On 3/14/23 08:07, Jeremy Harris via Exim-users wrote:
> On 13/03/2023 23:43, Gedalya via Exim-users wrote:
>> 4. On port 587, authentication should not be advertised before STARTTLS is
>> issued.
>
> A slight suggested relaxation of that rule: only authentication methods
> which are self-encrypted should be used on a cleartext channel.
>
> That means the same as your simpler rule for PLAIN and LOGIN, which are
> the common ones. But the SCRAM family, for example, would be safe.
There's a slightly different motivation for the approach I suggested. Don't bother supporting SCRAM, and auto-ban any client that tries to use unadvertised AUTH. Cuts down on a lot of log spam. Many bots will not try TLS, and will either attempt AUTH before STARTTLS or will just not try at all. This doesn't "solve" anything; it's just a relative reduction of noise.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
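As an added illustration of the log-driven auto-ban described in this reply (example code, not from the thread, Exim, or any list member): a small Python matcher that picks Exim mainlog entries for AUTH issued while not advertised and lists the source IPs a ban tool would act on. It assumes Exim's `SMTP protocol error in "AUTH ..." ... AUTH command used when not advertised` wording, and the log lines below are constructed samples.

```python
import re
from collections import Counter

# Exim side (from the Exim spec): advertise AUTH only once TLS is up, e.g.
#   auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
# A client that then sends AUTH on the cleartext channel is logged as an SMTP
# protocol error. Confirm the exact wording against your own mainlog.
UNADVERTISED_AUTH = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP protocol error in '
    r'"AUTH(?: (?P<mech>\S+))?[^"]*" H=(?P<host>.+?) \[(?P<ip>[^\]]+)\] '
    r'AUTH command used when not advertised'
)

# Constructed sample log lines in Exim mainlog style (not real traffic).
SAMPLE_LOG = """\
2023-03-14 08:07:01 SMTP protocol error in "AUTH LOGIN" H=(User) [192.0.2.10] AUTH command used when not advertised
2023-03-14 08:07:02 1pbXyz-0001aB-Cd <= alice@example.org H=mail.example.org [198.51.100.5] P=esmtpsa A=plain:alice
2023-03-14 08:07:03 SMTP protocol error in "AUTH PLAIN AGZha2UAZmFrZQ==" H=(User) [192.0.2.10] AUTH command used when not advertised
2023-03-14 08:07:04 SMTP protocol error in "AUTH LOGIN" H=(ylmf-pc) [203.0.113.7] AUTH command used when not advertised
2023-03-14 08:07:05 SMTP protocol error in "AUTH LOGIN" H=(User) [192.0.2.10] AUTH command used when not advertised
"""

def unadvertised_auth_attempts(log_text):
    """Return (ip, helo_host, mechanism) for each AUTH-when-not-advertised event."""
    hits = []
    for line in log_text.splitlines():
        m = UNADVERTISED_AUTH.match(line)
        if m:
            # Keep only the mechanism name; any credential blob that follows
            # it in the logged command is not something to copy into reports.
            hits.append((m.group("ip"), m.group("host"), m.group("mech") or ""))
    return hits

def ban_candidates(log_text, threshold=1):
    """IPs with at least `threshold` events; threshold=1 matches the reply's
    'ban any client that tries' policy, higher values are fail2ban-style."""
    counts = Counter(ip for ip, _, _ in unadvertised_auth_attempts(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ip, host, mech in unadvertised_auth_attempts(SAMPLE_LOG):
        print(f"{ip:15} {host:12} {mech}")
    print("ban:", ban_candidates(SAMPLE_LOG))
```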