DOS | postfix connect to mysql server Too many connections | proxy:mysql:

Discussion in 'Installation/Configuration' started by brt, Dec 2, 2019.

  1. brt

    brt New Member

    hi :)

    i am using 3.1.15p2 on debian buster.

    yesterday i faced a situation where the database server reached the "max_connections" limit, with email, websites etc. running into trouble.
    as a quick fix i raised the limit on the database server.
    investigating the source showed that the server has been overwhelmed by repeatedly incoming emails from more than 1000 different hosts within 30 minutes.
    luckily fail2ban kicked in quickly, as most of the hosts were listed at RBLs:

    all emails targeted the same domain with random localpart, like [email protected], [email protected], ...
    i already noticed that the mysql server has a big list of sleeping mysql processes of the user ispconfig, so i also reduced the wait_timeout to 180 seconds, not sure if this is too low. so far i didn't notice any problems, should be ok for websites and postfix connections.

    after some time staring at /etc/postfix/ i noticed that some mysql-tables are prefixed with "proxy:mysql:" while some others are not.

    these entries are missing the proxy: prefix on the mysql-tables:

    * even included in "proxy_read_maps"

    is there a reason why these parts are not configured to use the proxymap servers?

    i just tried what happens when i add the missing options to proxy_read_maps and prefix all mysql-tables with proxy, and so far i see no problems. sleeping mysql-processes went down significantly!
  2. Steini86

    Steini86 Active Member


    as far as I see, this is the only question

    Additionally, proxymap is a bit slower (but greatly reduces the requests from postfix to mysql).
    However, in some cases (even when already present in proxy_read_maps), it looks like a mistake.
    You could file a bug report in git:
  3. brt

    brt New Member

    yeah, i also read this section in the postfix manual :) i cannot see how using proxymap on the missing ones would be less secure than the ones in use, but maybe i miss something here...

    bit slower will be ok.

    thanks for sharing your thoughts!

    also found this:
    Bildschirmfoto von 2019-12-02 04-01-44.png
    Last edited: Dec 2, 2019
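
An added example, not part of the thread and not ISPConfig's own code: a Python check for the situation discussed above, listing `mysql:` tables in a `main.cf` that are not behind `proxy:` and whether their parameter is already named in `proxy_read_maps`. The sample configuration and its file paths are constructed for illustration.

```python
import re

# Constructed sample main.cf; paths and values are illustrative, not from the thread.
SAMPLE_MAIN_CF = """\
# constructed example
virtual_alias_maps = proxy:mysql:/etc/postfix/example-forwardings.cf,
    mysql:/etc/postfix/example-aliases.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/example-domains.cf
smtpd_sender_login_maps = mysql:/etc/postfix/example-sender-logins.cf
relay_recipient_maps = mysql:/etc/postfix/example-relay-rcpt.cf
proxy_read_maps = $virtual_alias_maps $virtual_mailbox_domains
    $smtpd_sender_login_maps
"""

def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous one."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (part.strip() for part in line.split("=", 1))
            params[current] = value
    return params

def audit_mysql_maps(text):
    """Return (parameter, table, listed_in_proxy_read_maps) for each unproxied mysql: table."""
    params = parse_main_cf(text)
    allowed = set(re.findall(r"\$\{?(\w+)\}?", params.get("proxy_read_maps", "")))
    findings = []
    for name, value in params.items():
        if name == "proxy_read_maps":
            continue
        for table in re.split(r"[,\s]+", value):
            # "proxy:mysql:..." does not start with "mysql:", so only direct tables match
            if table.startswith("mysql:"):
                findings.append((name, table, name in allowed))
    return findings

if __name__ == "__main__":
    for name, table, listed in audit_mysql_maps(SAMPLE_MAIN_CF):
        state = "already in proxy_read_maps" if listed else "NOT in proxy_read_maps"
        print(f"{name}: {table} -> direct MySQL connection ({state})")
```

Each table it reports is opened directly by every Postfix process that uses it, which is where the many sleeping connections come from; on a live system the same text can be taken from the actual `main.cf`.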
