On OpenVMS, the following SYSUAF checks are performed by the legacy mailbox servers when a user logs in via a remote client.

Note that these only apply if the user's password is being stored in the VMS SYSUAF file. If the PMDF_TABLE:SECURITY.CNF file is configured such that the authentication source being used is something other than SYSTEM (for example, PASSDB or LDAP), then none of these actions are taken.

However, if the VMS SYSUAF file is the authentication source, the following checks are made:

• The primary password is checked. Currently, the secondary password, if any, is not checked. (The concept of a secondary password is not supported by the POP or IMAP protocols.)
• Account expiration time. Users can not log into mail servers if their account has expired.
• The DISACNT, AUTOLOGIN, PWD_EXPIRED ⁵ bits in the flags field. The user can not log into the mail server if any of the above bits are set. The DISACNT flag corresponds to the AUTHORIZE utility's DISUSER flag.
• The CAPTIVE bit is no longer checked thereby allowing access to CAPTIVE and RESTRICTED accounts. You can deny such accounts access by setting one of the above SYSUAF flags, or, if that is not sufficient, use an ACL with the pop3d.exe, and imapd.exe images and grant the appropriate rightslist identifier to the users in accord with your policy. Any user who does not have EXECUTE access to the image will be denied access.

If LOGGING is set to 1 in the pop3d.cnf or imapd.cnf file, then login failures are logged in a PMDF log file: the PMDF_TABLE:mail.log_current file or the PMDF_TABLE:connection.log_current file, depending on the setting of the PMDF option SEPARATE_CONNECTION_LOG. A login failure OPCOM message is sent to the SECURITY operator on a VMS 5.x system; a NETWORK LOGFAIL audit event is logged on an OpenVMS I64, or OpenVMS 6.1 (VAX) or OpenVMS 6.2 (Alpha) or later system.

If the user fails to log in due to an incorrect password, the number of login failures in the SYSUAF is incremented for the user. Furthermore, if the number of login failures exceeds the SYSGEN parameter LGI_BRK_LIM (default 5) and LGI_BRK_DISUSER is set, then the user account is disabled. A login breakin OPCOM message is sent to the SECURITY operator on a VMS 5.x system; a NETWORK BREAKIN audit event (instead of a LOGFAIL event) is logged on an OpenVMS I64, or OpenVMS 6.1 (VAX) or OpenVMS 6.2 (Alpha) or later system after LGI_BRK_LIM is reached.

When a login is successful, the last successful non-interactive login time in the SYSUAF is also updated. A successful NETWORK LOGIN audit event is logged in the system security audit log on an OpenVMS I64, or OpenVMS 6.1 (VAX) or OpenVMS 6.2 (Alpha) or later system.