Dovecot cgroup error?

A customer claims they aren’t receiving new mail, so I checked and found this in the maillog

Jun 12 10:51:25 p111 dovecot[3392779]: imap-login: Login: user=<mail@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3555859, secured, session=<Kkbm5mE3UMN/AAAB>
Jun 12 10:51:25 p111 dovecot[3392779]: imap(mail@domain.com)<3555859><Kkbm5mE3UMN/AAAB>: Error: net_connect_unix(/var/run/dovecot/cgroup) failed: Connection refused
Jun 12 10:51:25 p111 dovecot[3392779]: imap(mail@domain.com)<3555859><Kkbm5mE3UMN/AAAB>: Error: Failed to notify
Jun 12 10:51:25 p111 dovecot[3392779]: imap(mail@domain.com)<3555859><Kkbm5mE3UMN/AAAB>: Disconnected: Logged out bytes=94/1089

Localized to this account? Localized to this user? /var/run/dovecot is a reference mount to /.socket/dovecot/run.

I’d check by looking at their filesystem

chroot /home/virtual/siteXX/fst -- ls -la /var/run/dovecot

Is it the only site having issues?

cpcmd admin:kill-site DOMAIN.COM
systemctl restart fsmount dovecot

It might be hitting process (PID) limits. Does dmesg | grep siteXX report anything? Where siteXX is the identifier from get_site DOMAIN.COM

It’s multiple accounts, I’m seeing it for the customer that complained but I’m also seeing it for other domains.

Nothing in dmesg and `ls -la /var/run/dovecot shows the link for cgroup.

~]# chroot /home/virtual/site96/fst
bash-4.4# ls -la /var/run/dovecot/
total 0
drwxr-xr-x 2   97 root 57 Jun  9 13:29 .
drwxr-xr-x 1 root root 21 Jun 11 09:40 ..
lrwxrwxrwx 1 root root 27 Jun  9 13:29 cgroup -> /.socket/dovecot/run/cgroup
lrwxrwxrwx 1 root root 35 Sep 25  2024 imap-hibernate -> /.socket/dovecot/run/imap-hibernate
lrwxrwxrwx 1 root root 28 Sep 25  2024 indexer -> /.socket/dovecot/run/indexer

I’m not seeing it on my servers.

su site96
stat $(readlink /var/run/dovecot/cgroup)

Run systemctl restart dovecot. Repeat the process - did the inode update with stat? Are there any errors in Dovecot upon restart? grep -i error /var/log/maillog | grep -i dovecot.

You can remove the “cgroup” plugin from /etc/dovecot/conf.d/apnscp.conf under mail_plugins. This shouldn’t impact usability, in particular /var/run/dovecot/cgroup is a socket created by Dovecot on startup to listen for cgroup requests…

]$ stat $(readlink /var/run/dovecot/cgroup)
  File: /.socket/dovecot/run/cgroup
  Size: 0               Blocks: 0          IO Block: 4096   socket
Device: fd01h/64769d    Inode: 540889849   Links: 1
Access: (0660/srw-rw----)  Uid: (    0/    root)   Gid: (   97/ UNKNOWN)
Access: 2025-06-11 08:33:04.226655072 -0500
Modify: 2025-06-11 08:33:02.007551111 -0500
Change: 2025-06-11 08:33:02.007551111 -0500
 Birth: 2025-06-11 08:33:02.007551111 -0500

The only thing that changed is moving accounts off my final CentOS 7 server to this Rocky 8 server.

Ohh and the inode did not update.

Just more of the same, not anything related to Dovecot itself.

Ran dnf update --enablerepo=apnscp-testing without specifying “mod_shield”, so both nss-apnscp and pam-apnscp packages were updated to v2.0. This in turn allowed dovecot23-apnscp to update in the main repo while remaining on major branch.

dnf downgrade -y pam-apnscp nss-apnscp dovecot23-apnscp resolves this. Alternatively, moving to edge would have also resolved it.