ok, config is still debian linux 2.2.17 on intel, cyrus 2.0.12, sasl 1.5.24, openssl 0.9.6, db 3.2.x. using: sasl_pwcheck_method: shadow sasl_minimum_layer: 0 allowplaintext: yes if /etc/shadow is either world readable, or is owned by user cyrus and owner readable, then authentication works. if either of these is not true, then I get . NO Login failed: authentication failure and yes, cyrus is in the group that /etc/shadow is in, and the file is group readable! adding another user to group shadow allows that user to view the file, so it would seem to be a cyrus problem...
