Global Settings

Note: Most 'matching' settings take wild card lists as parameters, for example "fred*" will match "freddy" and "Fred@bob". And "1.2.*,2.3.*" will match 1.2.4.4 and 2.3.99.100. Many settings will also accept a ! as a "not", and are processed from left to right. eg "!*,127.*,10.*" would first "deny all" then try and match on any 127.* or 10.* domains. Settings using ip's will take ranges also like 10.0.1-120.5 and also support CIDR notation eg 10.10.1.32/27.
You can read about CIDR notation here http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing and there is an online CIDR calculator here http://www.subnet-calculator.com/cidr.php.

g_access_group - Access groups

Access rules defining groups of IP addresses with certain POP, IMAP and SMTP privileges. When a user is authenticated access is checked against group membership defined in the "mailaccess" field in the authentication database. See accounts for more information.

eg. this could allow you to charge webmail users for pop access privileges:
g_access_group group=paid_user access_pop=* access_imap=* access_smtp=* 
g_access_group group=free_user access_pop=webmail.svr.ip access_imap=webmail.svr.ip access_smtp=webmail.svr.ip 

with "Access type" set to "free_user" on accounts page or equivalently in nwauth authentication database:
marijn@mydomain.com:{ssha}tVANQo...:created="1060034937" mailaccess="free_user" ...

To prevent webmail access for some users you would do this:

g_access_group_default "normal"
g_access_group group="normal" access_pop="*" access_imap=*" access_smtp="*"
g_access_group group="nowebmail" access_pop="*,!webmail.ip" access_imap="*,!webmail.ip" access_smtp="*"

And put the users you want to limit in a group called 'nowebmail' e.g.

lookup fred@domain
+OK fred@domaing config 0 mailaccess="nowebmail"

g_access_group_default - Access group defaults

Access group defaults for users with no access groups set. (must be used in conjunction with g_access_group)

g_admin_guesses - Number of guesses allowed for admin.

Syntax: g_admin_guesses "number"

This sets the number of guesses allowed for the admin username/password. Once this has been reached the ip is banned.

g_admin_ip - Admin IP access

Mask of valid IP addresses for admin users (default *), this is a security setting you can use to restrict remote web admin access to trusted IP addresses. One is always allowed to use manage SurgeMail using 127.0.0.1 regardless of whether this is explicitly specified.

eg. To restrict to local network as per net mask
g_admin_ip "10.0.0.*,10.1.2.*" 

g_admin_access - Allow / Restrict domain admin access to features based on g_access_group

g_admin_access group="wildcard" access="list"

This setting matches the g_access_group the admin is in to the wildcard specified and applies the specified access list to that domain admin, giving / restricting thier access to certain features. The list may include any of the following:

In addition you can prefix any of the above with ! to deny access. There are two other special case values, "all" and "none" which mean exactly what they say, access to "all" or "none" of the features.

Example:

g_admin_access group="simple" access="all,!users,!reports"

The above setting gives admins in the 'simple' group access to all the features except the users and reports features.

g_admin_access_default - Default features granted to domain admins

This setting is a default access list for all domain admins on the server, it is specified in the same maner as the g_admin_access settings 'access' parameter. eg:

g_user_access_default "all,!users,!reports"

g_allow_bodyless - Allow bodyless email

This will allow bodyless email to be accepted. These are usually spam.  In particular Norton Antivirus in autoprotect mode closes the POP link which makes it appear that SurgeMail has terminated the connection when a bodyless email is encountered.

g_archive - Archive delivered mail

Archive rules allowing all mail delivered to be archived to either:

- Fixed size rotating archive - use this if you want to be able to get back a particular message that has recently passed thorugh the server but you do not want the mail archives to be able to grow too large

- History archive of a fixed (or unlimited) duration that can grow as much as the disk space available. Use this if you need to archive say all mail sent to / from a particular customer for the last year.

The archive is stored as a directory containing bucket files. This allows you to retrieve messages that have been delivered if you need to retrieve a particular message for any reason. To retrieve a message this needs to be extracted manually from the archive files manually using a text editor or your own script. The maximum bucket size (default if 1Mb) of the archive and the maximum individual message size can be set.

Filtering is done based upon wildcard destination and source addresses and subject. These fields provide a logical AND, with a blanks filed matching the default "*". A specific email may match multiple archive rules, and will be archived in each archive in this case. Also note that if a match is part of a larger string the match string should have wildcards surrounding it. eg: to match "important business" in the subject "Very important business for you" you should specify "*important business*".

eg. To catch all email delivered from domain.com you would specify:
g_archive to="*" from="*@domain.com" subject="" path="c:\mailarchive" size="10mb" maxitem="10k" 

You can also select whether the archiving rule is triggered before or after any filtering that is applied such as virus or spam filtering using the early flag. This can be useful to capture the original source of viruses or spam for testing purposes.

g_archive_early - Apply all archive rules before content filtering is applied (obsolete)

This will apply the archive rules before content filtering is applied. This can be user to capture the source message if it is getting stored or bounced unnecessarily by any of the SurgeMail filters. The early flag on individual archive rules should be used instead of this setting.

g_auth_hide - Disable SMTP Authentication

Per default SMTP authentication is enabled. If a user matches this IP range/list they will NOT be shown the ESMTP extension for SMTP authentication. This will usually stop the mail client from prompting the user for authentication. We STRONGLY recommend you do NOT use this feature. It is much better to let users authenticate when sending email.

g_auth_skipgateway - Skip gateway rules if we get a proxy SMTP auth command

Skip gateway rules if we get a proxy SMTP auth command. This is not for general use. It can be used if you are using SurgeMail in front of another mail server with a wild card gateway to gateway all domains to a back end mail server. Then an authenticated user is a local user trying to send out so the gateway rules are ignored. (this is strongly not recommended)

g_authent_always - Always lookup user, so virtual domains can exist just in authent module

Always lookup user, so virtual domains can exist just in authent module. This allows you to support 10,000 domains on one system without a 'huge' ini file. Be careful to not create/remove real domains with the same name as existing domains that only exist in the authent database as the 'drop files/inboxes' will move when this occurs and existing mail will vanish.

g_authent_cachebad - Cache life of failed authent lookups

Set the life in seconds that the cached failed lookups can be used, default 60 seconds. Best left alone unless your server is being hit by thousands of failed lookups and your authent module is slow.

g_authent_cachelife - Cache life of successful authent lookups

Set the life in seconds that successful cached lookups can be used, default 2 hours. Best left alone.

g_authent_cachesize - Size of the authent cache

Set the size of the authent cache, default is 500 entries. Generally best left alone.

g_authent_domain - Authent domain

If this is 'true', the virtual domain name is appended to the username before it is passed to the authent process. This lets the authent process deal with virtual domains. As a general rule, this should ALWAYS be true. 

g_authent_info - Authent info

Defines a piece of information to store about the user in the user database (phone number, name, address etc). Each piece of information is given a name, a field, an access mode, a default and a type. The name defines what appears in the web management display. The field is what is sent to the authent_process. The access mode can be one of the following: user, domadmin, or admin, createonly, none. The default is what value is assigned upon creation of a new user. The type can be one of: date, readonly, encrypt or any custom string which you want to check for or match on the na_details.htm page with a template function like: ||ifequal||user_info_type||custom|| .. do things .. ||endif||

An access mode of 'admin' means that only the system admin can see the information, 'domadmin' means the sysadmin and any domain admin can see the information, 'user' means the user can see the information, 'createonly' means the user sets the information at creation time but cannot see it after that and 'none' ensures that no-one can see or modify the information (used for information that is handled by SurgeMail itself, either through the interface or otherwise)

e.g.
     g_authent_info      name="Phone Number" field="phone" access="user" default="" type=""

See here for a complete list of default settings.

g_authent_ip - Authent Lookup IP numbers via authent modules - enables relaying

If enabled each connecting IP address will be looked up in your user database as x.x.x.x@ip eg: "127.0.0.1@ip" and if the user is found then relaying is allowed and if 'send_limit="nn"' is defined then that will set the tarpit send limit for that user.

For per IP tarpit limits to work you need to define the g_tarpit_max and g_tarpit_max_remote settings. And g_tarpit_drop to make the limit effective.

g_authent_strip_domain - Strip domain for authent lookups

Use when your database expects one 'primary' domain to do lookups without a domain name then SurgeMail will strip that domain only from lookups. Typically this is only necessary with old DMail authent modules.

g_authent_logall - Turns on logging of authent requests

If enabled, authentication requests are logged in mail.log as "<day> <time> Authent[<action> <info>]".

g_authent_number - Authent number

The number of concurrent authent processes to run. If you are using a slow external authent module (e.g. sql) then it is probably worth running 3-4, there is no need to have more than 1 when using nwauth.exe. (Default = 1) 

g_authent_process - Authent process

The command line of a NetWin authentication module. You can use one of our standard modules for LDAP, ODBCAuth, MySQL etc or write your own. For more information on these modules see the authentication section of the manual .

This will typically be something like:
g_authent_process "E:\surgemail\nwauth.exe -path E:\surgemail"
or
g_authent_process "/usr/local/surgemail/nwauth -path /usr/local/surgemail"

g_authent_restart - Cycle auth modules every 1000 lookups

This is useful if there are resource allocation issues in the authentication module. Eg OBDCAuth

g_authent_timeout - Timeout for authent response

Timeout for authent response, default 60 seconds.

g_autologin_pop - Enables WebMail Autologin using POP when on another server

Webmail needs the ability to automatically login to SurgeMail to changes passwords etc. This setting will do this via an extension to the pop protocol allowing WebMail to autologin whilst running on another server. (Normally this is done using a temporary file)

g_badfrom_badmx - Drop message if this MX

If mx host is one of these addresses then drop the message, it's definitely spam (e.g. 127.*).

g_badfrom_check - Check if 'from' envelope can be delivered to

If this is set to "true" then SurgeMail will connect back to the envelope 'from' address and check that the address is valid, a cache is used to improve performance, if it cannot connect then the message is bounced as probable spam. It's nicer to use the following setting "g_badfrom_stamp" as well, then if SurgeMail cannot connect back or the user is invalid then a header is added to indicate this, and our SmiteSpam rules will use this to increase the spam weighting.

You can use g_spam_allow to exempt an IP from this check as well as g_badfrom_whitelist for a domain. Please note that by default SurgeMail uses a blank mail from to do its check.
MAIL FROM: <>
Some servers might reject this, though they shouldn't because its a standard bounce, however if they do you can use g_badfrom_from to set a mail from address to be used for this check.

g_badfrom_from - Mail from account for g_badfrom_check

From to use when doing the g_badfrom_check check, not normally needed, if set must be set to valid account.

g_badfrom_noip - Check envelope from domain exists and is a valid IP number

Check envelope from domain exists and is a valid ip number, if not bounce message.

g_badfrom_stamp - If 'g_badfrom_check' is bad then stamp a header on the message

g_badfrom_check must also be set to true. If this is set to "true" then SurgeMail will connect back to the envelope 'from' address and check that the address is valid, a cache is used to improve performance, if it cannot connect then a header is added to indicate this, and our SmiteSpam rules will use this to increase the spam weighting.

g_badfrom_whitelist - Whitelist of domains to skip from checks

Whitelist of "from" address domains to skip g_badfrom_* checks.

eg.
g_badfrom_whitelist "specialdomain.com"

g_bad_login_allow - Number of consecutive bad logins for a user before blocking that user

Number of consecutive bad logins for a user before blocking that user.

g_bad_login_ip_allow - Number of bad logins from an IP before blocking that IP

Number of bad logins from a single IP before blocking that IP.

g_bad_login_mins - Minutes to block login for, if consecutive bad ones received

Minutes to block login for, if consecutive g_badlogin_allow or g_badlogin_ip_allow bad logins received=.

g_ban_blackhole - Leave connected but reject all recipients without looking them up

Leave connected but reject all recipients without looking them up. This is good of dealing with high volume spammers without wasting resources doing user lookups. 

g_ban_helo - Ban any machine that gives a matching 'helo' string

This is a simple spam protection system to block known spam/problem users based on the 'helo' name they send to your system. This name is recorded in the 'received' header along with the IP address. This name is very easy to 'fake' so is not a high security level of protection, but it is simple for stopping stupid robots etc, that have gone insane.

Example: *junkmail.com 

g_ban_from - Ban any matching MAIL FROM: envelope

Same as 'ban_helo' but applies to the from (return address) part of the mail envelope. This is NOT the same as the from/sender header in the message itself!!! This equates to the 'Return-path:' header that the mail server adds. 

g_ban_rcpt - Ban any matching RCPT TO: envelope

Same as 'ban_helo' but applies to the recipient part of the envelope (destination users) this is NOT the same as the 'To:' header in the message itself!!! This can sometimes be used to block really simple spamming programs that always send to the same invalid users. 

g_bind_out - Bind outgoing smtp connections to IP

Bind outgoing smtp connections to this IP number. 

g_bind_from - Bind outgoing SMTP connections based on 'from' envelope

Bind outgoing SMTP connections based on the IP of the virtual domain in 'from' envelope. This is only useful if you are using IP based virtual domains. 

g_block_files - Block certain attachments

Allow you to block any mail with certain files attached. 

g_block_files "*.exe,*.cmd,*.com"

g_black_above - Level for spam detection for g_black_count

Level for spam detection for blacklisting IP number e.g. 7. 

g_black_count - Blacklist sender IP based on spam sent

Number of spam in a row before IP blacklisted for 30 minutes eg: 30 (default = disabled)

g_black_to - Blacklist sender IP based on catch addresses

Blacklist senders IP address for 30 minutes if they deliver to these spam catch email addresses.

eg. g_black_to "smith@mydomain.com,catcher@myotherdomain.com"

g_block_wild - Block wildcards in usernames

Block the '*' wildcard character in usernames.

g_bomb_max - Max messages to a single address per hour

Simple system to prevent intentional or more likely, accidental mail loops or mail bombs where thousands of Emails are sent to a single user. A setting in the range of 100-1000 is generally good depending on your sensitivity to incorrectly blocking real mail.  We suggest 1000 is a good setting if you are unsure.

This counts the messages from a single IP address to a single recipient. If a single IP sends more than this many messages to any single recipient then they will be tarpitted (slowed down and rejected).

Use spam_allow ip.address.list to over-ride the limit for known local systems that might exceed this limit (unlikely anything will).

g_bomb_max_from - Max msgs from a single email address/hour

Max msgs from a single email address/hour.

g_bounce_disable - Bounce Disable

Disable all bounces. This is particularly useful when under spam attack. This is for outgoing bounces it stops SurgeMail generating bounces it won't affect incomming bounces from other servers.

example:
g_bounce_disable "true"

g_bounce_limit - Max size of bounce messages

Max size in bytes of message to send back as bounce message is truncated if necessary.

g_centipaid - see CentiPaid.htm

Authentication server and port for CentiPaid.

g_con_perip - Connections per IP

Maximum number of connections allowed per IP address. Primarily this is used to prevent simple denial of service attacks where one user could otherwise use up all the channels your system can support and then do nothing with them. 

g_con_perip_except - Connections per IP exception

IP list of exception addresses to g_con_perip. 

g_con_persubnet - Maximum concurrent connections per subnet

Maximum number of concurrent connections per subnet. This limits concurrent connections from a sub net, great for automatically stopping professional spammers who use multiple addresses. A typical setting might be 20. Subnet is /24.

g_convert_percent - Convert % signs top @ in recipient addresses

Some Spam tests send mail user%spamdomain.com@localdomain.com to see if a server is an open relay. If a default address is set up for the local domain this will be delivered to this local address and the test assumes the mail server is an open relay. This setting prevents this. 

g_create_strict - Whether to apply strict rules to usernames/passwords

Checking this causes surgemail to check passwords do not contain words longer than 4 characters from g_create_dictionary as well as requiring the password to be 6+ characters, and usernames/passwords to contain more than 1 character.

g_create_allow - List of characters allowed in usernames/passwords

Defaults to A-Za-z0-9\-_. meaning usernames/password may contain letters, numbers, -, _ and . and nothing else.

g_create_allow_pass - List of characters allowed in passwords

Settting overriding g_create_allow just for passwords.

g_create_dictionary - File containing dictionary words to compare passwords to

Text file containing one word per line, passwords are compared to all words longer than 4 characters in this file, if a username or password contains a word in this file it is not allowed. Only takes effect if g_create_strict is checked.

g_create_badnames - List of illegal usernames

Comma separated list of illegal usernames, may contain wild cards, if username contains part of a non-wild card or matches a wildcard it is disallowed.

g_delete_user_after - Number of days an account can remain unread before it is deleted

Number of days an account can remain unread before it is deleted. This setting cannot be used on an authent_domain FALSE domain unless it has a prefix setting.

e.g.
DELETE_USER_AFTER "30"
Then issue the command:
tellmail expire_accounts
Then examine users_delete.rec to see it is a valid list of old accounts, then use:
tellmail delete_user FILE users_delete.rec

To actually delete the accounts.

g_delete_user_mode - What to do when an account is unread

DO NOT USE THIS SETTING IN A MIRROR/CLUSTER SETUP

You can set this to "file" or "suspend". "file" causes accounts to be written to the users_delete.rec file, which you can action by running "tellmail delete_user FILE" or "tellmail delete_user FILE users_delete.rec" (optionally specify the file). "suspend" causes accounts to be suspend, it does this by setting the field and value specified in the g_delete_user_suspend setting.

If this setting is blank the default is to use 'file' mode, accounts are NEVER deleted automatically except in the very oldest versions of surgemail (before version 3)

g_delete_user_suspend - If suspending an unread account set this field/value

DO NOT USE THIS SETTING IN A MIRROR/CLUSTER SETUP

Set the field and value to use when suspending an account due to g_delete_user_after and the g_delete_user_mode "suspend" settings.

g_deny - Deny users from some IP ranges

Block known spammers etc by IP address. You can use wild cards and 'not' signs, e.g. "!*,127.*,10.*" 

g_deny_msg - Deny message

Message to give to users who are disconnected due to the above 'deny' setting. 

g_deny_smtp - Deny SMTP based on IP address

Block users from some IP ranges connecting to SMTP only. 

g_disable_smtp_after - Number of days an account can remain unread before delivery is disabled

DO NOT USE THIS SETTING IN A MIRROR/CLUSTER SETUP

Number of days an account can remain unread before delivery is disabled. 

g_disable_surgeplus - Disable SurgePlus Calendar and File Sharing client

Disable users from logging in using the SurgePlus Calendar and File Sharing client. See SurgePlus

g_disable_surgeplus_updates - Disable automated downloading of new versions of SurgePlus client from netwinsite.com

New versions of the SurgePlus client are automatically downloaded from netwinsite.com and made available for download form your server by your users. See SurgePlus

g_surgeplus_delay_tell_upgrade - Delay informing existing users about new SurgePlus versions for

Delay informing existing users about new versions of SurgePlus for this long after the new version is downloaded to your server. SurgePlus clients poll the server once an hour so they won't be informed about the new version for up to an hour longer than the value of this setting. Use this setting combined with the g_surgeplus_delay_tell_upgrade_exempt setting so that only administrator users are informed about new versions at first so you can confirm the new version works fine with your existing server configuration before everyone upgrades. Example values: "3 hours" or "2 days"

g_surgeplus_delay_tell_upgrade_exempt - Users exempt from delayed new version informing

See the above setting for information. Example value: "user1@domain.name,user2@domain.name"

g_surgeplus_port, g_surgeplus_secure_port - SurgePlus port and SurgePlus secure port.

SurgePlus uses the POP protocol to communicate with SurgeMail. However, some virus scanners running on the clients machine prevent the SurgePlus client from using POP commands that the virus scanner does not know about. In order to avoid this problem, SurgePlus uses port 7110 by default instead of port 110. However, clients not using a virus scanner (or clients using some virus scanners we have made SurgePlus work with - e.g. Norton) can safely use port 110 if they would otherwise be prevented from connecting to SurgeMail by a firewall. The SurgePlus client will quietly switch to using port 110 if it is not able to connect to the server using port 7110.

g_surgeplus_web_port - SurgePlus web port.

If you want your SurgePlus users to view shared files over a different port than WebMail uses give this setting a value.

g_dlist_nostart - Disable dlist

If set disable (do not attempt to start) dlist for DMail compatibility mode.. 

g_dlist_path - Path for dlist

DList Path normally defaults to $g_home/dlist.

g_dns_host - DNS host(s) for MX lookups

This setting can normally be left blank as the mail server will find your system DNS settings. However, you can specify one or more DNS servers for the mail server to use instead to lookup names. 

DNS lookups are cached to disk so SurgeMail will generally continue to work even if your dns server is temporarily unavailable.

Test your dns server with this command. If working it should return two ip addresses for that domain.

 	tellmail dns_test "netwinsite.com"

Prior to SurgeMail 2.0h dns lookups were done using tcp instead of udp, they are now down with UDP unless the response exceeds UDP packet size (as per RFC).

NOTE: All dns servers listed in this setting must be fully recursive, a non recursive dns server will create many dns lookup failures!

g_dns_nlookup - Concurrent MX lookups

Concurrent DNS lookups to send to DNS server (Default=20) (not used after version 2.0h)

g_dns_paranoid - Compare sender forward and reverse dns lookup and see if they match

Does a forward DNS lookup on the sender's domain and matches this with a reverse lookup of the senders IP address. If these do not match the message is either bounced or stamped with the header "X-DNS-Paranoid: <explanation>". Valid values for this field are "STAMP","RETRY" and "REJECT".

STAMP = Add the X-DNS-Paranoid header if it fails

RETRY = Bounce the message with a 450 error. (so if the failure was temporary the sending server will retry)

REJECT = Bounce the message with a 550 error

Set g_dns_lookup_msg or g_dns_match_msg to define the reject/stamp strings respectively.

g_dns_require - Require reverse DNS names match

Require MAIL FROM header to match the reverse dns lookup based of the sender based on the sender's IP.

eg. from=*@hotmail.com hosts=*hotmail.com

g_domain_default - Default domain when POP/IMAP user does not specify one

This is probably not what you think it is, generally the 'first' domain in surgemail.ini is used in this situation, but in some instances, when using domuser.dat for example to translate users back to virtual domains, you will want the default domain to be a 'generic' made up domain that doesn't really exist.

For example lets say you have users fred@a.com, bob@b.com, then in domusers.dat you have

fred@a.com fred@a.com
bob@b.com bob@b.com
bob@xxx bob@b.com
fred@xxx fred@a.com

And the result is that users who login to pop as bob or fred, will be correctly mapped to the correct virtual domain user even though the actual domain is different in those two cases.

Clear as mud I expect?

g_domain_list_max - Maximum number of domains to list at once

Maximum number of domains to list at once in the admin user interface. 

g_domain_separator - Separator characters for virtual POP

For POP logins where your virtual domain is NOT distinguished by IP address users can login with 'user@domain' or user/domain.name etc and the mail server will pickup the domain name correctly. By default only 'user@domain.name' is accepted unless this setting is used which can be useful for brain dead mail clients which don't allow the user to specify 'user@domain.name' as the username eg:

g_domain_separator "/"

g_domuser_file - Domain users to thousands of virtual domains easily

Specifies a file which contains lines that translate an email address to the username that should be looked up in the database. This file can contain a domain name not previously specified in surgemail.ini allowing you to create unique sub-domain addresses. eg:

g_domuser_file "c:\surgemail\domuser.dat"

Example entries...

*@domain.com postmaster@domain.com
userA@domain.com userB@domain.com
firstname@lastname.domain.com firstname@lastname.domain.com

g_dotlock_minutes - NFS lock waits

Minutes to wait for nfs lock file, default 20 minutes.

g_dotstuff_fix - Convert the way mail is stored on disk from dotstuffed to non dot stuffed (beta)

In the dotstuffed format any attachments that have content (in encoded format) starting with a . get corrupted, as all single '.' characters at the start of a line are converted to '..'. This is only very seldomly an issue as encoded text doesn't usually have . characters. This feature can only be enabled and still need furhter production level testing to make sure there are no side effects... so if you play with it consider yourself adequately warned :-)

g_drop_use_len - Use the content-len header for drop file processing

For use on Solaris when using sendmail for incoming mail delivery.

g_fallback - Fallback address

Default address for all local domains. If a local delivery is not to any valid user Emails will be delivered to this address. There is also a per domain default. 

We want to stress that this is a dangerous setting, you use at your own peril.
Spammers will turn up to your server and test sending to accounts, they will just run through a dictionary of names, with a fallback setting you will be telling the spammer that all these accounts exist. The spammer will then deliver spam to these addresses in volumes that can cripple a server almost.

g_filter_max - Max size of messages to send through the filter pipe

Messages over this size (in bytes) are skipped. default = no limit

g_filter_pipe - Filter pipe allowing external message processing

This allows external applications to filter and modify incoming messages. Example: Integration with Spam Assassin (on UNIX) could be achieved as follows:

g_filter_pipe "/usr/local/bin/spamassassin -P"

it expects a normal unix 'filter' so, read the message on 'stdin' and write the identical (or modified) message to 'stdout'.

The input will be 'crlf' terminated and so should the output file.

That's all you can do with this mechanism, if you want to bounce the message or flag it as spam you 'add' a header and then use something in surgemail to detect and act on the header you've added (mfilter)

g_filter_timeout - Filter pipe timeout

Filter timeout (g_filter_pipe) in seconds, default is 360.

g_filter_n - Number of filters to run simultaneously

Default is 20, when this limit is reached the incoming thread waits a few seconds then skips the filter if necessary, this is intended to prevent a log jam/melt down effect.

g_friends_confirm_subject - String to use as the subject of a friends confirmation email

String to use as the subject of a friends confirmation email. Defaults to: "Please reply to ||confirm|| message and allow delivery". This value must contain the text ||confirm||, this text is replaced by the unique message id that allows SurgeMail to find the message to release eg. confirm(1150419513.1880_1180.domain). It is also advisable to place the ||confirm|| near the start of the string as some clients will truncate long subjects and any truncation of the ||confirm|| value will result in failure to release the message.

g_friends_only - Friends system

An anti-spam feature which screens incoming mail to ensure it comes from a human. For incoming mail from unknown addresses a message is sent to this person requesting them to reply to confirm they are human and the original message will be delivered. See this page for more details.

g_friends_ignore - List of addresses considered friends for all users on the system

List of addresses considered friends for all users on the system eg: the system manager email address

g_friends_latest_headers - Friends system re-read message headers

Causes friends to re-read message headers, allowing rules based on headers added during delivery

g_friends_name - What to call the friends system

This specifies what to call the friends system when referring to it on web pages and in email to our users, you can call it whatever you like

g_footer_file - Footer file

Footer file which is appended to all plain text mail messages.

g_footer_html - Footer file (HTML mail)

Footer file which is appended to all HTML mail messages.

g_footer_send - Footer file (outbound only)

Plain text footer file which is appended to all outbound mail messages only.

g_footer_sendonly - Enable outbound footer

Add g_footer_send to all messages when sending to non local users.

g_forward_illegal - Prevents users setting forward rules to certain addresses

Syntax: g_forward_illegal to="address" apply="user type "

This setting allows you to specify some addresses as being illegal for certain users. This stops users setting up forwarding rules to these addresses. They can still send mail to these addresses manually with their email client. These rules _ONLY_ apply to non local domains.

Some examples:

If you want to stop your users setting up forward rules that redirect to aol.com.
g_forward_illegal to="*@aol.com" apply="user"

If you want to stop your users setting a forward to all domains except aol.com
g_forward_illegal to="*,!*@aol.com" apply="user"

Stop domain admins sending to aol.com
g_forward_illegal to="*@aol.com" apply="domadmin"

Stop admins sending to netwinsite.com
g_forward_illegal to="*@netwinsite.com" apply="admin"

g_from_allow - From header allow

From headers to allow bypassing the g_from* checks. e.g. "*@x.y.com,*@b.com,fred@bb.com"

g_from_bounce - Bounce if from is probably faked

Bounce if from address is probably faked.

This check is activated for any mail with a local domain in the from address but not using SMTP authentcation, relay allow IP address or spam allow IP address.

g_from_check - Check from matches valid local domain

Check from domains match valid local domains if user is authenticated, or g_from_allow.

g_from_exact - Check from matches authenticated user

Check from matches authenticated user. If user is not authenticated the setting is skipped.

Should be used with g_from_bounce "true" which basically forces them to authenticate and then makes this setting work properly.

g_from_header - From header used in delivery bounces

From header used in delivery bounces.

g_from_stamp - Stamp if from is probably faked

Stamp message with "X-Verify-Failed:" header if from address is probably faked.

eg: X-Verify-Failed: <user@mydomain.com> From mydomain.com is local but user not authenticated or from g_relay_allow_ip

This check is activated based on the same conditions as g_from_bounce.

g_from_timeout - Timeout on g_badfrom_* checks

Timeout in seconds of g_badfrom_* checks. Default = 60 seconds. If this timeout is reached the g_badfrom check will be classed as having failed.

g_friends_pending_keep - Time to keep friend pending messages

How long to store users friends pending messages before deleting them (days)

g_gateway - Gateway messages to a particular domain (Or smarthost)

Used to gateway messages to another local mail server.  Typically this other server is inside a fire wall so it's local IP address is not known by the DNS server.  You specify the domain and IP address to send messages to and this server is treated as 'local' rather than remote in terms of open relay restrictions. eg: nonauthenticated users are able to send in mail. Open relay restrictions do not apply to messages sent to this domain because they are considered as if they were local users and not 'relaying'. 

This setting has the fields domain(required), to(required), user(optional), pass(optional), relay=true/false(optional),check=true/false (optional)

Normally "domain" and "to" are the only fields that need to be filled in. eg. To relay mail from anyone to user accounts in the domain somedomain.com to the host 1.2.3.4.
g_gateway domain="somedomain.com" to="1.2.3.4"

user="username" pass="password"

If SMTP authentication is required on the destination server the user and pass fields need to be completed.

The check=true setting tells surgemail to actually connect to the server and check that recipients exist before accepting an incoming email for that user, this is STRONGLY recommended, as it stops the server having to bounce thousands of messages when spammers send to invalid addresses on your server. If SurgeMail cannot connect it will assume the user does exist so nothing is bounced except when the connection is successful.

Classic smarthost setting

This is where you want to send all outgoing email to another server, that may require authentication, note that we don't use relay="true" as that would make the server an open relay.

g_gateway domain="*" to="isp.mail.server" user="user@isp.server" pass="xxx"

relay="true" (warning, usually not needed or wise, this can make your server into an open relay for spammers to abuse!)

As a safety measure to prevent accidental openrelays, SurgeMail will not relay for non authenticated users or trusted users (users that are allowed to relay due to relaying settings eg g_relay_allow_ip) if the domain is "*". This can be overridden by placing "true" in the "relay" field. eg: To relay all mail for all users to host 1.2.3.4:

g_gateway domain="*" to="1.2.3.4" relay="false"

It is possible to use domain="c:\domains.txt" where domains.txt is a file listing the domains to be gatewayed, this should only be done for one gateway rule, and is only worth doing if you have thousands of domains to gateway.

local="true"

Requires that the destination addresses exist in the local account database.

Gateway after user lookup

When gatewaying to a domain which accepts all email regardless of address (e.g. exchange) you are best to define the users in your local user database, this is the only way to prevent nasty bounces and get rid of all the spam cleanly.

1) remove the gateway setting for the domain
2) add a virtual domain
3) In the virtual domain add surgewall settings, e.g. in this example I'm gatewaying the domain 'netwin.co.nz' to a
backend server called 'backend.netwin.co.nz"

vdomain address="" name="netwin.co.nz"
...
surgewall "backend.netwin.co.nz"
surgewall_options strip_domain="" proxy_failover="" auth_local="TRUE" pop="" smtp="" imap="" usercgi=""

 

You can find more gateway examples in our FAQ here http://www.netwinsite.com/surgemail/help/faq.htm#gateway

g_gateway_always - Always send to gateway even if local domain exists

Always send to gateway even if local domain exists. Not sure why you would want to use this setting other than to temporarily send mail on to another server whilst keeping the local domain and accounts intact and untouced.

g_gateway_ifnot - Send mail to gateway in preference to local delivery unless IP matches

g_gateway_auth - Send SMTP auth requests to another host

Send SMTP auth requests to another host.

g_group_field - Group Field from authentication database

Based upon a match on an arbitrary field in the authentication database a user can be defined as being part of an access_group. All fields (field, value, group) are required. eg: To add the user to the access_group "paid_user" if the field "mystatus" has the value "fullaccess":

g_group_field field="mystatus" value="fullaccess" group="paid_user"

g_header_out - Header to add to outgoing posts

Mail header to add to outgoing mailing list posts.

g_helo_optional - Make the SMTP Helo optional

Helo is optional for SMTP protocol (not recommended).

g_home - Root directory of the mail server

This setting controls where the mail server runs including the many sub directories it creates below this directory for work files and log files for each domain. Not something you should generally change. 

g_http_proxy - Proxy web server for fetching files via HTTP

Proxy web server for fetching files if direct access fails. (mainly for updates to the spam prevention rules from netwinsite.com and for downloading the latest version of the SurgePlus Windows client to make available to your users.) 

g_imap_log_flush - IMAP log flush

Flush IMAP log on every write (for debugging).

g_imap_log_protocol - Log IMAP protocol

Log IMAP protocol and other IMAP information to the mail.log file.

g_imap_no_internal_date - Disable the internal date output on IMAP commands

The RFC implementation of internal dateis broken wiht MS outlook. SurgeMail has been modified to conform to the outlook inplementation of internal date making this setting redundant..

g_imap_port - IMAP Port (default 143)

Specifies the PORT to listen for IMAP connections on. IMAP is an alternative to POP protocol where the messages and folders all exist on the server. This is ideal when sharing a mail account between several users or when using Email from more than one computer.  Use the keyword 'disabled' to disable this part of the surgemail service.

g_imap_timezone - Timezone to display - for testing purposes only

as per title :-)

g_imap_uidl_nofix - Disable UIDL auto repair of duplicate entries

If true disable auto repair of identical UIDL entries.

g_imap_secure_port - IMAP Port (default 993)

Specifies the PORT to listen for dedicated SSL IMAP connections.

g_ldap_port - LDAP Port (normally 389)

If specified this enables the mini ldap server inside surgemail which allows users with email clients that can do 'ldap' directory lookups to search for other users on the system. Obviously this should NEVER BE turned on for a public mail server, it is only appropriate with private mail servers where all users who can access the system are trusted.

There are additional 'domain' settings ldap_anydomain, which lets users search for users outside their own domain name. And ldap_disable which can disable ldap for specific domains.

g_last_login - Create last_login.time files

If true then when users login via pop or imap or webmail the file last_login.time is created/touched, this can then be used by local scripts to determine which user directories are not in active use.

g_local_skipgateway - Skip gateway rule for local messages

If true skip gateway rule for local messages (bounces etc). 

g_log_flush - Flushing log - flush on every write

This makes the server flush log data after every write to the file. This affects performance but can sometimes be the only way to track down an unusual fault eg: if the server dies the log is completely up to date and shows the last thing the server did before dying. 

g_log_fwd - Log fwd/redirection rules associated in msg.rec

Log fwd/redirection rules associated with g_log_rcpt in msg.rec files. 

g_log_level - Set logging level

Set the logging level. This is primarily intended for finding faults with the server. Info level logging is the default. Alternatives are 'error' and 'debug' 

g_log_path - Path for log files

Sets the path for all SurgeMails generated logfiles. (except the delivery record logs)

g_log_pid - Log pid

Log PID along with thread-id in the UNIXlog files.

g_log_norcpt - Don't log individual recipients in msg.rec files

Log individual recipients in msg.rec files

g_log_reject_disable - Disable the logging of rejected mail

SurgeMail will normally log failed deliveries due to MFilter / SmiteSpam / etc in the delivery logs. This setting will restrict this logging to accepted mail only.

g_log_size - Size of the mail.log files before they are rotated

The mail.log files are a fixed size rotating log of what is happening inside SurgeMail. Dependant on the load of your server this may contain a few days worth of activity or a few minutes worth. This setting allows you to change the default 2MB before rotation size.

g_log_tcp_read,g_log_tcp_write - Log actual data for a specific IP

These settings let you 'trace' the data going 'to' and or 'from' a specific IP address (or list, or wild card) Lets say you have a client on a specific address that has a problem where the fault could be server/client or network related. To track it down add this to surgemail.ini

g_log_tcp_read "2.3.4.5"

g_log_tcp_write "2.3.4.5"

Then try whatever is 'failing' and examine 'mail.log' to see what was read/written to that client.

g_lookup_names - Lookup names for connecting IP addresses

This is one of those things that you very likely do not want to turn on. It makes the mail server lookup the IP name of any connecting user, however lookups can take 30-90 seconds so it can negatively impact apparent performance. Most of the access rules in the server can accept IP names if this setting is enabled, e.g. instead of specifying local users are 153.2.3.* you can say '*.netwinsite.com" 

g_lookup_reject_fails - If lookup cannot get a name, reject user (not generally recommended)

If lookup cannot get a name, reject user (not generally recommended) 

g_lowdisk_warning - Disk space level below which to warn the manager

SurgeMail checks available disk space on startup and every half hour whilst running on all the mail, temp and home directories. If any is found to be low an email is sent to the system manager.  The recommended level is at least 100MB (default is 10MB).

g_mailstatus_message - Error message to give when mailstatus is set to specified state

This allows you to specify the error message given to the user when they are set to certain states, you may use other authent fields in the message, for example:

g_mailstatus_message state="payup" message="Payment is due $full_name$, please pay here: http://your.site/path/file.htm"

g_mailbox_path - Default directory to store mail

Default directory to store mail this is used to set mailbox_path when creating domains. 

g_maildir_standard - Use more standard maildir format

The maildir format is flawed in that it is not designed to be used on Windows systems. This setting will force SurgeMail to use a more standard maildir format, but does mean you cannot just copy mail from a UNIX box to a Windows box as the ":" character is a reserved character on Windows systems. 

g_manager - Email address of manager

Email address to send reports to. 

g_manager_port - Manager port (default 7026)

This is the port the web manager and web mail access will run on. By default it is port 7026. Use the keyword 'disabled' to disable this part of the surgemail service.

g_manager_secure_port - Manager secure port (default 143)

This should be the main server management port and provides a secure server management connection. By default it is port 7025. https://your.mail.server:7025. Use the keyword 'disabled' to disable this part of the SurgeMail service.

g_manager_smtp - SMTP server for manager Emails about failures

For obvious reasons, if the server is not working it cannot use itself to send the manager an Email message, so for highest reliability you may want to define another mail server for fault reports to be Emailed to. 

g_max_bad_to - Max bad recipients in a row

If a system sending your system Email sends more than the specified number of bad addresses in a row then it is assumed to be incoming spam and further messages are rejected. 

g_max_bad_nolookup - Max bad recipients in a row if exceeded skip user lookup

Max bad recipients in a row if exceeded skip user lookup - useful when tarpitting a spammer. 

g_mdir_prefix - Maildir folder prefix

Prefix for maildir folders defaults to 'mdir', use '.' for compatibility with qmail. 

g_mdir_hash - SurgeMail hashing mode

Hashing mode for SurgeMail, default is 5, for compatibilty with /b/o/bob use 2. 

g_mfilter_addonly - Add headers only

If true then only allow 'adding' headers, not changing them.

g_mfilter_file - Path to mfilter.rul spam rule processing

This is the full path to the Mfilter rule file which provides advanced message filtering capabilities. See Mfilter.htm for more details.

g_mfilter_localonly - Only filter local deliveries

If true then only run Mfilter on local deliveries.

g_mfilter_maxlen - Mfilter Max message length

Size to truncate messages to before processing with Mfilter.

g_mfilter_skip_ip - Skip mfilter for messages from these ip's

This allows you to add a comma separated list of ip's to skip running mfilter on. This is based on the ip of the sender. Wild cards and ranges can be used.

Example:
g_mfilter_skip "10.0.0.2,210.56.43.*,193.1.16-24.0-255"

g_mfilter_trace - Log trace lines in Mfilter

Log trace lines in Mfilter for debugging .

g_mirror_config - Mirror surgemail.ini

Syntax: g_mirror_config "true/false"

You put this on both machines and it will attempt to mirror the surgemail.ini. There will be some settings that you do not wish to mirror and these can be exempted by using:

g_mirror_config_except "setting,setting,setting"

Some settings are not mirrored by default these are: g_mirror_host, g_mirror_nwauth*, g_mirror_mode, g_authent_path, g_dlist_path, g_log_path, g_record_path, g_home, g_authent_process, g_mfilter_file, g_webmail_work, g_work, g_virus_cmd, g_atrn_port, g_imap_port, g_imap_secure_port, g_ldap_port, g_manager_port, g_manager_secure_port, g_monitor_port, g_pop_port, g_pop_secure_port, g_ppd_port, g_smtp_port, g_smtp_secure_port, g_webmail_port, g_webmail_secure_port, g_surgeplus_port, g_surgeplus_secure_port, g_surgeplus_web_port, g_bind_out, g_virus_avast, dmail_drop_path, dmail_bin_path, web_path, webmail_work

(it is possible we will update this list over time)
* g_mirror_nwauth is obsolete don't use it.

g_mirror_config_except - Mirror surgemail.ini

Syntax: g_mirror_config "setting,setting,setting"

This will tell the server not to import the specified settings from the other mirror.

Example:
g_mirror_except "g_spam_allow"

This will tell the server not to change this setting. This only affects the machine its on, if the other server does not have this set, it will continue to mirror the setting. This setting accepts wildcards. This setting accepts a special case value "address" that will prevent mirroring of existing domain ip addresses, allowing different ips on each mirror machine. There are a number of settings which are not mirrored by default these are specified above in g_mirror_config.

In addition the mailbox_path setting is not mirrored, unless, the existing setting is a sub directory of the g_mailbox_path and the new setting is a sub directory of the g_mailbox_path from the other server, in which case the mailbox_path is set to the same sub directory using the existing g_mailbox_path setting eg.

[recieving server]
g_mailbox_path "c:\surgemail\mbox"
mailbox_path "c:\surgemail\mbox\domain"

[sending server]
g_mailbox_path "d:\surgemail\mbox"
mailbox_path "c:\surgemail\mbox\domain_moved_here"

[result on recieving server]
g_mailbox_path "c:\surgemail\mbox"
mailbox_path "c:\surgemail\mbox\domain_moved_here"

g_mirror_host - Mirror host 

This unique SurgeMail feature allows you to setup two identical mail servers across a local or widearea network. The waiting mail messages & folders etc are duplicated continuously between the two systems, so users can use either system. If either system fails for any hardware reason the other acts as an instant on line replacement without any interruption to the user. In addition when the faulty system is replaced the two automatically re-synchronize. 

See this page for Mirror overview

g_mirror_mode - Master / slave mirror system

Certain actions may only be run on the mirror master system (such as expire processing) or are different in behaviour between the master and slave (such as NWAuth mirrorring and dlist mirorring). This setting must be set to MASTER on one system and SLAVE on the other system for correct operation. (Note basic mirrorring of delivered mail will happen if this setting is the same on both systems it is just some of the special mirrorring functionality that this is required for)

g_mirror_nossl - Disable SSL for mirror protocol connection

This is best turned off unless your servers are talking over a wide area untrusted network. 

g_mirror_prune_age - Mirror minimum age for items to be pruned during sync_prune

Mirror minimum age for items to be pruned during sync_prune, default 14 days. 

g_mirror_secret - Mirror secret shared password

This password is required to prevent the mirroring mechanisms being abused. We recommend a random string of letters at least 10 characters long. e.g. "urcajfielsjfs" 

g_monitor_disable - Disable the monitor process

This allows the monitor process to be completely disabled. The monitor process is the swatch executable and can be setup to monitor and automatically restart SurgeMail if it crashes. The monitor process is also used to start SurgeMail from the using the web interface if it has been shutdown.

g_monitor_port - SurgeMail monitor port (default 7027)

The port SurgeMail monitor runs on allowing SurgeMail to be remotely started. Typically you won't need to change this, however you can specify an IP address to bind to or a list of alternate ports, e.g. 10.3.2.3:7027 or 7027,8027 etc...  

g_msg_max - Max size of a single message

Max size, in bytes, of a message, eg: 20,000,000 for a 20mb limit. This setting is useful to prevent a single large message jamming up your system. 

g_naked_msg - Text to display if message body contains naked LF characters

Default is: "Naked LF see https://netwinsite.com/surgemail/help/smtplf.htm"

g_old_pophost_debug - Log extra info when doing old pophost logins

Log extra info when doing old pophost logins for debugging. 

g_orbs_cache_life - Sets the amount of time to keep RBL entries cached.

Syntax: g_orbs_cache_life "seconds"
Default: 7200 seconds

This allows you to control how long the RBL lookups are cached for.

Example:
g_orbs_cache_life "100"

g_orbs_exception - Exceptions to Open Relay / Known Spam sites

This allows you to over-ride a response from an ORBS/RBL database. For example, if a site you wish to do business with is in the RBL database you can add their IP address to this setting and then they can send you Email again. 

g_orbs_force - Forces RBL lookup even if they are in an exception.

Syntax: g_orbs_force "true/false"

This allows you to force RBL lookups on users that would normally not be checked due to being in an allowed relay ip (g_allow_relay_ip).

g_orbs_rec - Log to record file if orbs deny action occurs

Log to record file if ORBS deny action occurs (can fill logs up). 

g_orbs_service - Open Relay Blocking System RBL, service name (superceeded by g_orbs_list)

Set the name of the RBL service you want to use. A RBL service is a DNS database that has a record of all known spamming sites. If the server finds the connecting users IP address in this database all Email from their system is rejected. Also see the setting g_orbs_exception.  Here are a few known RBL services, some charge and some are free!

• www.ordb.org 
• inputs.orbs.org

g_orbs_system - Use system DNS lookups instead of SurgeMails for ORBS (not recommended)

If true use system DNS lookups instead of surgemails for orbs (not recommended). 

g_orbs_testing - ORBS testing

If true ORBSlookups are recorded but not blocked.

g_orbs_timeout - Orbs timeout

ORBS lookup timeout in seconds (default=10). If the timeout is reached the message is accepted and the failure is logged to mail.log.

g_orbs_list - Multiple Open Relay Blocking System RBL databases

Allows enforcement of a servers blacklisting or whitelisting in one or more RBL databases with a different action for each database. In addition this can be used to mark messages with a header which can then be taken into account in the SmiteCRC"SpamDetect rating" calculation. A RBL database is simply a DNS server that returns a positive response if a server is listed in the database. A variety of services are available online that can maintain blacklist databases. Normally you would maintain your own whitelist database that overrides the blacklist listings.

name=service action=deny,accept,stamp stamp="string to add to header ||remoteip||"

Where the stamp option adds the header:

X-ORBS-Stamp: string to add to header 1.2.3.4

The variable ||remoteip|| can be used to create a url to go directly to a spam database web site and give details on the offending ip address. e.g. stamp="Spamcop, http://spamcop.net/w3m?action=checkblock&ip=||remoteip||"

eg 1 - A simple deny mail from blacklisted servers could be achieved with:

g_orbs_list name="relays.ordb.org" action="deny"

eg 2 - A smarter setup with exceptions for certain IP ranges and a whilelist exception database, a blacklisted deny database and with useful header based tagging could be achieved as follows:

g_orbs_exception "127.0.0.*,12.34.56.*"
g_orbs_list name="mywhitedatabase.none" action="accept"
g_orbs_list name="relays.ordb.org" action="deny"
g_orbs_list name="relays.osirusoft.com" action="deny"
g_orbs_list name="bl.spamcop.net" action="stamp" stamp="spamcop, http://spamcop.net/w3m?action=checkblock&ip=||remoteip||"

eg 3 - To use the output of header based ORBS stamping in the SmiteCRC calculation the following could be used:

g_orbs_list name="relays.ordb.org" action="stamp" stamp="open relay"
g_orbs_list name="my.dialup.databse.none" action="stamp" stamp="dialup"

These entries have the following rules in filter.rul. If you used your own stamp text you would place appropriate entries in the local.rul file.

if(rexp_case("X-ORBS-Stamp", "open relay")) then
call spamdetect(4.0, "Sender's IP was on an open relay RBL")
endif

if(rexp_case("X-ORBS-Stamp", "dialup")) then
call spamdetect(4.0, "Sender's IP was on a dialup RBL")
endif

Some RBL lists return a numeric code to give extra meaning, for example 127.0.0.4 might mean an open relay, and 127.0.0.5 might mean the site has no postmaster address. You can specify multiple stamp messages using this format, stamp="4=Open Relay~5=No postmaster address~Default message goes here"

See Also: RBL's

g_orbs_late - Disconnect user only if they fail to authenticate

Sometimes your customers will be using dial in lines that are banned by RBL databases, in this situation this setting will help as it will keep the connection alive long enough for a valid user to send an smtp authentication in.

Can also be used wth g_spf_skip_to "user@domain" this will allow you to add exceptions for users or domains that do not want RBL checks done on their accounts.

g_perflog_disable - Disable perflog logging

Completely disable the logging of historica performance data for the status graphs.

g_perflog_logall - Log all counters

Log all counters including the currently undisplayed counters. This is useful if in the future you suddenly think, Oh I would really like to see the historic information on one of the undisplayed counters - which would normally not have been logged to file.

g_perflog_lowres - Log in low resolution

Normally data is logged avery 10 seconds and 5 display scales are available hour, day, week, month and year. If this is set samples are taken every 5 minutes and 4 display scales are avbailable: day, week, month, year.

g_perflog_flush_interval - Flush interval

Interval in seconds to flush the performance log files to disk. Default is 3600 s (ie once per hour)

g_perflog_surgeonly - Only log surgemail counters

On Windows systems surgemail's performance logging will gather counters from surgemail and from the system "Perfmon" performance logging. This disables the collection of system counters.

g_pipelining - Show pipelining in ehlo response

Show pipelining in ehlo response - not recommended - has no behavior affect.

g_pop_blocksize - Size of packets to read POP messages (best left alone)

Size of packets to read POP messages (best left alone).

g_pop_lock - Lock out duplicate POP users with the file system

Use this setting if you are sharing a file system between multiple mail servers. This will make the mail server lock the users files to prevent a second user of the same name logging in and reading mail from one of the other systems.

g_pop_max - Max total POP & IMAP users at any one time

This limits the channels that will be used at any one time for incoming POP and IMAP connections. The purpose of this setting is to prevent a sudden burst of users reading mail from using up all available channels. Generally setting this is a bad idea as there is a sensible default (dependent on the system resources available). 

See FAQ section on session limits

g_pop_delay - Send POP packets after waiting for more data to send

This setting replaced g_pop_nodelay, as the default has been changed. It was changed as this can improve performance.

g_pop_port - Port to listen for POP connections (default 110)

Typically you won't need to change this, however you can specify an IP address to bind to or a list of alternate ports, eg: 10.3.2.3:110 or 110,6110 etc... By default the mail server listens to port 110 on all adapters/addresses. Use the keyword 'disabled' to disable this part of the SurgeMail service.

g_pop_secure_port - Port to listen for secure POP connections (default 995)

Dedicated secure port to listen on for POP connections.  Use the keyword 'disabled' to disable this part of the SurgeMail service.

g_popfetch - Fetch incoming mail from another POP server

POPfetch will retrieve mail from POP accounts on another server and store it locally. The POP fetch interval can be set using g_popfetch_interval. The parameters for this setting are host(required), user(required), pass(required) or localuser(required).

eg:
g_popfetch host="netwin.co.nz" user="marijn" pass="secret" localuser="marijn@anydomain.com"

Alternatively POPfetch is able to attempt local delivery based on headers. Delivery is attempted to "X-Rcpt-To:" with fallback of "To:" and "Cc:" headers. To enable this the local user needs to be defined as "*,userxxx". Fetched mail will be delivered as specified in the headers or if no valid user is identified in the header to the default user "userxxx". 

g_popfetch_interval - Interval between POPfetch attempts

The interval (in seconds) between successive attempts to fetch mail from remote mailserver POP accounts (as per g_popfetch rules). (default is 5 minutes = 300)  

g_popfetch_kick - POPfetch will try and open the link for 10 seconds, then retry, this should bring up ISDN lines.

If true then POPfetch will try and open the link for 10 seconds, then retry, this should bring up ISDN lines. 

g_popfetch_nodup - Drop duplicate messages

Drop duplicate messages based on "Message-id:" header. 

g_ppd_port - POPPassD port (default 106)

Port to listen for POPPassD connections. Typically you won't need to change this, however you can specify an IP address to bind to or a list of alternate ports, eg: 10.3.2.3:106 or 106,6106 etc... By default the mail server listens to port 106 on all adapters/addresses.  Use the keyword 'disabled' to disable this part of the SurgeMail service.

g_proxy - Proxy mode (or mailhost)

This enables the SurgeMail proxy mode, using 'tohost="xxx"' received from the authentication to determine real host for SMTP/POP connections. Any incoming SMTP, POP or IMAP connections will be passed on directly to the specified server. This allows you to split a domain over several separate systems. This method is outlined in general terms here.

To setup a proxy server system with 4 machines (2 proxy, 2 backend) use the following steps, lets assume your hosts are PROXY1, PROXY2, SERVER1, SERVER2

1) Set on the proxy servers in surgemail.ini g_proxy "true"

On the back end server use g_pop_nolock "true" (to avoid timing issues)

On the back end server set g_tohost_local "server1" (or server2) so it knows it's own name.

2) Configure your authent database to return 'tohost=xxx' for each user on your system, e.g. in nwauth

nwauth

set testuser1@test.com test tohost="SERVER1"

set testuser2@test.com test tohost="SERVER2"

lookup testuser1@test.com

+OK testuser1@test.com config 0 tohost="SERVER1"

3) Configure your load balancing router to send users to PROXY1 & PROXY2, ...

4) When new users are added always define the 'tohost' setting to define which system they are added to as load increases you can add more backend or frontend servers as needed.

This is very similar to the 'mailhost' setting some systems use in LDAPAuth to translate mailhost to 'tohost' you would use: info_fields mailhost,tohost in ldapauth.ini

g_proxy_default - Default proxy host

Default host to forward to if 'tohost' is not defined in user database for this user. 

g_queue_max - Size of internal queue file cache

Size of internal mail queue file cache, range 500-3000. 

g_quota_rcpt_disable - Disables quota check at rcpt stage

SurgeMail now does quota checking at rcpt stage (Quota checking used to be done after data arrived) This setting disables the quota checking at rcpt stage if the above causes problems (not intended for general use). 

g_quota_friends - Count stored spam as part of quota

Count friends pending messages and spam store as part of the per user quota. 

g_quota_try_later - Retry responses for over quota

Give 450 response if user is over quota so message will be resent. 

g_quota_warning_disable - Disables the 80% quota warning message

Disables the 80% quota warning message. 

g_quota_skip - Skip quota checks for matching ip addresses

Skips the quota checking. Use this if you have a high priority robot (like your billing system) that must be able to deliver email to users (or students) even if the user is over quota.

g_rcpt_bang - Allow bang characters in addresses

Allow exclamation marks in addresses. ie '!'

g_rcpt_colon - Allow colon characters in addresses

Allow colon characters in addresses. ie ':'

g_rcpt_max - Max recipients per message, default is 1000

Max recipients per message, default is 1000, can only be lower than 1000.

g_rcpt_msg - Invalid recipient response

Response given for invalid recipient errors message is prefixed by email address..

g_received_name - Name shown in received headers

Name shown as received "by" in the received headers this defaults to server name but can be specified if required:

eg "myservername"

   Received: from netwin.co.nz (unverified [10.0.0.5])
      by myservername (SurgeMail 1.5f) with ESMTP id 1140619
      for <marijn@netwin.co.nz>; Fri, 07 Nov 2003 10:25:59 +1300

g_received_skip - Don't write a received header for local trusted users

This setting can be used to hide sensitive local ip addresses from outgoing mail headers. This will make tracking abuse more difficult, we do not recommend using this setting generally.

g_recent_bypass - Bypass recent login failure checking

This allows you to disable recent login failure checking for certain IP addresses. Normally there up to a maximum of 9 login attempts are allowed per connection.

g_record_days - Period delivery logs are stored

The number of days SurgeMail message delivery logs are stored.

g_record_hash - Hash delivery logs

Message delivery logs may be stored in hashed format within g_record_path as <surgemail dir> \recYYMM\msgYYMMDD.rec

g_record_path - Path for mail delivery logs

Sets the path for the SurgeMail delivery logs. Delivery logs contain entries for mail received and delivered in a single file per day. See Searching the Log Files for more information.

g_redirect - Redirect messages to 'was' to the 'new' address

Specifies global redirection rule. These rules are applied to local and remote addresses so should be used with 'care', for domain based redirection use the redirect rules within a domain. An example rule would be: fred@xx.com --> bob@yy.com or *@xx.com --> joe@xx.com 

Wild cards can be used and replaced, e.g.

g_redirect was="*@gadget.net" to="%1@gadget.com"
g_redirect was="*@*.gadget.com" to="%1-%2@gadget.com"

Would make

bob@gadget.net --> bob@gadget.com
fred@cool.gadget.com --> fred-cool@gadget.com

These rules are processed 'before' the domain is identified, therefore you cannot use host_alias domain values in them. Use a domain redirect rule if this is required.

You can also redirect a message to a robot or script like this:

g_redirect was="auto@mydomain.com" to="|/usr/local/myrobot.sh"

Your script can read the environment variables:
MAILFROM
RCPTTO
MSGSIZE

And must read the message on 'stdin', the message will be terminated with "crlf.crlf"

Your script can then process the message and if it want's to respond must use smtp to send a response back etc...

Your script will run as the user 'mail' so if that user does not have access to the script file or work files then it will fail :-)

g_redirect_cc - Carbon Copy redirect message

Same as 'redirect' but the message is still delivered to the original address as well. For g_redirect_cc there are two special names defined "$localdomain$" and "$remotedomain$", which can be used in the 'was' paramater (requires SurgeMail 2.3). 

g_redirect_from - Redirect message if from matches

Redirect a message to another address if the from matches. 

g_redirect_from_cc - Carbon Copy redirect message if from matches

Redirect a copy of the message to another address if the from matches still delivering to the original address as well.

g_redirect_hide - Hide the redirection in the SMTP output

Hide the redirection in the SMTP output

g_relay_allow_ip - Allow relaying from these users

List the IP ranges of local users that you will allow to send 'OUTGOING' Email without using SMTP authentication, e.g. "127.0.0.1,10.0.*". In the past, mail servers used to permit this from any IP address, but since this was abused by 'spammers' all modern mail servers only allow this from known local IP addresses. Remote users should use 'smtp authentication' or login via POP protocol before sending Email, then SurgeMail will trust them. Do NOT set this to '*' If you do your system will be blocked as it will be assumed that spammers are using your system even if they are not!!! 

g_relay_allow_from - Allow relaying for known from addresses

This setting allows users to send outgoing Email if their envelope 'from' address is a known local address. This is a very bad idea in general as spammers can do this too. So in general don't use this setting except as a lesser of two evils.  It will be detected by some open relay checking systems and your site can then end up listed as an open relay.  If this happens your Emails will be rejected by other peoples systems. e.g.

g_relay_allow_from "*@my.domain,*@second.domain,fred@third.domain"

g_relay_dom_and_ip - Relay based on domain and IP

Allow relaying if the domain in the from envelope and IP address both match.

g_relay_message - Message to display to users who try to relay

Text string displayed to users who try and relay.

Default (blank) is: "Relaying blocked, read new mail, add <sender.ip> to forwarding or enable smtp authentication in your mail client"

g_relay_to - Relay to this domain from anyone

This setting allows mail from anyone to be relayed to the specified domain. The relaying is unconditional.

g_relay_window - Allow relaying after valid POP login

This sets the time after a valid POP login that you will allow a user on the same IP to send outgoing mail. In general it is safe to set this setting large and it can allow people using old mail clients (that do not know how to do SMTP authentication) to still send through your server without making your server an open relay. 

g_rename_files - Files to apply virus renaming to

Only takes effect if g_virus_rename is checked. Default is: "*.exe,*.pif,*.bat,*.com,*.cmd,*.jav,*.vbs,*.scr,*.wsh"

g_restart - Auto restart server

If turned on Swatch (a spawned second process) checks every 30 seconds to see if the server is still running. If it isn't running but it's pid file still exists (so if it died) this second process restarts the missing server and sends the manager account an Email reporting the fault.

For this to work on NT you need to set Dr Watson NOT to show visual notification of faults:

 This sets Dr Watson to be the default debugger)
         c:/> drwtsn32 /i   
 This brings up the Dr Watson settings, un-tick "Visual Notification"
         c:/> drwtsn32

Generally this setting is not needed and could be left off, but if an odd problem should develop, this setting can give you peace of mind for a few days while you wait for a problem resolution from NetWin. 

g_retry_bounces - Max hours to keep trying to bounce messages

Max hours to keep trying to deliver a bounce the default is 48hrs

g_retry_limit - Max hours to keep trying to deliver messages

Every hour the mail server will attempt to deliver any messages that fail for a reason that may be a temporary fault (for example the destination mail server doesn't respond). This setting limits how long these retries continue for. The default is 48 hours (2 days). 

g_retry_minutes - Time between attempted retries

Time in minutes that SurgeMail will try and resend a message that has failed to be delivered.
(default = 60 minutes).

g_retry_rule - Retry rules overriding g_retry_limit

Rules that allow you to specify the retry_limit in hours on a per destination domain basis.

Example:
g_retry_rule domain="test.com" hours="48"

That will make it keep retrying to send to the domain test.com for 48 hours.

g_route - Wildcard route mail to specified server

Route messages matching particular wildcard "from address" and wildcard "to address" to specified server. This is not a gatweay rule and is only applied to mail that has already been accepted via SMTP authentication, relaying rules or gateway rules.

This would typically be used to route all mail for a particular user on a domain to another mailserver or to route all mail from a local domain through another server:

Case 1: Route mail for one user to another server

g_route from="*@*" to="user@localdomain.com" dest="1.2.3.4" user="" pass=""

Case 2: Route all mail from local domain through other server

g_route from="*@localdomain.com" to="*" dest="1.2.3.4" user="" pass=""

g_route_except gets applied allowing you to prevent mail coming in from certain IP addresses to be routed.

g_route_by_tohost - Route based on authent 'tohost' field

Use routing to a particular server based on 'tohost' setting in authentication database. This is particularly useful if you have users spread over several physical locations and want to be able to route mail for different users to particular servers.

g_route_except - IP exception to g_route and g_route_by_tohost

IP exception to g_route and g_route_by_tohost.

g_scan_action - Converts return value from g_scan_cmd to action on email

Converts return value from g_scan_cmd, action=drop,accept,bounce.

g_scan_cmd - Run command on message, and return integer

Run command on message, and return integer, see g_scan_action.

g_sched_utoken_timeout - Timeout for sched utokens in minutes

Timeout for sched utokens in minutes. 

g_send_backoff - Backoff slow hosts

Seconds to leave slow responding host alone (default 900).

g_send_helo - Domain to use for all outgoing SMTP helo commands

Fully qualified domain to use for all outgoing SMTP helo commands.

g_send_helo_from - Use the sending domain for the helo command

If the senders domain name (in return path envelope) is a valid local domain, then it is used in the 'helo' command.

Not generally recommended. The correct use of the helo is to identify the sending machine, not the domain, so although this makes the headers look pretty it doesn't make them more correct in my opinion.

g_send_lines - Send single line packets

Send messages in single line packets, slow! (for debugging)

g_send_open_timeout - SMTP link open timeout

Timeout, in seconds when opening an SMTP link.

g_send_max - Max concurrent sending sessions

Maximum concurrent outgoing SMTP connections . You should not have to change this. The default is 100.

g_send_max_perdom - Max concurrent sending sessions to a single domain

Maximum concurrent outgoing SMTP connections to a single domain. The default is 2. This can be set higher and the default used to be 6 however there are a few servers out there that don't like more than 2 channels being opened to them.

g_send_onpopfetch - Only send outgoing while doing a POPfetch

Only send outgoing while doing a POPfetch (For dialup use).

g_send_body_noretry - Don't try and resend if failure during body send

By default SurgeMail retries to send messages if the tcp connection is lost during the body send part of sending an email message. In rare situations this may cause problems, for example while sending a large file if the receiving software is faulty and is dieing rather than responding with 'don't try again' error code. This behaviour was reversed before version 2.0h (e.g. it never retried)

g_send_noskipslow - Don't skip slow hosts

Normally surgemail remembers hosts that are slow to open, fail and doesn't retry for 60 minutes.

g_send_speed - max outbound bandwidth

Bytes per second to limit each outgoing channel to. eg: 10k

g_send_timeout - Send timeout

Timeout, in seconds when sending mail, default is 540 (9 minutes)

g_server_name - Wildcard "SERVER_NAME" translation for domain identification

The vdomain a user connects on is normally identified automatically for "user account self management" and for "webmail". In the event that the domain name is not the same as the host name (eg hostname = mail.domain.com, domainname = domain.com) the WebMail web server can automatically translate the SERVER_NAME variable.

This setting specifies a wild card list of URLs 'URL' with associated translated host name for "SERVER_NAME". If the URL matches then SERVER_NAME is set to the second part of this setting 'name'. eg: to host the domains domain.com and mail.domain.com on host mail.domain.com:

g_server_name url="*.domain.com" name="domain.com"

Note: If your server name is not the same as your domain name also check the per domain setting URL_host.

g_server_stamp - Replaces SurgeMail and version string in "Received" headers

Replaces SurgeMail and version string in Received headers of process mail

g_smite_all - Add smite headers to all messages passing through server

Normally SmiteSpam headers are only added for locally delivered messages. This setting to all messages passing through this server. 

g_smite_level - Smite level to discard message

If SmiteSpam gives a message a "smite score" above this, throw it awayl. This setting is best never used. If used it should be set to '1 or 2'. A value of 1 = "has been reported", 2 = "has been reported multiple times". If smite match score is above this drop message. This is applied when the user downloads the email not at delivery time.  What you probably want is 'g_spam_bounce' described elsewhere on this page.

g_share_home - Allow sharing of home directory

This allows sharing of the home directory in the unlikely situation that you might want to run separate surgemail processes. eg one process to cope with SMTP and another to cope with POP access.

g_share_mail - Allow sharing of mail directory

Set true if mail area is shared (by nfs or other mechanism)

g_smite_gateway - Add smite headers to gatewayed messages

Normally SmiteSpam headers are only added for locally delivered messages. This setting adds the headers for gatewayed messages too. This also adds headers to messages that are redirected by forward rules as well.

g_smite_skip - Skip smitecrc processing for messages from these domains

This will skip running SmiteCRC for messages whose from address matches these domains. This is the mail from envelope header NOT the from header in the message (you can check the return path header in the message to check what you need to add for this setting).

Note this is a wildcard field so to match any mail claiming to be from safedomain.com you would have to set:

g_smite_skip "*@safedomain.com" 

g_smite_skip_ip - Skip smite based on sender IP

Skip smite scanner if sender IP matches this wild card list.

g_smite_skip_to - Skip smite based on <to>

Skip smite scanner if to matches this wild card to <address>.

g_smite_tag - Tag message if in SmiteSpam database

If set to true will tag messages already in the SmiteSpam database.  A value of 1 = "has been reported", 2 = "has been reported multiple times".

g_sms_gateway - Address and port of your SMS gateway

This is the ip and port of an 'email to sms gateway'. The gateway should accept SMTP messages on this port and convert the email into an sms message then deliver to the phone number in the 'to' address. SMSGate is our 'email to sms gateway' and is FREE with SurgeMail. Setting user_sms to "true" for a domain allows users to specify a phone number (or email address) and rules for when to notify them.

g_smtp_cmd_timeout - SMTP command timeout

Seconds to wait after getting a message for next command (workaround for sendmail bug)

g_smtp_delay_stamp - Stamp message if sender doesn't wait for welcome

If true then if any smtp commands arrive before the 'helo' greeting is sent then a header is added to messages which will result in a higher spam score.

g_smtp_data_timeout - SMTP data timeout

Seconds to wait for SMTP data input.

g_smtp_etrn_auth - etrn if authenticatd

Only do etrn processing if user is authenticated.

g_smtp_help_disable - disable smtp help command

Disable SMTP help command (minor security percaution).

g_smtp_log_protocol - Log SMTP protocol

If enabled, the SMTP protocol is logged to the mail.log file as "smtp: In" and "smtp: Out" entries.

g_smtp_max - Max total incoming SMTP connections

This limits the channels that will be used at any one time for incoming SMTP connections. The purpose of this setting is to prevent a sudden burst of spam from using up all available channels. Generally you do not need to change this. (Default = 250). Use the related setting g_smtp_max_reason to over-write the detailed error if you don't want spammers to know what your limits are set to.

g_smtp_max_nolimit - IP based exceptions to g_smtp_max

This lets you specify IP based exceptions to g_smtp_max, so if you need a certain IP to open up many connections you would add that IP here.

eg. g_smtp_max_nolimit "10.0.0.50"

g_smtp_maxbad - Max bad SMTP commands

The maximum number of bad commands accepted per session before SurgeMail will drop the connection.

Example: g_smtp_maxbad "10"

g_smtp_port - Port to listen for SMTP connections (default 25)

Typically you won't need to change this however you can specify an IP address to bind to or a list of alternate ports, eg: 10.3.2.3:25 or 110,2110 etc... By default the mail server listens to port 25 on all adapters/addresses.  Use the keyword 'disabled' to disable this part of the SurgeMail service.

g_smtp_secure_port - Port to listen for secure SMTP connections (default 465)

Port to listen on for dedicated SSL SMTP connections.

g_smtp_vrfy_msg - VRFY response

Change Response to VRFY, e.g. 252 Not telling.

g_smtp_welcome_delay - delays welcome message

Syntax: g_smtp_welcome_delay "seconds"

This delays the welcome message sent by SurgeMail to a connecting server. If the server sends data to SurgeMail during this waiting time SurgeMail will drop their connection. The theory is that any well behaved server will wait for prompts and check them, but a lot of spamming software never takes any notice of prompts/responses and sends blindly. We believe a value of 1-3 seconds is ideal. You can also exempt ip's from this setting by using g_spam_allow "ip". Settings too high will cause real mail to be lost.

Examples:
g_smtp_welcome_delay "3"
g_spam_allow "127.0.0.1"

So above, delay giving the welcome message for 3 seconds, anyone that sends data in that 3 seconds will be dropped, but anything connecting from 127.0.0.1 will be able to send immediately (you should make sure webmail is exempt).

g_spam_aspam - Aspam rating

Scale for Aspam default is 1.0. Valid range is zero to two.

The aspam matching based on it's database of known spam and non spam produces a score in the range -5 --> 5. Tthe g_spam_aspam setting lets you 'scale' this score to increase/decrease the importance of the aspam rating. The result is then applied (added to) the spamdetect header.

g_spam_autotrain - Autotrain "good" filter

Auto train spam filter good messages based on first 1,000 outgoing emails.

g_spam_allow - IP wild card of sites to exempt from spam limits

Typically use this to allow known mailing list servers that use your system to send messages in without being tarpitted. e.g. "127.0.0.1,local.ip.number". This same setting is an exception to the other spam rules. 

g_spam_allow_recent - Exempt recent POP from spam limits

Skip spam rules if recent POP IP number (see g_relay_window). 

g_spam_body - Add SpamDetect header in body

If spamdetect score is above this, add spamdetect header at top of message body (in addition to the header). This allows mail clients that are not able to filter mail based on headers to filter out spam email. This can be set on a per user basis too. A value of 3 or 4 would be reasonable. The only real reason for this setting is some common mail clients are unable to scan non standard headers so cannot automatically file spam in a folder unless this is used. My recommendation is for such users to use the web interface to set actions individually.

g_spam_bounce - Bounce local delivery based on spamdetect score

If spamdetect score (number of '*'s) is above this, bounce message if local delivery. 14 is a reasonable value, never set below 10.

g_spam_bounce_text - Error text when message is bounced due to g_spam_bounce setting

As per description. Default is: "554 Failure Message looks like spam, sorry not wanted here q=311", where q is the message queue id.

g_spam_bounce_all - Bounce local and remote delivery based on spamdetect score

If spamdetect score (number of '*'s) is above this, bounce message, this applies to all messages regardless of user settings. e.g. 7 or 8 would be reasonable, 3 would be very strict, and less than 3 would certainly bounce real emails. I recommend you don't set this below 5. This rule is applied as soon as the message is submitted, user spam settings do not override it.

g_spam_catcher - Spam catcher addresses

Addresses on web pages that shouldn't get any email (robot bait), only for use with Aspam.
Any email going to the specified address will be sent to the isspam address for processing and the message will also be dropped. If the message has multiple rctp's and some are valid users, but one matches the catcher address, it is not delivered to anyone. If you need to enter a lot of spam catcher addresses then the best way is to just setup a single spam catcher address and then use g_redirect to redirect other addresses to the spam catcher address.

eg
g_spam_catcher "johnsmith@mydomain.com"

g_spam_check_auth - Enable spam rules for authenticated users

Normally authenticated users are exempt from spam rules when sending mail. This enables all spam checking rules for authenticated users.

g_spam_hold_keep - Spam hold timeout

How many days to store users spam hold messages before deleting them.
Default is 14 days.
eg. g_spam_hold "14"

g_spam_info - Info line explaning aspam system

Info line and url to explain aspam system.

g_spam_info_hide - Remove x-spamdetect-info header line

Removes the x-spamdetect-info header line.

g_spam_internal - Enable internal Aspam spam processing system

Enable new 'internal' spam processing system, note this disables SmiteCRC too!

g_spam_notrain - Disable isspam and notspam addresses

Disable isspam and notspam addresses for user training.

g_spam_notspam - Spam collection address

Address that non authenticated users can send non spam to.

Example: g_spam_notspam "notspam@domain.com"

g_spam_noupdate - Disable aspam updates

Disable fetch of aspam filter rules etc from netwinsite.

g_spam_poly - Scale for poly word matching

Scale for poly word matching, default is 0.1, Valid range is zero to two, Use 1.0 to enable.

g_spam_private - Enable private email addresses for users to avoid spam

Note: The user will define these settings, after turning on this global setting the user can use the Web Self administration interface, press the 'Spam' button and the private email address is defined on that page.

This setting adds the ability for each user to create a private email address to bypass SPF/ Spam filters. The user would then typically increase the spam settings for their non private account to 'friends mode' and enable SPF. So only known friends will be able to contact them via the old address.

This allows the user to live 'spam free' without the risk of blocking email from real people.

The user must be careful with their new private address, it should only be used with humans, when entering an address in a web form or mailing list a special variant should be used e.g. user--from-WEBDOMAINNAME@users.domain

The user defines their private address, in the form user--PRIVATE@domain.com, e.g. if the users public address is joe@cool.com, and the user defines a private extension of "juggle" then the private address would be:

joe--juggle@cool.com

Email addressed to joe--juggle@cool.com is delivered without SPF or SPAM filtering / tagging.

In addition the user can enable 'from' matching which must look like this: username--KEYWORD-STRING@cool.com, the user specifies a keyword e.g. "match". Then anything addressed to the user in this form:

joe--match-STRING@cool.com

Will only be delivered if 'STRING' is found in the 'from' envelope address, otherwise it will bounce. So when entering an email address in a web page called "toys.com" the user would enter:

joe--match-toys@cool.com

Any -- extension that is not recognized will return a bounce suggesting they remove the extension and try again.

g_spam_subject - Modify message subject line based on spam rating

If spamdetect score is above this add spam rating Spam:**** to subject.

g_spam_subject_gateway - Modify message subject lime based on spam rating for gatewayed messages

If true then spam_subject setting applies to gatewayed messages too

g_spam_subject_word - Allow arbitrary modification of message subject line

This is a string that is prefixed to the subject of incoming mail caught by g_spam_subject. You can use ||score|| and ||stars|| which will contain the actual spam rating. Good examples might be: "[SPAM]" or "SPAM(||score||), "

g_spam_url - Scale for url word matching

Scale for URL word matching, default is 0.3, Valid range is zero to two (recommend 1.0)

g_spam_user_max - Max messages for authenticated users

Max messages an authenticated user can send per 30 minutes, eg: 5000

g_spam_vanish_all - Vanish local and remote delivery based on spamdetect score

If spamdetect score (number of '*'s) is above this, drop message, applies to all messages regardless of user settings. e.g. 14. This rule is applied as soon as the message is submitted, user spam settings do not override it.

g_spam_userconfig - Enable per user spam settings

Allow users to opt in / out of specific anti spam features. If this is enabled this will add a "Spam" button on the users account self management pages.

The most useful antispam feature is that user's mail that is suspected spam, can be stored on the server so that these messages do not need to be downloaded to your normail email client over what could well be a low bandwidth connection.

g_spam_vanish - Vanish local delivery based on spamdetect score

If spamdetect score (number of '*'s) is above this, vanish message if local delivery. eg: 12 would be reasonable.

g_spamdetect_always - Always add spamdetect header

Always show spamdetect header even for low and negative scores.

g_spf_mode - Sender Permitted From

See https://netwinsite.com/spf.htm for details.

g_spf_skip_to - Skips SPF checks based on rcpt address and RBL checks.

Syntax: g_spf_skip_to "user@domain.com"

This setting can be used to skip spf checks based on the rcpt address, if used with g_orbs_late "true" then it can also be used to skip rbl checks if the rcpt matches this setting.

g_spool_path - Allows SurgeMail to scan a directory for messages to send.

Syntax: g_spool_path "directory of spool"

SurgeMail will scan this directory every few seconds and check for any messages in this directory if found SurgeMail will then send them the messages (must end in the extension .msg). The format of the messages is as follows (without the quotes).

filename: test.msg

"
To: you@domain.com
From: blah@domain.com
Subject: blah blah

This is a test
"

g_startup_delay - Startup delay

Seconds to wait before accepting inbound connections when starting SurgeMail .

g_ssl_allow - IP Wild card of connections to allow to use SSL

This setting controls which connecting IP numbers are permitted to use SSL on POP and IMAP. They will see TLS in the protocol extension command (ETRN for SMTPor CAPA for POP). Typically, to enable SSL you set this to "*" after getting a certificate. If you don't have a valid certificate then turning this on can cause problems as mail clients will try to use SSL and fail. 

g_ssl_allow_imap - IP Wild card list to allow SSL encryption from for imap

This setting controls which connecting IP numbers are permitted to use SSL on IMAP.

g_ssl_per_domain - Create/use an SSL certificate for each domain

SurgeMail can be set to use a single SSL certificate for the server or individual certificates on a per domain basis.

SurgeMail will create private key / certificate pairs if required on startup. Alternatively these can be created using the 'SSL Config' link on the global settings page. These can be replaced with your own trusted signed certificates using the web admin interface or by placing the appropriate private key and certificate pem files in the following location: <surgemail>/ssl for a single certificate for the whole server and under <surgemail>/ssl/<vdomain> for per vdomain certificates.

Some mail clients and web browsers will complain if the certificate domain does not match the domain they are connecting to.

Changing g_ssl_per_domain will require surgemail to be restarted to take affect. Changes to certificates using the web admin interface now take affect immediately.

g_ssl_require - IP Wild card of connections to require to use SSL

This forces all matching IP addresses to use SSL for SMTP, POP and IMAP connections. Typically you would use this for non local connections to increase security local connections might be comparatively safe in un-encrypted mode. 

g_ssl_require_imap - IP Wild card of connections to require to use SSL for IMAP

This forces all matching IP addresses to use SSL for IMAP connections.

g_ssl_require_login - IP wildcard of connections fur users needing to use SSL

This setting forces all matching IP addresses to use SSL for any action that requires a user login. eg: POP, IMAP and SMTP authentication but not plain SMTP. So this is ideal if you want all users to use SSL but still want email to come in from non SSL SMTP servers.

g_ssl_require_out - Other machines we only send to using SSL

This forces all matching IP addresses to use SSL for SMTP outgoing connections. Typically you would use this for outgoing connections to increase security. 

g_tarpit_badrcpt - Delay rejection of bad recipients

Delay rejection of bad recipients (in seconds, default 4s).

g_tarpit_blackhole - Reject email one recipient at a time to make spammers go away

If tarpit_blackhole is true then if it was going to drop the connection to that user. Instead it will keep it and let the user talk and try and send messages, but will reject all recipients, it only does this for a max of 200 channels, any more are dropped.

g_tarpit_drop - Max recipients per hour from one IP

Drop link and ban for 1 hour if g_tarpit_max or g_max_bad_to has been exceeded.

g_tarpit_max - Max number of local recipients per hour from one IP

If this limit is exceeded, the offending client is "tarpitted". This means the mail server starts pretending to go slowly. This is better than simply closing the connection as that will not stop the sending system from trying to reconnect rapidly or send to other systems rapidly, but tarpitting jams the sending system and limits the damage they can do to you and others. Cool huh? 

Unlike G_BOMB_MAX, the g_tarpit_max setting counts the total of all recipients to all addresses from this IP address.

A setting of about 200-10,000 is probably good but be careful with mailing lists it will break them. Use an exclusion for IP addresses of known mailing lists or set the limit higher than known mailing lists, eg: 2,000 is probably a good setting just to avoid disasters without disrupting many real users.

Use spam_allow ip.address.list to over-ride the limit for known systems (eg: mailing list servers) that would be exceed the limit.

g_tarpit_max_remote - Max remote recipients from one IP

The maximum number of remote recipients before slowing down.

g_tcp_read_timeout - Timeout in 'seconds' on POP connections (do not adjust)

Timeout in 'seconds' on POP connections, do not adjust. (default 600).

g_tellmail_ip - Tellmail IP restriction

Restrict remote tellmail commands to these IP addresses.

g_thread_max - Total maximum number of threads allowed

Total maximum number of threads allowed on this system. This should not normally be changed. If you do increase it start small, eg: 400 is a safe number on most systems. Generally if you need to increase it more than that then you have a performance problem that needs fixing and increasing it more is unlikely to be a good idea. On Linux if your thread_max setting is above 500 then you must modify surgemail_start.sh to increase the handle limit from 1024 to 2048 (at least twice the g_thread_max value). If you get crashes with 'handle_limit' recorded in the logs then it's likely that your operating system handle limit is too small for your g_thread_max setting. On Solaris you will need the 64 bit build of SurgeMail to increase this limit as the Solaris 32 bit 'c' libraries are limited to 256 file handles (I kid you not :-)

See FAQ section on session limits

g_thread_reuse_real2 - Thread reuse

If enabled the server will reuse existing threads instead of creating and destroying threads for each incoming/outgoing message. This has no affect on performance but does avoid a bug in some UNIX threading libraries which leak handles and cause problems if threads are not reused. Generally best disabled except on early Linux systems. 

g_timezone - Timezone text

Text to be placed in the timezone part of the date string. e.g. +1200 NZT 

g_tohost_local - Tohost entries to deliver locally

Authentication database tohost name entry to deliver locally. This setting only applies if g_proxy or g_route_by_tohost is enabled. This is useful to allow the configuration of multisite systems using g_route_tohost with a single shared authentication database.

g_url_alias - Allows translation from one URL to another

Allows translation from one URL or beginning of a URL to another. eg:

g_url_alias from="/cgi-bin/" to="/scripts/"

will cause the URL http://localhost:7025/cgi-bin/fred.cgi to reference the same file as http://localhost:7025/scripts/fred.cgi would have, the fred.cgi in the SurgeMail 'scripts' directory. The domain url_alias settings are checked before these, the first matching rule is used, settings are checked in the order specified.

g_url_enable - Enables widearea url database

Syntax: g_url_enable <true/false>

If set then SurgeMail fetches the url database and updates from netwinsite.com every few hours. Messages which contain matches will get a header X-SpamUrl:... which will be used in the spam score. Once enabled you will contribute to Netwin's central server and also download from their once every couple of days.
Additions to your isspam/notspam training addresses are also sent to netwinsite.com (just the url's for white list/blacklist)

g_url_master - Not for general use

Used by netwin to manage the master server. Sorry this doesn't allow you to run your own master.
Should be left blank

g_url_master_to - Not for general use

Not for general use. Used by netwin for testing.

g_user_access - Allow / Restrict user access to features based on g_access_group

g_user_access group="wildcard" access="list"

This setting matches the g_access_group the user is in to the wildcard specified and applies the specified list to that user, giving / restricting thier access to certain features. The list may include any of the following:

In addition you can prefix any of the above with ! to deny access. There are two other special case values, "all" and "none" which mean exactly what they say, access to "all" or "none" of the features.

Example:

g_user_access group="simple" access="all,!spam,!virus"

The above setting gives users in the 'simple' group access to all the features except spam and virus features.

g_user_access_default - Default user features granted to users

This setting is a default access list for all users on the server, it is specified in the same maner as the g_user_access settings 'access' parameter. eg:

g_user_access_default "all,!spam,!virus"

g_user_send_max - Maximum number of emails per day (requires SMTP AUTH)

g_user_send_max group="wildcard" max="number"

If 'group' is set to '*' then it applies to users who are not in a group (see g_access_group), and/or whose group does not match another g_user_send_max setting.

g_user_send_rule - Define valid recipient addresses for users in a group (requires SMTP AUTH)

This rule allows you to define which domains users in the specified group can send email to.

g_user_send_rule group="wildcard" to="number"

If 'group' is set to '*' then it applies to users who are not in a group (see g_access_group), and/or whose group does not match another g_user_send_rule setting. The 'to' field contains a wildcard list of allowed email addresses.

g_user_alias_file - User aliases configuration file

This setting specifies the configuration file for user aliases. This file is in the following format:

domain alias_domain,access[,access]...

where domain is the domain name eg: email.com, alias_domain is the domain in which aliases can be created, and access specifies who is allowed to create these aliases, it can have one of the following values:

Example alias.dat file:

email.com *.email.com,public
email.com sport.email.com,public
internal.email.com email.com,private
internal.email.com internal.email.com,admin

g_user_alias - Number of aliases accounts can create

This setting specifies the maximum number of account aliases an account (optionally in specified group) can create. The format of these aliases is specified in the file specified by the g_user_alias_file setting. eg.

g_user_alias quota="10" group=""
g_user_alias quota="20" group="grp1"
g_user_alias quota="30" group="grp2"

g_user_domainlist - Show domains list on user pages

This setting decides who will see the drop-down list of domains on the user check, add, login, and management pages. It has three possible values: user, domadmin and admin. A value of 'user' allows everyone to see the list, 'domadmin' allows domain admins and the admin to see the list, and 'admin' allows only the admin to see the domains list.

g_user_cookies - Enable browser cookies for user self management

Enable browser cookies for user self management.

g_user_mfilter - Local delivery Mfilter rules

Mfilter rules to run late in the delivery process after the email messages have become "user specirfic", In particular this allows filtering based on the output of g_user_pipe.

g_user_filter_early - Process user exceptions/filters before tagging message as spam

Causes the users exception rules to be processed before tagging the message as spam, meaning, if a rule matches to 'accept' a message, that message not to be tagged as spam.

g_user_pipe - Local delivery filter pipe

Pipe run on file just before delivery to user, $USER$ available on command line. This allows the message to be modified (also see g_filter_pipe).

g_user_sms_quota - SMS quota

Number of SMS messages accounts can send.

g_user_utoken_days - Length of time a user self management login token is valid

Length of time a user self management login token is valid for. Length of time a user self management cookie is valid for. After this time period the login token will stop allowing the user access and they will need to login again.

g_user_virus_scan - Allow users to enable / disable virus scanner for themselves

This setting adds a tickbox to the Spam page in user self administration that allows the user to enable and disable the virus scanner for them selves.

g_user_list_quota - Number of mailing lists users can create

g_user_list_quota group="" quota="100"

This setting configures the number of mailing lists a user can create on this server. The group field is optional, specifying none effects all users globally, otherwise it matches this against the users access group. See also user_list_quota which can set quota per domain. Also the list_quota authent field can set quota per user.

g_vanish_bad_bounces - Vanish suspected spam bounces

Vanish suspected spam bounces (requires g_received_name).

g_verify_helo - Verify helo name translates to same network as sending system.

Syntax: g_verify_helo "true/false"

It will skip this check for any trusted connection (smtp authenticated, or any ip it would allow to forward)

It adds this header:
X-Verify-Helo

It simply takes the helo name, and turns it into a number a.b.c.d, then it checks that the connection is coming from 'a.b.*.*'
if it isn't it adds a header saying as much.

g_verify_mx - Verify sender IP by MX

Verify MX records contain senders IP address (also see g_verify_mx_skip).

g_verify_mx_skip - Skip verify sender IP by MX

Use to define incoming mail gateway IPs so the MX verify doesn't fail on them.

g_verify_smtp - Verify SMTP port

Verify we can talk back to the SMTP port on incoming IP address.

g_virus_avast - Enable Avast virus scanner integration

Not recommended, now use the anti virus config page to configure surgemail to use your system scanner.

g_virus_avast - Set Avast update time

This is a string based setting that allows you to specify when Avast updates are attempted.

eg: to update at 12 midnight, 6am,12noon and 6 pm.

g_virus_avast_hour "0,6,12,18"

g_virus_fprot - Set F-PROT port for mail scanning

Typically set this to 11200

First install f-prot virus scanner, exact steps will vary depending on platform so follow your F-Prot install instructions, but as an example on Linux we did this:

cd /usr/local
gunzip DISTRIBUTION.tar.gz
tar -xvf DISTRIBUTION.tar
cd f-prot
./install-f-prot.pl
cd tools

# Now start mail scanner as user 'mail'
su mail -c"/usr/local/f-prot/tools/scan-mail.pl -server -daemon"
         

Your will also need to start the scanner as above in your startup scripts (e.g. rc.local)

Then lastly in surgemail.ini set

g_virus_fprot 11200

When a message is scanned a header X-Fprot: ... is added giving some informational status.

g_virus_cmd - Command line virus checker to run on MIME parts

If defined the mail server will extract MIME parts in a multi part message and run the virus scanner over the extracted file. The command line can include $FILE$ which will be replaced with the actual file name of the extracted part. An intelligent cache is used so mailing lists, etc, will not require running the virus scanner on every message sent.  If you set this to "do_not_run" then SurgeMail will extract the MIME parts but not actually run any program, some virus scanners scan all files on the system so the file is deleted magically and SurgeMail will notice and bounce the message. If your scanner supports the returning of return codes if a virus is found then you should use g_virus_cmd_codes with this setting as this is more reliable than having to detect if a file is deleted and also means also will work on viruses in archives which a lot of scanners won't delete.

g_virus_cmd_codes - Return codes to bounce message

Accept return codes from virus scanner as a confirmation that the scanned file is infected, eg: 1,2,3,4,5.

Lets SurgeMail check the return code from g_virus_cmd and if the code matches
one in the above setting assumes its a virus and bounces it.

g_virus_cmd_codes "10,12"

This would assume its a virus if the scanner returns return code 10 or 12 and then will bounce the message.

g_virus_cmd_max - Maximum number of concurrent threads to use for scanning

Syntax: g_virus_cmd_max "number of threads"

This sets the maximum number of threads that be used for running the virus scanner set by g_virus_cmd. Some scanners can take a while to scan a message and if the server is very busy this can tie up many channels and drain the cpu slowing down the entire mail server. When the maximum has been reached any messages coming in will be passed on without being run through the scanner - although this is not the best, it's better than the mail server grinding to a halt.

g_virus_cmd_nodel - Do not delete scanned files

Disables cleanup of scanned files, so you can test manually. The files are extracted to the "toscan" directory inside the SurgeMail directory. You should never normally need this on unless for debugging purposes.

g_virus_cmd_sleep - Wait after g_virus_cmd incase delete is not immediate

Milli seconds to wait after g_virus_cmd incase delete is not immediate, eg: 500 = half a second.

g_virus_filter - Virus checker or filter that takes commands on stdin and response on stdout

Virus filters use the following protocol the process is run continuously and sent on STDIN a command of the form, "nnn CHECK fullfilename envelopefilename\r\n" and in response it must send back is  "nnn OK|REJECT|ERROR reason text\r\n"

It can modify the file directly and then respond with 'ok', however if it does this it must maintain the crlf line terminated and dot stuffed nature of the file.

Here is an example test of a virus filter

		c:\surgemail> vfilter.exe
     	1 check c:\surgemail\work\a.itm c:\surgemail\work\a.hdr
     	1 REJECT Found something bad in that file
     	2 check c:\surgemail\work\a.itm c:\surgemail\work\a.hdr
     	2 OK send message along

a.hdr would contain:

		From: bob@domain.com
     	To: xyz@thisdomain.com
     	To: xyz3@thisdomain.com

g_virus_rename - Rename attached executables to prevent autorun

If enabled SurgeMail will rename dangerous executable files by replacing the '.' with an '_'. This will stop many autorun viruses. This is name

g_virus_filter_require - Require filter pipe

If any g_virus_filter pipe fails bounce messages rather than allow to continue.

g_vpipe_concurrent - Concurrent requests to vpipe process

Concurrent requests to vpipe process, default is 7, set to 1 to debug vpipe issues

g_vpipe_notag - Disable vpipe result headers

Disable headers showing vpipe results in messages.

g_virus_recent_skip - Skip recent virus cache

Skip virus recent cache which attempts to speed up virus scanners.

g_virus_allow_unmonitorable - Allow unmonitorable content (avast antivirus)

By default messages that cannot be scanned (eg as they contain password protected archive files) are blocked by the avast virus scanner. This setting allows unmonitorable contect to be sent.

g_vpipe_timeout - Timeout for firus filters (default 60s)

The timeout in second that SurgeMail will wait for a virus filter (defined by g_virus_filter) to complete. If after this time the virus filter has not responded the message will be let through and the following line logged in mail.log:

"Virus filter not responding, stuck on <msg file> allowing message through"

g_vpipe_skip - Skip virus filter checks per IP address

Disable virus and crc checking for known safe bulk mailers that would otherwise overload the server. This setting affects the virus checker.
Example: g_vpipe_skip "20.0.0.2"

• g_virus_cmd
• virus filters (g_virus_filter)
• filter program (g_filter_pipe)
• F-Prot in daemon mode (g_virus_fprot)

g_virus_restart - Restart vpipe virus scanners

Restart vpipe virus scanners every this many items.

g_webmail_port - WebMail port (default 7080)

This is the port that WebMail users should connect through (unless you want better security, then use the secure port and HTTPS protocol listed below) By default it is port 7080, but if you are not running a web server you probably want to change it or add port 80, eg:"7025,80" so that people can get to it with a URL like this: http://your.mail.server instead of http://your.mail.server:7080. Use the keyword 'disabled' to disable this part of the SurgeMail service.

g_webmail_secure_port - WebMail secure port (default 7443)

This is the port that WebMail users should connect through.. By default it is port 7443, but if you are not running a web server you probably want to change it or add port 443, eg:"443" so that people can get to it with a URL like this: https://your.mail.sever Instead of https://your.mail.server:7443. Use the keyword 'disabled' to disable this part of the SurgeMail service.

g_work - Workarea Path

Work area for SurgeMail temporary work files.

g_xauthuser_hide - Hide X-Authenticated-User header

The header X-Authenticated-User is added to all local deliveries for users that login using SMTP authentication. This is the most reliable way to determine who actually sent this email. This setting will disable the addition of this header.

g_xfile_allow - IP address to allow xfile and WebMail features from

Allow xfile & web upload features for users. Set to '*' or the WebMail servers IP address.

g_xrcpt_hide - Hide X-Rcpt header

The X-Rcpt header is added indicating which local account this message was delivered to. This setting will disable the addition of this header.

g_xrcptoriginal_hide - Hide X-Rcpt-Original header

The X-Rcpt header is added indicating which local account this message was delivered to. If the mail has been redirected for any reason the original delivery address is added as an X-Rcpt-Original header. This setting will disable the addition of this header.

g_xserver_hide - Hide XServer header

This wil hide the X-Server header.

spamlist - Spam Filter Rules

These rules allow simple filtering of Email messages for common or repetitive spam message.  The form lets you specify whether a string is found in a specified header that all such messages be bounced or redirected.  This form will write or modify your mfilter.rul file to include an auto generated section which obeys the rules you have defined, e.g.
 

D:\>type   \surgemail\mfilter.rul
 # BEGIN_AUTO Generated section do NOT EDIT this bit
 if (isin("Subject","bad words")) accept "fred@remote.domain"
 if (isin("To","bad words")) accept "fred@remote.domain"
 # END_AUTO Generated section do NOT EDIT this bit

You can write much more complex rules yourself manually, see mfilter.htm for more details.

g_authent_prefix_sep - Authent Prefix Separator (deprecated - for backward compatibility only)

Prefix separator for prefix based separator. Only relevant if enabled on a per vdomain basis using the "prefix" setting.

g_authent_fwdfile - Use DMail forward files (deprecated - for backward compatibility only)

Allows old style DMail forward files to be read.

g_dmail_filter - Run DMail compatible filter files (deprecated - for backward compatibility only)

Run DMail compatible filter files. Mfilter rule files should be used instead.

g_mirror_nwauth - Mirror NWAuth data files (deprecated - for backward compatibility only)

This setting is no longer used (as of SurgeMail 1.7d), the g_mirror_mode setting is used instead to decide whether do mirror the NWAuth database.

g_backtrace_disable - Backtrace Disable

Disable backtrace information for unix systems.

g_crash_normal - Crash without catching exceptions

Crash without catching signals 10,11. In particular this will generate correct core files on FreeBSD systems.

g_debug_block - For catching bugs in block file processsing

For catching bugs in block file processsing.

g_mutex_timeout - Crash without catching exceptions

Default mutex timeout period in seconds (default=600 ie 10minutes). This is a self monitoring feature that if it has not received a mutex for some reason (usually a bug, but could be server overloading) SurgeMail will shut itself down. If g_restart is enabled this would restart surgemail.

g_shutdown_slow - Delay shutdown

Add 20 second delay to shutdown for testing purposes only.

g_slow_welcome - Delay the welcome message

Add 20 second delay to welcome message for testing purposes only.

g_vpipe_fail_crash - Crash if vpipe fails

Crash SurgeMail if vpipe fails. This is for debugging purposes only.

End of global settings file. DO NOT ADD ANYTHING BELOW THIS!!! or autogeneration will get messed up.