The PMDF security configuration controls among other things the authentication source used by the PMDF POP and IMAP servers; see the discussion in Chapter 14 on how you can customize this for your site.
Typically, however, users accessing the VMS MAIL message store (OpenVMS) or native Berkeley message store (UNIX) would authenticate against the system password file---except that the system password file on OpenVMS or UNIX can not store certain password forms such as that required for CRAM-MD5 authentication (from IMAP or POP clients) or APOP authentication (from POP clients). Thus in order to perform such authentication from clients, another authentication source must also be in use. That additional authentication source can be the PMDF password database.
When using the PMDF password database as the source of authentication information, note that it can contain several entries, one for each allowed service value. The sort of connection (for instance, whether POP or IMAP) will control which service entry is preferentially checked. Queries by the POP server will first check the user's POP service entry, but if such an entry does not exist will fall through to the the user's DEFAULT service entry. Queries by the IMAP server will first check the user's IMAP service entry, but if such an entry does not exist will fall through to the DEFAULT service entry.
The use of service specific password database entries is not typical; typically, users would each simply have one entry, a DEFAULT service entry, used whenever the PMDF password database is queried. But if users do want to use service specific password database entries, while the above description of service specific probes can sound complicated, the goal is simply to query the "natural" password entry for each case.
So typically, before a POP mail client accessing a native OpenVMS or UNIX message store can use the APOP command to authenticate himself, or before an IMAP or POP mail client accessing a native OpenVMS or UNIX message store can use CRAM-MD5 authentication, the user himself (or the system manager on his behalf) must set the user's password (for the DEFAULT service) in the PMDF password database. See Section 14.7 for additional discussion.
Note that users accessing the PMDF MessageStore or PMDF popstore normally authenticate against a PMDF user profile, which is suitable for use for all such forms of authentication. Thus such users normally need not have any PMDF password database entry.
13.7 Mailbox Server Connection Logging
When the LOGGING option is enabled in the IMAP server or POP server
configuration file, connection log entries will be generated by that
server in the PMDF log file---or if the
PMDF option has been set, see Section 7.3.6, then instead in
the PMDF connection log file. Such entries can include detail about
SASL errors, details which are not revealed over the wire, such as the
distinction between a non-existent user and a bad password.
See Section 33.1.2 for a discussion of the format of such PMDF log file or connection log file entries. In particular, the server entries will be of one of the sorts listed in Table 13-2. Note that every connection gets an "O" entry and either a "C" entry or an "X" entry. Any number of "A" entire entries (including none) can be generated by a single IMAP/POP session.
|A||Authentication attempt failed|
|O||Login phase completed (either successful login or aborted connection)|
|C||Connection closed cleanly|
|X||Connection aborted (by either end)+|