On Fri, Jan 24, 2025 at 03:30:43PM +1100, duluxoz via Postfix-users wrote:
> I'm using a MariaDB backend to Postfix. Everything is working correctly
> until I attempt to secure the Postfix<->MariaDB connection with a TLS
> Certificate. When I perform a `postmap -q example.com
> mysql:/etc/postfix/virtual_domains.cf` command on the postfix server
> *without* using TLS I get a successful response. However, when I engage TLS
> I get the following error in the MariaDB log: `X509 subject mismatch: should
> be 'CN=mail_u...@example.com' but is '/CN=mail_u...@example.com'`.
>
> Now, obviously the issue is the extra '/' at the start of the 'CN=', but for
> the life of me I can't figure out where that '/' is coming from.
There is (of course if happens to know too much about X.509 naming) no
such "slash" in the actual certificate. The subject DN is a sequence
of relative distinguished names (RDNs) of which CN=... is in this
case the first element. There are many ways to write the sequence
as a string, the two most popular are:
/RDN1/RDN2/.../RDNx
RDN1, RDN2, ..., RNDx
It looks you have a buggy MariaDB library that expects to get DNs in the
second format, but ends up with the first, because of a failure to be
specific about the format, or just outright getting it wrong...
Perhaps the default changed between OpenSSL 1.1.1 and 3.0, or something
about the way OpenSSL was built? Anyway, Postfix is just the messenger,
it is the MariaDB library that sets up TLS connection.
--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
