
NOTE: It’s essential that you are running SurgeMail on port 80 and NOT some other web server!

But also check your other SSL settings are enabled:

g_ssl_allow "*"
g_ssl_perfect "true"

(or use tellmail ssl_update_test to check your settings first, too many failures will cause a lockout for a day)

Requirements for Lets Encrypt.

Your server must be accessible on port 80 directly to surgemail (not apache or IIS).
Each domain’s url_host setting must point at your server.
Ensure each domain’s ‘url_host’ setting is the name you want to use to refer to that domain’s server, typically, e.g.
Add aliases you want to also work in each domain with the ssl_alias setting, e.g. for ‘’ you would usually use ‘’, this dns entry must exist!

If you wish to force the use of SSL use the following settings:

# Block imap/pop/smtp logins without SSL enabled for all ip addresses.
g_ssl_require_login "*"
# Redirect users to the https url automatically.
g_url_redirect from=" to=" ports="80"

Exclude some domains

To exclude one or more domains, copy their certificates into the ssl folders.

copy surgemail\ssl\xyz.com\*.pem surgemail\lets\xyz.com

If you have IIS or Apache running on the same mail server, and it’s assigned port 80, then you need to define this setting so surgemail knows where to put the challenge file:

And in IIS create a virtual path ".well-known" and map it to c:\surgemail\wellknown

Then on IIS add a file extension of type "." with mime type text/xml

Open IIS Manager and right click on the website, select "Add Virtual Directory…".
well-known and for the Physical Path field enter the location of the new well-known folder you created.
Press OK to save the input and make the file accessible on the website.

If you are running apache on port 80 then you can do this, correct the path to be whatever you have used for apache’s web path…

G_SSL_LETS_PATH "/var/www/html/.well-known"
mkdir /var/

Using reverse proxy instead with apache (alternative)

If you have SurgeMail on port 7080 (g_webmail_port = "7080"), then put the following in the default virtual server configuration (using the actual server and domain name):

Then "tellmail ssl_update" should work just as if surgemail was on port 80…

Alternatively you may wish to configure SSL certificates manually; if so click here.

g_ssl_allow – IP wildcard of connections to allow to use SSL.
g_ssl_allow_fix – Disable incoming ssl on ssl failure from an ip.
g_ssl_allow_imap – IP wildcard list to allow SSL encryption from for imap.
g_ssl_auto – Generate letsencrypt ssl certificates automatically for all domains.
g_ssl_ciphers_add – More permitted ciphers (added to g_ssl_ciphers).
g_ssl_ciphers_web – List permitted ciphers for web.
g_ssl_disable – Disable protocols tlsv1,tlsv1_1,tlsv1_2,sslv2,sslv3.
g_ssl_disable_des – Disable DES ciphers, breaks outlook on XP.
g_ssl_disable_port25 – Prevent ssl on port 25.
g_ssl_disable_sslv2 – Obsolete, Disable ssl 2.0 support for enhanced security.
g_ssl_disable_sslv3 – Obsolete, Disable ssl 3.0 support for enhanced security.
g_ssl_disable_tlsv1 – Obsolete, Disable tls 1.0, not recommended.
g_ssl_disable_tlsv1_1 – Obsolete, Disable tls 1.1 support, not recommended.
g_ssl_disable_tlsv1_2 – Obsolete, Disable tls 1.2 support, not recommended.
g_ssl_disable_web – Disable protocols for web only.
g_ssl_dmalloc – Enable dmalloc tracking in ssl.
g_ssl_fips – Enable FIPS mode, crash if not available (DO NOT USE).
g_ssl_honor – Honor server cipher order.
g_ssl_lets_exclude – Domains urls to not update, user must copy from ssl to lets folder.
g_ssl_lets_path – Path to webservers /.well-known folder for letsencrypt.
g_ssl_per_domain – Create/use an SSL certificate for each domain.
g_ssl_perfect – Apply good SSL settings, best to remove g_ssl_ciphers setting too.
g_ssl_require – IP wildcard of connections to require to use SSL.
g_ssl_require_imap – IP wildcard of connections to require to use SSL for IMAP.
g_ssl_require_in – Local domains that must only receive SSL messages.
g_ssl_require_login – IP wildcard of connections for users needing to use SSL.
g_ssl_require_out – Other machines we only send to using SSL.
g_ssl_require_web – Require https for most web features (excluding blogs, file sharing and surgeplus).
g_ssl_retry_seconds – Seconds to try and establish ssl connection, default is 5.
g_ssl_sha1_sign – Obsolete, sha256 is now always used.
g_ssl_test_fail – Break ssl to test auto downgrade.
g_ssl_throttle_renegotiation – Slow renegotiation to prevent simple DoS attack.
g_ssl_try_from – Try and start ssl mode if from this user, e.g.
g_ssl_try_out – Try and start ssl mode to these hosts.
g_ssl_warn – Send users weekly reminder if they keep using non SSL logins.
g_ssl_warn_ignore – Don’t give warnings if user is from this trusted host.
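
The SSL settings this page recommends and warns about can be checked mechanically. The audit below is an added example, not SurgeMail's own code: it assumes the configuration is text made of g_name "value" lines with # comments, as in the snippets on this page, and that a switch is on unless its value is empty or "false". The sample config, its values and the function names are constructed for illustration.

```python
import re
# Constructed sample in the g_name "value" form shown on this page; not a real server's config.
SAMPLE = """\
# ssl settings (constructed)
g_ssl_allow "*"
g_ssl_perfect "true"
g_ssl_ciphers "HIGH"
g_ssl_require_login "10.*"
g_ssl_fips "true"
g_ssl_test_fail "true"
g_ssl_disable_sslv3 "true"
"""
OBSOLETE = ("g_ssl_sha1_sign", "g_ssl_disable_sslv2", "g_ssl_disable_sslv3",
            "g_ssl_disable_tlsv1", "g_ssl_disable_tlsv1_1", "g_ssl_disable_tlsv1_2")
LINE = re.compile(r"^\s*(g_\w+)\s+(.*?)\s*$")

def parse(text):
    """Map each setting name to the raw values given for it; '#' lines never match."""
    cfg = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            cfg.setdefault(m.group(1).lower(), []).append(m.group(2))
    return cfg

def audit(text):
    """Return (setting, finding) pairs derived from the setting descriptions on this page."""
    cfg = parse(text)
    vals = lambda k: [v.strip('"') for v in cfg.get(k, [])]
    # Assumption: a switch counts as on unless its value is empty or "false".
    on = lambda k: any(v.lower() not in ("", "false") for v in vals(k))
    out = []
    if "*" not in vals("g_ssl_allow"):
        out.append(("g_ssl_allow", 'not "*": SSL is not allowed from every IP'))
    if "*" not in vals("g_ssl_require_login"):
        out.append(("g_ssl_require_login", 'not "*": non-SSL logins accepted from some IPs'))
    if not any('ports="80"' in v for v in cfg.get("g_url_redirect", [])):
        out.append(("g_url_redirect", "no redirect on port 80 to the https url"))
    if on("g_ssl_perfect") and "g_ssl_ciphers" in cfg:
        out.append(("g_ssl_ciphers", "set alongside g_ssl_perfect; best removed"))
    for k, why in (("g_ssl_fips", "marked DO NOT USE"),
                   ("g_ssl_test_fail", "breaks SSL to test auto downgrade"),
                   ("g_ssl_disable_port25", "prevents SSL on port 25")):
        if on(k):
            out.append((k, why))
    out += [(k, "obsolete setting still present") for k in OBSOLETE if k in cfg]
    return out

print(*("%s: %s" % f for f in audit(SAMPLE)), sep="\n")
```

A restricted g_ssl_allow or g_ssl_require_login may be deliberate on some sites; treat those two findings as prompts to confirm the intent rather than as errors.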