The Community Forums

Interact with an entire community of cPanel & WHM users!

Email sending as root - possible solutions.

Discussion in 'E-mail Discussions' started by crystalfat, Mar 5, 2015.

  1. crystalfat

    crystalfat Member

    Hi there,

    I wonder if anyone could point me in the right direction; yes, I have read the prevent abuse doc, but I fear a compromise may already have taken place.

    Here is what I have so far:

    On the mail delivery reports there are two emails trying to send from the root user every 8 mins.
    At first I thought because it was getting deferred it was just retrying, but it seems as though it gets rejected first and then deferred. There is no sign of it in the mail Queue manager.

    Any advice is appreciated.
    Please find the log below:

    Code:
    Event: defer warning
    Sender User: root
    Sender Domain:
    Sender: root@vps.mydomian.com
    Sent Time: Mar 5, 2015 8:42:08 AM
    Sender Host: localhost
    Sender IP: 127.0.0.1
    Authentication: localuser
    Spam Score: 0
    Recipient: root@vps.mydomian.com
    Delivered To:
    deliveryuser:
    deliverydomain:
    Router: lookuphost
    Transport: remote_smtp
    Out Time: Mar 5, 2015 8:42:08 AM
    ID: 1YTRMI-00056c-2i
    Delivery Host:
    Delivery IP:
    Size: 802 bytes
    Result: remote host address is the local host 
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. crystalfat

    crystalfat Member

    Thank you for the response.
    I am not well versed enough to search for a string in what I assume will be a huge file?
    I did try to locate the message details using the ID; however, the message had been deleted. When the message is sent it is deferred for a retry, and then when retried it is deleted. It doesn't seem to log.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  5. crystalfat

    crystalfat Member

    This is what I got from the mainlog. It

    Code:
    2015-03-05 18:37:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1YTaeT-0000Ho-O2

    2015-03-05 18:37:42 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1YTaeT-0000Ho-O2

    2015-03-05 18:37:42 1YTaeT-0000Ho-O2 <= root@Vps.mydomain.com U=root P=local S=777 T="lfd on Vps.mydomain.com: SSH login alert for user root from 82.17.147.242 (GB/United" for root
    2015-03-05 18:37:42 1YTaeT-0000Ho-O2 remote host address is the local host: vps.mydomain.com
    2015-03-05 18:37:42 1YTaeT-0000Ho-O2 == root@vps.mydomain.com R=lookuphost defer (-1): remote host address is the local host
    2015-03-05 18:37:42 1YTaeT-0000Ho-O2 ** root@Vps.mydomain.com: retry timeout exceeded
    2015-03-05 18:37:42 1YTaeT-0000Ho-O2 Completed

    2015-03-05 18:37:42 1YTaeU-0000I7-DI <= <> R=1YTaeT-0000Ho-O2 U=mailnull P=local S=1730 T="Mail delivery failed: returning message to sender" for root@Vps.mydomain.com
    2015-03-05 18:37:42 1YTaeU-0000I7-DI remote host address is the local host: vps.mydomain.com
    2015-03-05 18:37:42 1YTaeU-0000I7-DI == root@vps.internationalworkpermits.com R=dkim_lookuphost defer (-1): remote host address is the local host
    2015-03-05 18:37:42 1YTaeU-0000I7-DI ** root@Vps.mydomain.com: retry timeout exceeded
    2015-03-05 18:37:42 1YTaeU-0000I7-DI root@Vps.mydomain.com: error ignored
    2015-03-05 18:37:42 1YTaeU-0000I7-DI Completed
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    It looks like this message stems from your LFD application. Is a valid email address configured as the "root" contact address in "WHM Home » Server Contacts » Edit System Mail Preferences"?

    Thank you.
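
Tracing a message through the mainlog, as done by hand in the posts above (an added example, not part of the original thread): it groups exim log lines by message ID, reads the submitting user (`U=`) and subject (`T=`) from the arrival line, and links a bounce back to the message that caused it through `R=` on the `<= <>` line. The sample log is constructed after the lines quoted above; the host name and message IDs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the mainlog excerpt in the thread
# (vps.example.com and both message IDs are placeholders).
SAMPLE_LOG = """\
2015-03-05 18:37:42 1AAAAA-000001-AA <= root@vps.example.com U=root P=local S=777 T="lfd on vps.example.com: SSH login alert for user root" for root
2015-03-05 18:37:42 1AAAAA-000001-AA == root@vps.example.com R=lookuphost defer (-1): remote host address is the local host
2015-03-05 18:37:42 1AAAAA-000001-AA ** root@vps.example.com: retry timeout exceeded
2015-03-05 18:37:42 1AAAAA-000001-AA Completed
2015-03-05 18:37:42 1AAAAB-000002-BB <= <> R=1AAAAA-000001-AA U=mailnull P=local S=1730 T="Mail delivery failed: returning message to sender" for root@vps.example.com
2015-03-05 18:37:42 1AAAAB-000002-BB == root@vps.example.com R=dkim_lookuphost defer (-1): remote host address is the local host
2015-03-05 18:37:42 1AAAAB-000002-BB Completed
"""

# date, time, message ID, then an event flag: <= arrival, == deferred, ** failed
LINE = re.compile(
    r"^\S+ \S+ (?P<id>[0-9A-Za-z]+(?:-[0-9A-Za-z]+){2}) "
    r"(?P<flag><=|==|\*\*) (?P<rest>.*)$")

def trace(log_text):
    """Group log lines by message ID and summarise each message."""
    msgs = defaultdict(lambda: {"user": None, "subject": None,
                                "bounce_of": None, "problems": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "Completed", cwd=/args lines and other unflagged lines
        msg, rest = msgs[m["id"]], m["rest"]
        if m["flag"] == "<=":
            user = re.search(r"\bU=(\S+)", rest)
            subj = re.search(r'\bT="([^"]*)"', rest)
            parent = re.search(r"^<> R=(\S+)", rest)  # bounce names its cause
            msg.update(user=user and user[1], subject=subj and subj[1],
                       bounce_of=parent and parent[1])
        else:
            msg["problems"].append(rest)
    return dict(msgs)

def local_root_mail(log_text):
    """Return (id, subject, problems, bounce ids) for mail submitted by root."""
    msgs = trace(log_text)
    return [(mid, m["subject"], m["problems"],
             [b for b, bm in msgs.items() if bm["bounce_of"] == mid])
            for mid, m in msgs.items() if m["user"] == "root"]

if __name__ == "__main__":
    for row in local_root_mail(SAMPLE_LOG):
        print(row)
```

The subject on the arrival line is what identifies the sender here as an lfd alert rather than unknown activity under the root account.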
     
  7. crystalfat

    crystalfat Member

    Having checked, I can see there are no forwards set up for root, nobody or cpanel. I shall correct this now.

    Thanks for your help.

    best
    chris
     