Hello, I’ve been using aaPanel with a working mail server and several plugins for quite some time without any issues. After switching to aaPanel PRO and installing multiple paid plugins, I started noticing the following: The system is attempting to send emails from root@hostname, even though I haven’t configured or triggered this manually. There is no SMTP relay set for the root user, so the emails are being bounced (relay = none). These messages are not related to any of my configured mail server accounts. The /var/log/journal directory is growing by more than 4GB per day. Even after manual cleanup with journalctl, it quickly fills up again. Frequent entries come from services such as postfix, dovecot, cron, atd, sshd, and others. I also noticed a significant increase in resource usage (CPU and memory) after installing the PRO version and paid plugins. I assumed the resource usage was expected due to the added functionality, so I didn’t question it at first. But now I’m wondering whether the email behavior and heavy logging are part of that or a sign of something misconfigured. I haven’t made any manual changes to the server outside of the aaPanel interface. Could you please help me understand whether this is expected behavior or if something should be fixed or adjusted? Thank you very much.

aaPanel_Kern Thanks for the explanation. I still think this needs to be improved. The Fail2Ban plugin currently sends email alerts via the system mailer (Postfix), even though there is no email configuration option in the aaPanel UI. This causes: Unwanted emails from root@hostname High system log usage due to bounced messages Increased CPU, memory, and disk I/O usage I recommend adding a setting in the plugin to: Disable or enable email alerts Use the configured SMTP settings from aaPanel Right now, users have to manually edit Fail2Ban config files, but these changes can be reset by the plugin. It would be great to have an official fix or at least a warning in the UI. Thanks!

Abnormal Mail and Log Activity on aaPanel

jaehyun1122

Hello,

I’ve been using aaPanel with a working mail server and several plugins for quite some time without any issues.
After switching to aaPanel PRO and installing multiple paid plugins, I started noticing the following:

The system is attempting to send emails from root@hostname, even though I haven’t configured or triggered this manually.
There is no SMTP relay set for the root user, so the emails are being bounced (relay = none).
These messages are not related to any of my configured mail server accounts.
The /var/log/journal directory is growing by more than 4GB per day.
Even after manual cleanup with journalctl, it quickly fills up again.
Frequent entries come from services such as postfix, dovecot, cron, atd, sshd, and others.
I also noticed a significant increase in resource usage (CPU and memory) after installing the PRO version and paid plugins.
I assumed the resource usage was expected due to the added functionality, so I didn’t question it at first.
But now I’m wondering whether the email behavior and heavy logging are part of that or a sign of something misconfigured.

I haven’t made any manual changes to the server outside of the aaPanel interface.
Could you please help me understand whether this is expected behavior or if something should be fixed or adjusted?

Thank you very much.

aaPanel_Kern

Hello,
It is recommended that you check which program occupies CPU?
Are there any large amount of emails being sent?
Can you view what the email sent by root is?

jaehyun1122

aaPanel_Kern

Hello,

Thank you for your response.

I checked the mail content using postcat -vq 7034C302A2A and confirmed that it is a system-generated email from Fail2Ban, not a spam message or malicious script.

Below is the masked content of the email:

Subject: [Fail2Ban] sshd: banned <IP_ADDRESS> from <HOSTNAME>
Date: Fri, 13 Jun 2025 01:19:10 +0900
From: Fail2Ban <root@<HOSTNAME>>
To: root@localhost

Hi,

The IP <IP_ADDRESS> has just been banned by Fail2Ban after
5 attempts against sshd.

Here is more information about <IP_ADDRESS>:
(missing whois program)

Lines containing failures of <IP_ADDRESS> (max 1000):
2025-06-13T01:17:45: Invalid user ...
2025-06-13T01:17:52: Connection closed ...
2025-06-13T01:18:50: Invalid user demo ...
2025-06-13T01:18:52: Failed password ...
2025-06-13T01:18:53: Connection closed ...
...

Regards,
Fail2Ban

This confirms that at least some of the messages in the queue are legitimate security notifications. However, I will continue investigating the remaining entries.

Best regards.

jaehyun1122

jaehyun1122
I researched more but it's all fail2ban related emails!

aaPanel_Kern

Hello,
Generally, emails will be sent only if the IP is blocked. Please check which service it is? SSH?
If it is recommended to modify the ssh port, the security group of the server provider needs to open the corresponding port before modifying it

jaehyun1122

aaPanel_Kern

Hi, thanks for the explanation.

I noticed that Fail2Ban alert emails aren’t sent via aaPanel’s settings (aapanel@mydomain.com >> mymail@gmail.com), but instead from root@hostname to root@localhost, using the system’s local mailer (like Postfix). This doesn’t match the configured sender and may cause delivery issues.

I didn’t enable email alerts manually — it may be coming from a default action like action_mwl.
SSH is likely the main trigger right now, but I’ve also enabled jails for FTP and database ports, so those could generate alerts too.

Is this the expected behavior?
And is there a way to make Fail2Ban use aaPanel’s settings?

Thanks!

aaPanel_Kern

Hello, you can modify this configuration, but modifying Fail2Ban in aapanel will restore the default

jaehyun1122

aaPanel_Kern

Thanks for the explanation.

I still think this needs to be improved. The Fail2Ban plugin currently sends email alerts via the system mailer (Postfix), even though there is no email configuration option in the aaPanel UI.

This causes:

Unwanted emails from root@hostname
High system log usage due to bounced messages
Increased CPU, memory, and disk I/O usage

I recommend adding a setting in the plugin to:

Disable or enable email alerts
Use the configured SMTP settings from aaPanel

Right now, users have to manually edit Fail2Ban config files, but these changes can be reset by the plugin. It would be great to have an official fix or at least a warning in the UI.

Thanks!

jaehyun1122

Hi, I removed Fail2Ban and monitored the server for a few days.
As you can see in the graph, the system resource usage dropped a lot — everything is much more stable now.

The problem seems to be from Fail2Ban sending too many email alerts (like action_mwl), which caused high CPU, disk I/O, and large logs.

Is there any plan to update the plugin to allow disabling email alerts or using the aaPanel SMTP settings?

Thanks!

aaPanel_Kern

Thank you for your feedback, we will optimize it

jaehyun1122