257 lines
4.1 KiB
HTML
257 lines
4.1 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Configuring MySQL</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Postfix-Cyrus-Web-cyradm-HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Getting and installing the software"
|
|
HREF="install.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Configuring PAM"
|
|
HREF="pam-config.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Postfix-Cyrus-Web-cyradm-HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="install.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="pam-config.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="MYSQL-CONFIG"
|
|
></A
|
|
>4. Configuring MySQL</H1
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="MYSQL-CONFIG-SECURING"
|
|
></A
|
|
>4.1. Securing MySQL</H2
|
|
><P
|
|
>Because you are using MySQL to authenticate users, you need to restrict network access
|
|
to port 3306.</P
|
|
><P
|
|
>The easiest way is to only bind MySQL to the loopback interface 127.0.0.1.
|
|
This makes sure nobody can connect to your MySQL daemon via the network.</P
|
|
><P
|
|
> Edit <TT
|
|
CLASS="FILENAME"
|
|
>/etc/init.d/mysql.server</TT
|
|
> and change line 107 as following:</P
|
|
><P
|
|
>Original line:</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file&</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>Changed line:</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file \
|
|
--bind-address=127.0.0.1&</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>Restart your MySQL daemon by issuing the command<B
|
|
CLASS="COMMAND"
|
|
>/etc/init.d/mysql.server start</B
|
|
></P
|
|
><P
|
|
>To ensure the configuration change was successful, <B
|
|
CLASS="COMMAND"
|
|
>netstat -an|grep LISTEN</B
|
|
>. The
|
|
Output should be looking similar to this:</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>bond:~ # netstat -an|grep LISTEN
|
|
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="MYSQL-RINETD"
|
|
></A
|
|
>4.2. Setting up rinetd</H2
|
|
><P
|
|
>This step is only necessary if you run the MySQL sever on host other than the mail server. This allows
|
|
you to securely connect from another host since access is allowed only from pre-defined IP addresses.</P
|
|
><P
|
|
>The example used is from the view of the host serving the MySQL database. Lets assume your
|
|
mail server has the IP 192.168.0.100 and the MySQL host has 192.168.0.200</P
|
|
><P
|
|
> Edit <TT
|
|
CLASS="FILENAME"
|
|
>/etc/rinetd.conf</TT
|
|
> and add:</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>192.168.0.200 3306 127.0.0.1 3306
|
|
allow 192.168.0.100</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>This means: The MySQL host is listening on 192.168.0.200 port 3306. If 192.168.0.100
|
|
attempts a connection, it is forwarded to 127.0.0.1:3306. All other hosts are rejected. </P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="install.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="pam-config.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Getting and installing the software</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
> </TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Configuring PAM</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |