Hmm. The AUTH_PASSWORD wasn't really an intentional addition .. but I guess it can stay there. Some 10 years ago that might not have been such a good idea since there were still some systems where process environment variables were readable to all users in the system, but I doubt there exist such systems anymore (at least where people would want to run Dovecot).
Very optimistic assumption. Wouldn't it be safer to remove the password from the environment? Anyone using checkpassword should use FD 3 and 4 for this purpose. Environment variables and command line arguments are not safe to transport passwords.
Heiko
Heiko Schlichting Freie Universität Berlin heiko.schlichting@fu-berlin.de Zentraleinrichtung für Datenverarbeitung Telefon +49 30 838-54327 Fabeckstraße 32 Telefax +49 30 838454327 14195 Berlin