0

I am trying to secure connections to my MySQL server. I have SSL set up, but I am looking for programs that support an SSL connection to MySQL. Specifically, I am currently looking for an email server that supports it. I am coming from a Windows environment and I was using hMailServer (which doesn't look like it supports a MySQL connection with SSL). I have tried searching Google and here for things like "dovecot using mysql ssl" or "mysql require ssl postfix". I seem to always get something like setting up Postfix, Dovecot, MySQL and SSL, but they mean SSL for the IMAP, SMTP and POP3 connections, not the MySQL backend connection. Can anyone tell me if Dovecot/Postfix support connecting to MySQL using SSL and, if so, how to do it? If not, what can I use? Or, how can I create a secure connection for all of my services: ownCloud, a custom-developed web app using Node.js with MySQL, and email? I think that's everything. Currently they are on the same machine, but I would like to make sure I could move things in future.

I am really interested in making my stuff as secure as possible.

:EDIT:

The accepted answer and its associated comments form an acceptable answer.

1 Answer

1

As long as all your services are located on the same host, you really do not need any SSL encryption between services. Just restrict internal services to the localhost - that is all.

In terms of MySQL, you have to modify my.cnf:

. . . . . .
[mysqld]
bind-address = 127.0.0.1
port         = 3306
socket       = /tmp/mysql.sock
. . . . . .

Here you restrict MySQL to accept connections on the loopback interface ONLY (i.e. from locally running processes) and via a file socket that is also accessible to locally running processes only.

5
  • I appreciate that, but I am anticipating a time when they are not all located on the same server (in the near future), as once my migration is complete I intend to separate some of the services again.
    – Peter
    Commented Apr 8, 2015 at 11:54
  • The easiest way to split services over the hosts is ssh-based port forwarding. Then each service keeps feeling that queries are sent to the localhost while they'll be forwarded to the specific host via an ssh tunnel. With no interference in the configs.
    – Kondybas
    Commented Apr 8, 2015 at 12:15
  • Keep in mind that a socket connection to MySQL is faster than a network connection, and a plain network connection is faster than an encrypted one.
    – Kondybas
    Commented Apr 8, 2015 at 12:17
  • I'll look into the ssh port forwarding, is that what stunnel is/does?
    – Peter
    Commented Apr 8, 2015 at 12:20
  • No, the default ssh utility establishes it: ssh user@server -L localhost:3306:127.0.0.1:3306 -N. All requests to localhost:3306 (MySQL) will be forwarded to the server's 127.0.0.1:3306. Here localhost and 127.0.0.1 are used to tell the local and remote ones apart.
    – Kondybas
    Commented Apr 8, 2015 at 12:36
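
A check for the my.cnf setting from the answer, as an added example that is not part of the original answer or comments. The function name mysqld_exposure and the sample input are made up here; it reads one option file on stdin, does not follow !include directives, and assumes that a missing bind-address means mysqld listens on all interfaces (the MySQL default).

```shell
#!/bin/sh
# Added example: classify how a my.cnf exposes mysqld on the network.
# Prints exactly one word: loopback | exposed | no-network

mysqld_exposure() {
    awk '
        BEGIN { addr = "*"; nonet = 0; insec = 0 }  # "*" = default, all interfaces
        { sub(/#.*/, "") }                           # drop "#" comments, also trailing ones
        /^[ \t]*;/ { next }                          # ";" comment lines
        /^[ \t]*\[/ {                                # section header: track [mysqld] only
            insec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/)
            next
        }
        !insec { next }                              # ignore [client], [mysqldump], ...
        {
            line = $0
            gsub(/[ \t]/, "", line)
            n = index(line, "=")
            key = (n ? substr(line, 1, n - 1) : line)
            val = (n ? substr(line, n + 1) : "")
            gsub(/_/, "-", key)                      # bind_address and bind-address are equivalent
            if (key == "bind-address") addr = val    # last occurrence wins
            if (key == "skip-networking" && val != "0" && toupper(val) != "OFF") nonet = 1
        }
        END {
            if (nonet) print "no-network"            # socket-only, no TCP listener
            else if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost") print "loopback"
            else print "exposed"                     # anything else: fail closed
        }
    '
}

# Constructed sample: the [mysqld] fragment shown in the answer.
sample='[mysqld]
bind-address = 127.0.0.1
port         = 3306
socket       = /tmp/mysql.sock'

printf '%s\n' "$sample" | mysqld_exposure    # loopback
```

The ssh forward from the comments targets the server's own 127.0.0.1:3306, so the database host should still report loopback after the services are split across machines.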
