On 12/27/2022 11:58 AM, Phil Stracchino wrote:
On 12/27/22 12:49, Aaron Axelsen wrote:
I've been trying to get the correct recipe of settings to allow postfix to connect to mysql where ssl is required. So far I have the following that is not working:

user = mysqluser
password = XXX
hosts = secure-mysql-db.example.com
dbname = mail
query = SELECT 1 FROM users WHERE email='%s'
tls_ciphers = TLSv1.3
tls_CAfile = /path/to/mysql-ca.crt

Now I'm getting the following error: SSL connection error: no cipher match

The MySQL server does support the listed cipher. Connecting via command line works as expected.  Connecting without ssl via postfix works fine also.

I'm running Postfix 3.5.17 on Debian 11.5


What MySQL version and how is it configured?  For some time now MySQL has actually implemented 'SSL' connections as TLS and should not require a client certificate.

The MySQL server is: 8.0.26 MySQL Community Server - GPL

It's a managed MySQL instance with require secure transport set to ON.

TLS versions on the MySQL server are: TLSv1.2,TLSv1.3

Output from a command line connection:

mysql -h secure-mysql-db.example.com -p -u mysqluser mail --ssl
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 970955
Server version: 8.0.26 MySQL Community Server - GPL

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [mail]> \s
--------------
mysql  Ver 15.1 Distrib 10.5.18-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper

Connection id:          970955
Current database:       mail
Current user:           postfix-ro@192.168.0.143
SSL:                    Cipher in use is ECDHE-RSA-AES256-GCM-SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MySQL
Server version:         8.0.26 MySQL Community Server - GPL
Protocol version:       10
Connection:             secure-mysql-db.example.com via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8mb3
Conn.  characterset:    utf8mb3
TCP port:               3306
Uptime:                 34 days 9 hours 39 min 51 sec

--
Aaron Axelsen
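An added lint script for the mysql map shown in this thread (my own example, not code from the poster or from Postfix): it parses the key = value file and flags tls_* settings worth re-checking, in particular a tls_ciphers value that names a protocol version instead of an OpenSSL cipher list, a missing tls_CAfile/tls_CApath, and tls_verify_cert left at its default of no. The sample config, path and password are constructed placeholders.

```python
import re

# Constructed sample: the mysql map as posted in the thread, with the
# tls_ciphers line unchanged.  Path and password are placeholders.
SAMPLE_CFG = """\
user = mysqluser
password = XXX
hosts = secure-mysql-db.example.com
dbname = mail
query = SELECT 1 FROM users WHERE email='%s'
tls_ciphers = TLSv1.3
tls_CAfile = /path/to/mysql-ca.crt
"""

# Protocol names that are not ciphers; a tls_ciphers value made only of
# these selects no pre-TLS-1.3 cipher, which OpenSSL reports as no match.
PROTOCOL_NAMES = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def parse_map(text):
    """Parse a Postfix key = value map file into a dict (last value wins)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def lint_tls(cfg):
    """Return a list of findings for the tls_* settings of a mysql map."""
    findings = []
    ciphers = cfg.get("tls_ciphers", "")
    bad = [c for c in re.split(r"[:,\s]+", ciphers) if c in PROTOCOL_NAMES]
    if bad:
        findings.append("tls_ciphers names protocol(s) %s; expected an OpenSSL "
                        "cipher list such as HIGH:!aNULL" % ",".join(bad))
    if not (cfg.get("tls_CAfile") or cfg.get("tls_CApath")):
        findings.append("no tls_CAfile/tls_CApath: server cert cannot be verified")
    if cfg.get("tls_verify_cert", "no").lower() not in ("yes", "true", "1"):
        findings.append("tls_verify_cert not enabled: server name is not checked")
    if cfg.get("tls_cert_file") and not cfg.get("tls_key_file"):
        findings.append("tls_cert_file set without tls_key_file")
    return findings

if __name__ == "__main__":
    for finding in lint_tls(parse_map(SAMPLE_CFG)):
        print("WARN:", finding)
```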

