suddenly 'User unknown'?

Eric Luyten Eric.Luyten at vub.ac.be
Fri Nov 30 09:30:21 EST 2018


On 30/11/2018 15:16, Patrick Boutilier wrote:
> On 11/30/18 10:00 AM, Charles Bradshaw via Info-cyrus wrote:
>> Javier
>>
>> On 30/11/2018 11:49, Javier Angulo wrote:
>>> On 11/29/18 8:00 PM, Charles Bradshaw via Info-cyrus wrote:
>>>> Now you tell me is cyrus syslog being sent to /var/log/maillog? Or
>>>> should it be going to /var/imapd.log as the configuration files, man
>>>> pages and cyrus installation guides ( found here:
>>>> https://www.cyrusimap.org/imap/installing.html ) say it should?
>>> I believe there is no "syslog_facility:" option in cyrus 2.4 (at least I
>>> was unable to find it). You can configure it in cyrus3 and maybe in
>>> cyrus 2.5.
>> I removed syslog_facility from imapd.conf
>>> So in /etc/imapd.conf I would remove the syslog_facility line and set:
>>> syslog_prefix: cyrus
>> Has no effect: present or not, or changed to test.
>>> And in /etc/rsyslog.conf:
>>> mail.*       -/var/log/maillog
>> Has always been in my rsyslog.conf
>>>
>>> Restart rsyslog and check logs for cyrus/something ...
>>
>> # /etc/init.d/rsyslog restart
>>
>> # service sendmail restart
>>
>> Now when I connect (from another host) using Thunderbird Mail I see in
>> /etc/maillog:
>>
>> Nov 30 13:01:02 dell2600-1 sendmail[9865]: NOQUEUE: stopping daemon,
>> reason=signal
>> Nov 30 13:01:02 dell2600-1 sendmail[9950]: starting daemon (8.14.4):
>> SMTP+queueing at 01:00:00
>> Nov 30 13:01:02 dell2600-1 sendmail[9950]: STARTTLS: CRLFile missing
>> Nov 30 13:01:03 dell2600-1 sendmail[9950]: STARTTLS=server,
>> Diffie-Hellman init, key=1024 bit (1)
>> Nov 30 13:01:03 dell2600-1 sendmail[9950]: STARTTLS=server, init=1
>> Nov 30 13:01:03 dell2600-1 sendmail[9950]: started as:
>> /usr/sbin/sendmail -bd -q1h
>> Nov 30 13:01:03 dell2600-1 sm-msp-queue[9960]: starting daemon (8.14.4):
>> queueing at 01:00:00
>> Nov 30 13:01:26 dell2600-1 cyrus/imaps[8645]: USAGE
>> brad at bradcan.homelinux.com user: 0.141978 sys: 0.087986
>> Nov 30 13:05:59 dell2600-1 cyrus/imaps[8743]: starttls: TLSv1.2 with
>> cipher AES128-SHA (128/128 bits new) no authentication
>> Nov 30 13:05:59 dell2600-1 cyrus/imaps[8743]: login: [192.168.0.6]
>> brad at bradcan.homelinux.com CRAM-MD5+TLS User logged in
>> SESSIONID=<cyrus-8743-1543583158-1>
>> Nov 30 13:05:59 dell2600-1 cyrus/imaps[8743]: client id: "name"
>> "Thunderbird" "version" "60.2.1"
>>
>> Hum.. cyrus/imaps sends logging to /etc/maillog
>>
>> I think it is absolutely clear:
>>
>> 1 - where cyrus syslog goes to is a red herring. It goes to, and has
>> always gone to /var/maillog. It is simply that the prefix 'cyrus' only
>> appears for cyrus imap transactions and other sendmail is labeled
>> 'sendmail'
>>
>> 2 - imapd is working fine: allows brad.bradcan.homelinux.com to connect
>> an email client. Also to move email from one mailbox to another. The
>> proof is that since enabling telemetry logging
>> /var/lib/imap/log/brad at bradcan.homelinux.com/ reflects imap transactions.
>>
>> 3 - A problem remains with LMTP, as is clearly evident from 'User
>> unknown' appearing in maillog.
>>
>> My original question remains: How do I diagnose this when a test email
>> is sent to brad at bradcan.homelinux.com :
>>
>> Nov 30 12:59:48 dell2600-1 sendmail[9882]: wAUCxmBS009882:
>> to=brad at bradcan.homelinux.com, delay=00:00:00, xdelay=00:00:00,
>> mailer=cyrusv2, pri=32701, relay=localhost [[UNIX:
>> /var/lib/imap/socket/lmtp]], dsn=5.1.1, stat=User unknown
>
>
> I think why people are concentrating on the logging is that there
> should be lmtp entries in your logs to indicate what the issue is. Are
> there any lmtp entries in either /etc/maillog or /var/log/maillog?
>
>
> Another option is to limit lmtpd to one process and strace it.
>
>

On our site we are not using Sendmail nor its cyrusv2 mailer but Postfix
and an lmtp channel to the Cyrus service on a different server.

This lmtp connection requires authentication using a specific "system"
account, not the end user credentials.


Mr Bradshaw, did someone at your site nuke that account or its password,
not knowing what it was used for?



Eric Luyten, Computing Centre VUB/ULB.
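
The check suggested in the quoted reply (are there any lmtp entries next to the sendmail rejection?) can be run over a maillog as below. This is an added example, not part of the thread: the sample lines are constructed in the format of the quoted log, and it assumes the Cyrus LMTP service logs under a syslog tag containing "lmtp", which depends on the service name in cyrus.conf.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the maillog excerpt quoted above;
# host, addresses and the second queue id are placeholders.
SAMPLE_LOG = """\
Nov 30 12:59:48 mailhost sendmail[9882]: wAUCxmBS009882: to=user@example.org, delay=00:00:00, xdelay=00:00:00, mailer=cyrusv2, pri=32701, relay=localhost [[UNIX: /var/lib/imap/socket/lmtp]], dsn=5.1.1, stat=User unknown
Nov 30 13:05:59 mailhost cyrus/imaps[8743]: login: [192.168.0.6] user@example.org CRAM-MD5+TLS User logged in
Nov 30 13:06:10 mailhost sendmail[9990]: wAUD6AxY009990: to=other@example.org, delay=00:00:01, xdelay=00:00:01, mailer=cyrusv2, pri=30500, relay=localhost, dsn=2.0.0, stat=Sent
"""

# syslog layout: "Mon DD HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([^\[\s:]+)\[(\d+)\]:\s(.*)$")
# sendmail delivery records are comma-separated key=value pairs
FIELD_RE = re.compile(r"(\w+)=([^,]+)")


def analyze(log_text):
    """Collect permanent (5.x.x) failures handed to the cyrusv2 mailer and
    the syslog tags seen, so missing LMTP-side logging becomes visible."""
    tags = Counter()
    rejected = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped or non-syslog line
        when, _host, tag, _pid, msg = m.groups()
        tags[tag] += 1
        if tag == "sendmail" and "mailer=cyrusv2" in msg:
            fields = {k: v.strip() for k, v in FIELD_RE.findall(msg)}
            if fields.get("dsn", "").startswith("5."):
                rejected.append((when, fields.get("to"), fields["dsn"], fields.get("stat")))
    # Assumption: the LMTP service's tag contains "lmtp" (e.g. a cyrus/ prefix
    # followed by the cyrus.conf service name).
    lmtp_tags = sorted(t for t in tags if "lmtp" in t.lower())
    return {"rejected": rejected, "tags": dict(tags), "lmtp_tags": lmtp_tags}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for when, rcpt, dsn, stat in report["rejected"]:
        print(f"{when}  {rcpt}  dsn={dsn}  stat={stat}")
    if report["rejected"] and not report["lmtp_tags"]:
        print("rejections present but no lmtp-tagged lines; tags seen:", report["tags"])
```
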



