PMDF System Manager's Guide



14.7 The PMDF Password Database

The PMDF password database stores, as its name suggests, passwords. APOP and CRAM-MD5 passwords cannot be stored in the system password file: both are challenge-response mechanisms in which the server must recompute the client's digest from the password itself, and the system password file holds only one-way hashes from which the password cannot be recovered. Therefore, to support the POP protocol's APOP command or AUTH command with CRAM-MD5, or the IMAP protocol's AUTHENTICATE command with CRAM-MD5, the user must have a password entry in an authentication source other than (or in addition to) the system password file. The PMDF password database can be that additional authentication source. Because such an entry necessarily keeps the password in a form the server can use to compute digests, the password database must be protected from being read by anyone other than the server.

Note that in general, whether the PMDF password database is consulted at all for authentication is controlled by the PMDF security configuration, as described in Section 14.2. That is, a connection comes in (POP, IMAP, mailbox filtering, or, if SMTP SASL use is enabled, SMTP) and is mapped to a security rule set; the security rule set in the PMDF security configuration then controls where and how authentication is performed for that connection.

For instance, the DEFAULT security rule set in PMDF's implicit security configuration (which applies if no security configuration file exists) checks first for a PMDF user profile password (PMDF MessageStore or PMDF popstore password), next for a PMDF password database entry, and finally falls through to checking for a system password entry.

Thus, for a POP or IMAP connection handled by the DEFAULT security rule set, a user attempting to authenticate with the APOP or CRAM-MD5 mechanism must either be a PMDF MessageStore or PMDF popstore user (in which case their PMDF MessageStore or PMDF popstore password is normally sufficient for remote authentication; see note 1), or, if they are a legacy message store user (VMS MAIL on OpenVMS, or Berkeley mailbox on UNIX), have a PMDF password database entry in addition to their system password file entry.

For mailbox filter connections handled by the DEFAULT security rule set of PMDF's implicit security configuration, authentication is performed against the first of these sources in which the user has an entry: the PMDF user profile (PMDF MessageStore or PMDF popstore user profile), then the PMDF password database, and finally, only if the user has neither sort of entry, the system password file.

Consider a typical configuration in which SMTP connections are handled by the DEFAULT security rule set of PMDF's implicit security configuration. For an SMTP connection that authenticates with the ESMTP AUTH command under this configuration, if CRAM-MD5 is used then the user must have a PMDF user profile entry or a PMDF password database entry. If PLAIN or LOGIN is used, the password is checked first against the user's PMDF user profile entry, if one exists, next against the PMDF password database, and finally, only if the user has neither sort of entry, against the system password file.
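The following is an added illustration, not PMDF's own code, of two points made in this section: why APOP and CRAM-MD5 need a source that keeps the password in a recoverable form (the system password file's one-way hash can answer a PLAIN or LOGIN check but not a challenge), and the lookup order of the DEFAULT security rule set (user profile, then PMDF password database, then system password file, with PWD_ELSEWHERE sending a profile user on to the password database). The record layout, the salted SHA-256 stand-in for the system hash, and the helper names are assumptions made for the example; the mechanism computations follow RFC 2195 (CRAM-MD5) and RFC 1939 (APOP).

```python
"""Added illustration (not PMDF code): challenge-response mechanisms versus
one-way hashes, and a model of the DEFAULT security rule set's lookup order.
Record layout and helper names are assumptions made for this example."""
import hashlib
import hmac
from typing import Optional

# ---- Mechanism checks ------------------------------------------------------

def cram_md5_response(username: str, challenge: bytes, password: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

def verify_cram_md5(challenge: bytes, response: str, password: str) -> bool:
    """Server side: the HMAC can only be recomputed from the cleartext password."""
    _, _, digest = response.partition(" ")
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def apop_digest(banner: str, password: str) -> str:
    """APOP (RFC 1939): MD5 over the server's timestamp banner plus the password."""
    return hashlib.md5((banner + password).encode()).hexdigest()

def verify_apop(banner: str, digest: str, password: str) -> bool:
    return hmac.compare_digest(apop_digest(banner, password), digest)

def system_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for a crypt(3)-style one-way hash in the system password file
    (a salted SHA-256, constructed for this example)."""
    return hashlib.sha256(salt + password.encode()).digest()

def verify_plain(password: str, salt: bytes, stored: bytes) -> bool:
    """PLAIN and LOGIN deliver the password itself, so a one-way hash is enough."""
    return hmac.compare_digest(system_hash(password, salt), stored)

# ---- Lookup order of the DEFAULT security rule set --------------------------

CHALLENGE_RESPONSE = {"APOP", "CRAM-MD5"}      # need a recoverable password
RECOVERABLE = {"profile", "pmdf_passwd"}        # sources that keep one
ORDER = ("profile", "pmdf_passwd", "system")    # DEFAULT rule set order

def choose_source(entries: dict, mechanism: str) -> Optional[str]:
    """Pick the source the DEFAULT rule set would consult: the first one holding
    an entry for the user, skipping sources unable to serve the mechanism.
    `entries` is a constructed record of the user's entries per source; a
    profile entry with PWD_ELSEWHERE set is treated as holding no password."""
    for source in ORDER:
        entry = entries.get(source)
        if entry is None or (source == "profile" and entry.get("pwd_elsewhere")):
            continue
        if mechanism in CHALLENGE_RESPONSE and source not in RECOVERABLE:
            continue   # a one-way hash cannot answer a challenge
        return source
    return None

def authenticate(entries: dict, mechanism: str, credential) -> tuple:
    """Return (source used, success). `credential` is the password for
    PLAIN/LOGIN, (challenge, response) for CRAM-MD5, (banner, digest) for APOP."""
    source = choose_source(entries, mechanism)
    if source is None:
        return None, False
    entry = entries[source]
    if mechanism == "CRAM-MD5":
        ok = verify_cram_md5(credential[0], credential[1], entry["password"])
    elif mechanism == "APOP":
        ok = verify_apop(credential[0], credential[1], entry["password"])
    elif source == "system":
        ok = verify_plain(credential, entry["salt"], entry["hash"])
    else:
        ok = hmac.compare_digest(entry["password"], credential)
    return source, ok

if __name__ == "__main__":
    # Constructed users: a legacy mailbox user with only a system entry, and
    # the same user after a PMDF password database entry has been added.
    salt = b"\x5a\xa5\x3c\xc3"
    legacy = {"system": {"salt": salt, "hash": system_hash("s3cret", salt)}}
    with_db = dict(legacy, pmdf_passwd={"password": "s3cret"})
    chal = b"<1896.697170952@mail.example.com>"
    resp = cram_md5_response("alice", chal, "s3cret")
    print(authenticate(legacy, "PLAIN", "s3cret"))         # ('system', True)
    print(authenticate(legacy, "CRAM-MD5", (chal, resp)))  # (None, False)
    print(authenticate(with_db, "CRAM-MD5", (chal, resp))) # ('pmdf_passwd', True)
```

The first print shows the legacy user succeeding with PLAIN against the one-way system hash; the second shows the same user failing CRAM-MD5 because no consulted source can recompute the digest; the third shows the added PMDF password database entry supplying what the challenge needs. The resolver falls through to the next source only when the user has no entry in the current one, which is the "only if the user has neither sort of entry" behaviour the text describes, not a retry after a wrong password.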

Note

1 The PMDF MessageStore and PMDF popstore each have a PWD_ELSEWHERE flag indicating that passwords for that store are kept elsewhere; if it is set, even a PMDF MessageStore or PMDF popstore user may authenticate via a PMDF password database entry.

