fix(mta): add MYSQL_TLS_VERIFY_CERT environment variable for MySQL configuration

jeboehm · jeboehm · commit 8d884f07fcb5 · 2026-01-12T21:26:42.000+01:00
diff --git a/docs/configuration/environment-variables.md b/docs/configuration/environment-variables.md
@@ -11,13 +11,14 @@ These are the core environment variables that need to be configured in your `.en
 When you use the MySQL service provided by docker-mailserver compose, you don't need to configure this.
 It is required to **always set** `MYSQL_PASSWORD`.
 
-| Variable         | Default                              | Description             |
-| ---------------- | ------------------------------------ | ----------------------- |
-| `MYSQL_HOST`     | `db`                                 | MySQL database hostname |
-| `MYSQL_PORT`     | `3306`                               | MySQL database port     |
-| `MYSQL_DATABASE` | `mailserver`                         | MySQL database name     |
-| `MYSQL_USER`     | `root` (MTA/MDA), `mailserver` (Web) | MySQL database username |
-| `MYSQL_PASSWORD` | _(empty)_                            | MySQL database password |
+| Variable                | Default                              | Description                        |
+| ----------------------- | ------------------------------------ | ---------------------------------- |
+| `MYSQL_HOST`            | `db`                                 | MySQL database hostname            |
+| `MYSQL_PORT`            | `3306`                               | MySQL database port                |
+| `MYSQL_DATABASE`        | `mailserver`                         | MySQL database name                |
+| `MYSQL_USER`            | `root` (MTA/MDA), `mailserver` (Web) | MySQL database username            |
+| `MYSQL_PASSWORD`        | _(empty)_                            | MySQL database password            |
+| `MYSQL_TLS_VERIFY_CERT` | `no`                                 | MySQL TLS certificate verification |
 
 ### Mail Server Identity
 
diff --git a/target/mta/Dockerfile b/target/mta/Dockerfile
@@ -11,6 +11,7 @@ ENV MAILNAME=mail.example.com \
     MYSQL_PORT=3306 \
     MYSQL_USER=root \
     MYSQL_DATABASE=mailserver \
+    MYSQL_TLS_VERIFY_CERT=no \
     MDA_LMTP_ADDRESS=mda:2003 \
     MDA_AUTH_ADDRESS=mda:2004 \
     FILTER_MILTER_ADDRESS=filter:11332 \
diff --git a/target/mta/rootfs/etc/postfix/mysql-email-submission.cf.templ b/target/mta/rootfs/etc/postfix/mysql-email-submission.cf.templ
@@ -2,4 +2,5 @@ user = {{ .Env.MYSQL_USER }}
 password = {{ .Env.MYSQL_PASSWORD }}
 hosts = {{ .Env.MYSQL_HOST }}:{{ .Env.MYSQL_PORT }}
 dbname = {{ .Env.MYSQL_DATABASE }}
+tls_verify_cert = {{ .Env.MYSQL_TLS_VERIFY_CERT }}
 query = SELECT CONCAT(mail_users.name, '@', d1.name) AS email FROM mail_users JOIN mail_domains d1 ON mail_users.domain_id = d1.id HAVING email='%s' UNION SELECT destination AS email FROM mail_aliases JOIN mail_domains d2 ON mail_aliases.domain_id = d2.id WHERE CONCAT(mail_aliases.name, '@', d2.name)='%s'
diff --git a/target/mta/rootfs/etc/postfix/mysql-email2email.cf.templ b/target/mta/rootfs/etc/postfix/mysql-email2email.cf.templ
@@ -2,4 +2,5 @@ user = {{ .Env.MYSQL_USER }}
 password = {{ .Env.MYSQL_PASSWORD }}
 hosts = {{ .Env.MYSQL_HOST }}:{{ .Env.MYSQL_PORT }}
 dbname = {{ .Env.MYSQL_DATABASE }}
+tls_verify_cert = {{ .Env.MYSQL_TLS_VERIFY_CERT }}
 query = SELECT CONCAT(mail_users.name, '@', mail_domains.name) AS email FROM mail_users JOIN mail_domains ON mail_users.domain_id = mail_domains.id HAVING email='%s'
diff --git a/target/mta/rootfs/etc/postfix/mysql-recipient-access.cf.templ b/target/mta/rootfs/etc/postfix/mysql-recipient-access.cf.templ
@@ -2,4 +2,5 @@ user = {{ .Env.MYSQL_USER }}
 password = {{ .Env.MYSQL_PASSWORD }}
 hosts = {{ .Env.MYSQL_HOST }}:{{ .Env.MYSQL_PORT }}
 dbname = {{ .Env.MYSQL_DATABASE }}
+tls_verify_cert = {{ .Env.MYSQL_TLS_VERIFY_CERT }}
 query = SELECT IF(send_only = true, 'REJECT', 'OK') AS access FROM mail_users JOIN mail_domains ON mail_users.domain_id = mail_domains.id WHERE mail_users.name = '%u' AND mail_domains.name = '%d'
diff --git a/target/mta/rootfs/etc/postfix/mysql-virtual-alias-maps.cf.templ b/target/mta/rootfs/etc/postfix/mysql-virtual-alias-maps.cf.templ
@@ -2,4 +2,5 @@ user = {{ .Env.MYSQL_USER }}
 password = {{ .Env.MYSQL_PASSWORD }}
 hosts = {{ .Env.MYSQL_HOST }}:{{ .Env.MYSQL_PORT }}
 dbname = {{ .Env.MYSQL_DATABASE }}
+tls_verify_cert = {{ .Env.MYSQL_TLS_VERIFY_CERT }}
 query = SELECT destination FROM mail_aliases JOIN mail_domains ON mail_aliases.domain_id = mail_domains.id WHERE CONCAT(mail_aliases.name, '@', mail_domains.name) = '%s'
diff --git a/target/mta/rootfs/etc/postfix/mysql-virtual-mailbox-domains.cf.templ b/target/mta/rootfs/etc/postfix/mysql-virtual-mailbox-domains.cf.templ
@@ -2,4 +2,5 @@ user = {{ .Env.MYSQL_USER }}
 password = {{ .Env.MYSQL_PASSWORD }}
 hosts = {{ .Env.MYSQL_HOST }}:{{ .Env.MYSQL_PORT }}
 dbname = {{ .Env.MYSQL_DATABASE }}
+tls_verify_cert = {{ .Env.MYSQL_TLS_VERIFY_CERT }}
 query = SELECT 1 FROM mail_domains WHERE name='%s'
diff --git a/target/mta/rootfs/etc/postfix/mysql-virtual-mailbox-maps.cf.templ b/target/mta/rootfs/etc/postfix/mysql-virtual-mailbox-maps.cf.templ
@@ -2,4 +2,5 @@ user = {{ .Env.MYSQL_USER }}
 password = {{ .Env.MYSQL_PASSWORD }}
 hosts = {{ .Env.MYSQL_HOST }}:{{ .Env.MYSQL_PORT }}
 dbname = {{ .Env.MYSQL_DATABASE }}
+tls_verify_cert = {{ .Env.MYSQL_TLS_VERIFY_CERT }}
 query = SELECT 1 FROM mail_users JOIN mail_domains ON mail_users.domain_id = mail_domains.id WHERE mail_users.name = '%u' AND mail_domains.name = '%d' AND enabled = 1
