Any help to remove a log flood of error messages from dovecot explained below appreciated.
Cockpit Log is flooded with error from dovecot with lmtp(999): Error: lmtp-server: conn unix:pid=297821,uid=126 : rcpt firstname.lastname@example.org: Failed to lookup user email@example.com: Invalid settings in userdb: userdb returned 0 as uid
Steps to Reproduce
Login to FreedomBox
Go to Cockpit application page.
Click on Logs
I don't expect to see a message flood with this error.
FreedomBox version: FreedomBox version 23.3
Hardware: Raspberry Pi 4 8GB RAM
How did you install FreedomBox?: installed on top of Debian
The problem actually had 2 layers. The first layer was the problem of clients (i.e. daemon, my user, etc.) sending reports to the root user. This was because I installed FBX on an external drive with EXT4 and had Debian installed first (with a root user). I can't say my initial problem has disappeared but I am getting less messages to cope with.
The second layer happened because my server was compromised. This is my first time setting up and running a server so for the past months I have been curious in trying things out. No-one to blame but myself.
How I discovered my server was sending out spam was not in a delicate way. In a short period of time, I was getting rejection emails or notifications that my mail was spam. A simple scan with the mxtoolbox website started listing several spam filters that were positive on my IP and domain.
In the meantime, through Cockpit I was noticing peaks in my CPU usage (with postfix taking up most of the resources). Unfortunately, after installing the email server, Cockpit stopped properly listing all my journal entries so after a quick scan on the web, I went with the following.
Check the server for queued mail with mailq.
This will usually list a lot of spam mails that are in line to be sent.
Scan the system log for postfix entries for spam mail that has already been sent with journalctl -u postfix@-.service
Once you do this, locate the spam mail message and take note of its message_id. It'll be an alpha-numeric value like A705238B4C.
Use postcat -qv message_id command to see the header of the spam message. In the header, you will get the details of the message (i.e. where it was sent from - where it will be sent to etc.). This was where I caught the sending URI.
Empty the mail queue with postsuper -d ALL and concentrate on removing the culprit you discovered in the message headers.
In the end, although I removed the malicious script, I couldn't trust my installation and did a clean install on my server.
Along with a clean install, I also took some extra precautions. Just sharing them below for reference if anyone else wants to do something similar.
My server is connected to a home router. On my router, I closed port 22 and blocked/dropped all ping requests.
I changed my root user's shell (root:x:0:0:root:/root:/sbin/nologin)
I created much stronger passwords both for my user and root.
For now, everything is in order. I am removing myself from blacklists one by one and trying to recover my domain / IP reputation. Hope this helps anyone who reads it.
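The queue triage from the steps above, as an added example that is not part of the original post: it parses a constructed mailq listing with plain sh and awk and ranks queued mail by sender, so the abused account stands out and its queue IDs can be reviewed with postcat one by one instead of dropping the whole queue. The function names and sample data are my own.

```shell
#!/bin/sh
# Added example (not from the original post): triage a Postfix queue over a
# constructed `mailq` (postqueue -p) listing so it runs offline.
# Addresses and queue IDs below are made up.
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A705238B4C     3127 Tue Mar 14 10:02:11  www-data@example.org
                                         victim1@example.net
                                         victim2@example.com

B81C3D9F22*    2890 Tue Mar 14 10:02:15  www-data@example.org
                                         victim3@example.org

C2E4F1A0D3!    1544 Tue Mar 14 10:05:40  alice@example.org
                                         bob@example.net

D9A7B3C8E1     2990 Tue Mar 14 10:06:02  www-data@example.org
                                         victim4@example.net
                                         victim5@example.net
                                         victim6@example.net

-- 11 Kbytes in 4 Requests.'

# Parse a mailq listing from stdin. An entry starts with a hex queue ID, optionally
# suffixed "*" (active) or "!" (held); the last field of that line is the sender and
# the indented lines after it are recipients. Emits: queue_id sender rcpt_count
parse_mailq() {
  awk '
    function flush() { if (id != "") { print id, sender, rcpts; id = "" } }
    $1 ~ /^[0-9A-F]+[*!]?$/ { flush(); id = $1; sub(/[*!]$/, "", id); sender = $NF; rcpts = 0; next }
    id != "" && $1 ~ /@/    { rcpts++ }
    END { flush() }
  '
}

# Queued messages per sender, busiest first ("<count> <sender>"). One local account
# dominating this list is the usual sign of an abused web app or stolen credentials.
senders_by_volume() {
  parse_mailq | awk '{ n[$2]++ } END { for (s in n) print n[s], s }' | sort -rn -k1,1
}

# Queue IDs from one sender, to inspect each with `postcat -q <ID>` and then remove
# only those with `postsuper -d <ID>` rather than flushing the whole queue.
queue_ids_for_sender() {
  parse_mailq | awk -v s="$1" '$2 == s { print $1 }'
}

printf '%s\n' "$SAMPLE_MAILQ" | senders_by_volume
```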