Dovecot with MySQL over SSL.

Reio Remma reio at mrstuudio.ee
Mon Jul 22 20:49:19 EEST 2019


On 22.07.2019 16:05, Timo Sirainen via dovecot wrote:
> On 20 Jul 2019, at 23.02, Reio Remma via dovecot <dovecot at dovecot.org> wrote:
>>
>> On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:
>>>
>>>> On 20/07/2019 21:07 Reio Remma via dovecot <dovecot at dovecot.org> wrote:
>>>>
>>>>
>>>> On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:
>>>>>
>>>>>> On 20/07/2019 13:12 Reio Remma via dovecot <dovecot at dovecot.org> wrote:
>>>>>>
>>>>>>
>>>>>> On 19.07.2019 0:24, Reio Remma via dovecot wrote:
>>>>>>> I'm attempting to get Dovecot working with MySQL user database on
>>>>>>> another machine. I can connect to the MySQL (5.7.26) instance
>>>>>>> with SSL enabled:
>>>>>>>
>>>>>>> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem \
>>>>>>>   --ssl-cert=/etc/dovecot/client-cert.pem \
>>>>>>>   --ssl-key=/etc/dovecot/client-key.pem \
>>>>>>>   --ssl-cipher=DHE-RSA-AES256-SHA \
>>>>>>>   -u vmail -p
>>>>>>>
>>>>>>> However if I use the same values in dovecot-sql.conf.ext, I get the
>>>>>>> following error:
>>>>>>>
>>>>>>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection error: protocol version mismatch - waiting for 1 seconds before retry
>>>>>>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): Connections using insecure transport are prohibited while --require_secure_transport=ON. - waiting for 5 seconds before retry
>>>>>>>
>>>>>>> Database connection string:
>>>>>>>
>>>>>>> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>>>>>>>   ssl_ca=/etc/dovecot/ca.pem \
>>>>>>>   ssl_cert=/etc/dovecot/client-cert.pem \
>>>>>>>   ssl_key=/etc/dovecot/client-key.pem \
>>>>>>>   ssl_cipher=DHE-RSA-AES256-SHA
>>>>>> Update: I got it to connect successfully now after downgrading the
>>>>>> MySQL server tls-version from TLSv1.1 to TLSv1.
>>>>>>
>>>>>> Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
>>>>>>
>>>>>> Thanks!
>>>>>> Reio
>>>>>
>>>>> Dovecot mysql uses libmysqlclient. We do not enforce any particular
>>>>> TLS protocol version. If it requires you to downgrade, I suggest you
>>>>> review your client my.cnf for any restrictions.
>>>>> ---
>>>>> Aki Tuomi
>>>>
>>>> Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26
>>>> versions on both systems, it seems Dovecot is using libmysqlclient
>>>> 5.6.37.
>>>>
>>>> Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37)
>>>> from mysql-community-libs-compat 5.7.26 instead of the newer
>>>> libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.
>>>>
>>>> If I try to remove the libs-compat, yum also insists on removing
>>>> dovecot-mysql, so it depends on the older libmysqlclient and ignores
>>>> the newer one.
>>>>
>>>> I don't suppose I can do anything on my end to force the Dovecot
>>>> CentOS package to use the non-compat libmysqlclient?
>>>>
>>>> Thanks,
>>>> Reio 
>>>
>>> What repo are you using?
>>> ---
>>> Aki Tuomi
>>
>> Installed Packages
>> dovecot-mysql.x86_64 2:2.3.7-8 @dovecot-2.3-latest
>> mysql-community-libs.x86_64 5.7.26-1.el7 @mysql57-community
>>
>> Both are from official repos.
>
> The dovecot-mysql package is built against the mariadb library that comes
> with CentOS 7. If you want it to work against other libmysqlclient
> versions you'd need to compile it yourself:
> https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/

Thanks, I'm again one experience richer after compiling Dovecot from the
source RPM. Nicely running with TLSv1.1 now.

Thanks!
Reio
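The thread above turns on three things: the `connect =` string in dovecot-sql.conf.ext (with its backslash continuations and ssl_* parameters), the two auth-worker error lines that show the difference between "SSL negotiated but the protocol version did not match" and "no SSL at all while the server requires it", and which libmysqlclient shared object the dovecot-mysql driver is actually linked against. The script below is an added example, not code from the thread or from the Dovecot project: it parses a constructed dovecot-sql.conf.ext fragment, checks that the three ssl_* file parameters are set together, extracts the MySQL connect failures from constructed auth-worker log lines, and picks the libmysqlclient soname out of constructed `ldd` output. The hostnames, paths and ldd lines are sample values, not taken from any real system.

```python
"""Added example: check Dovecot MySQL SSL settings and related log lines."""
import re
import shlex

# Constructed sample of a dovecot-sql.conf.ext fragment, laid out the way
# the thread shows it: one logical connect= line split with backslashes.
SAMPLE_CONF = r"""
driver = mysql
connect = host=db.example.test dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA
password_query = SELECT password FROM users WHERE email = '%u'
"""

# Constructed auth-worker log lines modelled on the two errors in the thread,
# plus one unrelated line that the scanner must ignore.
SAMPLE_LOG = """\
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: mysql(db.example.test): Connect failed to database (vmail): SSL connection error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: mysql(db.example.test): Connect failed to database (vmail): Connections using insecure transport are prohibited while --require_secure_transport=ON. - waiting for 5 seconds before retry
Jul 19 00:20:25 turin dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10
"""

# Constructed `ldd` output for a dovecot-mysql driver library; the path and
# addresses are made up, the soname mirrors the compat library in the thread.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 =>  (0x00007ffd1d5f2000)
\tlibmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 (0x00007f0c3a0a0000)
\tlibssl.so.10 => /lib64/libssl.so.10 (0x00007f0c39e30000)
"""

SSL_FILE_KEYS = ("ssl_ca", "ssl_cert", "ssl_key")

LOG_PATTERN = re.compile(
    r"auth-worker\((?P<pid>\d+)\): Error: mysql\((?P<host>[^)]+)\): "
    r"Connect failed to database \((?P<db>[^)]+)\): (?P<reason>.*?)"
    r" - waiting for (?P<wait>\d+) seconds before retry"
)


def parse_conf(text):
    """Return {setting: value} for a conf fragment, joining '\\'-continued lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    settings = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_connect(connect):
    """Split 'host=... dbname=...' into a dict; shlex keeps quoted values intact."""
    params = {}
    for token in shlex.split(connect):
        key, _, value = token.partition("=")
        params[key] = value
    return params


def check_ssl(params):
    """Findings about the SSL parameters; an empty list means all three are set."""
    if not any(k in params for k in SSL_FILE_KEYS):
        return ["no ssl_* parameters: the database connection will be plaintext"]
    return [f"{k} missing (set ssl_ca, ssl_cert and ssl_key together)"
            for k in SSL_FILE_KEYS if k not in params]


def scan_log(text):
    """Return one dict (pid, host, db, reason, wait) per MySQL connect failure."""
    return [m.groupdict() for line in text.splitlines()
            if (m := LOG_PATTERN.search(line))]


def mysql_client_soname(ldd_output):
    """Return (soname, path) of the libmysqlclient the binary resolves to."""
    m = re.search(r"(libmysqlclient\.so\.\d+)\s*=>\s*(\S+)", ldd_output)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    params = parse_connect(parse_conf(SAMPLE_CONF)["connect"])
    print("ssl findings:", check_ssl(params) or "ok")
    for event in scan_log(SAMPLE_LOG):
        print(f"{event['host']}/{event['db']}: {event['reason']}")
    print("libmysqlclient:", mysql_client_soname(SAMPLE_LDD))
```

To use it against a real host, feed `parse_conf` the contents of dovecot-sql.conf.ext, `scan_log` the mail log, and `mysql_client_soname` the output of `ldd` run on the dovecot-mysql driver library; the soname it reports is what decides which client library (and therefore which TLS versions) Dovecot gets, regardless of what the `mysql` command-line client on the same box links to.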