My SMTP authentication can be bypassed by sending an unknown user name and an empty password. What is wrong with this condition in a PLAIN authenticator?

server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \
  accounts WHERE username='${local_part:$1}'} } }{1}{0}}

Your lookup item returns an empty string when the user does not exist. You should instead arrange for the lookup to fail:

server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \
  accounts WHERE username='${local_part:$1}'}{$value}fail}}{1}{0}}