Problem

MailGate Group is created and "Enable Personal Quarantine Automatically" option is checked. Nevertheless, some users do not get the Personal Quarantine (PQ) enabled no matter how many emails they are being sent. Their PQ is activated either manually or by editing the Group membership to lookup the entire domain.

Resolution

Such behavior is observed when the user account does not belong to the LDAP group selected in the MailGate Group membership explicitly, but is part of a nested group.

Since MailGate does not support nested LDAP groups, it can only list members of the first layer of the main LDAP group.

To workaround this, the memberOf attribute of the users must contain that group. If there is no such group in the attribute MailGate will not consider the user a member.

Overall, the desired users need to be explicitly assigned to be members of the defined group (having the memberOf attribute in the LDAP server) as their inherited membership is not something which should be taken into consideration.

There are two options to make this happen - either to add them to a one-layer group or create an LDAP source having the nested group DN as a search base.