How do I combine the use of sasldb and pam?

Gary Mills mills at cc.umanitoba.ca
Sat Dec 30 09:47:35 EST 2006


On Fri, Dec 29, 2006 at 11:42:11PM -0500, Jim Bacon wrote:
> Why do you say it is easier to create the user accounts?  I am trying to
> avoid creating a number of functional account names (i.e. sales, support,
> etc.) and have mailboxes only, without using aliases and such to send those
> to real people.

Because, when you have all of your users in one place, many other
things work better.  For example, with the proper mailer flags,
sendmail will recognize all of them as local users.

> I am new to using PAM, how do you discriminate between full login and mail
> only with PAM?

PAM is extremely flexible.  The best place in pam.conf to authorize
users for different services is the Account management section.  In a
simple case, you only need a PAM module that consults a table of user
names or group names.  Typically on an e-mail server, you'd want to
authorize all users to read e-mail but only a few to log in to the
server.  So, you'd set up the PAM service names that Cyrus uses
(cyrus, imap, pop, sieve) with no restriction in pam.conf, but the
default service name (other) would invoke your new PAM module to
restrict access.  On a different machine, say to provide shell access
for all users, you'd set up a different PAM configuration.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
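
Added example, not part of the original post: a small checker that parses a constructed pam.conf-style sample laid out as the reply describes and reports which services end up behind an account-stage allow-list. It assumes Linux-PAM's pam_listfile.so as the table-lookup module, a hypothetical list file /etc/login.allow, and sshd and login as the interactive services.

```python
# Constructed sample in pam.conf layout: service type control module [options].
# Assumptions: pam_listfile.so stands in for the "table of user names" module,
# and /etc/login.allow is a hypothetical path.
SAMPLE_PAM_CONF = """\
# mail services: any valid account may use them
cyrus  account required  pam_unix.so
imap   account required  pam_unix.so
pop    account required  pam_unix.so
sieve  account required  pam_unix.so
# everything else (sshd, login, ...) falls through to "other"
other  account requisite pam_listfile.so item=user sense=allow file=/etc/login.allow onerr=fail
other  account required  pam_unix.so
"""

def parse(text):
    """Return {(service, type): [(control, module, options), ...]} in file order.
    Handles simple control keywords only, not the bracketed [value=action] form."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, mtype, control, module, *opts = line.split()
        stacks.setdefault((service.lower(), mtype), []).append((control, module, opts))
    return stacks

def account_stack(stacks, service):
    """A service with no account entries of its own uses the 'other' entries."""
    return stacks.get((service.lower(), "account")) or stacks.get(("other", "account"), [])

def is_restricted(stacks, service, gate="pam_listfile.so"):
    """True if the gate module sits in the stack with a control that can deny."""
    return any(mod == gate and ctl in ("required", "requisite")
               for ctl, mod, _ in account_stack(stacks, service))

def audit(text, services):
    """Map each service name to whether the allow-list applies to it."""
    stacks = parse(text)
    return {s: is_restricted(stacks, s) for s in services}

if __name__ == "__main__":
    for svc, gated in audit(SAMPLE_PAM_CONF, ["imap", "sieve", "sshd", "login"]).items():
        print(f"{svc:6} {'allow-list enforced' if gated else 'open to all accounts'}")
```

Running the same check with the four mail-service lines removed shows the failure mode to watch for: imap then falls through to "other" and mail-only users are locked out.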

