Hello!

I'm attempting to get Dovecot working with a MySQL user database on another machine. I can connect to the MySQL (5.7.26) instance with SSL enabled:

    mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem --ssl-cert=/etc/dovecot/client-cert.pem --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA -u vmail -p

However, if I use the same values in dovecot-sql.conf.ext, I get the following error:

    Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc) starting up for imap, lmtp, sieve (core dumps disabled)
    Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection error: protocol version mismatch - waiting for 1 seconds before retry
    Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection error: protocol version mismatch - waiting for 1 seconds before retry
    Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): Connections using insecure transport are prohibited while --require_secure_transport=ON. - waiting for 5 seconds before retry
    Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): Connect failed to database (vmail): Connections using insecure transport are prohibited while --require_secure_transport=ON. - waiting for 5 seconds before retry

Database connection string:

    connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
        ssl_ca=/etc/dovecot/ca.pem \
        ssl_cert=/etc/dovecot/client-cert.pem \
        ssl_key=/etc/dovecot/client-key.pem \
        ssl_cipher=DHE-RSA-AES256-SHA

If I leave the ssl_cipher unset, I get:

    Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error: mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection error: Failed to set ciphers to use - waiting for 1 seconds before retry

Any ideas?

Thanks!
Reio
On 19.07.2019 0:24, Reio Remma via dovecot wrote:
> I'm attempting to get Dovecot working with MySQL user database on
> another machine. I can connect to the MySQL (5.7.26) instance with SSL
> enabled:
>
> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
> --ssl-cert=/etc/dovecot/client-cert.pem
> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
> -u vmail -p
>
> However if I use the same values in dovecot-sql.conf.ext, I get the
> following error:
>
> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
> error: protocol version mismatch - waiting for 1 seconds before retry
> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
> using insecure transport are prohibited while
> --require_secure_transport=ON. - waiting for 5 seconds before retry
>
> Database connection string:
>
> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>     ssl_ca=/etc/dovecot/ca.pem \
>     ssl_cert=/etc/dovecot/client-cert.pem \
>     ssl_key=/etc/dovecot/client-key.pem \
>     ssl_cipher=DHE-RSA-AES256-SHA

Update: I got it to connect successfully now after downgrading the MySQL server tls-version from TLSv1.1 to TLSv1.

Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio
On 18/07/2019 23:24, Reio Remma via dovecot wrote:
> Hello!
>
> I'm attempting to get Dovecot working with MySQL user database on
> another machine. I can connect to the MySQL (5.7.26) instance with SSL
> enabled:
>
> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
> --ssl-cert=/etc/dovecot/client-cert.pem
> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
> -u vmail -p
>
> However if I use the same values in dovecot-sql.conf.ext, I get the
> following error:
>
> Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc)
> starting up for imap, lmtp, sieve (core dumps disabled)
> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
> error: protocol version mismatch - waiting for 1 seconds before retry
> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
> error: protocol version mismatch - waiting for 1 seconds before retry
> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
> using insecure transport are prohibited while
> --require_secure_transport=ON. - waiting for 5 seconds before retry
> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
> using insecure transport are prohibited while
> --require_secure_transport=ON. - waiting for 5 seconds before retry
>
> Database connection string:
>
> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>     ssl_ca=/etc/dovecot/ca.pem \
>     ssl_cert=/etc/dovecot/client-cert.pem \
>     ssl_key=/etc/dovecot/client-key.pem \
>     ssl_cipher=DHE-RSA-AES256-SHA
>
> If I leave the ssl_cipher unset, I get:
>
> Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
> error: Failed to set ciphers to use - waiting for 1 seconds before retry
>
> Any ideas?
>
> Thanks!
> Reio

One difference between your manual test with the mysql client and the same configuration in Dovecot is the "ssl_verify_server_cert" parameter. Dovecot sets it if it is not specified. So, to make the tests the same, you should either pass the --ssl_verify_server_cert parameter to mysql or set it to no in the Dovecot configuration.

John
On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:
>
> On 19.07.2019 0:24, Reio Remma via dovecot wrote:
>> I'm attempting to get Dovecot working with MySQL user database on
>> another machine. I can connect to the MySQL (5.7.26) instance with SSL
>> enabled:
>>
>> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
>> --ssl-cert=/etc/dovecot/client-cert.pem
>> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
>> -u vmail -p
>>
>> However if I use the same values in dovecot-sql.conf.ext, I get the
>> following error:
>>
>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>> error: protocol version mismatch - waiting for 1 seconds before retry
>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
>> using insecure transport are prohibited while
>> --require_secure_transport=ON. - waiting for 5 seconds before retry
>>
>> Database connection string:
>>
>> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>>     ssl_ca=/etc/dovecot/ca.pem \
>>     ssl_cert=/etc/dovecot/client-cert.pem \
>>     ssl_key=/etc/dovecot/client-key.pem \
>>     ssl_cipher=DHE-RSA-AES256-SHA
>
> Update: I got it to connect successfully now after downgrading the MySQL
> server tls-version from TLSv1.1 to TLSv1.
>
> Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
>
> Thanks!
> Reio

Dovecot mysql uses libmysqlclient. We do not enforce any particular TLS protocol version. If it requires you to downgrade, I suggest you review your client my.cnf for any restrictions.

---
Aki Tuomi
On 20.07.2019 17:52, John Fawcett via dovecot wrote:
> On 18/07/2019 23:24, Reio Remma via dovecot wrote:
>> Hello!
>>
>> I'm attempting to get Dovecot working with MySQL user database on
>> another machine. I can connect to the MySQL (5.7.26) instance with SSL
>> enabled:
>>
>> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
>> --ssl-cert=/etc/dovecot/client-cert.pem
>> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
>> -u vmail -p
>>
>> However if I use the same values in dovecot-sql.conf.ext, I get the
>> following error:
>>
>> Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc)
>> starting up for imap, lmtp, sieve (core dumps disabled)
>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>> error: protocol version mismatch - waiting for 1 seconds before retry
>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>> error: protocol version mismatch - waiting for 1 seconds before retry
>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
>> using insecure transport are prohibited while
>> --require_secure_transport=ON. - waiting for 5 seconds before retry
>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
>> using insecure transport are prohibited while
>> --require_secure_transport=ON. - waiting for 5 seconds before retry
>>
>> Database connection string:
>>
>> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>>     ssl_ca=/etc/dovecot/ca.pem \
>>     ssl_cert=/etc/dovecot/client-cert.pem \
>>     ssl_key=/etc/dovecot/client-key.pem \
>>     ssl_cipher=DHE-RSA-AES256-SHA
>>
>> If I leave the ssl_cipher unset, I get:
>>
>> Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>> error: Failed to set ciphers to use - waiting for 1 seconds before retry
>>
>> Any ideas?
>>
>> Thanks!
>> Reio
> One difference between your testing manually with mysql client and the
> same configuration in dovecot is the "ssl_verify_server_cert" parameter.
> Dovecot is setting it if it is not specified. So to make the tests the
> same you should either specify the --ssl_verify_server_cert parameter to
> mysql or set it to no in the dovecot configuration.
>
> John

This works as well:

    mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem --ssl-cert=/etc/dovecot/client-cert.pem --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA --ssl-mode=VERIFY_IDENTITY -u vmail -p

The protocol mismatch persists when I set ssl_verify_server_cert=no for the Dovecot MySQL connection.

Thanks,
Reio
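As an added example (not code from the thread, nor Dovecot's own), the script below parses a dovecot-sql.conf.ext `connect` setting of the shape posted above, flags the TLS choices the thread turns on, and sorts the three auth-worker errors seen here into distinct failure modes. The sample connect string and log lines are copied from the thread with the password redacted; the helper names (`parse_connect_string`, `audit_ssl_settings`, `classify_log_line`), the category labels and the hints are this example's own, and the claim that Dovecot verifies the server certificate unless told otherwise is taken from John's reply rather than from Dovecot's source.

```python
"""Audit a Dovecot SQL 'connect' setting and classify auth-worker TLS errors.

Added example, not Dovecot code. Connect-string layout and log lines come from
the mailing-list thread; helper names, categories and hints are this example's
own. The ssl_verify_server_cert default is as stated in John's reply.
"""
import re

# Constructed from the connect string posted in the thread; password redacted.
SAMPLE_CONNECT = r"""
connect = host=db.mrst.ee dbname=vmail user=vmail password=REDACTED \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA
"""

# The three distinct auth-worker errors quoted in the thread.
SAMPLE_LOG = [
    "Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): "
    "Connect failed to database (vmail): SSL connection error: protocol version "
    "mismatch - waiting for 1 seconds before retry",
    "Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): "
    "Connect failed to database (vmail): Connections using insecure transport are "
    "prohibited while --require_secure_transport=ON. - waiting for 5 seconds before retry",
    "Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error: mysql(db.mrst.ee): "
    "Connect failed to database (vmail): SSL connection error: Failed to set ciphers "
    "to use - waiting for 1 seconds before retry",
]

# (regex, category, hint); categories and hints are this example's labels.
ERROR_PATTERNS = [
    (r"protocol version mismatch", "tls_version",
     "client and server share no TLS version: compare the server's tls_version "
     "with the versions the client library and its my.cnf allow"),
    (r"Failed to set ciphers to use", "cipher_list",
     "the client library could not apply the cipher list: check ssl_cipher "
     "against the suites the client's OpenSSL build offers"),
    (r"insecure transport are prohibited while --require_secure_transport=ON",
     "plaintext_refused",
     "TLS was not negotiated and the server refuses plaintext: fix the TLS error "
     "logged before this line rather than turning require_secure_transport off"),
]


def parse_connect_string(text):
    """Join backslash-continued lines and split the key=value pairs into a dict."""
    joined = re.sub(r"\\\s*\n\s*", " ", text.strip())
    m = re.match(r"connect\s*=\s*(.*)$", joined, re.S)
    if not m:
        raise ValueError("no 'connect =' setting found")
    params = {}
    for token in m.group(1).split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r}")
        params[key] = value  # a repeated key keeps the last value
    return params


def audit_ssl_settings(params):
    """Return findings about the TLS part of the setting (empty list: nothing to flag)."""
    findings = []
    for key in ("ssl_ca", "ssl_cert", "ssl_key"):
        if key not in params:
            findings.append(f"{key} not set")
    # Per John's reply: Dovecot verifies the server certificate unless told not to.
    if params.get("ssl_verify_server_cert", "yes").lower() in ("no", "0", "false"):
        findings.append("ssl_verify_server_cert=no disables server certificate checks; "
                        "keep it only while debugging")
    cipher = params.get("ssl_cipher")
    # OpenSSL names ending in plain -SHA are CBC suites with a SHA-1 MAC, defined for
    # TLS 1.0 and absent from TLS 1.3; an AEAD suite avoids that dependency.
    if cipher and cipher.endswith("-SHA"):
        findings.append(f"ssl_cipher={cipher} is a SHA-1 CBC suite; prefer an AEAD suite "
                        "such as ECDHE-RSA-AES256-GCM-SHA384")
    return findings


def classify_log_line(line):
    """Map one auth-worker line to (category, hint); None if it is not a connect failure."""
    if "Connect failed to database" not in line:
        return None
    for pattern, category, hint in ERROR_PATTERNS:
        if re.search(pattern, line):
            return category, hint
    return "other", "connection failed for a reason outside the TLS handshake"


if __name__ == "__main__":
    params = parse_connect_string(SAMPLE_CONNECT)
    print({k: v for k, v in params.items() if k.startswith("ssl_")})
    for finding in audit_ssl_settings(params):
        print("finding:", finding)
    for line in SAMPLE_LOG:
        category, hint = classify_log_line(line)
        print(f"{category:>17}: {hint}")
```

The "plaintext_refused" line is a consequence, not a cause: once the TLS handshake fails, libmysqlclient falls back to a plain connection and the server's require_secure_transport=ON rejects it, which is why the audit points back at the preceding TLS error. The cipher finding is the reason the thread's fix (downgrading the server to TLSv1) deserves a second look: a SHA-1 CBC suite ties the connection to the oldest protocol the server still offers, whereas an AEAD suite lets both ends move to TLS 1.2 without changing anything else in the connect string.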