Dovecot with MySQL over SSL.

Timo Sirainen timo at sirainen.com
Mon Jul 22 16:05:51 EEST 2019


On 20 Jul 2019, at 23.02, Reio Remma via dovecot <dovecot at dovecot.org> wrote:
> 
> On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:
>> 
>>> On 20/07/2019 21:07 Reio Remma via dovecot <dovecot at dovecot.org> wrote:
>>> 
>>> 
>>> On 20.07.2019 18:03, Aki Tuomi via dovecot wrote: 
>>>> 
>>>>> On 20/07/2019 13:12 Reio Remma via dovecot <dovecot at dovecot.org> wrote:
>>>>> 
>>>>> 
>>>>> On 19.07.2019 0:24, Reio Remma via dovecot wrote:
>>>>>> I'm attempting to get Dovecot working with MySQL user database on
>>>>>> another machine. I can connect to the MySQL (5.7.26) instance with SSL
>>>>>> enabled:
>>>>>> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
>>>>>> --ssl-cert=/etc/dovecot/client-cert.pem
>>>>>> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
>>>>>> -u vmail -p
>>>>>> However if I use the same values in dovecot-sql.conf.ext, I get the
>>>>>> following error:
>>>>>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
>>>>>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>>>>>> error: protocol version mismatch - waiting for 1 seconds before retry
>>>>>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
>>>>>> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
>>>>>> using insecure transport are prohibited while
>>>>>> --require_secure_transport=ON. - waiting for 5 seconds before retry
>>>>>> Database connection string:
>>>>>> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>>>>>>     ssl_ca=/etc/dovecot/ca.pem \
>>>>>>     ssl_cert=/etc/dovecot/client-cert.pem \
>>>>>>     ssl_key=/etc/dovecot/client-key.pem \
>>>>>>     ssl_cipher=DHE-RSA-AES256-SHA
>>>>> Update: I got it to connect successfully now after downgrading the MySQL
>>>>> server tls-version from TLSv1.1 to TLSv1.
>>>>> 
>>>>> Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
>>>>> 
>>>>> Thanks!
>>>>> Reio
>>>> 
>>>> Dovecot mysql uses libmysqlclient. We do not enforce any particular tls protocol version. If it requires you to downgrade I suggest you review your client my.cnf for any restrictions.
>>>> ---
>>>> Aki Tuomi
>>> 
>>> Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37. 
>>> 
>>> Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) from mysql-community-libs-compat 5.7.26 instead of the newer libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26. 
>>> 
>>> If I try to remove the libs-compat, yum also insists on removing dovecot-mysql, so it depends on the older libmysqlclient and ignores the newer one. 
>>> 
>>> I don't suspect I can do anything on my end to force the Dovecot CentOS package to use the non-compat libmysqlclient? 
>>> 
>>> Thanks, 
>>> Reio
>> 
>> What repo are you using?
>> ---
>> Aki Tuomi
> 
> Installed Packages
> dovecot-mysql.x86_64           2:2.3.7-8      @dovecot-2.3-latest
> mysql-community-libs.x86_64    5.7.26-1.el7   @mysql57-community
> 
> Both are from official repos.

dovecot-mysql package is built against the mariadb library that comes with CentOS 7. If you want it to work against other libmysqlclient versions you'd need to compile it yourself: https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/
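
The check discussed in this thread, as an added example that is not part of any message above: a shell function that parses `ldd` output for a Dovecot SQL driver module and reports which libmysqlclient soname it resolves to. The function name, the note labels and the sample `ldd` lines are constructed for illustration; the soname-to-release mapping is the one quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): identify the MySQL client library that a
# Dovecot SQL driver module resolves to, by parsing `ldd` output.
# soname mapping taken from the thread:
#   libmysqlclient.so.18.1.0 = 5.6.37, libmysqlclient.so.20.3.13 = 5.7.26

# stdin:  output of `ldd <module>`
# stdout: "<soname> <resolved path> <note>" for each libmysqlclient entry
# exit:   0 if a libmysqlclient dependency was seen, 1 otherwise
mysql_client_from_ldd() {
    awk '
        $1 ~ /^libmysqlclient(_r)?\.so\.[0-9]+$/ && $2 == "=>" {
            n = split($1, part, ".")
            major = part[n] + 0
            if (major == 18)      note = "5.6-era-client"
            else if (major == 20) note = "5.7-client"
            else                  note = "unmapped"
            # ldd prints "=> not found" when the loader cannot resolve it
            path = ($3 == "not") ? "not-found" : $3
            print $1, path, note
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of ldd output; library paths are illustrative.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007ffd0a5f2000)
	libmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 (0x00007f3a1c000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3a1b800000)'

check_sample() { printf '%s\n' "$SAMPLE_LDD" | mysql_client_from_ldd; }

# Live use: pass the path to the Dovecot mysql driver module (location varies by
# package; not given in the thread), then run `rpm -qf` on the reported path
# to see which package owns the library.
if [ "$#" -ge 1 ]; then
    ldd "$1" | mysql_client_from_ldd
else
    check_sample
fi
```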