I wanted cyrus-imapd to use the Unix password files for

authentication. To give imapd access to /etc/shadow, I put user "cyrus"

into a group "shadow" that has read privileges for /etc/shadow. I

verified that user "cyrus" can read /etc/shadow by logging in as "cyrus"

and viewing the file. I modified the sasl_pwcheck_method line in

/etc/imapd.conf to:



	sasl_pwcheck_method: shadow



This should have done the trick, as these are the popular work-arounds

that are commonly cited. But Cyrus refused to authenticate. It *will*

use the shadow passwords if I set /etc/shadow to be world readable, but

that is obviously not acceptable. I finally set /usr/cyrus/bin/imapd to

belong to group "shadow" with g+s mode, and this arrangement does

work. But Cyrus-IMAP really should work out of the box without this

undocumented (and probably unrecommended) fiddling with imapd's mode

bits and ownership.