to jail or not to jail

Kyle Evans kevans at freebsd.org
Sun Jun 2 02:43:44 UTC 2019


On Sat, Jun 1, 2019 at 7:30 PM David Mehler <dave.mehler at gmail.com> wrote:
>
> Hello,
>
> I've got a newly installed FreeBSD 12 vps. It's going to be running a
> web server/php hosting multiple sites, with letsencrypt tls
> certificates for each. It's also going to be running an email server,
> postfix, dovecot, rspamd, mysql database backend, again with the same
> letsencrypt tls certificates. Previously I've had all this on one
> host.
>
> What I'm wondering is if I should jail off these services, I've got a
> zfs setup, still trying to wrap my head around that, and am wondering
> should I run the database in one jail, the webserver/php in another
> jail, and the email server in a third jail? If I do this how would I
> get the tls certificates in to each jail, I'm looking for the maximum
> automation.
>

I have a similar setup to this- DB, webserver/php, mail server is a
good separation. My acme setup has a /usr/local/certs on the host that
I've null mounted into the jails that need it, but I haven't quite
worked out logistics for signaling my xmpp jail when webserver jail's
updated the certs. Perhaps a flag file in /usr/local/certs that the
host looks for would be sufficient.

Thanks,

Kyle Evans
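
Added example, not part of the message above or of anyone's actual setup: one way the host could act on the flag-file idea, run from root's crontab. The flag name, the host-only pending marker, the jail and service names, and the jail path in the fstab comment are all assumptions; the jail that renews the certificates is assumed to create the flag after each renewal.

```shell
#!/bin/sh
# Host-side check for a "certificates renewed" flag, run from cron as root.
# Consuming jails are assumed to get the directory as a read-only null mount:
#   /usr/local/certs  /jails/xmpp/usr/local/certs  nullfs  ro  0  0

CERT_DIR="${CERT_DIR:-/usr/local/certs}"      # path from the message
FLAG_NAME="${FLAG_NAME:-.renewed}"            # assumed flag file name
PENDING="${PENDING:-/var/run/certs.pending}"  # assumed host-only marker
# Assumed "jail:service" pairs that must pick up new certificates.
CONSUMERS="${CONSUMERS:-xmpp:prosody mail:postfix mail:dovecot}"
RELOAD_CMD="${RELOAD_CMD:-reload_in_jail}"    # overridable for dry runs

reload_in_jail() {
    # service(8) -j runs the rc script inside the named jail.
    service -j "$1" "$2" reload
}

process_cert_flag() {
    flag="$CERT_DIR/$FLAG_NAME"
    # The flag is written by a jail, so only its existence is used: it is
    # never read, executed or written through, and a symlink is ignored.
    if [ -f "$flag" ] && [ ! -L "$flag" ]; then
        # Move the signal to a path no jail can touch, then clear the flag.
        # A renewal that lands during the reloads sets the flag again.
        rm -f "$flag" || return 1
        : > "$PENDING" || return 1
    fi
    [ -f "$PENDING" ] || return 0
    failed=0
    for pair in $CONSUMERS; do
        jail="${pair%%:*}"
        svc="${pair#*:}"
        "$RELOAD_CMD" "$jail" "$svc" || failed=1
    done
    # Keep the pending marker on failure so the next cron run retries.
    [ "$failed" -eq 0 ] || return 1
    rm -f "$PENDING"
}

# Cron usage: certflag.sh run
if [ "${1:-}" = "run" ]; then
    process_cert_flag
fi
```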


More information about the freebsd-questions mailing list