We had a bit of difficulty yesterday with LDAP / Active Directory authentication within Exim. Sending mail via SMTP with authentication was timing out and it looked like a TLS error.
2013-10-01 14:39:12 [17013] TLS error on connection from blahblahblah (ehloname) [192.168.1.3]:52031 I=[192.168.6.51]:587 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
We got to the bottom of the problem by running exim in debug mode as the logs were not giving enough details.
Stop the service (‘service exim stop’) and start it by hand with:
exim -bd -d -oX 25
Here -bd starts Exim as a listening daemon, -d turns on debugging output (it goes to stderr, and the daemon stays in the foreground instead of detaching), and -oX 25 tells the daemon to listen on port 25 rather than the ports configured in daemon_smtp_ports; a side effect of -oX is that no PID file is written unless -oP is also given. The log line above shows the failing connections arriving on the submission port, so use -oX 587 if you want to reproduce exactly that path, and -d+all if the default debug selection is too terse to show the LDAP lookups.
Some excerpts from exim.conf showing the LDAP / Active Directory authentication config are below. Our problem yesterday was that ldap1.domain.uk (the first entry in ldap_default_servers) was experiencing problems but was still being used by Exim for authentication, even though the server_condition line has the IP address of another server hard-coded. The reason is visible in the config: the ldapauth in server_condition does name 192.168.1.50, but before Exim can run it, it has to expand LDAP_AUTH_LOGIN_USER, and that pulls in the ldapdn lookup in LDAP_AUTH_LOGIN_EXPR, whose query starts with ldap:/// and names no host. A query with no host goes to ldap_default_servers, in list order, so every login attempt asked the ailing ldap1 for the user's DN first. Exim only moves on to the next server in the list when it cannot talk to the current one; a server that accepts the connection and then answers slowly or not at all holds up the lookup, and with it the SMTP session, which is what the clients saw as a timeout.
ldap_default_servers = ldap1.domain.uk::389:\
ldap2.domain.uk::389
LDAP_BASE = dc=ad,dc=domain,dc=uk
LDAP_AUTH_QUERY = ldap:///LDAP_BASE?cn?sub?(sAMAccountName=$auth1)
LDAP_AUTH_LOGIN_QUERY = ldap:///LDAP_BASE?cn?sub?(sAMAccountName=$auth1)
LDAP_USER = user="adauthuser@ad.domain.uk" pass="t0psecret"
LDAP_AUTH_LOGIN_EXPR = ${lookup ldapdn {LDAP_USER LDAP_AUTH_LOGIN_QUERY}{$value}}
LDAP_AUTH_LOGIN_USER = user=${quote:LDAP_AUTH_LOGIN_EXPR} pass=$auth2
fixed_login:
  driver = plaintext
  public_name = LOGIN
  # Only advertise LOGIN once STARTTLS is up, so the credentials never cross the wire in clear
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
  server_prompts = "Username:: : Password::"
  # The ldapauth bind goes to the hard-coded server; the DN lookup it depends on does not
  server_condition = ${if and{{ldapauth {LDAP_AUTH_LOGIN_USER ldap://192.168.1.50/LDAP_BASE}}{!eq{LDAP_AUTH_LOGIN_EXPR}{}}}{yes}{no}}
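For comparison, here is the same authenticator rewritten the way a reviewer would ask for it. This is an added example, not the configuration from the original post. It keeps the post's hostnames, base DN and bind account; it assumes an Exim recent enough to support the ldap_start_tls option and the CONNECT= and TIME= lookup parameters, and that the domain controllers accept StartTLS on port 389.

```exim
# Added example, not the original post's exim.conf.
# Assumes: ldap_start_tls and CONNECT=/TIME= are supported by this Exim,
# and the DCs accept StartTLS on 389.

ldap_default_servers = ldap1.domain.uk::389:\
                       ldap2.domain.uk::389

# Upgrade every plain ldap:// connection to TLS before any bind, so neither the
# service account's password nor the user's password travels in clear text.
ldap_start_tls = true

LDAP_BASE = dc=ad,dc=domain,dc=uk
LDAP_BIND = user="adauthuser@ad.domain.uk" pass="t0psecret"

# $auth1 is whatever the SMTP client typed as the username, so escape it before
# it is spliced into the filter. quote_ldap turns * ( ) \ and NUL into \2a, \28,
# \29, \5c and \00; without it a login name such as  *)(objectClass=*  changes
# the filter instead of being matched as a literal value.
LDAP_DN_QUERY = ldap:///LDAP_BASE?cn?sub?(sAMAccountName=${quote_ldap:$auth1})

# This lookup names no host, so it goes to ldap_default_servers in order.
# CONNECT= and TIME= bound the wait, so a DC that accepts the TCP connection but
# never answers cannot hold the SMTP session open until the client gives up.
LDAP_DN_EXPR = ${lookup ldapdn {CONNECT=5 TIME=10 LDAP_BIND LDAP_DN_QUERY}{$value}}

fixed_login:
  driver = plaintext
  public_name = LOGIN
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
  server_prompts = "Username:: : Password::"
  # Order matters: refuse an empty password before binding, because AD treats a
  # bind with a DN and an empty password as an unauthenticated bind and reports
  # success; refuse an unknown user (empty DN) before binding for the same reason.
  # pass= is wrapped in ${quote:} so a password containing a space or quote does
  # not break the parsing of the ldapauth query.
  server_condition = ${if and{ \
        {!eq{$auth2}{}} \
        {!eq{LDAP_DN_EXPR}{}} \
        {ldapauth{CONNECT=5 TIME=10 \
                  user=${quote:LDAP_DN_EXPR} pass=${quote:$auth2} \
                  ldap://192.168.1.50/LDAP_BASE}} \
      }{yes}{no}}
  # Record the login name in the log line (A=fixed_login:<user>), which is what
  # you need when tracing a failed or abused account later.
  server_set_id = $auth1
```

Two further points on the same fragment. The bind account's password sits in exim.conf in clear, so the file must not be world-readable, and the account should be one with read-only directory rights that is used for nothing else. And because ldapauth is just an LDAP bind, the DN lookup and the bind should talk to the same set of servers; the original had one path pinned to 192.168.1.50 and the other quietly falling back to ldap_default_servers, which is how a broken first entry in that list took authentication down.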