Dave Lugo, 2010-07-05 13:54:
>>> acl_check_auth:
>>> accept encrypted = *
>>> deny message = TLS encryption required
>> I would strongly recommend against this. This does not stop Exim from
>> announcing that AUTH PLAIN is supported, so clients would send AUTH
>> PLAIN together with their login information, e.g. "AUTH PLAIN
>> AGZvbwBiYXI=", so it's too late to reject it.
> It works great for me.
>
> My exim install doesn't offer AUTH PLAIN until STARTTLS
> has kicked in.
>
> This may be because I also have this near the
> beginning of my config:
>
> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
You guessed right. :)
If Exim does not announce AUTH, it won't accept AUTH commands.
> So, do you still disrecommend this config, which
> doesn't offer AUTH until TLS is started? If yes,
> can you tell me why?
It does not hurt, but it's also useless (and therefore gives a wrong
feeling of security).
Or do you have any "TLS encryption required" message in your log?
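
An added example, not part of the original thread: a small Python auditor run over two constructed SMTP transcripts (as a test client would record them) that flags AUTH advertised before STARTTLS and credentials sent in the clear, decoding the AUTH PLAIN string quoted above. Host names, reply texts and reply codes in the samples are assumptions.

```python
import base64

def decode_auth_plain(b64):
    """Return (authzid, authcid, password) from an AUTH PLAIN initial response."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    return tuple(p.decode("utf-8", "replace") for p in parts)

def audit_session(transcript):
    """Scan (direction, line) pairs, 'C' = client, 'S' = server; return findings."""
    tls_active = False
    starttls_sent = False
    findings = []
    for direction, line in transcript:
        upper = line.upper()
        if direction == "S":
            if starttls_sent:
                # Only a 220 reply to STARTTLS means the channel is now encrypted.
                tls_active = line.startswith("220")
                starttls_sent = False
            elif not tls_active and upper[:3] == "250" and upper[4:].startswith("AUTH"):
                findings.append(("auth-advertised-in-clear", line[4:]))
        elif upper == "STARTTLS":
            starttls_sent = True
        elif upper.startswith("AUTH PLAIN ") and not tls_active:
            # base64 is an encoding, not encryption: the login is already exposed.
            _, user, _ = decode_auth_plain(line.split()[2])
            findings.append(("credentials-sent-in-clear", user))
    return findings

# Constructed sample: ACL-only setup, AUTH offered before TLS (codes illustrative).
ACL_ONLY = [
    ("S", "220 mail.example.test ESMTP"), ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test Hello"), ("S", "250-AUTH PLAIN"),
    ("S", "250 STARTTLS"), ("C", "AUTH PLAIN AGZvbwBiYXI="),
    ("S", "550 TLS encryption required"),
]
# Constructed sample: AUTH advertised only once TLS is up (auth_advertise_hosts gate).
GATED = [
    ("S", "220 mail.example.test ESMTP"), ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test Hello"), ("S", "250 STARTTLS"),
    ("C", "STARTTLS"), ("S", "220 TLS go ahead"),
    ("C", "EHLO client.example.test"), ("S", "250-mail.example.test Hello"),
    ("S", "250 AUTH PLAIN"), ("C", "AUTH PLAIN AGZvbwBiYXI="),
    ("S", "235 Authentication succeeded"),
]

if __name__ == "__main__":
    print(audit_session(ACL_ONLY))
    print(audit_session(GATED))
```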