In Progress [CPANEL-33967] dovecot warnings, - lookup mail user

[keat63]

Guys

Could anyone help me understand these warnings please.

/usr/local/cpanel/logs/error_log:
[2020-08-26 04:43:53 +0100] warn [cpsrvd] lookup_mail_user() failed: You do not have a user named â[email protected]â. at /usr/local/cpanel/Cpanel/Server.pm line 2251, <GEN7> line 2.
        Cpanel::Server::__ANON__(__CPANEL_HIDDEN__...) called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 197
        Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x20841b0), "shared", "dovecot_userdb", "faye.melia\@domain1.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
        Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x20841b0), "Lshared/dovecot_userdb/faye.melia\@domain1.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
        eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
        Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x20841b0)) called at /usr/local/cpanel/Cpanel/Server.pm line 2258
        Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x1df77f8)) called at cpsrvd.pl line 1778
        cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1090
        cpanel::cpsrvd::script() called at cpsrvd.pl line 431

Initially, I assumed that this was something to do with maybe a stray database entry gone wrong, as we used to have a mail user named faye.melia@domain1
However, we've never had a user called solyomchabachira@domain2, so rather than this being a dovecot error, i'm now thinking that it might be a potentail security issue.

/usr/local/cpanel/logs/error_log:
[2020-08-25 20:30:59 +0100] warn [cpsrvd] lookup_mail_user() failed: You do not have a user named â[email protected]â. at /usr/local/cpanel/Cpanel/Server.pm line 2251, <GEN3> line 2.
        Cpanel::Server::__ANON__(__CPANEL_HIDDEN__...) called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 197
        Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x2145280), "shared", "dovecot_userdb", "solyomchabachira\@domain2.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
        Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x2145280), "Lshared/dovecot_userdb/solyomchabachira\@domain2.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
        eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
        Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x2145280)) called at /usr/local/cpanel/Cpanel/Server.pm line 2258
        Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x1eb8788)) called at cpsrvd.pl line 1778
        cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1090
        cpanel::cpsrvd::script() called at cpsrvd.pl line 431

Since posting, I found this in exim mainlog

2020-08-25 20:30:59 H=s526.hubucoapp.com [185.196.54.14]:49469 F=<[email protected]> rejected RCPT <[email protected]>: No such 
person at this address."

So I'm now guessing that the initial warnings are maybe not so much of a threat, however, what's triggering these.
I don't recall seeing these in the past.
I updated to v90.0.5 on Monday evening, could it be related to this ???

 

[Paul Shultz]

It would be nice to know because I am seeing a ton of these

 

[keat63]

Hi Paul.

Since when did these start for you ?
I don't recall seeing any of these prior to Tuesday, where I updated on Monday evening.

 

[cPanelLauren]

Hi @keat63

Can you show me the output of the following:

grep "solyomchabachira" /var/log/maillog |tail

I believe these mail be the result of failed login attempts which occur frequently on servers for non-existent as well as existing accounts.

 

[keat63]

The grep line doesn't reveal anything.

I'm guessing that these are related to spammers trying to send to a non existant address.

<[email protected]>: No such person at this address."


However, I don't recall seeing errors like the one below, prior to Monday evening where I updated to V90.
I'm finding lots of these in my hourly email report.

/usr/local/cpanel/logs/error_log:
[2020-08-25 20:30:59 +0100] warn [cpsrvd] lookup_mail_user() failed: You do not have a user named â[email protected]â. at /usr/local/cpanel/Cpanel/Server.pm line 2251, <GEN3> line 2.
Cpanel::Server::__ANON__(__CPANEL_HIDDEN__...) called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 197
Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x2145280), "shared", "dovecot_userdb", "solyomchabachira\@domain2.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x2145280), "Lshared/dovecot_userdb/solyomchabachira\@domain2.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x2145280)) called at /usr/local/cpanel/Cpanel/Server.pm line 2258
Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x1eb8788)) called at cpsrvd.pl line 1778
cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1090
cpanel::cpsrvd::script() called at cpsrvd.pl line 431

is it possible to suppress these from my hourly report ?

 

[Paul Shultz]

It would be nice to know because I am seeing a ton of these

For me they started on [2020-08-21 13:11:04 +1000]

 

[Paul Shultz]

For me they started on [2020-08-21 13:11:04 +1000]

Actually straight after cPanel & WHM was updated to Version 90

 

[cPanelLauren]

The only other report I have of this is a result of failed login attempts. The one thing that is concerning though is the error being output in the cPanel error logs. I would suggest that if you are experiencing this issue that you open a ticket so that our analysts can investigate this further.

 

[jdpuglisi]

Ditto here on my install. my cPanel error_log is littered with them. Maybe disabling Dovecot might be in order.

 

[jdpuglisi]

Here's the odd warning from my cPanel error_log

[2020-08-29 08:45:56 -0400] warn [cpsrvd] lookup_mail_user() failed: This system does not have a domain named “inmotionhosting.com”. at /usr/local/cpanel/Cpanel/Server.pm line 2251, <GEN11903> line 2.
    Cpanel::Server::__ANON__(__CPANEL_HIDDEN__...) called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 197
    Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x26fbc08), "shared", "dovecot_userdb", "willem\@inmotionhosting.com") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
    Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x26fbc08), "Lshared/dovecot_userdb/willem\@inmotionhosting.com") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
    eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
    Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x26fbc08)) called at /usr/local/cpanel/Cpanel/Server.pm line 2258
    Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x26e0af8)) called at cpsrvd.pl line 1778
    cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1090
    cpanel::cpsrvd::script() called at cpsrvd.pl line 431

That's my VPS host. I'd understand the warning if it was my domain's email address but the host's????

 

[keat63]

I'll maybe look at opening a ticket when I'm back in the office on Tuesday.

 

[keat63]

I'm not convinced that CPanel staff will be able to gain access, but here goes
93654054

 

[keat63]

So I had Cpanel look into this, and it appears that it's been implemented by design.
It looks like we might have to live with this.

 

[jdpuglisi]

So I had Cpanel look into this, and it appears that it's been implemented by design.
It looks like we might have to live with this.

Not sure what value this "feature" delivers other than it makes it very difficult to find actual issues in a bloated error_log.

 

[keat63]

Agreed, in fact, I said something very similar.
The tech who dealt with my ticket has asked if this feature can be configurable in a future release.

 

[keat63]

Tech support filed a new case regarding the notification/log messages in CPANEL-33967 for the developers to consider making this something that can be disabled to prevent the log noise.

 

[jdpuglisi]

Tech support filed a new case regarding the notification/log messages in CPANEL-33967 for the developers to consider making this something that can be disabled to prevent the log noise.

Nice. I did a quick search for this case but didn't find anything quite yet. I'd like to follow it when I can find the case URL.

 

[cPanelLauren]

I checked in on this today and added some notes to the case. They are indeed there by design with the note being as follows:

These are intentionally thrown exceptions when we fail to lookup a mail user. They could be useful for diagnosing login issues.

I noted in the new case that was opened the following:

To add, for failed login attempts, both the maillog and the cpanel error log are being written to. The error noted, in this case, is what is output in the cPanel error log. This feels like it would be better suited to the maillog only but also if it's going to be output to the cPanel error logs maybe rather than a toggle for on/off - include this in a verbose or debug logging option similar to what we do for DNS syncing in Tweak Settings.

I'll update here if I get any feedback on that or if there are any updates for that case. Thanks for opening the ticket @keat63

 

[jdpuglisi]

I checked in on this today and added some notes to the case. They are indeed there by design with the note being as follows:



I noted in the new case that was opened the following:


I'll update here if I get any feedback on that or if there are any updates for that case. Thanks for opening the ticket @keat63

Thank you. In my case, I'm not sure why it's logging errors to the host's root domain name. Again, I would understand logging a hit against the HELO address which is different from my domain but that's not the case.

 

[cPanelLauren]

Thank you. In my case, I'm not sure why it's logging errors to the host's root domain name. Again, I would understand logging a hit against the HELO address which is different from my domain but that's not the case.

I'd assume that's because someone is attempting to log in to webmail on your server with that email address. Are there corresponding /var/log/maillog login attempts?

I'd use the timestamp in the error logs to correlate: 2020-08-29 08:45