[exim-dev] [Bug 1382] New: ldap_require_cert has no effect

Author: alxgomz
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 1382] ldap_require_cert has no effect
Subject: [exim-dev] [Bug 1382] New: ldap_require_cert has no effect
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1382
           Summary: ldap_require_cert has no effect
           Product: Exim
           Version: 4.80.1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: high
         Component: Lookups
        AssignedTo: nigel@???
        ReportedBy: alxgomz@???
                CC: exim-dev@???



Created an attachment (id=654)
--> (http://bugs.exim.org/attachment.cgi?id=654)
exim -d+all

Title says it all I guess. I am trying to set up encrypted communication
between Exim and openldap.
To do so I use a dumb, self-signed certificate, therefore I need to disable
server certificate verification.
I have tried to do it with ldap_require_cert in exim config but it doesn't
work. The openldap server receives from exim a TLS Alert stating "unknown CA".
I have also tried to set the config directly in the LDAP library config file
/etc/ldap/ldap.conf.

[Steps to reproduce]:

1. On the directory server, create certificates:
~$ openssl genrsa 2048 > /etc/ssl/openldap/private/openldap.key
~$ openssl req -new -key /etc/ssl/openldap/private/openldap.key \
     > /tmp/TLSCertificateReqFile
~$ openssl x509 -days 9999 -req -signkey /etc/ssl/openldap/private/openldap.key \
     -out /etc/ssl/openldap/certs/openldap.crt -in /tmp/TLSCertificateReqFile

2. And configure openLDAP to serve STARTTLS requests (the ldif file below can
be used as an example):

# cn=config already exists, so the entry must be modified, not added;
# both attributes go into one modify operation separated by "-".
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/openldap.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/openldap.key

3. On the exim server, create a domain list e.g:
.ifndef mydomains
domainlist mydomains = ${lookup ldap\
                                {\
                                USER=uid=exim,dc=middle,dc=earth PASS=eximmta \
                                ldap:///ou=domains,dc=middle,dc=earth?dc?one?\
                                        (associatedDomain=$domain)\
                                }\
                        } 
.endif


4. And add it to the list of local domains in the rcpt ACLs:
require
    message = relay not permitted
    domains = +local_domains : +mydomains : +relay_to_domains


5. configure Exim ldap client:
ldap_default_servers = ldap.middle.earth::389
ldap_start_tls = true
ldap_require_cert = allow


6. Try an SMTP session.

[Expected result]:
SMTP session should complete and Exim accept the mail for local delivery.

[Actual result]:
Exim returns "failed to initiate TLS processing on an LDAP session to server
ldap.middle.earth:389 - ldap_start_tls_s() returned -11: Connect error" after
RCPT command.

[Additional notes]:
The TLS debug from -d+all shows that Exim always sets "LDAP_OPT_X_TLS_TRY"
regardless of the value of ldap_require_cert, which sounds like an actual bug
to me.


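The report above hinges on the difference between the OpenLDAP certificate-requirement levels: the reporter configured ldap_require_cert = allow (an unverifiable server certificate is ignored), but the debug output shows Exim applying LDAP_OPT_X_TLS_TRY, under which a presented-but-unverifiable certificate terminates the handshake, hence the "unknown CA" alert. The following C block is an added example, not Exim's or OpenLDAP's code; it models the keyword-to-option mapping Exim documents for ldap_require_cert and the handshake outcome each level produces per the TLS_REQCERT semantics in ldap.conf(5). The constant values are copied from OpenLDAP's ldap.h so the example builds without the LDAP headers; the enum, function names and scenario table are constructed for illustration.

```c
/* Added example, not Exim's or OpenLDAP's code: how an Exim ldap_require_cert
 * keyword maps onto OpenLDAP's LDAP_OPT_X_TLS_REQUIRE_CERT setting, and what
 * each setting does when the server presents no certificate, an unverifiable
 * one (e.g. self-signed, "unknown CA"), or one that verifies. */
#include <stdio.h>
#include <string.h>

/* Values as defined in OpenLDAP's <ldap.h>; repeated here so the example
 * compiles without the LDAP development headers installed. */
#ifndef LDAP_OPT_X_TLS_NEVER
#define LDAP_OPT_X_TLS_NEVER  0
#define LDAP_OPT_X_TLS_HARD   1
#define LDAP_OPT_X_TLS_DEMAND 2
#define LDAP_OPT_X_TLS_ALLOW  3
#define LDAP_OPT_X_TLS_TRY    4
#endif

/* What the directory server presented during the STARTTLS handshake
 * (constructed enum for this example). */
enum server_cert { CERT_NONE, CERT_UNVERIFIABLE, CERT_VERIFIED };

/* Translate the configuration keyword (the set Exim documents for
 * ldap_require_cert) into the library constant; -1 for an unknown word.
 * A real client then hands the integer to
 * ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt). */
int require_cert_option(const char *value)
{
    if (strcmp(value, "never") == 0)  return LDAP_OPT_X_TLS_NEVER;
    if (strcmp(value, "hard") == 0)   return LDAP_OPT_X_TLS_HARD;
    if (strcmp(value, "demand") == 0) return LDAP_OPT_X_TLS_DEMAND;
    if (strcmp(value, "allow") == 0)  return LDAP_OPT_X_TLS_ALLOW;
    if (strcmp(value, "try") == 0)    return LDAP_OPT_X_TLS_TRY;
    return -1;
}

/* Handshake outcome for a given setting, following the TLS_REQCERT
 * semantics in ldap.conf(5). Returns 1 if the session proceeds, 0 if the
 * client terminates it (what the reporter observed as an "unknown CA"
 * alert on the server side). */
int session_proceeds(int opt, enum server_cert presented)
{
    switch (opt) {
    case LDAP_OPT_X_TLS_NEVER:   /* certificate neither requested nor checked */
        return 1;
    case LDAP_OPT_X_TLS_ALLOW:   /* bad certificate ignored, missing one tolerated */
        return 1;
    case LDAP_OPT_X_TLS_TRY:     /* missing tolerated, bad certificate is fatal */
        return presented != CERT_UNVERIFIABLE;
    case LDAP_OPT_X_TLS_HARD:    /* hard and demand are equivalent: a */
    case LDAP_OPT_X_TLS_DEMAND:  /* certificate is required and must verify */
        return presented == CERT_VERIFIED;
    default:
        return 0;                /* unknown option value: fail closed */
    }
}

/* Whether the setting actually authenticates the directory server. Only
 * hard/demand do; never and allow accept any peer, and try only fails when
 * a certificate is offered and bad, so the LDAP bind credentials (USER/PASS
 * in the lookup above) travel to whoever answers on port 389. */
int authenticates_server(int opt)
{
    return opt == LDAP_OPT_X_TLS_HARD || opt == LDAP_OPT_X_TLS_DEMAND;
}

int main(void)
{
    /* Constructed scenario matching the report: a self-signed server
     * certificate the client cannot verify, under each keyword. */
    const char *settings[] = { "never", "allow", "try", "demand", "hard" };
    for (size_t i = 0; i < sizeof settings / sizeof settings[0]; i++) {
        int opt = require_cert_option(settings[i]);
        printf("%-7s + unverifiable cert -> %s; server authenticated: %s\n",
               settings[i],
               session_proceeds(opt, CERT_UNVERIFIABLE) ? "session proceeds"
                                                        : "session terminated",
               authenticates_server(opt) ? "yes" : "no");
    }
    return 0;
}
```

Reading the table the program prints against the report: with "allow" the session should proceed despite the self-signed certificate, while "try" terminates it, which is exactly the symptom described when the configured keyword is not the one actually applied. From a defender's point of view the same table shows why "allow" and "never" are only acceptable for a test bench: neither authenticates the directory, so the preferred production fix is to make the server certificate verifiable and keep "demand".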