Dovecot with MySQL over SSL.

Reio Remma reio at mrstuudio.ee
Sun Jul 21 01:02:23 EEST 2019


On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:
>
>> On 20/07/2019 21:07 Reio Remma via dovecot <dovecot at dovecot.org> wrote:
>>
>>
>> On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:
>>>
>>>> On 20/07/2019 13:12 Reio Remma via dovecot <dovecot at dovecot.org> wrote:
>>>>
>>>>
>>>> On 19.07.2019 0:24, Reio Remma via dovecot wrote:
>>>>> I'm attempting to get Dovecot working with MySQL user database on
>>>>> another machine. I can connect to the MySQL (5.7.26) instance with SSL
>>>>> enabled:
>>>>> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
>>>>> --ssl-cert=/etc/dovecot/client-cert.pem
>>>>> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
>>>>> -u vmail -p
>>>>> However if I use the same values in dovecot-sql.conf.ext, I get the
>>>>> following error:
>>>>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
>>>>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>>>>> error: protocol version mismatch - waiting for 1 seconds before retry
>>>>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
>>>>> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
>>>>> using insecure transport are prohibited while
>>>>> --require_secure_transport=ON. - waiting for 5 seconds before retry
>>>>> Database connection string:
>>>>> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>>>>>     ssl_ca=/etc/dovecot/ca.pem \
>>>>>     ssl_cert=/etc/dovecot/client-cert.pem \
>>>>>     ssl_key=/etc/dovecot/client-key.pem \
>>>>>     ssl_cipher=DHE-RSA-AES256-SHA
>>>> Update: I got it to connect successfully now after downgrading the MySQL
>>>> server tls-version from TLSv1.1 to TLSv1.
>>>>
>>>> Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
>>>>
>>>> Thanks!
>>>> Reio
>>>
>>> Dovecot mysql uses libmysqlclient. We do not enforce any particular 
>>> tls protocol version. If it requires you to downgrade I suggest you 
>>> review your client my.cnf for any restrictions.
>>> ---
>>> Aki Tuomi
>>
>> Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 
>> versions on both systems, it seems Dovecot is using libmysqlclient 
>> 5.6.37.
>>
>> Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) 
>> from mysql-community-libs-compat 5.7.26 instead of the newer 
>> libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.
>>
>> If I try to remove the libs-compat, yum also insists on removing 
>> dovecot-mysql, so it depends on the older libmysqlclient and ignores 
>> the newer one.
>>
>> I don't suspect I can do anything on my end to force the Dovecot 
>> CentOS package to use the non-compat libmysqlclient?
>>
>> Thanks,
>> Reio 
>
> What repo are you using?
> ---
> Aki Tuomi

Installed Packages
dovecot-mysql.x86_64 2:2.3.7-8 @dovecot-2.3-latest
mysql-community-libs.x86_64 5.7.26-1.el7 @mysql57-community

Both are from official repos.

Thanks,
Reio
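
Added example, not part of the original message or of Dovecot: a small shell check for which libmysqlclient a Dovecot SQL driver module is linked against, using the soname-to-version pairs reported in this thread (libmysqlclient.so.18 = 5.6.37 compat, libmysqlclient.so.20 = 5.7.26). The module path in the usage comment and the sample `ldd` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Reads `ldd` output on stdin and reports the libmysqlclient soname it finds.
# Typical use (module path is an assumption; adjust to your package layout):
#   ldd /usr/lib64/dovecot/libdriver_mysql.so | classify_mysqlclient

# Constructed sample of ldd output for a module linked to the compat library.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffc00000000)
	libmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 (0x00007f0000000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'

# Print the first libmysqlclient soname in the ldd listing, or nothing.
mysqlclient_soname() {
    awk '$1 ~ /^libmysqlclient(_r)?\.so\.[0-9]+$/ { print $1; exit }'
}

# Print "<soname> <label>", where the label follows the versions named in
# the thread: .so.18 is the 5.6 compat client, .so.20 is the 5.7 client.
classify_mysqlclient() {
    soname=$(mysqlclient_soname)
    case "$soname" in
        "")      echo "none" ;;
        *.so.18) echo "$soname compat-5.6" ;;
        *.so.20) echo "$soname 5.7" ;;
        *)       echo "$soname unknown" ;;
    esac
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LDD" | classify_mysqlclient
```

A "compat-5.6" result means the client library version differs from the installed MySQL 5.7 packages, so TLS behaviour seen with the `mysql` command-line client may not match what Dovecot negotiates.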