For our company's Intranet, we did a variation on this theme. Every employee has a login to a dual-alpha Tru64 Unix box that, among other things, provides pop3 service.
We modified the login process to call a custom proc that opened a socket to port 110 on the Tru64 box and sent the username and password. If the pop daemon responds with either a "+OK" or a "-ERR Could not lock" then we know the password is good; otherwise it isn't. If it is, we call ad_user_login $user_id to log them in.
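The POP3 check described in the post above, as an added example that is not the poster's code: Python stands in for the custom Tcl proc, and the names `pop3_check`, `password_is_good` and `check_over_tcp` are hypothetical. It applies the post's "+OK" / "-ERR Could not lock" rule and refuses usernames or passwords containing control characters, so a CR/LF typed into the login form cannot add a second POP3 command to the session.

```python
import socket

class BadCredentialSyntax(ValueError):
    """Username or password contains characters that must not reach the wire."""

def _command(verb, arg):
    # Reject empty values and control characters (CR, LF, NUL, ...).
    if not arg or any(ord(c) < 0x20 or ord(c) == 0x7F for c in arg):
        raise BadCredentialSyntax(verb)
    return f"{verb} {arg}\r\n".encode("utf-8")

def _reply(rfile):
    line = rfile.readline(512)  # RFC 1939 caps a response line at 512 octets
    if not line.endswith(b"\r\n"):
        raise ConnectionError("truncated POP3 reply")
    return line[:-2].decode("latin-1")

def password_is_good(reply):
    # Rule from the post: "+OK", or a lock failure (mailbox busy, password accepted).
    return reply.startswith("+OK") or reply.startswith("-ERR Could not lock")

def pop3_check(rfile, wfile, user, password):
    # Build both commands first: bad input is refused before anything is sent.
    user_cmd = _command("USER", user)
    pass_cmd = _command("PASS", password)
    if not _reply(rfile).startswith("+OK"):  # server greeting
        raise ConnectionError("no POP3 greeting")
    wfile.write(user_cmd)
    wfile.flush()
    if not _reply(rfile).startswith("+OK"):
        return False
    wfile.write(pass_cmd)
    wfile.flush()
    good = password_is_good(_reply(rfile))
    wfile.write(b"QUIT\r\n")
    wfile.flush()
    return good

def check_over_tcp(host, user, password, port=110, timeout=5.0):
    # A timeout keeps a hung POP daemon from stalling the web login.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return pop3_check(rfile, wfile, user, password)
```

Port 110 carries USER and PASS unencrypted, so this check belongs on a trusted network segment or behind a TLS wrapper.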