<!doctype html>
<html>
<head> <meta charset="UTF-8"> </head>
<body>
<div> <br> </div>
<blockquote type="cite">
  <div> On 20/07/2019 21:07 Reio Remma via dovecot &lt;dovecot@dovecot.org&gt; wrote: </div>
  <div> <br> </div>
  <div> <br> </div>
  <div class="moz-cite-prefix"> On 20.07.2019 18:03, Aki Tuomi via dovecot wrote: <br> </div>
  <blockquote type="cite">
    <div> <br> </div>
    <blockquote type="cite">
      <div> On 20/07/2019 13:12 Reio Remma via dovecot &lt; <a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>&gt; wrote: </div>
      <div> <br> </div>
      <div> <br> </div>
      <div> On 19.07.2019 0:24, Reio Remma via dovecot wrote: </div>
      <blockquote type="cite">
        <div> I'm attempting to get Dovecot working with MySQL user database on </div>
        <div> another machine. I can connect to the MySQL (5.7.26) instance with SSL </div>
        <div> enabled: </div>
      </blockquote>
      <blockquote type="cite">
        <div> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem </div>
        <div> --ssl-cert=/etc/dovecot/client-cert.pem </div>
        <div> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA </div>
        <div> -u vmail -p </div>
      </blockquote>
      <blockquote type="cite">
        <div> However if I use the same values in dovecot-sql.conf.ext, I get the </div>
        <div> following error: </div>
      </blockquote>
      <blockquote type="cite">
        <div> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: </div>
        <div> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection </div>
        <div> error: protocol version mismatch - waiting for 1 seconds before retry </div>
        <div> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: </div>
        <div> mysql(db.mrst.ee): Connect failed to database (vmail): Connections </div>
        <div> using insecure transport are prohibited while </div>
        <div> --require_secure_transport=ON. - waiting for 5 seconds before retry </div>
      </blockquote>
      <blockquote type="cite">
        <div> Database connection string: </div>
      </blockquote>
      <blockquote type="cite">
        <div> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \ </div>
        <div> ssl_ca=/etc/dovecot/ca.pem \ </div>
        <div> ssl_cert=/etc/dovecot/client-cert.pem \ </div>
        <div> ssl_key=/etc/dovecot/client-key.pem \ </div>
        <div> ssl_cipher=DHE-RSA-AES256-SHA </div>
      </blockquote>
      <div> Update: I got it to connect successfully now after downgrading the MySQL </div>
      <div> server tls-version from TLSv1.1 to TLSv1. </div>
      <div> <br> </div>
      <div> Is there a reason why Dovecot MySQL doesn't support TLSv1.1? </div>
      <div> <br> </div>
      <div> Thanks! </div>
      <div> Reio </div>
    </blockquote>
    <div> <br> </div>
    <div> Dovecot mysql uses libmysqlclient. We do not enforce any particular tls protocol version. If it requires you to downgrade I suggest you review your client my.cnf for any restrictions. </div>
    <div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
    </div>
  </blockquote>
  <br>Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37.
  <br> <br>Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) from mysql-community-libs-compat 5.7.26 instead of the newer libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.
  <br> <br>If I try to remove the libs-compat, yum also insists on removing dovecot-mysql, so it depends on the older libmysqlclient and ignores the newer one.
  <br> <br>I don't suspect I can do anything on my end to force the Dovecot CentOS package to use the non-compat libmysqlclient?
  <br> <br>Thanks,
  <br>Reio
</blockquote>
<div> <br> </div>
<div> What repo are you using? </div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
</body>
</html>

On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:
> What repo are you using?
> ---
> Aki Tuomi

Installed Packages
dovecot-mysql.x86_64            2:2.3.7-8       @dovecot-2.3-latest
mysql-community-libs.x86_64     5.7.26-1.el7    @mysql57-community

Both are from official repos.

Thanks,
Reio

On 20 Jul 2019, at 23.02, Reio Remma via dovecot <dovecot at dovecot.org> wrote:
> On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:
>> What repo are you using?
>> ---
>> Aki Tuomi
>
> Installed Packages
> dovecot-mysql.x86_64            2:2.3.7-8       @dovecot-2.3-latest
> mysql-community-libs.x86_64     5.7.26-1.el7    @mysql57-community
>
> Both are from official repos.

dovecot-mysql package is built against the mariadb library that comes with CentOS 7. If you want it to work against other libmysqlclient versions you'd need to compile it yourself:

https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/
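
Added example, not part of the thread and not Dovecot's own tooling: a shell check that reads `ldd` output and reports which MySQL/MariaDB client library a module is actually linked against, the question the thread turns on. The sample `ldd` output and its paths are constructed, and the soname labels follow the pairing reported above (libmysqlclient.so.18 as the 5.6.37 build, libmysqlclient.so.20 as 5.7.26).

```shell
#!/bin/sh
# Constructed sample of `ldd` output for a module linked against the older
# client library; the paths and load addresses are placeholders.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007ffd2a5f0000)
    libmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 (0x00007f1c2a400000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f1c2a18e000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1c29dc0000)'

# Read `ldd` output on stdin; print "<soname> <resolved-path>" for each
# MySQL/MariaDB client library ("not-found" if the loader cannot resolve it).
client_libs() {
    awk '$1 ~ /^lib(mysqlclient|mariadb)(_r)?\.so/ && $2 == "=>" {
        print $1, ($3 == "not" ? "not-found" : $3)
    }'
}

# Map a soname to the client generation named in the thread:
# .so.18 is the older ABI (reported as 5.6.37), .so.20 the MySQL 5.7 one.
client_generation() {
    case "$1" in
        libmysqlclient.so.18|libmysqlclient_r.so.18) echo "older-abi-18" ;;
        libmysqlclient.so.20) echo "mysql-5.7-abi-20" ;;
        *) echo "unrecognised" ;;
    esac
}

# One line per client library: "<soname> <path> <generation>".
audit_ldd() {
    client_libs | while read -r soname path; do
        echo "$soname $path $(client_generation "$soname")"
    done
}

# With an argument, audit that file and name the owning RPM when rpm exists;
# with no argument, run over the constructed sample.
if [ "$#" -gt 0 ]; then
    ldd "$1" | audit_ldd | while read -r soname path gen; do
        echo "$soname $path $gen"
        if [ -e "$path" ] && command -v rpm >/dev/null 2>&1; then
            rpm -qf "$path"
        fi
    done
else
    printf '%s\n' "$SAMPLE_LDD" | audit_ldd
fi
```

Pass the path of the Dovecot binary or MySQL driver module as the first argument to audit a real host; an `older-abi-18` result matches the situation in which the server had to be set back to TLSv1.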