# How to run Dovecot in a jail?



## bryn1u (Feb 12, 2019)

Hey.

I have a weird problem with Dovecot inside a jail. I can't start the Dovecot service.

```
[root@mail /]# service dovecot onestart
Starting dovecot.
/usr/local/etc/rc.d/dovecot: WARNING: failed to start dovecot
[root@mail /]#
```
I'm doing the same thing on the host and it works without any problems. The problems show up when I want to run it in a jail. Can someone tell me how I can debug it or how to fix it?
Thanks,


----------



## Remington (Feb 12, 2019)

Did you check the Dovecot log?


----------



## bryn1u (Feb 12, 2019)

Remington said:


> Did you check the Dovecot log?



There is something like this:

```
Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(pop3-login): listen(::, 110) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(pop3-login): listen(::, 995) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(imap-login): listen(::, 143) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(imap-login): listen(::, 993) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Fatal: Failed to start listeners
```

And I really don't understand it. Why is the protocol not supported?


----------



## abishai (Feb 12, 2019)

Non-VNET jails don't have localhost. You should set the IP manually in the Dovecot config file.


----------



## sko (Feb 12, 2019)

bryn1u said:


> Error: socket() failed



Did you set/enable allow_raw_sockets for the jail?

I'm running Dovecot in jails on my/our mail servers without any issues. Just make sure they have access to raw sockets and that you explicitly specify the listen address (i.e. not 0.0.0.0) of all services. I usually use a loopback device and let PF handle all RDR to the loopback address of the jail the service is running in; this simplifies upgrades/migrations, as I only have to change the RDR target.


----------



## tommiie (Feb 12, 2019)

RDR = ??


----------



## bryn1u (Feb 12, 2019)

Hey,

Thanks guys for the advice. I solved it by setting the IP manually in the Dovecot config. "allow_raw_sockets" does not need to be turned on.


----------



## sko (Feb 12, 2019)

tommiie said:


> RDR = ??



redirect rules, e.g. (in pf.conf):


```
rdr on $ext_if inet proto tcp to port { imap, imaps, sieve } -> $dovecot
```

When updating (or migrating/reconfiguring) dovecot I usually clone the jail (or set up a new one) and test it; then after verifying everything is working I just have to update the $dovecot macro in pf.conf to the IP of the new jail.


Regarding raw sockets: IIRC I had issues with TLS, but it seems I was a bit sloppy in my documentation about why _exactly_ I enabled it. Try whether it works without raw_sockets, as this is always the better route to go.
I'd also try to dump POP3 support entirely; nobody should use that anymore, and it usually creates more problems (usually by users accessing the server via IMAP _and_ POP) than you might solve by being that much backwards-compatible. MUAs without IMAP support (that I know of and that still exist) can't even use TLS, so these shouldn't be able to access the mail server at all...


----------



## SirDice (Feb 12, 2019)

It was tripping up because it was trying to listen on IPv6 and the jail didn't have it enabled (hence the protocol error). Look closely at the listen errors: it's trying to open `::`, which is the IPv6 equivalent of IPv4's 0.0.0.0.
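As an added example that is not part of the thread (and not Dovecot's own code), the script below reproduces the diagnosis from the posts above: it pulls the `listen(...) failed` lines out of the log excerpt, then does what Dovecot's master process does for each address in the `listen` setting (socket(), bind(), listen()), so that the "Protocol not supported" errno can be tied to a specific address family. It finishes by rewriting the default `listen = *, ::` with an explicit jail address, which is the fix bryn1u applied. The log text is constructed from the lines quoted in the thread; `192.0.2.10` and `2001:db8::10` are placeholder jail addresses, and the `prober` argument exists only so the classification can be exercised without a real IPv6-less jail.

```python
import errno
import re
import socket

# Constructed sample: a subset of the log lines quoted earlier in the thread.
SAMPLE_LOG = """\
Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(pop3-login): listen(::, 110) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: socket() failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Error: service(imap-login): listen(::, 143) failed: Protocol not supported
Feb 12 11:34:02 mail dovecot[29835]: master: Fatal: Failed to start listeners
"""

LISTEN_ERR = re.compile(
    r"service\((?P<service>[^)]+)\): listen\((?P<addr>[^,]+), (?P<port>\d+)\) failed: (?P<reason>.+)$"
)

# errno names that mean "this address family is not usable here", which is what
# a non-VNET jail without an IPv6 address reports for AF_INET6.
FAMILY_ERRORS = {"EPROTONOSUPPORT", "EAFNOSUPPORT", "EADDRNOTAVAIL"}


def failed_listeners(log_text):
    """Return [(service, addr, port, reason)] for every listen() failure in the log."""
    rows = []
    for line in log_text.splitlines():
        m = LISTEN_ERR.search(line)
        if m:
            rows.append((m["service"], m["addr"], int(m["port"]), m["reason"]))
    return rows


def is_ipv6(addr):
    return ":" in addr


def parse_listen(value):
    """Dovecot `listen` syntax: comma-separated; "*" means every IPv4 address,
    "::" means every IPv6 address. The default is "*, ::"."""
    return ["0.0.0.0" if a.strip() == "*" else a.strip()
            for a in value.split(",") if a.strip()]


def try_listen(addr, port=0):
    """Mimic Dovecot's master: socket() + bind() + listen() on one address.
    Returns (True, "") or (False, <errno name>). port=0 uses an ephemeral port
    so the probe never collides with a running service."""
    family = socket.AF_INET6 if is_ipv6(addr) else socket.AF_INET
    try:
        s = socket.socket(family, socket.SOCK_STREAM)
    except OSError as e:
        # This is the "socket() failed: Protocol not supported" line from the log.
        return False, errno.errorcode.get(e.errno, str(e.errno))
    with s:
        try:
            s.bind((addr, port))
            s.listen(1)
            return True, ""
        except OSError as e:
            return False, errno.errorcode.get(e.errno, str(e.errno))


def diagnose(listen_value, prober=try_listen):
    """Classify a `listen` value as "ok", "no-ipv6" (only IPv6 addresses fail,
    and with an address-family error) or "other". Returns (status, results)."""
    results = {a: prober(a) for a in parse_listen(listen_value)}
    bad = {a: err for a, (ok, err) in results.items() if not ok}
    if not bad:
        return "ok", results
    if all(is_ipv6(a) and err in FAMILY_ERRORS for a, err in bad.items()):
        return "no-ipv6", results
    return "other", results


def fix_listen(listen_value, ipv4=None, ipv6=None):
    """Rewrite the listen list with explicit (assumed) jail addresses: "*" becomes
    ipv4, "::" becomes ipv6, and a wildcard for which no address is given is dropped."""
    out = []
    for a in parse_listen(listen_value):
        if a == "0.0.0.0":
            if ipv4:
                out.append(ipv4)
        elif a == "::":
            if ipv6:
                out.append(ipv6)
        else:
            out.append(a)
    return ", ".join(out)


if __name__ == "__main__":
    for svc, addr, port, reason in failed_listeners(SAMPLE_LOG):
        print(f"{svc}: {addr}:{port} -> {reason}")
    status, results = diagnose("*, ::")
    print(status, results)
    print("listen =", fix_listen("*, ::", ipv4="192.0.2.10"))
```

Run inside the jail, `diagnose("*, ::")` reports `no-ipv6` when only `::` fails with `EPROTONOSUPPORT`; the corresponding dovecot.conf change is `listen = 192.0.2.10` (the jail's actual address), which is what `fix_listen` prints. Once the jail gets an `ip6.addr`, passing `ipv6=` keeps an explicit IPv6 listener too.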


----------

