How to run Dovecot in a jail?

Hey.

I have a weird problem with dovecot inside a jail. I can't start the dovecot service.
Code:
[root@mail /]# service dovecot onestart
Starting dovecot.
/usr/local/etc/rc.d/dovecot: WARNING: failed to start dovecot
[root@mail /]#
I'm doing the same thing on the host and it works without any problems. The problems show up when I want to run it in a jail. Can someone tell me how I can debug it or how to fix it?
Thanks,
 
Did you check dovecot log?

There is something like that:
Code:
Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(pop3-login): listen(::, 110) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(pop3-login): listen(::, 995) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(imap-login): listen(::, 143) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(imap-login): listen(::, 993) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Fatal: Failed to start listeners

And I really don't understand it. Why is the protocol not supported?
 
Error: socket() failed

Did you set/enable allow_raw_sockets for the jail?

I'm running dovecot in jails on my/our mailservers without any issues. Just make sure they have access to raw sockets and you explicitly specify the listen address (i.e. not 0.0.0.0) of all services. I'm usually using a loopback device and let PF handle all RDR to the loopback address of the jail the service is running in, this simplifies upgrades/migrations as I only have to change the RDR target.
 
Hey,

Thanks guys for the advice. I solved it by setting the IP manually in the dovecot config. "allow_raw_sockets" does not need to be turned on.
 

redirect rules, e.g.:

Code:
rdr on $ext_if inet proto tcp to port { imap, imaps, sieve } -> $dovecot

When updating (or migrating/reconfiguring) dovecot I usually clone the jail (or set up a new one) and test it; then after verifying everything is working I just have to update the $dovecot macro in pf.conf to the IP of the new jail.


regarding raw sockets: IIRC I had issues with TLS, but it seems I was a bit sloppy in my documentation about why exactly I've enabled it 🙄 Try whether it works without raw_sockets, as this is always the better route to go.
I'd also try to dump POP3 support entirely - nobody should use that anymore and it usually creates more problems (usually by users accessing the server via IMAP and POP) than you might solve by being that much backwards-compatible. MUAs without IMAP support (that I know of and still exist) can't even use TLS, so these shouldn't be able to access the mailserver at all...
 
It was tripping up as it was trying to listen on IPv6 and the jail didn't have it enabled (hence the protocol error). Look closely at the listen errors, it's trying to open :: which is the IPv6 equivalent of IPv4's 0.0.0.0.
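An added diagnostic for the failure mode discussed in this thread (example code written for this page, not posted by any participant): it reads dovecot master log lines and ifconfig output passed in as text, counts `listen(::, <port>)` failures, checks whether the jail has any inet6 address at all, and suggests an explicit IPv4 `listen =` line for dovecot.conf, which is the fix the thread arrived at. The log lines, the ifconfig output and the address 192.0.2.10 are constructed samples; on a real system you would feed it `/var/log/maillog` and `jexec <jid> ifconfig` output instead.

```shell
#!/bin/sh
# Constructed sample of dovecot master log lines (same shape as the errors in
# the thread, not copied from a real server).
SAMPLE_LOG='Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(imap-login): listen(::, 143) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(imap-login): listen(::, 993) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Fatal: Failed to start listeners'

# Constructed log with no listener errors, for the "nothing wrong" case.
OK_LOG='Feb 12 11:40:00 mail dovecot[29900]: master: Dovecot v2.3 starting up for imap'

# Constructed ifconfig output of a jail with only an IPv4 alias (no inet6 line).
SAMPLE_IFCONFIG_JAIL='lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 192.0.2.10 netmask 0xffffffff'

# Constructed ifconfig output of a host that does have IPv6 configured.
SAMPLE_IFCONFIG_HOST='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
    inet6 2001:db8::1 prefixlen 64'

# Number of listen() failures on the IPv6 wildcard "::" in the given log text.
# "|| true" keeps the "0" output even though grep -c exits 1 on no match.
count_v6_listen_failures() {
    printf '%s\n' "$1" | grep -c 'listen(::, [0-9]*) failed: Protocol not supported' || true
}

# Ports dovecot tried to bind on "::", one per line, numerically sorted, unique.
failed_v6_ports() {
    printf '%s\n' "$1" | sed -n 's/.*listen(::, \([0-9]*\)) failed.*/\1/p' | sort -n -u
}

# True if the ifconfig output contains at least one inet6 address.
has_inet6() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet6 '
}

# Verdict for a log/ifconfig pair:
#   ok                              no "::" listen failures at all
#   ipv6-listen-failure             "::" failures and the jail has no inet6 address
#   ipv6-listen-failure-inet6-present  "::" failures although inet6 exists (look elsewhere)
diagnose() {
    n=$(count_v6_listen_failures "$1")
    if [ "$n" -eq 0 ]; then
        echo ok
    elif has_inet6 "$2"; then
        echo ipv6-listen-failure-inet6-present
    else
        echo ipv6-listen-failure
    fi
}

# The dovecot.conf line that replaces the default "listen = *, ::" so the
# master process only binds the jail's own IPv4 address.
suggest_listen() {
    printf 'listen = %s\n' "$1"
}

# Stand-alone report over the constructed samples.
verdict=$(diagnose "$SAMPLE_LOG" "$SAMPLE_IFCONFIG_JAIL")
echo "verdict: $verdict"
if [ "$verdict" = ipv6-listen-failure ]; then
    echo "ports that failed on ::: $(failed_v6_ports "$SAMPLE_LOG" | tr '\n' ' ')"
    echo "either enable IPv6 for the jail or put this in dovecot.conf:"
    suggest_listen 192.0.2.10
fi
```

After changing `listen`, `doveconf -n` shows the effective setting and `service dovecot onestart` inside the jail should no longer report the `::` failures; the same function can be run with `jexec <jid> ifconfig` output to confirm the jail really has no inet6 address before you decide between adding one and dropping `::` from `listen`.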
 