I would like to set "skip-name-resolve" to have no name-resolve in mysql. But if i put it in in my.cnf it kills the whole mailsystem. No mail kann be send or recieved anymore. Does it not work with ispconfig configuration?
skip-name-resolve makes MySQL authentication impossible for all accounts that use a hostname or localhost and therefore software that connects from localhost like postfix will stop working. So setting skip-name-resolves makes no sense as it must break the authentication system for all accounts that dont use IP addresses.
HelloTill , thanks for the info Is there a way to overcome this? How we can use accounts with IP addresses?
Hello Till, I am interested in a solution here, too. Because with "skip-name-resolve" we an use fail2ban for mysql-access... Or is there a different solution for that?
Answered in #3 already. I'll rephrase it: Disabling a function in MySQL that is required by ISPConfig will cause ISPConfig to fail, so it's up to you to decide if you want to use ISPConfig further or not. And skip-nameresolve has no influence on accounts with IP addresses, it makes a difference for accounts which uses hostnames and that's a feature used by ISPConfig.
Actually this could work if ispconfig would create the mysql users with [email protected] and not name@localhost. using skip-name-resolve actually is a pretty common optimisation measure recommended by https://github.com/major/MySQLTuner-perl I also stepped into this trap today. No worries, just killed my mailserver this way for a couple of hours
Well. How do you check those side-effects first? I only have one server - I can change the setting or not. Not many options to pre-evaluate the side-effects.
One option would have been to run something like Code: SELECT User,Host FROM mysql.user; to make sure there are no hostnames in there at all. It's not only ISPConfig that uses hostnames instead of ips as this is easier to deal with on server migrations etc.
Funny. I did that. But I was misled by the information that if the hostname is 'localhost' the connection would be established over the socket. I did not expect the setting to affect localhost but only entries with real FQHN. I think it is quite unfortunate that this setting also disables the resolution of localhost because there is no dns server involved to resolve localhost (AFAIK). So it should be safe to keep localhost while disabling resolution of other hostnames.
I guess one would have to benchmark this, but probably there is no measurable difference on any real systems, espacially as the mail system keeps connections open and reuses them, so no need for ongoing reconnects. By not using localhost, you'll use the network stack instead of the socket and this will slow things down. So there is a good chance that skip-name-resolve makes real systems slower instead of speeding them up. And when you use the external IP in other mysql connections instead of the external domain name (if you have any of these connections), then name resolving is probably skipped anyway as there s no name to be resolved.
Feb 28 20:33:02 doozey postfix/smtpd[11454]: warning: connect to mysql server 127.0.0.1: Access denied for user 'ispconfig'@'127.0.0.1' (using password: YES)@till Not sure if your assumptions are true. Even if I set skip-name-resolve I should still be able to use 'localhost' to connect to the socket. I assume after I added this setting to my.conf ispconfig still used the socket connection method. What is interesting is the error message: Access denied for user 'ispconfig'@'127.0.0.1' It obviously resolves localhost to 127.0.0.1 in the authentification but cannot match to the entries in the users table in the db. It is only a guess, but it might work if ispconfig would create users with both hosts @localhost and @127.0.0.1.