Hi All,

I'm not sure if this is a Postfix issue, a TLS Certificate issue, and/or a MariaDB issue, so I started in the Postfix mailing lists. Their reply (below) indicated that I should post here instead - apologies if this is not the right place.

My original post:

I'm using a MariaDB backend to Postfix. Everything is working correctly until I attempt to secure the Postfix<->MariaDB connection with a TLS Certificate. When I perform a `postmap -q example.com mysql:/etc/postfix/virtual_domains.cf` command on the postfix server *without* using TLS I get a successful response. However, when I engage TLS I get the following error in the MariaDB log: `X509 subject mismatch: should be '[email protected]' but is '/[email protected]'`.

Now, obviously the issue is the extra '/' at the start of the 'CN=', but for the life of me I can't figure out where that '/' is coming from.

It is *not* in the TLS Certificate (verified by OpenSSL).

It is *not* in the virtual_domains.cf file (see below).

It is *not* in the MariaDB 'GRANT' statement used to allow access to the database: `GRANT SELECT ON mail_server.* TO 'mail_user'@'example.com' IDENTIFIED BY '{PASSWORD OBSCURED}' REQUIRE SUBJECT '[email protected]'`.

OS of both servers: Rocky Linux 9.5

Postfix Version: 3.9.1

MariaDB Version: 11.6.2

virtual_domains.cf:

~~~
hosts = mariadb.example.com
dbname = mail_server
user = mail_user
password = {PASSWORD OBSCURED}
tls_cert_file = /etc/pki/tls/certs/[email protected]
tls_key_file = /etc/pki/tls/certs/[email protected]
tls_CApath = /etc/pki/tls/certs/root_ca.crt
query = SELECT TRUE FROM virtual_domains WHERE domain_name='%s'
~~~

The Postfix mailing List Reply:

There is (of course, if one happens to know too much about X.509 naming) no
such "slash" in the actual certificate.  The subject DN is a sequence
of relative distinguished names (RDNs) of which CN=... is in this
case the first element.  There are many ways to write the sequence
as a string, the two most popular are:

    /RDN1/RDN2/.../RDNx
    RDN1, RDN2, ..., RDNx

It looks like you have a buggy MariaDB library that expects to get DNs in the
second format, but ends up with the first, because of a failure to be
specific about the format, or just outright getting it wrong...

Perhaps the default changed between OpenSSL 1.1.1 and 3.0, or something
about the way OpenSSL was built?  Anyway, Postfix is just the messenger,
it is the MariaDB library that sets up the TLS connection.

Could someone please point me in the right direction to get this sorted - thanks


Cheers

Dulux-Oz

_______________________________________________
discuss mailing list -- [email protected]
To unsubscribe send an email to [email protected]
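The two DN serializations the Postfix reply describes, worked through as an added example (this is not code from the original post, nor from Postfix, MariaDB or OpenSSL): a small Python module that parses a subject DN written in either the slash form (`/C=AU/O=Example/CN=user`) or the RFC 2253 comma form (`CN=user,O=Example,C=AU`) into its sequence of RDNs, converts between the two, and compares a required subject to a presented one by RDN sequence instead of by literal string. Two details matter beyond the leading slash: RFC 2253 lists RDNs most-specific-first while the slash form lists them in encoding order, so a conversion is a reversal plus re-delimiting, and a comma inside a value is escaped as `\,` in the comma form only. All sample subjects below are constructed; the single-CN case mirrors the post only in shape.

```python
import re

# Split the slash form on a "/" that introduces the next "type=" pair. Values
# are not escaped in this form, so a value containing "/name=" is ambiguous;
# that is a limitation of the serialization, not of this parser.
_SLASH_SPLIT = re.compile(r'/(?=[A-Za-z][A-Za-z0-9.]*=)')
# Split the RFC 2253 form on a comma that is not escaped with a backslash.
_COMMA_SPLIT = re.compile(r'(?<!\\),\s*')


def parse_dn(text):
    """Return the DN as an ordered list of (type, value) pairs in X.509
    encoding order (least specific first), whichever form it was written in."""
    text = text.strip()
    if text.startswith('/'):
        parts = [p for p in _SLASH_SPLIT.split(text[1:]) if p]
        ordered = parts                      # slash form is already in encoding order
    else:
        parts = [p for p in _COMMA_SPLIT.split(text) if p]
        ordered = list(reversed(parts))      # RFC 2253 prints most-specific first
    rdns = []
    for part in ordered:
        if '=' not in part:
            raise ValueError('malformed RDN: %r' % part)
        attr_type, value = part.split('=', 1)
        rdns.append((attr_type.strip(), value.replace('\\,', ',').strip()))
    return rdns


def to_oneline(rdns):
    """Render RDNs in the slash form (encoding order, no escaping)."""
    return ''.join('/%s=%s' % (t, v) for t, v in rdns)


def to_rfc2253(rdns):
    """Render RDNs in the RFC 2253 comma form (reversed, commas escaped)."""
    out = []
    for t, v in reversed(rdns):
        out.append('%s=%s' % (t, v.replace(',', '\\,')))
    return ','.join(out)


def subject_matches(required, presented):
    """True when both strings name the same RDN sequence, regardless of which
    serialization each one was written in. A plain string comparison, which is
    what a literal 'should be X but is Y' check amounts to, does not do this."""
    return parse_dn(required) == parse_dn(presented)


if __name__ == '__main__':
    # Constructed inputs: a subject as one might type it in a GRANT, and the
    # same subject as a library rendering the slash form would present it.
    required = 'CN=mail_user'
    presented = '/CN=mail_user'
    print('literal compare:   ', required == presented)
    print('RDN compare:       ', subject_matches(required, presented))
    print('slash form of GRANT:', to_oneline(parse_dn(required)))
    multi = 'CN=mail_user,O=Example Pty,C=AU'
    print('multi-RDN slash form:', to_oneline(parse_dn(multi)))
```

The practical check this gives you: a server that compares the presented subject as a string accepts only a required value written in the same serialization it renders, so take the DN you intend to require, run it through `to_oneline` (or `to_rfc2253`) and paste that exact string, rather than assuming the delimiters are interchangeable. To see how OpenSSL itself renders a certificate's subject in the comma form, `openssl x509 -in client.crt -noout -subject -nameopt RFC2253` (the filename is assumed) prints it for comparison against what the server logs.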