annotation_definitions and other options in imapd.conf

Patrick Goetz pgoetz at
Wed Dec 3 13:45:11 EST 2014

On 12/03/2014 06:53 AM, Adam Tauno Williams wrote:
>>     auth_mech:
>> - Isn't this handled by SASL?
> Partially, yes.  Don't forget that identity management is AAA - three
> As, not one.  Authorization, Authentication, Accounting.

So, for example:

Authorization would be
    cm user.username in cyradm
Authentication would be
    saslauthd -> PAM --> PAM modules
Accounting would be setting permissions and quotas
    sam user.username write
    sq user.username N

I'm still not seeing where auth_mech or ldap options fit into this, 
although Sven seems to have offered an explanation:  there is some 
undocumented way of bypassing saslauthd. Which, if true, I suggest is a 
terrible idea and should be stripped out of the code.  Allowing for 
direct PAM authentication might work somehow, assuming there is a way to 
handle TLS authentication.  Authentication architecture needs to be 
less, not more complicated in general in the unix/linux world.

Anyway, thanks Adam and Sven for the replies -- that was extremely helpful.

More information about the Info-cyrus mailing list