Skip to main content

Updated to 11.134.0.20 and now email is failing

Comments

13 comments

  • cPRex Jurassic Moderator

    Hey there!  The first thing you should do is run our check tool to ensure your system isn't compromised:

    https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026

    If that comes back clean, can you send me the output of this command?

    cat /etc/dovecot/fts.conf
    0
  • Gary

    The check came up with some 'injection indicators'. I purged all the session files in /var/cpanel/sessions/raw/ and it came back clean. No joy with the command though.

    cat: /etc/dovecot/fts.conf: No such file or directory

     

    0
  • cPRex Jurassic Moderator

    What happens when you try "/scripts/upcp --force" on that machine?

    0
  • Gary

    I ran that yesterday when I received the email from CPanel and then ran it again around 3 hours ago. I've just run it again now and these are the last few lines of the output:

    => Log opened from /usr/local/cpanel/scripts/updatenow (76925) at Fri May  1 08:15:54 2026
    [2026-05-01 08:15:54 +1000]   Running version '11.134.0.20' of updatenow.
    [2026-05-01 08:15:54 +1000]   Detected version '11.134.0.20' from version file.
    [2026-05-01 08:15:54 +1000]   Target version set to '11.134.0.20'
    [2026-05-01 08:15:54 +1000]   Up to date (11.134.0.20)
    => Log closed Fri May  1 08:15:54 2026
    ----------------------------------------------------------------------------------------------------
    => Log opened from cPanel Update (upcp) - Slave (75032) at Fri May  1 08:15:54 2026
    [2026-05-01 08:15:54 +1000]   95% complete
    [2026-05-01 08:15:54 +1000]   Running /usr/local/cpanel/scripts/postupcp
    [2026-05-01 08:16:18 +1000]   Running Standardized hooks
    [2026-05-01 08:16:23 +1000]   100% complete
    [2026-05-01 08:16:23 +1000]   
    [2026-05-01 08:16:23 +1000]     cPanel update completed
    [2026-05-01 08:16:23 +1000]   A log of this update is available at /var/cpanel/updatelogs/update.75032.1138436.1777575799.log
    [2026-05-01 08:16:23 +1000]   Removing upcp pidfile
    [2026-05-01 08:16:23 +1000]   
    [2026-05-01 08:16:23 +1000] Completed all updates
    => Log closed Fri May  1 08:16:23 2026

     

    0
  • cPRex Jurassic Moderator

    That would seem to indicate the update completed without an issue.  Does "/usr/local/cpanel/cpanel -V" confirm this?  

    If not, you'd need to open that log file it shows to see if there's anything else to find, but that looks good to me.

    0
  • Gary

    /usr/local/cpanel/cpanel -V
    134.0 (build 20)

    Yes - it was the same yesterday. Whatever happened to cause the auth issues seems to have happened around 5am this morning. When I got up I saw that I had no access to WHM and the 3 mailboxes that I have on the server were all giving an auth error. They stopped giving an error an hour or so later.

    I just had a look through the /var/log/maillog and this appears to be the actual error. The issue started at around 5am and looks like it ended around 30 minutes later. Here are 3 of the log entries (there were around 20 of the 'crypt() failed' lines.

    May  1 05:32:55 server3 dovecot[2776]: auth-worker(gary@somewhere.com,x.x.x.x)<28005><gdH1h7JQfG9n/ML5>: request [69]: Error:
     cpauthd: Invalid password in passdb: crypt() failed: Invalid argument

    May  1 05:03:57 server3 dovecot[2776]: auth-worker(gary@somewhere.com,x.x.x.x)<3064><TWlbILJQ0Gdn/ML5>: request [45]: Error: 
    cpauthd: Invalid password in passdb: crypt() failed: Invalid argument

    May  1 05:33:16 server3 dovecot[2776]: imap-login: Login aborted: Logged out (auth service reported temporary failure, 6 attempts in
     21 secs) (temp_fail): user=<gary@somewhere.com>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, session=<gdH1h7JQfG9n/ML5>

    ....and the log entry when it started working ok again:
    May  1 05:44:58 server3 dovecot[2776]: imap-login: Logged in: user=<gary@somewhere.com>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, mpid=31773, TLS, session=<crIBs7JQ0rFn/ML5>

     

    0
  • cPRex Jurassic Moderator

    So things are working well at this point?  I'm wondering if the update also resolved the mail issue.

    0
  • Gary

    Yes - everything seems okay except that I can't log in to WHM still. Is this intentional? I see there is an instruction to block those ports but only if the update can't be applied.

     

    0
  • cPRex Jurassic Moderator

    We should probably clarify what "can't" login means - can you not reach the login page at all, or are you failing to authenticate once you get there?

    If the former, the port has been blocked and that needs to be undone by you or your provider.  If the latter, the root password may have been changed.

    0
  • Gary

    Yes - sorry. One of my most common complaints about others is issue descriptions such as 'my mail isn't working'.

    It's timing out when I try to connect so it may be that the provider has temporarily blocked some ports.

    As always, thank you for your excellent support.

    Gary

    0
  • cPRex Jurassic Moderator

    That would be my guess then as well.

    Since the update has completed AND the scan isn't showing any comprise risks, it would be fine to open those ports at this time.

    0
  • mtindor

    My guess is that when people were unable to authenticate, you or your host had disabled cpsrvd.   When you disable cpsrvd, you can no longer authenticate in dovecot.

     

    netstat -plan|grep cpsrvd 
    tcp        0      0 0.0.0.0:2082            0.0.0.0:*               LISTEN      1753/cpsrvd (SSL) - 
    tcp        0      0 0.0.0.0:2083            0.0.0.0:*               LISTEN      1753/cpsrvd (SSL) - 
    tcp        0      0 0.0.0.0:2086            0.0.0.0:*               LISTEN      1753/cpsrvd (SSL) - 
    tcp        0      0 0.0.0.0:2087            0.0.0.0:*               LISTEN      1753/cpsrvd (SSL) - 
    tcp        0      0 0.0.0.0:2095            0.0.0.0:*               LISTEN      1753/cpsrvd (SSL) - 
    tcp        0      0 0.0.0.0:2096            0.0.0.0:*               LISTEN      1753/cpsrvd (SSL) - 
    unix  2      [ ACC ]     STREAM     LISTENING     33055    1753/cpsrvd (SSL) -  /usr/local/cpanel/var/cpwrapd.sock
    unix  2      [ ACC ]     STREAM     LISTENING     33056    1753/cpsrvd (SSL) -  /usr/local/cpanel/var/cpauthd.sock
    unix  2      [ ACC ]     STREAM     LISTENING     33057    1753/cpsrvd (SSL) -  /usr/local/cpanel/var/cpdoveauthd.sock
    unix  2      [ ACC ]     STREAM     LISTENING     33058    1753/cpsrvd (SSL) -  /usr/local/cpanel/var/cpdoveauth_domainownerd.sock

    0
  • Gary

    I think you are probably right. It was only for 30 minutes or so and then they blocked the cPanel and WHM ports for around 24 hours while they reset root passwords on all the servers they host.

     

    0

Please sign in to leave a comment.