PMDF System Manager's Guide



13.5 User Login Checks for the VMS MAIL Mailbox (OpenVMS)

On OpenVMS, the following SYSUAF checks are performed by the legacy mailbox servers when a user logs in via a remote client.

Note that these checks apply only if the user's password is stored in the VMS SYSUAF file. If the PMDF_TABLE:SECURITY.CNF file is configured so that the authentication source is something other than SYSTEM (for example, PASSDB or LDAP), then none of these actions are taken.

However, if the VMS SYSUAF file is the authentication source, the following checks are made:

If LOGGING is set to 1 in the pop3d.cnf or imapd.cnf file, then login failures are logged in a PMDF log file: the PMDF_TABLE:mail.log_current file or the PMDF_TABLE:connection.log_current file, depending on the setting of the PMDF option SEPARATE_CONNECTION_LOG. A login failure OPCOM message is sent to the SECURITY operator on a VMS 5.x system; a NETWORK LOGFAIL audit event is logged on an OpenVMS I64, or OpenVMS 6.1 (VAX) or OpenVMS 6.2 (Alpha) or later system.

If the user fails to log in due to an incorrect password, the number of login failures in the SYSUAF is incremented for the user. Furthermore, if the number of login failures exceeds the SYSGEN parameter LGI_BRK_LIM (default 5) and LGI_BRK_DISUSER is set, then the user account is disabled. A login breakin OPCOM message is sent to the SECURITY operator on a VMS 5.x system; a NETWORK BREAKIN audit event (instead of a LOGFAIL event) is logged on an OpenVMS I64, or OpenVMS 6.1 (VAX) or OpenVMS 6.2 (Alpha) or later system after LGI_BRK_LIM is reached.

When a login is successful, the last successful non-interactive login time in the SYSUAF is also updated. A successful NETWORK LOGIN audit event is logged in the system security audit log on an OpenVMS I64, or OpenVMS 6.1 (VAX) or OpenVMS 6.2 (Alpha) or later system.
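
The bookkeeping described above, modelled as an added Python example (not PMDF or OpenVMS code): it shows the audit event sequence a burst of bad passwords should produce, and that a non-SYSTEM authentication source leaves no SYSUAF or audit trace. The class, field and function names and the log line format are hypothetical; reading "exceeds LGI_BRK_LIM" as strictly greater than, and treating the audit events as independent of the LOGGING setting, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    """Constructed stand-in for the SYSUAF fields named on this page."""
    login_failures: int = 0
    disabled: bool = False
    last_noninteractive_login: Optional[str] = None

@dataclass
class MailboxServerModel:
    auth_source: str = "SYSTEM"    # source chosen in PMDF_TABLE:SECURITY.CNF
    logging: int = 1               # LOGGING in pop3d.cnf / imapd.cnf
    lgi_brk_lim: int = 5           # SYSGEN default given on the page
    lgi_brk_disuser: bool = False
    audit: list = field(default_factory=list)     # NETWORK audit events
    pmdf_log: list = field(default_factory=list)  # mail/connection log lines

    def record(self, user, acct, password_ok, when):
        """Apply the page's bookkeeping; return the audit event or None."""
        if self.auth_source != "SYSTEM":
            return None            # PASSDB, LDAP, ...: none of the checks run
        if password_ok:
            acct.last_noninteractive_login = when
            event = "LOGIN"
        else:
            acct.login_failures += 1
            if self.logging == 1:
                self.pmdf_log.append(f"login failure user={user}")  # made-up format
            # Assumption: "exceeds LGI_BRK_LIM" read as strictly greater than.
            if acct.login_failures > self.lgi_brk_lim:
                event = "BREAKIN"  # logged instead of LOGFAIL
                if self.lgi_brk_disuser:
                    acct.disabled = True
            else:
                event = "LOGFAIL"
        self.audit.append((event, user))
        return event

def replay(server, acct, outcomes, user="jdoe"):
    """Feed constructed login outcomes (True = correct password) in order."""
    return [server.record(user, acct, ok, f"t{i}") for i, ok in enumerate(outcomes)]

if __name__ == "__main__":
    acct = Account()
    srv = MailboxServerModel(lgi_brk_disuser=True)
    print(replay(srv, acct, [False] * 7), acct)
```

Replaying the same failures with `auth_source="LDAP"` returns no events and leaves the account untouched, which is the monitoring gap to plan for when moving away from SYSUAF authentication.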

Note

loginout.exe only sets the PWD_EXPIRED bit if the DISFORCE_PWD_CHANGE flag is set at the time that a user with an expired password logs in. Since the DISFORCE_PWD_CHANGE flag is, by default, not set on accounts, usually the PWD_EXPIRED bit is not set, even if the user's password has expired.

