------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugs.exim.org/show_bug.cgi?id=1381

           Summary: simple LDAP lookups fail with TLS
           Product: Exim
           Version: 4.80
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: high
         Component: Lookups
        AssignedTo: [email protected]
        ReportedBy: [email protected]
                CC: [email protected]

Created an attachment (id=648)
 --> (http://bugs.exim.org/attachment.cgi?id=648)
ldaps:// lookup

I have set up Exim to look up an LDAP directory in order to find various information, like the local domain list, user account info, etc. My setup stops working as soon as I set the following options:

  ldap_start_tls = true
  ldap_require_cert = allow

The directory server is an OpenLDAP 2.4.31. I am using Debian packages, so I was primarily pointed to possible GnuTLS issues. So I recompiled both OpenLDAP and Exim to use OpenSSL instead, but I still have the same error.

[Steps to reproduce]:

1. On the directory server, create certificates:

  # private key, CSR (openssl req prompts for the subject), then a self-signed cert
  ~$ openssl genrsa 2048 > /etc/ssl/openldap/private/openldap.key
  ~$ openssl req -new -key /etc/ssl/openldap/private/openldap.key > /tmp/TLSCertificateReqFile
  ~$ openssl x509 -days 9999 -req -signkey /etc/ssl/openldap/private/openldap.key -out /etc/ssl/openldap/certs/openldap.crt -in /tmp/TLSCertificateReqFile

2. And configure OpenLDAP to serve STARTTLS requests (the LDIF file below can be used as an example):

  # cn=config already exists, so this is a "modify" that adds two attributes
  # (feed it to ldapmodify; "changetype: add" would try to create a new entry)
  dn: cn=config
  changetype: modify
  add: olcTLSCertificateFile
  olcTLSCertificateFile: /etc/ssl/openldap/certs/openldap.crt
  -
  add: olcTLSCertificateKeyFile
  olcTLSCertificateKeyFile: /etc/ssl/openldap/private/openldap.key

3. On the Exim server, create a domain list, e.g.:

  # named domain list, referenced as +mydomains in the ACL below;
  # $domain is passed through ${quote_ldap:} so it cannot alter the filter
  .ifndef mydomains
  domainlist mydomains = ${lookup ldap\
    {\
    USER=uid=exim,dc=middle,dc=earth PASS=eximmta \
    ldap:///ou=domains,dc=middle,dc=earth?dc?one?\
    (associatedDomain=${quote_ldap:$domain})\
    }\
    }
  .endif

4. And add it to the list of local domains in the RCPT ACL:

  require message = relay not permitted
          domains = +local_domains : +mydomains : +relay_to_domains

5. Configure the Exim LDAP client:

  ldap_default_servers = ldap.middle.earth::389
  ldap_start_tls = true
  ldap_require_cert = allow

6. Try an SMTP session.

[Expected result]
The SMTP session should complete and Exim should accept the mail for local delivery.

[Actual result]:
Exim returns "failed to initiate TLS processing on an LDAP session to server ldap.middle.earth:389 - ldap_start_tls_s() returned -11: Connect error" after the RCPT command.

The same behaviour is seen with both ldaps:// and ldap:// + STARTTLS. I have tried to force the use of different ciphers, but with not much success.

I have attached network dumps and both server-side (OpenLDAP) and client-side (Exim) debug output for the ldaps and LDAP STARTTLS lookups. Let me know if further information is needed.

-- 
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev
Exim details at http://www.exim.org/ ##
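One point a reviewer of step 3 of the report would raise, shown here as an added example that is not part of the bug report or of Exim's own code: the filter `(associatedDomain=$domain)` interpolates `$domain` straight into LDAP filter syntax, so any value that reaches `$domain` is parsed as filter, not as data. The script below implements the two-level quoting the Exim specification describes for `${quote_ldap:...}` (RFC 4515 filter escaping of `*`, `(`, `)`, `\` and NUL, then percent-encoding for the URL) and prints the unquoted and quoted filters side by side. The base DN, attribute and scope are the ones from step 3; the sample values are constructed; and reproducing Exim's exact output byte for byte is my reading of the spec, so compare it with `exim -be` on a real installation before relying on it.

```python
from urllib.parse import quote

# Added example, not from the bug report or from Exim.
# Two quoting layers are needed when a value lands inside an Exim LDAP URL:
#   1. RFC 4515 filter escaping:  *  (  )  \  NUL  ->  \2A \28 \29 \5C \00
#      (non-printable bytes are escaped the same way)
#   2. URL percent-encoding of what is left, so the LDAP URL parser hands
#      the backslash escapes through to the filter parser intact.
# The Exim spec gives "a(b*c" -> "a%5C28b%5C2Ac" as the combined effect of
# ${quote_ldap:}; matching that exactly is an assumption of this example.

_FILTER_SPECIAL = {0x2A: "\\2A", 0x28: "\\28", 0x29: "\\29", 0x5C: "\\5C", 0x00: "\\00"}


def filter_escape(value: str) -> str:
    """Escape an assertion value for use in an LDAP search filter (RFC 4515)."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in _FILTER_SPECIAL:
            out.append(_FILTER_SPECIAL[byte])
        elif 0x20 <= byte < 0x7F:
            out.append(chr(byte))
        else:
            out.append("\\%02X" % byte)
    return "".join(out)


def quote_ldap(value: str) -> str:
    """Mimic Exim's ${quote_ldap:...}: filter escaping, then URL encoding."""
    return quote(filter_escape(value), safe="")


def domain_filter(domain: str, quoted: bool = True) -> str:
    """The filter from step 3 of the report, with or without quoting."""
    return "(associatedDomain=%s)" % (quote_ldap(domain) if quoted else domain)


def exim_lookup_query(domain: str, quoted: bool = True,
                      base: str = "ou=domains,dc=middle,dc=earth",
                      attr: str = "dc", scope: str = "one") -> str:
    """The URL part of the ${lookup ldap{...}} query from step 3."""
    return "ldap:///%s?%s?%s?%s" % (base, attr, scope, domain_filter(domain, quoted))


if __name__ == "__main__":
    # Constructed inputs: a normal domain, a lone wildcard, and the spec's example.
    for d in ("middle.earth", "*", "a(b*c"):
        print("%-14s unquoted: %s" % (d, domain_filter(d, quoted=False)))
        print("%-14s quoted:   %s" % ("", domain_filter(d)))
```

With the unquoted form, a value of `*` turns the equality match into the presence filter `(associatedDomain=*)`, which matches every domain entry under the base, so the lookup succeeds for whatever domain was being tested and the `+mydomains` list in the ACL treats it as local. The quoted form sends `(associatedDomain=\2A)`, a literal asterisk that matches nothing.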
