######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################

# Using PAM directly from Exim on Gentoo is non-ideal from a security
# perspective, see:
# https://bugs.gentoo.org/964377
# Suggestion is to use Dovecot's SASL
# https://doc.dovecot.org/2.4.1/howto/sasl/exim.html#exim-and-dovecot-sasl
# or Cyrus SASL's saslauthd
# https://exim-users.exim.narkive.com/joAt25zW/authentication-using-saslauthd-cyrus-sasl

# You will want to set up at least 2 directives for AUTH support that are
# only announced on secure connections (e.g. after STARTTLS) so the
# client never attempts to send the plain password over an unencrypted
# connection.

# The "plain" directive works for nearly everything except Windows MUAs.
# The "login" directive will allow you to authenticate your Outlook 2000 and
# Outlook Express clients.

# Below is an example of how to use Cyrus SASL in Exim's authenticators.

#plain:
#  driver = cyrus_sasl
#  public_name = PLAIN
#  server_set_id = $auth1
#  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
#
#login:
#  driver = cyrus_sasl
#  public_name = LOGIN
#  server_set_id = $auth1
#  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
#
# To tell cyrus_sasl to connect to the saslauthd daemon, you need a file
# /etc/sasl2/exim.conf containing:
#pwcheck_method: saslauthd
#
# and make sure you configure /etc/conf.d/saslauthd properly, e.g. use
# "-a shadow" for the simplest support, or when using PAM that the
# appropriate /etc/pam.d/saslauthd is set up.
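
# Added example (not part of the original configuration file or of Exim):
# a Python check for the rule stated above, that PLAIN and LOGIN are only
# announced once TLS is active. It parses the EHLO reply seen before and
# after STARTTLS; the sample replies and hostnames below are constructed.

```python
import re

# Mechanisms that put the password itself on the wire (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    ext = {}
    lines = [l for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:  # first line is the greeting, not an extension
        m = re.match(r"250[- ](\S+)(.*)$", line.rstrip())
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        word, params = m.group(1).upper(), m.group(2).split()
        if word.startswith("AUTH="):  # legacy "AUTH=LOGIN PLAIN" form
            word, params = "AUTH", [word[5:]] + params
        ext.setdefault(word, []).extend(p.upper() for p in params)
    return ext

def audit(pre_tls, post_tls):
    """Return a list of findings; an empty list means the policy holds."""
    before, after = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    leaked = sorted(PLAINTEXT_MECHS & set(before.get("AUTH", [])))
    if leaked:
        findings.append("AUTH " + " ".join(leaked) + " advertised before STARTTLS")
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered on the cleartext connection")
    missing = sorted(PLAINTEXT_MECHS - set(after.get("AUTH", [])))
    if missing:
        findings.append("AUTH " + " ".join(missing) + " not advertised after STARTTLS")
    return findings

# Constructed sample replies (placeholder hostnames, not captured traffic).
PRE_OK = """250-mail.example.org Hello client.example.net [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""
POST_OK = PRE_OK.replace("250-STARTTLS", "250-AUTH PLAIN LOGIN")
PRE_BAD = PRE_OK.replace("250-STARTTLS", "250-AUTH PLAIN LOGIN\n250-STARTTLS")

if __name__ == "__main__":
    print(audit(PRE_OK, POST_OK))   # server_advertise_condition in effect
    print(audit(PRE_BAD, POST_OK))  # AUTH announced without TLS
```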