Hello,
Somewhat recently, I began to notice failures of the following variety
in several similarly-configured servers' mail logs:
postfix/proxymap[3378003]: warning: connect to mysql server 127.0.0.1:
SSL connection error: error:1425F102:SSL
routines:ssl_choose_client_version:unsupported protocol
Ultimately, I cannot seem to determine why Postfix is trying to use TLS
when connecting to a local MariaDB instance that resides on the same
server, particularly when I have not configured Postfix to do so (at
least not knowingly).
Postfix's MYSQL_TABLE(5) documentation doesn't seem to contain anything
relevant to this issue, and in fact, I'm struggling to find any
documentation that describes how Postfix implements TLS when connecting
to MySQL/MariaDB.
I'm happy to provide my postfinger output if it seems relevant, but it's
voluminous, so I figured I'd refrain unless it's requested.
Here are the vitals, however:
$ postconf mail_version
mail_version = 3.4.13
$ mysql --version
mysql Ver 15.1 Distrib 10.3.34-MariaDB, for debian-linux-gnu (x86_64)
using readline 5.2
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal
# postconf -d | grep tls_high_cipherlist
tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH
I suppose I would ask the following:
1.) Can Postfix be instructed explicitly to use (or not to use) TLS when
connecting to MySQL/MariaDB over TCP? If so, how?
2.) If not, how does Postfix decide whether or not to use TLS when
connecting to MySQL/MariaDB?
3.) If there is no way to prevent Postfix from trying to use TLS when
connecting to MySQL/MariaDB over a TCP connection (assume for the sake
of argument that a socket is not an option, or the database host is
remote), is there a mechanism by which to specify which
ciphers/cipher-suites to use?
Thank you for any help, and please let me know if any additional info
would be useful.
Best regards,
-Ben