[exim-dev] [Bug 1381] New: simple LDAP lookups fails with TL…

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1381
           Summary: simple LDAP lookups fails with TLS
           Product: Exim
           Version: 4.80
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: high
         Component: Lookups
        AssignedTo: nigel@???
        ReportedBy: alxgomz@???
                CC: exim-dev@???

Created an attachment (id=648)
--> (http://bugs.exim.org/attachment.cgi?id=648)
ldaps:// lookup

I have setup exim to lookup an LDAP directory in order to find various
informations, like local domain list, user account info etc...
My setup stops workg as soon as I set the following options:

ldap_start_tls = true
ldap_require_cert = allow

The Directory server is an OpenLDAP 2.4.31.

I am using Debian packages so I was primarily pointed to possible GnuTLS
issues. So i recompiled both OpenLDAP and exim to use openSSL instead, but I
still have the same error.

[Step to reproduce]:

1. On the directory server, create certificates:
~$ openssl genrsa 2048 > /etc/ssl/openldap/private/openldap.key
~$ openssl req -new -key /etc/ssl/openldap/private/openldap.key >
/tmp/TLSCertificateReqFile
~$ openssl x509 -days 9999 -req -signkey /etc/ssl/openldap/private/openldap.key
-out /etc/ssl/openldap/certs/openldap.crt -in /tmp/TLSCertificateReqFile

2. And configure openLDAP to serve STARTTLS requests (the ldif file bellow can
be used as an example):

dn: cn=config
changeType: add
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/openldap.crt

dn: cn=config
changeType: add
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/openldap.key

3. On the exim server, create a domain list e.g:
.ifndef mydomains
mydomains = ${lookup ldap\
                                {\
                                USER=uid=exim,dc=middle,dc=earth PASS=eximmta \
                                ldap:///ou=domains,dc=middle,dc=earth?dc?one?\
                                        (associatedDomain=$domain)\
                                }\
                        } 
.endif

4. And add it to the list of local domains in the rcpt ACLs:
require
    message = relay not permitted
    domains = +local_domains : +mydomains : +relay_to_domains

5. configure Exim ldap client:
ldap_default_servers = ldap.middle.earth::389
ldap_start_tls = true
ldap_require_cert = allow


6. Try an SMTP session.

[Expected result]
SMTP session should complete an Exim accept the mail for local delivery

[Actual result]:
Exim returns "failed to initiate TLS processing on an LDAP session to server
ldap.middle.earth:389 - ldap_start_tls_s() returned -11: Connect error" after
RCPT command.

The same behaviour is seen with both ldaps:// and ldap://+StartTLS. I have
tried to force usage of different ciphers but with not much success.
I have attached network dumps and both server side (openldap) and client side
(exim) debug for ldaps and ldapStartTLS lookups.
Let me know if further informations are needed.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email