Re: Dovecot with MySQL over SSL.

2019-07-22 Thread Reio Remma via dovecot

On 22.07.2019 16:05, Timo Sirainen via dovecot wrote:
On 20 Jul 2019, at 23.02, Reio Remma via dovecot wrote:


On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:


On 20/07/2019 21:07 Reio Remma via dovecot wrote:



On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:


On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:



On 19.07.2019 0:24, Reio Remma via dovecot wrote:

I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p
However if I use the same values in dovecot-sql.conf.ext, I get the
following error:
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry

Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry
Database connection string:
connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA
Update: I got it to connect successfully now after downgrading the MySQL
server tls-version from TLSv1.1 to TLSv1.

Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio


Dovecot mysql uses libmysqlclient. We do not enforce any 
particular tls protocol version. If it requires you to downgrade I 
suggest you review your client my.cnf for any restrictions.

---
Aki Tuomi


Thanks Aki! I'm looking at it now and despite identical MySQL 
5.7.26 versions on both systems, it seems Dovecot is using 
libmysqlclient 5.6.37.


Dovecot seems to be using the older libmysqlclient.so.18.1.0 
(5.6.37) from mysql-community-libs-compat 5.7.26 instead of the 
newer libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 
5.7.26.


If I try to remove the libs-compat, yum also insists on removing 
dovecot-mysql, so it depends on the older libmysqlclient and 
ignores the newer one.


I don't suspect I can do anything on my end to force the Dovecot 
CentOS package to use the non-compat libmysqlclient?


Thanks,
Reio 


What repo are you using?
---
Aki Tuomi


Installed Packages
dovecot-mysql.x86_64 2:2.3.7-8 @dovecot-2.3-latest
mysql-community-libs.x86_64 5.7.26-1.el7 @mysql57-community

Both are from official repos.


dovecot-mysql package is built against the mariadb library that comes 
with CentOS 7. If you want it to work against other libmysqlclient 
versions you'd need to compile it yourself: 
https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/


Thanks, I'm again one experience richer after compiling Dovecot from the 
source RPM. Nicely running with TLSv1.1 now.


Thanks!
Reio


Re: Dovecot with MySQL over SSL.

2019-07-22 Thread Timo Sirainen via dovecot
On 20 Jul 2019, at 23.02, Reio Remma via dovecot wrote:
> 
> On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:
>> 
>>> On 20/07/2019 21:07 Reio Remma via dovecot wrote:
>>> 
>>> 
>>> On 20.07.2019 18:03, Aki Tuomi via dovecot wrote: 
 
> On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:
> 
> 
> On 19.07.2019 0:24, Reio Remma via dovecot wrote:
>> I'm attempting to get Dovecot working with MySQL user database on
>> another machine. I can connect to the MySQL (5.7.26) instance with SSL
>> enabled:
>> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
>> --ssl-cert=/etc/dovecot/client-cert.pem
>> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
>> -u vmail -p
>> However if I use the same values in dovecot-sql.conf.ext, I get the
>> following error:
>> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
>> error: protocol version mismatch - waiting for 1 seconds before retry
>> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
>> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
>> using insecure transport are prohibited while
>> --require_secure_transport=ON. - waiting for 5 seconds before retry
>> Database connection string:
>> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>> ssl_ca=/etc/dovecot/ca.pem \
>> ssl_cert=/etc/dovecot/client-cert.pem \
>> ssl_key=/etc/dovecot/client-key.pem \
>> ssl_cipher=DHE-RSA-AES256-SHA
> Update: I got it to connect successfully now after downgrading the MySQL
> server tls-version from TLSv1.1 to TLSv1.
> 
> Is there a reason why Dovecot MySQL doesn't support TLSv1.1?
> 
> Thanks!
> Reio
 
 Dovecot mysql uses libmysqlclient. We do not enforce any particular tls 
 protocol version. If it requires you to downgrade I suggest you review 
 your client my.cnf for any restrictions.
 ---
 Aki Tuomi
>>> 
>>> Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 
>>> versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37. 
>>> 
>>> Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) from 
>>> mysql-community-libs-compat 5.7.26 instead of the newer 
>>> libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26. 
>>> 
>>> If I try to remove the libs-compat, yum also insists on removing 
>>> dovecot-mysql, so it depends on the older libmysqlclient and ignores the 
>>> newer one. 
>>> 
>>> I don't suspect I can do anything on my end to force the Dovecot CentOS 
>>> package to use the non-compat libmysqlclient? 
>>> 
>>> Thanks, 
>>> Reio
>> 
>> What repo are you using?
>> ---
>> Aki Tuomi
> 
> Installed Packages
> dovecot-mysql.x86_64 2:2.3.7-8 @dovecot-2.3-latest
> mysql-community-libs.x86_64 5.7.26-1.el7 @mysql57-community
> 
> Both are from official repos.

dovecot-mysql package is built against the mariadb library that comes with 
CentOS 7. If you want it to work against other libmysqlclient versions you'd 
need to compile it yourself: 
https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/ 



Re: Dovecot with MySQL over SSL.

2019-07-20 Thread Reio Remma via dovecot

On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:



On 20/07/2019 21:07 Reio Remma via dovecot wrote:


On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:


On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:



On 19.07.2019 0:24, Reio Remma via dovecot wrote:

I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p
However if I use the same values in dovecot-sql.conf.ext, I get the
following error:
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry
Database connection string:
connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA
Update: I got it to connect successfully now after downgrading the MySQL
server tls-version from TLSv1.1 to TLSv1.

Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio


Dovecot mysql uses libmysqlclient. We do not enforce any particular 
tls protocol version. If it requires you to downgrade I suggest you 
review your client my.cnf for any restrictions.

---
Aki Tuomi


Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 
versions on both systems, it seems Dovecot is using libmysqlclient 
5.6.37.


Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) 
from mysql-community-libs-compat 5.7.26 instead of the newer 
libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.


If I try to remove the libs-compat, yum also insists on removing 
dovecot-mysql, so it depends on the older libmysqlclient and ignores 
the newer one.


I don't suspect I can do anything on my end to force the Dovecot 
CentOS package to use the non-compat libmysqlclient?


Thanks,
Reio 


What repo are you using?
---
Aki Tuomi


Installed Packages
dovecot-mysql.x86_64 2:2.3.7-8 @dovecot-2.3-latest
mysql-community-libs.x86_64 5.7.26-1.el7 @mysql57-community

Both are from official repos.

Thanks,
Reio


Re: Dovecot with MySQL over SSL.

2019-07-20 Thread Aki Tuomi via dovecot

On 20/07/2019 21:07 Reio Remma via dovecot wrote:

On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:

On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:

On 19.07.2019 0:24, Reio Remma via dovecot wrote:

I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:

mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p

However if I use the same values in dovecot-sql.conf.ext, I get the
following error:

Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry

Database connection string:

connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA

Update: I got it to connect successfully now after downgrading the MySQL
server tls-version from TLSv1.1 to TLSv1.

Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio

Dovecot mysql uses libmysqlclient. We do not enforce any particular tls protocol version. If it requires you to downgrade I suggest you review your client my.cnf for any restrictions.

---
Aki Tuomi

Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37.

Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) from mysql-community-libs-compat 5.7.26 instead of the newer libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.

If I try to remove the libs-compat, yum also insists on removing dovecot-mysql, so it depends on the older libmysqlclient and ignores the newer one.

I don't suspect I can do anything on my end to force the Dovecot CentOS package to use the non-compat libmysqlclient?

Thanks,
Reio

What repo are you using?

---
Aki Tuomi



Re: Dovecot with MySQL over SSL.

2019-07-20 Thread Reio Remma via dovecot

On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:


On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:



On 19.07.2019 0:24, Reio Remma via dovecot wrote:

I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p
However if I use the same values in dovecot-sql.conf.ext, I get the
following error:
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry
Database connection string:
connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA

Update: I got it to connect successfully now after downgrading the MySQL
server tls-version from TLSv1.1 to TLSv1.

Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio


Dovecot mysql uses libmysqlclient. We do not enforce any particular 
tls protocol version. If it requires you to downgrade I suggest you 
review your client my.cnf for any restrictions.

---
Aki Tuomi


Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 
versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37.


Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) 
from mysql-community-libs-compat 5.7.26 instead of the newer 
libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.


If I try to remove the libs-compat, yum also insists on removing 
dovecot-mysql, so it depends on the older libmysqlclient and ignores the 
newer one.


I don't suspect I can do anything on my end to force the Dovecot CentOS 
package to use the non-compat libmysqlclient?


Thanks,
Reio
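The soname Reio reports is the quickest way to see which client library a driver really uses, since the TLS versions on offer come from that library rather than from Dovecot's own settings. Below is an added example, not Dovecot project code and not from anyone in this thread, that runs ldd on the installed driver (or on constructed ldd output, so it works offline) and maps the libmysqlclient major soname to the client generation the thread mentions: .so.18 for the 5.6-era library from mysql-community-libs-compat (mariadb-libs on CentOS 7 provides the same soname, which is why yum ties dovecot-mysql to the compat package), .so.20 for the 5.7 library from mysql-community-libs. The driver path /usr/lib64/dovecot/libdriver_mysql.so is an assumption about the CentOS 7 package layout, and ldd itself is Linux-specific.

```python
"""Which libmysqlclient does the Dovecot MySQL driver actually load?

Added example for this thread, not Dovecot project code. DRIVER_PATH is an
assumed CentOS 7 location; SAMPLE_LDD is constructed from the sonames Reio
reported; SONAME_FAMILY covers only the two majors the thread mentions.
"""
import os
import re
import subprocess

DRIVER_PATH = "/usr/lib64/dovecot/libdriver_mysql.so"   # assumed location

# Major soname -> client library generation, per the versions in the thread
# (.so.18.1.0 came from 5.6.37, .so.20.3.13 from 5.7.26).
SONAME_FAMILY = {
    18: "5.6-era client (mysql-community-libs-compat; mariadb-libs on "
        "CentOS 7 provides the same soname)",
    20: "5.7 client (mysql-community-libs)",
}

# One ldd line:  "\tlibmysqlclient.so.18 => /path/libmysqlclient.so.18 (0x...)"
LDD_RE = re.compile(r"^\s*(libmysqlclient\.so\.(\d+)(?:\.[\d.]+)?)\s*=>\s*(\S+)")


def parse_ldd(output):
    """Return (soname, major, resolved_path) for the libmysqlclient line, or None."""
    for line in output.splitlines():
        m = LDD_RE.match(line)
        if m:
            return m.group(1), int(m.group(2)), m.group(3)
    return None


def describe(output):
    """Human-readable verdict for a block of ldd output."""
    found = parse_ldd(output)
    if found is None:
        return "no libmysqlclient entry: driver linked against another client library"
    soname, major, path = found
    family = SONAME_FAMILY.get(major, "unknown generation")
    return f"{soname} -> {path}: {family}"


def check_driver(path=DRIVER_PATH):
    """Run ldd on the installed driver if present and describe the result."""
    if not os.path.exists(path):
        return f"{path} not found"
    proc = subprocess.run(["ldd", path], capture_output=True, text=True, check=False)
    return describe(proc.stdout)


# Constructed ldd output shaped like the compat case from the thread; the
# load addresses are placeholders.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 =>  (0x0000000000000000)
\tlibmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 (0x0000000000000000)
\tlibc.so.6 => /lib64/libc.so.6 (0x0000000000000000)
"""

if __name__ == "__main__":
    print(describe(SAMPLE_LDD))   # the constructed compat case
    print(check_driver())         # the real driver, if this host has it
```

On a host where the driver exists, check_driver() reports the resolved path, which is the file to compare against the package that owns it (rpm -qf) when deciding whether a rebuild against the newer client library, as Timo suggests further up the thread, is the right fix.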


Re: Dovecot with MySQL over SSL.

2019-07-20 Thread Reio Remma via dovecot

On 20.07.2019 17:52, John Fawcett via dovecot wrote:

On 18/07/2019 23:24, Reio Remma via dovecot wrote:

Hello!

I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:

  mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p

However if I use the same values in dovecot-sql.conf.ext, I get the
following error:

Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc)
starting up for imap, lmtp, sieve (core dumps disabled)
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry

Database connection string:

connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
     ssl_ca=/etc/dovecot/ca.pem \
     ssl_cert=/etc/dovecot/client-cert.pem \
     ssl_key=/etc/dovecot/client-key.pem \
     ssl_cipher=DHE-RSA-AES256-SHA

If I leave the ssl_cipher unset, I get:

Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: Failed to set ciphers to use - waiting for 1 seconds before retry

Any ideas?

Thanks!
Reio

One difference between your testing manually with mysql client and the
same configuration in dovecot is the "ssl_verify_server_cert" parameter.
Dovecot is setting it if it is not specified. So to make the tests the
same you should either specify the --ssl_verify_server_cert parameter to
mysql or set it to no in the dovecot configuration.

John


This works as well:

mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem 
--ssl-cert=/etc/dovecot/client-cert.pem 
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA 
--ssl-mode=VERIFY_IDENTITY -u vmail -p


Protocol mismatch persists when I set ssl_verify_server_cert=no for 
Dovecot MySQL connection.


Thanks,
Reio


Re: Dovecot with MySQL over SSL.

2019-07-20 Thread Aki Tuomi via dovecot

On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:

On 19.07.2019 0:24, Reio Remma via dovecot wrote:

I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:

mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p

However if I use the same values in dovecot-sql.conf.ext, I get the
following error:

Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry

Database connection string:

connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA

Update: I got it to connect successfully now after downgrading the MySQL
server tls-version from TLSv1.1 to TLSv1.

Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio

Dovecot mysql uses libmysqlclient. We do not enforce any particular tls protocol version. If it requires you to downgrade I suggest you review your client my.cnf for any restrictions.

---
Aki Tuomi



Re: Dovecot with MySQL over SSL.

2019-07-20 Thread John Fawcett via dovecot
On 18/07/2019 23:24, Reio Remma via dovecot wrote:
> Hello!
>
> I'm attempting to get Dovecot working with MySQL user database on
> another machine. I can connect to the MySQL (5.7.26) instance with SSL
> enabled:
>
>  mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
> --ssl-cert=/etc/dovecot/client-cert.pem
> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
> -u vmail -p
>
> However if I use the same values in dovecot-sql.conf.ext, I get the
> following error:
>
> Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc)
> starting up for imap, lmtp, sieve (core dumps disabled)
> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
> error: protocol version mismatch - waiting for 1 seconds before retry
> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
> error: protocol version mismatch - waiting for 1 seconds before retry
> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
> using insecure transport are prohibited while
> --require_secure_transport=ON. - waiting for 5 seconds before retry
> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
> using insecure transport are prohibited while
> --require_secure_transport=ON. - waiting for 5 seconds before retry
>
> Database connection string:
>
> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
>     ssl_ca=/etc/dovecot/ca.pem \
>     ssl_cert=/etc/dovecot/client-cert.pem \
>     ssl_key=/etc/dovecot/client-key.pem \
>     ssl_cipher=DHE-RSA-AES256-SHA
>
> If I leave the ssl_cipher unset, I get:
>
> Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
> error: Failed to set ciphers to use - waiting for 1 seconds before retry
>
> Any ideas?
>
> Thanks!
> Reio

One difference between your testing manually with mysql client and the
same configuration in dovecot is the "ssl_verify_server_cert" parameter.
Dovecot is setting it if it is not specified. So to make the tests the
same you should either specify the --ssl_verify_server_cert parameter to
mysql or set it to no in the dovecot configuration.

John
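To make the manual mysql test and Dovecot's own connection comparable, as John suggests, it helps to derive the CLI invocation from the connect string mechanically instead of retyping it. The following is an added example, not Dovecot or MySQL project code and not from anyone in this thread: it parses a dovecot-sql.conf.ext connect value, including the backslash continuations, into the equivalent mysql flags, keeps the password out of argv, and reports whether ssl_verify_server_cert was set explicitly. The mapping of ssl_verify_server_cert=yes to --ssl-mode=VERIFY_IDENTITY follows the flag Reio uses in his reply further up this page; the sample connect string is the one quoted in the thread, and only the options the thread uses are mapped.

```python
"""Turn a dovecot-sql.conf.ext 'connect' string into the matching mysql CLI call.

Added example for this thread, not Dovecot or MySQL project code. Only the
options used in the thread are mapped; SAMPLE_CONNECT is the thread's
connect string (the password value is the placeholder Reio posted).
"""
import shlex

# Dovecot connect key -> mysql client flag. Short flags take a separate
# argument token; long flags take flag=value.
KEY_TO_FLAG = [
    ("host", "-h"),
    ("dbname", "-D"),
    ("user", "-u"),
    ("ssl_ca", "--ssl-ca"),
    ("ssl_cert", "--ssl-cert"),
    ("ssl_key", "--ssl-key"),
    ("ssl_cipher", "--ssl-cipher"),
]


def parse_connect(raw):
    """Parse 'connect = k=v k=v \\<newline> k=v' into a dict."""
    text = raw.replace("\\\n", " ")           # join backslash continuations
    if text.lstrip().startswith("connect"):
        text = text.split("=", 1)[1]           # drop the 'connect =' prefix
    opts = {}
    for token in shlex.split(text):
        if "=" not in token:
            raise ValueError(f"expected key=value, got {token!r}")
        key, value = token.split("=", 1)
        opts[key] = value
    return opts


def to_mysql_argv(opts):
    """Build the mysql argv equivalent to the Dovecot settings."""
    argv = ["mysql"]
    for key, flag in KEY_TO_FLAG:
        if key not in opts:
            continue
        if flag.startswith("--"):
            argv.append(f"{flag}={opts[key]}")
        else:
            argv += [flag, opts[key]]
    # Server-certificate verification, in the CLI spelling Reio used.
    if opts.get("ssl_verify_server_cert", "").lower() in ("yes", "y", "1", "true"):
        argv.append("--ssl-mode=VERIFY_IDENTITY")
    if "password" in opts:
        argv.append("-p")                      # prompt; keep the secret out of argv
    return argv


def verification_report(opts):
    """Is server-certificate verification explicit? (John's point.)"""
    value = opts.get("ssl_verify_server_cert")
    if value is None:
        return ("ssl_verify_server_cert not set: Dovecot applies its own default, "
                "so the CLI test may not verify the same way; set it explicitly")
    return f"ssl_verify_server_cert={value} (explicit)"


# The thread's connect string, as it appears in dovecot-sql.conf.ext.
SAMPLE_CONNECT = r"""connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA"""

if __name__ == "__main__":
    opts = parse_connect(SAMPLE_CONNECT)
    print(shlex.join(to_mysql_argv(opts)))
    print(verification_report(opts))
```

Running it on the thread's string prints a mysql command line with the same CA, client certificate, key and cipher as Dovecot will use, plus a note that verification was left implicit; adding ssl_verify_server_cert=yes or =no to the connect string makes both sides test the same thing.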



Re: Dovecot with MySQL over SSL.

2019-07-20 Thread Reio Remma via dovecot

On 19.07.2019 0:24, Reio Remma via dovecot wrote:
I'm attempting to get Dovecot working with MySQL user database on 
another machine. I can connect to the MySQL (5.7.26) instance with SSL 
enabled:


mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem 
--ssl-cert=/etc/dovecot/client-cert.pem 
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA 
-u vmail -p


However if I use the same values in dovecot-sql.conf.ext, I get the 
following error:


Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection 
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): Connections 
using insecure transport are prohibited while 
--require_secure_transport=ON. - waiting for 5 seconds before retry


Database connection string:

connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA


Update: I got it to connect successfully now after downgrading the MySQL 
server tls-version from TLSv1.1 to TLSv1.


Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio


Dovecot with MySQL over SSL.

2019-07-18 Thread Reio Remma via dovecot

Hello!

I'm attempting to get Dovecot working with MySQL user database on 
another machine. I can connect to the MySQL (5.7.26) instance with SSL 
enabled:


mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p


However if I use the same values in dovecot-sql.conf.ext, I get the 
following error:


Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc) 
starting up for imap, lmtp, sieve (core dumps disabled)
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection 
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection 
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): Connections using 
insecure transport are prohibited while --require_secure_transport=ON. - 
waiting for 5 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): Connections using 
insecure transport are prohibited while --require_secure_transport=ON. - 
waiting for 5 seconds before retry


Database connection string:

connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA

If I leave the ssl_cipher unset, I get:

Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection 
error: Failed to set ciphers to use - waiting for 1 seconds before retry


Any ideas?

Thanks!
Reio
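For anyone watching a Dovecot host for this failure mode, here is an added example, not Dovecot project code and not from anyone in this thread, that parses auth-worker MySQL connect errors of the shape quoted above and sorts them into the three causes the thread runs into: a TLS protocol version mismatch, the server refusing a non-TLS connection under require_secure_transport=ON, and the cipher-list failure seen when ssl_cipher is unset. The sample log lines are constructed from the ones in this thread (re-joined onto single lines, since mail wrapping split them), and the hint text records where the thread ended up: the protocol mismatch came from the client library Dovecot was linked against, not from Dovecot's own settings.

```python
"""Classify Dovecot auth-worker MySQL connect failures from the mail log.

Added example for this thread, not Dovecot project code. SAMPLE_LOG is
constructed from the lines quoted in the thread, re-joined onto single
lines; the hint text records where the thread ended up.
"""
import re
from collections import Counter

# Shape of the Dovecot auth-worker line quoted in the thread:
#   <ts> <host> dovecot: auth-worker(<pid>): Error: mysql(<dbhost>):
#   Connect failed to database (<db>): <reason> - waiting for <n> seconds before retry
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dovecot: "
    r"auth-worker\((?P<pid>\d+)\): Error: mysql\((?P<dbhost>[^)]+)\): "
    r"Connect failed to database \((?P<db>[^)]+)\): (?P<reason>.*?)"
    r" - waiting for (?P<delay>\d+) seconds before retry$"
)

# (pattern, category, hint). Hints are the causes this thread settled on,
# offered to the operator as a starting point rather than a diagnosis.
REASON_RULES = [
    (re.compile(r"protocol version mismatch"), "tls_version_mismatch",
     "no TLS version shared by the server's tls_version and the client "
     "library Dovecot links against (check which libmysqlclient is loaded)"),
    (re.compile(r"insecure transport are prohibited"), "plaintext_refused",
     "connection reached the server without TLS and the server has "
     "require_secure_transport=ON; in the thread's log it follows the failed TLS attempt"),
    (re.compile(r"Failed to set ciphers"), "cipher_config",
     "ssl_cipher unset or rejected by the client library"),
]


def parse_line(line):
    """Parse one log line; return a dict, or None if it is not a connect failure."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["delay"] = int(rec["delay"])
    rec["category"], rec["hint"] = "unknown", "no rule matched"
    for pattern, category, hint in REASON_RULES:
        if pattern.search(rec["reason"]):
            rec["category"], rec["hint"] = category, hint
            break
    return rec


def summarize(lines):
    """Count failures per category and keep one hint per category."""
    counts, hints = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["category"]] += 1
        hints.setdefault(rec["category"], rec["hint"])
    return {"counts": dict(counts), "hints": hints}


# Constructed from the thread's log excerpts; the last line is the master
# start-up message, which the parser must ignore.
SAMPLE_LOG = [
    "Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): "
    "Connect failed to database (vmail): SSL connection error: protocol version "
    "mismatch - waiting for 1 seconds before retry",
    "Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: mysql(db.mrst.ee): "
    "Connect failed to database (vmail): Connections using insecure transport are "
    "prohibited while --require_secure_transport=ON. - waiting for 5 seconds before retry",
    "Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error: mysql(db.mrst.ee): "
    "Connect failed to database (vmail): SSL connection error: Failed to set ciphers "
    "to use - waiting for 1 seconds before retry",
    "Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc) starting up "
    "for imap, lmtp, sieve (core dumps disabled)",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for category, n in report["counts"].items():
        print(f"{n:3d}  {category:22s} {report['hints'][category]}")
```

Because Dovecot keeps retrying (the "waiting for N seconds before retry" tail), a single misconfiguration produces a steady stream of these lines; counting per category rather than per line keeps the alert volume proportional to the number of distinct problems, and the plaintext_refused count on its own is worth an alert since it means the client tried the database without TLS at all.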