<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
      charset=windows-1252">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 22.07.2019 16:05, Timo Sirainen via
      dovecot wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:1E00AF7D-A73A-4B0A-B55B-FF0623F12A6E@sirainen.com">
      On 20 Jul 2019, at 23.02, Reio Remma via dovecot &lt;<a
        href="mailto:dovecot@dovecot.org" class=""
        moz-do-not-send="true">dovecot@dovecot.org</a>&gt; wrote:<br
        class="">
      <div>
        <blockquote type="cite" class=""><br
            class="Apple-interchange-newline">
          <div class="">
            <div text="#000000" bgcolor="#FFFFFF" class="">
              <div class="moz-cite-prefix">On 20.07.2019 22:37, Aki
                Tuomi via dovecot wrote:<br class="">
              </div>
              <blockquote type="cite"
cite="mid:929297881.8212.1563651420028@appsuite-dev-gw2.open-xchange.com"
                class="">
                <div class=""> <br class="">
                </div>
                <blockquote type="cite" class="">
                  <div class=""> On 20/07/2019 21:07 Reio Remma via
                    dovecot <a class="moz-txt-link-rfc2396E"
                      href="mailto:dovecot@dovecot.org"
                      moz-do-not-send="true">&lt;dovecot@dovecot.org&gt;</a>
                    wrote: </div>
                  <div class=""> <br class="">
                  </div>
                  <div class=""> <br class="">
                  </div>
                  <div class="moz-cite-prefix"> On 20.07.2019 18:03, Aki
                    Tuomi via dovecot wrote: <br class="">
                  </div>
                  <blockquote type="cite" class="">
                    <div class=""> <br class="">
                    </div>
                    <blockquote type="cite" class="">
                      <div class=""> On 20/07/2019 13:12 Reio Remma via
                        dovecot &lt;<a
                          href="mailto:dovecot@dovecot.org"
                          moz-do-not-send="true" class="">dovecot@dovecot.org</a>&gt;
                        wrote: </div>
                      <div class=""> <br class="">
                      </div>
                      <div class=""> <br class="">
                      </div>
                      <div class=""> On 19.07.2019 0:24, Reio Remma via
                        dovecot wrote: </div>
                      <blockquote type="cite" class="">
                        <div class=""> I'm attempting to get Dovecot
                          working with MySQL user database on </div>
                        <div class=""> another machine. I can connect to
                          the MySQL (5.7.26) instance with SSL </div>
                        <div class=""> enabled: </div>
                      </blockquote>
                      <blockquote type="cite" class="">
                        <div class=""> mysql -h db.mrst.ee
                          --ssl-ca=/etc/dovecot/ca.pem </div>
                        <div class="">
                          --ssl-cert=/etc/dovecot/client-cert.pem </div>
                        <div class="">
                          --ssl-key=/etc/dovecot/client-key.pem
                          --ssl-cipher=DHE-RSA-AES256-SHA </div>
                        <div class=""> -u vmail -p </div>
                      </blockquote>
                      <blockquote type="cite" class="">
                        <div class=""> However if I use the same values
                          in dovecot-sql.conf.ext, I get the </div>
                        <div class=""> following error: </div>
                      </blockquote>
                      <blockquote type="cite" class="">
                        <div class=""> Jul 19 00:20:18 turin dovecot:
                          auth-worker(82996): Error: </div>
                        <div class=""> mysql(db.mrst.ee): Connect failed
                          to database (vmail): SSL connection </div>
                        <div class=""> error: protocol version mismatch
                          - waiting for 1 seconds before retry </div>
                        <div class=""> Jul 19 00:20:19 turin dovecot:
                          auth-worker(82996): Error: </div>
                        <div class=""> mysql(db.mrst.ee): Connect failed
                          to database (vmail): Connections </div>
                        <div class=""> using insecure transport are
                          prohibited while </div>
                        <div class=""> --require_secure_transport=ON. -
                          waiting for 5 seconds before retry </div>
                      </blockquote>
                      <blockquote type="cite" class="">
                        <div class=""> Database connection string: </div>
                      </blockquote>
                      <blockquote type="cite" class="">
                        <div class=""> connect = host=db.mrst.ee
                          dbname=vmail user=vmail password=stuff \ </div>
                        <div class="">     ssl_ca=/etc/dovecot/ca.pem \
                        </div>
                        <div class="">    
                          ssl_cert=/etc/dovecot/client-cert.pem \ </div>
                        <div class="">    
                          ssl_key=/etc/dovecot/client-key.pem \ </div>
                        <div class="">     ssl_cipher=DHE-RSA-AES256-SHA
                        </div>
                      </blockquote>
                      <div class=""> Update: I got it to connect
                        successfully now after downgrading the MySQL </div>
                      <div class=""> server tls-version from TLSv1.1 to
                        TLSv1. </div>
                      <div class=""> <br class="">
                      </div>
                      <div class=""> Is there a reason why Dovecot MySQL
                        doesn't support TLSv1.1? </div>
                      <div class=""> <br class="">
                      </div>
                      <div class=""> Thanks! </div>
                      <div class=""> Reio </div>
                    </blockquote>
                    <div class=""> <br class="">
                    </div>
                    <div class=""> Dovecot mysql uses libmysqlclient. We
                      do not enforce any particular tls protocol
                      version. If it requires you to downgrade I suggest
                      you review your client my.cnf for any
                      restrictions. </div>
                    <div class="io-ox-signature">
                      <pre class="">---
Aki Tuomi</pre>
                    </div>
                  </blockquote>
                  <br class="">
                  Thanks Aki! I'm looking at it now and despite
                  identical MySQL 5.7.26 versions on both systems, it
                  seems Dovecot is using libmysqlclient 5.6.37. <br
                    class="">
                  <br class="">
                  Dovecot seems to be using the older
                  libmysqlclient.so.18.1.0 (5.6.37) from
                  mysql-community-libs-compat 5.7.26 instead of the
                  newer libmysqlclient.so.20.3.13 (5.7.26) from
                  mysql-community-libs 5.7.26. <br class="">
                  <br class="">
                  If I try to remove the libs-compat, yum also insists
                  on removing dovecot-mysql, so it depends on the older
                  libmysqlclient and ignores the newer one. <br
                    class="">
                  <br class="">
                  I don't suspect I can do anything on my end to force
                  the Dovecot CentOS package to use the non-compat
                  libmysqlclient? <br class="">
                  <br class="">
                  Thanks, <br class="">
                  Reio </blockquote>
                <div class=""> <br class="">
                </div>
                <div class=""> What repo are you using? </div>
                <div class="io-ox-signature">
                  <pre class="">---
Aki Tuomi</pre>
                </div>
              </blockquote>
              <br class="">
              Installed Packages<br class="">
              dovecot-mysql.x86_64 2:2.3.7-8 @dovecot-2.3-latest<br class="">
              mysql-community-libs.x86_64 5.7.26-1.el7 @mysql57-community<br class="">
              <br class="">
              Both are from official repos.<br class="">
            </div>
          </div>
        </blockquote>
        <br class="">
      </div>
      <div>dovecot-mysql package is built against the mariadb library
        that comes with CentOS 7. If you want it to work against other
        libmysqlclient versions you'd need to compile it yourself: <a
          href="https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/"
          class="" moz-do-not-send="true">https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/</a></div>
    </blockquote>
    <br>
    Thanks, I'm again one experience richer after compiling Dovecot from
    the source RPM. Nicely running with TLSv1.1 now.<br>
    <br>
    Thanks!<br>
    Reio<br>
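    <br>
    Added example (not part of any message in this thread, and not Dovecot project code): a check for the step the thread turns on, namely which libmysqlclient soname the Dovecot MySQL driver is actually linked against. The sample ldd output and its library path are constructed, the function names are hypothetical, and the default expected major 20 is the libmysqlclient.so.20.3.13 (5.7.26) library named above.<br>
<pre>
```shell
# Constructed sample of `ldd` output for a driver linked to the compat library.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0a1f2000)
    libmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 (0x00007f3a10000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a0f900000)'

# Read ldd output on stdin; print "soname path" per MySQL/MariaDB client library.
client_libs() {
    awk '$1 ~ /^lib(mysqlclient|mariadb)(_r)?\.so/ {
             if ($2 != "=>") next
             print $1, ($3 == "not" ? "NOT-FOUND" : $3)
         }'
}

# Soname major number, e.g. libmysqlclient.so.20.3.13 gives 20.
soname_major() {
    printf '%s\n' "$1" | sed -n 's/^.*\.so\.\([0-9][0-9]*\).*$/\1/p'
}

# check_client_lib WANT_MAJOR  (ldd output on stdin)
# Returns 0 if every linked client library has that major, 1 if any differs,
# 2 if no MySQL/MariaDB client library is linked at all.
check_client_lib() {
    want=$1
    libs=$(client_libs)
    [ -n "$libs" ] || { echo "no MySQL client library in ldd output"; return 2; }
    status=0
    old_ifs=$IFS
    IFS='
'
    for line in $libs; do
        soname=${line%% *}
        major=$(soname_major "$soname")
        if [ "$major" = "$want" ]; then
            echo "OK   $soname -> ${line#* }"
        else
            echo "DIFF $soname -> ${line#* } (major $major, expected $want)"
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}

# With a path argument (see `rpm -ql dovecot-mysql`), inspect it; else run the sample.
if [ -n "${1:-}" ]; then
    ldd "$1" | check_client_lib "${2:-20}"
else
    printf '%s\n' "$SAMPLE_LDD" | check_client_lib 20 || true
fi
```
</pre>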
  </body>
</html>