Topic: MySQL User and SSL
I wanted to reply to this thread: https://forum.iredmail.org/topic12613-i … d-ssl.html where someone wanted to make all connections from their iredmail server to their MySQL server encrypted using SSL. That topic is closed, so I'm creating a new one that might help people.
I found a fairly easy way to do this on my iRedMail 0.9.7 server. There's a my.cnf file that controls global options for MySQL clients on a system. On Linux it's usually something like /etc/my.cnf. On FreeBSD it is often /usr/local/etc/my.cnf.
The symptom I was seeing is that /opt/iredapd/tools/cleanup_db.py was failing to connect. I require TLS for the iredapd user in MySQL, and since cleanup_db.py wasn't enabling TLS on the connection, the connection was failing.
Rather than modify source code, I created a /usr/local/etc/my.cnf file with these contents:
# The following options will be passed to all MySQL clients
[client]
port = 3306
# put in your own real database server name here
host = db.example.com
ssl-mode = REQUIRED
ssl-cipher = DHE-RSA-AES256-SHA
I also added the lines below to the root user's .my.cnf file (/root/.my.cnf on my system).
ssl-mode = REQUIRED
ssl-cipher = DHE-RSA-AES256-SHA
After making these changes, the cron jobs were able to successfully connect to the database using SSL. No code changes to the iredapd code were required.
Hope that helps someone.
Paco
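An added example, not part of the post above or of iRedMail's code: a small audit of a my.cnf file's [client] group that reports whether ssl-mode forces encryption and whether it also verifies the server certificate (in MySQL, REQUIRED encrypts without verifying; VERIFY_CA and VERIFY_IDENTITY also verify). The function name `audit_client_tls` and the sample strings are assumptions made for this illustration.

```python
import configparser

# ssl-mode values that force an encrypted connection / also verify the server.
ENCRYPTS = {"REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}
VERIFIES_SERVER = {"VERIFY_CA", "VERIFY_IDENTITY"}

# Constructed sample: the [client] group shown in the post above.
POST_CONFIG = """\
# The following options will be passed to all MySQL clients
[client]
port = 3306
host = db.example.com
ssl-mode = REQUIRED
ssl-cipher = DHE-RSA-AES256-SHA
"""


def audit_client_tls(text):
    """Return (encrypted, server_verified, ssl_mode) for the [client] group."""
    # Drop !include / !includedir directives, which configparser cannot parse.
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("!")]
    cp = configparser.ConfigParser(
        allow_no_value=True,      # my.cnf allows bare flags such as "quick"
        strict=False,             # repeated options: last one wins
        interpolation=None,       # '%' in values is literal
        inline_comment_prefixes=("#",),
    )
    cp.read_string("\n".join(lines))
    mode = None
    if cp.has_section("client"):
        for key, value in cp.items("client"):
            # MySQL treats '-' and '_' in option names as equivalent.
            if key.replace("_", "-") == "ssl-mode" and value:
                mode = value.strip().strip("\"'").upper()
    return mode in ENCRYPTS, mode in VERIFIES_SERVER, mode


if __name__ == "__main__":
    encrypted, verified, mode = audit_client_tls(POST_CONFIG)
    print(f"ssl-mode={mode} encrypted={encrypted} server_verified={verified}")
```

To check a real file, pass its contents, for example `audit_client_tls(open("/usr/local/etc/my.cnf").read())`.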