g_rcpt_bang – Allow bang characters in addresses
Allow exclamation marks (‘!’) in addresses.
Syntax: g_rcpt_bang bool
g_rcpt_colon – Allow colon characters in addresses
Allow colon characters (‘:’) in addresses.
Syntax: g_rcpt_colon bool
g_rcpt_max – Max recipients per message, default is 1000
Maximum recipients per message. The default is 1000, and it can only be set lower than 1000.
Syntax: g_rcpt_max int
g_rcpt_max_in – Limit for recipients of untrusted channels, default g_rcpt_max
This limit is only applied to untrusted sessions (incoming mail)
Syntax: g_rcpt_max_in int
g_rcpt_msg – Invalid recipient response
Response given for invalid recipient errors. The message is prefixed by the email address.
Syntax: g_rcpt_msg string
g_rcpt_nodup – Ignore duplicate recipients to the same user
When enabled, this prevents a message being delivered more than once to a single person. It’s a fairly good setting to use and will get rid of some spam for people using fallback addresses.
Syntax: g_rcpt_nodup bool
g_rcpt_ok – Whitelist for invalid rcpt addresses we will permit
This setting has no further documentation currently available
Syntax: g_rcpt_ok string
g_rcpt_quote – Allow quote character(s) in addresses
By default quotes are blocked at the SMTP level. This is because some of the authent modules don’t handle quotes in addresses, so it’s best not to let them through. There is no known reason for ever turning this setting on.
Syntax: g_rcpt_quote bool
g_rcpt_trace – Add X-Rcpt-Trace headers
This will list all recipients in the message to facilitate tracing
Syntax: g_rcpt_trace bool
g_rdns_timeout – Timeout for reverse DNS lookups default is 30 seconds
Best set between 10 and 60
Syntax: g_rdns_timeout int
g_received_name – Name shown in received headers
Name shown as received “by” in the received headers. This defaults to the server name but can be specified if required, e.g. “myservername”:
Received: from netwin.co.nz (unverified [10.0.0.5]) by myservername (SurgeMail 1.5f) with ESMTP id 1140619 for <marijn@netwin.co.nz>; Fri, 07 Nov 2003 10:25:59 +1300
Syntax: g_received_name string
g_received_names – List of valid received names for incoming email
This list is used when processing vanish_bad_bounces, vanish_virus_bounces and vanish_any_bounce. It defines the valid received names to expect quoted in a properly formed bounce message for a message from this server/system.
Syntax: g_received_names string
g_received_skip – Don’t write a received header for local trusted users
This setting can be used to hide sensitive local IP addresses from outgoing mail headers. This will make tracking abuse more difficult, so we do not recommend using this setting generally.
Syntax: g_received_skip bool
g_received_skip_all – Skip local received header for messages that have non local recipients
Note that in the case of a message that is to both a local and a remote recipient, it will skip the headers for both, even though the desire is to skip them for the remote recipient only. This is not quite right; ideally one should skip this for outgoing only, but since the header is added at delivery time we thought this was close enough.
Syntax: g_received_skip_all bool
g_received_skip_spf – Skip spf received header for messages that have non local recipients
Note that in the case of a message that is to both a local and a remote recipient, it will skip the headers for both, even though the desire is to skip them for the remote recipient only. This is not quite right; ideally one should skip this for outgoing only, but since the header is added at delivery time we thought this was close enough.
Syntax: g_received_skip_spf bool
g_redirect – Redirect messages to ‘was’ to the ‘new’ address
Specifies a global redirection rule. These rules are applied to local and remote addresses, so they should be used with care; for domain-based redirection use the redirect rules within a domain. An example rule would be: fred@xx.com --> bob@yy.com or *@xx.com --> joe@xx.com
Wild cards can be used and replaced, e.g.
g_redirect was="*@gadget.net" to="%1@gadget.com"
g_redirect was="*@*.gadget.com" to="%1-%2@gadget.com"
Would make
bob@gadget.net --> bob@gadget.com
fred@cool.gadget.com --> fred-cool@gadget.com
These rules are processed ‘before’ the domain is identified, therefore you cannot use host_alias domain values in them. Use a domain redirect rule if this is required.
You can also redirect a message to a robot or script like this:
g_redirect was="auto@mydomain.com" to="|/usr/local/myrobot.sh"
Your script can read the environment variables:
MAILFROM
RCPTTO
MSGSIZE
It must read the message on ‘stdin’; the message will be terminated with “crlf.crlf”.
Your script can then process the message, and if it wants to respond it must use SMTP to send a response back.
Your script will run as the user ‘mail’, so if that user does not have access to the script file or work files then it will fail.
Syntax: g_redirect was=string to=string
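A handler script for the pipe rule above, added here as an example and not taken from SurgeMail. It assumes MAILFROM and RCPTTO arrive as bare addresses and that the message ends with a line holding only “.”; SPOOL_DIR, MAX_BYTES and the spool layout are hypothetical.

```sh
#!/bin/sh
# Hypothetical /usr/local/myrobot.sh for a g_redirect "|script" rule.
# SPOOL_DIR and MAX_BYTES are names made up for this example.
SPOOL_DIR="${SPOOL_DIR:-/var/spool/myrobot}"
MAX_BYTES="${MAX_BYTES:-1048576}"
CR=$(printf '\r')

# Envelope values are chosen by the remote sender: accept only a
# conservative address shape and never pass them to eval or a file name.
valid_addr() {
    case "$1" in
        ''|*[!A-Za-z0-9@._+=-]*|*@*@*|@*|*@) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy the message from stdin to stdout without CRs, stopping at the lone
# "." line that ends it. Returns 1 if input ends early, 2 if too large.
read_message() {
    total=0
    while IFS= read -r line; do
        line=${line%"$CR"}
        [ "$line" = "." ] && return 0
        total=$((total + ${#line} + 1))      # size counted in characters
        [ "$total" -gt "$MAX_BYTES" ] && return 2
        printf '%s\n' "$line"
    done
    return 1
}

main() {
    # An empty MAILFROM (a bounce) fails here, so the robot never answers one.
    valid_addr "${MAILFROM:-}" || { echo "rejected MAILFROM" >&2; return 1; }
    valid_addr "${RCPTTO:-}" || { echo "rejected RCPTTO" >&2; return 1; }
    case "${MSGSIZE:-}" in ''|*[!0-9]*) return 1 ;; esac
    [ "$MSGSIZE" -le "$MAX_BYTES" ] || return 1
    umask 077                                 # spool files readable by 'mail' only
    tmp=$(mktemp "$SPOOL_DIR/msg.XXXXXX") || return 1
    if read_message > "$tmp"; then
        printf '%s %s %s\n' "$MAILFROM" "$RCPTTO" "${tmp##*/}" >> "$SPOOL_DIR/index"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Run only when started by the mail server, which sets RCPTTO.
if [ -n "${RCPTTO:-}" ]; then main; fi
```

The spool directory must already exist and be writable by the user ‘mail’, since that is the account the script runs as.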
g_redirect_cc – Carbon Copy redirect message
Same as ‘redirect’ but the message is still delivered to the original address as well. For g_redirect_cc there are two special names defined, “$localdomain$” and “$remotedomain$”, which can be used in the ‘was’ parameter (requires SurgeMail 2.3).
Syntax: g_redirect_cc was=string to=string
g_redirect_cc_attach – Redirect message as attachment if rule applies
This rule is applied at the point of delivery, so only if the original user actually gets the email. The message is sent as an attachment, and the original message is ALSO delivered.
Syntax: g_redirect_cc_attach was=string to=string header=string contains=string
g_redirect_from – Redirect message if from matches
Redirect a message to another address if the from matches.
Syntax: g_redirect_from from=string to=string
g_redirect_from_cc – Carbon Copy redirect message if from matches
Redirect a copy of the message to another address if the from matches, still delivering to the original address as well.
Syntax: g_redirect_from_cc from=string to=string
g_redirect_hide – Hide the redirection in the SMTP output
Hide the redirection in the SMTP output
Syntax: g_redirect_hide bool
g_redirect_iflocal – If local domain, then apply redirect
This is for doing fancy redirection where the rule is only applied if the domain of the destination is a local domain. For example to redirect all messages to postmaster at any local domain to one particular admin user.
Syntax: g_redirect_iflocal was=string to=string
Example: g_redirect_iflocal was="postmaster@*" to="john@main.domain"
g_redirect_ignore_errors – Accept email even if redirected addresses fail
We consider this to be faulty behaviour as it will lead to emails vanishing with no bounce. Use entirely at your own risk.
Syntax: g_redirect_ignore_errors bool
g_redirect_newmid – Generate new MID on redirection
This can help avoid loops.
Syntax: g_redirect_newmid bool
g_redirect_noautocreate_rules – Don’t create redirection rules for domains automatically
This will stop SurgeMail creating redirection rules for new domains, such as postmaster, abuse and support.
Syntax: g_redirect_noautocreate_rules bool
g_redirect_ses – If message is not local then apply redirect
Send all outgoing email to this address instead. This is useful for redirecting email to a robot (like the Amazon SES service). It is called for each outgoing message, once for each recipient.
Syntax: g_redirect_ses from=string was=string to=string
Example: g_redirect_ses was="*" to="john@external.domain"
g_smtp_allow_invalid – Allow messages with invalid headers
This setting has no further documentation currently available
Syntax: g_smtp_allow_invalid bool
g_smtp_auth_debug – Auth Debug (do not use)
This setting has no further documentation currently available
Syntax: g_smtp_auth_debug bool
g_smtp_auth_ip – IP addresses to accept SMTP authentication from
This prevents a hacker sending out spam by cracking a user’s account details. Users must log in from an address specified in g_smtp_auth_ip or g_relay_allow_ip.
Syntax: g_smtp_auth_ip string
g_smtp_auth_off – Disable SMTP AUTH from unknown ip addresses (NOT RECOMMENDED)
This prevents a hacker sending out spam by cracking a user’s account details. Users must log in from an address specified in g_smtp_auth_ip or g_relay_allow_ip. NEVER USE THIS!
Syntax: g_smtp_auth_off bool
g_smtp_big – Slow down incoming SMTP reads to get bigger packets (experimental)
This setting tries to prevent thrashing by making the server slow down the speed at which it reads data, in an attempt to get larger packets. This seemed to have no effect when I tested it, but play with it if you want. It is only intended to be useful when you have hundreds of incoming connections all very slowly sending in data, and the server is short of CPU.
Syntax: g_smtp_big bool
g_smtp_bounce_nslow – Number of handles to use for doing slow rejections of smtp connections
If external servers are overloading your server so much that it ends up in a CPU loop rejecting connections, then increasing this might help. But beware: your system must not run out of file handles, so don’t set it too large. The default is 100.
Syntax: g_smtp_bounce_nslow int
g_smtp_cmd_timeout – SMTP command timeout
Seconds to wait after getting a message for next command (workaround for sendmail bug)
Syntax: g_smtp_cmd_timeout int
g_smtp_cram_enable – Enable CRAM-MD5 authentication (requires nwauth 4.0h or greater) – Not Recommended
Please note that CRAM-MD5 does have security implications; specifically, it means that the local user’s password must be stored in a semi-reversible state in the authent database. Also, you must be using the new version of the NWAuth module. CRAM-MD5 also cannot be used with migration from an old server (since by definition the old password is never sent).
Syntax: g_smtp_cram_enable bool
g_smtp_data_bug – Fail on incoming emails for debugging
This setting has no further documentation currently available
Syntax: g_smtp_data_bug bool
g_smtp_data_timeout – SMTP data timeout
Seconds to wait for SMTP data input.
Syntax: g_smtp_data_timeout int
g_smtp_delay – Seconds to wait before responding to rcpts, 1-20, this reduces load on bulk senders
Only applies if there are more than 2 connections from the same IP address, so it only throttles bulk senders, not people.
Syntax: g_smtp_delay int
g_smtp_delay_stamp – Stamp message if sender doesn’t wait for welcome
If true, then if any SMTP commands arrive before the ‘helo’ greeting is sent, a header is added to messages which will result in a higher spam score.
Syntax: g_smtp_delay_stamp bool
g_smtp_etrn_auth – ETRN if authenticated
Only do ETRN processing if the user is authenticated.
Syntax: g_smtp_etrn_auth bool
g_smtp_fast_bounce – Reject bad connections immediately
Normally SurgeMail waits 1-10 seconds before rejecting a bad connection (rbl/limits,…); this reduces CPU usage and prevents some DoS attacks. This setting disables this behaviour.
Syntax: g_smtp_fast_bounce bool
g_smtp_fix_nohead – Accept messages with no headers and try and cope
This setting tries to cope if the message contains no headers at all. It is not recommended, of course, but may be needed on occasion for bad scripts.
Syntax: g_smtp_fix_nohead bool
g_smtp_help_disable – Disable SMTP help command
Disable the SMTP help command (minor security precaution).
Syntax: g_smtp_help_disable bool
g_smtp_log_protocol – Log SMTP protocol
If enabled, the SMTP protocol is logged to the mail.log file as “smtp: In” and “smtp: Out” entries.
Syntax: g_smtp_log_protocol bool
g_smtp_log_size – Size of smtp.log file
This sets the smtp.log file size, default is 2mb
Syntax: g_smtp_log_size int
g_smtp_max – Max total incoming SMTP connections
This limits the channels that will be used at any one time for incoming SMTP connections. The purpose of this setting is to prevent a sudden burst of spam from using up all available channels. Generally you do not need to change this. (Default = 250). Use the related setting g_smtp_max_reason to overwrite the detailed error if you don’t want spammers to know what your limits are set to.
Syntax: g_smtp_max int
g_smtp_max_nolimit – IP based exceptions to g_smtp_max
This lets you specify IP-based exceptions to g_smtp_max, so if you need a certain IP to open up many connections you would add that IP here.
e.g. g_smtp_max_nolimit "10.0.0.50"
Syntax: g_smtp_max_nolimit string
g_smtp_max_reason – Reason to give to user if g_smtp_max is exceeded
This is most useful when the host in question is being used for the wrong purpose (incoming when it’s intended for outgoing etc.), or simply to advise the user of a potential solution.
Syntax: g_smtp_max_reason string
g_smtp_maxbad – Max bad SMTP commands
The maximum number of bad commands accepted per session before SurgeMail will drop the connection.
Example: g_smtp_maxbad "10"
Syntax: g_smtp_maxbad int
g_smtp_no_brackets – Allow from/rcpt without angle brackets
Some faulty mail clients forget to put the brackets <> around the recipient; this setting allows such faulty behavior. Not generally recommended.
Syntax: g_smtp_no_brackets bool
g_smtp_noauth – Limit SMTP to just these addresses (not generally useful)
Mail sent from other IP addresses is only accepted if the user is authenticated. Typically used if your server is behind a firewall of some kind and should only allow incoming email from a particular IP address. Users will be able to send from any IP address if they use SMTP authentication. This setting is only useful if your incoming email always comes through a gateway or filter; it’s not a normally useful setting.
Syntax: g_smtp_noauth string
g_smtp_noauth_msg – Message given when sender is told to use authentication because of g_smtp_noauth
Message sent to the sender when they try to send to the server but are required to authenticate because of g_smtp_noauth.
Syntax: g_smtp_noauth_msg string
g_smtp_noauthm – Limit SMTP to just these addresses (not generally useful)
Mail sent from other IP addresses is only accepted if the user is authenticated. Typically used if your server is behind a firewall of some kind and should only allow incoming email from a particular IP address. Users will be able to send from any IP address if they use SMTP authentication.
Syntax: g_smtp_noauthm string
g_smtp_noclear – Disable smtp buffer clear after starttls command
Testing feature.
Syntax: g_smtp_noclear bool
g_smtp_plain_hide – Hide ‘plain’ from the ehlo response
This is to keep stupid scanners happy. For security you should disable non-SSL logins; disabling plain is pointless and annoying.
Syntax: g_smtp_plain_hide bool
g_smtp_port – Port to listen for SMTP connections (default 25)
Typically you won’t need to change this; however, you can specify an IP address to bind to or a list of alternate ports, e.g. 10.3.2.3:25 or 110,2110 etc… By default the mail server listens to port 25 on all adapters/addresses. Use the keyword ‘disabled’ to disable this part of the SurgeMail service.
Syntax: g_smtp_port int
g_smtp_portauth – SMTP ports which require smtp authentication, typically 587
It is recommended (by some) that users send email to port 587, that this port require SMTP authentication, and that port 25 be blocked from client IP addresses to prevent viruses etc. using email servers. Be sure to add ,587 to the g_smtp_port setting too!
Syntax: g_smtp_portauth string
g_smtp_portforce – Block logins for ports not listed in g_smtp_portauth
Use this to prevent local users logging into port 25. This also stops many spammers abusing your system, as they will try to send on port 25.
Syntax: g_smtp_portforce bool
g_smtp_secure_port – Port to listen for secure SMTP connections (default 465)
Port to listen on for dedicated SSL SMTP connections.
Syntax: g_smtp_secure_port int
g_smtp_thread – Use separate thread for incoming SMTP connections
This makes the server run a separate thread just to process incoming SMTP connections. This can help on a busy system to stop a huge load of SMTP connections clogging up the POP/IMAP connection processing. It is rarely needed.
Syntax: g_smtp_thread bool
g_smtp_vrfy_allow – Allow vrfy from these addresses, not recommended
This setting is rarely a good idea; VRFY is best left disabled.
Syntax: g_smtp_vrfy_allow string
g_smtp_vrfy_msg – VRFY response
Change Response to VRFY, e.g. 252 Not telling.
Syntax: g_smtp_vrfy_msg string
g_smtp_warning – Send manager warning if this many sessions reached (max 1 per hour)
This setting has no further documentation currently available
Syntax: g_smtp_warning int
g_smtp_welcome_delay – Delays welcome message
Syntax: g_smtp_welcome_delay "seconds"
This delays the welcome message sent by SurgeMail to a connecting server. If the server sends data to SurgeMail during this waiting time, SurgeMail will drop their connection. The theory is that any well behaved server will wait for prompts and check them, but a lot of spamming software never takes any notice of prompts/responses and sends blindly. We believe a value of 1-3 seconds is ideal. You can also exempt IPs from this setting by using g_spam_allow "ip". Settings too high will cause real mail to be lost.
Examples:
g_smtp_welcome_delay "3"
g_spam_allow "127.0.0.1"
In the example above, the welcome message is delayed for 3 seconds and anyone that sends data in those 3 seconds will be dropped, but anything connecting from 127.0.0.1 will be able to send immediately (you should make sure webmail is exempt).
Syntax: g_smtp_welcome_delay int
g_tarpit_badrcpt – Delay rejection of bad recipients
Delay rejection of bad recipients (in seconds, default 4s).
Syntax: g_tarpit_badrcpt int
g_tarpit_blackhole – Reject email one recipient at a time to make spammers go away
If tarpit_blackhole is true, then when the server was going to drop the connection to that user, it will instead keep it and let the user talk and try to send messages, but will reject all recipients. It only does this for a maximum of 200 channels; any more are dropped.
Syntax: g_tarpit_blackhole bool
g_tarpit_drop – Max recipients per hour from one IP
Drop link and ban for 1 hour if g_tarpit_max or g_max_bad_to has been exceeded.
Syntax: g_tarpit_drop bool
g_tarpit_max – Max number of local recipients per hour from one IP
If this limit is exceeded, the offending client is “tarpitted”. This means the mail server starts pretending to go slowly. This is better than simply closing the connection as that will not stop the sending system from trying to reconnect rapidly or send to other systems rapidly, but tarpitting jams the sending system and limits the damage they can do to you and others. Cool huh?
Unlike G_BOMB_MAX, the g_tarpit_max setting counts the total of all recipients to all addresses from this IP address.
A setting of about 200-10,000 is probably good, but be careful with mailing lists: it will break them. Use an exclusion for IP addresses of known mailing lists or set the limit higher than known mailing lists, e.g. 2,000 is probably a good setting just to avoid disasters without disrupting many real users.
Use spam_allow ip.address.list to override the limit for known systems (e.g. mailing list servers) that would exceed the limit.
Syntax: g_tarpit_max int
g_tarpit_max_remote – Max remote recipients from one IP
The maximum number of remote recipients before slowing down.
Syntax: g_tarpit_max_remote int
g_tarpit_retry – Send retry error, 450 if tarpit limits exceeded
This setting has no further documentation currently available
Syntax: g_tarpit_retry bool
g_tarpit_skip – Skip tarpit limit for these destination users or domains, e.g. *@xyz.com
This setting has no further documentation currently available
Syntax: g_tarpit_skip string
g_tarpit_skip_from – Skip tarpit limit for messages from these users e.g. *@xyz.com
This setting has no further documentation currently available
Syntax: g_tarpit_skip_from string