postfix connecting MySQL database with ssl enabled does not work

Ricardo Barbosa
Hi all,

I am trying to use postfix to fetch data from an external MySQL server in an AWS environment. However, since it uses encryption, I have already made several attempts to use TLSv1/2, without success, by changing the file "/etc/ssl/openssl.conf".

I followed this post but it didn't work for me.

https://stackoverflow.com/questions/61568215/openssl-v1-1-1-ubuntu-20-tlsv1-no-protocols-available

https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level


which guide you to make the changes in the /etc/ssl/openssl.conf file:

You don't have your config changes quite right. You need to add this to the beginning of your config file:

---------openssl.conf-------------
openssl_conf = default_conf
---------------------------------------

And then this to the end:

-----------openssl.conf---------------

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
---------------------------------------


- attempt using ssl

Then I created the mysql-virtual-mailbox-domain.cf file with the following content

------------mysql-virtual-mailbox-domain.cf-------------------------
user = postfix
password = xxxxx
dbname = email
hosts = 192.168.11.11
query = SELECT dominio AS "virtual" FROM dominios WHERE dominio='%s'
tls_CAfile =/etc/postfix/rds-combined-ca-bundle.pem
-----------------------------------------------------------------------------------

But it was unsuccessful. I repeated this procedure, changing the MinProtocol variable to the TLSv1, TLSv1.1 and TLSv1.2 protocols, but without success.

The log message:

-------mail.log-------
Dec  8 13:36:45 server postfix/trivial-rewrite[1880]: warning: connect to mysql server 192.168.11.11: SSL connection error: SSL_CTX_set_default_verify_paths failed
-------------------------

I checked the read permission of the certificate file.

---------namei-----------
root@server:~# namei -lv /etc/postfix/rds-combined-ca-bundle.pem
f: /etc/postfix/rds-combined-ca-bundle.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root postfix
-rw-r--r-- root root rds-combined-ca-bundle.pem
root@server:~#
-------------------------


- attempt without using ssl

I've been reading the postfix documentation http://www.postfix.org/MYSQL_README.html and created the .my.cnf file inside the postfix home (/var/spool/postfix) with the following content

----------/var/spool/postfix/.my.cnf------------------
[client]
ssl_mode=DISABLED
--------------------------------------------------------------

Then I created the mysql-virtual-mailbox-domain.cf file with the following content

------------mysql-virtual-mailbox-domain.cf-------------------------
user = postfix
password = xxxxx
dbname = email
hosts = 192.168.11.11
query = SELECT dominio AS "virtual" FROM dominios WHERE dominio='%s'
option_file = /var/spool/postfix/.my.cnf
option_group = client
-----------------------------------------------------------------------------------

But it didn't work.

The log message:


---------------mail.log-----------------
Dec  8 13:47:50 server postfix/trivial-rewrite[3395]: warning: connect to mysql server 192.168.11.11: SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
------------------------------------------


When logging in as the postfix user, the .my.cnf file works.

------------------------------------------------------------------------------------
root@server:~# su - postfix -s /bin/bash
postfix@server:~$ mysql -s
mysql>
------------------------------------------------------------------------------------

I also tried leaving the /etc/ssl/openssl.conf file like this:

------------openssl.conf---------------------------
openssl_conf = default_conf

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
#MinProtocol = TLSv1.2
#CipherString = DEFAULT:@SECLEVEL=1
----------------------------------------------------


leaving no options set, but without success. Is there any way to make postfix disable ssl, or even use the certificate provided by AWS as the CA file?

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

Versions:
Ubuntu: Ubuntu 20.04.1 LTS
Postfix: 3.4.13
MySQL: 5.6.10

Best Regards.




Re: postfix connecting MySQL database with ssl enabled does not work

Viktor Dukhovni
On Tue, Dec 08, 2020 at 04:55:03PM +0000, Ricardo Barbosa wrote:

> ------------mysql-virtual-mailbox-domain.cf-------------------------
> user = postfix
> password = xxxxx
> dbname = email
> hosts = 192.168.11.11
> query = SELECT dominio AS "virtual" FROM dominios WHERE dominio='%s'
> tls_CAfile =/etc/postfix/rds-combined-ca-bundle.pem
> -----------------------------------------------------------------------------------
>
> But unsuccessfully, I did this procedure changing the MinProtocol
> variable for the TLSv1, TLSv1.1 and TLSv1.2 protocols, but without
> success The log message
>
> -------mail.log-------
> Dec  8 13:36:45 server postfix/trivial-rewrite[1880]: warning: connect to mysql server 192.168.11.11: SSL connection error: SSL_CTX_set_default_verify_paths failed
> -------------------------

Is the "trivial-rewrite" service configured to use "chroot" in your
master.cf file?  Best to disable any chroot for now.

--
    Viktor.
Re: postfix connecting MySQL database with ssl enabled does not work

Ricardo Barbosa
Hi Viktor, thanks for the response.

I also tried putting the openssl.conf file inside the jail, but the rewrite doesn't read it. Is it possible to pass the OPENSSL_CONF environment variable to the rewrite process?

Regards

On Tuesday, 8 December 2020 at 13:08:58 AMT, Viktor Dukhovni <[hidden email]> wrote:

On Tue, Dec 08, 2020 at 04:55:03PM +0000, Ricardo Barbosa wrote:

> ------------mysql-virtual-mailbox-domain.cf-------------------------
> user = postfix
> password = xxxxx
> dbname = email
> hosts = 192.168.11.11
> query = SELECT dominio AS "virtual" FROM dominios WHERE dominio='%s'
> tls_CAfile =/etc/postfix/rds-combined-ca-bundle.pem
> -----------------------------------------------------------------------------------
>
> But unsuccessfully, I did this procedure changing the MinProtocol
> variable for the TLSv1, TLSv1.1 and TLSv1.2 protocols, but without
> success The log message
>
> -------mail.log-------
> Dec  8 13:36:45 server postfix/trivial-rewrite[1880]: warning: connect to mysql server 192.168.11.11: SSL connection error: SSL_CTX_set_default_verify_paths failed

> -------------------------

Is the "trivial-rewrite" service configured to use "chroot" in your
master.cf file?  Best to disable any chroot for now.

--
    Viktor.
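The check that Viktor's chroot question points at, written out as an added example (this is not code from the thread, from Postfix or from Ubuntu): a chrooted trivial-rewrite resolves the tls_CAfile path relative to queue_directory (/var/spool/postfix on Ubuntu, which is the assumption made here), so a CA bundle that is readable on the host can still be invisible to the process that does the mysql: lookup. The script reads the chroot column of a master.cf, then tests whether the CA path exists under the chroot root when the service is chrooted, or on the host when it is not. The master.cf fragment, the spool tree and the file name present-ca.pem are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: does a Postfix service run chrooted,
# and is a tls_CAfile path visible from inside that chroot?
# Assumption: the chroot root is queue_directory (/var/spool/postfix on Ubuntu).

# Print the chroot column for SERVICE in MASTER_CF: y, n, "default" for "-",
# or "missing". master.cf columns are
#   service type private unpriv chroot wakeup maxproc command
# "-o" continuation lines never match because their first field is "-o".
chroot_column() {
    awk -v svc="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        $1 == svc { v = ($5 == "-") ? "default" : $5; print v; found = 1; exit }
        END { if (!found) print "missing" }
    ' "$1"
}

# Usage: ca_check MASTER_CF SERVICE QUEUE_DIR CA_FILE
# Returns 0 when CA_FILE is readable from the root the service actually sees,
# 1 when it is not, 2 when the chroot setting cannot be decided from master.cf.
ca_check() {
    cf=$1; svc=$2; qdir=$3; ca=$4
    cr=$(chroot_column "$cf" "$svc")
    case $cr in
        y)
            if [ -r "$qdir$ca" ]; then
                echo "$svc: chrooted; $ca found as $qdir$ca"
                return 0
            fi
            echo "$svc: chrooted; $ca is NOT visible inside $qdir (copy it to $qdir$ca, or set the chroot column to n and run postfix reload)"
            return 1 ;;
        n)
            if [ -r "$ca" ]; then
                echo "$svc: not chrooted; $ca is readable"
                return 0
            fi
            echo "$svc: not chrooted; $ca is missing or unreadable"
            return 1 ;;
        default)
            echo "$svc: chroot column is '-', so the Postfix default applies (depends on version and compatibility_level); inspect it with postconf -M"
            return 2 ;;
        *)
            echo "$svc: not found in $cf"
            return 2 ;;
    esac
}

# Build a constructed master.cf fragment and spool tree in a temp dir and
# print its path. One CA file is placed inside the fake chroot; nothing else.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/spool/etc/postfix"
    cat > "$d/master.cf" <<'EOF'
# constructed master.cf fragment
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
pickup    unix  n       -       -       60      1       pickup
trivial-rewrite unix  -       -       y       -       -       trivial-rewrite
cleanup   unix  n       -       n       -       0       cleanup
EOF
    : > "$d/spool/etc/postfix/present-ca.pem"   # CA bundle copied into the chroot
    echo "$d"
}

# Demo: the copied bundle is visible to chrooted trivial-rewrite, the host-only
# path from the thread is not, and pickup's "-" needs a look at postconf -M.
sample=$(make_sample)
for ca in /etc/postfix/present-ca.pem /etc/postfix/rds-combined-ca-bundle.pem; do
    ca_check "$sample/master.cf" trivial-rewrite "$sample/spool" "$ca" || true
done
ca_check "$sample/master.cf" pickup "$sample/spool" /etc/postfix/present-ca.pem || true
rm -rf "$sample"
```

On a real host run it as `ca_check /etc/postfix/master.cf trivial-rewrite /var/spool/postfix /etc/postfix/rds-combined-ca-bundle.pem`; a return of 1 for a chrooted service means the path in the mysql: table file cannot be opened by the process that logs the "SSL_CTX_set_default_verify_paths failed" warning, whatever `namei` shows for the host path.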