[exim] Different classes of user

Hi folks. I'm trying to set up an all-things-to-all-users mail server to
handle a dozen or so domains, some being delivered locally to users
and/or forwarded, some as secondary MX, and some as a front-end
anti-virus and anti-spam filter, while also being my users' smarthost.

I've got most of it licked, my remaining awkward thing is having both
semi-trusted and untrusted users, where I want to require encryption for
users with shell accounts, but allow unencrypted AUTH for the others. I
haven't even decided whether the non-shell users will have real accounts
with no shell (probably) or they'll be "virtual" users.

I can't advertise authentication only to people who've started TLS, so I
guess I need to fail authentication to my shell users whatever password
they give if they haven't started TLS. I can see some horrible mess
coming along with my authenticators' server_condition - either trying to
do lookups of the user's shell in /etc/shells, or looking up the user in
two different places.

Has anybody here done this elegantly, or even done it at all, and if so
please could you share it with me - or tell me why this is all
incredibly stupid?

Cheers,

John.

PS. I shall be off to the Dovecot lists to ask the same there, unless
anyone here has also done that :-)

PPS. I wonder why my /etc/shells currently includes /sbin/nologin...