Timo, I finally made the time to backport a pam fix I created for proftpd over to dovecot, that allows FreeBSD's pam_group to work as expected. (the bug was escalated to me internally hehe.. ). I also noticed an issue while testing that will be confusing to users. If the docs stay as is, or the other half of this patch is applied, then when the dovecot.conf contains: passdb pam { args = * } the imap files within etc/pam.d right now have to be named 'IMAP' and 'POP3' rather than the expected 'imap' and 'pop3'. The attached patch fixes the code to match the docs. -Phil. --- src/auth/passdb-pam.c.orig Mon Mar 26 10:10:26 2007 +++ src/auth/passdb-pam.c Mon Apr 2 16:18:54 2007 @@ -275,6 +275,8 @@ (void)pam_set_item(pamh, PAM_RHOST, host); /* TTY is needed by eg. pam_access module */ (void)pam_set_item(pamh, PAM_TTY, "dovecot"); + /* FreeBSD's pam_group need this set as well */ + (void)pam_set_item(pamh, PAM_RUSER, request->user); status = pam_auth(request, pamh, &str); if ((status2 = pam_end(pamh, status)) == PAM_SUCCESS) { @@ -428,8 +430,15 @@ int fd[2]; pid_t pid; - service = module->service_name != NULL ? - module->service_name : request->service; + if (module->service_name != NULL) { + service = module->service_name; + } else { + if (!strncmp(request->service, "IMAP", strlen(request->service))) + service = "imap"; + else if (!strncmp(request->service, "POP3", strlen(request->service))) + service = "pop3"; + } + auth_request_log_debug(request, "pam", "lookup service=%s", service); if (worker) {
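Review bot: In the first hunk (@@ -275,6 +275,8 @@), PAM_RUSER is set to request->user, which is the account being authenticated rather than a separate requesting identity, and it is set unconditionally for every PAM stack, not only where pam_group is in use. PAM defines PAM_RUSER as the requesting (remote) user name, so any module that makes a decision on that item will now see the target login name in that role. The comment should say that the two are deliberately equal for a mail login and why, and a passdb argument that makes the item opt-in would keep existing stacks unchanged. Minor: the comment should read "needs".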
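Review bot: In the second hunk (@@ -428,8 +430,15 @@), the new else branch has no final else, so when request->service is neither "IMAP" nor "POP3" nothing in the visible lines assigns service before it is passed to auth_request_log_debug() with %s. The removed code fell back to request->service in that case, so add a final "else service = request->service;". The comparisons also call strncmp() with strlen(request->service) as the length: an empty service string compares equal at length 0 and selects "imap", and any prefix such as "IM" matches as well, which picks a PAM service file the protocol name did not ask for. Use strcmp() for an exact match, or lowercase request->service generically instead of listing protocols.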