In Progress [CPANEL-33967] dovecot warnings, - lookup mail user

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
Guys

Could anyone help me understand these warnings please.

Code:
/usr/local/cpanel/logs/error_log:
[2020-08-26 04:43:53 +0100] warn [cpsrvd] lookup_mail_user() failed: You do not have a user named â[email protected]â. at /usr/local/cpanel/Cpanel/Server.pm line 2251, <GEN7> line 2.
        Cpanel::Server::__ANON__(__CPANEL_HIDDEN__...) called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 197
        Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x20841b0), "shared", "dovecot_userdb", "faye.melia\@domain1.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
        Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x20841b0), "Lshared/dovecot_userdb/faye.melia\@domain1.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
        eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
        Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x20841b0)) called at /usr/local/cpanel/Cpanel/Server.pm line 2258
        Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x1df77f8)) called at cpsrvd.pl line 1778
        cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1090
        cpanel::cpsrvd::script() called at cpsrvd.pl line 431
Initially, I assumed that this was something to do with maybe a stray database entry gone wrong, as we used to have a mail user named [email protected]
However, we've never had a user called [email protected], so rather than this being a dovecot error, i'm now thinking that it might be a potentail security issue.

Code:
/usr/local/cpanel/logs/error_log:
[2020-08-25 20:30:59 +0100] warn [cpsrvd] lookup_mail_user() failed: You do not have a user named â[email protected]â. at /usr/local/cpanel/Cpanel/Server.pm line 2251, <GEN3> line 2.
        Cpanel::Server::__ANON__(__CPANEL_HIDDEN__...) called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 197
        Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x2145280), "shared", "dovecot_userdb", "solyomchabachira\@domain2.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
        Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x2145280), "Lshared/dovecot_userdb/solyomchabachira\@domain2.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
        eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
        Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x2145280)) called at /usr/local/cpanel/Cpanel/Server.pm line 2258
        Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x1eb8788)) called at cpsrvd.pl line 1778
        cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1090
        cpanel::cpsrvd::script() called at cpsrvd.pl line 431
Since posting, I found this in exim mainlog

Code:
2020-08-25 20:30:59 H=s526.hubucoapp.com [185.196.54.14]:49469 F=<[email protected]> rejected RCPT <[email protected]>: No such 
person at this address."

So I'm now guessing that the initial warnings are maybe not so much of a threat, however, what's triggering these.
I don't recall seeing these in the past.
I updated to v90.0.5 on Monday evening, could it be related to this ???
 
Last edited:

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
Hi Paul.

Since when did these start for you ?
I don't recall seeing any of these prior to Tuesday, where I updated on Monday evening.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,301
363
Houston
Hi @keat63

Can you show me the output of the following:

Code:
grep "solyomchabachira" /var/log/maillog |tail

I believe these mail be the result of failed login attempts which occur frequently on servers for non-existent as well as existing accounts.
 

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
The grep line doesn't reveal anything.

I'm guessing that these are related to spammers trying to send to a non existant address.

<[email protected]>: No such person at this address."


However, I don't recall seeing errors like the one below, prior to Monday evening where I updated to V90.
I'm finding lots of these in my hourly email report.

Code:
/usr/local/cpanel/logs/error_log:
[2020-08-25 20:30:59 +0100] warn [cpsrvd] lookup_mail_user() failed: You do not have a user named â[email protected]â. at /usr/local/cpanel/Cpanel/Server.pm line 2251, <GEN3> line 2.
Cpanel::Server::__ANON__(__CPANEL_HIDDEN__...) called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 197
Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x2145280), "shared", "dovecot_userdb", "solyomchabachira\@domain2.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x2145280), "Lshared/dovecot_userdb/solyomchabachira\@domain2.co.uk") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x2145280)) called at /usr/local/cpanel/Cpanel/Server.pm line 2258
Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x1eb8788)) called at cpsrvd.pl line 1778
cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1090
cpanel::cpsrvd::script() called at cpsrvd.pl line 431
is it possible to suppress these from my hourly report ?
 
Last edited:

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,301
363
Houston
The only other report I have of this is a result of failed login attempts. The one thing that is concerning though is the error being output in the cPanel error logs. I would suggest that if you are experiencing this issue that you open a ticket so that our analysts can investigate this further.
 

jdpuglisi

Active Member
Apr 24, 2020
41
9
8
NYC USA
cPanel Access Level
Root Administrator
Here's the odd warning from my cPanel error_log
Code:
[2020-08-29 08:45:56 -0400] warn [cpsrvd] lookup_mail_user() failed: This system does not have a domain named “inmotionhosting.com”. at /usr/local/cpanel/Cpanel/Server.pm line 2251, <GEN11903> line 2.
    Cpanel::Server::__ANON__(__CPANEL_HIDDEN__...) called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 197
    Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x26fbc08), "shared", "dovecot_userdb", "willem\@inmotionhosting.com") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
    Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x26fbc08), "Lshared/dovecot_userdb/willem\@inmotionhosting.com") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
    eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
    Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x26fbc08)) called at /usr/local/cpanel/Cpanel/Server.pm line 2258
    Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x26e0af8)) called at cpsrvd.pl line 1778
    cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1090
    cpanel::cpsrvd::script() called at cpsrvd.pl line 431
That's my VPS host. I'd understand the warning if it was my domain's email address but the host's????
 

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
So I had Cpanel look into this, and it appears that it's been implemented by design.
It looks like we might have to live with this.
 

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
Agreed, in fact, I said something very similar.
The tech who dealt with my ticket has asked if this feature can be configurable in a future release.
 
  • Like
Reactions: jdpuglisi

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
Tech support filed a new case regarding the notification/log messages in CPANEL-33967 for the developers to consider making this something that can be disabled to prevent the log noise.
 
  • Like
Reactions: jdpuglisi

jdpuglisi

Active Member
Apr 24, 2020
41
9
8
NYC USA
cPanel Access Level
Root Administrator
Tech support filed a new case regarding the notification/log messages in CPANEL-33967 for the developers to consider making this something that can be disabled to prevent the log noise.
Nice. I did a quick search for this case but didn't find anything quite yet. I'd like to follow it when I can find the case URL.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,301
363
Houston
I checked in on this today and added some notes to the case. They are indeed there by design with the note being as follows:

These are intentionally thrown exceptions when we fail to lookup a mail user. They could be useful for diagnosing login issues.
I noted in the new case that was opened the following:
To add, for failed login attempts, both the maillog and the cpanel error log are being written to. The error noted, in this case, is what is output in the cPanel error log. This feels like it would be better suited to the maillog only but also if it's going to be output to the cPanel error logs maybe rather than a toggle for on/off - include this in a verbose or debug logging option similar to what we do for DNS syncing in Tweak Settings.
I'll update here if I get any feedback on that or if there are any updates for that case. Thanks for opening the ticket @keat63
 

jdpuglisi

Active Member
Apr 24, 2020
41
9
8
NYC USA
cPanel Access Level
Root Administrator
I checked in on this today and added some notes to the case. They are indeed there by design with the note being as follows:



I noted in the new case that was opened the following:


I'll update here if I get any feedback on that or if there are any updates for that case. Thanks for opening the ticket @keat63
Thank you. In my case, I'm not sure why it's logging errors to the host's root domain name. Again, I would understand logging a hit against the HELO address which is different from my domain but that's not the case.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,301
363
Houston
Thank you. In my case, I'm not sure why it's logging errors to the host's root domain name. Again, I would understand logging a hit against the HELO address which is different from my domain but that's not the case.
I'd assume that's because someone is attempting to log in to webmail on your server with that email address. Are there corresponding /var/log/maillog login attempts?

I'd use the timestamp in the error logs to correlate: 2020-08-29 08:45