suddenly 'User unknown'?

Javier Angulo javier at jangulo.net
Fri Nov 30 09:51:33 EST 2018



On 11/30/18 3:30 PM, Eric Luyten wrote:
> 
> On 30/11/2018 15:16, Patrick Boutilier wrote:
>> On 11/30/18 10:00 AM, Charles Bradshaw via Info-cyrus wrote:
>>> Javier
>>>
>>> On 30/11/2018 11:49, Javier Angulo wrote:
>>>> On 11/29/18 8:00 PM, Charles Bradshaw via Info-cyrus wrote:
>>>>> Now you tell me is cyrus syslog being sent to /var/log/maillog? Or
>>>>> should it be going to /var/imapd.log as the configuration files, man
>>>>> pages and cyrus installation guides ( found here:
>>>>> https://www.cyrusimap.org/imap/installing.html ) say it should?
>>>> I believe there is no "syslog_facility:" option in cyrus 2.4 (at
>>>> least I
>>>> was unable to find it). You can configure it in cyrus3 and maybe in
>>>> cyrus 2.5.
>>> I removed syslog_facility from imapd.conf
>>>> So in /etc/imapd.conf I would remove the syslog_facility line and set:
>>>> syslog_prefix: cyrus
>>> Has no effect: present or not, or changed to test.
>>>> And in /etc/rsyslog.conf:
>>>> mail.*       -/var/log/maillog
>>> Has always been in my rsyslog.conf
>>>>
>>>> Restart rsyslog and check logs for cyrus/something ...
>>>
>>> # /etc/init.d/rsyslog restart
>>>
>>> # service sendmail restart
>>>
>>> Now when I connect (from another host) using Thunderbird Mail I see in
>>> /etc/maillog:
>>>
>>> Nov 30 13:01:02 dell2600-1 sendmail[9865]: NOQUEUE: stopping daemon,
>>> reason=signal
>>> Nov 30 13:01:02 dell2600-1 sendmail[9950]: starting daemon (8.14.4):
>>> SMTP+queueing at 01:00:00
>>> Nov 30 13:01:02 dell2600-1 sendmail[9950]: STARTTLS: CRLFile missing
>>> Nov 30 13:01:03 dell2600-1 sendmail[9950]: STARTTLS=server,
>>> Diffie-Hellman init, key=1024 bit (1)
>>> Nov 30 13:01:03 dell2600-1 sendmail[9950]: STARTTLS=server, init=1
>>> Nov 30 13:01:03 dell2600-1 sendmail[9950]: started as:
>>> /usr/sbin/sendmail -bd -q1h
>>> Nov 30 13:01:03 dell2600-1 sm-msp-queue[9960]: starting daemon (8.14.4):
>>> queueing at 01:00:00
>>> Nov 30 13:01:26 dell2600-1 cyrus/imaps[8645]: USAGE
>>> brad at bradcan.homelinux.com user: 0.141978 sys: 0.087986
>>> Nov 30 13:05:59 dell2600-1 cyrus/imaps[8743]: starttls: TLSv1.2 with
>>> cipher AES128-SHA (128/128 bits new) no authentication
>>> Nov 30 13:05:59 dell2600-1 cyrus/imaps[8743]: login: [192.168.0.6]
>>> brad at bradcan.homelinux.com CRAM-MD5+TLS User logged in
>>> SESSIONID=<cyrus-8743-1543583158-1>
>>> Nov 30 13:05:59 dell2600-1 cyrus/imaps[8743]: client id: "name"
>>> "Thunderbird" "version" "60.2.1"
>>>
>>> Hum.. cyrus/imaps sends logging to /etc/maillog
>>>
>>> I think it is absolutely clear:
>>>
>>> 1 - where cyrus syslog goes to is a red herring. It goes to, and has
>>> always gone to /var/maillog. It is simply that the prefix 'cyrus' only
>>> appears for cyrus imap transactions and other sendmail is labeled
>>> 'sendmail'
>>>
>>> 2 - imapd is working fine: allows brad.bradcan.homelinux.com to connect
>>> an email client. Also to move email from one mailbox to another. The
>>> proof is that since enabling telemetry logging
>>> /var/lib/imap/log/brad at bradcan.homelinux.com/ reflects imap
>>> transactions.
>>>
>>> 3 - A problem remains with LMTP. as is clearly evident from 'User
>>> unknown' appearing in maillog.
>>>
>>> My original question remains: How do I diagnose this when a test email
>>> is sent to brad at bradcan.homelinux.com :
>>>
>>> Nov 30 12:59:48 dell2600-1 sendmail[9882]: wAUCxmBS009882:
>>> to=brad at bradcan.homelinux.com, delay=00:00:00, xdelay=00:00:00,
>>> mailer=cyrusv2, pri=32701, relay=localhost [[UNIX:
>>> /var/lib/imap/socket/lmtp]], dsn=5.1.1, stat=User unknown
>>
>>
>> I think why people are concentrating on the logging is that there
>> should be lmtp entries in your logs to indicate what the issue is. Are
>> there any lmtp entries in either /etc/maillog or /var/log/maillog ?
>>
>>
>> Another option is to limit lmtpd to one process and strace it.
>>
>>
> 
> On our site we are not using Sendmail nor its cyrusv2 mailer but Postfix
> and an lmtp channel to the Cyrus service on a different server.
> 
> This lmtp connection requires authentication using a specific "system"
> account, not the end user credentials.
> 
> 
> Mr Bradshaw, did someone at your site nuke that account or its password,
> not knowing what it was used for ?
> 
> 
> 

From what sendmail shows in the logs (550 5.1.1 User unknown) I would try
this:
In /etc/cyrus.conf, uncomment
#  lmtp		cmd="lmtpd" listen="lmtp" prefork=0

Restart cyrus and telnet lmtp:

telnet $myip 24
LHLO foo.bar
MAIL FROM:<foo at bar>
RCPT TO:<brad at bradcan.homelinux.com>

if lmtp does not find the user it will answer something like

550-Mailbox unknown.  Either there is no mailbox associated with this
550-name or you do not have authorization to see it.
550 5.1.1 User unknown

Cheers
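
The LMTP check described in the message above, scripted so the reply is captured and classified. This is an added example, not part of the original post and not Cyrus project code. It assumes Python's standard smtplib; the names classify and probe are hypothetical, and the verdict text follows the RFC 3463 enhanced status classes.

```python
import re
import smtplib
import sys

# RFC 3463 enhanced status code at the start of a reply line,
# e.g. "5.1.1 User unknown". smtplib has already stripped the "550-" prefix.
_ENHANCED = re.compile(rb"^([245])\.(\d{1,3})\.(\d{1,3})\b", re.MULTILINE)


def classify(code, msg):
    """Turn an smtplib (code, msg) reply into (code, enhanced, verdict)."""
    m = _ENHANCED.search(msg)
    enhanced = m.group(0).decode() if m else None
    if 200 <= code < 300:
        verdict = "accepted"
    elif enhanced == "5.1.1":
        verdict = "mailbox unknown or not visible to lmtpd"
    elif m and m.group(2) == b"7":
        # x.7.x is the security/policy class in RFC 3463
        verdict = "refused by security/policy (check LMTP authentication)"
    elif 400 <= code < 500:
        verdict = "temporary failure"
    else:
        verdict = "rejected"
    return code, enhanced, verdict


def probe(target, sender, rcpt, port=24):
    """LHLO / MAIL FROM / RCPT TO against lmtpd, then RSET: nothing is delivered."""
    # smtplib.LMTP treats a target starting with "/" as a Unix socket path,
    # so the socket named in the sendmail log line can be tested directly.
    with smtplib.LMTP(target, port, timeout=10) as conn:
        conn.ehlo("foo.bar")            # LMTP.ehlo() sends LHLO on the wire
        code, msg = conn.mail(sender)
        if code >= 400:                 # refused before any recipient was named
            return ("MAIL FROM",) + classify(code, msg)
        reply = conn.rcpt(rcpt)
        conn.rset()                     # drop the transaction, no DATA is sent
        return ("RCPT TO",) + classify(*reply)


if __name__ == "__main__":
    # usage: python3 lmtp_probe.py <host-or-socket-path> <sender> <recipient>
    print(probe(*sys.argv[1:4]))
```

A result tagged "MAIL FROM" means lmtpd refused the session before looking at the recipient, which separates an authentication problem from a missing mailbox.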

