I have configured a server for IMAP and POP3 access. On the GWIA for this server, I have configured a new class of service that gives the specified user accounts (Groupwise authentication) access to POP3, IMAP, SMTP Incoming, and SMTP outgoing.

The Default Class of Service which contains Everyone allows SMTP Incoming and SMTP Outgoing. If I prevent SMTP Incoming, SMTP outgoing, users who are in the new IMAP/POP3 class of service can no longer connect by using SMTP. This behavior occurs even though they are members of the new class of service which allows this.
The documentation says that if the user entries are at the same level (the user level in this case (everyone versus individual groupwise accounts)), the least restrictive setting should take precedence.
On this particular GWIA, I would like to restrict SMTP connections to only the members of the particular class of service (to limit the authenticated spam attack vector). However, it does not seem possible.
I would really appreciate any help pointing me in the right direction. Not sure what I am missing here.

Thank you very much!