Direct LDAP attribute name MTA options

From Messaging Server Technical Reference Wiki
Jump to: navigation, search


By default, the MTA assumes a particular sort of LDAP schema; that is, the MTA assumes that certain named attributes (with certain sorts of meanings) are available and used in the LDAP directory to store the user and domain information. However, the exact attribute names that the MTA looks for (recognizes) are configurable via the various ldap_*, ldap_attr_domain*, and ldap_domain_attr_* MTA options, listed below. Thus a different (though semantically compatible) schema may be used by setting the ldap_*, ldap_attr_domain*, and ldap_domain_attr_* MTA options to tell the MTA what named attributes to use (recognize).

Note that many of the attributes used (and hence the attribute name which the MTA by default expects to see used) are standardized; see for instance RFC 2798 (Definition of the inetOrgPerson LDAP Object Class). Other attributes are specific to the Sun schema; see the Sun Schema Reference Guide.

Note that prior to MS 6.3-0.15, each LDAP attribute could be used for only one (from the MTA's point of view) purpose. In particular, prior to MS 6.3-0.15, the MTA would not permit setting two of its LDAP attribute name options to the same underlying LDAP attribute. If a site wanted to use the "same" LDAP attribute for multiple purposes in the MTA, that previously would have to be achieved by creating a second LDAP attribute (named differently), and having its value be duplicated in LDAP. New in MS 6.3-0.15, this restriction has been relaxed, so that two MTA purposes (options) can use the same underlying LDAP attribute; for instance, one can now set, say, ldap_optin1 and ldap_optin2 to both point to (use/name) the same underlying LDAP attribute, e.g., mailAntiUBEService.

Note that throughout this discussion and other MTA discussions, for convenience often LDAP attributes will be referred to merely by name. But in general, any such MTA reference to a specific attribute name really ought to be a reference to the attribute named by the corresponding MTA option. For instance, any use by the MTA of the mailConversionTag attribute is really a use of the attribute named by the ldap_conversion_tag MTA option.

However, the general authentication libraries in Messaging Server (sometimes referred to as SASL libraries, or HULA) used for authentication (both by the MTA when performing SMTP AUTH authentication, or by the Message Store when performing login to a user mailbox) do not permit the same degree of "renaming" of attributes. As the authentication infrastructure uses LDAP simple bind for traditional password authentication, if the LDAP directory itself is configured to look at an attribute other than the usual userPassword for LDAP simple bind, that should just work. However, in order to support CRAM-MD5/APOP, then the userPassword attribute must be used and it must contain the clear-text password. The authentication infrastructure also has hard dependence on various user attributes including uid, inetUserStatus, mailUserStatus, and mailAllowedServiceAccess (among others). (Note that the MMP and its proxy servers can be configured to use a different LDAP attribute in place of mailAllowedServiceAccess via their tcpaccessattr option; the IMAP, POP, and MSHTTP servers, however, always use mailAllowedServiceAccess.)

And of particular relevance when configuring and considering MTA operation, another attribute which is not renameable (prior to the 8.0 release) via an MTA option is the mailSMTPSubmitChannel user attribute. (This is because the MTA itself makes no explicit use of this attribute. Instead, authentication library code explicitly fetches the mailSMTPSubmitChannel attribute's value, and then uses that value to tell the MTA what source channel to set.) But as of 8.0, some renaming/specification of the attributes returned with successful authentication is possible; in particular, see the ldap_auth_attr_submit_channel MTA option which specifies the name of the LDAP attribute whose value the authentication library should fetch (in place of the default mailSMTPSubmitChannel attribute's value). Also new in 8.0, the authentication library may be directed to fetch back values of LDAP attributes other than the default mail and mailHost via the ldap_auth_attr_sender and ldap_auth_attr_mail_host MTA options, respectively. See Direct LDAP attributes returned upon authentication MTA options.

The schema sets restrictions (via an ACI) on which attributes even in his or her "own" entry an end user is allowed to modify. Reassigning the MTA's interpretation of LDAP attributes via MTA options does not, itself, affect such LDAP schema restrictions; so when reassigning end-user-modifiable LDAP attributes, be sure to also update your schema ACIs correspondingly.

Technical note: In the table below, the user/group attributes are listed in roughly the order in which they are processed by the MTA (though there have been some changes in various versions, and there are some subtleties not captured in the order shown). While this order does not matter for most purposes, on occasion it can be helpful to consider this order as an aid to understanding certain interactions and precedence between attributes.

MTA LDAP attribute name options
Option Default attribute name(s) Valid Meaning and notes
Per-user/group attributes
ldap_objectclass objectClass UGD  
ldap_user_status inetUserStatus U Prior to Messaging Server 7.0, the supported values were a strict subset of the supported mailUserStatus values, and in particular the only supported values were active, inactive, or deleted. As of Messaging Server 7.0, for the convenience of sites that may wish to "switch" the use (in effect switch the priority order in which checking occurs) of inetUserStatus and mailUserStatus, the full set of values supported for mailUserStatus are also supported for inetUserStatus. This is not intended to encourage general, direct use of such additional values for inetUserStatus, but rather, as mentioned, is intended so that the priority (order of checking) of these two status settings for users can be reordered by setting them "switched":

ldap_user_status=mailUserStatus
ldap_user_mail_status=inetUserStatus

ldap_user_mail_status mailUserStatus U Valid values are active, inactive, disabled, deleted, overquota, hold, removed (new in MS 6.0), defer (new in MS 6.3), defer-submit (new in MS 6.3), deliver (new in 7.3-11.01), and deliver-disabled (new in 8.0.1.3/8.0.2.1). A status of removed is equivalent to deleted from the MTA's point of view; it exists as a distinct status for the benefit of the commcli user purging operation. The statuses defer and defer-submit tell the MTA to accept all messages to the user but defer them to the reprocess channel for later delivery (re)attempts; or in the case of defer-submit accept and defer to the reprocess channel those messages coming in a submit channel while giving inactive behavior, hence normally temporary errors, for attempted submissions on any other channels. A status of deliver is treated by the MTA as active active for purposes of message delivery but which other components will treat as inactive (giving the effect that messages can be delivered, but the user can not login); any other value is treated as inactive. Finally, a status of deliver-disabled is treated by the MTA as disabled by as active by other components.
ldap_group_status   G Prior to Messaging Server 7.0, the supported values were a strict subset of the values supported for inetMailGroupStatus; in particular, the supported values were active, inactive, and deleted. New in Messaging Server 7.0, all the values supported for inetMailGroupStatus are supported for this attribute as well, for the convenience of sites that wish to "switch" the priority (order) in which they are checked by "switching" which attributes the MTA options ldap_group_status and ldap_group_mail_status point to.
ldap_group_mail_status inetMailGroupStatus G Supported values are active, deleted, removed, disabled, hold, inactive, ew in Messaging Server 7.0 defer anddefer-submit, and new in MS 8.0.1.3/8.0.2.1 deliver-disabled.
ldap_permid uid UG As of Messaging Server 8.0.2, the attribute specified by the ldap_permid option is used for construction of user and group identifiers rather than the attribute specified by the ldap_uid option, assuming they differ. The MTA checks that there is only one such attribute and value and that the value is no more than 128 octets long.
ldap_uid uid UG As of MS 6.2, the MTA checks that there is only one such attribute; as of MS 6.3, the MTA also checks that there is only one value set for the one attribute. As of 7.0, the MTA checks that the UID value is no more than 128 octets; a longer value will result in the user entry being considered invalid. (This check is performed because various lower layer libraries have hard buffer limits that preclude longer UIDs.)
ldap_mlsrange   UG (New in Messaging Server 7.0?) RESTRICTED
ldap_capture   UG Specify an attribute used to trigger automatic capturing of user e-mail messages. The value of the attribute should be the address to which the "captured" messages should be sent. Typically, this attribute is set up so that it is not even visible, let alone modifiable, by the users themselves. When a user has this attribute specified on their entry, both messages sent to them, as well as from them, will also have a "capture" copy (an encapsulated copy with an entirely new message envelope) sent to the specified address. New in 7.0.5, the capture_format_default MTA option controls whether message copies generated due to use of the LDAP attribute named by ldap_capture default to being in DSN encapsulated format, or to being in envelope "journal" format. Also new in 7.4-18.01, values of the LDAP attribute may be tagged to explicitly specify the format on a per-target-address basis: the tag ;format-report selects the usual DSN encapsulated format, whereas the tag ;format-journal selects the envelope "journal" format.
ldap_recipientlimit   UG Specify an attribute used to store a sending-user-specific maximum number of envelope recipients (additional recipients are rejected), analogous to the recipientlimit channel option. New behavior in MS 6.3 is that a per-user setting such as this will override more general settings, rather than (as previously) the minimum of all applicable limits being applied; thus new in MS 6.3, a particular user can be allowed to send large messages as an exception to more general, smaller limits, by setting a large value for this attribute while general small limits remain in effect.
ldap_recipientcutoff   UG Specify an attribute used to store a sending-user-specific maximum number of envelope recipients (messages with more recipients are rejected entirely), analogous to the recipientcutoff channel keyword. New behavior in MS 6.3 is that a per-user setting such as this will override more general settings, rather than (as previously) the minimum of all applicable limits being applied; thus new in MS 63, a particular user can be allowed to send messages to a large number of recipients as an exception to more general, smaller limits, by setting a large value for this attribute while general small limits remain in effect.
ldap_sourceblocklimit   UG Specify an attribute used to store a sending-user-specific maximum message size, analogous to the sourceblocklimit channel option. New behavior in MS 6.3 is that a per-user setting such as this will override more general settings, rather than (as previously) the minimum of all applicable limits being applied; thus new in MS 6.3, a particular user can be allowed to send large messages as an exception to more general, smaller limits, by setting a large value for this attribute while general small limits remain in effect.
ldap_source_channel   UG (New in 6.3) Specify a source channel to which to "switch" (if userswitchchannel is set on the current source channel)
ldap_source_optinN   UG (New in 6.3) Sending user analogue of ldap_optinN option
ldap_preferred_language preferredLanguage+ UG The MTA's typical NOTIFICATION_LANGUAGE mapping table and DISPOSITION_LANGUAGE mapping table checks the value of this attribute when deciding in what language to send back notification messages. Also, as of MS 6.3, the MTA has the ability to chose between multiple LDAP attribute values with different language tags and determine the correct value to use. The language tags in effect are compared against the preferred language information associated with the envelope From address. In MS 6.3, the only attributes receiving this treatment are ldap_autoreply_subject (normally mailAutoReplySubject), ldap_autoreply_text (normally mailAutoReplyText), ldap_autoreply_text_internal (normally mailAutoReplyTextInternal), ldap_spare_4 and ldap_spare_5. As of Messaging Server 7.0-3.01, the attribute named by (new in that version) ldap_spare_6 also received such treatment; as of Messaging Server 7.2-7.01, any of the ldap_spare_N named attributes may optionally, depending upon the setting of the corresponding spare_N_separator MTA option, receive preferredLanguage treatment; and as of Messaging Server 7.3-11.01, the attribute named by ldap_add_tag also receives preferredLanguage treatment.
ldap_preferred_country   UG (New in MS 6.3-0.15)
ldap_nosolicit   UG New in 6.2. Specifies solicitation strings used by the SMTP NO-SOLICITING extension that this user doesn't want to receive.
ldap_routing_address mailRoutingAddress UG Used to specify an address to which to route, overriding (as of MS 6.0) the usual mailHost check and mailDeliveryOption interpretation.
ldap_delivery_option mailDeliveryOption+ UG See the MTA option delivery_options for a discussion of the interpretation of possible values for this attribute.
ldap_personal_name   UG Specify an attribute used to store a user's personal name. If this option is set, then the value of the specified attribute (if present in a user entry) will be inserted by the MTA as a personal name wherever the user's address appears in message headers (overriding any originally present personal name for the user that might have been present), including when generating vacation messages on behalf of the user. Note that (as of 6.2p3 for normal messages, or as of 6.2p6 for generated messages such as vacation messages) the MTA will quote the value obtained from LDAP, if required according to the quoting rules for personal names (technically "phrases") given in RFC 5322.
ldap_source_conversion_tag   UG New in MS 6.2. Specify an attribute whose value will be applied as a conversion tag for messages coming from this user.
ldap_sender_sieve   UG (New in MS 8.0.1)
ldap_primary_address mail UG  
ldap_alias_addresses varies with the schema tag; mailAlternateAddress for ims50 or nms41; rfc822mailalias for sims40 UG Attributes whose values (addresses) are accepted as equivalent to (aliases for) the canonical mail address on incoming messages; see also the ldap_mail_reverses MTA option which controls just which attributes (addresses) are normally converted to the canonical mail address during reverse_url application via the $Q substitution sequence.
ldap_equivalence_addresses mailEquivalentAddress UG Addresses accepted as equivalent to the canonical mail address for incoming messages; such equivalent addresses are also allowed to appear on outgoing messages (are not converted during reverse_url application). Multiple, comma-separated attribute names are permitted. Note that when setting this option to a non-default value, it is also usually appropriate/necessary to modify the ldap_mail_aliases MTA option correspondingly (to include the attribute(s) named by ldap_equivalence_addresses).
ldap_optin   UG An alias for ldap_optin1. The presence in a user entry of the attribute named by this option normally (but see the spamfilterN_null_optin MTA options) causes messages addressed to this user to be "opted-in" for virus/spam filter package processing (by virus/spam filter package 1), with the opt-in value specified by the value of the attribute. The Sun Schema Reference Manual recommends using the mailAntiUBEService attribute.
ldap_optinN   UG (New in MS 6.2.) The presence in a user entry of the attribute named by this option normally (but see the spamfilterN_null_optin MTA option) causes messages addressed to this user to be "opted-in" for virus/spam filter package processing (by virus/spam filter package # N), with the opt-in value specified by the value of the attribute. The value of N can range from 1 to 8. Note that the Sun Schema Reference Manual recommends using the mailAntiUBEService attribute for optin use.
ldap_optoutN   UG (New in MS 8.0.1.3.) The presence in a user entry of the attribute named by this option normally (but see the spamfilterN_null_optin MTA option) causes messages addressed to this user to be "opted-out" of virus/spam filter package processing (by virus/spam filter package # N). The value of N can range from 1 to 8.
ldap_presence   UG RESTRICTED: Not yet used.
ldap_autosecretary   UG RESTRICTED: Not yet used.
ldap_alternate_recipient   UG (New in MS 8.0.1) Specify an attribute whose value contains alternate recipient address(es) to whom to send the message if it cannot be delivered to this primary recipient.
ldap_start_date vacationStartDate+ UG The value for this attribute should have the format YYYYMMDDHHMMSSZ, which note is in the GMT timezone. The value for this attribute should have the format YYYYMMDDHHMMSSZ, which note is in the GMT timezone. An autoreply will only be generated if the current time is after the time specified by this attribute and inclusive limit processing is in effect, or before the specified limit if exclusive time limit processing is in effect. No start date limit is enforced if this attribute is missing.
ldap_end_date vacationEndDate+ UG The value for this attribute should have the format YYYYMMDDHHMMSSZ, which note is in the GMT timezone. An autoreply will only be generated if the current time is before the time specified by this attribute and inclusive limit processing is in effect, or after the specified limit if exclusive time limit processing is in effect. No end date limit is enforced if this attribute is missing.
ldap_conversion_tag mailConversionTag UG  
ldap_detourhost_optin   UG Opt-in to "detour" routing, as specified by the aliasoptindetourhost source channel option
ldap_blocklimit mailMsgMaxBlocks UG The maximum size, in MTA blocks (see the block_size MTA option), of message that may be sent to a user. New in MS 6.3, this attribute will also (for messages that have no return-of-content policy flag already) cause messages sent from this user that are larger than the specified size to automatically get the non-return-of-content NOTARY flag set, to make it more likely that the user will be able to receive any bounce notifications about such message.
ldap_mailhost mailHost UG Normally, only the host specified by this attribute may interpret (act on) a user's delivery options; however, in the case where all such delivery options are "host-independent", as on an MTA that delivers via LMTP to "back end" message store systems, or when a user entry only contains some particular delivery options that happen to be host-independent, then processing can continue even on other hosts. This attribute is optional for groups and mailing lists. If present for a group or mailing list, it specifies that that host and only that host can expand the group or list; if absent, any host can expand the group or list.

For a user for whom a mailHost is required (such as a user with mailbox delivery option set, when mailbox delivery is host-dependent per delivery_options, with no domain level ldap_domain_attr_default_mailhost attribute value set), absence of a mailHost attribute will cause a temporary alias expansion error: 4.0.0 temporary error returned by alias expansion: address

(or whatever text is configured via the error_text_alias_temp MTA option), the same sort of error that would occur if an LDAP problem had occurred during the lookup of the user entry (after an LDAP lookup of the domain had already succeeded).

ldap_disk_quota mailQuota U Subsequent to the initial release of MS 6.2, support was added for mailQuota values specified in units other than bytes; that is, suffix characters K (kilobytes), M (megabytes), and G (gigabytes) are supported
ldap_message_quota mailMsgQuota U  
ldap_program_info mailProgramDeliveryInfo+ UG  
ldap_delivery_file mailDeliveryFileURL, mailDeliveryFile UG  
ldap_spare_1   UGD Specify an attribute that may be then be accessed in LDAP URL lookups via a $E1 substitution.
ldap_spare_2   UGD Specify an attribute that may be then be accessed in LDAP URL lookups via a $E2 substitution.
ldap_spare_3   UGD Specify an attribute that may be then be accessed in LDAP URL lookups via a $E3 substitution.
ldap_spare_4   UGD Specify an attribute that may be then be accessed in LDAP URL lookups via a $E4 substitution as well as in Sieve extlists callouts. Note that new in MS 6.3, the MTA supports the use of multiple, language-tagged values, for this attribute. When multiple, language-tagged values are present, the MTA will preferentially use the value tagged as being in the language preference expressed in a header line such as Accept-Language:, or in the absence of such header lines will use the preference noted in the envelope From user's ldap_preferred_language (normally preferredLanguage) attribute's value.
ldap_spare_5   UGD Specify an attribute that may be then be accessed in LDAP URL lookups via a $E5 substitution, as well as in Sieve extlists callouts. As of MS 6.3, the MTA supports the use of multiple, language-tagged values, for this attribute. When multiple, language-tagged values are present, the MTA will preferentially use the value tagged as being in the language preference expressed in a header line such as Accept-Language:, or in the absence of such header lines will use the value tagged as being in the language of the envelope From user's ldap_preferred_language (normally preferredLanguage) attribute's value.
ldap_spare_6   UGD (New in 7.0-3.01) Specify an attribute that may be then be accessed in LDAP URL lookups via a $E6 substitution, as well as in Sieve extlists callouts. The MTA supports the use of multiple, language-tagged values, for this attribute. When multiple, language-tagged values are present, the MTA will preferentially use the value tagged as being in the language preference expressed in a header line such as Accept-Language:, or in the absence of such header lines the MTA's next choice will be the value tagged as being in the language of the envelope From user's ldap_preferred_language (normally preferredLanguage) attribute's value.
ldap_autoreply_mode mailAutoReplyMode+ UG+++ Supported values for this attribute are echo and reply. These modes will appear in a Sieve script as nonstandard :echo and :reply arguments to the vacation action. echo will produce a "processed" message disposition notification (MDN) that contains the original message as returned content. reply will produce a pure reply containing only the reply text. An illegal value won't manifest as any argument to the vacation action and this will produce an MDN containing only the headers of the original message.
ldap_autoreply_subject mailAutoReplySubject+ UG+++
      This attribute is used to specify the contents of the subject field to        use in the vacation (autoreply) response. The value in the attribute        must be a UTF-8 string. This value gets passed as the       :subject argument to the       vacation action. As of MS 6.2p2, the special strings       $SUBJECT and       $FROM are supported for use in this attribute's value,       causing substitution of the original message's Subject: field value or       From: field value, respectively, into the generated string. New in MS 8.0.2.2,       substitutions from the vacationStartDate and vacationEndDate are also also       available. These substitutions take the form $<attribute><part>       where $<attribute> is "B" for the start (beginning) date       or "E" for the end date, and <part> is one of the date       parts defined in RFC 5260 section 4.2. 
     Note that       new in MS 6.3, the MTA supports the use of multiple, language-tagged       values, for this attribute. When multiple, language-tagged values are       present, the MTA will preferentially use the value tagged as being in       the language preference expressed in a header line such as       Accept-Language:, or in the absence of such header lines the MTA's next       choice will be the value tagged as being in the language of the       envelope From user's       ldap_preferred_language       (normally       preferredLanguage) attribute's value. 
ldap_autoreply_text mailAutoReplyText+ UG+++

This attribute is used to store the vacation (autoreply) text (the "reason" string) returned to all senders except users in the recipient's domain. If the recipient's LDAP entry does not have a value specified for this attribute, then external users receive no vacation message. As of MS 6.2p2, the special strings $SUBJECT and $FROM are supported for use in this attribute's value, causing substitution of the original message's Subject: field value or From: field value, respectively, into the generated string. New in MS 8.0.2.2, substitutions from the vacationStartDate and vacationEndDate are also also available. These substitutions take the form $<attribute><part> where $<attribute> is "B" for the start (beginning) date or "E" for the end date, and <part> is one of the date parts defined in RFC 5260 section 4.2.

Note that new in MS 6.3, the MTA supports the use of multiple, language-tagged values, for this attribute;. When multiple, language-tagged values are present, the MTA will preferentially use the value tagged as being in the language preference expressed in a header line such as Accept-Language:, or in the absence of such header lines the MTA's next choice will be the value tagged as being in the language of the envelope From user's ldap_preferred_language (normally preferredLanguage) attribute's value.

ldap_autoreply_text_internal mailAutoReplyTextInternal+ UG+++

This attribute is used to store the vacation (autoreply) text (the "reason" string) returned to all senders in the recipient's own domain. If the recipient's LDAP entry does not have a value specified for this attribute, then internal users receive the external vacation text, stored in the ldap_autoreply_text MTA option. As of MS 6.2p2, the special strings $SUBJECT and $FROM are supported for use in this attribute's value, causing substitution of the original message's Subject: field value or From: field value, respectively, into the generated string. New in MS 8.0.2.2, substitutions from the vacationStartDate and vacationEndDate are also also available. These substitutions take the form $<attribute><part> where $<attribute> is "B" for the start (beginning) date or "E" for the end date, and <part> is one of the date parts defined in RFC 5260 section 4.2.

Note that new in MS 6.3, the MTA supports the use of multiple, language-tagged values, for this attribute. When multiple, language-tagged values are present, the MTA will preferentially use the value tagged as being in the language preference expressed in a header line such as Accept-Language:, or in the absence of such header lines the MTA's next choice will be the value tagged as being in the language of the envelope From user's ldap_preferred_language (normally preferredLanguage) attribute's value.

ldap_autoreply_addresses   UG+++ (New in 6.2p5.) This attribute takes multiple values specifying additional addresses to recognize as "one's own" for purposes of whether to generate a vacation message. That is, it is an analogue of the :addresses argument for the Sieve vacation action.
ldap_autoreply_timeout mailAutoReplyTimeOut+ UG+++ This attribute stores the duration, in hours, for successive vacation (autoreply) responses to any given mail sender. Used only when mailAutoReplyMode=reply. If the attribute's value is 0, then a response is sent back every time a message is received. This value will be converted to the nonstandard :hours argument to the vacation action. If this attribute doesn't appear on a user entry, then a default timeout will be obtained from the user's domain (from the attribute named by the ldap_domain_attr_autoreply_timeout MTA option) if the domain has its own timeout, or otherwise from the autoreply_timeout_default MTA option.
ldap_filter mailSieveRuleSource+ UG This attribute stores a per-user Sieve filter.
ldap_parental_controls   UG (New in 6.2.) Specifies the name of a user or group LDAP attribute whose value can request "head of household" (a.k.a "parental controls") Sieve filtering be applied to this user's (or group's) messages. Any of the values Yes, 1, or true is considered to be requesting parental controls.
ldap_filter_reference   UG (New in 6.2.) If parental controls are enabled for a user (see the ldap_parental_controls MTA option), then the attribute named by this ldap_filter_reference MTA option specifies the DN of the entry that contains the actual head of household filter (typically, that is, the DN of the head of household user). (The attribute within that user entry containing the filter is specified by the ldap_hoh_filter MTA option, which defaults to mailSieveRuleSource. The lookup requests both the filter, contained in the attribute named by the ldap_hoh_filter MTA option, and the owner, contained in the attribute named by the ldap_hoh_owner MTA option, which defaults to mail.)
ldap_forwarding_address mailForwardingAddress+ UG Address(es) used in the expansion of named delivery options with the special value "*" (normally the name "forward" is associated with this value).
ldap_list_id mgrpUniqueId G (New in 7.3-11.01) Single valued attribute specifing a unique identifier for the group. This identifier is used to implement MAILSERV group membership; it provides the identifier on one side of the linkage between groups and entries in the mluser tree. If this attribute is present, and and the ldap_mluser_basedn MTA option is set, various virtual attributes are to the group automatically; the specifics vary depending on list policy settings.
ldap_reprocess mailDeferProcessing UG This attribute allows per-group or per-list override of the defer_group_processing MTA option. Valid values are "Yes", "No", or (new in MS 6.3p1) "AFTER_AUTH". "AFTER_AUTH" causes LDAP attribute based access checks, such as mgrpAllowedBroadcaster, etc., to get performed "in-line", while deferring membership expansion (as well as a second check of the LDAP attribute access checks) to the reprocess channel. New in Messaging Server 7.0u3, a channel name (e.g., "process_special" or some similar, special, reprocess_* or process_* channel variant value) may be specified, and in this case the group or list expansion will be deferred to the specified channel.
ldap_jettison_domain mgrpJettisonDomain G (New in 7.3-11.01) Messages from these domains are silently discarded. Glob-style wildcards may be used. Multiple attributes and multiple values are allowed.
ldap_jettison_url mgrpJettisonBroadcasters G (New in 7.3-11.01) URL identifying mail addresses whose messages should be jettisoned if sent to this group. Multiple attributes and multiple values are allowed; mailto: URLs are acceptable. Each URL is expanded into a list of addresses and each address is checked against the current envelope from address. A match marks the message to be jettisoned and bypasses all other group checks and expansion. Substitution processing will be performed on this URL if bit 6 (value 64) of the process_substitutions MTA option is set.
ldap_reject_action mgrpMsgRejectAction G (New in 6.0) Single valued attribute that controls what happens if any of the subsequent access checks fail. Only one value is defined: "TOMODERATOR", which if set instructs the MTA to redirect any access failures to the moderator specified by the mgrpModerator attribute. The default (and any other value of this attribute) causes an error to be reported and the message rejected.
ldap_reject_text mgrpRejectText, mgrpMsgRejectText G The name of the attribute used to store a value specifying the error text to use when an attempted posting to the group/list encounters an access failure. Because the error text may appear in SMTP responses, it must conform to SMTP response limitations. In particular, it may consist merely of a single line of text limited to the US-ASCII charset. (If the value contains eight bit characters, the entire value will be ignored. If the value contains more than a single line of text, only the first line of text will be used.)
ldap_auth_policy mgrpBroadcasterPolicy G Specifies level of authentication needed to send to the group. Possible tokens are "SMTP_AUTH_REQUIRED" or "AUTH_REQ", both of which mean that the SMTP AUTH command must be used to identify the sender in order to send to the group and any address produced by authentication will be used in subsequent authentication checks, "SMTP_AUTH_USED" or "AUTH_USED", both of which force the use of any authenticated address in authorization checks but does not actually require authentication, "PASSWORD_REQUIRED", "PASSWD_REQUIRED", or "PASSWD_REQ", all of which mean the password to the list specified by the mgrpAuthPassword attribute (see below) must appear in an Approved: header field in the message, "OR", which changes the or_clauses MTA option setting to 1 for this list, "AND", which changes the or_clauses MTA option setting to 0 for this list, and "NO_REQUIREMENTS", which is basically a no-op. "OR" and "AND" are new in 6.1. This attribute is limited to a single value prior to 6.1; in 6.1 multiple values are allowed and each value can consist of a comma-separated list of tokens.

If SMTP AUTH is called for it also implies that any subsequent authorization checks will be done against the email address provided by the SASL layer rather than the MAIL FROM address.

New in 7.3-11.01 are five new tokens for this attribute which specify list behavior for mailserv-maintained lists. The tokens are: "LIST_OPEN", "LIST_MEMBERS", "LIST_MODERATE_NONMEMBERS", "LIST_MODERATE_MEMBERS", and "LIST_MODERATE".

Also new in 7.3-11.01, multiple attributes can now be mapping to this attribute slot.

ldap_cant_url mgrpDisallowedBroadcaster G URLs identifying mail addresses not allowed to send mail to this group. Can be multivalued. Each URL is expanded into a list of addresses and each address is checked against the current envelope from address. A match means access checking has failed and all subsequent checks are bypassed. The expansion that is performed is similar to an SMTP EXPN with all access control checks disabled. Substitution processing will be performed on this URL if bit 0 (value 1) of the process_substitutions MTA option is set in 6.3 or later.
ldap_auth_url mgrpAllowedBroadcaster G URL identifying mail addresses allowed to send mail to this group. Can be multivalued. Each URL is expanded into a list of addresses and each address is checked against the current envelope from address. A match failure with the or_clauses MTA option set to 0 (the default) means access checking has failed and all subsequent tests are bypassed. A match failure with the or_clauses MTA option set to 1 sets a "failure pending" flag; some other allowed access check must succeed in order for access checking to succeed. As of MS 6.0 a match also disables subsequent domain access checks. The expansion that is performed is similar to an SMTP EXPN with all access control checks disabled. Substitution processing will be performed on this URL If bit 1 (value 2) of the process_substitutions MTA option is set in MS 6.3 or later.

New in MS 6.3, this now checks for address aliases ( e.g., mailAlternateAddress and mailEquivalentAddress) as well as for the canonical address (normally the mail attribute value).

ldap_cant_domain mgrpDisallowedDomain G Domains not allowed to submit messages to this group. A match means access checking has failed and all subsequent checks are bypassed. In MS 6.0 this check is bypassed if the submitter has already matched an ldap_auth_url. Can be multivalued and as of MS 6.2 glob-style wildcards are allowed.
ldap_auth_domain mgrpAllowedDomain G Domains allowed to submit messages to this group. A match failure with the or_clauses MTA option set to 0 (the default) means access checking has failed and all subsequent tests are bypassed. A match failure with the or_clauses MTA option set to 1 sets a "failure pending" flag; some other access check must succeed in order for access checking to succeed. In MS 6.0 this check is bypassed if the submitter has already matched an ldap_auth_url.
As of MS 6.2, the value of the attribute supports use of the asterisk character, *, as a wildcard. For instance, *.domain.com means to allow all subdomains of domain.com, though not domain.com itself; to allow domain.com and all its subdomains, use two values for the attribute, domain.com and *.domain.com.
ldap_maximum_message_size mgrpMsgMaxSize G Maximum message size in bytes that can be sent to the group. This attribute is obsolete but still supported for backwards compatibility; the new mailMsgMaxBlocks attribute should be used instead.
ldap_auth_password mgrpAuthPassword G Specifies a password needed to post to the group.

In iMS 5.2 the value of this attribute was saved if the mgrpbroadcasterpolicy attribute was set to require a password (see above) and checked against the Approved: field once the header is available. The Approved: field was removed from the header once the checkis complete. But this did not allow for routing to the moderator in the event of a password check failure.

In the M 6.0 release and later the presence of a mgrpauthpassword attribute forces a reprocessing pass. As the message is enqueued to the reprocessing channel the password is taken from the header and placed in the envelope. Then while reprocessing the password is taken from the envelope and checked against this attribute. Additionally, only passwords that actually are used are removed from the header field.

The or_clauses MTA option acts on this attribute in the same way it acts on the other access check attributes.

ldap_moderator_url mgrpModerator G The list of URLs given by this attribute to be expanded into a series of addresses. The interpretation of this address list depends on the setting of the group's mgrpMsgRejectAction LDAP attribute (more precisely, the LDAP attribute named by the ldap_reject_action MTA option). If mgrpMsgRejectActionis set to "TOMODERATOR", then this attribute specifies the moderator address(es) the message is to be sent to should any of the access checks fail. If mgrpMsgRejectAction is missing or has any other value the address list is compared with the envelope From address. Processing continues if there is a match. If there isn't a match, the message is again sent to all of the addresses specified by this attribute. Expansion of this attribute is implemented by making the value of this attribute the list of URLs for the group. Any list of RFC 822 addresses or DNs associated with the group is cleared, and the delivery options for the group are set to "members". Finally, subsequent group attributes listed in this table are ignored. Substitution processing will be performed on this URL If bit 2 (value 4) of the process_substitutions MTA option is set in 6.3 or later.
ldap_group_last_access_time   G (New in 8.0) Specify the name of an LDAP attribute used to keep track of the last access time for email groups defined in LDAP. If this attribute is present in a group's LDAP entry, then the MTA will update the attribute each time the group is successfully accessed for purposes of sending mail or expanding a mailing list. RFC 3339 format (a profile of ISO 8601 format) is used, e.g., "2013-09-29T17:38:52Z".

In order to prevent excessive LDAP writes, the attribute is read prior to writing and a write is only done if the current time exceeds the stored time by at least 30 minutes. (A write is also done if the attribute does not contain a valid RFC 3339 time, making it possible to set the initial value to something like "<never accessed>".)

ldap_group_url1 mgrpDeliverTo G List of URLs which, when expanded, provides a list of mailing list member addresses. Substitution processing will be performed on this URL If bit 3 (value 8) of the process_substitutions MTA option is set in 6.3 or later. See also the ldap_url_result_mapping MTA option; with it, a mapping table can be used to manipulate the value(s) of the ldap_group_url1 attribute.
ldap_group_url2 memberURL G Another list of URLs which, when expanded, provides another list of mailing list member addresses. Substitution processing will be performed on this URL If bit 4 (value 16) of the process_substitutions MTA option is set in 6.3 or later. See also the ldap_url_result_mapping MTA option; with it, a mapping table can be used to manipulate the value(s) of the ldap_group_url2 attribute.
ldap_group_dn uniqueMember G List DNs or other identifiers for group members. Normally DNs are specified but other sorts of identifiers may be used depending on the URL template that is chosen. DNs may specify an entire subtree. These values are expanded by embedding them in an LDAP URL. The exact template to use is specified by the group_dn_template MTA option. The default value for this option is "ldap:///$A?mail?sub?(mail=*)"; $A specifies the point where the uniqueMember DN is inserted.

As of 7.0.5, if a GROUP_TEMPLATES mapping table exists, it is used as a source for the template. The mapping probe is of the form "attribute-name|attribute-value". If the mapping sets $Y, then the mapping result is used as the template instead of the group_dn_template MTA option value.

Multiple values are supported but only one attribute of this type is allowed on any given group.

As of 7.0.5 any mapping specified by the attribute named by the ldap_url_result_mapping MTA option will also be applied to the results produced by these attributes.

ldap_group_dn2   G (New in 7.0.5.) Like ldap_group_dn, a list of DNs or other identifiers for group members. This second slot with the same semantics was added so that a single group can be defined using multiple attribute values with different sematics.
ldap_group_rfc822 mgrpRFC822MailMember, rfc822MailMember G Mail addresses of members of this list. Multiple values are allowed. rfc822MailMember is also supported for backwards compatibility with NMS, but only one of these attributes can be used in any given group.  
ldap_url_result_mapping   G (New in MS 6.3.) The name of the attribute used to store the name of a mapping table to be applied to the values returned from the LDAP attributes named by the ldap_group_url1, ldap_group_url2, and as of 7.0.5, the ldap_group_dn and ldap_group_dn2 MTA options. That is, ldap_url_result_mapping specifies the name of an LDAP attribute whose value is the name of a mapping to apply to the results of expanding these attribute values. The mapping probe will be of the form:
LDAP-URL|LDAP-result

where LDAP-URL is the (literal string) value of the expansion attribute, and LDAP-result is the value returned from LDAP for that LDAP-URL query. If the mapping returns with $Y set, then the mapping result string will replace the LDAP result for alias processing purposes. If the mapping returns with $N set, then the result will be skipped.

This mechanism can be used to define groups based on attributes that don't contain proper email address.

ldap_errors_to mgrpErrorsTo G Used to set an envelope From address which will override the original message's envelope From address; that is, this address is a mailing list. Setting a value for this attribute implies mailing list, rather than group, semantics: in particular, this has implications for notification messages regarding the list definition (e.g., syntactic errors in list member addresses, or syntactic errors in a list-specific Sieve filter) or regarding delivery of messages to list members, and for the handling of delivery receipt requests. Typically, the value will be some normal address. But two (three, as of 7.0-0.04) special syntaxes are also supported.

Setting the value to an address of the form user+*@domain has a special meaning. The asterisk character will be expanded into a representation of the recipient address; thus a separate copy of the list message is generated for each recipient, with each copy including the intended recipient address as a subaddress within the return address. If delivery errors subsequently occur, the subaddress will indicate which was the failing address. In some cases, when dealing with remote MTAs that generate nonstandard, uninformative delivery error messages, this can in theory be useful as a way of determining which recipient address(es) failed, even when the bounce message's inner content is relatively uninformative. And it may make processing of such bounce messages by an automated program more convenient. However, the tradeoff is that such per-user-specific return address values require that a separate message copy be generated and sent for each recipient; for a "large" list, with many recipients in the same destination domains, this can be a large increase in overhead (a large decrease in efficiency). And with more prevalent use nowadays of standard format notification messages, the "need" for this sort of approach, with its extra (potentially large) overhead, is much less (since the intended recipient information can instead be extracted from the standard field in the contents of a standard format notification message).

(New in MS 6.3, but not working until fix for 12194452 [Sun 6530591].) Setting the value to the forward slash character, /, has a special meaning. It tells the MTA to revert to using the original envelope From: address that had been present on the incoming message, yet in all other respects use mailing list semantics. This can be useful for setting up mailing lists that report all forms of list errors to the original sender.

New in MS 6.3, the process_substitutions MTA option can enable use of the $S (recipient's subaddress) substitution in the value. This would tend to be of interest when defining a "meta-list".

ldap_delay_notifications mgrpDelayNotifications G (New in 7.0u3.) Should NOTIFY=DELAY be set on list messages? Supported values are yes and no, with the obvious meanings.
ldap_add_header mgrpAddHeader G Specify header fields to add to messages posted to the list. Such header fields might include, for instance, the List-*: header fields suggested in RFC 2369 (URLs for Mail List Commands through Message Headers).
ldap_remove_header mgrpRemoveHeader G Specify header fields to remove from messages posted to the list. Only the field name should be specified.
ldap_add_tag No default; mgrpListTag recommended G Prefix text to insert on the Subject: header line of messages to this recipient/list, analogous to the alias_tag alias option, the [TAG] named mailing list parameter, or the effect of the Sieve addtag action. As of MS 6.3, the vertical bar, |, character should not be used in the tag text; in previous versions, the space character should not have been used in tag text, as such use would interfere with the MTA's internal mechanisms for checking whether a tag was already present.
ldap_prefix_text mgrpMsgPrefixText G Insert prefix text into messages as they undergo group expansion. Prior to Messaging Server 7.0 update 3, text could only be inserted into initial, TEXT/PLAIN parts; new in Messaging Server 7.0 update 3, text can be inserted into the first text part within a nested multipart (excluding multipart/alternative). The attribute values are given in UTF-8; this is then converted to match the charset of the part that the text is inserted into.
ldap_suffix_text mgrpMsgSuffixText G Insert suffix text into messages as they undergo group expansion. Prior to Messaging Server 7.0 update 3, text could only be inserted into initial, TEXT/PLAIN parts; new in Messaging Server 7.0 update 3, text can be inserted into the first text part within a nested multipart (excluding multipart/alternative). The attribute values are given in UTF-8; this is then converted to match the charset of the part that the text is inserted into.
ldap_expandable mgmanMemberVisibility, expandable UG Specify the attribute(s) used to define who (in addition to the group or list owner) may view the membership of a group or list; in MTA terms, who will get the group or list expanded in response to the SMTP EXPN command. Supported values for such an attribute or attributes are anyone, all or synonymously true (which means that only authenticated users -- hence users who have an account and provide their password---will be able to expand the group or list), and none; unrecognized values are interpreted as none. Note that group or list access controls ( e.g., use of attributes such as mgrpAllowedBroadcaster, etc., or an mgrpBroadcasterPolicy setting of "SMTP_AUTH_REQUIRED"), also impose restrictions on who is allowed to view list membership. All applicable conditions must be met in order for group or list membership to be viewed (expanded).
MAILSERV attributes (new in 7.4-18.01)
ldap_list_name mgrpListName G Name associated with the list for administrative purposes. The value must be a UTF-8 string.
ldap_list_description mgrpDescription G Textual description of the list. UTF-8 string. Multivalued and supports language-tagged attribute values.
ldap_list_advertised mgrpAdvertised G Whether or not to advertise the list in the MAILSERV GUI. Possible values are yes or no.
ldap_list_public_roster mgrpPublicRoster G Should the membership list be visible to anyone, or merely to members, or to admins_only.
ldap_list_subscribe_policy mgrpSubscribePolicy G Policy for handling list subscription requests. Possible values are:
  • "immediate" - honor subscription requests immediately
  • "confirm" - send confirmation e-mail
  • "to_moderator" - require moderator approval
  • "both" - require both confirmation and moderator approval.
ldap_list_unsubscribe_policy mgrpUnsubscribePolicy G Controls list unsubscribe policy. Same possible settings as for ldap_list_subscribe_policy.
ldap_list_trust_new_members mgrpTrustNewMembers G  
Head of household control support attributes
ldap_hoh_filter mailSieveRuleSource   (New in MS 6.2.) Specify an attribute to request when performing a head of household filter lookup.
ldap_hoh_owner mail   (New in MS 6.2.) Attribute in which to find the owner of the HOH Sieve.
Schema 2 support attributes
ldap_attr_domain1_schema2 sunPreferredDomain++ D Attribute used to store the primary domain in Schema 2.
ldap_attr_domain2_schema2 associatedDomain++ D Attribute used to store any secondary domains in Schema 2.
ldap_attr_domain_search_filter     Attribute in the global configuration template area (see the ldap_global_config_templates MTA option) that is used to store the domain search filter template.
Per-domain attributes
ldap_domain_attr_basedn inetDomainBaseDn D Domain entry attribute used to store the baseDN of domain entries.
ldap_domain_attr_alias aliasedObjectName D Schema 1 attribute used in domain alias entries to specfify the DN of the actual domain entry.
ldap_domain_attr_uplevel   D (New in MS 6.3) Specify a domain level attribute used to store a domain-specific uplevel value which overrides the value of the domain_uplevel MTA option for this particular domain. Currently only bits 0 and 2 (values 1 and 4) have meaning for the named attribute's value; the other bits of the domain_uplevel MTA option remain in effect. Note that this domain level attribute is only consulted if the domain is first found. Thus setting bit 0 (value 1) has no effect unless bit 0 (value 1) of the domain_uplevel MTA option is set. However, with bit 0 (value 1) of domain_uplevel is set, then clearing bit 0 in the domain level attribute can disable domain uplevel matching for subdomains of this particular domain while domain uplevel matching is still possible for other domains.
ldap_domain_attr_canonical inetCanonicalDomainName D Specifies the canonical domain name for domains whose member entries overlap.
ldap_domain_attr_uid_separator domainUidSeparator D The UID separator default for users in the domain.
ldap_domain_attr_subaddress   D (New in 8.0) Specify the name of an LDAP attribute that controls use of subaddresses in lookups of addresses in this domain.
ldap_domain_attr_routing_hosts mailRoutingHosts D Specify the hosts that are responsible for performing routing for this domain. If this MTA is one such host, then the user address will be looked up and attributes processed. Otherwise, the address will be routed onwards: by default, just routing based on rewriting the address, but if the MTA option route_to_routing_host is set to 1 then the first mailRoutingHosts value will be inserted into the address as a source route (hence the rewriting routing will depend upon that host name). Note that delivery options can be marked as mail host independent, thereby meaning that processing should occur regardless of whether this MTA is one of the mailRoutingHosts; see the delivery_options MTA option.
ldap_domain_attr_smarthost mailRoutingSmartHost D If a user address is not found in the directory, then route onwards, inserting the mailRoutingSmartHost value into the address as a source route.
ldap_domain_attr_status inetDomainStatus D The attribute containing the domain's overall status.
ldap_domain_attr_mail_status mailDomainStatus D The attribute containing the domain's mail service status. Valid values for this attribute are: active, inactive, deleted, hold, disabled, overquota, and (new in MS 6.0) unused and removed; other values are interpreted as inactive. Note that the imquotacheck utility is what updates mailDomainStatus to set it to overquota.
ldap_domain_attr_blocklimit mailDomainMsgMaxBlocks D Set a domain limit for how large of message users in the domain may receive. New in MS 6.3, this attribute is also checked during reverse_url lookups, and will be used (for messages that have no return-of-content policy already set) to decide whether the NOTARY non-return-of-content flag should be set.
ldap_domain_attr_conversion_tag mailDomainConversionTag D New in MS 6.1. Specify a per-domain attribute whose value will be applied as conversion tags for messages sent to users or groups associated with this domain.
ldap_domain_attr_source_conversion_tag   D New in MS 6.2. Specify a per-domain attribute whose value will be applied as conversion tags for messages coming from users associated with this domain.
ldap_domain_attr_optin   D A deprecated synonym for ldap_domain_attr_optin1
ldap_domain_attr_optinN   D Specifies the names of attributes used to opt in to spam filtering at the domain level. Messages sent or received from addresses associated with the domain will be opted in to the spam filter associated with the specified slot. Currently the slot value must be between 1 and 8.
ldap_domain_attr_nosolicit   D New in MS 6.2.
ldap_domain_attr_autoreply_timeout   D Name of an attribute that specifies a default autoreply timeout for users associated with this domain.
ldap_domain_attr_default_mailhost No default; but the Admin SDK has a preferredMailHost attribute, used in provisioning, that would be one possibly appropriate attribute to also use for this purpose D (New in MS 6.3) Specify a default mailHost to take effect for all users in this domain who do not have their own explicit mailHost set.
ldap_domain_attr_disk_quota   D  
ldap_domain_attr_message_quota   D  
ldap_domain_attr_filter mailDomainSieveRuleSource D Attribute used to specify domain-level Sieve filters.
ldap_domain_attr_sender_sieve mailDomainSenderSieve D (New in MS 8.0.1)
ldap_domain_attr_report_address mailDomainReportAddress D The domain's postmaster address. This value is used as the header From: address in DSNs reporting problems associated with recipient addresses in the domain. It is also used (in certain cases) when reporting problems to users within the domain regarding errors associated with nonlocal addresses. If this attribute is not set, then in those cases the reporting address will default to postmaster@domain. Note that regardless of whether or not this attribute is set, there are a number of cases where the overall host's postmaster address will be used, rather than any domain-specific postmaster address.
ldap_domain_attr_catchall_address mailDomainCatchallAddress D Specifies the name of an attribute whose value is a "catch all" address for the domain: an address to which to route any messages to addresses "in" this domain but with an unrecognized local-part.
ldap_domain_attr_catchall_mapping No default; mailDomainCatchallMapping recommended D (New in MS 6.3.) Specify the name of an attribute used to specify the name of a mapping table which will be consulted when an address associated with the domain fails to match any particular user entry. The format of the mapping table probe is the same as that of the FORWARD mapping table, and is affected by any setting of the use_forward_database MTA option in the same way as the FORWARD mapping table probe is affected. If the mapping sets the $Y metacharacter, then the resulting string will replace the address being processed.
ldap_domain_attr_sourceblocklimit   D Specify a per-domain attribute, analogous to the per-user ldap_sourceblocklimit. New behavior in MS 6.3 is that a per-domain setting such as this will override more general settings, rather than (as previously) the minimum of all applicable limits being applied; thus new in MS 6.3, a particular domain can be allowed to send large messages as an exception to more general, smaller limits, by setting a large value for this attribute while general small limits remain in effect.
ldap_domain_attr_source_channel   D (New in MS 6.3) Specify a source channel to which to "switch" (if userswitchchannel is specified on the current source channel)
ldap_domain_attr_recipientlimit   D Specify a per-domain attribute, analogous to the per-user ldap_recipientlimit and the recipientlimit channel option. New behavior in MS 6.3 is that a per-domain setting such as this will override more general settings, rather than (as previously) the minimum of all applicable limits being applied; thus new in MS 6.3, a particular domain can be allowed to send messages to many recipients as an exception to more general, smaller limits, by setting a large value for this attribute while general small limits remain in effect.
ldap_domain_attr_recipientcutoff   D Specify a per-domain attribute, analogous to the per-user ldap_recipientcutoff and the recipientcutoff channel option. New behavior in MS 6.3 is that a per-domain setting such as this will override more general settings, rather than (as previously) the minimum of all applicable limits being applied; thus new in MS 6.3, a particular domain can be allowed to send messages to many recipients as an exception to more general, smaller limits, by setting a large value for this attribute while general small limits remain in effect.
ldap_domain_attr_detourhostoptin   D (New in 7.0.5) Specify a per-domain attribute, analogous to the per-user ldap_detourhost_optin. If this attribute has the special value (if any) specified by the aliasdetourhost_null_optin MTA option, that will be considered equivalent to the domain attribute being absent.

+ User-modifiable LDAP attribute.

++ Domain map code has the specified default, not the MTA proper

+++ While the MTA in principle allows this attribute on group/mailing list entries, the typical configuration of the delivery_options MTA option disables this support; plus, the Sun schema does not, as distributed, allow this attribute on group/mailing list entries. See the delivery_options MTA option for some discussion regarding enabling use of this attribute on group/mailing list entries.


See also: