On 18/07/2019 23:24, Reio Remma via dovecot wrote:
> Hello!
>
> I'm attempting to get Dovecot working with MySQL user database on
> another machine. I can connect to the MySQL (5.7.26) instance with SSL
> enabled:
>
> mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
> --ssl-cert=/etc/dovecot/client-cert.pem
> --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
> -u vmail -p
>
> However if I use the same values in dovecot-sql.conf.ext, I get the
> following error:
>
> Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc)
> starting up for imap, lmtp, sieve (core dumps disabled)
> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
> error: protocol version mismatch - waiting for 1 seconds before retry
> Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
> error: protocol version mismatch - waiting for 1 seconds before retry
> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
> using insecure transport are prohibited while
> --require_secure_transport=ON. - waiting for 5 seconds before retry
> Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): Connections
> using insecure transport are prohibited while
> --require_secure_transport=ON. - waiting for 5 seconds before retry
>
> Database connection string:
>
> connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
> ssl_ca=/etc/dovecot/ca.pem \
> ssl_cert=/etc/dovecot/client-cert.pem \
> ssl_key=/etc/dovecot/client-key.pem \
> ssl_cipher=DHE-RSA-AES256-SHA
>
> If I leave the ssl_cipher unset, I get:
>
> Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error:
> mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
> error: Failed to set ciphers to use - waiting for 1 seconds before retry
>
> Any ideas?
>
> Thanks!
> Reio

One difference between your testing manually with mysql client and the
same configuration in dovecot is the "ssl_verify_server_cert" parameter.
Dovecot is setting it if it is not specified. So to make the tests the
same you should either specify the --ssl_verify_server_cert parameter to
mysql or set it to no in the dovecot configuration.

John
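
An added example, not part of either message and not Dovecot or MySQL code: a small script that normalises the two configurations from this thread and reports which TLS settings actually differ between the manual test and the Dovecot connect string. It assumes the defaults described in the reply (Dovecot enables ssl_verify_server_cert when it is unset) and that the MySQL 5.7 client leaves server-certificate verification off unless the flag is given; the function names are hypothetical.

```python
import shlex

# Assumed defaults when the option is absent: per the reply, Dovecot turns
# ssl_verify_server_cert on itself; the MySQL 5.7 client leaves it off.
DOVECOT_DEFAULTS = {"ssl_verify_server_cert": "yes"}
MYSQL_CLI_DEFAULTS = {"ssl_verify_server_cert": "no"}
TLS_KEYS = ("ssl_ca", "ssl_cert", "ssl_key", "ssl_cipher",
            "ssl_verify_server_cert")

# Inputs copied from the quoted message.
MYSQL_CMD = ("mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem "
             "--ssl-cert=/etc/dovecot/client-cert.pem "
             "--ssl-key=/etc/dovecot/client-key.pem "
             "--ssl-cipher=DHE-RSA-AES256-SHA -u vmail -p")
DOVECOT_CONNECT = (
    "connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \\\n"
    "  ssl_ca=/etc/dovecot/ca.pem \\\n"
    "  ssl_cert=/etc/dovecot/client-cert.pem \\\n"
    "  ssl_key=/etc/dovecot/client-key.pem \\\n"
    "  ssl_cipher=DHE-RSA-AES256-SHA")


def parse_dovecot_connect(line):
    """Parse 'connect = k=v k=v ...' (backslash continuations allowed)."""
    value = line.replace("\\\n", " ").partition("=")[2]
    opts = dict(DOVECOT_DEFAULTS)
    opts.update(tok.split("=", 1) for tok in value.split() if "=" in tok)
    return opts


def parse_mysql_cli(command):
    """Map the --ssl-* flags of a mysql command line to the same key names."""
    opts = dict(MYSQL_CLI_DEFAULTS)
    for arg in shlex.split(command)[1:]:
        if arg.startswith("--ssl"):
            key, sep, val = arg[2:].partition("=")
            # A bare flag such as --ssl-verify-server-cert means "enabled".
            opts[key.replace("-", "_")] = val if sep else "yes"
    return opts


def tls_differences(dovecot_opts, mysql_opts):
    """Return {key: (dovecot_value, mysql_value)} for TLS settings that differ."""
    return {k: (dovecot_opts.get(k), mysql_opts.get(k)) for k in TLS_KEYS
            if dovecot_opts.get(k) != mysql_opts.get(k)}


if __name__ == "__main__":
    print(tls_differences(parse_dovecot_connect(DOVECOT_CONNECT),
                          parse_mysql_cli(MYSQL_CMD)))
```

An empty result means the manual mysql test and the Dovecot configuration exercise the same TLS settings, so a failure seen in one should reproduce in the other.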
