You’ve set up a brand new Debian machine and installed the Exim MTA. Because this server is Internet-facing, you switched on the options to allow TLS with authentication so your users can securely relay mail from their phones and laptops. Your users also have local accounts on the server.
Frustratingly, when users try and send relay mail it fails and the /var/log/exim4/mainlog is filled with messages like this:
2011-03-22 18:12:57 TLS error on connection from vk6hgr.echidna.id.au [203.59.134.49] (gnutls_handshake): A TLS packet with unexpected length was received.
2011-03-22 18:12:58 login_server authenticator failed for vk6hgr.echidna.id.au (testPC) [203.59.134.49]: 535 Incorrect authentication data (set_id=testuser)
The Exim configuration was copied from another working installation so the log file, especially with the odd TLS error, points perhaps to some sort of library or version problem. Updating exim, gnutls libraries and anything else you think of to try and solve it are fruitless.
The solution is surprisingly simple and in this case the error messages are totally misleading. Authentication is failing because the Debian-exim user that Debian uses for Exim doesn’t have access to read /etc/shadow – and therefore authenticate local users. All you needed to do is add the Debian-exim user to the shadow group.
adduser Debian-exim shadow
Fixed.