Incorrect CN Being Reported When Using Postfix With MariaDB
Hi All,

I'm not sure if this was a Postfix issue, a TLS Certificate issue, and/or a MariaDB issue, so I started in the Postfix mailing lists. Their reply (below) indicated that I should post here instead - apologies if this is not the right place.

My original post:

I'm using a MariaDB backend to Postfix. Everything is working correctly until I attempt to secure the Postfix<->MariaDB connection with a TLS Certificate. When I perform a `postmap -q example.com mysql:/etc/postfix/virtual_domains.cf` command on the postfix server *without* using TLS I get a successful response. However, when I engage TLS I get the following error in the MariaDB log: `X509 subject mismatch: should be 'CN=mail_user@example.com' but is '/CN=mail_user@example.com'`.

Now, obviously the issue is the extra '/' at the start of the 'CN=', but for the life of me I can't figure out where that '/' is coming from.

It is *not* in the TLS Certificate (verified by OpenSSL).
It is *not* in the virtual_domains.cf file (see below).
It is *not* in the MariaDB 'GRANT' statement used to allow access to the database: `GRANT SELECT ON mail_server.* TO 'mail_user'@'example.com' IDENTIFIED BY '{PASWORD OBSCURED}' REQUIRE SUBJECT 'CN=mail_user@example.com'`.

OS of both servers: Rocky Linux 9.5
Postfix Version: 3.9.1
MariaDB Version: 11.6.2

virtual_domains.cf:
~~~
hosts = mariadb.example.com
dbname = mail_server
user = mail_user
password = {PASWORD OBSCURED}
tls_cert_file = /etc/pki/tls/certs/mail_user@exampl.com.crt
tls_key_file = /etc/pki/tls/certs/mail_user@exampl.com.key
tls_CApath = /etc/pki/tls/certs/root_ca.crt
query = SELECT TRUE FROM virtual_domains WHERE domain_name='%s'
~~~

The Postfix mailing List Reply:

There is (of course, if one happens to know too much about X.509 naming) no such "slash" in the actual certificate. The subject DN is a sequence of relative distinguished names (RDNs) of which CN=... is in this case the first element. There are many ways to write the sequence as a string, the two most popular are:

/RDN1/RDN2/.../RDNx
RDN1, RDN2, ..., RDNx

It looks like you have a buggy MariaDB library that expects to get DNs in the second format, but ends up with the first, because of a failure to be specific about the format, or just outright getting it wrong...

Perhaps the default changed between OpenSSL 1.1.1 and 3.0, or something about the way OpenSSL was built? Anyway, Postfix is just the messenger, it is the MariaDB library that sets up the TLS connection.

Could someone please point me in the right direction to get this sorted - thanks

Cheers
Dulux-Oz
Hi, Dulux-Oz,

The error comes from MariaDB trying to check your "REQUIRE SUBJECT" clause.

If you check the documentation - https://mariadb.com/kb/en/grant/#tls-options - you'll see that an example of REQUIRE SUBJECT looks like

GRANT USAGE ON *.* TO 'alice'@'%' REQUIRE SUBJECT '/CN=alice/O=My Dom, Inc./C=US/ST=Oregon/L=Portland';

That is, you need to specify a slash as a part of the subject.

Internally "subject" is retrieved using the OpenSSL function X509_NAME_oneline() and what you specify in REQUIRE SUBJECT must match that. MariaDB doesn't do any parsing of the subject of any kind.

Regards,
Sergei
Chief Architect, MariaDB Server and security@mariadb.org
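The following is an added example, not code from the thread, from Postfix or from MariaDB. It renders one subject DN in the two string forms the Postfix reply lists and then checks it against a REQUIRE SUBJECT value the way Sergei describes the server doing it: a plain string comparison against the X509_NAME_oneline() rendering, with no parsing. The subject values are constructed samples in the nested-tuple shape that Python's ssl.getpeercert()["subject"] returns; the attribute-name table and the function names are assumptions of this example.

```python
# Added example: render an X.509 subject DN the two ways the Postfix reply
# lists, then check it against a MariaDB REQUIRE SUBJECT value by exact
# comparison with the X509_NAME_oneline()-style string. Not MariaDB code.

# Attribute names as Python's ssl.getpeercert()["subject"] reports them,
# mapped to the short names OpenSSL prints (assumed subset for this example).
SHORT_NAMES = {
    "commonName": "CN",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "emailAddress": "emailAddress",
}

# Constructed sample: the certificate subject from the thread, in the
# nested-tuple shape ssl.getpeercert() uses (one RDN per inner tuple).
THREAD_SUBJECT = ((("commonName", "mail_user@example.com"),),)

# Constructed sample matching the subject in the MariaDB documentation example.
DOC_SUBJECT = (
    (("commonName", "alice"),),
    (("organizationName", "My Dom, Inc."),),
    (("countryName", "US"),),
    (("stateOrProvinceName", "Oregon"),),
    (("localityName", "Portland"),),
)


def _rdn(rdn):
    """Join the attributes of one RDN; multi-valued RDNs use '+' as OpenSSL does."""
    return "+".join(f"{SHORT_NAMES.get(name, name)}={value}" for name, value in rdn)


def oneline(subject):
    """X509_NAME_oneline() form: every RDN prefixed with '/'. Values are not
    escaped, so a value that itself contains '/' yields an ambiguous string."""
    return "".join("/" + _rdn(rdn) for rdn in subject)


def comma_separated(subject):
    """The second form from the Postfix reply: 'RDN1, RDN2, ..., RDNx'. The
    unescaped ',' inside 'My Dom, Inc.' shows this form is ambiguous as well."""
    return ", ".join(_rdn(rdn) for rdn in subject)


def check_require_subject(subject, required):
    """Mimic the server-side check as described in the thread: the configured
    REQUIRE SUBJECT string must equal the oneline rendering byte for byte.
    Returns (ok, message); the message mirrors the log line from the thread."""
    actual = oneline(subject)
    if actual == required:
        return True, "X509 subject matches '%s'" % actual
    return False, "X509 subject mismatch: should be '%s' but is '%s'" % (required, actual)


if __name__ == "__main__":
    # The GRANT from the thread fails; the same GRANT with the leading '/' passes.
    for required in ("CN=mail_user@example.com", "/CN=mail_user@example.com"):
        ok, msg = check_require_subject(THREAD_SUBJECT, required)
        print(("OK   " if ok else "FAIL ") + msg)
    print(oneline(DOC_SUBJECT))
    print(comma_separated(DOC_SUBJECT))
```

The practical check before writing a GRANT is therefore to print the client certificate's subject in exactly the rendering the server compares against rather than the comma form most tools print by default; with the openssl command line, `openssl x509 -in client.crt -noout -subject -nameopt compat` prints the slash-separated oneline form, and that string, including the leading slash, is what belongs in REQUIRE SUBJECT. Because neither rendering escapes its separator, keep '/' and ',' out of attribute values in certificates that will be matched this way.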
Ahh, of course, that makes perfect sense now that it's been pointed out - instead of trying to eliminate the '/' I should have been specifying it (to MariaDB).

Thanks Sergei :-)

On 24/1/25 22:03, Sergei Golubchik wrote:

Hi, Dulux-Oz,

The error comes from MariaDB trying to check your "REQUIRE SUBJECT" clause.

If you check the documentation - https://mariadb.com/kb/en/grant/#tls-options - you'll see that an example of REQUIRE SUBJECT looks like

GRANT USAGE ON *.* TO 'alice'@'%' REQUIRE SUBJECT '/CN=alice/O=My Dom, Inc./C=US/ST=Oregon/L=Portland';

That is, you need to specify a slash as a part of the subject.

Internally "subject" is retrieved using the OpenSSL function X509_NAME_oneline() and what you specify in REQUIRE SUBJECT must match that. MariaDB doesn't do any parsing of the subject of any kind.

Regards,
Sergei
Chief Architect, MariaDB Server and security@mariadb.org
--
Matthew J BLACK
M.Inf.Tech.(Data Comms) MBA B.Sc. MACS (Snr), CP, IP3P
PEREGRINE IT Pty Ltd
Phone: +61 4 0411 0089
Email: matthew@peregrineit.net
Web: www.peregrineit.net