dovecot - Jul 2019 - Dovecot with MySQL over SSL.

<!doctype html>
<html>
 <head> 
  <meta charset="UTF-8"> 
 </head>
 <body>
  <div>
   <br>
  </div>
  <blockquote type="cite">
   <div>
    On 20/07/2019 13:12 Reio Remma via dovecot <
    <a
href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>>
wrote:
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div>
    On 19.07.2019 0:24, Reio Remma via dovecot wrote:
   </div>
   <blockquote type="cite">
    <div>
     I'm attempting to get Dovecot working with MySQL user database on
    </div>
    <div>
     another machine. I can connect to the MySQL (5.7.26) instance with SSL
    </div>
    <div>
     enabled:
    </div>
   </blockquote>
   <blockquote type="cite">
    <div>
     mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
    </div>
    <div>
     --ssl-cert=/etc/dovecot/client-cert.pem
    </div>
    <div>
     --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
    </div>
    <div>
     -u vmail -p
    </div>
   </blockquote>
   <blockquote type="cite">
    <div>
     However if I use the same values in dovecot-sql.conf.ext, I get the
    </div>
    <div>
     following error:
    </div>
   </blockquote>
   <blockquote type="cite">
    <div>
     Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
    </div>
    <div>
     mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
    </div>
    <div>
     error: protocol version mismatch - waiting for 1 seconds before retry
    </div>
    <div>
     Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
    </div>
    <div>
     mysql(db.mrst.ee): Connect failed to database (vmail): Connections
    </div>
    <div>
     using insecure transport are prohibited while
    </div>
    <div>
     --require_secure_transport=ON. - waiting for 5 seconds before retry
    </div>
   </blockquote>
   <blockquote type="cite">
    <div>
     Database connection string:
    </div>
   </blockquote>
   <blockquote type="cite">
    <div>
     connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    </div>
    <div>
         ssl_ca=/etc/dovecot/ca.pem \
    </div>
    <div>
         ssl_cert=/etc/dovecot/client-cert.pem \
    </div>
    <div>
         ssl_key=/etc/dovecot/client-key.pem \
    </div>
    <div>
         ssl_cipher=DHE-RSA-AES256-SHA
    </div>
   </blockquote>
   <div>
    Update: I got it to connect successfully now after downgrading the MySQL
   </div>
   <div>
    server tls-version from TLSv1.1 to TLSv1.
   </div>
   <div>
    <br>
   </div>
   <div>
    Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
   </div>
   <div>
    <br>
   </div>
   <div>
    Thanks!
   </div>
   <div>
    Reio
   </div>
  </blockquote>
  <div>
   <br>
  </div>
  <div>
   Dovecot mysql uses libmysqlclient. We do not enforce any particular tls
protocol version. If it requires you to downgrade I suggest you review your
client my.cnf for any restrictions.
  </div>
  <div class="io-ox-signature">
   <pre>---
Aki Tuomi</pre>
  </div> 
 </body>
</html>

On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:
>
>> On 20/07/2019 13:12 Reio Remma via dovecot < dovecot at dovecot.org 
>> <mailto:dovecot at dovecot.org>> wrote:
>>
>>
>> On 19.07.2019 0:24, Reio Remma via dovecot wrote:
>>> I'm attempting to get Dovecot working with MySQL user database
on
>>> another machine. I can connect to the MySQL (5.7.26) instance with
SSL
>>> enabled:
>>> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
>>> --ssl-cert=/etc/dovecot/client-cert.pem
>>> --ssl-key=/etc/dovecot/client-key.pem
--ssl-cipher=DHE-RSA-AES256-SHA
>>> -u vmail -p
>>> However if I use the same values in dovecot-sql.conf.ext, I get the
>>> following error:
>>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
>>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL
connection
>>> error: protocol version mismatch - waiting for 1 seconds before
retry
>>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
>>> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
>>> using insecure transport are prohibited while
>>> --require_secure_transport=ON. - waiting for 5 seconds before retry
>>> Database connection string:
>>> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>>> ??? ssl_ca=/etc/dovecot/ca.pem \
>>> ??? ssl_cert=/etc/dovecot/client-cert.pem \
>>> ??? ssl_key=/etc/dovecot/client-key.pem \
>>> ??? ssl_cipher=DHE-RSA-AES256-SHA
>> Update: I got it to connect successfully now after downgrading the
MySQL
>> server tls-version from TLSv1.1 to TLSv1.
>>
>> Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
>>
>> Thanks!
>> Reio
>
> Dovecot mysql uses libmysqlclient. We do not enforce any particular 
> tls protocol version. If it requires you to downgrade I suggest you 
> review your client my.cnf for any restrictions.
> ---
> Aki Tuomi
Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 
versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37.

Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) 
from mysql-community-libs-compat 5.7.26 instead of the newer 
libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.

If I try to remove the libs-compat, yum also insists on removing 
dovecot-mysql, so it depends on the older libmysqlclient and ignores the 
newer one.

I don't suspect I can do anything on my end to force the Dovecot CentOS 
package to use the non-compat libmysqlclient?

Thanks,
Reio
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20190720/16a6b5df/attachment-0001.html>

<!doctype html>
<html>
 <head> 
  <meta charset="UTF-8"> 
 </head>
 <body>
  <div>
   <br>
  </div>
  <blockquote type="cite">
   <div>
    On 20/07/2019 21:07 Reio Remma via dovecot <dovecot@dovecot.org>
wrote:
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div class="moz-cite-prefix">
    On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:
    <br>
   </div>
   <blockquote type="cite">
    <div>
     <br>
    </div>
    <blockquote type="cite">
     <div>
      On 20/07/2019 13:12 Reio Remma via dovecot < 
      <a
href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>>
wrote:
     </div>
     <div>
      <br>
     </div>
     <div>
      <br>
     </div>
     <div>
      On 19.07.2019 0:24, Reio Remma via dovecot wrote:
     </div>
     <blockquote type="cite">
      <div>
       I'm attempting to get Dovecot working with MySQL user database on
      </div>
      <div>
       another machine. I can connect to the MySQL (5.7.26) instance with SSL
      </div>
      <div>
       enabled:
      </div>
     </blockquote>
     <blockquote type="cite">
      <div>
       mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
      </div>
      <div>
       --ssl-cert=/etc/dovecot/client-cert.pem
      </div>
      <div>
       --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
      </div>
      <div>
       -u vmail -p
      </div>
     </blockquote>
     <blockquote type="cite">
      <div>
       However if I use the same values in dovecot-sql.conf.ext, I get the
      </div>
      <div>
       following error:
      </div>
     </blockquote>
     <blockquote type="cite">
      <div>
       Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
      </div>
      <div>
       mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
      </div>
      <div>
       error: protocol version mismatch - waiting for 1 seconds before retry
      </div>
      <div>
       Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
      </div>
      <div>
       mysql(db.mrst.ee): Connect failed to database (vmail): Connections
      </div>
      <div>
       using insecure transport are prohibited while
      </div>
      <div>
       --require_secure_transport=ON. - waiting for 5 seconds before retry
      </div>
     </blockquote>
     <blockquote type="cite">
      <div>
       Database connection string:
      </div>
     </blockquote>
     <blockquote type="cite">
      <div>
       connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
      </div>
      <div>
           ssl_ca=/etc/dovecot/ca.pem \
      </div>
      <div>
           ssl_cert=/etc/dovecot/client-cert.pem \
      </div>
      <div>
           ssl_key=/etc/dovecot/client-key.pem \
      </div>
      <div>
           ssl_cipher=DHE-RSA-AES256-SHA
      </div>
     </blockquote>
     <div>
      Update: I got it to connect successfully now after downgrading the MySQL
     </div>
     <div>
      server tls-version from TLSv1.1 to TLSv1.
     </div>
     <div>
      <br>
     </div>
     <div>
      Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
     </div>
     <div>
      <br>
     </div>
     <div>
      Thanks!
     </div>
     <div>
      Reio
     </div>
    </blockquote>
    <div>
     <br>
    </div>
    <div>
     Dovecot mysql uses libmysqlclient. We do not enforce any particular tls
protocol version. If it requires you to downgrade I suggest you review your
client my.cnf for any restrictions.
    </div>
    <div class="io-ox-signature">
     <pre>---
Aki Tuomi</pre>
    </div>
   </blockquote>
   <br>Thanks Aki! I'm looking at it now and despite identical MySQL
5.7.26 versions on both systems, it seems Dovecot is using libmysqlclient
5.6.37.
   <br>
   <br>Dovecot seems to be using the older libmysqlclient.so.18.1.0
(5.6.37) from mysql-community-libs-compat 5.7.26 instead of the newer
libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.
   <br>
   <br>If I try to remove the libs-compat, yum also insists on removing
dovecot-mysql, so it depends on the older libmysqlclient and ignores the newer
one.
   <br>
   <br>I don't suspect I can do anything on my end to force the
Dovecot CentOS package to use the non-compat libmysqlclient?
   <br>
   <br>Thanks,
   <br>Reio
  </blockquote>
  <div>
   <br>
  </div>
  <div>
   What repo are you using?
  </div>
  <div class="io-ox-signature">
   <pre>---
Aki Tuomi</pre>
  </div> 
 </body>
</html>