Start/notes.ini Parameters/AMgr_DisableMailLookup

AMgr_DisableMailLookup

Parameter: AMgr_DisableMailLookup
Short description: Disables the Agent Manager's mail lookup check for mail-triggered agents — workaround when the signer has no person document on its mail server (typical in cluster setups).

Profile

Parameter
AMgr_DisableMailLookup
Category
Startup / Tasks (Agent Manager)
Component
Server
Available since
At least 9.0.1 (HCL Customer Support KB0037405 – Applies to: Domino 9.0.x, 10.0.x, HCL Domino 11.0.x and later)
Supported versions
9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1
GUI equivalent
notes.ini only (no GUI)
Possible values
0 = mail lookup active (default) • 1 = disable mail lookup
Default
0

Description

When an agent with the "After new mail has arrived" trigger is signed and stored on a Domino server, the Agent Manager first checks whether the signer (user entry in the agent signature) can be uniquely resolved in the Domino Directory when new mail arrives in the corresponding mailbox. If this mail lookup fails — typically because the signer is assigned to a different mail server than the one that would currently execute the agent — the Agent Manager refuses execution and writes the following message to the console or log.nsf:
Unable to determine the execution access privileges for this agent.
With AMgr_DisableMailLookup=1 this lookup check is skipped. The Agent Manager starts the agent with the rights of the configured signer without requiring the signer's person document to exist or be resolvable on the executing mail server.
The typical use case is the HCL-recommended solution from KB0037405: in cluster mail server environments a mail database resides on multiple servers simultaneously. When an "After new mail has arrived" agent is signed, the Agent Manager on one of the cluster members may be unable to resolve the signer — even though the agent itself is entirely correct. AMgr_DisableMailLookup=1 bypasses this check cleanly and lets the agent run on every cluster member.
The parameter is not listed in the official conf_amgr_* series of the HCL product documentation — it originates from HCL Customer Support (KB0037405) and is additionally recommended in KB0032179 ("Troubleshooting Script") as a standard diagnostic setting together with Log_AgentManager=1.

Example configuration

Disable mail lookup (cluster mail server, KB0037405 workaround):
AMgr_DisableMailLookup=1
Re-enable mail lookup (default):
AMgr_DisableMailLookup=0
Set dynamically at runtime — takes effect only after restart of the Agent Manager:
set config AMgr_DisableMailLookup=1
tell amgr quit
load amgr

Notes & pitfalls

  • Does not take effect immediately via set config — only after tell amgr quit + load amgr (or a server restart) does the Agent Manager pick up the new value.
  • Applies exclusively to mail-triggered agents ("After new mail has arrived" trigger). Scheduled agents or UI-triggered agents are not affected by the lookup behavior anyway.
  • Set before running cluster failover tests — otherwise agent runs are sporadically dropped with the privilege error message, which is easily misinterpreted in monitoring as "agent not running".
  • No security loss in the strict sense: the agent still runs with the rights set in the agent properties dialog (signer identity). The switch only skips the additional resolution of the person document.
  • Diagnostic bundle for "Unable to determine the execution access privileges" per KB0032179: enable AMgr_DisableMailLookup=1 + Log_AgentManager=1, restart AMgr, reproduce the issue, evaluate the logs.
  • HCL Customer Support also recommends the switch for mail-triggered agents whose signer is in a different domain or would have to be resolved via cross-certified directories.

Sources (HCL Product Documentation)