Some cyrus-sasl questions
Patrick Goetz
pgoetz at mail.utexas.edu
Mon Sep 29 18:44:07 EDT 2014
Hi -
I've been setting up some new servers and wanted to revisit and optimize
my cyrus-sasl configuration. I couldn't find answers to these questions
anywhere in the documentation or online, but figured this list would
know. Ironically, the postfix documentation for using sasl
(http://www.postfix.org/SASL_README.html) appears to be more complete
than anything I could find on the cyrus source site.
1. Postfix suggests that I can put the SASL configuration file in
/etc/sasl2 instead of /usr/lib/sasl2, but I couldn't find this anywhere
in the official cyrus-sasl documentation. User configurable options
always need to go in /etc, not /usr/lib, so I just want to confirm that
2.1.26 will look for the configuration file in /etc/sasl2.
2. I can't find any hints about what an optimal PAM configuration file
is if you only want to authenticate users through PAM with valid
accounts. Currently the /etc/pam.d/imap file is basically set up as

    auth required pam_unix.so
    account required pam_unix.so

(Debian/Ubuntu add other junk via default common authentication groups
which must be superfluous). I don't understand why the account
management group is needed for imap authentication. Is it just there
because there's no documentation on how to do this properly, so people
are guessing?
3. Both cyrus and postfix use SASL. In the past, I've run postfix in a
chroot jail, so it had its own saslauthd daemon process. Since chroot
jails don't add much security, I'm jettisoning that, but presumably
cyrus and postfix will happily use the same saslauthd daemon process?
Postfix requires a sasl configuration file, but I just noticed that my
cyrus 2.3.16 install doesn't seem to have one. Is this a compile-time
default or am I just overlooking where the configuration file is? Or does
cyrus use the SASL libraries directly, in which case I'm not sure how it
knows to use pam. Is there any documentation on this?