Mailing List Access Controls
From MsgServerDocWiki
How do I restrict mailing lists using combinations of mailing list access restrictions?
With an LDAP based mailing list, there are a number of directory attributes which can be used to restrict who can post to an email mailing list based on their envelope from address:
- mgrpDisAllowedBroadcaster - deny senders who match this email address
- mgrpAllowedBroadcaster - allow senders who match this email address
- mgrpDisAllowedDomain - deny senders who match this email domain
- mgrpAllowedDomain - allow senders who match this email domain
Note: These directory attributes are defined in the Directory Schema Reference Guide.
These rules are checked in the order shown above in 6.0 and later releases. Prior to 6.0 the domain checks were done before the address checks, and allowed checks preceded disallowed checks. This ordering was less efficient (a disallowed-address match causes unconditional failure, making subsequent checks superfluous) and also made it impossible for an allowed-address match to override an allowed-domain check. In 6.0 and later, the mgrpBroadcasterPolicy attribute and the or_clauses MTA option control whether or not a successful allowed-domain check can override an unsuccessful allowed-address check.
For example, if you had the following access restrictions on a mailing list:
dn: cn=mygroup, ou=groups, o=domain1.com, o=isp
mail: mygroup@domain1.com
uniqueMember: uid=user002,ou=People, o=domain1.com, o=isp
mgrpAllowedBroadcaster: ldap:///uid=user001,ou=People, o=domain1.com, o=isp
mgrpAllowedDomain: gmail.com
mgrpErrorsTo: /

where the DN uid=user001,ou=People, o=domain1.com, o=isp resolves to a user whose mail: attribute is set to user001@domain1.com.
You will get the following results when testing the access restrictions:
./imsimta test -rewrite -from=user001@domain1.com mygroup@domain1.com
  [list expanded, sender address user001@domain1.com not rejected - correct]
./imsimta test -rewrite -from=blah@gmail.com mygroup@domain1.com
  [blocked, sender address blah@gmail.com rejected as it didn't match the mgrpAllowedBroadcaster - correct]
If you want emails to be allowed when the sender matches mgrpAllowedBroadcaster OR mgrpAllowedDomain, there are two ways to do this.
For site-wide (all mailing lists/groups affected), add the following to your option.dat configuration file:
OR_CLAUSES=1
For per-list (only single mailing list/group affected), add the following directory attribute to your mailing group/list:
mgrpBroadcasterPolicy: or
Using the example list above, when "mgrpBroadcasterPolicy: or" is added to the mailing list definition, the results are as follows:

./imsimta test -rewrite -from=user001@domain1.com mygroup@domain1.com
  [list expanded, matched mgrpAllowedBroadcaster: rule - correct]
./imsimta test -rewrite -from=blah@gmail.com mygroup@domain1.com
  [list expanded, matched mgrpAllowedDomain: rule - correct]
./imsimta test -rewrite -from=user002@domain1.com mygroup@domain1.com
  [blocked, matched neither Allow rule - correct]
./imsimta test -rewrite -from=blah@test.com mygroup@domain1.com
  [blocked, matched neither Allow rule - correct]
If the or_clauses MTA option is set to 1, a mgrpBroadcasterPolicy setting of "and" can be used to force AND semantics on a per-list basis.
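The following is an added example, not Messaging Server code: a small Python model of the 6.0+ check order and the AND/OR policy described above, run against the example list entry, with a constructed one-entry directory standing in for the LDAP lookup of the ldap:/// URL. How an allowed-address match interacts with the domain checks is an assumption chosen to reproduce the imsimta results shown on this page.

```python
# Constructed model of the 6.0+ check order and AND/OR policy, not the MTA's own
# code. DIRECTORY stands in for the LDAP lookup of an ldap:/// URL (DN -> mail).
DIRECTORY = {
    "uid=user001,ou=People,o=domain1.com,o=isp": "user001@domain1.com",
}

GROUP = {  # the example list entry above, restricted to the access attributes
    "mgrpDisAllowedBroadcaster": [],
    "mgrpAllowedBroadcaster": ["ldap:///uid=user001,ou=People, o=domain1.com, o=isp"],
    "mgrpDisAllowedDomain": [],
    "mgrpAllowedDomain": ["gmail.com"],
}

def resolve(value):
    """Attribute value -> lowercase address; ldap:/// URLs resolve via DIRECTORY."""
    if value.startswith("ldap:///"):
        dn = ",".join(p.strip() for p in value[len("ldap:///"):].split(","))
        return DIRECTORY[dn].lower()
    return value.lower()

def may_post(sender, group, policy=None, or_clauses=0):
    """Return (allowed, reason) for an envelope-from address.
    policy is the list's mgrpBroadcasterPolicy (None if absent); or_clauses
    is the site-wide OR_CLAUSES option. Checks run in the 6.0+ order."""
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    use_or = policy == "or" or (or_clauses == 1 and policy != "and")
    if sender in map(resolve, group["mgrpDisAllowedBroadcaster"]):
        return False, "matched mgrpDisAllowedBroadcaster"
    addr_ok = None  # None: the list defines no mgrpAllowedBroadcaster
    if group["mgrpAllowedBroadcaster"]:
        addr_ok = sender in map(resolve, group["mgrpAllowedBroadcaster"])
        if not addr_ok and not use_or:
            return False, "did not match mgrpAllowedBroadcaster"  # AND semantics
    if domain in (d.lower() for d in group["mgrpDisAllowedDomain"]):
        return False, "matched mgrpDisAllowedDomain"
    if addr_ok:
        # Assumption: an allowed-address match satisfies the allow requirement,
        # so a non-matching mgrpAllowedDomain no longer rejects (user001 case).
        return True, "matched mgrpAllowedBroadcaster"
    if group["mgrpAllowedDomain"]:
        if domain in (d.lower() for d in group["mgrpAllowedDomain"]):
            return True, "matched mgrpAllowedDomain"
        return False, "matched neither Allow rule"
    return True, "no allow rule to satisfy"

if __name__ == "__main__":
    for s in ("user001@domain1.com", "blah@gmail.com", "user002@domain1.com"):
        print(s, may_post(s, GROUP), may_post(s, GROUP, policy="or"))
```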