diff --git a/cyrus-sasl/.footprint b/cyrus-sasl/.footprint
index f56cf3460..e05be3abb 100644
--- a/cyrus-sasl/.footprint
+++ b/cyrus-sasl/.footprint
@@ -35,6 +35,10 @@ lrwxrwxrwx	root/root	usr/lib/sasl2/libdigestmd5.so.3 -> libdigestmd5.so.3.0.0
 lrwxrwxrwx	root/root	usr/lib/sasl2/liblogin.so -> liblogin.so.3.0.0
 lrwxrwxrwx	root/root	usr/lib/sasl2/liblogin.so.3 -> liblogin.so.3.0.0
 -rwxr-xr-x	root/root	usr/lib/sasl2/liblogin.so.3.0.0
+-rwxr-xr-x	root/root	usr/lib/sasl2/libntlm.la
+lrwxrwxrwx	root/root	usr/lib/sasl2/libntlm.so -> libntlm.so.3.0.0
+lrwxrwxrwx	root/root	usr/lib/sasl2/libntlm.so.3 -> libntlm.so.3.0.0
+-rwxr-xr-x	root/root	usr/lib/sasl2/libntlm.so.3.0.0
 -rwxr-xr-x	root/root	usr/lib/sasl2/libotp.la
 lrwxrwxrwx	root/root	usr/lib/sasl2/libotp.so -> libotp.so.3.0.0
 lrwxrwxrwx	root/root	usr/lib/sasl2/libotp.so.3 -> libotp.so.3.0.0
@@ -51,6 +55,10 @@ lrwxrwxrwx	root/root	usr/lib/sasl2/libsasldb.so.3 -> libsasldb.so.3.0.0
 lrwxrwxrwx	root/root	usr/lib/sasl2/libscram.so -> libscram.so.3.0.0
 lrwxrwxrwx	root/root	usr/lib/sasl2/libscram.so.3 -> libscram.so.3.0.0
 -rwxr-xr-x	root/root	usr/lib/sasl2/libscram.so.3.0.0
+-rwxr-xr-x	root/root	usr/lib/sasl2/libsql.la
+lrwxrwxrwx	root/root	usr/lib/sasl2/libsql.so -> libsql.so.3.0.0
+lrwxrwxrwx	root/root	usr/lib/sasl2/libsql.so.3 -> libsql.so.3.0.0
+-rwxr-xr-x	root/root	usr/lib/sasl2/libsql.so.3.0.0
 drwxr-xr-x	root/root	usr/sbin/
 -rwxr-xr-x	root/root	usr/sbin/pluginviewer
 -rwxr-xr-x	root/root	usr/sbin/saslauthd
diff --git a/cyrus-sasl/.signature b/cyrus-sasl/.signature
index 18bd116a5..43a16e7ab 100644
--- a/cyrus-sasl/.signature
+++ b/cyrus-sasl/.signature
@@ -1,6 +1,9 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/cLF6PAs4a8IC/IKwH7fJHpj4CZ0602Z4LXEx6p4ZJKUyObJSouOtmRyqq66hK9JAPm7qW7tYjZgYJKBg0ha/Ak=
-SHA256 (Pkgfile) = 505e022716d04d973d7ced3c62ea842246254c98757d4b8f63ae8f2e53a93c91
-SHA256 (.footprint) = 7e53348cb8daee90e323eb8a6ccb8f6b035a967177b620732a936d1321994730
+RWSE3ohX2g5d/YmC91GeP88oLLOkyWA54/ejhPfSHQD9FmxcxsDepp6VOIaQ1Lar5krSpARc2Ej1b2DpRGlBngsnVO3HZFzGdwA=
+SHA256 (Pkgfile) = 1071d1e586969c47f2be99e2fe4e0813c7a2a4b71865f55e97b4f3847e106735
+SHA256 (.footprint) = 3bc9d6a85a4a09db8e0b6fe41e56074265457b8470f5d26db1d7edf3957d4a6a
 SHA256 (cyrus-sasl-2.1.28.tar.gz) = 7ccfc6abd01ed67c1a0924b353e526f1b766b21f42d4562ee635a8ebfc5bb38c
+SHA256 (0013-Don-t-use-la-files-for-opening-plugins.patch) = bbee401c01dc6942710e0c1285091fcd98588bf636b52f24ed0e3b04039b748b
+SHA256 (0022-Fix-keytab-option-for-MIT-Kerberos.patch) = 1a0ae7bd722d57feb6fab12c05eb1922982c68bd9be1c165d405954012e6634f
+SHA256 (0032-Add-with_pgsql-include-postgresql-to-include-path.patch) = 069a731f90617cb75fd7029876b714078b1c4187c217f90d7dc8d896e2445aa4
 SHA256 (saslauthd) = 2a96dca868261d5275087ed8e1eef59946f47c6d35797368710c3037f46e61bd
diff --git a/cyrus-sasl/0013-Don-t-use-la-files-for-opening-plugins.patch b/cyrus-sasl/0013-Don-t-use-la-files-for-opening-plugins.patch
new file mode 100644
index 000000000..d02413955
--- /dev/null
+++ b/cyrus-sasl/0013-Don-t-use-la-files-for-opening-plugins.patch
@@ -0,0 +1,153 @@
+From: Debian Cyrus SASL Team
+ <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>
+Date: Thu, 24 Mar 2016 11:35:04 +0100
+Subject: Don't use la files for opening plugins
+
+---
+ lib/dlopen.c | 121 ++++-------------------------------------------------------
+ 1 file changed, 7 insertions(+), 114 deletions(-)
+
+diff --git a/lib/dlopen.c b/lib/dlopen.c
+index 8284cd8..ef90b11 100644
+--- a/lib/dlopen.c
++++ b/lib/dlopen.c
+@@ -246,113 +246,6 @@ static int _sasl_plugin_load(char *plugin, void *library,
+     return result;
+ }
+ 
+-/* this returns the file to actually open.
+- *  out should be a buffer of size PATH_MAX
+- *  and may be the same as in. */
+-
+-/* We'll use a static buffer for speed unless someone complains */
+-#define MAX_LINE 2048
+-
+-static int _parse_la(const char *prefix, const char *in, char *out) 
+-{
+-    FILE *file;
+-    size_t length;
+-    char line[MAX_LINE];
+-    char *ntmp = NULL;
+-
+-    if(!in || !out || !prefix || out == in) return SASL_BADPARAM;
+-
+-    /* Set this so we can detect failure */
+-    *out = '\0';
+-
+-    length = strlen(in);
+-
+-    if (strcmp(in + (length - strlen(LA_SUFFIX)), LA_SUFFIX)) {
+-	if(!strcmp(in + (length - strlen(SO_SUFFIX)),SO_SUFFIX)) {
+-	    /* check for a .la file */
+-	    if (strlen(prefix) + strlen(in) + strlen(LA_SUFFIX) + 1 >= MAX_LINE)
+-		return SASL_BADPARAM;
+-	    strcpy(line, prefix);
+-	    strcat(line, in);
+-	    length = strlen(line);
+-	    *(line + (length - strlen(SO_SUFFIX))) = '\0';
+-	    strcat(line, LA_SUFFIX);
+-	    file = fopen(line, "r");
+-	    if(file) {
+-		/* We'll get it on the .la open */
+-		fclose(file);
+-		return SASL_FAIL;
+-	    }
+-	}
+-        if (strlen(prefix) + strlen(in) + 1 >= PATH_MAX)
+-            return SASL_BADPARAM;
+-	strcpy(out, prefix);
+-	strcat(out, in);
+-	return SASL_OK;
+-    }
+-
+-    if (strlen(prefix) + strlen(in) + 1 >= MAX_LINE)
+-        return SASL_BADPARAM;
+-    strcpy(line, prefix);
+-    strcat(line, in);
+-
+-    file = fopen(line, "r");
+-    if(!file) {
+-	_sasl_log(NULL, SASL_LOG_WARN,
+-		  "unable to open LA file: %s", line);
+-	return SASL_FAIL;
+-    }
+-    
+-    while(!feof(file)) {
+-	if(!fgets(line, MAX_LINE, file)) break;
+-	if(line[strlen(line) - 1] != '\n') {
+-	    _sasl_log(NULL, SASL_LOG_WARN,
+-		      "LA file has too long of a line: %s", in);
+-	    fclose(file);
+-	    return SASL_BUFOVER;
+-	}
+-	if(line[0] == '\n' || line[0] == '#') continue;
+-	if(!strncmp(line, "dlname=", sizeof("dlname=") - 1)) {
+-	    /* We found the line with the name in it */
+-	    char *end;
+-	    char *start;
+-	    size_t len;
+-	    end = strrchr(line, '\'');
+-	    if(!end) continue;
+-	    start = &line[sizeof("dlname=")-1];
+-	    len = strlen(start);
+-	    if(len > 3 && start[0] == '\'') {
+-		ntmp=&start[1];
+-		*end='\0';
+-		/* Do we have dlname="" ? */
+-		if(ntmp == end) {
+-		    _sasl_log(NULL, SASL_LOG_DEBUG,
+-			      "dlname is empty in .la file: %s", in);
+-		    fclose(file);
+-		    return SASL_FAIL;
+-		}
+-		strcpy(out, prefix);
+-		strcat(out, ntmp);
+-	    }
+-	    break;
+-	}
+-    }
+-    if(ferror(file) || feof(file)) {
+-	_sasl_log(NULL, SASL_LOG_WARN,
+-		  "Error reading .la: %s\n", in);
+-	fclose(file);
+-	return SASL_FAIL;
+-    }
+-    fclose(file);
+-
+-    if(!(*out)) {
+-	_sasl_log(NULL, SASL_LOG_WARN,
+-		  "Could not find a dlname line in .la file: %s", in);
+-	return SASL_FAIL;
+-    }
+-
+-    return SASL_OK;
+-}
+ #endif /* DO_DLOPEN */
+ 
+ /* loads a plugin library */
+@@ -506,18 +399,18 @@ int _sasl_load_plugins(const add_plugin_list_t *entrypoints,
+ 		if (length + pos>=PATH_MAX) continue; /* too big */
+ 
+ 		if (strcmp(dir->d_name + (length - strlen(SO_SUFFIX)),
+-			   SO_SUFFIX)
+-		    && strcmp(dir->d_name + (length - strlen(LA_SUFFIX)),
+-			   LA_SUFFIX))
++			   SO_SUFFIX))
+ 		    continue;
+ 
++		/* We only use .so files for loading plugins */
++
+ 		memcpy(name,dir->d_name,length);
+ 		name[length]='\0';
+ 
+-		result = _parse_la(prefix, name, tmp);
+-		if(result != SASL_OK)
+-		    continue;
+-		
++		/* Create full name with path */
++		strncpy(tmp, prefix, PATH_MAX);
++		strncat(tmp, name, PATH_MAX);
++
+ 		/* skip "lib" and cut off suffix --
+ 		   this only need be approximate */
+ 		strcpy(plugname, name + 3);
diff --git a/cyrus-sasl/0022-Fix-keytab-option-for-MIT-Kerberos.patch b/cyrus-sasl/0022-Fix-keytab-option-for-MIT-Kerberos.patch
new file mode 100644
index 000000000..316ecd188
--- /dev/null
+++ b/cyrus-sasl/0022-Fix-keytab-option-for-MIT-Kerberos.patch
@@ -0,0 +1,66 @@
+From: Debian Cyrus SASL Team
+ <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>
+Date: Thu, 24 Mar 2016 11:35:05 +0100
+Subject: Fix keytab option for MIT Kerberos
+
+---
+ m4/sasl2.m4      |  1 +
+ plugins/gssapi.c | 11 ++++++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/m4/sasl2.m4 b/m4/sasl2.m4
+index 56e0504..a90f7b4 100644
+--- a/m4/sasl2.m4
++++ b/m4/sasl2.m4
+@@ -282,6 +282,7 @@ if test "$gssapi" != no; then
+                     ])
+     fi
+   fi
++  AC_CHECK_FUNCS(krb5_gss_register_acceptor_identity)
+   AC_CHECK_FUNCS(gss_decapsulate_token)
+   AC_CHECK_FUNCS(gss_encapsulate_token)
+   AC_CHECK_FUNCS(gss_oid_equal)
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index ff663da..7c69ac2 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -1545,7 +1545,7 @@ static sasl_server_plug_t gssapi_server_plugins[] =
+ };
+ 
+ int gssapiv2_server_plug_init(
+-#ifndef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
++#if !defined(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY) && !defined(HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY)
+     const sasl_utils_t *utils __attribute__((unused)),
+ #else
+     const sasl_utils_t *utils,
+@@ -1555,7 +1555,7 @@ int gssapiv2_server_plug_init(
+     sasl_server_plug_t **pluglist,
+     int *plugcount)
+ {
+-#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
++#if defined(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY) || defined(HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY)
+     const char *keytab = NULL;
+     char keytab_path[1024];
+     unsigned int rl;
+@@ -1565,7 +1565,7 @@ int gssapiv2_server_plug_init(
+ 	return SASL_BADVERS;
+     }
+     
+-#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
++#if defined(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY) || defined(HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY)
+     /* unfortunately, we don't check for readability of keytab if it's
+        the standard one, since we don't know where it is */
+     
+@@ -1587,7 +1587,12 @@ int gssapiv2_server_plug_init(
+ 	
+ 	strncpy(keytab_path, keytab, 1024);
+ 	
++#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
+ 	gsskrb5_register_acceptor_identity(keytab_path);
++#endif
++#ifdef HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY
++	krb5_gss_register_acceptor_identity(keytab_path);
++#endif
+     }
+ #endif
+     
diff --git a/cyrus-sasl/0032-Add-with_pgsql-include-postgresql-to-include-path.patch b/cyrus-sasl/0032-Add-with_pgsql-include-postgresql-to-include-path.patch
new file mode 100644
index 000000000..a76552cef
--- /dev/null
+++ b/cyrus-sasl/0032-Add-with_pgsql-include-postgresql-to-include-path.patch
@@ -0,0 +1,25 @@
+Forwarded: https://github.com/cyrusimap/cyrus-sasl/pull/719
+From: Ondřej Surý <ondrej@sury.org>
+Date: Tue, 25 Oct 2016 12:33:27 +0200
+Subject: Add ${with_pgsql}include/postgresql/ to include path
+
+---
+ configure.ac | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index fe7f0eb..1882f31 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -894,7 +894,9 @@ case "$with_pgsql" in
+      LIB_PGSQL_DIR=$LIB_PGSQL
+      LIB_PGSQL="$LIB_PGSQL -lpq"
+ 
+-     if test -d ${with_pgsql}/include/pgsql; then
++     if test -d ${with_pgsql}/include/postgresql/; then
++         CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include/postgresql"
++     elif test -d ${with_pgsql}/include/pgsql; then
+          CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include/pgsql"
+      elif test -d ${with_pgsql}/pgsql/include; then
+          CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/pgsql/include"
+
diff --git a/cyrus-sasl/Pkgfile b/cyrus-sasl/Pkgfile
index 795c06fe8..c81827a16 100644
--- a/cyrus-sasl/Pkgfile
+++ b/cyrus-sasl/Pkgfile
@@ -2,30 +2,69 @@
 # URL: https://www.cyrusimap.org/sasl/
 # Maintainer: Tim Biermann, tbier at posteo dot de
 # Depends on: db openssl linux-pam
+# Optional: krb5 mariadb openldap postgresql
 
 name=cyrus-sasl
 version=2.1.28
-release=1
+release=2
 source=(https://github.com/cyrusimap/$name/releases/download/$name-$version/$name-$version.tar.gz
+  0013-Don-t-use-la-files-for-opening-plugins.patch
+  0022-Fix-keytab-option-for-MIT-Kerberos.patch
+  0032-Add-with_pgsql-include-postgresql-to-include-path.patch
   saslauthd)
 
 build() {
   cd $name-$version
 
-  ./configure \
+  patch -p1 -i $SRC/0013-Don-t-use-la-files-for-opening-plugins.patch
+  patch -p1 -i $SRC/0022-Fix-keytab-option-for-MIT-Kerberos.patch
+  prt-get isinst postgresql && \
+    patch -p1 -i $SRC/0032-Add-with_pgsql-include-postgresql-to-include-path.patch
+
+  CPPFLAGS="$CFLAGS"
+
+  prt-get isinst krb5 && PKGMK_CYRUSSASL+=' --enable-gssapi'
+  prt-get isinst mariadb && PKGMK_CYRUSSASL+=' --with-mysql=yes' CPPFLAGS+=" $(mysql_config --libs | sed -e 's,-[^L][^ ]*,,g' -e 's,^ *,,' -e 's, *$,,' -e 's,  *, ,g')" || PKGMK_CYRUSSASL+=' --with-mysql=no'
+  prt-get isinst openldap && PKGMK_CYRUSSASL+=' --enable-ldapdb --with-ldap'
+  prt-get isinst postgresql && PKGMK_CYRUSSASL+=' --with-pgsql=yes' CPPFLAGS+=" -I$(pg_config --includedir)" || PKGMK_CYRUSSASL+=' --with-pgsql=no'
+
+  if [[ $(prt-get isinst mariadb) || $(prt-get isinst postgresql) ]]; then
+    PKGMK_CYRUSSASL+=' --enable-sql'
+  else
+    PKGMK_CYRUSSASL+=' --disable-sql'
+  fi
+
+  rm -f config/config.guess config/config.sub
+  rm -f config/ltconfig config/ltmain.sh config/libtool.m4
+  rm -fr autom4te.cache
+  libtoolize -c
+  aclocal -I config
+  automake -a -c
+  autoheader
+  autoconf
+
+  ./configure $PKGMK_CYRUSSASL \
       --prefix=/usr \
       --sysconfdir=/etc/sasl \
+      --with-configdir=/etc/sasl2:/etc/sasl:/usr/lib/sasl2 \
       --with-plugindir=/usr/lib/sasl2 \
       --with-saslauthd=/var/sasl/saslauthd \
-      --with-dbpath=/etc/sasl/sasldb2 \
+      --with-dbpath=/var/sasl/sasldb2 \
       --with-dblib=berkeley \
       --with-bdb-incdir=/usr/include \
       --with-bdb-libdir=/usr/lib \
       --with-openssl=/usr \
+      --with-devrandom=/dev/urandom \
+      --with-sqlite3=/usr/lib \
       --enable-login \
       --enable-cram \
       --enable-digest \
-      --enable-shared
+      --enable-shared \
+      --enable-auth-sasldb \
+      --enable-plain \
+      --enable-login \
+      --enable-ntlm
+  sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
 
   make CFLAGS="$CFLAGS -fPIC"
   make DESTDIR=$PKG install