Re: [Exim] restricting AUTH Plain/Login to TLS connections

Author: Nico Erfurth
Date:  
To: exim-users
CC: Sven Geggus
Subject: Re: [Exim] restricting AUTH Plain/Login to TLS connections
Philip Hazel wrote:

>>You have to advertise all or nothing, but maybe this should be
>>configurable in the authenticator (this COULD also make the
>>auth_advertise_hosts option obsolete).
>
>
> That is correct.
>
> I have noted this requirement in the Wish List. However, it isn't as
> simple as just specifying what to advertise, because Exim should only
> accept back requests for advertised mechanisms. This is quite a lot of
> complication.


Why?
IMHO, you need to loop through the authenticators anyway, to find the
requested authenticator, so checking the condition again and skipping if
it yields false shouldn't be a problem (around line 1793 in my version
of smtp_in.c). But I could be wrong, I just had a quick look ;)

The check for au == NULL should catch it if someone tries to use an
unadvertised mechanism.

> What you can do is to reject AUTH commands that don't use an approved
> mechanism in the ACL for AUTH. This may confuse the clients, of course.


Hmmm, do we have a variable to get the requested auth-scheme?

Especially Netscape and Mozilla are very picky about the AUTH-part.

ciao
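
Added example, not part of the original message and not Exim's smtp_in.c: a small C model of the idea discussed above, where one per-authenticator condition drives both the EHLO advertisement and the lookup done for the AUTH command, so a request for an unadvertised mechanism ends in a NULL authenticator. The struct, the function names and the sample authenticator table are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical model of a configured authenticator (not Exim's own struct). */
typedef struct {
    const char *mech;  /* SASL mechanism name */
    bool tls_only;     /* assumed per-authenticator advertise condition */
} auth_model;
static const auth_model auths[] = {   /* constructed sample configuration */
    { "PLAIN",    true  },            /* cleartext password: TLS only */
    { "LOGIN",    true  },
    { "CRAM-MD5", false },            /* challenge-response: also without TLS */
};
#define N_AUTHS (sizeof auths / sizeof auths[0])

/* One predicate shared by the advertising and the accepting side. */
static bool usable(const auth_model *a, bool tls_active) {
    return !a->tls_only || tls_active;
}

/* Build the EHLO "AUTH ..." line; returns how many mechanisms it lists. */
size_t advertise(bool tls_active, char *out, size_t outlen) {
    size_t n = 0;
    snprintf(out, outlen, "AUTH");
    for (size_t i = 0; i < N_AUTHS; i++) {
        if (!usable(&auths[i], tls_active)) continue;
        size_t used = strlen(out);
        snprintf(out + used, outlen - used, " %s", auths[i].mech);
        n++;
    }
    return n;
}

/* AUTH command: find the requested authenticator, but skip it when its
   condition is false, so an unadvertised mechanism comes back as NULL. */
const auth_model *find_auth(const char *requested, bool tls_active) {
    for (size_t i = 0; i < N_AUTHS; i++)
        if (strcasecmp(requested, auths[i].mech) == 0 && usable(&auths[i], tls_active))
            return &auths[i];
    return NULL;
}

int main(void) {
    printf("AUTH PLAIN without TLS: %s\n", find_auth("PLAIN", false) ? "accepted" : "rejected");
    printf("AUTH PLAIN with TLS:    %s\n", find_auth("PLAIN", true) ? "accepted" : "rejected");
    return 0;
}
```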