diff --git a/type/__dma_auth/explorer/logins b/type/__dma_auth/explorer/auth_conf
old mode 100644
new mode 100755
similarity index 54%
rename from type/__dma_auth/explorer/logins
rename to type/__dma_auth/explorer/auth_conf
index 0ed6bc1..cef0aca
--- a/type/__dma_auth/explorer/logins
+++ b/type/__dma_auth/explorer/auth_conf
@@ -17,25 +17,33 @@
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see .
#
-# This explorer lines matching user + server in /etc/dma/auth.conf and reports
-# their cksum.
+# This explorer determines the path of dma's auth.conf file
-test -r /etc/dma/auth.conf || exit 0
+# No dma.conf -> use default
+test -f /etc/dma/dma.conf || {
+ echo /etc/dma/auth.conf
+ exit 0
+}
+test -r /etc/dma/dma.conf || {
+ echo 'Cannot read /etc/dma/dma.conf' >&2
+ exit 1
+}
-if test -f "${__object}/parameter/login"
-then
- login=$(cat "${__object}/parameter/login")
-else
- login=$__object_id
-fi
-server=$(cat "${__object}/parameter/server")
-
-regex=$(printf '^%s|%s:' "$login" "$server")
-
-grep -e "${regex}" /etc/dma/auth.conf \
-| while read -r line
- do
- echo "${line}" \
- | cksum - \
- | cut -d ' ' -f 1
- done
+# Get AUTHPATH from dma.conf
+awk -F'[ \t]' '
+{
+ sub(/#.*$/, "", $0) # remove comments
+ if (!$0) next # ignore empty lines
+}
+$1 == "AUTHPATH" {
+ # Store authpath. In dma conf parsing last wins.
+ if ($2) authpath = substr($0, index($0, " ") + 1)
+}
+END {
+ if (authpath) {
+ print authpath
+ exit 0
+ } else exit 1
+}
+' /etc/dma/dma.conf \
+|| echo /etc/dma/auth.conf # default
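Review bot: The AUTHPATH extraction in the `$1 == "AUTHPATH"` rule mixes two notions of separator: fields are split on `[ \t]`, but the value is cut with `index($0, " ")`, so a tab-separated `AUTHPATH<TAB>/path` line yields the whole line (index returns 0) instead of the path. Two separators in a row leave `$2` empty and the setting is silently ignored, and a trailing `# comment` leaves trailing blanks in the printed path. Because the authusers explorer only runs `test -r` on this output and exits 0 otherwise, a mis-parsed path makes the credentials file look absent instead of raising an error. Dropping `-F'[ \t]'` for awk's default field splitting and stripping the keyword would cover these cases: `$1 == "AUTHPATH" && NF > 1 { authpath = $0; sub(/^[ \t]*AUTHPATH[ \t]+/, "", authpath); sub(/[ \t]+$/, "", authpath) }`.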
diff --git a/type/__dma_auth/explorer/authusers b/type/__dma_auth/explorer/authusers
new file mode 100755
index 0000000..5fc6b4e
--- /dev/null
+++ b/type/__dma_auth/explorer/authusers
@@ -0,0 +1,51 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+# This explorer looks for lines matching the server parameter in dma's auth.conf
+# and reports the login and server fields (password is stripped off)
+
+auth_conf=$("${__type_explorer}/auth_conf")
+test -r "${auth_conf}" || exit 0
+
+if test -f "${__object}/parameter/server"
+then
+ server=$(cat "${__object}/parameter/server")
+else
+ server=$__object_id
+fi
+
+awk -F'\n' -v server="${server}" '
+BEGIN {
+ DP = "[: \t]" # copied from dma/conf.c
+}
+
+# skip comments and empty lines
+/^#/ || /^$/ { next }
+
+{
+ login = substr($0, 1, index($0, "|") - 1)
+ host = substr($0, length(login) + 2)
+ if (match(host, DP)) {
+ host = substr(host, 1, RSTART - 1)
+ endpos = length(login) + RSTART
+ } else endpos = length
+}
+
+host == server { print substr($0, 0, endpos) }
+' "${auth_conf}"
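Review bot: The final `print substr($0, 0, endpos)` starts at position 0, which awk implementations do not handle consistently: some treat it as 1, others count the length from position 0 and return one character less, which would drop the last character of the server name. `endpos` is computed as the 1-based index of the last host character, so `print substr($0, 1, endpos)` gives the intended `login|server` on every awk. Separately, `-v server="${server}"` passes the value through awk's escape-sequence processing; exporting it and reading `ENVIRON["server"]`, as gencode-remote does for CONF_LINE, avoids that. Lines without a `|` are also not rejected before the `index()` arithmetic, so a malformed entry is compared with its first character dropped instead of being skipped.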
diff --git a/type/__dma_auth/gencode-remote b/type/__dma_auth/gencode-remote
index 0951c16..989e176 100755
--- a/type/__dma_auth/gencode-remote
+++ b/type/__dma_auth/gencode-remote
@@ -18,24 +18,24 @@
# along with cdist. If not, see .
#
-logins=$(cat "${__object}/explorer/logins")
+authusers=$(cat "${__object}/explorer/authusers")
state_should=$(cat "${__object}/parameter/state")
-if test -f "${__object}/parameter/login"
+if test -f "${__object}/parameter/server"
then
- login=$(cat "${__object}/parameter/login")
+ server=$(cat "${__object}/parameter/server")
else
- login=$__object_id
+ server=$__object_id
fi
+login=$(cat "${__object}/parameter/login")
password=$(cat "${__object}/parameter/password")
-server=$(cat "${__object}/parameter/server")
case $state_should
in
(present)
conf_line=$(printf '%s|%s:%s\n' "${login}" "${server}" "${password}")
cksum_should=$(echo "${conf_line}" | cksum - | cut -d ' ' -f 1)
- if echo "$logins" | grep -qxF "${cksum_should}"
+ if echo "$authusers" | grep -qxF "${cksum_should}"
then
# correct line already present -> nothing to do
exit 0
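Review bot: The `present` branch still compares a checksum against explorer output that no longer contains checksums: `cksum_should` is the cksum of `login|server:password`, while the new authusers explorer prints `login|server` lines with the password stripped, so `grep -qxF "${cksum_should}"` cannot match such a line and code is generated on every run. Keeping the password out of the explorer output is the safer choice, so the comparison should move to the visible fields, e.g. `if echo "$authusers" | grep -qxF "${login}|${server}"`. That check cannot tell whether the stored password differs, so the script needs a separate decision for password changes (for instance always rewriting the line in state `present`). The script continues outside this hunk.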
@@ -44,11 +44,8 @@ in
mode=1
;;
(absent)
- if test -z "$logins"
- then
- # no logins present -> nothing to do
- exit 0
- fi
+ # no logins present -> nothing to do
+ test -n "$authusers" || exit 0
# NOTE: password is not needed to delete
conf_line=$(printf '%s|%s:%s\n' "${login}" "${server}" "")
@@ -66,11 +63,14 @@ read -r CONF_LINE <<'EOL'
${conf_line}
EOL
export CONF_LINE
+export mode=${mode}
+EOF
-awk -F: -v print=$mode '
+cat <<'EOF'
+awk -F: -v mode=$mode '
BEGIN { split(ENVIRON["CONF_LINE"], conf, ":") }
$1 == conf[1] {
- if (print && !found) {
+ if (mode && !found) {
# remove duplicates
print ENVIRON["CONF_LINE"]
found = 1
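Review bot: The match `$1 == conf[1]` compares the whole `login|server` prefix, which does not fit the per-server deletion the man page now documents (`__dma_auth example.com --login '' --password '' --state absent`, "for all users"). With an empty login the generated CONF_LINE is `|example.com:`, so `conf[1]` is `|example.com` and no `user|example.com` line equals it; unless the part of the awk program outside this hunk handles that case, stale credentials stay in the file while the object reports `absent`. If removal by server is intended, the rule should compare only the host part, e.g. `substr($1, index($1, "|") + 1) == server`, with the server passed to awk separately.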
diff --git a/type/__dma_auth/man.rst b/type/__dma_auth/man.rst
index bd077d6..9c3ad7a 100644
--- a/type/__dma_auth/man.rst
+++ b/type/__dma_auth/man.rst
@@ -14,16 +14,16 @@ servers.
REQUIRED PARAMETERS
-------------------
+login
+ The user's LOGIN name on the SMTP server.
password
The user's password (in plain text.)
-server
- The SMTP server on which the login is valid.
OPTIONAL PARAMETERS
-------------------
-login
- The user's LOGIN name on the SMTP server. Defaults to `__object_id`.
+server
+ The SMTP server on which the login is valid. Defaults to `__object_id`.
state
Either `present` or `absent`. Defaults to `present`.
@@ -38,13 +38,13 @@ EXAMPLES
.. code-block:: sh
# Set the password for smarthost
- __dma_auth joe --server smarthost --password hunter2
+ __dma_auth smarthost.example.com --login joe --password hunter2
# Set credentials for user at an external provider
- __dma_auth paul@example.com --server mail.provider.com --password letmein
+ __dma_auth mail.provider.com --login paul@example.com --password letmein
- # Delete credentials for example.com
- __dma_auth paul --server example.com --state absent
+ # Delete credentials for example.com (for all users)
+ __dma_auth example.com --login '' --password '' --state absent
SEE ALSO
--------
diff --git a/type/__dma_auth/parameter/optional b/type/__dma_auth/parameter/optional
index c35dbef..3e42ed3 100644
--- a/type/__dma_auth/parameter/optional
+++ b/type/__dma_auth/parameter/optional
@@ -1,2 +1,2 @@
-login
+server
state
diff --git a/type/__dma_auth/parameter/required b/type/__dma_auth/parameter/required
index 8f1a1c9..ae3c622 100644
--- a/type/__dma_auth/parameter/required
+++ b/type/__dma_auth/parameter/required
@@ -1,2 +1,2 @@
+login
password
-server