Dovecot with MySQL over SSL.
Hello!
I'm attempting to get Dovecot working with MySQL user database on another machine. I can connect to the MySQL (5.7.26) instance with SSL enabled:
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem --ssl-cert=/etc/dovecot/client-cert.pem --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA -u vmail -p
However if I use the same values in dovecot-sql.conf.ext, I get the following error:
Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc) starting up for imap, lmtp, sieve (core dumps disabled)
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): Connections using insecure transport are prohibited while --require_secure_transport=ON. - waiting for 5 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): Connections using insecure transport are prohibited while --require_secure_transport=ON. - waiting for 5 seconds before retry
Database connection string:
connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff
ssl_ca=/etc/dovecot/ca.pem
ssl_cert=/etc/dovecot/client-cert.pem
ssl_key=/etc/dovecot/client-key.pem
ssl_cipher=DHE-RSA-AES256-SHA
If I leave the ssl_cipher unset, I get:
Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error: mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection error: Failed to set ciphers to use - waiting for 1 seconds before retry
Any ideas?
Thanks! Reio
On 19.07.2019 0:24, Reio Remma via dovecot wrote:
Update: I got it to connect successfully now after downgrading the MySQL server tls-version from TLSv1.1 to TLSv1.
Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
Thanks! Reio
On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:
Dovecot mysql uses libmysqlclient. We do not enforce any particular tls protocol version. If it requires you to downgrade I suggest you review your client my.cnf for any restrictions.
Aki Tuomi
Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37.
Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) from mysql-community-libs-compat 5.7.26 instead of the newer libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.
If I try to remove the libs-compat, yum also insists on removing dovecot-mysql, so it depends on the older libmysqlclient and ignores the newer one.
I don't suspect I can do anything on my end to force the Dovecot CentOS package to use the non-compat libmysqlclient?
Thanks, Reio
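A check that ties the two questions raised above together (which TLS version the server will actually negotiate, and which client library each consumer on the Dovecot host is loaded with), written here as an added example; it is not part of the thread and not Dovecot's or MySQL's own tooling. It assumes the MySQL 5.7 command-line client (the --tls-version option exists from 5.7.10), RPM-based package management as on CentOS 7, and that the Dovecot SQL driver lives at /usr/lib64/dovecot/libdriver_mysql.so; DRIVER, DB_HOST, DB_USER, SSL_OPTS and the MYSQL_PWD environment variable are placeholders for the reader's own values, defaulting to the paths and names used in the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare what the mysql CLI and the
# Dovecot SQL driver are really linked against, then ask the server which TLS
# version it negotiates when the client is pinned to exactly one version.
# Assumptions: MySQL 5.7 client (--tls-version needs 5.7.10+, --ssl-mode 5.7.11+),
# RPM packaging, and the driver path below. Export MYSQL_PWD for the password.

DRIVER=${DRIVER:-/usr/lib64/dovecot/libdriver_mysql.so}   # assumed location
DB_HOST=${DB_HOST:-db.mrst.ee}
DB_USER=${DB_USER:-vmail}
# Client certificate options from the thread; override if the account needs others.
SSL_OPTS=${SSL_OPTS:-"--ssl-ca=/etc/dovecot/ca.pem --ssl-cert=/etc/dovecot/client-cert.pem --ssl-key=/etc/dovecot/client-key.pem"}

# From `ldd` output on stdin, print the resolved MySQL or MariaDB client library.
# The SONAME alone already tells the generation: libmysqlclient.so.18 is the
# 5.6-era compat library, .so.20 is 5.7, libmariadb.so.3 is MariaDB Connector/C.
client_lib_from_ldd() {
    awk '($1 ~ /^libmysqlclient/ || $1 ~ /^libmariadb/) && $2 == "=>" { print $3; exit }'
}

# From `mysql -Nse "SHOW SESSION STATUS LIKE 'Ssl_version'"` output on stdin,
# print only the negotiated protocol (e.g. TLSv1.1); empty means no TLS.
negotiated_tls() {
    awk '$1 == "Ssl_version" { print $2 }'
}

# Which client library does a binary or shared object load, and which RPM owns it?
show_client_lib() {
    lib=$(ldd "$1" 2>/dev/null | client_lib_from_ldd)
    if [ -z "$lib" ]; then
        echo "$1: no MySQL client library linked"
        return 1
    fi
    echo "$1: $lib ($(rpm -qf "$lib" 2>/dev/null || echo unpackaged))"
}

# Pin the CLI to one TLS version and report what the server negotiated.
# Prints "TLSv1.1: TLSv1.1" on success, "TLSv1.1: refused" when the handshake
# fails (the same situation the auth-worker logs as "protocol version mismatch").
probe_tls() {
    got=$(mysql -h "$DB_HOST" -u "$DB_USER" $SSL_OPTS --ssl-mode=REQUIRED \
            --tls-version="$1" -Nse "SHOW SESSION STATUS LIKE 'Ssl_version'" 2>/dev/null \
          | negotiated_tls)
    echo "$1: ${got:-refused}"
}

if [ "${1:-}" = "--run" ]; then
    show_client_lib "$(command -v mysql)"
    show_client_lib "$DRIVER"
    for v in TLSv1 TLSv1.1 TLSv1.2; do probe_tls "$v"; done
fi
```

Run it as `MYSQL_PWD=... sh probe-mysql-tls.sh --run`. If the first two lines show the mysql binary on libmysqlclient.so.20 and the Dovecot driver on libmysqlclient.so.18 or on a mariadb-libs library, the CLI and Dovecot are not exercising the same TLS stack, so a version the CLI negotiates says nothing about what the driver's library can do. The probe rows show what the server side accepts, so they tell you whether a downgrade of the server's tls-version was needed at all or only the client library is the limit.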
On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:
What repo are you using?
Aki Tuomi
Installed Packages
dovecot-mysql.x86_64          2:2.3.7-8       @dovecot-2.3-latest
mysql-community-libs.x86_64   5.7.26-1.el7    @mysql57-community
Both are from official repos.
Thanks, Reio
On 20 Jul 2019, at 23.02, Reio Remma via dovecot dovecot@dovecot.org wrote:
dovecot-mysql package is built against the mariadb library that comes with CentOS 7. If you want it to work against other libmysqlclient versions you'd need to compile it yourself: https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/
On 22.07.2019 16:05, Timo Sirainen via dovecot wrote:
Thanks, I'm again one experience richer after compiling Dovecot from the source RPM. Nicely running with TLSv1.1 now.
Thanks! Reio
On 18/07/2019 23:24, Reio Remma via dovecot wrote:
One difference between your testing manually with mysql client and the same configuration in dovecot is the "ssl_verify_server_cert" parameter. Dovecot is setting it if it is not specified. So to make the tests the same you should either specify the --ssl_verify_server_cert parameter to mysql or set it to no in the dovecot configuration.
John
On 20.07.2019 17:52, John Fawcett via dovecot wrote:
This works as well:
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem --ssl-cert=/etc/dovecot/client-cert.pem --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA --ssl-mode=VERIFY_IDENTITY -u vmail -p
Protocol mismatch persists when I set ssl_verify_server_cert=no for Dovecot MySQL connection.
Thanks, Reio