http://bugs.exim.org/show_bug.cgi?id=1382

Summary: ldap_require_cert has no effect
Product: Exim
Version: 4.80.1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: security
Priority: high
Component: Lookups
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]

Created an attachment (id=654)
 --> (http://bugs.exim.org/attachment.cgi?id=654)
exim -d+all

Title says it all, I guess. I am trying to set up encrypted communication between Exim and OpenLDAP. To do so I use a dumb, self-signed certificate, therefore I need to disable server certificate verification. I have tried to do it with ldap_require_cert in the exim config but it doesn't work. The OpenLDAP server receives from exim a TLS Alert stating "unknown CA". I have also tried to set the config directly in the LDAP library config file /etc/ldap/ldap.conf.

[Steps to reproduce]

1. On the directory server, create certificates:

    ~$ openssl genrsa 2048 > /etc/ssl/openldap/private/openldap.key
    ~$ openssl req -new -key /etc/ssl/openldap/private/openldap.key > /tmp/TLSCertificateReqFile
    ~$ openssl x509 -days 9999 -req -signkey /etc/ssl/openldap/private/openldap.key -out /etc/ssl/openldap/certs/openldap.crt -in /tmp/TLSCertificateReqFile

2. And configure OpenLDAP to serve STARTTLS requests (the ldif file below can be used as an example; apply it with ldapmodify against the cn=config database):

    # Adds the server certificate and key to the running cn=config
    dn: cn=config
    changetype: modify
    add: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ssl/openldap/certs/openldap.crt
    -
    add: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ssl/openldap/private/openldap.key

3. On the exim server, create a domain list, e.g.:

    .ifndef mydomains
    domainlist mydomains = ${lookup ldap\
      {\
      USER=uid=exim,dc=middle,dc=earth PASS=eximmta \
      ldap:///ou=domains,dc=middle,dc=earth?dc?one?\
      (associatedDomain=$domain)\
      }\
    }
    .endif

4. And add it to the list of local domains in the rcpt ACLs:

    require message = relay not permitted
            domains = +local_domains : +mydomains : +relay_to_domains

5. Configure the Exim ldap client:

    ldap_default_servers = ldap.middle.earth::389
    ldap_start_tls = true
    ldap_require_cert = allow

6. Try an SMTP session.

[Expected result]
The SMTP session should complete and Exim should accept the mail for local delivery.

[Actual result]
Exim returns "failed to initiate TLS processing on an LDAP session to server ldap.middle.earth:389 - ldap_start_tls_s() returned -11: Connect error" after the RCPT command.

[Additional notes]
The TLS debug from -d+all shows that Exim always sets "LDAP_OPT_X_TLS_TRY" regardless of the value of ldap_require_cert, which sounds like an actual bug to me.
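The configuration in step 5 asks for STARTTLS but, with ldap_require_cert = allow, tells the LDAP library to proceed even when the server certificate is missing or cannot be verified, so an on-path attacker who answers for ldap.middle.earth can present any certificate and capture the bind credentials (USER=... PASS=...) embedded in the lookup. The "unknown CA" alert in the report is what a verifying client sends when it has no trust anchor for the presented certificate, so the safer fix is to supply that trust anchor rather than to switch verification off. The following Exim main-configuration fragment is an added example, not from the bug report or the Exim project; the path /etc/exim4/ldap-ca.crt is an assumption, and on 4.80.1 the reporter observes that the ldap_require_cert value is not honoured at all, so this shows the intended configuration rather than a confirmed workaround for that version.

```exim
# Exim main configuration: LDAP lookups over STARTTLS (added example)
ldap_default_servers = ldap.middle.earth::389
ldap_start_tls = true

# Weak: "allow" requests a server certificate but does not fail the
# session when it is absent or fails verification, so the bind password
# in the lookups can be sent to an impostor.
#ldap_require_cert = allow

# Corrected: keep verification on ("demand": a certificate is required and
# must verify) and trust the self-signed server certificate explicitly.
# Copy /etc/ssl/openldap/certs/openldap.crt from the directory server to
# the Exim host; a self-signed certificate is its own issuer, so it can be
# used directly as the CA file. (Path is an assumption for this example.)
ldap_require_cert = demand
ldap_ca_cert_file = /etc/exim4/ldap-ca.crt
```

Before relying on it, confirm from the Exim host that the copied certificate verifies the server; with OpenSSL 1.1.1 or later, `openssl s_client -connect ldap.middle.earth:389 -starttls ldap -CAfile /etc/exim4/ldap-ca.crt` should report "Verify return code: 0 (ok)". Remember that the 9999-day self-signed certificate from step 1 has to be re-copied whenever it is regenerated, since the pinned file is the only trust anchor.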
