Sure about $auth1? Isn'tit $auth2 in case of the PLAIN driver?
> 2023-02-01 12:50:11 dovecot_login authenticator failed for hub.********
> ([10.1.1.103]) [**.**.**.**]: 435 Unable to authenticate at present: unable
> to connect to UNIX socket (/var/run/dovecot/auth-client): Permission denied
Yes, Exim connects to the socket as the Exim runtime user, but the
permissions on the socket are a way to tight.
I think, either set the socket to 666, or make 660 and assign it to a
group, Exim belongs to (though I'm not sure, if Exim "joins" its
supplementary groups (aka initgroups(3)) for auth purpose.)
I'm not sure about the security impact of widening the permissions on
this socket. In theory it can be used to do mass-checking of auth
credentials.
The permissions and ownership of the socket can be set in the dovecot
config file.