I'm setting up a mail server with sendmail and Cyrus IMAP, both using Cyrus SASL. It uses pwcheck for plain text password authentication and sasldb for CRAM-MD5. All accounts (about 30 000) are defined in the Unix passwd map. Cyrus mailboxes are created when the accounts are created.

We need the ability to deactivate and activate accounts, either temporarily or permanently. Once an account is deactivated, the owner should be denied the ability to read mail with that account, although new mail will still arrive in the mailbox.

This is fairly easy to do for pwcheck, by changing the shell for example. It could be done either with modifications to pwcheck or through PAM, with the result that pwcheck rejects the authentication check.

How can this be done for sasldb? Is there any mechanism in Cyrus SASL to say to the user ``Yes, your password is correct, but you are still not allowed access to this service''? This could be described as authorization as well as authentication.

--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-