Dovecot with MySQL over SSL.

Reio Remma reio at mrstuudio.ee
Sat Jul 20 20:08:40 EEST 2019


On 20.07.2019 17:52, John Fawcett via dovecot wrote:
> On 18/07/2019 23:24, Reio Remma via dovecot wrote:
>> Hello!
>>
>> I'm attempting to get Dovecot working with MySQL user database on
>> another machine. I can connect to the MySQL (5.7.26) instance with SSL
>> enabled:
>>
>>   mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
>> --ssl-cert=/etc/dovecot/client-cert.pem
>> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
>> -u vmail -p
>>
>> However if I use the same values in dovecot-sql.conf.ext, I get the
>> following error:
>>
>> Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc)
>> starting up for imap, lmtp, sieve (core dumps disabled)
>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>> error: protocol version mismatch - waiting for 1 seconds before retry
>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>> error: protocol version mismatch - waiting for 1 seconds before retry
>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
>> using insecure transport are prohibited while
>> --require_secure_transport=ON. - waiting for 5 seconds before retry
>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
>> using insecure transport are prohibited while
>> --require_secure_transport=ON. - waiting for 5 seconds before retry
>>
>> Database connection string:
>>
>> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>>      ssl_ca=/etc/dovecot/ca.pem \
>>      ssl_cert=/etc/dovecot/client-cert.pem \
>>      ssl_key=/etc/dovecot/client-key.pem \
>>      ssl_cipher=DHE-RSA-AES256-SHA
>>
>> If I leave the ssl_cipher unset, I get:
>>
>> Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>> error: Failed to set ciphers to use - waiting for 1 seconds before retry
>>
>> Any ideas?
>>
>> Thanks!
>> Reio
> One difference between your testing manually with mysql client and the
> same configuration in dovecot is the "ssl_verify_server_cert" parameter.
> Dovecot is setting it if it is not specified. So to make the tests the
> same you should either specify the --ssl_verify_server_cert parameter to
> mysql or set it to no in the dovecot configuration.
>
> John

This works as well:

mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
--ssl-mode=VERIFY_IDENTITY -u vmail -p

Protocol mismatch persists when I set ssl_verify_server_cert=no for 
Dovecot MySQL connection.

Thanks,
Reio
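The two `connect =` values discussed in this thread (with and without `ssl_cipher`) differ only in which TLS-related keys are present, and the reply about `ssl_verify_server_cert` shows how easy it is to overlook a key that is not written down. The script below is an added illustration, not part of the thread and not Dovecot's own parser: it assumes the `connect` value is whitespace-separated `key=value` pairs, that a trailing backslash continues the value on the next line (as in the quoted config), and the checks it reports are a reviewer's checklist built from this thread, not Dovecot's validation rules.

```python
"""Parse a Dovecot SQL `connect =` value and report its TLS posture.

Added illustration for the thread above; not Dovecot's own parser. Assumes
whitespace-separated key=value pairs and backslash-newline continuation.
"""

# Constructed from the quoted dovecot-sql.conf.ext configuration (first case).
CONNECT_WITH_CIPHER = """host=db.mrst.ee dbname=vmail user=vmail password=stuff \\
     ssl_ca=/etc/dovecot/ca.pem \\
     ssl_cert=/etc/dovecot/client-cert.pem \\
     ssl_key=/etc/dovecot/client-key.pem \\
     ssl_cipher=DHE-RSA-AES256-SHA"""

# Same value with ssl_cipher left unset (second case in the thread).
CONNECT_NO_CIPHER = CONNECT_WITH_CIPHER.rsplit("\\\n", 1)[0]


def parse_connect(value: str) -> dict:
    """Join backslash-continued lines, then split into key=value pairs."""
    joined = value.replace("\\\n", " ")
    settings = {}
    for token in joined.split():
        if "=" not in token:
            raise ValueError(f"not a key=value pair: {token!r}")
        key, _, val = token.partition("=")
        settings[key] = val
    return settings


def tls_findings(settings: dict) -> list:
    """Reviewer's checklist for the TLS keys (assumed checks, not Dovecot's)."""
    findings = []
    if "ssl_ca" not in settings:
        findings.append("no ssl_ca: the server certificate cannot be validated")
    have_cert, have_key = "ssl_cert" in settings, "ssl_key" in settings
    if have_cert != have_key:
        findings.append("ssl_cert and ssl_key must both be set to present a client certificate")
    verify = settings.get("ssl_verify_server_cert")
    if verify is None:
        findings.append("ssl_verify_server_cert not set explicitly; behaviour follows Dovecot's default")
    elif verify == "no":
        findings.append("ssl_verify_server_cert=no: the name in the server certificate is not checked")
    if "ssl_cipher" in settings:
        findings.append(f"ssl_cipher pins a single suite ({settings['ssl_cipher']}); the server must offer it")
    if "password" in settings:
        findings.append("password is stored inline: keep the config file readable only by root/dovecot")
    return findings


if __name__ == "__main__":
    for label, raw in (("with cipher", CONNECT_WITH_CIPHER), ("no cipher", CONNECT_NO_CIPHER)):
        cfg = parse_connect(raw)
        print(f"[{label}] keys: {', '.join(sorted(cfg))}")
        for line in tls_findings(cfg):
            print("  -", line)
```

Run it as-is to see the two configurations side by side; to lint a real file, paste the value of `connect` into `parse_connect` and add or drop checks as your own policy requires (for example, treating an unset `ssl_verify_server_cert` as a hard failure rather than a note).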
