Permission to use the various mail services available through Communications Express Mail can be given or denied with LDAP filters. A filter is defined with the mailAllowedServiceAccess or mailDomainAllowedServiceAccess LDAP attributes. Generally speaking, a filter works in one of three ways:
Permission is given to all users for all services when no filter is used
Permission is explicitly given to a list of users for specified service names (a plus sign (+) precedes the service name list)
Permission is explicitly denied to a list of users for specified service names (a minus sign (-) precedes the service name list)
The required mail service names for S/MIME are http, smime, and smtp. If you need to restrict the use of S/MIME among Communications Express Mail users, use the appropriate LDAP attribute syntax and service names to create a filter. The attributes are created or modified with LDAP commands.
1. The following examples block access to the S/MIME features for one Communications Express Mail user:
mailAllowedServiceAccess: -smime:*$+imap,pop,http,smtp:*
or
mailAllowedServiceAccess: +imap,pop,http,smtp:*
2. The following examples block access to the S/MIME features for all Communications Express Mail users in a domain:
mailDomainAllowedServiceAccess: -smime:*$+imap:*$+pop:*$+smtp:*$+http:*
or
mailDomainAllowedServiceAccess: +imap:*$+pop:*$+smtp:*$+http:*
See Filter Syntax for more information.
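The following added example (not part of the original documentation or the product's code) models how the filter values shown above resolve for a given service name, so a value can be checked before it is written to the directory. It assumes that the client part of every rule is *, as in the examples on this page, and that a service matching no rule is denied only when the filter contains allow rules and no deny rules; the function names are hypothetical.

```python
# Added illustration: a simplified model of mailAllowedServiceAccess and
# mailDomainAllowedServiceAccess values, not the server's implementation.
SERVICES = ("imap", "pop", "http", "smtp", "smime")

def parse_filter(value):
    """Split a filter value into (sign, {service names}) rules."""
    rules = []
    for raw in (r.strip() for r in (value or "").split("$")):
        if not raw:
            continue
        sign, body = raw[0], raw[1:]
        if sign not in ("+", "-") or ":" not in body:
            raise ValueError(f"malformed rule: {raw!r}")
        services, client = body.split(":", 1)
        if client.strip() != "*":
            # Assumption: only the "*" client pattern used on this page is modelled.
            raise ValueError(f"client pattern not modelled: {client!r}")
        rules.append((sign, {s.strip().lower() for s in services.split(",")}))
    return rules

def is_allowed(value, service):
    """Return True if the filter value permits the named service."""
    rules = parse_filter(value)
    if not rules:
        return True  # no filter: all services permitted (stated on this page)
    allowed = any(sign == "+" and service in names for sign, names in rules)
    denied = any(sign == "-" and service in names for sign, names in rules)
    if allowed and denied:
        # Precedence is not described on this page, so flag it for review.
        raise ValueError(f"{service!r} is both allowed and denied")
    if allowed or denied:
        return allowed
    # No rule names the service. Assumption: denied when the filter has
    # allow rules but no deny rules, otherwise granted.
    has_allow = any(sign == "+" for sign, _ in rules)
    has_deny = any(sign == "-" for sign, _ in rules)
    return not (has_allow and not has_deny)

def audit(value):
    """Map each service name used on this page to its resolved permission."""
    return {name: is_allowed(value, name) for name in SERVICES}

if __name__ == "__main__":
    for v in ("", "-smime:*$+imap,pop,http,smtp:*", "+imap:*$+pop:*$+smtp:*$+http:*"):
        print(repr(v), audit(v))
```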