Library /sys$common/syshlp/helplib.hlb  —  PMDF  PASSWORD  Description
    The PMDF PASSWORD utility is used to create and modify PMDF
    password database entries. This database may be used by POP
    clients issuing the APOP command, by IMAP clients using the CRAM-
    MD5 authentication mechanism, or possibly by users authenticating
    themselves to modify their personal mailbox filters.

    Note that in general, just which source of password
    authentication information is used-whether the PMDF password
    database, or some other source-is controlled by the PMDF security
    configuration file; see That is, a connection comes in (POP,
    IMAP, or mailbox filtering) and is mapped to a security rule
    set; the security rule set in the PMDF security configuration
    then controls where and how authentication is performed for that
    connection.

    For instance, the DEFAULT security rule set in PMDF's
    implicit security configuration (which applies if no security
    configuration file exists) checks first for a PMDF user profile
    password (PMDF MessageStore or PMDF popstore profile password),
    next for a PMDF password database entry, and finally falls
    through to checking for a system password entry.

    Note that APOP and CRAM-MD5 passwords cannot be stored in the
    system password file. Therefore, in order to support use of the
    POP protocol's APOP command or AUTH command with CRAM-MD5, or
    the IMAP protocol's authenticate command with CRAM-MD5, the user
    must have a password entry stored in an authentication source
    other than (or in addition to) the system password file. The PMDF
    password database can be that additional authentication source.

    Thus for instance, for a POP or IMAP connection handled by
    the DEFAULT security rule set, a user must either be a PMDF
    MessageStore user or a PMDF popstore user (in which case their
    PMDF user profile password is normally sufficient for remote
    authentication), or if they are a legacy message store (VMS
    MAIL) user then they must have a PMDF password database entry
    in addition to their system password file entry.

    For mailbox filter connections handled by the DEFAULT
    security rule set of PMDF's implicit security configuration,
    authentication will be performed preferentially against the PMDF
    user profile, if the user has a PMDF user profile entry (that
    is, a PMDF MessageStore or PMDF popstore profile entry), if not
    then against the PMDF password database, if the user has an entry
    in it, and finally, only if the user has neither sort of entry,
    against the system password file.

    The above discussion regards whether the PMDF password
    database will actually be used as the source of authentication
    information. When the PMDF password database is used as the
    source of authentication information, then an additional issue
    can arise, namely which of a user's possibly multiple entries
    will be checked for the authentication. That is, a user can have
    multiple entries in the PMDF password database, one for each
    allowed /SERVICE value. The sort of connection (assuming that
    the PMDF password database is even checked) will control which
    /SERVICE entry is preferentially checked. Note that the sort
    of /SERVICE checked has nothing to do with the PMDF security
    configuration (which instead controlled whether or not the PMDF
    password database was queried at all); the sort of /SERVICE entry
    checked when the PMDF password database is queried has entirely
    to do with which component of PMDF is doing the querying (what
    sort of connection this regards).

    Queries by the POP server will first check a user's /SERVICE=POP
    entry, but if such an entry does not exist will fall through
    to the user's /SERVICE=DEFAULT entry. Queries by the IMAP
    server will first check a user's /SERVICE=IMAP entry, but if
    such an entry does not exist will fall through to the user's
    /SERVICE=DEFAULT entry.

    Queries for mailbox filtering will check which channel a user
    matches. For a user matching a msgstore channel, the mailbox
    filter query will preferentially use the user's /SERVICE=IMAP
    entry, but if such an entry does not exist will fall through to
    the user's /SERVICE=DEFAULT entry. For a user matching a popstore
    channel, the mailbox filter query will preferentially use the
    user's /SERVICE=POP entry, but if such an entry does not exist
    will fall through to the user's /SERVICE=DEFAULT entry. For a
    user matching the local channel, the mailbox filter query will
    use the user's /SERVICE=DEFAULT entry.

    Most sites and users will not want to use /SERVICE specific
    password database entries. Then each user has one entry, their
    /SERVICE=DEFAULT entry, used whenever the PMDF password database
    is queried.

    But for sites and users who do want to use /SERVICE specific
    password database entries, while the above description of
    /SERVICE specific probes may sound complicated, the goal is
    simply to query the "natural" password entry for each case.
Close Help