<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 22.07.2019 16:05, Timo Sirainen via
dovecot wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1E00AF7D-A73A-4B0A-B55B-FF0623F12A6E@sirainen.com">
    On 20 Jul 2019, at 23.02, Reio Remma via dovecot &lt;<a
      href="mailto:dovecot@dovecot.org" class=""
      moz-do-not-send="true">dovecot@dovecot.org</a>&gt; wrote:<br
      class="">
<div>
<blockquote type="cite" class=""><br
class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
<div class="moz-cite-prefix">On 20.07.2019 22:37, Aki
Tuomi via dovecot wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:929297881.8212.1563651420028@appsuite-dev-gw2.open-xchange.com"
class="">
<div class=""> <br class="">
</div>
<blockquote type="cite" class="">
                <div class=""> On 20/07/2019 21:07 Reio Remma via
                  dovecot <a class="moz-txt-link-rfc2396E"
                    href="mailto:dovecot@dovecot.org"
                    moz-do-not-send="true">&lt;dovecot@dovecot.org&gt;</a>
                  wrote: </div>
<div class=""> <br class="">
</div>
<div class=""> <br class="">
</div>
<div class="moz-cite-prefix"> On 20.07.2019 18:03, Aki
Tuomi via dovecot wrote: <br class="">
</div>
<blockquote type="cite" class="">
<div class=""> <br class="">
</div>
<blockquote type="cite" class="">
                    <div class=""> On 20/07/2019 13:12 Reio Remma via
                      dovecot &lt;<a
                        href="mailto:dovecot@dovecot.org"
                        moz-do-not-send="true" class="">dovecot@dovecot.org</a>&gt;
                      wrote: </div>
<div class=""> <br class="">
</div>
<div class=""> <br class="">
</div>
<div class=""> On 19.07.2019 0:24, Reio Remma via
dovecot wrote: </div>
<blockquote type="cite" class="">
<div class=""> I'm attempting to get Dovecot
working with MySQL user database on </div>
<div class=""> another machine. I can connect to
the MySQL (5.7.26) instance with SSL </div>
<div class=""> enabled: </div>
</blockquote>
<blockquote type="cite" class="">
<div class=""> mysql -h db.mrst.ee
--ssl-ca=/etc/dovecot/ca.pem </div>
<div class="">
--ssl-cert=/etc/dovecot/client-cert.pem </div>
<div class="">
--ssl-key=/etc/dovecot/client-key.pem
--ssl-cipher=DHE-RSA-AES256-SHA </div>
<div class=""> -u vmail -p </div>
</blockquote>
<blockquote type="cite" class="">
<div class=""> However if I use the same values
in dovecot-sql.conf.ext, I get the </div>
<div class=""> following error: </div>
</blockquote>
<blockquote type="cite" class="">
<div class=""> Jul 19 00:20:18 turin dovecot:
auth-worker(82996): Error: </div>
<div class=""> mysql(db.mrst.ee): Connect failed
to database (vmail): SSL connection </div>
<div class=""> error: protocol version mismatch
- waiting for 1 seconds before retry </div>
<div class=""> Jul 19 00:20:19 turin dovecot:
auth-worker(82996): Error: </div>
<div class=""> mysql(db.mrst.ee): Connect failed
to database (vmail): Connections </div>
<div class=""> using insecure transport are
prohibited while </div>
<div class=""> --require_secure_transport=ON. -
waiting for 5 seconds before retry </div>
</blockquote>
<blockquote type="cite" class="">
<div class=""> Database connection string: </div>
</blockquote>
<blockquote type="cite" class="">
<div class=""> connect = host=db.mrst.ee
dbname=vmail user=vmail password=stuff \ </div>
<div class=""> ssl_ca=/etc/dovecot/ca.pem \
</div>
<div class="">
ssl_cert=/etc/dovecot/client-cert.pem \ </div>
<div class="">
ssl_key=/etc/dovecot/client-key.pem \ </div>
<div class=""> ssl_cipher=DHE-RSA-AES256-SHA
</div>
</blockquote>
<div class=""> Update: I got it to connect
successfully now after downgrading the MySQL </div>
<div class=""> server tls-version from TLSv1.1 to
TLSv1. </div>
<div class=""> <br class="">
</div>
<div class=""> Is there a reason why Dovecot MySQL
doesn't support TLSv1.1? </div>
<div class=""> <br class="">
</div>
<div class=""> Thanks! </div>
<div class=""> Reio </div>
</blockquote>
<div class=""> <br class="">
</div>
<div class=""> Dovecot mysql uses libmysqlclient. We
do not enforce any particular tls protocol
version. If it requires you to downgrade I suggest
you review your client my.cnf for any
restrictions. </div>
<div class="io-ox-signature">
<pre class="">---
Aki Tuomi</pre>
</div>
</blockquote>
<br class="">
Thanks Aki! I'm looking at it now and despite
identical MySQL 5.7.26 versions on both systems, it
seems Dovecot is using libmysqlclient 5.6.37. <br
class="">
<br class="">
Dovecot seems to be using the older
libmysqlclient.so.18.1.0 (5.6.37) from
mysql-community-libs-compat 5.7.26 instead of the
newer libmysqlclient.so.20.3.13 (5.7.26) from
mysql-community-libs 5.7.26. <br class="">
<br class="">
If I try to remove the libs-compat, yum also insists
on removing dovecot-mysql, so it depends on the older
libmysqlclient and ignores the newer one. <br
class="">
<br class="">
I don't suspect I can do anything on my end to force
the Dovecot CentOS package to use the non-compat
libmysqlclient? <br class="">
<br class="">
Thanks, <br class="">
Reio </blockquote>
<div class=""> <br class="">
</div>
<div class=""> What repo are you using? </div>
<div class="io-ox-signature">
<pre class="">---
Aki Tuomi</pre>
</div>
</blockquote>
<br class="">
Installed Packages<br class="">
dovecot-mysql.x86_64
2:2.3.7-8
@dovecot-2.3-latest<br class="">
mysql-community-libs.x86_64
5.7.26-1.el7
@mysql57-community<br class="">
<br class="">
Both are from official repos.<br class="">
</div>
</div>
</blockquote>
<br class="">
</div>
<div>dovecot-mysql package is built against the mariadb library
that comes with CentOS 7. If you want it to work against other
libmysqlclient versions you'd need to compile it yourself: <a
href="https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/"
class="" moz-do-not-send="true">https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/</a></div>
</blockquote>
<br>
Thanks, I'm again one experience richer after compiling Dovecot from
the source RPM. Nicely running with TLSv1.1 now.<br>
<br>
Thanks!<br>
Reio<br>
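<br>
Added example, not part of the thread and not Dovecot project code: a shell check for which MySQL client library a Dovecot SQL driver is linked against, the mismatch diagnosed above. The driver path, the sample <code>ldd</code> output and the <code>client-5.6</code>/<code>client-5.7</code> labels are assumptions constructed for illustration; the soname-to-version pairs are the two named in the thread.<br>

```shell
#!/bin/sh
# Added example: identify the MySQL/MariaDB client library a shared object
# links against, reading `ldd` output on stdin.

# Constructed sample of `ldd` output for a Dovecot MySQL driver
# (paths and load addresses are made up for this example).
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007ffd5a5f2000)
    libmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 (0x00007f2b1c400000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f2b1c18e000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b1bdc0000)'

# Print "soname path" for every MySQL-family client library found.
# Lines whose first field is not such a library are skipped.
client_libs() {
    awk '$2 == "=>" && $1 ~ /^lib(mysqlclient|mariadb)[^ ]*\.so/ { print $1, $3 }'
}

# Map a soname to the client series reported in the thread:
#   libmysqlclient.so.18.1.0  was 5.6.37 (from the libs-compat package)
#   libmysqlclient.so.20.3.13 was 5.7.26
# Any other soname is reported as unknown rather than guessed.
classify() {
    case "$1" in
        libmysqlclient.so.18|libmysqlclient.so.18.*) echo "client-5.6" ;;
        libmysqlclient.so.20|libmysqlclient.so.20.*) echo "client-5.7" ;;
        *) echo "unknown" ;;
    esac
}

# One line per linked client library: soname, resolved path, series.
report() {
    client_libs | while read -r soname path; do
        printf '%s %s %s\n' "$soname" "$path" "$(classify "$soname")"
    done
}

# On a real host (driver path is an assumption; adjust to the package):
#   ldd /usr/lib64/dovecot/libdriver_mysql.so | report
printf '%s\n' "$SAMPLE_LDD" | report
```

A <code>client-5.6</code> result alongside a 5.7 server is the situation in this thread: the TLS versions offered are decided by the linked client library, not by Dovecot or by the <code>mysql</code> command-line client installed next to it.<br>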
</body>
</html>