On 22.07.2019 16:05, Timo Sirainen via dovecot wrote:
On 20 Jul 2019, at 23.02, Reio Remma via dovecot <dovecot@dovecot.org> wrote:
On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:
On 20/07/2019 21:07 Reio Remma via dovecot <dovecot@dovecot.org> wrote:
On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:
On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:
On 19.07.2019 0:24, Reio Remma via dovecot wrote:
I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:

    mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem \
        --ssl-cert=/etc/dovecot/client-cert.pem \
        --ssl-key=/etc/dovecot/client-key.pem \
        --ssl-cipher=DHE-RSA-AES256-SHA \
        -u vmail -p

However, if I use the same values in dovecot-sql.conf.ext, I get the
following error:

    Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection error: protocol version mismatch - waiting for 1 seconds before retry
    Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): Connections using insecure transport are prohibited while --require_secure_transport=ON. - waiting for 5 seconds before retry

Database connection string:

    connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
        ssl_ca=/etc/dovecot/ca.pem \
        ssl_cert=/etc/dovecot/client-cert.pem \
        ssl_key=/etc/dovecot/client-key.pem \
        ssl_cipher=DHE-RSA-AES256-SHA
Update: I got it to connect successfully now after downgrading the MySQL
server tls-version from TLSv1.1 to TLSv1.
Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
Thanks!
Reio
Dovecot mysql uses libmysqlclient. We do not enforce any
particular tls protocol version. If it requires you to downgrade I
suggest you review your client my.cnf for any restrictions.
---
Aki Tuomi
Thanks Aki! I'm looking at it now and despite identical MySQL
5.7.26 versions on both systems, it seems Dovecot is using
libmysqlclient 5.6.37.
Dovecot seems to be using the older libmysqlclient.so.18.1.0
(5.6.37) from mysql-community-libs-compat 5.7.26 instead of the
newer libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs
5.7.26.
If I try to remove the libs-compat, yum also insists on removing
dovecot-mysql, so it depends on the older libmysqlclient and
ignores the newer one.
I don't suspect I can do anything on my end to force the Dovecot
CentOS package to use the non-compat libmysqlclient?
Thanks,
Reio
What repo are you using?
---
Aki Tuomi
Installed Packages
dovecot-mysql.x86_64 2:2.3.7-8 @dovecot-2.3-latest
mysql-community-libs.x86_64 5.7.26-1.el7 @mysql57-community
Both are from official repos.
dovecot-mysql package is built against the mariadb library that comes
with CentOS 7. If you want it to work against other libmysqlclient
versions you'd need to compile it yourself:
https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/
Thanks, I'm again one experience richer after compiling Dovecot from the
source RPM. Nicely running with TLSv1.1 now.
Thanks!
Reio
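
The check at the heart of this thread, finding out which client library the Dovecot MySQL driver is actually linked against, can be scripted. The following is an added example, not part of the original messages or of Dovecot's own tooling: it parses `ldd` output and compares the linked soname with the expected one. The `ldd` sample is constructed, and the driver module path in the usage comment is an assumption; the two sonames come from the thread.

```shell
#!/bin/sh
# Constructed sample of `ldd` output for the Dovecot MySQL driver module
# (addresses and paths are illustrative, not captured from the thread's host).
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007ffd3a5f2000)
    libmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 (0x00007f2b1c000000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f2b1bd8e000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b1b5a0000)'

# Read ldd output on stdin; print "soname path" for each MySQL/MariaDB client
# library. An unresolved dependency ("=> not found") is reported as MISSING.
linked_client_lib() {
    awk '$2 == "=>" && $1 ~ /^lib(mysqlclient|mariadb)(_r)?\.so/ {
             print $1, ($3 == "not" ? "MISSING" : $3)
         }'
}

# $1 = soname the operator expects; ldd output on stdin.
# Returns 0 on match, 1 on mismatch or unresolved library, 2 if none is linked.
check_client_lib() {
    expected=$1
    found=$(linked_client_lib | head -n 1)
    [ -n "$found" ] || { echo "no MySQL client library in ldd output"; return 2; }
    soname=${found%% *}
    path=${found#* }
    if [ "$path" = "MISSING" ]; then
        echo "UNRESOLVED: $soname"; return 1
    elif [ "$soname" != "$expected" ]; then
        echo "MISMATCH: linked $soname ($path), expected $expected"; return 1
    fi
    echo "OK: $soname ($path)"
}

# Usage on a live host (driver path is an assumption; adjust to your package):
#   ldd /usr/lib64/dovecot/libdriver_mysql.so | check_client_lib libmysqlclient.so.20
#   rpm -qf /usr/lib64/mysql/libmysqlclient.so.18   # which package owns the linked file
```

A MISMATCH result means the driver resolves to a different client library than the one the `mysql` command-line test used, so a TLS handshake that works from the CLI says nothing about what Dovecot can negotiate.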