Exim Troubleshooting

We had a bit of difficulty yesterday with LDAP / Active Directory authentication within Exim. Sending mail via SMTP with authentication was timing out and it looked like a TLS error.

2013-10-01 14:39:12 [17013] TLS error on connection from blahblahblah (ehloname) [192.168.1.3]:52031 I=[192.168.6.51]:587 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

We got to the bottom of the problem by running exim in debug mode as the logs were not giving enough details.
Stop the service ‘service exim stop’ and start it with:
exim -bd -d -oX 25
Where -bd is for daemon mode I think,-d is for debugging, -oX avoids writing the PID to a file, and the 25 is the port you want to listen on.

Some excerpts from the exim.conf file are below showing the config for LDAP / Active Directory authentication. Our problem yesterday was that ldap1.domain.uk (specified in the ldap_default_servers variable) was experiencing problems but was still being used by Exim for authentication despite the IP address for another server hard-coded in the server_condition line.

ldap_default_servers = ldap1.domain.uk::389:\
ldap2.domain.uk::389

LDAP_BASE = dc=ad,dc=domain,dc=uk
LDAP_AUTH_QUERY = ldap:///LDAP_BASE?cn?sub?(sAMAccountName=$auth1)
LDAP_AUTH_LOGIN_QUERY = ldap:///LDAP_BASE?cn?sub?(sAMAccountName=$auth1)

LDAP_USER = user="adauthuser@ad.domain.uk" pass="t0psecret"
LDAP_AUTH_LOGIN_EXPR = ${lookup ldapdn {LDAP_USER LDAP_AUTH_LOGIN_QUERY}{$value}}
LDAP_AUTH_LOGIN_USER = user=${quote:LDAP_AUTH_LOGIN_EXPR} pass=$auth2

fixed_login:
driver = plaintext
public_name = LOGIN
server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
server_prompts = "Username:: : Password::"
server_condition = ${if and{{ldapauth {LDAP_AUTH_LOGIN_USER ldap://192.168.1.50/LDAP_BASE}}{!eq{LDAP_AUTH_LOGIN_EXPR}{}}}{yes}{no}}

Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>