[quoted text, click to view]

Geez, that's not "making no changes" when you're dealing with a
client-side problem. :)

[quoted text, click to view]

FTR, the first 'Require SPA' (on the main account setup dialog) would
only be applied if you are using the same creds for POP3 and SMTP.
Once you enter separate creds for SMTP, the 'Require SPA' on the SMTP
Advanced tab becomes the active SPA-related setting for SMTP.

That constant aside, 2003 and 2007 differ subtly -- but in some cases
fatally -- in when and if they support SPA/Integrated Windows Auth,
whether or not it is checked as required. If anything, I have seen
2007 be *more* forgiving than 2003 of inaccurate setups... for
example, in failing "up" to SPA if basic isn't supported by the
server, even if 'Require SPA' is not checked. However, YMMV based on
the NTLM trust between your desktop and the SMTP server, possibly
making (as you've observed) 2007 more demanding of attention.

I haven't come to a conclusion yet as to whether 2007's SPA behaviors
are more buggy or more fix-y vs. 2003: too many use cases, and too
much vagueness as to what SPA is "supposed" to be.

[FWIW, I'm not a big fan of SPA. It's not about its proprietary
nature. It's that if you're worried about your credentials being
snooped on the wire, you should be equally worried about your _message
content_ being snooped on the wire, and standards already exist
(SMTPS, STARTTLS) to protect that other important stage of the SMTP
conversation as well as the authentication stage. Why mess around with
spotty support when you can have the whole convo encrypted? Anyway,
just a li'l rant there. And yes, I understand that if every message
you send is PGP-encrypted, that offers guaranteed end-to-end
protection against snooping, but even single-ended SSL has to be a
better step in that direction than SPA, and is easy for users to
adopt.]