g_ssl_allow - IP Wild card of connections to allow to use SSL
This setting controls which connecting IP numbers are permitted to use SSL on POP and IMAP. They will see TLS in the protocol extension command (ETRN for SMTP or CAPA for POP). Typically, to enable SSL you set this to "*" after getting a certificate. If you don't have a valid certificate then turning this on can cause problems, as mail clients will try to use SSL and fail.
Syntax: g_ssl_allow string
g_ssl_allow_fix - Disable incoming ssl on ssl failure from an ip
This setting has no further documentation currently available
Syntax: g_ssl_allow_fix bool
g_ssl_allow_imap - IP Wild card list to allow SSL encryption from for imap
This setting controls which connecting IP numbers are permitted to use SSL on IMAP.
Syntax: g_ssl_allow_imap string
g_ssl_auto - Generate letsencrypt ssl certificates automatically for all domains
This setting has no further documentation currently available
Syntax: g_ssl_auto bool
g_ssl_ciphers - List permitted ciphers
This can be used to enhance security. It is not recommended, but is useful if you are trying to pass a security audit of some kind. A value of MEDIUM:HIGH is probably what you want to set it to. It is case sensitive. If your list exceeds 800 bytes, use g_ssl_ciphers_add for the second half.
Syntax: g_ssl_ciphers string
g_ssl_ciphers_add - More permitted ciphers (added to g_ssl_ciphers)
This can be used to enhance security. It is not recommended, but is useful if you are trying to pass a security audit of some kind. A value of MEDIUM:HIGH is probably what you want to set it to. It is case sensitive.
Syntax: g_ssl_ciphers_add string
g_ssl_ciphers_web - List permitted ciphers for web
This list is for web connections only. Restart SurgeMail after changing it.
Syntax: g_ssl_ciphers_web string
g_ssl_disable - Disable protocols tlsv1,tlsv1_1,tlsv1_2,sslv2,sslv3
This setting has no further documentation currently available
Syntax: g_ssl_disable string
g_ssl_disable_des - Disable DES ciphers, breaks outlook on XP
This setting has no further documentation currently available
Syntax: g_ssl_disable_des bool
g_ssl_disable_port25 - Prevent ssl on port 25
May help virus firewalls to detect viruses, that's the theory anyway...
Syntax: g_ssl_disable_port25 bool
g_ssl_disable_sslv2 - Obsolete, Disable ssl 2.0 support for enhanced security
Disables one of the older ssl protocols, which slightly increases security and decreases compatibility with older clients. Use g_ssl_disable and g_ssl_disable_web instead.
Syntax: g_ssl_disable_sslv2 bool
g_ssl_disable_sslv3 - Obsolete, Disable ssl 3.0 support for enhanced security
Disables one of the ssl protocols, which slightly increases security. Use g_ssl_disable and g_ssl_disable_web instead.
Syntax: g_ssl_disable_sslv3 bool
g_ssl_disable_tlsv1 - Obsolete, Disable tls 1.0, not recommended
Use g_ssl_disable and g_ssl_disable_web instead
Syntax: g_ssl_disable_tlsv1 bool
g_ssl_disable_tlsv1_1 - Obsolete, Disable tls 1.1 support, not recommended
Use g_ssl_disable and g_ssl_disable_web instead
Syntax: g_ssl_disable_tlsv1_1 bool
g_ssl_disable_tlsv1_2 - Obsolete, Disable tls 1.2 support, not recommended
Use g_ssl_disable and g_ssl_disable_web instead
Syntax: g_ssl_disable_tlsv1_2 bool
g_ssl_disable_web - Disable protocols for web only
This setting has no further documentation currently available
Syntax: g_ssl_disable_web string
g_ssl_dmalloc - Enable dmalloc tracking in ssl
This setting has no further documentation currently available
Syntax: g_ssl_dmalloc bool
g_ssl_fips - Enable FIPS mode, crash if not available (DO NOT USE)
For future use
Syntax: g_ssl_fips bool
g_ssl_honor - Honor server cipher order
Maybe useful to force certain types of security/encryption
Syntax: g_ssl_honor bool
g_ssl_lets_exclude - Domains urls to not update, user must copy from ssl to lets folder
The certificates must be copied from the ssl to the lets folder manually!
Syntax: g_ssl_lets_exclude string
g_ssl_lets_path - Path to webserver's /.well-known folder for letsencrypt
Use this if you have a webserver that is running on port 80 but you still wish to generate ssl certificates automatically. The folder must be writeable by user 'mail' on Linux.
Syntax: g_ssl_lets_path string
g_ssl_per_domain - Create/use an SSL certificate for each domain
SurgeMail can be set to use a single SSL certificate for the server or individual certificates on a per domain basis.
SurgeMail will create private key / certificate pairs if required on startup. Alternatively these can be created using the 'SSL Config' link on the global settings page. These can be replaced with your own trusted signed certificates using the web admin interface or by placing the appropriate private key and certificate pem files in the following location: <surgemail>/ssl for a single certificate for the whole server and under <surgemail>/ssl/<vdomain> for per vdomain certificates.
Some mail clients and web browsers will complain if the certificate domain does not match the domain they are connecting to.
Changing g_ssl_per_domain will require SurgeMail to be restarted to take effect. Changes to certificates using the web admin interface now take effect immediately.
Syntax: g_ssl_per_domain bool
g_ssl_perfect - Apply good SSL settings, best to remove g_ssl_ciphers setting too
Just an easy way of setting the ciphers etc for perfect forward secrecy
Syntax: g_ssl_perfect bool
g_ssl_require - IP Wild card of connections to require to use SSL
This forces all matching IP addresses to use SSL for SMTP, POP and IMAP connections. Typically you would use this for non-local connections to increase security; local connections might be comparatively safe in unencrypted mode.
Syntax: g_ssl_require string
g_ssl_require_imap - IP Wild card of connections to require to use SSL for IMAP
This forces all matching IP addresses to use SSL for IMAP connections.
Syntax: g_ssl_require_imap string
g_ssl_require_in - Local domains that must only receive SSL messages
This setting has no further documentation currently available
Syntax: g_ssl_require_in string
g_ssl_require_login - IP wildcard of connections for users needing to use SSL
This setting forces all matching IP addresses to use SSL for any action that requires a user login, e.g. POP, IMAP and SMTP authentication, but not plain SMTP. So this is ideal if you want all users to use SSL but still want email to come in from non-SSL SMTP servers.
Syntax: g_ssl_require_login string
g_ssl_require_out - Other machines we only send to using SSL
This forces all matching IP addresses to use SSL for SMTP outgoing connections. Typically you would use this for outgoing connections to increase security.
Syntax: g_ssl_require_out string
g_ssl_require_web - Require https for most web features (excluding blogs file sharing and surgeplus)
This setting has no further documentation currently available
Syntax: g_ssl_require_web bool
g_ssl_retry_seconds - Seconds to try and establish ssl connection, default is 5
Best not to change generally
Syntax: g_ssl_retry_seconds int
g_ssl_sha1_sign - Obsolete, sha256 is now always used
This will probably be made the default in the near future
Syntax: g_ssl_sha1_sign bool
g_ssl_test_fail - Break ssl to test auto downgrade
Break ssl for outgoing sends
Syntax: g_ssl_test_fail bool
g_ssl_throttle_renegotiation - Slow renegotiation to prevent simple dos attack.
Generally this shouldn't be used unless you have to keep some paranoid security scan happy.
Syntax: g_ssl_throttle_renegotiation bool
g_ssl_try_from - Try and start ssl mode if from this user, e.g. *@xyz.com
Must also match the g_ssl_try_out rule. This lets you only do ssl when the email is 'from' certain domains/users.
Syntax: g_ssl_try_from string
g_ssl_try_not - Skip ssl for these hosts
If the hosts match then SurgeMail does not try ssl even if g_ssl_try_out matches.
Syntax: g_ssl_try_not string
g_ssl_try_out - Try and start ssl mode to these hosts
If the hosts match then SurgeMail tries to start SSL security on the SMTP session. Note that this may cause failures if the link is dropped by the receiving server.
Syntax: g_ssl_try_out string
g_ssl_warn - Send users weekly reminder if they keep using non SSL logins
This setting has no further documentation currently available
Syntax: g_ssl_warn bool
g_ssl_warn_ignore - Don't give warnings if user is from this trusted host
This setting has no further documentation currently available
Syntax: g_ssl_warn_ignore string
g_ssl_warn_text - Last line of email warning sent to user if SSL not used
This setting has no further documentation currently available
Syntax: g_ssl_warn_text string
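
The warnings scattered through the entries above (obsolete settings, g_ssl_fips, g_ssl_test_fail, the 800 byte cipher limit, g_ssl_perfect alongside g_ssl_ciphers) can be checked mechanically. The following is an added example, not SurgeMail code: the function names are hypothetical, and it assumes a config file with one `name "value"` pair per line and bool values spelled as in the `TRUE` set.

```python
import re

# Assumed file format: one `name "value"` pair per line; other lines are ignored.
LINE = re.compile(r'^\s*(g_ssl_\w+)\s+"?(.*?)"?\s*$')
# Settings the page marks obsolete.
OBSOLETE = {"g_ssl_disable_sslv2", "g_ssl_disable_sslv3", "g_ssl_disable_tlsv1",
            "g_ssl_disable_tlsv1_1", "g_ssl_disable_tlsv1_2", "g_ssl_sha1_sign"}
TRUE = {"true", "1", "yes", "on"}  # assumed spellings of an enabled bool


def parse(text):
    """Return {setting: value} for every g_ssl_* line in the config text."""
    matches = (LINE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def audit(text):
    """Return sorted (setting, finding) pairs for settings the page warns about."""
    s = parse(text)
    findings = [(n, "marked obsolete on the page") for n in OBSOLETE & s.keys()]

    def on(name):
        return s.get(name, "").lower() in TRUE

    if on("g_ssl_fips"):
        findings.append(("g_ssl_fips", "documented as DO NOT USE"))
    if on("g_ssl_test_fail"):
        findings.append(("g_ssl_test_fail", "test switch that breaks outgoing ssl"))
    if on("g_ssl_perfect") and "g_ssl_ciphers" in s:
        findings.append(("g_ssl_ciphers", "best removed when g_ssl_perfect is set"))
    if len(s.get("g_ssl_ciphers", "").encode()) > 800:
        findings.append(("g_ssl_ciphers", "over 800 bytes, continue in g_ssl_ciphers_add"))
    # The page says disabling sslv2/sslv3 increases security; report if unlisted.
    disabled = {p.strip() for p in s.get("g_ssl_disable", "").split(",")}
    for proto in ("sslv2", "sslv3"):
        if proto not in disabled:
            findings.append(("g_ssl_disable", proto + " not listed"))
    return sorted(findings)


SAMPLE = """\
# constructed sample, not a real server configuration
g_ssl_allow "*"
g_ssl_ciphers "MEDIUM:HIGH"
g_ssl_perfect "true"
g_ssl_disable "sslv2"
g_ssl_disable_sslv3 "true"
g_ssl_test_fail "true"
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```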