PMDF System Manager's Guide



14.7.2 Entries in the PMDF Password Database

The PMDF password database is normally created and modified using the pmdf password utility. With this utility, the PMDF postmaster can set entries for users, and users can set and change their own passwords.

Section 14.7 above discusses whether and when the PMDF password database is actually used as the source of authentication information. When it is used, a further question arises: which of a user's possibly multiple entries is checked for the authentication. A user can have multiple entries in the PMDF password database, one for each allowed service value. Assuming the PMDF password database is checked at all, the sort of connection controls which service entry is preferentially checked. Note that the choice of service entry has nothing to do with the PMDF security configuration, which instead controls whether the PMDF password database is queried at all. It depends entirely on which component of PMDF is doing the querying, that is, on what sort of connection is involved.

Queries by the POP server first check a user's POP service entry; if no such entry exists, they fall through to the user's DEFAULT service entry. Queries by the IMAP server first check a user's IMAP service entry; if no such entry exists, they fall through to the user's DEFAULT service entry.

Queries for mailbox filtering depend on which channel a user matches. For a user matching the msgstore channel, the mailbox filter query preferentially uses the user's service=IMAP entry; if no such entry exists, it falls through to the user's service=DEFAULT entry. For a user matching the popstore channel, the mailbox filter query preferentially uses the user's POP service entry; if no such entry exists, it falls through to the user's DEFAULT service entry. For a user matching the local channel, the mailbox filter query uses the user's DEFAULT service entry.

Most sites and users will not want to use service-specific password database entries. In that case each user has one entry, their DEFAULT service entry, which is used whenever the PMDF password database is queried.

For sites and users who do want to use service-specific password database entries, the above description of service-specific probes can sound complicated, but the goal is simply to query the "natural" password entry for each case.
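
The following Python model of the lookup order described above is an added example, not part of PMDF or of this guide; the function names, the path labels, and the sample database are assumptions made for illustration. It reports which service entry would be checked on each query path, which shows where a service-specific entry takes precedence over a user's DEFAULT entry and where no entry exists to fall through to.

```python
# Illustrative model of the lookup order described above; not PMDF code.
# Service names (POP, IMAP, DEFAULT) and channel names (msgstore, popstore,
# local) come from the text; every function and variable name is hypothetical.

SERVER_ORDER = {
    "pop": ("POP", "DEFAULT"),
    "imap": ("IMAP", "DEFAULT"),
}
FILTER_ORDER = {
    "msgstore": ("IMAP", "DEFAULT"),
    "popstore": ("POP", "DEFAULT"),
    "local": ("DEFAULT",),
}

def probe_order(component, channel=None):
    """Return the service entries probed, in order, for one kind of query."""
    if component == "filter":
        return FILTER_ORDER[channel]
    return SERVER_ORDER[component]

def entry_checked(user_services, component, channel=None):
    """Return the service whose entry is checked, or None if none exists."""
    for service in probe_order(component, channel):
        if service in user_services:
            return service
    return None

def audit(db):
    """For each user, show the entry that would be checked on every path."""
    paths = [("pop", None), ("imap", None), ("filter", "msgstore"),
             ("filter", "popstore"), ("filter", "local")]
    report = {}
    for user, services in db.items():
        report[user] = {
            (comp if chan is None else f"{comp}:{chan}"):
                entry_checked(services, comp, chan)
            for comp, chan in paths
        }
    return report

# Constructed sample data: the set of service entries each user has.
SAMPLE_DB = {
    "alice": {"DEFAULT"},        # the common case: a single entry
    "bob": {"DEFAULT", "POP"},   # POP entry is preferred on POP paths
    "carol": {"IMAP"},           # no DEFAULT entry to fall through to
}

if __name__ == "__main__":
    for user, paths in audit(SAMPLE_DB).items():
        print(user, paths)
```

In this model, changing only bob's DEFAULT entry leaves the entry checked by the POP server unchanged, because his POP entry is found first.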

