<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 20/07/2019 13:12 Reio Remma via dovecot < <a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote: </div> <div> <br> </div> <div> <br> </div> <div> On 19.07.2019 0:24, Reio Remma via dovecot wrote: </div> <blockquote type="cite"> <div> I'm attempting to get Dovecot working with MySQL user database on </div> <div> another machine. I can connect to the MySQL (5.7.26) instance with SSL </div> <div> enabled: </div> </blockquote> <blockquote type="cite"> <div> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem </div> <div> --ssl-cert=/etc/dovecot/client-cert.pem </div> <div> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA </div> <div> -u vmail -p </div> </blockquote> <blockquote type="cite"> <div> However if I use the same values in dovecot-sql.conf.ext, I get the </div> <div> following error: </div> </blockquote> <blockquote type="cite"> <div> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: </div> <div> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection </div> <div> error: protocol version mismatch - waiting for 1 seconds before retry </div> <div> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: </div> <div> mysql(db.mrst.ee): Connect failed to database (vmail): Connections </div> <div> using insecure transport are prohibited while </div> <div> --require_secure_transport=ON. 
- waiting for 5 seconds before retry </div> </blockquote> <blockquote type="cite"> <div> Database connection string: </div> </blockquote> <blockquote type="cite"> <div> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \ </div> <div> ssl_ca=/etc/dovecot/ca.pem \ </div> <div> ssl_cert=/etc/dovecot/client-cert.pem \ </div> <div> ssl_key=/etc/dovecot/client-key.pem \ </div> <div> ssl_cipher=DHE-RSA-AES256-SHA </div> </blockquote> <div> Update: I got it to connect successfully now after downgrading the MySQL </div> <div> server tls-version from TLSv1.1 to TLSv1. </div> <div> <br> </div> <div> Is there a reason why Dovecot MySQL doesn't support TLSv1.1? </div> <div> <br> </div> <div> Thanks! </div> <div> Reio </div> </blockquote> <div> <br> </div> <div> Dovecot mysql uses libmysqlclient. We do not enforce any particular tls protocol version. If it requires you to downgrade I suggest you review your client my.cnf for any restrictions. </div> <div class="io-ox-signature"> <pre>--- Aki Tuomi</pre> </div> </body> </html>
On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:
>
>> On 20/07/2019 13:12 Reio Remma via dovecot < dovecot at dovecot.org
>> <mailto:dovecot at dovecot.org>> wrote:
>>
>>
>> On 19.07.2019 0:24, Reio Remma via dovecot wrote:
>>> I'm attempting to get Dovecot working with MySQL user database on
>>> another machine. I can connect to the MySQL (5.7.26) instance with SSL
>>> enabled:
>>> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
>>> --ssl-cert=/etc/dovecot/client-cert.pem
>>> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
>>> -u vmail -p
>>> However if I use the same values in dovecot-sql.conf.ext, I get the
>>> following error:
>>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
>>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>>> error: protocol version mismatch - waiting for 1 seconds before retry
>>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
>>> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
>>> using insecure transport are prohibited while
>>> --require_secure_transport=ON. - waiting for 5 seconds before retry
>>> Database connection string:
>>> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>>>     ssl_ca=/etc/dovecot/ca.pem \
>>>     ssl_cert=/etc/dovecot/client-cert.pem \
>>>     ssl_key=/etc/dovecot/client-key.pem \
>>>     ssl_cipher=DHE-RSA-AES256-SHA
>> Update: I got it to connect successfully now after downgrading the MySQL
>> server tls-version from TLSv1.1 to TLSv1.
>>
>> Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
>>
>> Thanks!
>> Reio
>
> Dovecot mysql uses libmysqlclient. We do not enforce any particular
> tls protocol version. If it requires you to downgrade I suggest you
> review your client my.cnf for any restrictions.
> ---
> Aki Tuomi

Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37.

Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) from mysql-community-libs-compat 5.7.26 instead of the newer libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.

If I try to remove the libs-compat, yum also insists on removing dovecot-mysql, so it depends on the older libmysqlclient and ignores the newer one.

I don't suspect I can do anything on my end to force the Dovecot CentOS package to use the non-compat libmysqlclient?

Thanks,
Reio
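The check described in the message above (which libmysqlclient the Dovecot MySQL driver actually resolves to, and which RPM owns it) can be scripted as follows. This is an added example, not part of the original thread or of Dovecot; the function names are hypothetical, the sample `ldd` text is constructed, and the live path assumes an RPM-based host with `rpm` and `ldd` available.

```shell
#!/bin/sh
# Added example, not from the thread. Sample ldd text below is constructed.

# stdin: `ldd` output; stdout: "<soname> <resolved path>" for libmysqlclient.
mysql_libs() {
    awk '$1 ~ /^libmysqlclient(_r)?\.so/ && $2 == "=>" { print $1, $3 }'
}

# Soname major -> client series, using the pairs quoted in the thread:
# libmysqlclient.so.18.1.0 = 5.6.37, libmysqlclient.so.20.3.13 = 5.7.26.
client_series() {
    case "$1" in
        libmysqlclient*.so.18|libmysqlclient*.so.18.*) echo "5.6" ;;
        libmysqlclient*.so.20|libmysqlclient*.so.20.*) echo "5.7" ;;
        *) echo "unknown" ;;
    esac
}

# stdin: `ldd` output; stdout: "<soname> <series> <resolved path>".
describe_ldd() {
    mysql_libs | while read -r name path; do
        echo "$name $(client_series "$name") $path"
    done
}

# On the Dovecot host: inspect every shared object shipped by dovecot-mysql
# and name the RPM that owns the client library it resolves to.
audit_dovecot_mysql() {
    rpm -ql dovecot-mysql | grep '\.so$' | while read -r so; do
        ldd "$so" | describe_ldd | while read -r name series path; do
            echo "$so: $name (client $series) from $(rpm -qf "$path")"
        done
    done
}

# Constructed ldd output for a driver linked against the compat library.
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 =>  (0x00007ffc0b5f2000)
    libmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 (0x00007f2a1c000000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f2a1bd00000)
EOF
}

if command -v rpm >/dev/null 2>&1 && rpm -q dovecot-mysql >/dev/null 2>&1; then
    audit_dovecot_mysql
else
    sample_ldd | describe_ldd
fi
```

Where `dovecot-mysql` is not installed, the script falls back to parsing the constructed sample so the output format can be seen without a Dovecot host.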
<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 20/07/2019 21:07 Reio Remma via dovecot &lt;dovecot@dovecot.org&gt; wrote: </div> <div> <br> </div> <div> <br> </div> <div class="moz-cite-prefix"> On 20.07.2019 18:03, Aki Tuomi via dovecot wrote: <br> </div> <blockquote type="cite"> <div> <br> </div> <blockquote type="cite"> <div> On 20/07/2019 13:12 Reio Remma via dovecot < <a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote: </div> <div> <br> </div> <div> <br> </div> <div> On 19.07.2019 0:24, Reio Remma via dovecot wrote: </div> <blockquote type="cite"> <div> I'm attempting to get Dovecot working with MySQL user database on </div> <div> another machine. I can connect to the MySQL (5.7.26) instance with SSL </div> <div> enabled: </div> </blockquote> <blockquote type="cite"> <div> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem </div> <div> --ssl-cert=/etc/dovecot/client-cert.pem </div> <div> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA </div> <div> -u vmail -p </div> </blockquote> <blockquote type="cite"> <div> However if I use the same values in dovecot-sql.conf.ext, I get the </div> <div> following error: </div> </blockquote> <blockquote type="cite"> <div> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: </div> <div> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection </div> <div> error: protocol version mismatch - waiting for 1 seconds before retry </div> <div> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: </div> <div> mysql(db.mrst.ee): Connect failed to database (vmail): Connections </div> <div> using insecure transport are prohibited while </div> <div> --require_secure_transport=ON. 
- waiting for 5 seconds before retry </div> </blockquote> <blockquote type="cite"> <div> Database connection string: </div> </blockquote> <blockquote type="cite"> <div> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \ </div> <div> ssl_ca=/etc/dovecot/ca.pem \ </div> <div> ssl_cert=/etc/dovecot/client-cert.pem \ </div> <div> ssl_key=/etc/dovecot/client-key.pem \ </div> <div> ssl_cipher=DHE-RSA-AES256-SHA </div> </blockquote> <div> Update: I got it to connect successfully now after downgrading the MySQL </div> <div> server tls-version from TLSv1.1 to TLSv1. </div> <div> <br> </div> <div> Is there a reason why Dovecot MySQL doesn't support TLSv1.1? </div> <div> <br> </div> <div> Thanks! </div> <div> Reio </div> </blockquote> <div> <br> </div> <div> Dovecot mysql uses libmysqlclient. We do not enforce any particular tls protocol version. If it requires you to downgrade I suggest you review your client my.cnf for any restrictions. </div> <div class="io-ox-signature"> <pre>--- Aki Tuomi</pre> </div> </blockquote> <br>Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37. <br> <br>Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) from mysql-community-libs-compat 5.7.26 instead of the newer libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26. <br> <br>If I try to remove the libs-compat, yum also insists on removing dovecot-mysql, so it depends on the older libmysqlclient and ignores the newer one. <br> <br>I don't suspect I can do anything on my end to force the Dovecot CentOS package to use the non-compat libmysqlclient? <br> <br>Thanks, <br>Reio </blockquote> <div> <br> </div> <div> What repo are you using? </div> <div class="io-ox-signature"> <pre>--- Aki Tuomi</pre> </div> </body> </html>