Updated to 11.134.0.20 and now email is failing
Websites are up but WHM is blocked (assuming this is temporary) but all email logins are failing (for all of my hosting clients).
In the log it says there is an SSL error. This started at around 2am this morning.
May 1 05:44:20 server3 dovecot[2776]: imap-login: Login aborted: Connection closed: SSL_accept() failed: error:0A000416:SSL routines::ssl/tls alert certificate unknown: SSL alert number 46 (disconnected during TLS handshake) (tls_handshake_not_finished): user=<>, rip=116.91.213.89, lip=101.0.111.18, TLS handshaking: SSL_accept() failed: error:0A000416:SSL routines::ssl/tls alert certificate unknown: SSL alert number 46.
I'm wondering - are these entries attempts at auth bypass? When I got up this morning the 3 emails I have on the server were failing with an auth issue. Now it looks to be working again.
Gary
-
Hey there! The first thing you should do is run our check tool to ensure your system isn't compromised:
If that comes back clean, can you send me the output of this command?
cat /etc/dovecot/fts.conf
0 -
The check came up with some 'injection indicators'. I purged all the session files in /var/cpanel/sessions/raw/ and it came back clean. No joy with the command though.
cat: /etc/dovecot/fts.conf: No such file or directory
0 -
What happens when you try "/scripts/upcp --force" on that machine?
0 -
I ran that yesterday when I received the email from CPanel and then ran it again around 3 hours ago. I've just run it again now and these are the last few lines of the output:
=> Log opened from /usr/local/cpanel/scripts/updatenow (76925) at Fri May 1 08:15:54 2026
[2026-05-01 08:15:54 +1000] Running version '11.134.0.20' of updatenow.
[2026-05-01 08:15:54 +1000] Detected version '11.134.0.20' from version file.
[2026-05-01 08:15:54 +1000] Target version set to '11.134.0.20'
[2026-05-01 08:15:54 +1000] Up to date (11.134.0.20)
=> Log closed Fri May 1 08:15:54 2026
----------------------------------------------------------------------------------------------------
=> Log opened from cPanel Update (upcp) - Slave (75032) at Fri May 1 08:15:54 2026
[2026-05-01 08:15:54 +1000] 95% complete
[2026-05-01 08:15:54 +1000] Running /usr/local/cpanel/scripts/postupcp
[2026-05-01 08:16:18 +1000] Running Standardized hooks
[2026-05-01 08:16:23 +1000] 100% complete
[2026-05-01 08:16:23 +1000]
[2026-05-01 08:16:23 +1000] cPanel update completed
[2026-05-01 08:16:23 +1000] A log of this update is available at /var/cpanel/updatelogs/update.75032.1138436.1777575799.log
[2026-05-01 08:16:23 +1000] Removing upcp pidfile
[2026-05-01 08:16:23 +1000]
[2026-05-01 08:16:23 +1000] Completed all updates
=> Log closed Fri May 1 08:16:23 20260 -
That would seem to indicate the update completed without an issue. Does "/usr/local/cpanel/cpanel -V" confirm this?
If not, you'd need to open that log file it shows to see if there's anything else to find, but that looks good to me.
0 -
/usr/local/cpanel/cpanel -V
134.0 (build 20)Yes - it was the same yesterday. Whatever happened to cause the auth issues seems to have happened around 5am this morning. When I got up I saw that I had no access to WHM and the 3 mailboxes that I have on the server were all giving an auth error. They stopped giving an error an hour or so later.
I just had a look through the /var/log/maillog and this appears to be the actual error. The issue started at around 5am and looks like it ended around 30 minutes later. Here are 3 of the log entries (there were around 20 of the 'crypt() failed' lines.
May 1 05:32:55 server3 dovecot[2776]: auth-worker(gary@somewhere.com,x.x.x.x)<28005><gdH1h7JQfG9n/ML5>: request [69]: Error:
cpauthd: Invalid password in passdb: crypt() failed: Invalid argumentMay 1 05:03:57 server3 dovecot[2776]: auth-worker(gary@somewhere.com,x.x.x.x)<3064><TWlbILJQ0Gdn/ML5>: request [45]: Error:
cpauthd: Invalid password in passdb: crypt() failed: Invalid argumentMay 1 05:33:16 server3 dovecot[2776]: imap-login: Login aborted: Logged out (auth service reported temporary failure, 6 attempts in
21 secs) (temp_fail): user=<gary@somewhere.com>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, session=<gdH1h7JQfG9n/ML5>....and the log entry when it started working ok again:
May 1 05:44:58 server3 dovecot[2776]: imap-login: Logged in: user=<gary@somewhere.com>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, mpid=31773, TLS, session=<crIBs7JQ0rFn/ML5>0 -
So things are working well at this point? I'm wondering if the update also resolved the mail issue.
0 -
Yes - everything seems okay except that I can't log in to WHM still. Is this intentional? I see there is an instruction to block those ports but only if the update can't be applied.
0 -
We should probably clarify what "can't" login means - can you not reach the login page at all, or are you failing to authenticate once you get there?
If the former, the port has been blocked and that needs to be undone by you or your provider. If the latter, the root password may have been changed.
0 -
Yes - sorry. One of my most common complaints about others is issue descriptions such as 'my mail isn't working'.
It's timing out when I try to connect so it may be that the provider has temporarily blocked some ports.
As always, thank you for your excellent support.
Gary
0 -
That would be my guess then as well.
Since the update has completed AND the scan isn't showing any comprise risks, it would be fine to open those ports at this time.
0 -
My guess is that when people were unable to authenticate, you or your host had disabled cpsrvd. When you disable cpsrvd, you can no longer authenticate in dovecot.
netstat -plan|grep cpsrvd
tcp 0 0 0.0.0.0:2082 0.0.0.0:* LISTEN 1753/cpsrvd (SSL) -
tcp 0 0 0.0.0.0:2083 0.0.0.0:* LISTEN 1753/cpsrvd (SSL) -
tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN 1753/cpsrvd (SSL) -
tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN 1753/cpsrvd (SSL) -
tcp 0 0 0.0.0.0:2095 0.0.0.0:* LISTEN 1753/cpsrvd (SSL) -
tcp 0 0 0.0.0.0:2096 0.0.0.0:* LISTEN 1753/cpsrvd (SSL) -
unix 2 [ ACC ] STREAM LISTENING 33055 1753/cpsrvd (SSL) - /usr/local/cpanel/var/cpwrapd.sock
unix 2 [ ACC ] STREAM LISTENING 33056 1753/cpsrvd (SSL) - /usr/local/cpanel/var/cpauthd.sock
unix 2 [ ACC ] STREAM LISTENING 33057 1753/cpsrvd (SSL) - /usr/local/cpanel/var/cpdoveauthd.sock
unix 2 [ ACC ] STREAM LISTENING 33058 1753/cpsrvd (SSL) - /usr/local/cpanel/var/cpdoveauth_domainownerd.sock0 -
I think you are probably right. It was only for 30 minutes or so and then they blocked the cPanel and WHM ports for around 24 hours while they reset root passwords on all the servers they host.
0
Please sign in to leave a comment.
Comments
13 comments