PMDF System Manager's Guide

13.5 User Login Checks for the VMS MAIL Mailbox (OpenVMS)

On OpenVMS, the following SYSUAF checks are performed by the legacy mailbox servers when a user logs in via a remote client:

The primary password is checked. Currently, the secondary password, if any, is not checked. (The concept of a secondary password is not supported by the POP or IMAP protocols.)
Account expiration time. Users can not log into mail servers if their account has expired.
The DISACNT, DISMAIL, AUTOLOGIN, PWD_EXPIRED⁵ bits in the flags field. The user can not log into the mail server if any of the above bits are set. The DISACNT flag corresponds to the AUTHORIZE utility's DISUSER flag.
The CAPTIVE bit is no longer checked thereby allowing access to CAPTIVE and RESTRICTED accounts. You can deny such accounts access by setting the DISMAIL flag, or, if that is not sufficient, use an ACL with the pop3d.exe, and imapd.exe images and grant the appropriate rightslist identifier to the users in accord with your policy. Any user who does not have EXECUTE access to the image will be denied access.

If LOGGING is set to 1 in the pop3d.cnf or imapd.cnf file, then login failures are logged in a PMDF log file: the PMDF_TABLE:mail.log_current file or the PMDF_TABLE:connection.log_current file, depending on the setting of the PMDF option SEPARATE_CONNECTION_LOG. A login failure OPCOM message is sent to the SECURITY operator on a VMS 5.x system; a NETWORK LOGFAIL audit event is logged on an OpenVMS 6.1 (VAX) or OpenVMS 6.2 (AXP) or later system.

If the user fails to log in due to an incorrect password, the number of login failures in the SYSUAF is incremented for the user. Furthermore, if the number of login failures exceeds the SYSGEN parameter LGI_BRK_LIM (default 5) and LGI_BRK_DISUSER is set, then the user account is disabled. A login breakin OPCOM message is sent to the SECURITY operator on a VMS 5.x system; a NETWORK BREAKIN audit event (instead of a LOGFAIL event) is logged on an OpenVMS 6.1 (VAX) or OpenVMS 6.2 (AXP) or later system after LGI_BRK_LIM is reached.

When a login is successful, the last successful non-interactive login time in the SYSUAF is also updated. A successful NETWORK LOGIN audit event is logged in the system security audit log on an OpenVMS 6.1 (VAX) or OpenVMS 6.2 (AXP) or later system.

Note

⁵ `loginout.exe` only sets the PWD_EXPIRED bit if the DISFORCE_PWD_CHANGE flag is set at the time that a user with an expired password logs in. Since the DISFORCE_PWD_CHANGE flag is, by default, not set on accounts, usually the PWD_EXPIRED bit is not set, even if the user's password has expired.

Contents

Index

PMDF System Manager's Guide

13.5 User Login Checks for the VMS MAIL Mailbox (OpenVMS)

5 loginout.exe only sets the PWD_EXPIRED bit if the DISFORCE_PWD_CHANGE flag is set at the time that a user with an expired password logs in. Since the DISFORCE_PWD_CHANGE flag is, by default, not set on accounts, usually the PWD_EXPIRED bit is not set, even if the user's password has expired.

⁵ `loginout.exe` only sets the PWD_EXPIRED bit if the DISFORCE_PWD_CHANGE flag is set at the time that a user with an expired password logs in. Since the DISFORCE_PWD_CHANGE flag is, by default, not set on accounts, usually the PWD_EXPIRED bit is not set, even if the user's password has expired.