Topic: [Tutorial] Fix iRedmail 1.4.0 MariaDB "SSL is broken out of the box"
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version 1.4.0
- Deployed with downloadable installer
- Rocky Linux 8.4
- MariaDB backend
- Nginx webserver
====
Alright, so I have installed iRedMail on a test server with MariaDB backend and rebooted the server as instructed. No other commands but the ones listed below were run on the server (except for the iRedMail installation and installation of wget and nano).
After reboot I immediately try to connect to MariaDB with
reboot
...
mysql -u root -p
This does not work because, with the strict SSL certificate testing of current MariaDB versions on Rocky Linux 8.4 (should apply to CentOS 8 Stream too), there seems to be a problem with the self-signed iRedMail.crt and iRedMail.key created during installation. I receive the following error message:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading authorization packet', system error: 0
The problem is with the certificate, because when I turn off SSL for MariaDB it works fine. Since running a mail server with a self-signed certificate isn't best practice anyway, I got a Let's Encrypt certificate and ran the following commands recommended by the /etc/nginx/templates/ssl.tmpl file.
rm -f /etc/pki/tls/private/iRedMail.key
rm -f /etc/pki/tls/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/<domain>/privkey.pem /etc/pki/tls/private/iRedMail.key
ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
Of course I replaced <domain> by the correct domain name, as the command would otherwise throw an error. After this step nginx works fine with the Let's Encrypt certificate, however MariaDB doesn't, because the mysql user has no access to the files. You'll see the following error messages in /var/log/messages (or possibly /var/log/mariadb/error.log, depending on your logging configuration):
grep mysqld /var/log/messages
Sep 4 10:36:29 test mysqld[3289]: SSL error: Unable to get certificate from '/etc/pki/tls/certs/iRedMail.crt'
Sep 4 10:36:29 test mysqld[3289]: 2021-09-04 10:36:29 0 [Warning] Failed to setup SSL
Sep 4 10:36:29 test mysqld[3289]: 2021-09-04 10:36:29 0 [Warning] SSL error: Unable to get certificate
Sep 4 10:36:29 test mysqld[3289]: 2021-09-04 10:36:29 0 [Warning] SSL error: error:0200100D:system library:fopen:Permission denied
Sep 4 10:36:29 test mysqld[3289]: 2021-09-04 10:36:29 0 [Warning] SSL error: error:20074002:BIO routines:file_ctrl:system lib
Sep 4 10:36:29 test mysqld[3289]: 2021-09-04 10:36:29 0 [Warning] SSL error: error:140DC002:SSL routines:use_certificate_chain_file:system lib
To allow MariaDB, or rather the mysql user, to access the certificate files I have run the following commands:
setfacl -R -m "u:mysql:rx" /etc/letsencrypt/archive/ /etc/letsencrypt/live/
setfacl -R -m "u:mysql:rx" /etc/pki/tls/certs/iRedMail.crt /etc/pki/tls/private/iRedMail.key
I used setfacl since I didn't want to "replace" the original permissions with chown.
Et voilà, when you restart MariaDB (systemctl restart mariadb), SSL starts working.
MariaDB [(none)]> show variables like '%ssl%';
--------------
show variables like '%ssl%'
--------------
+---------------------+-----------------------------------+
| Variable_name       | Value                             |
+---------------------+-----------------------------------+
| have_openssl        | YES                               |
| have_ssl            | YES                               |
| ssl_ca              |                                   |
| ssl_capath          |                                   |
| ssl_cert            | /etc/pki/tls/certs/iRedMail.crt   |
| ssl_cipher          | EECDH+AESGCM:EDH+AESGCM           |
| ssl_crl             |                                   |
| ssl_crlpath         |                                   |
| ssl_key             | /etc/pki/tls/private/iRedMail.key |
| version_ssl_library | OpenSSL 1.1.1g FIPS 21 Apr 2020   |
+---------------------+-----------------------------------+
10 rows in set (0.002 sec)
Additional information: my.cnf was changed in accordance with https://syslink.pl/cipherlist/ recommendations.
Make sure ssl-ca stays commented out (#ssl-ca, the iRedMail default) in my.cnf: as the name says, fullchain.pem from Let's Encrypt already contains the full chain including the intermediate CA certificate, so ssl-ca doesn't need to be set.
#ssl_cipher = ALL
ssl_cipher = EECDH+AESGCM:EDH+AESGCM
So to sum it up, this is not a question but rather a tutorial on how to fix the out-of-the-box broken SSL of MariaDB when installing iRedMail 1.4 on Rocky Linux 8.4.
PS: This setup also works with Master-Master MariaDB replication in my production environment, where I use two iRedMail servers (vmail is synced with GlusterFS).
A little caveat I still have here is that all services using the Let's Encrypt certificate must be restarted on renewal (nginx, amavisd, postfix, dovecot, mariadb ... for GlusterFS I use self signed certificates). For nginx I think a daemon-reload would be sufficient, but dovecot e.g. only "loads" the refreshed certificate when I run "systemctl restart dovecot". I haven't found a way yet to avoid this.
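The setfacl step and the renewal caveat above can be combined into one certbot deploy hook; the script below is an added example, not part of the post or of iRedMail, and assumes it is installed under /etc/letsencrypt/renewal-hooks/deploy/ (a directory certbot runs after each successful renewal) and that the local root client can log in to MariaDB without a password prompt. The log classifier reproduces the diagnosis from the mysqld lines shown above and runs offline.

```shell
#!/bin/sh
# Added example: certbot deploy hook for an iRedMail host that re-grants the
# mysql user read access to the renewed Let's Encrypt files and restarts the
# services that only load iRedMail.crt/.key at startup (hypothetical script).
set -eu
CERT_LINK=/etc/pki/tls/certs/iRedMail.crt
KEY_LINK=/etc/pki/tls/private/iRedMail.key
# Services that read the certificate and need a restart to pick up a renewal.
SERVICES="mariadb postfix dovecot amavisd nginx"

# setfacl -R only touches files that exist when it runs; every renewal writes a
# new privkeyN.pem/fullchainN.pem into archive/, so the grant must be repeated.
grant_mysql_read() {
    setfacl -R -m "u:mysql:rx" /etc/letsencrypt/archive/ /etc/letsencrypt/live/
    setfacl -m "u:mysql:rx" "$CERT_LINK" "$KEY_LINK"
}

# Classify the mysqld SSL warnings in a log file: "permission" = key/cert not
# readable by the mysql user, "ssl-error" = other SSL setup failure, "ok" = none.
classify_mysqld_ssl_log() {
    if grep -q 'mysqld.*SSL error.*Permission denied' "$1"; then
        echo permission
    elif grep -q 'mysqld.*Failed to setup SSL' "$1"; then
        echo ssl-error
    else
        echo ok
    fi
}

# After the restart, confirm the server came back with TLS enabled
# (assumes root can connect via unix_socket or ~/.my.cnf, no prompt).
verify_tls_enabled() {
    mysql -N -e "SHOW VARIABLES LIKE 'have_ssl'" | grep -q 'YES'
}

main() {
    grant_mysql_read
    for svc in $SERVICES; do
        systemctl restart "$svc"
    done
    if ! verify_tls_enabled; then
        echo "MariaDB restarted without SSL; check /var/log/messages for mysqld" >&2
        exit 1
    fi
}

# certbot exports RENEWED_LINEAGE only when it invokes a deploy hook; run by
# hand without it, the script just defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```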