Copyright Digital Equipment Corp. All rights reserved.

Description

   The PMDF PASSWORD utility is used to create and modify PMDF
   password database entries. This database may be used by POP
   clients issuing the APOP command, by IMAP clients using the CRAM-
   MD5 authentication mechanism, or possibly by users authenticating
   themselves to modify their personal mailbox filters.

   Note that in general, just which source of password
   authentication information is used-whether the PMDF password
   database, or some other source-is controlled by the PMDF security
   configuration file; see That is, a connection comes in (POP,
   IMAP, or mailbox filtering) and is mapped to a security rule
   set; the security rule set in the PMDF security configuration
   then controls where and how authentication is performed for that
   connection.

   For instance, the DEFAULT security rule set in PMDF's
   implicit security configuration (which applies if no security
   configuration file exists) checks first for a PMDF user profile
   password (PMDF MessageStore or PMDF popstore profile password),
   next for a PMDF password database entry, and finally falls
   through to checking for a system password entry.

   Note that APOP and CRAM-MD5 passwords cannot be stored in the
   system password file. Therefore, in order to support use of the
   POP protocol's APOP command or AUTH command with CRAM-MD5, or
   the IMAP protocol's authenticate command with CRAM-MD5, the user
   must have a password entry stored in an authentication source
   other than (or in addition to) the system password file. The PMDF
   password database can be that additional authentication source.

   Thus for instance, for a POP or IMAP connection handled by
   the DEFAULT security rule set, a user must either be a PMDF
   MessageStore user or a PMDF popstore user (in which case their
   PMDF user profile password is normally sufficient for remote
   authentication), or if they are a legacy message store (VMS
   MAIL) user then they must have a PMDF password database entry
   in addition to their system password file entry.

   For mailbox filter connections handled by the DEFAULT
   security rule set of PMDF's implicit security configuration,
   authentication will be performed preferentially against the PMDF
   user profile, if the user has a PMDF user profile entry (that
   is, a PMDF MessageStore or PMDF popstore profile entry), if not
   then against the PMDF password database, if the user has an entry
   in it, and finally, only if the user has neither sort of entry,
   against the system password file.

   The above discussion regards whether the PMDF password
   database will actually be used as the source of authentication
   information. When the PMDF password database is used as the
   source of authentication information, then an additional issue
   can arise, namely which of a user's possibly multiple entries
   will be checked for the authentication. That is, a user can have
   multiple entries in the PMDF password database, one for each
   allowed /SERVICE value. The sort of connection (assuming that
   the PMDF password database is even checked) will control which
   /SERVICE entry is preferentially checked. Note that the sort
   of /SERVICE checked has nothing to do with the PMDF security
   configuration (which instead controlled whether or not the PMDF
   password database was queried at all); the sort of /SERVICE entry
   checked when the PMDF password database is queried has entirely
   to do with which component of PMDF is doing the querying (what
   sort of connection this regards).

   Queries by the POP server will first check a user's /SERVICE=POP
   entry, but if such an entry does not exist will fall through
   to the user's /SERVICE=DEFAULT entry. Queries by the IMAP
   server will first check a user's /SERVICE=IMAP entry, but if
   such an entry does not exist will fall through to the user's
   /SERVICE=DEFAULT entry.

   Queries for mailbox filtering will check which channel a user
   matches. For a user matching a msgstore channel, the mailbox
   filter query will preferentially use the user's /SERVICE=IMAP
   entry, but if such an entry does not exist will fall through to
   the user's /SERVICE=DEFAULT entry. For a user matching a popstore
   channel, the mailbox filter query will preferentially use the
   user's /SERVICE=POP entry, but if such an entry does not exist
   will fall through to the user's /SERVICE=DEFAULT entry. For a
   user matching the local channel, the mailbox filter query will
   use the user's /SERVICE=DEFAULT entry.

   Most sites and users will not want to use /SERVICE specific
   password database entries. Then each user has one entry, their
   /SERVICE=DEFAULT entry, used whenever the PMDF password database
   is queried.

   But for sites and users who do want to use /SERVICE specific
   password database entries, while the above description of
   /SERVICE specific probes may sound complicated, the goal is
   simply to query the "natural" password entry for each case.