A bunch of mails sent by root@domain.com

[dfreddie]

After upgrade to 10.1.16p1 Maldua FOSS, I noticed 1411 mails sended every day by mail.domain.com (my domain)!
I've looked up in zimbra.log and I've found a lot of this:

00:04:49 mail zmconfigd[1669]: Fetching All configs
Apr 4 00:04:49 mail zmconfigd[1669]: All configs fetched in 0.07 seconds
Apr 4 00:05:00 mail /postfix-script[1534973]: the Postfix mail system is running: PID: 15781
Apr 4 00:05:01 mail postfix/pickup[1508636]: ED91B802A9: uid=0 from=<root>
Apr 4 00:05:01 mail postfix/cleanup[1520078]: ED91B802A9: message-id=<20260403210501.ED91B802A9@mail.domain.com>
Apr 4 00:05:01 mail postfix/qmgr[15784]: ED91B802A9: from=<root@mail.domain.com>, size=618, nrcpt=1 (queue active)
Apr 4 00:05:01 mail amavis[1435540]: process_request: fileno sock=19, STDIN=0, STDOUT=1
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) ESMTP :10024 /opt/zimbra/data/amavisd/tmp/amavis-20260403T221032-1435540-SVDvvc19: <root@mail.domain.com> -> <root@mail.domain.com> SIZE=618 BODY=8BITMIME Received: from mail.domain.com ([127.0.0.1]) by localhost (mail.domain.com [127.0.0.1]) (amavis, port 10024) with ESMTP for <root@mail.domain.com>; Sat, 4 Apr 2026 00:05:02 +0300 (EEST)
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp connection cache, dt: 539.5, state: 0
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) body hash: 15a1f9e5e7b2ff567e6c0e5d2085afb5
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) trace: ESMTP://[127.0.0.1]:42032 < x
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) client IP address unknown, fetched from Received: 127.0.0.1
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) Checking: 0HlDqUXwXZTv [127.0.0.1] <root@mail.domain.com> -> <root@mail.domain.com>
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) 2822.From: <root@mail.domain.com>
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) p001 1 Content-Type: text/plain, 8bit, size: 68, SHA1 digest: 765fd34e4e6c522107a8252dd59e3fb46e9ecb03
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) inspect_dsn: not a bounce
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) Checking for banned types and filenames
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) collect banned table[0]: root@mail.domain.com, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x556e16fe4978)
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) p.path root@mail.domain.com: "P=p001,L=1,M=text/plain,T=asc"
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) presenting full original message to scanners as /opt/zimbra/data/amavisd/tmp/amavis-20260403T221032-1435540-SVDvvc19/parts/p002
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) run_av Using (ClamAV-clamd): (code) CONTSCAN /opt/zimbra/data/amavisd/tmp/amavis-20260403T221032-1435540-SVDvvc19/parts\n
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) ClamAV-clamd: Connecting to socket /opt/zimbra/data/clamav/clamav.sock
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) new socket by IO::Socket::UNIX to /opt/zimbra/data/clamav/clamav.sock, timeout set to 10
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) verifycn_name:
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) ClamAV-clamd: Sending CONTSCAN /opt/zimbra/data/amavisd/tmp/amavis-20260403T221032-1435540-SVDvvc19/parts\n to socket /opt/zimbra/data/clamav/clamav.sock
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) rw_loop read: got eof
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) run_av (ClamAV-clamd): CLEAN
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) run_av (ClamAV-clamd) result: clean
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) calling SA parse (0), SA vers 4.0.1, 4.000001, data as STRING_REF, recips_ind [0], user: "zimbra"
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) spam_scan: score=-1.9 autolearn=ham autolearn_force=no tests=[BAYES_00=-1.9,NO_RELAYS=-0.001,URIBL_DBL_BLOCKED_OPENDNS=0.001] recips=0
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) mangling NO: 0 (was: disclaimer), discl_allowed=0, <root@mail.domain.com> -> <root@mail.domain.com>
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) do_notify_and_quar: ccat=CleanTag (1,1) ("1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(), qar_mth=
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) delivery method is 1, recips: root@mail.domain.com
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) spam-tag, <root@mail.domain.com> -> <root@mail.domain.com>, No, score=-1.9 required=6.6 tests=[BAYES_00=-1.9, NO_RELAYS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp session: setting up a new session
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) new socket using IO::Socket::IP to [127.0.0.1]:10025, timeout 35
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) verifycn_name: 127.0.0.1
Apr 4 00:05:02 mail postfix/amavisd/smtpd[1515545]: connect from localhost[127.0.0.1]
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp greeting: 220 mail.domain.com ESMTP Postfix, dt: 1.5 ms
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp cmd> EHLO localhost
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp resp to EHLO: 250 mail.domain.com\nPIPELINING\nSIZE 52428800\nVRFY\nETRN\nSTARTTLS\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) AUTH not needed, user='', MTA offers ''
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp cmd> MAIL FROM:<root@mail.domain.com> BODY=7BIT
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp cmd> RCPT TO:<root@mail.domain.com> ORCPT=rfc822;root@mail.domain.com
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp cmd> DATA
Apr 4 00:05:02 mail postfix/amavisd/smtpd[1515545]: 534CA8021F: client=localhost[127.0.0.1]
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp resp to MAIL (pip): 250 2.1.0 Ok
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp resp to RCPT (pip) (<root@mail.domain.com>): 250 2.1.5 Ok
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp cmd> QUIT
Apr 4 00:05:02 mail postfix/cleanup[1520078]: 534CA8021F: message-id=<20260403210501.ED91B802A9@mail.domain.com>
Apr 4 00:05:02 mail postfix/amavisd/smtpd[1515545]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 4 00:05:02 mail postfix/qmgr[15784]: 534CA8021F: from=<root@mail.domain.com>, size=1266, nrcpt=1 (queue active)
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) smtp resp to data-dot (<root@mail.domain.com>): 250 2.0.0 Ok: queued as 534CA8021F, dt: 7.5 ms
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) Amavis::Out::SMTP::Session close, disconnecting
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) 0HlDqUXwXZTv FWD from <root@mail.domain.com> -> <root@mail.domain.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 534CA8021F
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) status counters: InMsgsStatus{Relayed,RelayedUntagged,RelayedUntaggedInbound}
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) Passed CLEAN {RelayedInbound}, [127.0.0.1] <root@mail.domain.com> -> <root@mail.domain.com>, Message-ID: <20260403210501.ED91B802A9@mail.domain.com>, mail_id: 0HlDqUXwXZTv, Hits: -1.9, size: 618, queued_as: 534CA8021F, 363 ms
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) TIMING-SA [total 246 ms, cpu 203 ms] - parse: 1.29 (0.5%), extract_message_metadata: 2.7 (1.1%), tests_pri_-10000: 3.2 (1.3%), get_uri_detail_list: 1.83 (0.7%), tests_pri_-2000: 3.1 (1.3%), tests_pri_-1000: 3.5 (1.4%), tests_pri_-950: 2.2 (0.9%), tests_pri_-900: 2.2 (0.9%), tests_pri_-100: 69 (28.1%), check_dkim_adsp: 42 (17.2%), check_spf: 0.71 (0.3%), tests_pri_-90: 15 (6.0%), check_bayes: 12 (5.0%), b_tokenize: 3.6 (1.5%), b_tok_get_all: 2.8 (1.2%), b_comp_prob: 2.4 (1.0%), b_tok_touch_all: 0.30 (0.1%), b_finish: 0.95 (0.4%), tests_pri_0: 96 (39.0%), tests_pri_10: 2.3 (0.9%), tests_pri_500: 2.6 (1.1%), learn: 27 (10.8%), b_learn: 21 (8.5%), b_count_change: 7 (2.7%), get_report: 0.75 (0.3%)
Apr 4 00:05:02 mail amavis[1435540]: (1435540-15) sending SMTP response: "250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 534CA8021F"
Apr 4 00:05:02 mail postfix/smtp[1520076]: ED91B802A9: to=<root@mail.domain.com>, orig_to=<root>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.4, delays=0.03/0/0/0.36, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 534CA8021F)
Apr 4 00:05:02 mail postfix/qmgr[15784]: ED91B802A9: removed

Any help, please!!

[liverpoolfcfan]

What is in the emails?

It shows they are being delivered to root@your domain - so where does root's email go to? Do you have an alias that is sending them to a mailbox?

[dfreddie]

The mails are "removed". No trace of them but are counted in daily reports as sent mails.

[liverpoolfcfan]

If you send an email to root@mail.domain.com - what happens to it?

When you see - Apr 4 00:05:02 mail postfix/qmgr[15784]: ED91B802A9: removed - it just means that delivery to the mailbox was successful so it was removed from the mail queue.

Do you have an account for root@mail.domain.com?
Do you have a Distribution List - root@mail.domain.com?
Do you have root@mail.domain.com added as an alias on another account?

The mail must be going somewhere. What happens if you send an email to root@mail.domain.com ? Does it get delivered, or do you get delivery failure?

[liverpoolfcfan]

You can check if you have any account with an alias of root@mail.domain.com by

Code: Select all

su - zimbra
zmprov ga root@mail.domain.com 

[dfreddie]

zmprov ga root@mail.domain.com
ERROR: account.NO_SUCH_ACCOUNT (no such account: root@mail.domain.com)

Of course I've replaced domain.com with my real domain!

Every day I got exactly 1411 mails from root@mail.domain.com ...

[liverpoolfcfan]

Do you have a lot of CRON jobs running under root?

You could try running (as the root user)

Code: Select all

crontab -e

and adding a known mailbox as the sender/receiver of the CRON emails. Place the MAILTO/MAILFROM at the top of the crontab file

Code: Select all

MAILTO=myMailbox@mail.domain.com
MAILFROM=myMailbox@mail.domain.com

This would allow you to see if it is cron related.