qmail-pwrap is a wrapper for eQmail/(net)qmail around checkpassword compatible tools. It allows the use of multiple checkpassword tools one after another and as a result of this different authentication backends.
It is based of one of the quick and dirty hacks I did some years ago. After publishing eQmail I decided to make it a clean tool as extension and publish it too. The advantages are:
  Update:  Recent documentation and download of the latest release is available at openqmail.org!
Download: qmail-pwrap (sha256sum)
qmail-pwrap will be discussed on the openqmail mailing list (closed!).
Download the tarball and unpack it. I recommend to put  qmail-pwrap 
into $QMAILHOME/bin/, still any other location is fine. Set correct permissions on the target:
$ chown qmaild:qmail /var/qmail/bin/qmail-pwrap $ chmod 0755 /var/qmail/bin/qmail-pwrap
Edit your qmail-smtpd run file like:
exec /usr/bin/tcpserver ... <tcpserver stuff> ... /var/qmail/bin/qmail-smtpd /var/qmail/bin/qmail-pwrap 2>&1
Save the file and restart  qmail-smtpd 
after you did the
  Important:  The configuration changed! The description below is valid for versions prior to 0.3 only!
Edit qmail-pwrap in the section “user configuration” like:
... #***** user configuration ******************************************************* # Define all checkpassword tools you want to use here, one per line seperated by # a space (best practice is maybe to start each line by a space). Savely more # lines can be inserted if needed. CPW=" /bin/cmd5checkpw /var/qmail/bin/qmail-chkpw /bin/checkpassword " # End of list ************************************************************** ...
After the line  CPW=“ 
(stands for CheckPassWord) insert the checkpassword tools with full path you wish to use. One per line, each line should start by a space. The line  ” # End of list * 
closes the configuration - do not edit this line. At least one tool have to be defined.
Important: Make sure each tool/method is working well before using it by qmail-pwrap.
qmail-pwrap reads from file descriptor 3 and saves the data temporarily. Then it closes fd3. It writes the data to fd3 again and calls one of the configured checkpassword tools. Typically any checkpassword tool will read from fd3 and closes fd3 by itself.
qmail-pwrap reads the exitcode of the checkpassword tool. On successful authentication it exits, otherwise it tries the next one. If all of them fail, authentication fails. The exitcode is always passed-through from the checkpassword tool.
qmail-pwrap logs through the system log.
If there is set an evironment variable  AUTH=0 
, then authentication will be disabled. qmail-pwrap exist with code “0”.Thus the MTA acts maybe as an open relay (depends on other settings).  DANGEROUS! 
By using tcpserver the AUTH var can be set in your run file, like:
... export AUTH=1 exec /usr/bin/tcpserver \ ...
Anyway - I recomment to do it through qmail-pwrap. At the first line of code the AUTH variable will be set if not exists. The value can be changed - it takes effect immeditily:
... # Check for environment variable AUTH and set it if necessary. Valid values are # 0 - disable authentication # 1 - enable authentication (default) # Next line has no effect if $AUTH is set somewhere before invoking qmail-pwrap ! # (then $AUTH will be set here - with one of the described values above ... ) if [ ! $AUTH ] ; then export AUTH=1 ; fi # check if auth is disabled (env var: AUTH=0) if [ $AUTH ] && [ $AUTH -eq 0 ]; then exec 3>&- # close fd3 exit $AUTH ; fi ...
On succesful authentication qmail-pwrap re-sets AUTH to  AUTH=success  
. This can be used for futher process decisions, e.g. do DKIM verification or not.