Sun Java System Messaging Server 6.3 Administration Guide

24.10 Granting Permission to Use S/MIME Features

Permission to use the various mail services available through Communications Express Mail can be given or denied with LDAP filters. A filter is defined with the mailAllowedServiceAccess or mailDomainAllowedServiceAccess LDAP attributes. Generally speaking, a filter works in one of three ways:

The required mail service names for S/MIME are http, smime, and smtp. If you need to restrict the use of S/MIME among Communications Express Mail users, use the appropriate LDAP attribute syntax and service names to create a filter. The attributes are created or modified with LDAP commands.

24.10.1 S/MIME Permission Examples

1. The following examples block access to the S/MIME features for one Communications Express Mail user:

mailAllowedServiceAccess: -smime:*$+imap,pop,http,smtp:*

or

mailAllowedServiceAccess: +imap,pop,http,smtp:*

2. The following examples block access to the S/MIME features for all Communications Express Mail users in a domain:

mailDomainAllowedServiceAccess: -smime:*$+imap:*$+pop:*$+smtp:*$+http:*

or

mailDomainAllowedServiceAccess: +imap:*$+pop:*$+smtp:*$+http:*

See 23.7.2 Filter Syntax for more information.
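
The following is an added example, not part of the original guide or the product's code. It evaluates the four filter values above to show why each one leaves S/MIME unavailable while http and smtp remain usable. Assumptions: the matching rules in the comments (an allow match grants, a deny match denies, and no match grants unless the filter holds only allow rules), the constructed client address 192.0.2.10, and client patterns limited to * wildcards; the function names are hypothetical.

```python
from fnmatch import fnmatch

# Service names the guide lists as required for S/MIME.
SMIME_SERVICES = ("http", "smime", "smtp")

# The four filter values shown in the examples above.
PAGE_EXAMPLES = [
    "-smime:*$+imap,pop,http,smtp:*",
    "+imap,pop,http,smtp:*",
    "-smime:*$+imap:*$+pop:*$+smtp:*$+http:*",
    "+imap:*$+pop:*$+smtp:*$+http:*",
]

def parse_filter(value):
    """Split 'rule$rule...' into (sign, services, client_patterns) tuples."""
    rules = []
    for raw in (r.strip() for r in value.split("$")):
        if not raw:
            continue
        if raw[0] not in "+-" or ":" not in raw:
            raise ValueError(f"malformed rule: {raw!r}")
        services, clients = raw[1:].split(":", 1)
        rules.append((raw[0],
                      [s.strip().lower() for s in services.split(",") if s.strip()],
                      [c.strip() for c in clients.split(",") if c.strip()]))
    return rules

def service_allowed(value, service, client="192.0.2.10"):
    """Apply the assumed matching rules to one service and one client."""
    rules = parse_filter(value)

    def hit(sign):
        return any(s == sign
                   and any(fnmatch(service, p) for p in svcs)
                   and any(fnmatch(client, p) for p in clients)
                   for s, svcs, clients in rules)

    if hit("+"):          # assumed: an allow match grants access
        return True
    if hit("-"):          # assumed: a deny match denies access
        return False
    signs = {s for s, _, _ in rules}
    # assumed: no match grants access unless only allow rules exist
    return signs != {"+"}

def smime_permitted(value):
    """S/MIME is usable only if every required service is allowed."""
    return all(service_allowed(value, s) for s in SMIME_SERVICES)
```

Running smime_permitted over an exported attribute value is a quick way to confirm that a restriction written in either form (explicit deny, or allow list without smime) has the intended effect before it is applied with LDAP commands.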