”/” to=”/surgeweb” ports=”443,80″

Syntax: g_url_redirect from=string to=string ports=string

g_url_enable

Enables widearea url database

Syntax: g_url_enable <true/false>

If set then SurgeMail fetches the url database and updates from netwinsite.com every few hours. Messages which contain matches will get a header X-SpamUrl:… which will be used in the spam score. Once enabled you will contribute to Netwin’s central server and also download from their once every couple of days.
Additions to your isspam/notspam training addresses are also sent to netwinsite.com (just the url’s for white list/blacklist)

Syntax: g_url_enable bool

g_url_master

Not for general use

Used by netwin to manage the master server. Sorry this doesn’t allow you to run your own master.
Should be left blank

Syntax: g_url_master bool

g_url_master_to

Not for general use

Not for general use. Used by netwin for testing.

Syntax: g_url_master_to string

g_url_host_noscan

Disable the scan for url_host settings matching the domain in an incoming web request

SurgeMail uses g_server_name and url_host settings to determine the default domain to select for web requests, this setting stops it using the url_host settings (which may be slow on systems with a large number of domains)

Syntax: g_url_host_noscan bool

g_user_alias_file

User aliases configuration file

This setting specifies the configuration file for user aliases. This file is in the following format:

domain alias_domain,access[,access]…

where domain is the domain name eg: email.com, alias_domain is the domain in which aliases can be created, and access specifies who is allowed to create these aliases, it can have one of the following values:

Example alias.dat file:

email.com *.email.com,public
email.com sport.email.com,public
internal.email.com email.com,private
internal.email.com internal.email.com,admin

Syntax: g_user_alias_file string

g_user_alias

Number of aliases accounts can create

This setting specifies the maximum number of account aliases an account (optionally in specified group) can create. The format of these aliases is specified in the file specified by the g_user_alias_file setting. eg.

g_user_alias quota=”10″ group=””
g_user_alias quota=”20″ group=”grp1″
g_user_alias quota=”30″ group=”grp2″

Syntax: g_user_alias group=string quota=int

g_user_blogs

Number of blogs accounts can create

Specifies blog limit based on user group.

Syntax: g_user_blogs group=string quota=int

Example: g_user_blogs group=premium quota=15

g_user_domainlist

Show domains list on user pages

This setting decides who will see the drop-down list of domains on the user check, add, login, and management pages. It has three possible values: user, domadmin and admin. A value of ‘user’ allows everyone to see the list, ‘domadmin’ allows domain admins and the admin to see the list, and ‘admin’ allows only the admin to see the domains list.

Syntax: g_user_domainlist string

g_user_virus_scan

Allow users to enable / disable virus scanner for themselves

This setting adds a tickbox to the Spam page in user self administration that allows the user to enable and disable the virus scanner for them selves.

Syntax: g_user_virus_scan bool

g_user_access

Allow / Restrict user access to features based on 

g_user_access group=”wildcard” access=”list”

This setting matches the g_access_group the user is in to the wildcard specified and applies the specified list to that user, giving / restricting thier access to certain features. The list may include any of the following:

In addition you can prefix any of the above with ! to deny access. There are two other special case values, “all” and “none” which mean exactly what they say, access to “all” or “none” of the features.

Example:

g_user_access group=”simple” access=”all,!spam,!virus”

The above setting gives users in the ‘simple’ group access to all the features except spam and virus features.

Syntax: g_user_access group=string access=string

g_user_access_default

Default user features granted to users

This setting is a default access list for all users on the server, it is specified in the same maner as the g_user_access settings ‘access’ parameter. eg:

g_user_access_default “all,!spam,!virus”

Syntax: g_user_access_default string

g_user_access_from

When sending use from for useraccess rules

When sending a message the user access rules which are applied can be based on the ‘from’ header, this is not secure but is sometimes useful.

Syntax: g_user_access_from bool

g_user_access_webonly

Means user_access rules only stop web interface not actual spam checking etc

This setting has no further documentation currently available

Syntax: g_user_access_webonly bool

g_user_cookies

Enable browser cookies for user self management

Enable browser cookies for user self management.

Syntax: g_user_cookies bool