Hello,

Somewhat recently, I began to notice failures of the following variety in several similarly-configured servers' mail logs:

postfix/proxymap[3378003]: warning: connect to mysql server 127.0.0.1: SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

Ultimately, I cannot seem to determine why Postfix is trying to use TLS when connecting to a local MariaDB instance that resides on the same server, particularly when I have not configured Postfix to do so (at least not knowingly).

Postfix's MYSQL_TABLE(5) documentation doesn't seem to contain anything relevant to this issue, and in fact, I'm struggling to find any documentation that describes how Postfix implements TLS when connecting to MySQL/MariaDB.

I'm happy to provide my postfinger output if it seems relevant, but it's voluminous, so I figured I'd refrain unless it's requested.

Here are the vitals, however:

$ postconf mail_version
mail_version = 3.4.13

$ mysql --version
mysql Ver 15.1 Distrib 10.3.34-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:        20.04
Codename:       focal

# postconf -d | grep tls_high_cipherlist
tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH

I suppose I would ask the following:

1.) Can Postfix be instructed explicitly to use (or not to use) TLS when connecting to MySQL/MariaDB over TCP? If so, how?

2.) If not, how does Postfix decide whether or not to use TLS when connecting to MySQL/MariaDB?

3.) If there is no way to prevent Postfix from trying to use TLS when connecting to MySQL/MariaDB over a TCP connection (assume for the sake of argument that a socket is not an option, or the database host is remote), is there a mechanism by which to specify which ciphers/cipher-suites to use?

Thank you for any help, and please let me know if any additional info would be useful.

Best regards,

-Ben

Reply via email to