allowedbroadcaster AND alloweddomain in the same group
Hi all,
I would need to set both the mgrpallowedbroadcaster AND the mgrpalloweddomain attributes in a mailgroup entry:
This is the example:
dn: cn=lista1,ou=groups,ou=nazionali,o=inca.it,dc=inca,dc=it
mgrpAllowedBroadcaster: ldap:///cn=listautenti,ou=groups,ou=nazionali,o=inca.it,dc=inca,dc=it
mgrpAllowedDomain: osservatorioinca.org
mwIncaListPolicy: filtered
mgrpRFC822MailMember: utente1@inca.it
mail: lista1@inca.it
mgrpMsgRejectAction: reply
objectClass: top
objectClass: inetmailgroup
objectClass: inetlocalmailrecipient
objectClass: groupofuniquenames
objectClass: iplanet-am-managed-static-group
objectClass: iplanet-am-managed-group
objectClass: inetmailgroupmanagement
objectClass: ipgroup
objectClass: babmware
mailDeliveryOption: members
cn: lista1
But only mails sent by an address in the list "listautenti" are accepted. The alloweddomain attribute seems to be ignored. Is this normal?
# 2
Hi,
As Jay noted, group restrictions are 'AND'ed and not 'OR'ed.
You can change this behaviour globally by adding the following to your option.dat file:
OR_CLAUSES=1
Then rebuild;restart the MTA.
./imsimta cnbuild;./imsimta restart
Or you can change this behaviour on a per-group value, as per Kristin's description from the info-ims mailing list:
"Or if you want to control the interpretation of multiple conditions on a per group or list basis, you can set the particular group or list's mgrpBroadcasterPolicy attribute to include the value "or". (You can specify multiple, comma-separate values for mgrpBroadcasterPolicy, so setting "or" does not prevent you from also setting the list to require authentication to post, or to require a password to post.)"
Regards,
Shane.
# 3
Ok, I'm quite confused.
I have this list entry:
dn: cn=testlist,ou=groups,o=mydomain.it,dc=mydomain,dc=it
mgrpAllowedBroadcaster: ldap:///cn=userlist,ou=groups,o=mydomain.it,dc=mydomain,dc=it
mgrpAllowedDomain: myotherdomain.org
mgrpBroadcasterPolicy: or
mailDeliveryOption: members
mgrpRFC822MailMember: list1@mydomain.it
I am using both mgrpAllowedDomain and mgrpAllowedBroadcaster. Now, if test@myotherdomain.org (the alloweddomain) sends a mail to this list, it's blocked (You are not allowed to use this list). If the sender is user1@mydomain.it (which is a member of userlist, listed as allowedbroadcaster), the mail is accepted. So it seems that the restrictions are neither ANDed nor ORed. The allowedDomain attribute seems to be completely ignored.
Another question about AND and OR. With the default configuration (e.g. without setting the mgrpBroadcasterPolicy attribute), I've already tried to set multiple mgrpAllowedDomain attributes in the same entry, and they were applied with an OR (if the sender was in any one of the values, the mail was accepted). I didn't try with mgrpAllowedBroadcaster.
# 4
Hi,
> I am using both mgrpAllowedDomain and
> mgrpAllowedBroadcaster. Now, if
> test@myotherdomain.org (the alloweddomain) sends a
> mail to this list, it's blocked (You are not allowed
> to use this list). If the sender is user1@mydomain.it
> (which is a member of userlist, listed as
> allowedbroadcaster), the mail is accepted.
Seems to work for me:
dn: cn=mygroup, ou=groups, o=domain1.com, o=isp
changetype: add
objectClass: top
objectClass: groupofuniquenames
objectClass: inetMailGroup
objectClass: inetMailGroupManagement
objectClass: inetLocalMailRecipient
objectClass: nsManagedMailList
cn: mygroup
mail: mygroup@domain1.com
uniqueMember: uid=user002,ou=People, o=domain1.com, o=isp
inetMailGroupStatus: active
mailDeliveryOption: members
mgrpAllowedBroadcaster: ldap:///uid=user001,ou=People, o=domain1.com, o=isp
mgrpAllowedDomain: gmail.com
mgrpErrorsTo: /
mgrpBroadcasterPolicy: or
So to test:
./imsimta test -rewrite -from=user001@domain1.com mygroup@domain1.com
[list expanded, not blocked - correct]
./imsimta test -rewrite -from=blah@gmail.com mygroup@domain1.com
[list expanded, not blocked - correct]
./imsimta test -rewrite -from=user002@domain1.com mygroup@domain1.com
[blocked - correct]
./imsimta test -rewrite -from=blah@test.com mygroup@domain1.com
[blocked - correct]
And to double check I got rid of the "mgrpBroadcasterPolicy: or" from the list definition and ran:
./imsimta test -rewrite -from=blah@gmail.com mygroup@domain1.com
[blocked - correct]
./imsimta test -rewrite -from=user001@domain1.com mygroup@domain1.com
[list expanded, not blocked - correct]
Not sure what you are doing wrong. If you have a test server, try patching to 118207-63 (latest messaging server 6.2 patch) and trying again.
> Another question about AND and OR. With the default
> configuration (eg. without setting the
> mgrpBroadcasterPolicy attribute), i've already tried
> to set multiple mgrpAllowedDomain attributes in the
> same entry, and they were applied with an OR (if the
> sender was in any one of the values, the mail was
> accepted). I didn't try with mgrpAllowedBroadcaster .
Multiples of the same attribute type are OR'd together. It wouldn't make sense otherwise, as you couldn't have more than one mgrpAllowedBroadcaster, for example.
Regards,
Shane.
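Added example, not part of the thread and not Messaging Server code: a small LDIF audit that lists the groups setting both mgrpAllowedBroadcaster and mgrpAllowedDomain, and reports whether the two restriction types are combined in the default way (reported as "and", as post #2 describes it) or with "or" through mgrpBroadcasterPolicy or a global OR_CLAUSES=1. The sample LDIF is constructed from the entries posted above, and comparing the "or" value case-insensitively is an assumption. The script does not predict which senders are accepted; the imsimta test -rewrite runs in post #4 are the check for that.

```python
# Added audit helper, not Messaging Server code. It only reads LDIF text.
RESTRICTIONS = ("mgrpallowedbroadcaster", "mgrpalloweddomain")

def parse_ldif(text):
    """Return a list of {attr_lowercase: [values]} dicts, unfolding folded lines."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # RFC 2849 continuation line
        elif raw.strip():
            lines.append(raw)
        elif lines:                            # blank line closes the entry
            entry = {}
            for line in lines:
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
            entries.append(entry)
            lines = []
    return entries

def audit(entries, or_clauses=False):
    """List groups with both restriction types; or_clauses mirrors OR_CLAUSES=1."""
    report = []
    for e in entries:
        if not all(e.get(k) for k in RESTRICTIONS):
            continue                           # only one restriction type is set
        policy = {p.strip().lower() for v in e.get("mgrpbroadcasterpolicy", [])
                  for p in v.split(",")}       # comma-separated policy values
        mode = "or" if (or_clauses or "or" in policy) else "and"
        report.append({"dn": e.get("dn", ["?"])[0], "mode": mode,
                       "broadcasters": e[RESTRICTIONS[0]], "domains": e[RESTRICTIONS[1]]})
    return report

# Constructed sample: trimmed copies of the entries from posts #1 and #3.
SAMPLE = """\
dn: cn=lista1,ou=groups,ou=nazionali,o=inca.it,dc=inca,dc=it
mgrpAllowedBroadcaster: ldap:///cn=listautenti,ou=groups,ou=nazionali,o=inca.i
 t,dc=inca,dc=it
mgrpAllowedDomain: osservatorioinca.org

dn: cn=testlist,ou=groups,o=mydomain.it,dc=mydomain,dc=it
mgrpAllowedBroadcaster: ldap:///cn=userlist,ou=groups,o=mydomain.it,dc=mydomain,dc=it
mgrpAllowedDomain: myotherdomain.org
mgrpBroadcasterPolicy: or
"""

if __name__ == "__main__":
    for row in audit(parse_ldif(SAMPLE)):
        print(row["mode"], row["dn"], row["domains"])
```

Groups reported as "or" are the ones where either restriction type alone is enough to post, so those are the entries to review when the allowed domain is one you do not control.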