Sun Java System Messaging Server 6.3 Administration Guide

10.12.1 Optimizing Authorization Checks to the LDAP Directory for Messages Addressed to Mailing Lists

You can use metacharacter character substitutions to reduce authorization checks to the LDAP directory for Messages addressed to a mailing list.

Metacharacter substitutions can now be specified in mgrpModerator, mgrpAllowedBroadcaster and mgrpDisallowedBroadcaster attributes. In particular, the various address-related metacharacter sequences ($A for the entire address, $U for the mailbox part, $D for the domain part) refer to the current envelope From: address and can in some cases be used to limit the results returned by the URL to entries that are likely (or guaranteed) to match. This may make authorization checks much more efficient.

The new MTA option PROCESS_SUBSTITUTIONS controls whether or not substitutions are performed in various LDAP attributes that specify a URL. This is a bit-encoded value, with the bits defined as follows:




Enables substitutions in mgrpDisallowedBroadcaster if set 

Enables substitutions in mgrpAllowedBroadcaster if set 

Enables substitutions in mgrpModerator if set 

Enables substitutions in mgrpDeliverTo if set 


Enables substitutions in memberURL 

The PROCESS_SUBSTITUTIONS MTA option defaults to 0, meaning that all of these substitutions are disabled by default.

An example would be a dynamic list defined through an LDAP lookup where anyone on the list is allowed to post. In such cases you typically define the list with attributes like:


The effect of such a definition, however, is to expand the list twice, once for the authorization check and once to build the actual recipient list,. This is a very server intensive operation. If, on the other hand, you add a restriction so only entries containing the current envelope From: address are returned in the authorization check, things may be much more efficient. First change the PROCESS_SUBSTITUTION setting to 2, and then you can set the following entries:


In this example, only the sender's entry is checked for broadcast authorization as opposed to all the user entries in Sesta US. This reduces the work the directory server has to do to a single (hopefully indexed) match and a single return value. The alternative is to return the entire list and have the MTA perform the match.

Note that the information available for substitution varies depending on whether the attribute is used for authorization checks or for actual list expansion. For authorization attributes, the whole address ($A), domain ($D), host ($H), and local-part ($L) are all derived from the authenticated sender address. In the case of list expansion attributes all of these substitution values are derived from the envelope recipient address that specified the list. In both cases, however, the subaddress substitution ($S) is derived from the current envelope recipient address.

The ability to access subaddress information in list expansion URLs makes it possible to define metagroups, that is, a single group entry that creates an entire collection of different groups. For example, a group with a mgrpDeliverTo value of:

mgrpDeliverTo: ldap:///o=usergroup?mail?sub?(department=$S)

and the corresponding PROCESS_SUBSTITUTIONS value being 8. It is possible to send mail to every member of a given department with an address of the form Note that a mechanism like a forward mapping could be used to alter the syntax if subaddresses are seen as too difficult.