Global settings SMTP incoming msgs

g_rcpt_bang – Allow bang characters in addresses

Allow exclamation marks (‘!’) in addresses.

Syntax: g_rcpt_bang bool

g_rcpt_colon – Allow colon characters in addresses

Allow colon characters (‘:’) in addresses.

Syntax: g_rcpt_colon bool

g_rcpt_max – Max recipients per message, default is 1000

Maximum recipients per message. The default is 1000 and the value can only be set lower than 1000.

Syntax: g_rcpt_max int

g_rcpt_max_in – Limit for recipients of untrusted channels, default g_rcpt_max

This limit is only applied to untrusted sessions (incoming mail)

Syntax: g_rcpt_max_in int

g_rcpt_msg – Invalid recipient response

Response given for invalid recipient errors. The message is prefixed by the email address.

Syntax: g_rcpt_msg string

g_rcpt_nodup – Ignore duplicate recipients to the same user

When enabled, this prevents a message being delivered more than once to a single person. It’s a fairly good setting to use and will get rid of some spam for people using fallback addresses.

Syntax: g_rcpt_nodup bool

g_rcpt_ok – Whitelist for invalid rcpt addresses we will permit

This setting has no further documentation currently available

Syntax: g_rcpt_ok string

g_rcpt_quote – Allow quote character(s) in addresses

By default quotes are blocked at the SMTP level. This is because some of the authent modules don’t handle quotes in addresses, so it’s best not to let them through. There is no known reason for ever turning this setting on.

Syntax: g_rcpt_quote bool

g_rcpt_trace – Add X-Rcpt-Trace headers

This will list all recipients in the message to facilitate tracing

Syntax: g_rcpt_trace bool

g_rdns_timeout – Timeout for reverse DNS lookups default is 30 seconds

Best set between 10 and 60

Syntax: g_rdns_timeout int

g_received_name – Name shown in received headers

Name shown as received “by” in the Received headers. This defaults to the server name but can be specified if required, e.g. “myservername”:

 Received: from netwin.co.nz (unverified [10.0.0.5])
 by myservername (SurgeMail 1.5f) with ESMTP id 1140619
 for <marijn@netwin.co.nz>; Fri, 07 Nov 2003 10:25:59 +1300

Syntax: g_received_name string

g_received_names – List of valid received names for incoming email

This list is used when processing vanish_bad_bounces, vanish_virus_bounces and vanish_any_bounce. It defines the valid received names to expect quoted in a properly formed bounce message for a message from this server/system.

Syntax: g_received_names string

g_received_skip – Don’t write a received header for local trusted users

This setting can be used to hide sensitive local IP addresses from outgoing mail headers. This will make tracking abuse more difficult; we do not recommend using this setting generally.

Syntax: g_received_skip bool

g_received_skip_all – Skip local received header for messages that have non local recipients

Note that in the case of a message that is to both a local and a remote recipient, it will skip the headers for both, even though the desire is to skip them for the remote recipient only. This is not quite right; ideally one should skip this for outgoing only, but since the header is added at delivery time we thought this was close enough.

Syntax: g_received_skip_all bool

g_received_skip_spf – Skip spf received header for messages that have non local recipients

Note that in the case of a message that is to both a local and a remote recipient, it will skip the headers for both, even though the desire is to skip them for the remote recipient only. This is not quite right; ideally one should skip this for outgoing only, but since the header is added at delivery time we thought this was close enough.

Syntax: g_received_skip_spf bool

g_redirect – Redirect messages to ‘was’ to the ‘new’ address

Specifies a global redirection rule. These rules are applied to local and remote addresses, so they should be used with ‘care’; for domain-based redirection use the redirect rules within a domain. An example rule would be: fred@xx.com –> bob@yy.com or *@xx.com –> joe@xx.com

Wild cards can be used and replaced, e.g.

g_redirect was="*@gadget.net" to="%1@gadget.com"
g_redirect was="*@*.gadget.com" to="%1-%2@gadget.com"

Would make

bob@gadget.net –> bob@gadget.com
fred@cool.gadget.com –> fred-cool@gadget.com

These rules are processed ‘before’ the domain is identified, therefore you cannot use host_alias domain values in them. Use a domain redirect rule if this is required.
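Because global rules also apply to remote addresses, it helps to preview what a rule set will capture before loading it. The following is an added example, not SurgeMail's own matcher: it models the wildcard behaviour shown above, assuming `*` matches any run of characters, matching ignores case, and the first matching rule wins. The function names are hypothetical.

```python
import re

# Constructed sample rules: the two wildcard rules and the robot rule from the text.
RULES = [
    ("*@gadget.net", "%1@gadget.com"),
    ("*@*.gadget.com", "%1-%2@gadget.com"),
    ("auto@mydomain.com", "|/usr/local/myrobot.sh"),
]

def compile_was(was):
    """Compile a 'was' pattern: every * becomes a capture group (%1, %2, ...).
    Assumption: * matches any run of characters and matching ignores case."""
    literal_parts = [re.escape(part) for part in was.split("*")]
    return re.compile("(.*)".join(literal_parts), re.IGNORECASE)

def rewrite(was, to, address):
    """Return the redirected address, or None when the rule does not match."""
    match = compile_was(was).fullmatch(address)
    if match is None:
        return None

    def fill(ref):
        index = int(ref.group(1))
        # Leave %N untouched if the pattern has no Nth wildcard.
        return match.group(index) if index <= match.re.groups else ref.group(0)

    return re.sub(r"%([1-9])", fill, to)

def preview(rules, addresses):
    """For each address, report the first matching rule (assumed first-match-wins)."""
    report = {}
    for address in addresses:
        report[address] = None
        for was, to in rules:
            result = rewrite(was, to, address)
            if result is not None:
                # A target starting with | hands the message to a script.
                report[address] = {"rule": was, "to": result,
                                   "script": result.startswith("|")}
                break
    return report

if __name__ == "__main__":
    # Constructed test addresses, including a remote one that no rule should touch.
    samples = ["bob@gadget.net", "fred@cool.gadget.com",
               "auto@mydomain.com", "alice@example.org"]
    for address, hit in preview(RULES, samples).items():
        print(address, "->", hit["to"] if hit else "(no global redirect)")
```

Run it with a list of real local and remote addresses to see which ones a new rule would silently rewrite.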

You can also redirect a message to a robot or script like this:

g_redirect was="auto@mydomain.com" to="|/usr/local/myrobot.sh"

Your script can read the environment variables:
MAILFROM
RCPTTO
MSGSIZE

It must read the message on ‘stdin’; the message will be terminated with “crlf.crlf”.

Your script can then process the message, and if it wants to respond it must use SMTP to send a response back etc…

Your script will run as the user ‘mail’, so if that user does not have access to the script file or work files then it will fail.
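A robot of this kind receives values chosen by whoever sent the mail, so it should validate them before use. The following is an added example, not code from SurgeMail: a Python handler (the page's own example path is a shell script) that checks MAILFROM, RCPTTO and MSGSIZE and reads stdin only up to the terminator. The size cap, the address pattern and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Added example: a defensive robot for a g_redirect pipe target."""
import os
import re
import sys

MAX_BYTES = 1_000_000  # assumed local cap, not a SurgeMail default
# Conservative address shape (assumption): no quotes, spaces or shell metacharacters.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}")

def clean_address(value):
    """Return the address if it has the conservative shape, else None.
    MAILFROM and RCPTTO are chosen by the remote SMTP client, so treat them as
    untrusted. An empty sender (a bounce) also yields None, so the robot never
    answers bounces."""
    value = (value or "").strip().strip("<>")
    return value if ADDRESS_RE.fullmatch(value) else None

def read_message(stream, limit=MAX_BYTES):
    """Read a binary stream up to the line holding a single '.', enforcing limit."""
    lines, total = [], 0
    while True:
        # Bounded readline: an endless line cannot exhaust memory.
        line = stream.readline(limit - total + 1)
        if not line:
            raise ValueError("input ended before the crlf.crlf terminator")
        if line in (b".\r\n", b".\n"):
            return b"".join(lines)
        total += len(line)
        if total > limit:
            raise ValueError("message larger than the local limit")
        lines.append(line)

def handle(env, stream, limit=MAX_BYTES):
    """Validate the three environment variables, then read the message."""
    sender = clean_address(env.get("MAILFROM"))
    rcpt = clean_address(env.get("RCPTTO"))
    if sender is None or rcpt is None:
        raise ValueError("unusable MAILFROM or RCPTTO")
    declared = env.get("MSGSIZE", "")
    if not re.fullmatch(r"[0-9]{1,10}", declared) or int(declared) > limit:
        raise ValueError("missing or oversized MSGSIZE")
    return {"from": sender, "rcpt": rcpt, "body": read_message(stream, limit)}

if __name__ == "__main__":
    try:
        message = handle(os.environ, sys.stdin.buffer)
    except ValueError as err:
        # How the server treats the exit status is not documented on this page.
        sys.stderr.write(f"robot: input rejected: {err}\n")
        sys.exit(1)
    # Process message["body"] here. Hand the addresses to other programs only as
    # list arguments (subprocess.run([...])), never inside a shell command string.
```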

Syntax: g_redirect was=string to=string

g_redirect_cc – Carbon Copy redirect message

Same as ‘redirect’ but the message is still delivered to the original address as well. For g_redirect_cc there are two special names defined, “$localdomain$” and “$remotedomain$”, which can be used in the ‘was’ parameter (requires SurgeMail 2.3).

Syntax: g_redirect_cc was=string to=string

g_redirect_cc_attach – Redirect message as attachment if rule applies

This rule is applied at the point of delivery, so only if the original user actually gets the email. The message is sent as an attachment, and the original message is ALSO delivered.

Syntax: g_redirect_cc_attach was=string to=string header=string contains=string

g_redirect_from – Redirect message if from matches

Redirect a message to another address if the from matches. 

Syntax: g_redirect_from from=string to=string

g_redirect_from_cc – Carbon Copy redirect message if from matches

Redirect a copy of the message to another address if the from matches, still delivering to the original address as well.

Syntax: g_redirect_from_cc from=string to=string

g_redirect_hide – Hide the redirection in the SMTP output

Hide the redirection in the SMTP output

Syntax: g_redirect_hide bool

g_redirect_iflocal – If local domain, then apply redirect

This is for doing fancy redirection where the rule is only applied if the domain of the destination is a local domain. For example, it can redirect all messages to postmaster at any local domain to one particular admin user.

Syntax: g_redirect_iflocal was=string to=string

Example: g_redirect_iflocal was="postmaster@*" to="john@main.domain"

g_redirect_ignore_errors – Accept email even if redirected addresses fail

We consider this to be faulty behaviour as it will lead to emails vanishing with no bounce. Use entirely at your own risk.

Syntax: g_redirect_ignore_errors bool

g_redirect_newmid – Generate new MID on redirection

This can help avoid loops.

Syntax: g_redirect_newmid bool

g_redirect_noautocreate_rules – Don’t create redirection rules for domains automatically

This will stop SurgeMail creating redirection rules for new domains, such as postmaster, abuse and support.

Syntax: g_redirect_noautocreate_rules bool

g_redirect_ses – If message is not local then apply redirect

Send all outgoing email to this address instead. Useful for redirecting email to a robot (like the Amazon SES service). This is called for each outgoing message, once for each recipient.

Syntax: g_redirect_ses from=string was=string to=string

Example: g_redirect_ses was="*" to="john@external.domain"

g_smtp_allow_invalid – Allow messages with invalid headers

This setting has no further documentation currently available

Syntax: g_smtp_allow_invalid bool

g_smtp_auth_debug – Auth Debug (do not use)

This setting has no further documentation currently available

Syntax: g_smtp_auth_debug bool

g_smtp_auth_ip – IP addresses to accept SMTP authentication from

This prevents a hacker sending out spam by cracking a user’s account details. Users must log in from an address specified in g_smtp_auth_ip or g_relay_allow_ip.

Syntax: g_smtp_auth_ip string

This prevents a hacker sending out spam by cracking a user’s account details. Users must log in from an address specified in g_smtp_auth_ip or g_relay_allow_ip. NEVER USE THIS!

Syntax: g_smtp_auth_off bool

g_smtp_big – Slow down incoming SMTP reads to get bigger packets (experimental)

This setting tries to prevent thrashing by making the server slow down the speed it reads data in an attempt to get larger packets. This seemed to have no effect when I tested it, but play with it if you want. It is only intended to be useful when you have hundreds of incoming connections all very slowly sending in data, and the server is short of CPU.

Syntax: g_smtp_big bool

g_smtp_bounce_nslow – Number of handles to use for doing slow rejections of smtp connections

If external servers are overloading your server so much that it ends up in a CPU loop rejecting connections, then increasing this might help. But beware: your system must not run out of file handles, so don’t set it too large. The default is 100.

Syntax: g_smtp_bounce_nslow int

g_smtp_cmd_timeout – SMTP command timeout

Seconds to wait after getting a message for next command (workaround for sendmail bug)

Syntax: g_smtp_cmd_timeout int

Please note that CRAM-MD5 does have security implications: specifically, it means that the local user’s password must be stored in a semi-reversible state in the authent database. Also, you must be using the new version of the NWAuth module. CRAM-MD5 also cannot be used with Migration from an old server (since by definition the old password is never sent).

Syntax: g_smtp_cram_enable bool

g_smtp_data_bug – Fail on incoming emails for debugging

This setting has no further documentation currently available

Syntax: g_smtp_data_bug bool

g_smtp_data_timeout – SMTP data timeout

Seconds to wait for SMTP data input.

Syntax: g_smtp_data_timeout int

g_smtp_delay – Seconds to wait before responding to rcpts, 1-20, this reduces load on bulk senders

Only applies if there are more than 2 connections from the same IP address, so it only throttles bulk senders, not people.

Syntax: g_smtp_delay int

g_smtp_delay_stamp – Stamp message if sender doesn’t wait for welcome

If true, then if any SMTP commands arrive before the ‘helo’ greeting is sent, a header is added to messages which will result in a higher spam score.

Syntax: g_smtp_delay_stamp bool

g_smtp_etrn_auth – etrn if authenticated

Only do etrn processing if user is authenticated.

Syntax: g_smtp_etrn_auth bool

g_smtp_fast_bounce – Reject bad connections immediately

Normally SurgeMail waits 1-10 seconds before rejecting a bad connection (rbl/limits,…). This reduces CPU usage and prevents some DOS attacks. This setting disables this behaviour.

Syntax: g_smtp_fast_bounce bool

g_smtp_fix_nohead – Accept messages with no headers and try and cope

This setting tries to cope if the message contains no headers at all. It is not recommended, of course, but may be needed on occasion for bad scripts.

Syntax: g_smtp_fix_nohead bool

g_smtp_help_disable – disable smtp help command

Disable SMTP help command (minor security precaution).

Syntax: g_smtp_help_disable bool

g_smtp_log_protocol – Log SMTP protocol

If enabled, the SMTP protocol is logged to the mail.log file as “smtp: In” and “smtp: Out” entries.

Syntax: g_smtp_log_protocol bool

g_smtp_log_size – Size of smtp.log file

This sets the smtp.log file size. The default is 2 MB.

Syntax: g_smtp_log_size int

g_smtp_max – Max total incoming SMTP connections

This limits the channels that will be used at any one time for incoming SMTP connections. The purpose of this setting is to prevent a sudden burst of spam from using up all available channels. Generally you do not need to change this. (Default = 250). Use the related setting g_smtp_max_reason to overwrite the detailed error if you don’t want spammers to know what your limits are set to.

Syntax: g_smtp_max int

g_smtp_max_nolimit – IP based exceptions to g_smtp_max

This lets you specify IP based exceptions to g_smtp_max, so if you need a certain IP to open up many connections you would add that IP here.

eg. g_smtp_max_nolimit "10.0.0.50"

Syntax: g_smtp_max_nolimit string

g_smtp_max_reason – Reason to give to user if g_smtp_max is exceeded

This is most useful when the host in question is being used for the wrong purpose (incoming when it’s intended for outgoing etc), or simply to advise the user of a potential solution.

Syntax: g_smtp_max_reason string

g_smtp_maxbad – Max bad SMTP commands

The maximum number of bad commands accepted per session before SurgeMail will drop the connection.

Example: g_smtp_maxbad "10"

Syntax: g_smtp_maxbad int

g_smtp_no_brackets – Allow from/rcpt without angle brackets

Some faulty mail clients forget to put the brackets <> around the recipient, this setting allows such faulty behavior. Not generally recommended.

Syntax: g_smtp_no_brackets bool

g_smtp_noauth – Limit SMTP to just these addresses (not generally useful)

Mail sent from other IP addresses is only accepted if the user is authenticated. Typically used if your server is behind a firewall of some kind and should only allow incoming email from a particular IP address. Users will be able to send from any IP address if they use SMTP authentication. This setting is only useful if your incoming email always comes through a gateway or filter; it’s not a normally useful setting.

Syntax: g_smtp_noauth string

g_smtp_noauth_msg – Message given when sender is told to use authentication because of g_smtp_noauth

Message sent to sender when they try and send to the server but are required to authenticate because of g_smtp_noauth

Syntax: g_smtp_noauth_msg string

g_smtp_noauthm – Limit SMTP to just these addresses (not generally useful)

Mail sent from other IP addresses is only accepted if the user is authenticated. Typically used if your server is behind a firewall of some kind and should only allow incoming email from a particular IP address. Users will be able to send from any IP address if they use SMTP authentication.

Syntax: g_smtp_noauthm string

g_smtp_noclear – Disable smtp buffer clear after starttls command

Testing feature.

Syntax: g_smtp_noclear bool

g_smtp_plain_hide – Hide ‘plain’ from the ehlo response

This is to keep stupid scanners happy. For security you should disable non-SSL logins; disabling plain is pointless and annoying.

Syntax: g_smtp_plain_hide bool

g_smtp_port – Port to listen for SMTP connections (default 25)

Typically you won’t need to change this however you can specify an IP address to bind to or a list of alternate ports, eg: 10.3.2.3:25 or 110,2110 etc… By default the mail server listens to port 25 on all adapters/addresses. Use the keyword ‘disabled’ to disable this part of the SurgeMail service.

Syntax: g_smtp_port int

g_smtp_portauth – SMTP ports which require smtp authentication, typically 587

It is recommended (by some) that users send email to port 587, and it requires smtp authentication, and port 25 be blocked from client ip addresses to prevent viruses etc using email servers. Be sure to add ,587 to the g_smtp_port setting too!

Syntax: g_smtp_portauth string

g_smtp_portforce – Block logins for ports not listed in g_smtp_portauth

Use this to prevent local users logging into port 25. This also stops many spammers abusing your system, as they will try to send on port 25.

Syntax: g_smtp_portforce bool

g_smtp_secure_port – Port to listen for secure SMTP connections (default 465)

Port to listen on for dedicated SSL SMTP connections.

Syntax: g_smtp_secure_port int

g_smtp_thread – Use separate thread for incoming SMTP connections

This makes the server run a separate thread just to process incoming SMTP connections. This can help on a busy system to stop a huge load of SMTP connections clogging up the pop/imap connection processing. It is rarely needed.

Syntax: g_smtp_thread bool

This setting is rarely a good idea; VRFY is best left disabled.

Syntax: g_smtp_vrfy_allow string

g_smtp_vrfy_msg – VRFY response

Change Response to VRFY, e.g. 252 Not telling.

Syntax: g_smtp_vrfy_msg string

g_smtp_warning – Send manager warning if this many sessions reached (max 1 per hour)

This setting has no further documentation currently available

Syntax: g_smtp_warning int

g_smtp_welcome_delay – delays welcome message

Syntax: g_smtp_welcome_delay "seconds"

This delays the welcome message sent by SurgeMail to a connecting server. If the server sends data to SurgeMail during this waiting time, SurgeMail will drop their connection. The theory is that any well behaved server will wait for prompts and check them, but a lot of spamming software never takes any notice of prompts/responses and sends blindly. We believe a value of 1-3 seconds is ideal. You can also exempt IPs from this setting by using g_spam_allow "ip". Settings too high will cause real mail to be lost.

Examples:
g_smtp_welcome_delay "3"
g_spam_allow "127.0.0.1"

The settings above delay the welcome message for 3 seconds. Anyone that sends data in those 3 seconds will be dropped, but anything connecting from 127.0.0.1 will be able to send immediately (you should make sure webmail is exempt).

Syntax: g_smtp_welcome_delay int

g_tarpit_badrcpt – Delay rejection of bad recipients

Delay rejection of bad recipients (in seconds, default 4s).

Syntax: g_tarpit_badrcpt int

g_tarpit_blackhole – Reject email one recipient at a time to make spammers go away

If tarpit_blackhole is true, then where the server was going to drop the connection to that user, it will instead keep it and let the user talk and try to send messages, but will reject all recipients. It only does this for a maximum of 200 channels; any more are dropped.

Syntax: g_tarpit_blackhole bool

g_tarpit_drop – Max recipients per hour from one IP

Drop link and ban for 1 hour if g_tarpit_max or g_max_bad_to has been exceeded.

Syntax: g_tarpit_drop bool

g_tarpit_max – Max number of local recipients per hour from one IP

If this limit is exceeded, the offending client is “tarpitted”. This means the mail server starts pretending to go slowly. This is better than simply closing the connection as that will not stop the sending system from trying to reconnect rapidly or send to other systems rapidly, but tarpitting jams the sending system and limits the damage they can do to you and others. Cool huh? 

Unlike G_BOMB_MAX, the g_tarpit_max setting counts the total of all recipients to all addresses from this IP address.

A setting of about 200-10,000 is probably good, but be careful with mailing lists, as it will break them. Use an exclusion for IP addresses of known mailing lists or set the limit higher than known mailing lists, eg: 2,000 is probably a good setting just to avoid disasters without disrupting many real users.

Use spam_allow ip.address.list to override the limit for known systems (eg: mailing list servers) that would exceed the limit.

Syntax: g_tarpit_max int

g_tarpit_max_remote – Max remote recipients from one IP

The maximum number of remote recipients before slowing down.

Syntax: g_tarpit_max_remote int

g_tarpit_retry – Send retry error, 450 if tarpit limits exceeded

This setting has no further documentation currently available

Syntax: g_tarpit_retry bool

g_tarpit_skip – Skip tarpit limit for these destination users or domains, e.g. *@xyz.com

This setting has no further documentation currently available

Syntax: g_tarpit_skip string

g_tarpit_skip_from – Skip tarpit limit for messages from these users e.g. *@xyz.com

This setting has no further documentation currently available

Syntax: g_tarpit_skip_from string
