Dovecot: ssl_ca_path not respected?
Hi,
I have difficulties setting up Dovecot to connect to a remote MariaDB
instance over TLS.
So I have two Debian 11 LXD containers spun up, one as a mail server with
Postfix and Dovecot, and one as a database instance with MariaDB. The LXD
host is Ubuntu 20.04.
I defined `passdb` in /etc/dovecot/conf.d/auth-sql.conf.ext as:
...
passdb {
driver = sql
# Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
args = /etc/dovecot/dovecot-sql.conf.ext
}
...
And in /etc/dovecot/dovecot-sql.conf.ext I configured:
...
driver = mysql
connect = host=<db instance's address> ssl_ca_path=/etc/ssl/certs dbname=<dbname> user=maildb password=<passwd>
password_query = SELECT email AS user, password FROM virtual_users \
WHERE email='%u'
...
In /etc/dovecot/conf.d/10-auth.conf I #include'd:
...
!include auth-sql.conf.ext
!include auth-passwdfile.conf.ext
...
On the database instance, I required that the user `maildb` (which I use for
Dovecot to connect to the `<dbname>` database) connect over TLS by:
alter user maildb@<mail server's address> require ssl;
Based on the setup above, I expected that Dovecot could connect to the database
instance over TLS.
Then I simulated user login by:
doveadm auth login <dummy@dummy.dummy> <passwd>
Surprisingly, the Dovecot log read via journalctl says:
Jun 28 12:02:19 <mail server> dovecot[2104]: auth-worker(2176): Error: mysql(<db instance's address>): Connect failed to database (<dbname>): Access denied for user 'maildb'@'<mail server's domain>' (using password: YES) - waiting for 125 seconds before retry
But I had configured Dovecot to log to /var/log/dovecot.log. During the
simulated login attempt, it said:
Jun 28 12:01:48 imap-login: Info: Login: user=<dummy@dummy.dummy>, method=PLAIN, rip=<ipv6 address>, mpid=2177, TLS, session=<KLRtPdLFZsn9QgZPovs4mgAAAAAAAAAB>
Jun 28 12:01:48 auth-worker(2176): Debug: passwd-file /etc/dovecot/conf.d/99-vusers.list: Read 3 users in 0 secs
Jun 28 12:01:48 auth-worker(2176): Debug: conn unix:auth-worker (pid=2169,uid=106): Server accepted connection (fd=14)
Jun 28 12:01:48 auth-worker(2176): Debug: conn unix:auth-worker (pid=2169,uid=106): Sending version handshake
Jun 28 12:02:48 auth-worker(2176): Debug: conn unix:auth-worker (pid=2169,uid=106): Disconnected: Connection closed (fd=-1)
Assuming that the credentials in the `connect` option are correct, I guessed that
the problem is caused by Dovecot trying to connect to the database instance
without TLS (that is, ignoring the `ssl_ca_path` parameter).
The comment documentation for the `ssl_ca_path` parameter, however, only
said:
# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
I guessed that the value of `ssl_ca_path` is the path to the directory containing
the system's root certificates (`/etc/ssl/certs`).
Note that my setup above uses a custom TLS certificate signed by an internal
CA. The CA's root certificate is installed on both the database instance and
the mail server and also added to the system certificate store with
`update-ca-certificates`.
Due to the above, I had to disable TLS for now by removing the `ssl_ca_path`
parameter from the `connect` option and by reverting the TLS connection
requirement with `alter user maildb@<mail server's address> require none;`
Am I missing something? Or is it a Dovecot bug?
--
An old man doll... just what I always wanted! - Clara
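An added diagnostic, not part of the original post: it parses the Dovecot `connect` string for the two keys the config comment says enable SSL, and parses a MariaDB HandshakeV10 greeting to see whether the server advertises the CLIENT_SSL capability, so a missing TLS handshake can be pinned to either end before suspecting Dovecot. The sample greetings are constructed, and `read_handshake` is an assumed helper for probing a live server (everything else runs offline).

```python
import socket
import struct

CLIENT_SSL = 0x0800  # capability bit a MySQL/MariaDB server sets when it can do TLS

def parse_connect_string(connect: str) -> dict:
    """Split Dovecot's space-separated key=value `connect` string into a dict."""
    return dict(kv.split("=", 1) for kv in connect.split() if "=" in kv)

def tls_requested(params: dict) -> bool:
    """Per the dovecot-sql.conf.ext comment, TLS is enabled only if ssl_ca or ssl_ca_path is set."""
    return bool(params.get("ssl_ca") or params.get("ssl_ca_path"))

def server_offers_ssl(payload: bytes) -> bool:
    """Test CLIENT_SSL in a HandshakeV10 payload (4-byte packet header already stripped).
    Layout: protocol_version(1) server_version(NUL-terminated) connection_id(4)
            auth_plugin_data_part1(8) filler(1) capability_flags_lower(2) ..."""
    if not payload or payload[0] != 10:
        raise ValueError("not a HandshakeV10 greeting")
    nul = payload.index(b"\x00", 1)
    caps_offset = nul + 1 + 4 + 8 + 1
    (caps_lower,) = struct.unpack_from("<H", payload, caps_offset)
    return bool(caps_lower & CLIENT_SSL)

def read_handshake(host: str, port: int = 3306, timeout: float = 5.0) -> bytes:
    """Assumed helper: read the greeting from a live server (3-byte LE length, 1-byte seq id, payload)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        header = sock.recv(4)
        length = int.from_bytes(header[:3], "little")
        payload = b""
        while len(payload) < length:
            chunk = sock.recv(length - len(payload))
            if not chunk:
                break
            payload += chunk
    return payload

def _greeting(caps_lower: int) -> bytes:
    """Constructed sample greeting (not a real capture) carrying the given lower caps."""
    return (b"\x0a" + b"10.5.15-MariaDB\x00" + b"\x07\x00\x00\x00"
            + b"A" * 8 + b"\x00" + struct.pack("<H", caps_lower))

SAMPLE_TLS_CAPABLE = _greeting(0xFFFF)  # CLIENT_SSL (0x0800) set
SAMPLE_NO_TLS = _greeting(0xF7FF)       # same flags with CLIENT_SSL cleared

if __name__ == "__main__":
    conf = "host=db ssl_ca_path=/etc/ssl/certs dbname=mail user=maildb password=x"
    print("client asks for TLS:", tls_requested(parse_connect_string(conf)))
    print("server offers TLS:", server_offers_ssl(SAMPLE_TLS_CAPABLE))
```

If the client side asks for TLS and the server offers it but the server still reports "Access denied" for a `REQUIRE SSL` account, the negotiation itself, not the configuration keys, is what to capture next.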