skip-name-resolve kills mailsystem in ispconfig

Discussion in 'Installation/Configuration' started by tom, Aug 4, 2016.

  1. tom

    tom Member

    I would like to set "skip-name-resolve" to have no name-resolve in mysql. But if I put it in my.cnf it kills the whole mailsystem. No mail can be sent or received anymore. Does it not work with ispconfig configuration?
     
  2. siomosp

    siomosp New Member

    Same problem with me :(
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    skip-name-resolve makes MySQL authentication impossible for all accounts that use a hostname or localhost, and therefore software that connects from localhost like postfix will stop working. So setting skip-name-resolve makes no sense as it must break the authentication system for all accounts that don't use IP addresses.
     
  4. siomosp

    siomosp New Member

    Hello Till, thanks for the info :)
    Is there a way to overcome this? How can we use accounts with IP addresses?
     
  5. Markus Fischer

    Markus Fischer New Member

    Hello Till,
    I am interested in a solution here, too.
    Because with "skip-name-resolve" we can use fail2ban for mysql-access...
    Or is there a different solution for that?
     
  6. siomosp

    siomosp New Member

    Hello till,
    is there a solution for the above request?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Answered in #3 already. I'll rephrase it: Disabling a function in MySQL that is required by ISPConfig will cause ISPConfig to fail, so it's up to you to decide if you want to use ISPConfig further or not. And skip-name-resolve has no influence on accounts with IP addresses, it makes a difference for accounts which use hostnames and that's a feature used by ISPConfig.
     
  8. harkman

    harkman Member HowtoForge Supporter

  9. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    So, lesson learned, I'd say. Shouldn't change settings without checking possible side-effects first. ;)
     
  10. harkman

    harkman Member HowtoForge Supporter

    Well. How do you check those side-effects first? I only have one server - I can change the setting or not. Not many options to pre-evaluate the side-effects.
     
  11. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    One option would have been to run something like
    Code:
    SELECT User,Host FROM mysql.user;
    to make sure there are no hostnames in there at all. It's not only ISPConfig that uses hostnames instead of IPs as this is easier to deal with on server migrations etc.
     
  12. harkman

    harkman Member HowtoForge Supporter

    Funny. I did that. But I was misled by the information that if the hostname is 'localhost' the connection would be established over the socket. I did not expect the setting to affect localhost but only entries with real FQHN.
    I think it is quite unfortunate that this setting also disables the resolution of localhost because there is no dns server involved to resolve localhost (AFAIK). So it should be safe to keep localhost while disabling resolution of other hostnames.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess one would have to benchmark this, but probably there is no measurable difference on any real systems, especially as the mail system keeps connections open and reuses them, so no need for ongoing reconnects. By not using localhost, you'll use the network stack instead of the socket and this will slow things down. So there is a good chance that skip-name-resolve makes real systems slower instead of speeding them up. And when you use the external IP in other mysql connections instead of the external domain name (if you have any of these connections), then name resolving is probably skipped anyway as there is no name to be resolved.
     
  14. harkman

    harkman Member HowtoForge Supporter

    Feb 28 20:33:02 doozey postfix/smtpd[11454]: warning: connect to mysql server 127.0.0.1: Access denied for user 'ispconfig'@'127.0.0.1' (using password: YES)
    @till Not sure if your assumptions are true. Even if I set skip-name-resolve I should still be able to use 'localhost' to connect to the socket. I assume after I added this setting to my.conf ispconfig still used the socket connection method.
    What is interesting is the error message: Access denied for user 'ispconfig'@'127.0.0.1'. It obviously resolves localhost to 127.0.0.1 in the authentication but cannot match to the entries in the users table in the db.
    It is only a guess, but it might work if ispconfig would create users with both hosts @localhost and @127.0.0.1.
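
The pre-check from post #11, extended into a small audit script; this is an added example, not code from the thread or from ISPConfig. It assumes that with skip-name-resolve only IP or wildcard Host rows match TCP clients while 'localhost' rows match socket connections only, which is consistent with the log line in post #14; the sample rows and the names `classify_host` and `audit` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: tab-separated rows of `SELECT User,Host FROM mysql.user;`
SAMPLE = """\
root\tlocalhost
ispconfig\tlocalhost
ispconfig\tmail.example.test
backup\t192.0.2.10
repl\t192.0.2.%
app\t%
web\t::1
"""

def classify_host(host):
    """Classify a Host value under the assumed skip-name-resolve matching rules."""
    if host == "localhost":
        return "socket-only"      # matches Unix-socket clients, not TCP ones
    if host in ("", "%"):
        return "ok"               # matches any client address
    base = host.split("/")[0]     # allow 'ip/netmask' notation
    try:
        ipaddress.ip_address(base)
        return "ok"               # literal IPv4 or IPv6 address
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.%_]+", host):
        return "ok"               # numeric wildcard pattern such as 192.0.2.%
    return "hostname"             # would need a DNS lookup to match a client

def audit(dump):
    """Return (hostname rows that stop matching, users lacking a loopback row)."""
    hosts_by_user = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        user, host = line.split("\t", 1)
        hosts_by_user.setdefault(user, []).append(host)
    broken, tcp_gaps = [], []
    for user, hosts in sorted(hosts_by_user.items()):
        broken += [(user, h) for h in hosts if classify_host(h) == "hostname"]
        # TCP clients on 127.0.0.1 (as in the postfix log) need an IP or '%' row;
        # narrower patterns such as 127.0.0.% are not evaluated here.
        if "localhost" in hosts and not {"127.0.0.1", "%"} & set(hosts):
            tcp_gaps.append(user)
    return broken, tcp_gaps

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result for both lists means no account in the dump depends on name resolution or on a 'localhost'-only row.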
     
