On 22.07.2019 16:05, Timo Sirainen via dovecot wrote:
On 20 Jul 2019, at 23.02, Reio Remma via dovecot <dovecot@dovecot.org> wrote:

On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:

On 20/07/2019 21:07 Reio Remma via dovecot <dovecot@dovecot.org> wrote:


On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:

On 20/07/2019 13:12 Reio Remma via dovecot < dovecot@dovecot.org> wrote:


On 19.07.2019 0:24, Reio Remma via dovecot wrote:
I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p
However if I use the same values in dovecot-sql.conf.ext, I get the
following error:
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry
Database connection string:
connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA
Update: I got it to connect successfully now after downgrading the MySQL
server tls-version from TLSv1.1 to TLSv1.

Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio

Dovecot mysql uses libmysqlclient. We do not enforce any particular tls protocol version. If it requires you to downgrade I suggest you review your client my.cnf for any restrictions. 
---
Aki Tuomi

Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37.

Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) from mysql-community-libs-compat 5.7.26 instead of the newer libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.

If I try to remove the libs-compat, yum also insists on removing dovecot-mysql, so it depends on the older libmysqlclient and ignores the newer one.

I don't suspect I can do anything on my end to force the Dovecot CentOS package to use the non-compat libmysqlclient?

Thanks,
Reio

What repo are you using? 
---
Aki Tuomi

Installed Packages
dovecot-mysql.x86_64                                                                                                2:2.3.7-8                                                                                             @dovecot-2.3-latest
mysql-community-libs.x86_64                                                                                         5.7.26-1.el7                                                                                          @mysql57-community

Both are from official repos.

dovecot-mysql package is built against the mariadb library that comes with CentOS 7. If you want it to work against other libmysqlclient versions you'd need to compile it yourself: https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/

Thanks, I'm again one experience richer after compiling Dovecot from the source RPM. Nicely running with TLSv1.1 now.

Thanks!
Reio