On 20 Jul 2019, at 23.02, Reio Remma via dovecot <dovecot@dovecot.org> wrote:
>
> On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:
>>
>>> On 20/07/2019 21:07 Reio Remma via dovecot <dovecot@dovecot.org> wrote:
>>>
>>>
>>> On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:
>>>>
>>>>> On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:
>>>>>
>>>>>
>>>>> On 19.07.2019 0:24, Reio Remma via dovecot wrote:
>>>>>> I'm attempting to get Dovecot working with MySQL user database on
>>>>>> another machine. I can connect to the MySQL (5.7.26) instance with SSL
>>>>>> enabled:
>>>>>> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
>>>>>> --ssl-cert=/etc/dovecot/client-cert.pem
>>>>>> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
>>>>>> -u vmail -p
>>>>>> However if I use the same values in dovecot-sql.conf.ext, I get the
>>>>>> following error:
>>>>>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
>>>>>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>>>>>> error: protocol version mismatch - waiting for 1 seconds before retry
>>>>>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
>>>>>> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
>>>>>> using insecure transport are prohibited while
>>>>>> --require_secure_transport=ON. - waiting for 5 seconds before retry
>>>>>> Database connection string:
>>>>>> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>>>>>> ssl_ca=/etc/dovecot/ca.pem \
>>>>>> ssl_cert=/etc/dovecot/client-cert.pem \
>>>>>> ssl_key=/etc/dovecot/client-key.pem \
>>>>>> ssl_cipher=DHE-RSA-AES256-SHA
>>>>> Update: I got it to connect successfully now after downgrading the MySQL
>>>>> server tls-version from TLSv1.1 to TLSv1.
>>>>>
>>>>> Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
>>>>>
>>>>> Thanks!
>>>>> Reio
>>>>
>>>> Dovecot mysql uses libmysqlclient. We do not enforce any particular tls
>>>> protocol version. If it requires you to downgrade I suggest you review
>>>> your client my.cnf for any restrictions.
>>>> ---
>>>> Aki Tuomi
>>>
>>> Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26
>>> versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37.
>>>
>>> Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) from
>>> mysql-community-libs-compat 5.7.26 instead of the newer
>>> libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.
>>>
>>> If I try to remove the libs-compat, yum also insists on removing
>>> dovecot-mysql, so it depends on the older libmysqlclient and ignores the
>>> newer one.
>>>
>>> I don't suspect I can do anything on my end to force the Dovecot CentOS
>>> package to use the non-compat libmysqlclient?
>>>
>>> Thanks,
>>> Reio
>>
>> What repo are you using?
>> ---
>> Aki Tuomi
>
> Installed Packages
> dovecot-mysql.x86_64           2:2.3.7-8       @dovecot-2.3-latest
> mysql-community-libs.x86_64    5.7.26-1.el7    @mysql57-community
>
> Both are from official repos.

dovecot-mysql package is built against the mariadb library that comes with CentOS 7. If you want it to work against other libmysqlclient versions you'd need to compile it yourself: https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/
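
The check the thread turns on (which libmysqlclient a binary actually resolves to) can be scripted; the following is an added example, not part of the original messages or of Dovecot. The function names and the sample `ldd` listing (including its library paths) are constructed, and the version notes are only the two soname-to-version pairs reported in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify MySQL client libraries in ldd output.

# Reads `ldd` output on stdin; prints "soname<TAB>resolved path<TAB>note" per match.
mysql_client_libs() {
    awk '
        # ldd line shape: "libmysqlclient.so.18 => /path/to/lib (0x...)"
        $1 ~ /^lib(mysqlclient|mariadb)(_r)?\.so\./ {
            soname = $1
            # "=> not found" means the loader could not resolve the library.
            path = ($2 == "=>" && $3 != "not") ? $3 : "unresolved"
            n = split(soname, parts, ".")
            major = parts[n]
            note = "soname not discussed in the thread"
            # Pairs reported in the thread: .so.18 was 5.6.37, .so.20 was 5.7.26.
            if (soname ~ /^libmysqlclient/ && major == "18")
                note = "older client library (thread: 5.6.37)"
            if (soname ~ /^libmysqlclient/ && major == "20")
                note = "newer client library (thread: 5.7.26)"
            printf "%s\t%s\t%s\n", soname, path, note
        }
    '
}

# Constructed sample of what `ldd` might print for a module linked to the old soname.
sample_ldd_output() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc0a1f2000)
    libmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 (0x00007f3a5c000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a5bc00000)
EOF
}

# Demo on the constructed sample.
sample_ldd_output | mysql_client_libs
```

On a real host, pipe `ldd` of the Dovecot MySQL driver module into `mysql_client_libs`; the module's path depends on the package and is not given in the thread.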