I wanted cyrus-imapd to use the Unix password files for authentication. To give imapd access to /etc/shadow, I put user "cyrus" into a group "shadow" that has read privileges for /etc/shadow. I verified that user "cyrus" can read /etc/shadow by logging in as "cyrus" and viewing the file. I modified the sasl_pwcheck_method line in /etc/imapd.conf to: sasl_pwcheck_method: shadow This should have done the trick, as these are the popular work-arounds that are commonly cited. But Cyrus refused to authenticate. It *will* use the shadow passwords if I set /etc/shadow to be world readable, but that is obviously not acceptable. I finally set /usr/cyrus/bin/imapd to belong to group "shadow" with g+s mode, and this arrangement does work. But Cyrus-IMAP really should work out of the box without this undocumented (and probably unrecommended) fiddling with imapd's mode bits and ownership.
Red Hat no longer ships cyrus-imapd. Subsequent third-party RPMs if cyrus-imapd fixed this bug.