mailman disabled but keep getting "Excessive resource usage: mailman" email

Crimpshrine

Active Member
Apr 1, 2015
25
3
53
Chicago, IL
cPanel Access Level
Root Administrator
Hello,

Could someone help me as to why I am keep getting "Excessive resource usage: mailman" message in the email after disabling mailman in Tweak Settings? Notification email always comes around 3:30am. I also shown as disabled in Service Manager and the service is not being monitored. Am I missing something I should be checking?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,589
2,614
363
cPanel Access Level
Root Administrator
Hey there! If you run the following command on your server do you see any mailman processes running?

Code:
ps aux | grep mailman
If not, I would check the headers of the message to be sure it is being sent from an active server, or the same server you're expecting. For example, if a server was migrated recently, the hostname could be the same but the message could be sending from a different machine, leading to confusion.
 

Crimpshrine

Active Member
Apr 1, 2015
25
3
53
Chicago, IL
cPanel Access Level
Root Administrator
Thanks for the quick reply.

When I run that code, it says:

Code:
[root@host03 ~]# ps aux |grep mailman
root 107887 0.0 0.0 12148 1108 pts/0   S+   14:51   0:00 grep --color=auto mailman
We did migrate the server recently, however, this is definitely coming from the new server. Each server has different host name and I verified it in the email notification that it was in fact coming from the new server. I also requested to destroy the old server about a week ago, and I confirmed that it was no longer accessible.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,589
2,614
363
cPanel Access Level
Root Administrator
Just to be 100% certain, did you check the IP address from the mail header and not just the hostname? I know it sounds crazy, but it's not really any crazier than getting mailman notifications after you just confirmed there are no processes running with that last command.

It's also possible there is *something* attempting to run mailman at that time. Maybe using a tool like sys-snap (https://support.cpanel.net/hc/en-us...to-install-start-and-stop-the-sys-snap-script) would let you get more details about what is happening with the machine overnight. That will log server activity during busy periods so you can review them later.
 

Crimpshrine

Active Member
Apr 1, 2015
25
3
53
Chicago, IL
cPanel Access Level
Root Administrator
I did not check the IP, but it is difinately coming from the new server. Old server was host2.XXXXXXXXXXX.com and the new server is host03.XXXXXXXXXXX.com, and it was coming from [email protected]. I also never had this issue from the old server (and we never used the mailing list). Every time when I see the email notification it says (each email notification with different date & time and PID):

Time: Mon Jan 30 03:27:09 2023 -0600
Account: mailman
Resource: Virtual Memory Size
Exceeded: 277 > 256 (MB)
Executable: /usr/lib/systemd/systemd
Command Line: (sd-pam)
PID: 4110292 (Parent PID:4110290)
Killed: No
But the process is never seen if I see Process Manager (maybe it's killed by the time I check it?).

I will try to install sys-snap as recommended and see how that goes...
 
Last edited:

Crimpshrine

Active Member
Apr 1, 2015
25
3
53
Chicago, IL
cPanel Access Level
Root Administrator
So, I run the logging, then I pulled the information around the time I was getting the excessive resource usage email (3:27AM), and this was what I was getting:

[root@host03 /]# /root/sys-snap.pl --print 3:15 3:45
user: root
cpu-score: 91.90
memory-score: 369.70
user: mailman
cpu-score: 4.00
memory-score: 0.00
user: cpanelsolr
cpu-score: 2.70
memory-score: 145.80
user: XXXXXX
cpu-score: 2.60
memory-score: 0.00
user: systuser
cpu-score: 0.00
memory-score: 5.40
user: dbus
cpu-score: 0.00
memory-score: 0.00
user: dovenull
cpu-score: 0.00
memory-score: 0.00
user: polkitd
cpu-score: 0.00
memory-score: 2.70
user: chrony
cpu-score: 0.00
memory-score: 0.00
user: mysql
cpu-score: 0.00
memory-score: 16.20
user: named
cpu-score: 0.00
memory-score: 32.40
user: cpanelconnecttrack
cpu-score: 0.00
memory-score: 0.00
user: memcached
cpu-score: 0.00
memory-score: 0.00
user: ossecr
cpu-score: 0.00
memory-score: 0.00
user: nscd
cpu-score: 0.00
memory-score: 0.00
user: sshd
cpu-score: 0.00
memory-score: 0.00
user: telegraf
cpu-score: 0.00
memory-score: 16.20
user: _imunify
cpu-score: 0.00
memory-score: 0.00
user: dovecot
cpu-score: 0.00
memory-score: 0.00
user: ossec
cpu-score: 0.00
memory-score: 0.00
user: mailnull
cpu-score: 0.00
memory-score: 0.00
user: nobody
cpu-score: 0.00
memory-score: 156.60
user: cpanelphpmyadmin
cpu-score: 0.00
memory-score: 0.00
So, apparently, mailman is there although it says the memory score is 0.00...should I just get a support from ConfigServer? Or should I be pulling different kind of information?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,589
2,614
363
cPanel Access Level
Root Administrator
Ah, that actually helps a lot. While we do remove entries from Apache when mailman is disabled in Tweak Settings (you can find more details on this here: SOLVED - Disabling mailman) we don't delete the user on the system. I suppose it's technically possible, however unlikely, that user is being used for malicious activity.

Could you run this command so I can see the UID for the user? It should be a low number, in the 200s

Code:
grep mailman /etc/passwd
 

Crimpshrine

Active Member
Apr 1, 2015
25
3
53
Chicago, IL
cPanel Access Level
Root Administrator
Once you do that, please post the ticket number here so I can follow along!
It seems like cPanel wants me to open support ticket at cPanel license provider first before opening ticket at cPanel support, so I have just opened the ticket with them. I can post the outcome after I get a feedback here though.
 

Crimpshrine

Active Member
Apr 1, 2015
25
3
53
Chicago, IL
cPanel Access Level
Root Administrator
So, the license provider said:

I took a look and there were still entries in the httpd.conf. I have cleared them, after first verifying that mailman was completely disabled in the service manager. This should completely prevent it from running again.
I'm thinking this is related to Disabling mailman, but per this thread, wasn't it solved in cPanel version 70? Our old CentOS 7 server with the latest cPanel version did not have this issue... (our current server CloudLinux 8.7.0 is running cPanel version 106.0.14)