[SOLVED] Dovecot Root User Error Log Flood

Any help to remove a log flood of error messages from dovecot explained below appreciated.

Problem Description
Cockpit Log is flooded with errors from dovecot: lmtp(999): Error: lmtp-server: conn unix:pid=297821,uid=126 [2]: rcpt root@domain.com: Failed to lookup user root@domain.com: Invalid settings in userdb: userdb returned 0 as uid

Steps to Reproduce

  1. Login to FreedomBox
  2. Go to Cockpit application page.
  3. Click on Logs

Expected Results
I don't expect to see a message flood with this error.

Information

  • FreedomBox version: FreedomBox version 23.3
  • Hardware: Raspberry Pi4 8GB RAM
  • How did you install FreedomBox?: installed on top of Debian

Thanks for anyone taking the time.

This issue had nothing to do with FBX.
I (stupidly) set up a website with source code from outside the Debian repos.
Apparently, a php script was allowing my site to relay spam mail.

Removed site (could disable php email if you wish - didn't go that way) - case closed.

oof. Good catch. How’d you find the issue?

I’m sure others who might find this post would be grateful for a hint on where to look.

Hi @timmy

Sorry for the late response on this.

The problem actually had 2 layers. The first layer was the problem of clients (i.e. daemons, my user, etc.) sending reports to the root user. This was because I installed FBX on an external drive with EXT4 and had Debian installed first (with a root user). I can't say my initial problem has disappeared, but I am getting fewer messages to cope with.

The second layer happened because my server was compromised. This is my first time setting up and running a server, so for the past months I have been curious in trying things out. No-one to blame but myself.

How I discovered my server was sending out spam was not in a delicate way. In a short period of time, I was getting rejection emails or notifications that my mail was spam. A simple scan with the mxtoolbox website started listing several spam filters that were positive on my IP and domain.

In the meantime, through Cockpit I was noticing peaks in my CPU usage (with postfix taking up most of the resources). Unfortunately, after installing the email server, Cockpit stopped properly listing all my journal entries, so after a quick scan on the web, I went with the following.

  1. Check the server for queued mail with mailq.
     This will usually list a lot of spam mails that are in line to be sent.
     Or, scan the system log for postfix entries for spam mail that has already been sent with journalctl -u postfix@-.service

Once you do this, locate the spam mail message and take note of its message_id. It’ll be an alphanumeric value like A705238B4C.

  2. Use the postcat -qv message_id command to see the header of the spam message. In the header, you will get the details of the message (i.e. where it was sent from, where it will be sent to, etc.). This was where I caught the sending URI.

  3. Empty the mail queue with postsuper -d ALL and concentrate on removing the culprit you discovered in the message headers.

In the end, although I removed the malicious script, I couldn’t trust my installation and did a clean install on my server.

Along with a clean install, I also took some extra precautions. Just sharing them below for reference if anyone else wants to do something similar.

  1. My server is connected to a home router. On my router, I closed port 22 and blocked/dropped all ping requests.
  2. I changed my root user's shell (root:x:0:0:root:/root:/sbin/nologin)
  3. I created much stronger passwords both for my user and root.

For now, everything is in order. I am removing myself from blacklists one by one and trying to recover my domain / IP reputation. Hope this helps anyone who reads it.

Good luck.

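As an added example (not code from the thread above), a small shell helper for the "find the message_id" step of the procedure: it parses the queue display that mailq prints, pulls out queue IDs and senders, and ranks senders by how many messages they have queued, so a single local account (for instance the web server user a relaying script runs as) stands out. The mailq listing, the addresses and the queue IDs below are constructed sample data, not real output.

```shell
#!/bin/sh
# Constructed sample of `mailq` output (made up for this example).
# On a live server you would feed in the real listing: mailq
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A705238B4C     1234 Tue Mar 14 10:00:01  www-data@domain.com
                                         victim1@example.net

B8161A7F21*    2048 Tue Mar 14 10:00:03  www-data@domain.com
                                         victim2@example.org

C91F0D2E77      900 Tue Mar 14 10:02:10  myuser@domain.com
                                         friend@example.com

-- 4 Kbytes in 3 Requests.'

# Print "queue_id sender" for every message in the listing.
# Queue ID lines start with a hex ID, optionally suffixed by
# "*" (active) or "!" (on hold); recipient lines are indented.
queue_ids() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9A-F]+[*!]?$/ {
    id = $1; sub(/[*!]$/, "", id); print id, $NF }'
}

# Count queued messages per sender, most frequent first.
senders_by_count() {
  queue_ids "$1" | awk '{ c[$2]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# Queue IDs belonging to one sender, ready to hand to postcat -qv.
ids_for_sender() {
  queue_ids "$1" | awk -v s="$2" '$2 == s { print $1 }'
}

echo "Queued messages per sender:"
senders_by_count "$SAMPLE_MAILQ"

# On a real system, inspect the headers of each suspicious message:
#   for id in $(ids_for_sender "$(mailq)" www-data@domain.com); do
#     postcat -qv "$id" | head -n 40
#   done
# Before clearing the queue with postsuper -d ALL, `postsuper -h ALL`
# puts everything on hold so the evidence survives while you investigate.
```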

Awesome. I’m sure this will help.