[exim] Make auth unsuccessful with some conditions

Hello!

I have installed: Exim 4.92-8+deb10u7, Dovecot 1:2.3.4.1-5+deb10u7.

I'm trying to deny users successful authentication if they connect not
from the internal network but from the Internet. At the same time, I
have a file with exception users.

server_condition is used to deny authentication. At the same time, this
works for CRAM_MD5, but does not work for PLAIN (an error message
appears in the log, but the message is sent as coming from an authorized
user).

Used macros:

LAN = 127.0.0.1 : ::::1 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8

AUTH_EXCEPTIONS = CONFDIR/auth_exceptions


And here are my auth config:

dovecot_cram_md5:
  driver = dovecot
  public_name = CRAM-MD5
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if
or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if
or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}


What could be wrong with PLAIN?

There are also notes for PLAIN in the documentation: "This option must
be set for a plaintext server authenticator, where it is used directly
to control authentication. See section 34.3 for details." I don't know
how to apply or bypass this in my case.

Maybe there is some other way to implement my idea with authentication
rejection?

Thanks!