Dovecot with MySQL over SSL.
Hello!
I'm attempting to get Dovecot working with a MySQL user database on another machine. I can connect to the MySQL (5.7.26) instance with SSL enabled:
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem --ssl-cert=/etc/dovecot/client-cert.pem --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA -u vmail -p
However if I use the same values in dovecot-sql.conf.ext, I get the following error:
Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc) starting up for imap, lmtp, sieve (core dumps disabled)
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): Connections using insecure transport are prohibited while --require_secure_transport=ON. - waiting for 5 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): Connections using insecure transport are prohibited while --require_secure_transport=ON. - waiting for 5 seconds before retry
Database connection string:
connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff
ssl_ca=/etc/dovecot/ca.pem
ssl_cert=/etc/dovecot/client-cert.pem
ssl_key=/etc/dovecot/client-key.pem
ssl_cipher=DHE-RSA-AES256-SHA
If I leave the ssl_cipher unset, I get:
Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error: mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection error: Failed to set ciphers to use - waiting for 1 seconds before retry
Any ideas?
Thanks! Reio
On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:
Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37.
Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) from mysql-community-libs-compat 5.7.26 instead of the newer libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.
If I try to remove the libs-compat, yum also insists on removing dovecot-mysql, so it depends on the older libmysqlclient and ignores the newer one.
I don't suspect I can do anything on my end to force the Dovecot CentOS package to use the non-compat libmysqlclient?
Thanks, Reio
On 20 Jul 2019, at 23.02, Reio Remma via dovecot <dovecot@dovecot.org> wrote:
The dovecot-mysql package is built against the mariadb library that comes with CentOS 7. If you want it to work against other libmysqlclient versions you'd need to compile it yourself: https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/
On 18/07/2019 23:24, Reio Remma via dovecot wrote:
One difference between your testing manually with mysql client and the same configuration in dovecot is the "ssl_verify_server_cert" parameter. Dovecot is setting it if it is not specified. So to make the tests the same you should either specify the --ssl_verify_server_cert parameter to mysql or set it to no in the dovecot configuration.
John
On 20.07.2019 17:52, John Fawcett via dovecot wrote:
This works as well:
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem --ssl-cert=/etc/dovecot/client-cert.pem --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA --ssl-mode=VERIFY_IDENTITY -u vmail -p
Protocol mismatch persists when I set ssl_verify_server_cert=no for Dovecot MySQL connection.
Thanks, Reio
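Two points in this thread are easy to get wrong when reproducing the daemon's connection by hand: Dovecot applies ssl_verify_server_cert=yes when the connect string does not set it, and the driver may be linked against a different libmysqlclient than the one the mysql binary uses. The following Python helper is an added example, not Dovecot code: it turns a dovecot-sql.conf.ext "connect =" line into the equivalent mysql CLI invocation (applying that default, and expressing it as --ssl-mode=VERIFY_IDENTITY as in the working command above), and it extracts the client library from "ldd" output of the Dovecot MySQL driver. The connect string, hostname and ldd output below are constructed samples; the option mapping and the driver path mentioned in the usage note are assumptions about the mysql 5.7 client and the CentOS package layout.

```python
"""Reproduce Dovecot's MySQL TLS settings with the mysql CLI (added example).

Not part of Dovecot; the key-to-option mapping assumes the mysql 5.7 client.
"""
import shlex

# Dovecot connect-string keys -> mysql client options (assumed mapping).
_OPTION_MAP = {
    "host": "--host",
    "port": "--port",
    "user": "--user",
    "dbname": "--database",
    "ssl_ca": "--ssl-ca",
    "ssl_cert": "--ssl-cert",
    "ssl_key": "--ssl-key",
    "ssl_cipher": "--ssl-cipher",
}

# Constructed sample connect string (password is a placeholder, never real).
SAMPLE_CONNECT = (
    "host=db.example.test dbname=vmail user=vmail password=REDACTED "
    "ssl_ca=/etc/dovecot/ca.pem ssl_cert=/etc/dovecot/client-cert.pem "
    "ssl_key=/etc/dovecot/client-key.pem ssl_cipher=DHE-RSA-AES256-SHA"
)

# Constructed sample of 'ldd' output for a Dovecot MySQL driver module.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 =>  (0x00007ffd1c3fe000)
\tlibmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 (0x00007f1a00000000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f19ffc00000)
"""


def parse_connect_string(connect):
    """Split Dovecot's 'key=value key=value ...' connect string into a dict."""
    opts = {}
    for token in connect.split():
        if "=" not in token:
            raise ValueError(f"bad token in connect string: {token!r}")
        key, value = token.split("=", 1)
        opts[key] = value
    return opts


def effective_options(opts):
    """Apply the default noted in the thread: ssl_verify_server_cert is
    treated as 'yes' unless the connect string sets it explicitly."""
    merged = dict(opts)
    merged.setdefault("ssl_verify_server_cert", "yes")
    return merged


def to_mysql_argv(connect):
    """Build the mysql argv that exercises the same TLS settings as Dovecot."""
    opts = effective_options(parse_connect_string(connect))
    argv = ["mysql"]
    for key, flag in _OPTION_MAP.items():
        if key in opts:
            argv.append(f"{flag}={opts[key]}")
    # mysql 5.7 expresses server-certificate verification through --ssl-mode.
    if opts["ssl_verify_server_cert"] == "yes":
        argv.append("--ssl-mode=VERIFY_IDENTITY")
    elif "ssl_ca" in opts or "ssl_cert" in opts:
        argv.append("--ssl-mode=REQUIRED")
    # Keep the password off the command line (and out of shell history): prompt.
    if "password" in opts:
        argv.append("-p")
    return argv


def mysql_client_library(ldd_output):
    """Return the resolved path of the MySQL/MariaDB client library from
    'ldd <driver>' output, or None if no such library is linked."""
    for line in ldd_output.splitlines():
        parts = line.split()
        if parts and parts[0].startswith(("libmysqlclient", "libmariadb")):
            # Typical line: 'libmysqlclient.so.18 => /path/libmysqlclient.so.18 (0x...)'
            return parts[2] if len(parts) >= 3 and parts[1] == "=>" else parts[0]
    return None


if __name__ == "__main__":
    print(" ".join(shlex.quote(a) for a in to_mysql_argv(SAMPLE_CONNECT)))
    print("driver links against:", mysql_client_library(SAMPLE_LDD))
```

Run the printed command as the user Dovecot's auth worker runs as, so file permissions on the key and certificate are tested too. For the library check, feed the script real output from ldd on the driver module (on the CentOS package that is assumed to be /usr/lib64/dovecot/libdriver_mysql.so); a libmysqlclient.so.18 result alongside a 5.7 mysql binary reproduces the version split Reio describes, which explains why the CLI and the daemon negotiate TLS differently against the same server.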
Participants (4): Aki Tuomi, John Fawcett, Reio Remma, Timo Sirainen