pam_mapi supports Zarafa's feature management

July 1, 2014 by Robert Scheck

About 2.5 years ago I presented the first public version of pam_mapi. If you don't know pam_mapi, please have a look at my project.

Today I am happy to announce pam_mapi 0.2.0, which supports Zarafa's feature management. What does this mean? Since Zarafa 7.0.0, some features can be enabled and disabled on a per-user basis. If, for example, IMAP is disabled for a specific user, any IMAP login will fail. More about this can be read in the Zarafa documentation, section "8.7. Zarafa Feature management".

This feature management can now optionally be applied to pam_mapi, e.g. for SMTP authentication. So far, even if both IMAP and POP3 were disabled, pam_mapi still authenticated the user successfully and thus allowed e-mail relaying. If this is not wanted, the new argument "service=pop3|imap" can now be added to the PAM configuration file /etc/pam.d/smtp. Authentication then passes only if either POP3 or IMAP is enabled.

Valid values for the "service" argument are values from "disabled_features" in /etc/zarafa/server.cfg. Multiple services can be listed, separated by the pipe character ("|"), and behave like a digital logic OR gate.

Configuration example for /etc/pam.d/smtp when authenticating only against Zarafa users while the IMAP feature must be enabled in Zarafa:

#%PAM-1.0
auth       required     pam_mapi.so try_first_pass service=imap
account    required     pam_mapi.so

More configuration examples are available in the documentation of pam_mapi.
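An added example, not part of pam_mapi or of the original post: a small Python check that reads a PAM service file, finds the auth lines that call pam_mapi.so, and models the OR behaviour of the "service" argument as described above. The function names, the sample file contents and the sets of enabled features are constructed for illustration.

```python
# Added example: audits pam_mapi "auth" lines and models the service= OR check.
# Constructed sample of an /etc/pam.d/smtp file (not from a real system).
SAMPLE_PAM = """\
#%PAM-1.0
auth       required     pam_mapi.so try_first_pass service=pop3|imap
account    required     pam_mapi.so
"""


def parse_pam_mapi_auth(text):
    """Return a list of dicts, one per 'auth' line that calls pam_mapi.so."""
    entries = []
    # Join backslash-continued lines, as PAM does, before splitting.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split(None, 1)
        if len(fields) < 2 or fields[0].lstrip("-") != "auth":
            continue
        rest = fields[1]
        if rest.startswith("["):                 # [value=action ...] control
            rest = rest.partition("]")[2]
        else:                                    # simple control keyword
            parts = rest.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
        tokens = rest.split()
        if not tokens or not tokens[0].endswith("pam_mapi.so"):
            continue
        services = []
        for arg in tokens[1:]:
            if arg.startswith("service="):
                services = [s for s in arg[len("service="):].split("|") if s]
        entries.append({"line": line, "services": services})
    return entries


def service_check_passes(services, enabled_features):
    """OR semantics as described in the post: without a service argument no
    feature is checked; otherwise one enabled listed feature is enough.
    Exact, case-sensitive name matching is an assumption of this model."""
    if not services:
        return True
    return any(s in enabled_features for s in services)


def lines_without_feature_check(text):
    """pam_mapi auth lines that would accept users with all features disabled."""
    return [e["line"] for e in parse_pam_mapi_auth(text) if not e["services"]]
```

Running lines_without_feature_check over the contents of /etc/pam.d/smtp lists the pam_mapi auth lines that still authenticate users for whom both IMAP and POP3 are disabled.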

Of course pam_mapi still supports Zarafa versions before 7.0.0, however without feature/service management (and without Unicode). The oldest Zarafa version tested with pam_mapi 0.2.0 is 6.20, the release in which Zarafa became open source.