This chapter discusses connection authentication and password source control, including SASL support, the POPPASSD server (supporting the ad-hoc password changing mechanism used by, for instance, Eudora), and the PMDF password database.

PMDF's authentication control facilities include:

• Support for SASL (Simple Authentication and Security Layer---see RFC 2222¹)---a means for controlling the mechanisms by which POP, IMAP or SMTP clients identify themselves to the respective server. PMDF's support for SMTP SASL use complies with RFC 2554 (ESMTP AUTH).
• Support for various authentication sources (password sources), regardless of whether the client supports or uses SASL.
• Support for automatically transitioning users between different authentication sources and mechanisms.
• Support for translating between "external usernames" (what the user types into their client as the username) and "internal usernames" (the name of the underlying account on the PMDF system), as well as support for virtual domains.
• Support for fetching auxiliary properties during authentication.

These facilities are controlled by the PMDF security configuration file, discussed below in Section 14.2, by special entries in the PORT_ACCESS mapping table, discussed below in Section 14.3, and by TCP/IP channel configuration choices (in the case of SASL use over SMTP), discussed below in Section 14.4.