Hi, Dulux-Oz, The error comes from MariaDB trying to check your "REQUIRE SUBJECT" clause. If you check documentation - https://mariadb.com/kb/en/grant/#tls-options - you'll see than an example of REQUIRE SUBJECT looks like GRANT USAGE ON *.* TO 'alice'@'%' REQUIRE SUBJECT '/CN=alice/O=My Dom, Inc./C=US/ST=Oregon/L=Portland'; That is, you need to specify a slash as a part of the subject. Internally "subject" is retrieved using OpenSSL function X509_NAME_oneline() and what you specify in REQUIRE SUBJECT must match that. MariaDB doesn't do any parsing of the subject of any kind. Regards, Sergei Chief Architect, MariaDB Server and security@mariadb.org On Jan 24, duluxoz via discuss wrote:
Hi All,
I'm not sure if this is was Postfix issue, a TLS Certificate issue, and/or a MariaDB issue, so I started in the Postfix mailing lists. Their reply (below) indicated that I should post here instead - apologises if this is not the right place.
My original post:
I'm using a MariaDB backend to Postfix. Everything is working correctly until I attempt to secure the Postfix<->MariaDB connection with a TLS Certificate. When I perform a `postmap -q example.com mysql:/etc/postfix/virtual_domains.cf` command on the postfix server *without* using TLS I get a successful response. However, when I engage TLS I get the following error in the MariaDB log: `X509 subject mismatch: should be 'CN=mail_user@example.com' but is '/CN=mail_user@example.com'`.
Now, obviously the issue is the extra '/' at the start of the 'CN=', but for the life of me I can't figure out where that '/' is coming from.
It is *not* in the TLS Certificate (verified by OpenSSL).
It is *not* in the virtual_domains.cf file (see below).
It is *not* in the MariaDB 'GRANT' statement used to allow access to the database: `GRANT SELECT ON mail_server.* TO 'mail_user'@'example.com' IDENTIFIED BY '{PASWORD OBSCURED}' REQUIRE SUBJECT 'CN=mail_user@example.com'`.
OS of both servers: Rocky Linux 9.5
Postfix Version: 3.9.1
MariaDB Version: 11.6.2
virtual_domains.cf:
~~~ hosts = mariadb.example.com dbname = mail_server user = mail_user password = {PASWORD OBSCURED} tls_cert_file = /etc/pki/tls/certs/mail_user@exampl.com.crt tls_key_file = /etc/pki/tls/certs/mail_user@exampl.com.key tls_CApath = /etc/pki/tls/certs/root_ca.crt query = SELECT TRUE FROM virtual_domains WHERE domain_name='%s' ~~~
The Postfix mailing List Reply:
There is (of course if happens to know too much about X.509 naming) no such "slash" in the actual certificate. The subject DN is a sequence of relative distinguished names (RDNs) of which CN=... is in this case the first element. There are many ways to write the sequence as a string, the two most popular are:
/RDN1/RDN2/.../RDNx RDN1, RDN2, ..., RNDx
It looks you have a buggy MariaDB library that expects to get DNs in the second format, but ends up with the first, because of a failure to be specific about the format, or just outright getting it wrong...
Perhaps the default changed between OpenSSL 1.1.1 and 3.0, or something about the way OpenSSL was built? Anyway, Postfix is just the messenger, it is the MariaDB library that sets up TLS connection.
Could someone please point me in the right direction to get this sorted - thanks
Cheers
Dulux-Oz