[SOLVED] Dovecot Root User Error Log Flood

Hi @timmy

Sorry for the late response on this.

The problem actually had 2 layers. The first layer was the problem of clients (i.e. daemon, my user, etc.) sending reports to the root user. This was because I installed FBX on an external drive with EXT4 and had Debian installed first (with a root user). I can't say my initial problem has disappeared, but I am getting fewer messages to cope with.

The second layer happened because my server was compromised. This is my first time setting up and running a server, so for the past months I have been curious in trying things out. No one to blame but myself.

How I discovered my server was sending out spam was not in a delicate way. In a short period of time, I was getting rejection emails or notifications that my mail was spam. A simple scan with the mxtoolbox website started listing several spam filters that were positive on my IP and domain.

In the meantime, through Cockpit I was noticing peaks in my CPU usage (with postfix taking up most of the resources). Unfortunately, after installing the email server, Cockpit stopped properly listing all my journal entries, so after a quick scan on the web, I went with the following.

  1. Check the server for queued mail with mailq.
    This will usually list a lot of spam mails that are in line to be sent.
    or
    Scan the system log for postfix entries for spam mail that has already been sent with journalctl -u postfix@-.service

Once you do this, locate the spam mail message and take note of its message_id. It’ll be an alpha-numeric value like A705238B4C.

  2. Use the postcat -qv message_id command to see the header of the spam message. In the header, you will get the details of the message (i.e. where it was sent from, where it will be sent to, etc.). This was where I caught the sending URI.

  3. Empty the mail queue with postsuper -d ALL and concentrate on removing the culprit you discovered in the message headers.

In the end, although I removed the malicious script, I couldn’t trust my installation and did a clean install on my server.

Along with a clean install, I also took some extra precautions. Just sharing them below for reference if anyone else wants to do something similar.

  1. My server is connected to a home router. On my router, I closed port 22 and blocked/dropped all ping requests.
  2. I changed my root user's shell (root:x:0:0:root:/root:/sbin/nologin)
  3. I created much stronger passwords both for my user and root.

For now, everything is in order. I am removing myself from blacklists one by one and trying to recover my domain / IP reputation. Hope this helps anyone who reads it.

Good luck.

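The queue triage described in the post above can be scripted; the following is an added example, not part of the original post. It tallies mailq output by envelope sender and lists one sender's queue IDs so they can be inspected with postcat -qv before the queue is emptied. The function names and the sample queue listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of mailq output (addresses and most IDs are made up).
sample_mailq() {
cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A705238B4C     1820 Tue Mar  4 02:11:09  www-data@example.test
                                         r1@example.net

B81C2D90E1*    1822 Tue Mar  4 02:11:10  www-data@example.test
                                         r2@example.org

C0FFEE1234     1819 Tue Mar  4 02:11:12  www-data@example.test
(connect to mx.example.com[203.0.113.5]:25: Connection timed out)
                                         r3@example.com

D4E5F60718      912 Tue Mar  4 08:30:41  alice@example.test
                                         bob@example.net

-- 7 Kbytes in 4 Requests.
EOF
}

# Matches only the first line of each queue entry: queue ID (optionally
# flagged with * for active or ! for hold), then the message size.
ENTRY='^[0-9A-Za-z]+[*!]?[ \t]+[0-9]+[ \t]'

# Count queued messages per envelope sender, busiest sender first.
queue_senders() {
    awk -v re="$ENTRY" '$0 ~ re { n[$7]++ }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Print the queue IDs of one sender with the status flag stripped,
# ready to pass to postcat -qv <id>.
queue_ids_for() {
    awk -v re="$ENTRY" -v who="$1" '$0 ~ re && $7 == who {
        id = $1; sub(/[*!]$/, "", id); print id }'
}

# Demo on the constructed sample; on a live server pipe mailq in instead.
top=$(sample_mailq | queue_senders | head -n 1)
echo "busiest sender: $top"
sample_mailq | queue_ids_for "${top#* }"
```

On a real server, replace sample_mailq with mailq in the pipelines. A single local account holding most of the queue points at where the mail is being injected.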