I am trying to set up a Postfix mail server using an Ansible playbook. I am puzzled by the different ways to set up Postfix with MySQL and have not been able to settle on a complete schema. The ones I found here and here
are some examples.
Using the schema from the Ansible role above I have set up Postfix. The schema tables include:
show tables;
+-------------------+
| Tables_in_mail |
+-------------------+
| alias |
| alias_destination |
| domain |
| domain_users |
| mailbox |
| mailbox_usage |
| user |
+-------------------+
7 rows in set (0.00 sec)
Now I want to test the Postfix server with a test user/mailbox and domain, so I am looking for a way to init the schema for a test user. Any kind of help is appreciated.
Edit
Tried to add a test user:
mysql> select * from user;
+----+-----------+---------------+--------+-------------+---------------------+---------------------+
| id | username | password | active | super_admin | created_at | modified_at |
+----+-----------+---------------+--------+-------------+---------------------+---------------------+
| 1 | sakhunzai | dTzdFMm0DSvmM | 1 | 0 | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 |
+----+-----------+---------------+--------+-------------+---------------------+---------------------+
1 row in set (0.00 sec)
mysql> select * from domain;
+-------------+--------+-----------+-----------------------+---------------------+---------------------+
| name | active | backup_mx | default_mailbox_quota | created_at | modified_at |
+-------------+--------+-----------+-----------------------+---------------------+---------------------+
| example.com | 1 | 0 | 1073741824 | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 |
+-------------+--------+-----------+-----------------------+---------------------+---------------------+
1 row in set (0.00 sec)
mysql> select * from mailbox;
+-----------+-------------+------------+------+--------+--------------+----------------+---------------------+---------------------+---------------+
| username | domain | local_part | name | active | quota_mbytes | quota_messages | created_at | modified_at | password |
+-----------+-------------+------------+------+--------+--------------+----------------+---------------------+---------------------+---------------+
| sakhunzai | example.com | | NULL | 1 | 0 | 0 | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 | wZQ9cRLxshVEY |
+-----------+-------------+------------+------+--------+--------------+----------------+---------------------+---------------------+---------------+
1 row in set (0.00 sec)
Testing from telnet:
telnet mail.example.com 25
Trying 127.0.1.1...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
HELO test.example.com
250 mail.example.com
MAIL FROM: <sakhunzai@example.com>
250 2.1.0 Ok
RCPT TO:<sakhunzai@example.com>
550 5.1.1 <sakhunzai@example.com>: Recipient address rejected: User unknown in virtual mailbox table
Edit 2
After updating the username I am able to complete the test:
update user set username="sakhunzai@example.com";
update mailbox set username="sakhunzai@example.com";
telnet mail.example.com 25
Trying 127.0.1.1...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
HELO test.example.com
250 mail.example.com
MAIL FROM: <sakhunzai@example.com>
250 2.1.0 Ok
RCPT TO:<sakhunzai@example.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: test message
.
250 2.0.0 Ok: queued as 3BEEB40940
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
But with some errors in the mail.log file:
to=<sakhunzai@example.com>, relay=none, delay=44, delays=44/0/0/0, dsn=4.3.0, status=deferred (mail transport unavailable)
Nov 10 08:13:51 postfix/smtpd[32013]: connect from localhost[127.0.0.1]
Nov 10 08:14:09 postfix/smtpd[32013]: 3BEEB40940: client=localhost[127.0.0.1]
Nov 10 08:14:49 postfix/cleanup[32020]: 3BEEB40940: message-id=<20151110081409.3BEEB40940@mail.example.com>
Nov 10 08:14:49 postfix/qmgr[8096]: 3BEEB40940: from=<sakhunzai@example.com>, size=337, nrcpt=1 (queue active)
Nov 10 08:14:49 postfix/qmgr[8096]: warning: connect to transport private/smtp-amavis: No such file or directory
Nov 10 08:14:49 postfix/error[32021]: 3BEEB40940: to=<sakhunzai@example.com>, relay=none, delay=44, delays=44/0/0/0, dsn=4.3.0, status=deferred (mail transport unavailable)
Nov 10 08:14:56 postfix/smtpd[32013]: disconnect from localhost[127.0.0.1]
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 4h
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
message_size_limit = 51200000
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination =
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf
relayhost =
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks.pcre
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = reject_unauth_destination reject_unlisted_recipient reject_rbl_client zen.spamhaus.org permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_cert_file = /etc/ssl/private/mail.example.com.crt
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_mailbox_maps.cf proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
/etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - n - - smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10026
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
-o receive_override_options=no_header_body_checks
-o content_filter=smtp-amavis:[127.0.0.1]:10026
# Comment out the above line if you do not want to sign locally originated mail from the pickup service
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
# Dovecot
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user}@${domain} -m ${extension}
# Amavisd-new
smtp-amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
Based on this and this (similar issues): comment out this line
-o content_filter=smtp-amavis:[127.0.0.1]:10026
and try again.
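Putting Edit 2 into a reproducible seed script, as an added example that is not part of the original post or of the Ansible role it refers to: the rows below use exactly the columns listed in the question, key the `user` and `mailbox` rows on the full address (which is what made the second telnet test succeed), and finish with lookups that approximate what the `mysql_virtual_*_maps.cf` files ask Postfix to run. The `USE mail` line and the shape of those lookup queries are assumptions; the two password values are the 13-character DES crypt strings copied from the question (Dovecot scheme CRYPT), which are acceptable only on a throwaway test box.

```sql
-- Added example: seed rows for one test domain, user and mailbox.
-- Column lists are taken from the tables shown in the question; the
-- USE line and the lookup queries at the end are assumptions about the
-- role's mysql_virtual_*_maps.cf files, not copied from it.
USE mail;

-- 1. Domain that Postfix should accept mail for (virtual_mailbox_domains).
INSERT INTO domain (name, active, backup_mx, default_mailbox_quota, created_at, modified_at)
VALUES ('example.com', 1, 0, 1073741824, NOW(), NOW());

-- 2. Admin/login user. As Edit 2 showed, the key is the full address.
--    Password value copied from the question: traditional DES crypt
--    (Dovecot scheme CRYPT), fine for a throwaway test box only.
INSERT INTO user (username, password, active, super_admin, created_at, modified_at)
VALUES ('sakhunzai@example.com', 'dTzdFMm0DSvmM', 1, 0, NOW(), NOW());

-- 3. Mailbox. username must be local_part@domain, because Postfix asks
--    virtual_mailbox_maps for the complete recipient address; the first
--    telnet test failed precisely because the row was keyed on the bare
--    local part.
INSERT INTO mailbox (username, domain, local_part, name, active, quota_mbytes, quota_messages, created_at, modified_at, password)
VALUES ('sakhunzai@example.com', 'example.com', 'sakhunzai', 'Test user', 1, 0, 0, NOW(), NOW(), 'wZQ9cRLxshVEY');

-- 4. Checks approximating the two Postfix lookups (assumed query shapes).
--    Each must return exactly one row; an empty result is what Postfix
--    reports as "User unknown in virtual mailbox table".
SELECT name     FROM domain  WHERE name = 'example.com' AND active = 1;
SELECT username FROM mailbox WHERE username = 'sakhunzai@example.com' AND active = 1;

-- 5. Consistency check: a mailbox whose key is not local_part@domain can
--    never be matched by a recipient address. Should return no rows.
SELECT username, local_part, domain
FROM mailbox
WHERE username <> CONCAT(local_part, '@', domain);
```

Load it with `mysql mail < seed.sql` and repeat the telnet session; RCPT TO should now answer 250 2.1.5 Ok. If it still reports User unknown, test the exact query Postfix runs, independently of SMTP, with `postmap -q sakhunzai@example.com mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf`: an empty result there means the .cf query and the seeded rows disagree, not the SMTP side.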
What should I do so that sudo mysql -u root -p works normally, if it always returns Access denied? [MySQL 8.0] [Ubuntu 20.04]
After cleanly uninstalling mysql and mariadb and then installing mysql, at first I got some errors, but I could fix them (by configuring the my.cnf file and running mysqld --upgrade=force), and finally the mysql service could be started.
However, I get this error whenever I try to access the mysql root user:
$ sudo mysql -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
Please, I really need help for this :(
And please explain what I should do to complete the given steps; I'm afraid I don't really understand the basics of the Ubuntu system :(
Thank you so much for any effort you guys tried to help me, I really really appreciate it!
What I Tried
To at least access mysql, I added skip-grant-tables to my.cnf.
(However, I cannot do anything such as create a user, etc., either inside or outside safe configuration mode.)
$ sudo mysql -u root -p # this only uses blank password
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 8.0.31-0ubuntu0.20.04.2 (Ubuntu)
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SELECT USER();
+--------+
| USER() |
+--------+
| root@ |
+--------+
1 row in set (0,01 sec)
mysql> CREATE USER 'root'@'localhost' IDENTIFIED BY 'root';
ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement
mysql> SELECT user, host FROM mysql.user;
+------------------+-----------+
| user | host |
+------------------+-----------+
| mysql.infoschema | localhost |
| mysql.session | localhost |
| mysql.sys | localhost |
+------------------+-----------+
3 rows in set (0,00 sec)
mysql> SELECT * FROM mysql.user\G
*************************** 1. row ***************************
Host: localhost
User: mysql.infoschema
Select_priv: Y
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
...
*************************** 2. row ***************************
Host: localhost
User: mysql.session
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: Y
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: Y
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
...
*************************** 3. row ***************************
Host: localhost
User: mysql.sys
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
...
3 rows in set (0,00 sec)
Also error on doing secure installation
$ mysql_secure_installation
Securing the MySQL server deployment.
Enter password for user root:
Error: Access denied for user 'root'@'localhost' (using password: YES)
my.cnf file
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc_messages_dir = /usr/share/mysql
lc_messages = en_US
skip-external-locking
# skip-grant-tables
bind-address = 127.0.0.1
max_connections = 100
connect_timeout = 5
wait_timeout = 600
max_allowed_packet = 16M
thread_cache_size = 128
sort_buffer_size = 4M
bulk_insert_buffer_size = 16M
tmp_table_size = 32M
max_heap_table_size = 32M
myisam_recover_options = BACKUP
key_buffer_size = 128M
table_open_cache = 400
myisam_sort_buffer_size = 512M
concurrent_insert = 2
read_buffer_size = 2M
read_rnd_buffer_size = 1M
# general_log_file = /var/log/mysql/mysql.log
slow_query_log_file = /var/log/mysql/mariadb-slow.log
long_query_time = 10
log_bin = /var/log/mysql/mariadb-bin
log_bin_index = /var/log/mysql/mariadb-bin.index
default_storage_engine = InnoDB
innodb_buffer_pool_size = 256M
innodb_log_buffer_size = 8M
innodb_file_per_table = 1
innodb_open_files = 400
innodb_io_capacity = 400
innodb_flush_method = O_DIRECT
[galera]
[mysqldump]
quick
quote-names
max_allowed_packet = 16M
[mysql]
[isamchk]
key_buffer = 16M
# Error handling after installation by commenting this out
# system status error handling (these variables unknown)
# query_cache_limit = 128K
# query_cache_size = 64M
# expire_logs_days = 10
# max_binlog_size = 100M
# $ mysqld --upgrade=force error handling (these variables unknown)
# log_warnings = 2
# log_slow_verbosity = query_plan
MySQL status
$ sudo systemctl status mysql
● mysql.service - MySQL Community Server
Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-12-01 14:40:12 WIB; 12min ago
Main PID: 247973 (mysqld)
Status: "Server is operational"
Tasks: 38 (limit: 6878)
Memory: 312.6M
CGroup: /system.slice/mysql.service
└─247973 /usr/sbin/mysqld
Des 01 14:40:04 EMP10 systemd[1]: Starting MySQL Community Server...
Des 01 14:40:05 EMP10 mysqld[247973]: 2022-12-01T07:40:05.235618Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.31-0ubuntu0.20.04.2) starting as process 247973
Des 01 14:40:05 EMP10 mysqld[247973]: 2022-12-01T07:40:05.272065Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
Des 01 14:40:09 EMP10 mysqld[247973]: 2022-12-01T07:40:09.042423Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
Des 01 14:40:12 EMP10 mysqld[247973]: 2022-12-01T07:40:12.258475Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
Des 01 14:40:12 EMP10 mysqld[247973]: 2022-12-01T07:40:12.258535Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
Des 01 14:40:12 EMP10 mysqld[247973]: 2022-12-01T07:40:12.474475Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
Des 01 14:40:12 EMP10 mysqld[247973]: 2022-12-01T07:40:12.474611Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.31-0ubuntu0.20.04.2' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu).
Des 01 14:40:12 EMP10 systemd[1]: Started MySQL Community Server.
Actually, if the suggestion is just to uninstall and reinstall mysql, the subsequent installation always gives me errors to handle :(
I usually do the following to cleanly uninstall and install mysql:
$ sudo systemctl stop mysql
$ dpkg -l | grep mysql
ii mysql-client-8.0 8.0.31-0ubuntu0.20.04.2 amd64 MySQL database client binaries
ii mysql-client-core-8.0 8.0.31-0ubuntu0.20.04.2 amd64 MySQL database core client binaries
ii mysql-common 1:10.3.37+maria~ubu1804 all MariaDB database common files (e.g. /etc/mysql/my.cnf)
ii mysql-server 8.0.31-0ubuntu0.20.04.2 all MySQL database server (metapackage depending on the latest version)
ii mysql-server-8.0 8.0.31-0ubuntu0.20.04.2 amd64 MySQL database server binaries and system database setup
ii mysql-server-core-8.0 8.0.31-0ubuntu0.20.04.2 amd64 MySQL database server binaries
$ sudo apt remove --purge mysql-client-* mysql-common mysql-server*
$ sudo rm -rf /etc/mysql /var/lib/mysql /var/log/mysql
$ sudo apt autoremove
$ sudo apt autoclean
$ sudo apt install mysql-server # or $ sudo apt install mysql-server-8.0 mysql-server-core-8.0
After installation, there are always some errors to handle.
Reinstalling also didn't fix it:
$ sudo apt install --reinstall mysql-server # or $ sudo apt install mysql-server-8.0 mysql-server-core-8.0
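An added example, not from the post: the recovery sequence for the state shown above (server running with skip-grant-tables, and no 'root'@'localhost' row in mysql.user). ERROR 1290 appears because in skip-grant-tables mode the grant tables are not loaded until they are reloaded; FLUSH PRIVILEGES loads them and re-enables account-management statements for the session. The password is a placeholder to replace.

```sql
-- Added example: rebuild 'root'@'localhost' on MySQL 8 when the server was
-- started with skip-grant-tables and mysql.user has no root row (the state
-- in the post). Connect with: mysql -u root   (no password is checked in
-- this mode). 'CHANGE-ME-strong-password' is a placeholder.

-- In skip-grant-tables mode the grant tables are not loaded, which is why
-- CREATE USER answered ERROR 1290. Loading them re-enables account
-- management for this session while the server stays up.
FLUSH PRIVILEGES;

-- Confirm the starting point seen in the post: only the three built-in
-- accounts exist.
SELECT user, host FROM mysql.user;

-- Recreate the administrative account. caching_sha2_password is the 8.0
-- default; naming the plugin avoids inheriting one from a leftover my.cnf.
CREATE USER 'root'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY 'CHANGE-ME-strong-password';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;

-- Verify before leaving skip-grant-tables mode.
SELECT user, host, plugin, account_locked FROM mysql.user WHERE user = 'root';
SHOW GRANTS FOR 'root'@'localhost';
```

Afterwards remove skip-grant-tables from my.cnf, run `sudo systemctl restart mysql`, and log in with `mysql -u root -p`; mysql_secure_installation should then accept the new password. While skip-grant-tables is active, every client that can reach the socket or the port is a full administrator with no password, so keep that window short; the `bind-address = 127.0.0.1` already in the posted my.cnf at least keeps it off the network.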
I want to achieve 6000 requests/sec and am trying to set up HAProxy with multi-process settings, but I am getting this error:
cpu-map expects a process number including 'all', 'odd', 'even', or a
number from 1 to 64, followed by a list of CPU ranges with numbers
from 0 to 63
Following are the configurations I'm using.
global
daemon
maxconn 200000
maxsslconn 200000
#stats socket /run/haproxy/admin.sock mode 660 level admin
stats socket 127.0.0.1:14567
nbproc 6
cpu-map auto:1/all 0
cpu-map auto:2/all 1
cpu-map auto:3/all 2
cpu-map auto:4/all 3
cpu-map auto:5/all 4
cpu-map auto:6/all 5
stats bind-process 6
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
and
global
daemon
maxconn 200000
maxsslconn 200000
#stats socket /run/haproxy/admin.sock mode 660 level admin
stats socket 127.0.0.1:14567
nbproc 6
cpu-map 1 0
cpu-map 2 1
cpu-map 3 2
cpu-map 4 3
cpu-map 5 4
cpu-map 6 5
stats bind-process 6
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
Nothing is working as expected.
I'm trying to enable SSL on MariaDB in a Docker container.
I have made the following changes in the /etc/mysql/my.cnf file:
ssl-ca=/etc/certs/client-cert.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem
ssl_ca=/etc/certs/client-cert.pem
ssl_cert=/etc/certs/server-cert.pem
ssl_key=/etc/certs/server-key.pem
Note: I have used variable names with both - and _ because I am not sure which form it uses.
I have also placed the certificates at the paths mentioned above.
Here is the result of "show variables like '%ssl%';":
MariaDB [(none)]> show variables like '%ssl%';
+---------------------+----------------------------+
| Variable_name | Value |
+---------------------+----------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/certs/client-cert.pem |
| ssl_capath | |
| ssl_cert | /etc/certs/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/certs/server-key.pem |
| version_ssl_library | OpenSSL 1.1.0g 2 Nov 2017 |
+---------------------+----------------------------+
10 rows in set (0.001 sec)
But this is what I get when I run the "status" command on the mysql command line:
MariaDB [(none)]> status
--------------
mysql Ver 15.1 Distrib 10.3.9-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
Connection id: 42
Current database:
Current user: root@localhost
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 10.3.9-MariaDB-1:10.3.9+maria~bionic mariadb.org binary distribution
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: latin1
Conn. characterset: latin1
UNIX socket: /var/run/mysqld/mysqld.sock
Uptime: 5 min 52 sec
It says SSL is not in use, so now I'm not sure whether SSL is enabled or not. Am I missing a flag? Also, how can I find out whether it is enabled?
Here is the complete my.cnf file:
# MariaDB database server configuration file.
#
# You can copy this file to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# especially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
# Here is entries for some specific programs
# The following values assume you have at least 32M ram
# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
#
# * Basic Settings
#
#user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc_messages_dir = /usr/share/mysql
lc_messages = en_US
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
#
# * Fine Tuning
#
max_connections = 100
connect_timeout = 5
wait_timeout = 600
max_allowed_packet = 16M
thread_cache_size = 128
sort_buffer_size = 4M
bulk_insert_buffer_size = 16M
tmp_table_size = 32M
max_heap_table_size = 32M
#
# * MyISAM
#
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched. On error, make copy and try a repair.
myisam_recover_options = BACKUP
key_buffer_size = 128M
#open-files-limit = 2000
table_open_cache = 400
myisam_sort_buffer_size = 512M
concurrent_insert = 2
read_buffer_size = 2M
read_rnd_buffer_size = 1M
#
# * Query Cache Configuration
#
# Cache only tiny result sets, so we can fit more in the query cache.
query_cache_limit = 128K
query_cache_size = 64M
# for more write intensive setups, set to DEMAND or OFF
#query_cache_type = DEMAND
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
#
# we do want to know about network errors and such
#log_warnings = 2
#
# Enable the slow query log to see queries with especially long duration
#slow_query_log[={0|1}]
slow_query_log_file = /var/log/mysql/mariadb-slow.log
long_query_time = 10
#log_slow_rate_limit = 1000
#log_slow_verbosity = query_plan
#log-queries-not-using-indexes
#log_slow_admin_statements
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#report_host = master1
#auto_increment_increment = 2
#auto_increment_offset = 1
#log_bin = /var/log/mysql/mariadb-bin
#log_bin_index = /var/log/mysql/mariadb-bin.index
# not fab for performance, but safer
#sync_binlog = 1
expire_logs_days = 10
max_binlog_size = 100M
# slaves
#relay_log = /var/log/mysql/relay-bin
#relay_log_index = /var/log/mysql/relay-bin.index
#relay_log_info_file = /var/log/mysql/relay-bin.info
#log_slave_updates
#read_only
#
# If applications support it, this stricter sql_mode prevents some
# mistakes like inserting invalid dates etc.
#sql_mode = NO_ENGINE_SUBSTITUTION,TRADITIONAL
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
default_storage_engine = InnoDB
# you can't just change log file size, requires special procedure
#innodb_log_file_size = 50M
innodb_buffer_pool_size = 256M
innodb_log_buffer_size = 8M
innodb_file_per_table = 1
innodb_open_files = 400
innodb_io_capacity = 400
innodb_flush_method = O_DIRECT
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
ssl-ca=/etc/certs/client-cert.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem
ssl_ca=/etc/certs/client-cert.pem
ssl_cert=/etc/certs/server-cert.pem
ssl_key=/etc/certs/server-key.pem
#
# * Galera-related settings
#
[galera]
# Mandatory settings
#wsrep_on=ON
#wsrep_provider=
#wsrep_cluster_address=
#binlog_format=row
#default_storage_engine=InnoDB
#innodb_autoinc_lock_mode=2
#
# Allow server to accept connections on all interfaces.
#
#bind-address=0.0.0.0
#
# Optional setting
#wsrep_slave_threads=1
#innodb_flush_log_at_trx_commit=0
[mysqldump]
quick
quote-names
max_allowed_packet = 16M
[mysql]
#no-auto-rehash # faster start of mysql but no tab completion
[isamchk]
key_buffer = 16M
#
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
#
!include /etc/mysql/mariadb.cnf
!includedir /etc/mysql/conf.d/
I can't reproduce the problem:
$ mysql -u user -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 1
Server version: 10.3.9-MariaDB-1:10.3.9+maria~bionic-log mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> \! ls -alF /path/to/MariaDB/ssl/
total 20
drwxr-xr-x 2 user user 140 Jan 01 00:01 ./
drwxr-xr-x 5 user user 240 Jan 01 00:01 ../
-r-----r-- 1 user user 1273 Jan 01 00:01 ca.pem
-r-----r-- 1 user user 1143 Jan 01 00:01 client-cert.pem
-r-----r-- 1 user user 1679 Jan 01 00:01 client-key.pem
-r-----r-- 1 user user 1147 Jan 01 00:01 server-cert.pem
-r-----r-- 1 user user 1679 Jan 01 00:01 server-key.pem
MariaDB [(none)]> \! cat /path/to/MariaDB/my.cnf
...
[client]
...
## MariaDB Client Configuration ##
ssl-ca=/path/to/MariaDB/ssl/ca.pem
ssl-cert=/path/to/MariaDB/ssl/client-cert.pem
ssl-key=/path/to/MariaDB/ssl/client-key.pem
### This option is disabled by default ###
ssl-verify-server-cert
...
...
[mysqld]
...
#
# * Security Features
#
ssl
ssl-ca=/path/to/MariaDB/ssl/ca.pem
ssl-cert=/path/to/MariaDB/ssl/server-cert.pem
ssl-key=/path/to/MariaDB/ssl/server-key.pem
ssl-cipher=TLSv1.2
...
MariaDB [(none)]> \s
--------------
mysql Ver 15.1 Distrib 10.3.9-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
Connection id: 1
Current database:
Current user: user@localhost
SSL: Cipher in use is ECDHE-RSA-AES256-GCM-SHA384
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 10.3.9-MariaDB-1:10.3.9+maria~bionic-log mariadb.org binary distribution
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /var/run/mysqld/mysqld.sock
Uptime: 11 sec
Threads: 8 Questions: 61 Slow queries: 0 Opens: 32 Flush tables: 1 Open tables: 26 Queries per second avg: 5.545
--------------
MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------------+--------------------------------------+
| Variable_name | Value |
+---------------------+--------------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /path/to/MariaDB/ssl/ca.pem |
| ssl_capath | |
| ssl_cert | /path/to/MariaDB/ssl/server-cert.pem |
| ssl_cipher | TLSv1.2 |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /path/to/MariaDB/ssl/server-key.pem |
| version_ssl_library | OpenSSL 1.1.0g 2 Nov 2017 |
+---------------------+--------------------------------------+
10 rows in set (0.001 sec)
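The session above configures TLS on both sides and relies on `\s` to confirm that a cipher is in use. Turning `ssl` on in `[mysqld]` only offers TLS to clients; whether a given session is actually encrypted has to be checked on that session. The shell functions below are an added example (not part of the original thread) that make this check scriptable by reading the `Ssl_cipher` session status variable. They assume the `mysql` client is on PATH and configured as in the thread's `[client]` section; `MYSQL_CMD` is a hypothetical override hook so a wrapper or a test stub can stand in for the real client.

```shell
#!/bin/sh
# Added example, not from the original thread: confirm that a MariaDB/MySQL
# session is really protected by TLS before trusting the channel.
# With the thread's [client] options (ssl-ca, ssl-cert, ssl-key and
# ssl-verify-server-cert) the client aborts on an untrusted server
# certificate; what remains to catch is a session that was never encrypted.
# Assumes `mysql` on PATH; MYSQL_CMD is a hypothetical override hook.
set -eu
MYSQL_CMD="${MYSQL_CMD:-mysql}"

# negotiated_cipher: print the cipher of the current session, or an empty
# string when the session is plaintext.
negotiated_cipher() {
    # --batch --skip-column-names yields "Ssl_cipher<TAB><value>"; keep <value>.
    "$MYSQL_CMD" --batch --skip-column-names \
        -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'" | cut -f2
}

# require_tls: exit status 0 only when a cipher was negotiated, so the
# function can gate a backup or export job on an encrypted connection.
require_tls() {
    cipher=$(negotiated_cipher)
    if [ -z "$cipher" ]; then
        echo "connection is NOT encrypted" >&2
        return 1
    fi
    echo "TLS in use: $cipher"
}

# Usage: require_tls && run_the_job_that_needs_an_encrypted_channel
```

For the session shown in the thread, `negotiated_cipher` prints `ECDHE-RSA-AES256-GCM-SHA384`, the same value `\s` reports; on a plaintext session the status variable is empty and `require_tls` fails.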
The output of a mysql command doesn't correctly align the titles (using a script).
Here is the SQL command in script.sh:
#!/usr/bin/bash
echo "select * from hw_inventory "| mysql --host=localhost --user=root --database=monitor > /tmp/inventory
This gives me following output in /tmp/inventory
ip_address entity_index entity_physname entity_physdesc entity_serial
10.212.0.1 1000 Switch 1 WS-C3850-12S FOC1842U117
10.212.0.1 1009 Switch 1 - Power Supply A Switch 1 - Power Supply A LIT18300URD
10.212.0.1 1010 Switch 1 - Power Supply B Switch 1 - Power Supply B LIT183506NH
10.212.0.1 1034 Switch 1 FRU Uplink Module 1 2x1G 2x10G Uplink Module FOC18363NJX
As you can see, the alignment (tabs) is not right: the text "Switch 1" should start under entity_physname.
It needs to be like following output:
ip_address entity_index entity_physname entity_physdesc entity_serial
10.212.0.1 1000 Switch 1 WS-C3850-12S FOC1842U117
10.212.0.1 1009 Switch 1 - Power Supply A Switch 1 - Power Supply A LIT18300URD
10.212.0.1 1010 Switch 1 - Power Supply B Switch 1 - Power Supply B LIT183506NH
10.212.0.1 1034 Switch 1 FRU Uplink Module 1 2x1G 2x10G Uplink Module FOC18363NJX
Any ideas?
Thanks in advance
For formatting the output from mysql, use the -t param:
echo "select * from hw_inventory" | mysql -t --host=localhost --user=root --database=monitor > /tmp/inventory
(See my answer below. Leaving this up in case it helps someone else.)
What follows is a series of attempts to dump a query to an outfile on a new FreeBSD box that my site has moved to. The results are the same if I log in as me or if I log in as root. I hope the style isn't too annoying. I have my comments commented out around the actual code and output.
// try to dump query to my home dir
SELECT pmr.datetime_requested,
nfo.postal_code
FROM
print_mailing_request pmr,
personal_info nfo
WHERE
nfo.person = pmr.person AND
pmr.datetime_requested >= "2010-01-01 00:00:00" AND
(pmr.print_mailing = 31 OR pmr.print_mailing = 30)
ORDER BY pmr.datetime_requested INTO OUTFILE '/usr/home/david/x';
ERROR 1 (HY000): Can't create/write to file '/usr/home/david/x' (Errcode: 2)
// tried creating file first with touch and even chmod 077 file
// but same error each time
// OK, lets try /tmp
SELECT pmr.datetime_requested,
nfo.postal_code
FROM
print_mailing_request pmr,
personal_info nfo
WHERE
nfo.person = pmr.person AND
pmr.datetime_requested >= "2010-01-01 00:00:00" AND
(pmr.print_mailing = 31 OR pmr.print_mailing = 30)
ORDER BY pmr.datetime_requested INTO OUTFILE '/tmp/x';
Query OK, 24654 rows affected (0.78 sec)
// so let's look at the file
less /tmp/x
/tmp/x: No such file or directory
// Log back into mysql and try same query again
ERROR 1086 (HY000): File '/tmp/x' already exists
ls /tmp
20100325180233.gtg2010.csv 20100330094652.gtg2010.csv
20100325180448.gtg2010.csv 2010_Q1_UNO.csv
20100325181446.gtg2010.csv 4724.csv
20100325181927.gtg2010.csv aprbUfvxp
20100326003002.gtg2010.csv dave.txt
20100327003002.gtg2010.csv etr.xml
20100328003002.gtg2010.csv mysql.sock
20100329003003.gtg2010.csv
// No file x.
// If I run query with no INTO OUTFILE I see 24000+ rows of
| 2010-04-04 13:27:09 | 33156 |
| 2010-04-04 13:27:10 | 33156 |
| 2010-04-04 13:30:04 | NE38 8SR |
| 2010-04-04 14:27:03 | 00901 |
| 2010-04-04 14:37:04 | 75001 |
| 2010-04-04 14:53:05 | 78640 |
| 2010-04-04 15:15:03 | 07410 |
| 2010-04-04 15:27:04 | 43235 |
// So I know it isn't the query...
// Advice?
Doh! When I log into mysql on this machine my connection string has an IP address in it. /tmp as far as mysql is concerned is not on the machine I am logged into...
so I solved the problem by using mysql -e, e.g.:
mysql -h my.db.com -u usrname --password=pass db_name -e 'SELECT foo FROM bar' > /tmp/myfile.txt
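The point the thread arrives at is that INTO OUTFILE is executed by the server: the file is created on the server's filesystem (and requires the FILE privilege there), so a client connected over TCP to another host never sees it. Redirecting the client's own stdout writes on the client host instead. The shell function below is an added example, not the poster's script, that wraps that approach with two checks a practitioner would want: it refuses to clobber an existing export and creates the file owner-readable only, since query dumps like the one above carry personal data. It assumes the `mysql` client is on PATH and that credentials come from an option file (`~/.my.cnf` or `--defaults-extra-file`) rather than the command line; `MYSQL_CMD` is a hypothetical override hook for wrappers or test stubs.

```shell
#!/bin/sh
# Added example, not from the original thread: export a query result to a
# file on the CLIENT host by redirecting the client's stdout, instead of
# INTO OUTFILE, which writes on the server's filesystem.
# Assumes `mysql` on PATH and credentials in an option file rather than on
# the command line (where they show up in `ps` and shell history).
# MYSQL_CMD is a hypothetical override hook.
set -eu
MYSQL_CMD="${MYSQL_CMD:-mysql}"

# export_query HOST DATABASE SQL OUTFILE
# Writes tab-separated rows (header line first) to OUTFILE on this machine
# and prints the number of data rows written.
export_query() {
    host=$1 db=$2 sql=$3 out=$4
    # Do not clobber a previous export; the server-side counterpart of this
    # check is the ERROR 1086 seen in the thread.
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing file: $out" >&2
        return 1
    fi
    # umask 077 in a subshell makes the new file mode 600 without changing
    # the caller's umask. --batch gives tab-separated output with no box
    # drawing, and escapes tabs/newlines inside values.
    (umask 077; "$MYSQL_CMD" --host="$host" --database="$db" --batch \
        -e "$sql" > "$out")
    lines=$(wc -l < "$out")
    echo $((lines - 1))
}

# Usage: export_query my.db.com db_name 'SELECT foo FROM bar' /tmp/myfile.txt
```

Because the redirection happens in the client's shell, the path is interpreted on the machine you are logged into, which is exactly the behaviour the poster expected from INTO OUTFILE.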