TLS Connections Between Dovecot & MariaDB
Hi All,
I'm using a MariaDB backend to a Dovecot server, with TLS required by the MariaDB server for connections.
My sql_dovecot.conf.ext file is using the following connection line:
connect = host=mariadb.example.com dbname=mail_server user=vmail password={REDACTED} ssl_ca=/etc/pki/tls/certs/root_ca.crt
I can't work out from the doco or Google what else I need in that line,
but I suspect it'll be something like:
ssl_cert=/etc/pki/tls/certs/vmail_rsa.pem ssl_key=/etc/pki/tls/certs/vmail_rsa.key
Could someone please confirm this and let me know the actual extra commands/options - thanks
Cheers
Dulux-Oz
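As an added example (not from this thread and not Dovecot's own code), here is a small Python checker for the kind of `connect =` line discussed above. It parses the line into its key=value parameters and flags the TLS gaps a reviewer would look for: no CA pinned, server identity verification not switched on, or a client certificate given without its key (or the reverse). The parameter names it looks for (ssl_ca, ssl_ca_path, ssl_cert, ssl_key, ssl_verify_server_cert) are the ones the Dovecot MySQL driver documents as I understand them; confirm them against the docs for the Dovecot version you actually run. Both sample lines are constructed.

```python
"""Lint a Dovecot 'connect =' line for a TLS-protected MariaDB/MySQL backend.

Added example, not Dovecot code. The parameter names it looks for (ssl_ca,
ssl_ca_path, ssl_cert, ssl_key, ssl_verify_server_cert) are the ones the
Dovecot MySQL driver documents as the author of this example understands
them; confirm them against the docs for your installed Dovecot version.
"""

# Constructed samples: the line as posted in the thread, and one extended with
# a client certificate/key pair and explicit server-identity verification.
CONNECT_AS_POSTED = (
    "connect = host=mariadb.example.com dbname=mail_server user=vmail "
    "password={REDACTED} ssl_ca=/etc/pki/tls/certs/root_ca.crt"
)
CONNECT_HARDENED = (
    CONNECT_AS_POSTED
    + " ssl_cert=/etc/pki/tls/certs/vmail_rsa.pem"
    + " ssl_key=/etc/pki/tls/certs/vmail_rsa.key"
    + " ssl_verify_server_cert=1"
)


def parse_connect(line: str) -> dict[str, str]:
    """Split 'connect = key=value key=value ...' into a dict.

    Dovecot separates the parameters with whitespace, so a plain split is
    enough; a token without '=' is a typo worth failing loudly on.
    """
    lhs, sep, rhs = line.partition("=")
    if not sep or lhs.strip() != "connect":
        raise ValueError("not a 'connect =' line")
    params: dict[str, str] = {}
    for token in rhs.split():
        key, eq, value = token.partition("=")
        if not eq or not key:
            raise ValueError(f"malformed parameter {token!r}")
        params[key] = value
    return params


def tls_findings(params: dict[str, str]) -> list[str]:
    """Return the TLS weaknesses a reviewer would flag in a parsed connect line."""
    findings = []
    if "ssl_ca" not in params and "ssl_ca_path" not in params:
        findings.append("no ssl_ca/ssl_ca_path: the server certificate is not "
                        "checked against a CA you chose")
    if params.get("ssl_verify_server_cert") != "1":
        findings.append("ssl_verify_server_cert is not 1: the client library "
                        "does not check the server's identity against its cert")
    has_cert, has_key = "ssl_cert" in params, "ssl_key" in params
    if has_cert != has_key:
        findings.append("ssl_cert and ssl_key must be given together for "
                        "client-certificate authentication")
    return findings


def with_client_cert(params: dict[str, str], cert: str, key: str) -> str:
    """Render a new connect line with a client cert/key and identity checks on."""
    new = dict(params, ssl_cert=cert, ssl_key=key, ssl_verify_server_cert="1")
    return "connect = " + " ".join(f"{k}={v}" for k, v in new.items())


if __name__ == "__main__":
    for label, line in (("as posted", CONNECT_AS_POSTED), ("hardened", CONNECT_HARDENED)):
        found = tls_findings(parse_connect(line))
        print(f"{label}: {found or 'no TLS findings'}")
    print(with_client_cert(parse_connect(CONNECT_AS_POSTED),
                           "/etc/pki/tls/certs/vmail_rsa.pem",
                           "/etc/pki/tls/certs/vmail_rsa.key"))
```

Run it as a script and it reports that the line as posted pins a CA but does not enable server-identity verification, while the extended line passes. The checker only looks at the line itself: the private key named in ssl_key still has to be readable by the Dovecot auth process and by nothing else, which is a file-permission check outside the config file.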
> I'm using a MariaDB backend to a Dovecot server, with TLS required by the MariaDB server for connections.
> My sql_dovecot.conf.ext file is using the following connection line:
> connect = host=mariadb.example.com dbname=mail_server user=vmail password={REDACTED} ssl_ca=/etc/pki/tls/certs/root_ca.crt
> I can't work out from the doco or Google what else I need in that line, but I suspect it'll be something like:
> ssl_cert=/etc/pki/tls/certs/vmail_rsa.pem ssl_key=/etc/pki/tls/certs/vmail_rsa.key
> Could someone please confirm this and let me know the actual extra commands/options - thanks
Why not add your CA to the OS default?
It is - that's just "belt and braces" stuff (also known as "defence in depth" :-) )
My *real* issue (if I understand things correctly - which, there's a significant chance that I don't) is telling dovecot which TLS certificate to use to connect to the MariaDB back-end.
Mind you, that's *not* the same cert that the users use to connect to dovecot :-)
On 25/1/25 22:07, Marc wrote:
>> I'm using a MariaDB backend to a Dovecot server, with TLS required by the MariaDB server for connections.
>> My sql_dovecot.conf.ext file is using the following connection line:
>> connect = host=mariadb.example.com dbname=mail_server user=vmail password={REDACTED} ssl_ca=/etc/pki/tls/certs/root_ca.crt
>> I can't work out from the doco or Google what else I need in that line, but I suspect it'll be something like:
>> ssl_cert=/etc/pki/tls/certs/vmail_rsa.pem ssl_key=/etc/pki/tls/certs/vmail_rsa.key
>> Could someone please confirm this and let me know the actual extra commands/options - thanks
> Why not add your CA to the OS default?
> It is - that's just "belt and braces" stuff (also known as "defence in depth" :-) )
It is good to limit to just your own CA. I do this with the LDAP. Was just not expecting it from someone having users stored in MariaDB and having virtual users and then worrying about CAs' credibility. If you use a .local you already skip the regular stuff and you only need to worry about intelligence agencies.
> My *real* issue (if I understand things correctly - which, there's a significant chance that I don't) is telling dovecot which TLS certificate to use to connect to the MariaDB back-end.
I don't know, would be even surprised if they support such a thing. That is why I have Unix users, which is all optimized for this type of stuff, and any default application works fine like this.
> Mind you, that's *not* the same cert that the users use to connect to dovecot :-)
I was guessing that ;)
participants (2): duluxoz, Marc