Hi John!
> What I want to stop, or make harder, is password cracking using brute
> force. In my limited experience of SMTP AUTH, it either works as the
> userid/password is the same as that for IMAP/POP or fails. Perhaps a count
> could be added to the AUTH drivers to limit the number of retries and once
> exceeded the call is dropped.
Since at least version 4.20 Exim has an ACL for the AUTH command. In
order to drop a connection when a second AUTH is attempted, you could
use one as simple as this:

    acl_smtp_auth = acl_check_auth

    acl_check_auth:
      drop    condition = $acl_m0
      accept  set acl_m0 = yes

Please be aware that some MUAs send two AUTH commands: one before, and
one after they have initiated a TLS session. But this is beyond the
scope of your original question. ;-)
Andy
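
Added example, not part of the message above and not taken from the Exim distribution: a variant of the same ACL that implements the retry count asked about in the quoted question. The connection-scoped variable acl_c0, the limit of 3 and the response text are assumptions of this example. Because the ACL runs when the AUTH command arrives, it counts AUTH commands on the connection, not failed logins.

```conf
# Main configuration section: name the ACL to run for every AUTH command.
acl_smtp_auth = acl_check_auth

begin acl

acl_check_auth:
  # acl_c0 holds the number of AUTH commands already seen on this
  # connection (assumed free for this purpose; empty means zero).
  # Once the limit (3, an example value) is reached, close the connection.
  drop    message   = Too many AUTH commands
          condition = ${if >={${if def:acl_c0{$acl_c0}{0}}}{3}}

  # Otherwise count this AUTH command and let the authenticator run.
  accept  set acl_c0 = ${eval:${if def:acl_c0{$acl_c0}{0}}+1}
```

A limit above 1 leaves room for the MUAs mentioned above that send AUTH both before and after starting TLS.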