From e03b214b3e492f786189508a627e834bbca8cf2e Mon Sep 17 00:00:00 2001
From: Fabian Groffen
Date: Sun, 19 Oct 2025 09:58:02 +0200
Subject: [PATCH] mail-mta/exim: update/append instructions for authenticators

Previous iteration for PAM replacement with gsasl was based on a
misunderstanding. Document the Cyrus SASL route using saslauthd, as the
Dovecot implementation is trivial (copy/paste from their docs). Hopefully
this allows people to get their instances up and running within reasonable
time.

Closes: https://bugs.gentoo.org/964558
Signed-off-by: Fabian Groffen
---
 mail-mta/exim/files/auth_conf.sub | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/mail-mta/exim/files/auth_conf.sub b/mail-mta/exim/files/auth_conf.sub
index f843314d6e67..ff8c03dd5dec 100644
--- a/mail-mta/exim/files/auth_conf.sub
+++ b/mail-mta/exim/files/auth_conf.sub
@@ -1,25 +1,39 @@ ###################################################################### # AUTHENTICATION CONFIGURATION # ###################################################################### -# Using PAM with Exim on Gentoo is non-ideal from security perspective, see: +# Using PAM directly from Exim on Gentoo is non-ideal from security +# perspective, see: # https://bugs.gentoo.org/964377 # Suggestion is to use Dovecot's SASL # https://doc.dovecot.org/2.4.1/howto/sasl/exim.html#exim-and-dovecot-sasl -# or GNU SASL -# https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_gsasl_authenticator.html +# or Cyrus SASL's saslauthd +# https://exim-users.exim.narkive.com/joAt25zW/authentication-using-saslauthd-cyrus-sasl +# You will want to setup at least 2 directives for AUTH support that are +# only announced on secure connections (e.g. after STARTTLS) so the +# client never attempts to send the plain password over an unencrypted +# connection. # The "plain" directive works for nearly everything except windows MUA's. # The "login" directive will allow you to authenticate your Outlook 2000 and # outlook express clients. - -# below an example of how to use GNU SASL +# below an example of how to use Cyrus SASL in Exim's authenticators. #plain: -# driver = gsasl +# driver = cyrus_sasl # public_name = PLAIN # server_set_id = $auth1 +# server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}} # #login: -# driver = gsasl +# driver = cyrus_sasl # public_name = LOGIN # server_set_id = $auth1 +# server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}} +# +# to tell cyrus_sasl to connect to the saslauth deamon, you need a file +# /etc/sasl2/exim.conf containing: +#pwcheck_method: saslauthd +# +# and make sure you configure /etc/conf.d/saslauthd properly, e.g. use +# "-a shadow" for the simplest support, or when using pam that the +# appropriate /etc/pam.d/saslauthd is setup.
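Review bot: the two added `server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}` lines use `$tls_cipher`, which current Exim documents as a deprecated alias of `$tls_in_cipher`; since this file is the template users copy from, prefer the form Exim's own default configuration uses, `server_advertise_condition = ${if def:tls_in_cipher}`, which reads more clearly and will not trip a future deprecation. The surrounding comment correctly explains why the condition matters (PLAIN and LOGIN both carry the password in clear, so they must only be offered after STARTTLS), so it is worth getting the variable name right in the one line users will actually uncomment. Two smaller points in the same hunk: "saslauth deamon" should read "saslauthd daemon", and the `-a shadow` advice should mention that saslauthd then needs root privileges to read /etc/shadow, which is part of the trade-off the first comment block is warning about when it steers people away from calling PAM directly from Exim. Finally, the `cyrus_sasl` driver only exists when Exim was built with Cyrus SASL support; a one-line pointer to the corresponding USE flag would save users a confusing "unknown driver" error at startup.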