mailman disabled but keep getting "Excessive resource usage: mailman" email

[Crimpshrine]

Hello,

Could someone help me as to why I am keep getting "Excessive resource usage: mailman" message in the email after disabling mailman in Tweak Settings? Notification email always comes around 3:30am. I also shown as disabled in Service Manager and the service is not being monitored. Am I missing something I should be checking?

 

[cPRex]

Hey there! If you run the following command on your server do you see any mailman processes running?

ps aux | grep mailman

If not, I would check the headers of the message to be sure it is being sent from an active server, or the same server you're expecting. For example, if a server was migrated recently, the hostname could be the same but the message could be sending from a different machine, leading to confusion.

 

[Crimpshrine]

Thanks for the quick reply.

When I run that code, it says:

[root@host03 ~]# ps aux |grep mailman
root 107887 0.0 0.0 12148 1108 pts/0   S+   14:51   0:00 grep --color=auto mailman

We did migrate the server recently, however, this is definitely coming from the new server. Each server has different host name and I verified it in the email notification that it was in fact coming from the new server. I also requested to destroy the old server about a week ago, and I confirmed that it was no longer accessible.

 

[cPRex]

Just to be 100% certain, did you check the IP address from the mail header and not just the hostname? I know it sounds crazy, but it's not really any crazier than getting mailman notifications after you just confirmed there are no processes running with that last command.

It's also possible there is *something* attempting to run mailman at that time. Maybe using a tool like sys-snap (https://support.cpanel.net/hc/en-us...to-install-start-and-stop-the-sys-snap-script) would let you get more details about what is happening with the machine overnight. That will log server activity during busy periods so you can review them later.

 

[Crimpshrine]

I did not check the IP, but it is difinately coming from the new server. Old server was host2.XXXXXXXXXXX.com and the new server is host03.XXXXXXXXXXX.com, and it was coming from [email protected]. I also never had this issue from the old server (and we never used the mailing list). Every time when I see the email notification it says (each email notification with different date & time and PID):

Time: Mon Jan 30 03:27:09 2023 -0600
Account: mailman
Resource: Virtual Memory Size
Exceeded: 277 > 256 (MB)
Executable: /usr/lib/systemd/systemd
Command Line: (sd-pam)
PID: 4110292 (Parent PID:4110290)
Killed: No

But the process is never seen if I see Process Manager (maybe it's killed by the time I check it?).

I will try to install sys-snap as recommended and see how that goes...

 

[cPRex]

It's also worth noting that these notifications come from CSF/LFD, and not cPanel, so maybe there is an issue there.

 

[Crimpshrine]

What are the types of possible issues it may have? Are they issues that are unrelated to mailman, but triggering this message? Sorry I'm a beginner...

 

[cPRex]

I'm honestly not sure, since we don't create that product on our end. CSF is a separate entity, so if you don't find anything from monitoring the server with sys-snap, it might be worth reaching out to them:

Support – ConfigServer Services

www.configserver.com

 

[Crimpshrine]

Okay, thanks. I will try running sys-snap tonight first and see what the log says overnight.

 

[cPRex]

Let us know what you see!

 

[Crimpshrine]

So, I run the logging, then I pulled the information around the time I was getting the excessive resource usage email (3:27AM), and this was what I was getting:

[root@host03 /]# /root/sys-snap.pl --print 3:15 3:45
user: root
cpu-score: 91.90
memory-score: 369.70
user: mailman
cpu-score: 4.00
memory-score: 0.00
user: cpanelsolr
cpu-score: 2.70
memory-score: 145.80
user: XXXXXX
cpu-score: 2.60
memory-score: 0.00
user: systuser
cpu-score: 0.00
memory-score: 5.40
user: dbus
cpu-score: 0.00
memory-score: 0.00
user: dovenull
cpu-score: 0.00
memory-score: 0.00
user: polkitd
cpu-score: 0.00
memory-score: 2.70
user: chrony
cpu-score: 0.00
memory-score: 0.00
user: mysql
cpu-score: 0.00
memory-score: 16.20
user: named
cpu-score: 0.00
memory-score: 32.40
user: cpanelconnecttrack
cpu-score: 0.00
memory-score: 0.00
user: memcached
cpu-score: 0.00
memory-score: 0.00
user: ossecr
cpu-score: 0.00
memory-score: 0.00
user: nscd
cpu-score: 0.00
memory-score: 0.00
user: sshd
cpu-score: 0.00
memory-score: 0.00
user: telegraf
cpu-score: 0.00
memory-score: 16.20
user: _imunify
cpu-score: 0.00
memory-score: 0.00
user: dovecot
cpu-score: 0.00
memory-score: 0.00
user: ossec
cpu-score: 0.00
memory-score: 0.00
user: mailnull
cpu-score: 0.00
memory-score: 0.00
user: nobody
cpu-score: 0.00
memory-score: 156.60
user: cpanelphpmyadmin
cpu-score: 0.00
memory-score: 0.00

So, apparently, mailman is there although it says the memory score is 0.00...should I just get a support from ConfigServer? Or should I be pulling different kind of information?

 

[cPRex]

Ah, that actually helps a lot. While we do remove entries from Apache when mailman is disabled in Tweak Settings (you can find more details on this here: SOLVED - Disabling mailman) we don't delete the user on the system. I suppose it's technically possible, however unlikely, that user is being used for malicious activity.

Could you run this command so I can see the UID for the user? It should be a low number, in the 200s

grep mailman /etc/passwd

 

[Crimpshrine]

For some reasons, this is not allowing me to post a reply with the information I obtained...it tells me to try again later there may be some more details in browser console...

 

[Crimpshrine]

Okay, so I guess the forum does not like the "passwd" in the texts.

After running the command I received below response:

mailman:x:994:991:GNU Mailing List Manager:/usr/local/cpanel/3rdparty/mailman:/usr/local/cpanel/bin/noshell

 

[cPRex]

That was just Cloudflare being overprotective. We're fixing that when we do the next Forums update.

I think it would be best to create a ticket so we can confirm there are no security issues on the machine.

 

[Crimpshrine]

That was just Cloudflare being overprotective. We're fixing that when we do the next Forums update.

I think it would be best to create a ticket so we can confirm there are no security issues on the machine.

Okay, thanks. Will do.

 

[cPRex]

Once you do that, please post the ticket number here so I can follow along!

 

[Crimpshrine]

Once you do that, please post the ticket number here so I can follow along!

It seems like cPanel wants me to open support ticket at cPanel license provider first before opening ticket at cPanel support, so I have just opened the ticket with them. I can post the outcome after I get a feedback here though.

 

[cPRex]

That sounds good! It's usually best to go with the license provider first, although anyone with root access to their server is welcome to contact us.

 

[Crimpshrine]

So, the license provider said:

I took a look and there were still entries in the httpd.conf. I have cleared them, after first verifying that mailman was completely disabled in the service manager. This should completely prevent it from running again.

I'm thinking this is related to Disabling mailman, but per this thread, wasn't it solved in cPanel version 70? Our old CentOS 7 server with the latest cPanel version did not have this issue... (our current server CloudLinux 8.7.0 is running cPanel version 106.0.14)