<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">On 20 Jul 2019, at 23.02, Reio Remma via dovecot &lt;<a href="mailto:dovecot@dovecot.org" class="">dovecot@dovecot.org</a>&gt; wrote:<br class=""><div><blockquote type="cite" class=""><br class="Apple-interchange-newline"><div class="">
  
  
  <div text="#000000" bgcolor="#FFFFFF" class="">
    <div class="moz-cite-prefix">On 20.07.2019 22:37, Aki Tuomi via
      dovecot wrote:<br class="">
    </div>
    <blockquote type="cite" cite="mid:929297881.8212.1563651420028@appsuite-dev-gw2.open-xchange.com" class="">
      <div class=""> <br class="">
      </div>
      <blockquote type="cite" class="">
        <div class=""> On 20/07/2019 21:07 Reio Remma via dovecot
          <a class="moz-txt-link-rfc2396E" href="mailto:dovecot@dovecot.org">&lt;dovecot@dovecot.org&gt;</a> wrote: </div>
        <div class=""> <br class="">
        </div>
        <div class=""> <br class="">
        </div>
        <div class="moz-cite-prefix"> On 20.07.2019 18:03, Aki Tuomi via
          dovecot wrote: <br class="">
        </div>
        <blockquote type="cite" class="">
          <div class=""> <br class="">
          </div>
          <blockquote type="cite" class="">
            <div class=""> On 20/07/2019 13:12 Reio Remma via dovecot &lt;<a href="mailto:dovecot@dovecot.org" moz-do-not-send="true" class="">dovecot@dovecot.org</a>&gt;
              wrote: </div>
            <div class=""> <br class="">
            </div>
            <div class=""> <br class="">
            </div>
            <div class=""> On 19.07.2019 0:24, Reio Remma via dovecot wrote: </div>
            <blockquote type="cite" class="">
              <div class=""> I'm attempting to get Dovecot working with MySQL
                user database on </div>
              <div class=""> another machine. I can connect to the MySQL (5.7.26)
                instance with SSL </div>
              <div class=""> enabled: </div>
            </blockquote>
            <blockquote type="cite" class="">
              <div class=""> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem </div>
              <div class=""> --ssl-cert=/etc/dovecot/client-cert.pem </div>
              <div class=""> --ssl-key=/etc/dovecot/client-key.pem
                --ssl-cipher=DHE-RSA-AES256-SHA </div>
              <div class=""> -u vmail -p </div>
            </blockquote>
            <blockquote type="cite" class="">
              <div class=""> However if I use the same values in
                dovecot-sql.conf.ext, I get the </div>
              <div class=""> following error: </div>
            </blockquote>
            <blockquote type="cite" class="">
              <div class=""> Jul 19 00:20:18 turin dovecot: auth-worker(82996):
                Error: </div>
              <div class=""> mysql(db.mrst.ee): Connect failed to database
                (vmail): SSL connection </div>
              <div class=""> error: protocol version mismatch - waiting for 1
                seconds before retry </div>
              <div class=""> Jul 19 00:20:19 turin dovecot: auth-worker(82996):
                Error: </div>
              <div class=""> mysql(db.mrst.ee): Connect failed to database
                (vmail): Connections </div>
              <div class=""> using insecure transport are prohibited while </div>
              <div class=""> --require_secure_transport=ON. - waiting for 5
                seconds before retry </div>
            </blockquote>
            <blockquote type="cite" class="">
              <div class=""> Database connection string: </div>
            </blockquote>
            <blockquote type="cite" class="">
              <div class=""> connect = host=db.mrst.ee dbname=vmail user=vmail
                password=stuff \ </div>
              <div class="">     ssl_ca=/etc/dovecot/ca.pem \ </div>
              <div class="">     ssl_cert=/etc/dovecot/client-cert.pem \ </div>
              <div class="">     ssl_key=/etc/dovecot/client-key.pem \ </div>
              <div class="">     ssl_cipher=DHE-RSA-AES256-SHA </div>
            </blockquote>
            <div class=""> Update: I got it to connect successfully now after
              downgrading the MySQL </div>
            <div class=""> server tls-version from TLSv1.1 to TLSv1. </div>
            <div class=""> <br class="">
            </div>
            <div class=""> Is there a reason why Dovecot MySQL doesn't support
              TLSv1.1? </div>
            <div class=""> <br class="">
            </div>
            <div class=""> Thanks! </div>
            <div class=""> Reio </div>
          </blockquote>
          <div class=""> <br class="">
          </div>
          <div class=""> Dovecot mysql uses libmysqlclient. We do not enforce any
            particular tls protocol version. If it requires you to
            downgrade I suggest you review your client my.cnf for any
            restrictions. </div>
          <div class="io-ox-signature">
            <pre class="">---
Aki Tuomi</pre>
          </div>
        </blockquote>
        <br class="">
        Thanks Aki! I'm looking at it now and despite identical MySQL
        5.7.26 versions on both systems, it seems Dovecot is using
        libmysqlclient 5.6.37. <br class="">
        <br class="">
        Dovecot seems to be using the older libmysqlclient.so.18.1.0
        (5.6.37) from mysql-community-libs-compat 5.7.26 instead of the
        newer libmysqlclient.so.20.3.13 (5.7.26) from
        mysql-community-libs 5.7.26. <br class="">
        <br class="">
        If I try to remove the libs-compat, yum also insists on removing
        dovecot-mysql, so it depends on the older libmysqlclient and
        ignores the newer one. <br class="">
        <br class="">
        I don't suspect I can do anything on my end to force the Dovecot
        CentOS package to use the non-compat libmysqlclient? <br class="">
        <br class="">
        Thanks, <br class="">
        Reio </blockquote>
      <div class=""> <br class="">
      </div>
      <div class=""> What repo are you using? </div>
      <div class="io-ox-signature">
        <pre class="">---
Aki Tuomi</pre>
      </div>
    </blockquote>
    <br class="">
    Installed Packages<br class="">
    dovecot-mysql.x86_64 2:2.3.7-8 @dovecot-2.3-latest<br class="">
    mysql-community-libs.x86_64 5.7.26-1.el7 @mysql57-community<br class="">
    <br class="">
    Both are from official repos.<br class=""></div></div></blockquote><br class=""></div><div>dovecot-mysql package is built against the mariadb library that comes with CentOS 7. If you want it to work against other libmysqlclient versions you'd need to compile it yourself: <a href="https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/" class="">https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/</a></div><br class=""></body></html>