Patrick Ben Koetter wrote, at 08/14/2008 08:22 AM:
The order in which mechanisms are listed in $mech_list or in which they are announced as SMTP capability is irrelevant. The client chooses the "best" mechanism by it's own logic.
Note that this has become a blessing from a support point of view, because modern clients will rarely send passwords in the clear if a better mechanism is available. Many users are stabbing in the dark and stop at the first configuration that works, so this approach offers a little more protection.
