User smmsp found repeatedly in auth.log

Running an Ubuntu server that hosts about 10 WordPress websites.

Is it normal to find this in my auth log?

Oct 26 08:40:01 andre CRON[4737]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Oct 26 08:40:01 andre CRON[4737]: pam_unix(cron:session): session closed for user smmsp
Oct 26 09:00:01 andre CRON[6874]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Oct 26 09:00:01 andre CRON[6874]: pam_unix(cron:session): session closed for user smmsp

I'm not sure why sessions are being opened and closed for sendmail like this.

I'm seeing this in syslog:

Oct 27 08:20:01 andre CRON[7664]: (smmsp) CMD (test -x /etc/init.d/sendmail &&     /usr/share/sendmail/sendmail cron-msp)
Oct 27 08:20:01 andre postfix/pickup[1272]: 1F29212C7FF: uid=107 from=<smmsp>
Oct 27 08:20:01 andre postfix/cleanup[7683]: 1F29212C7FF: message-id=<20141027082001.1F29212C7FF@andre>
Oct 27 08:20:01 andre postfix/qmgr[1274]: 1F29212C7FF: from=<[email protected]>, size=676, nrcpt=1 (queue active)
Oct 27 08:20:01 andre postfix/local[7685]: 1F29212C7FF: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.02, delays=0.02/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)

This is what is in cron.d:

-rw-r--r--  1 root root  544 Feb 28  2014 php5
-rw-r--r--  1 root root  102 Apr  2  2012 .placeholder
-rw-r--r--  1 root root 2323 Apr 10  2014 sendmail

Also ran this:

service sendmail status
MSP: is run via cron (20m)
MTA: is not running
QUE: Same as MTA

I'm not sure if this behavior is normal, or what smmsp is being used for.


Solution 1:

For the benefit of future readers searching for smmsp on Server Fault:

smmsp

The smmsp (SendMail Message Submission Program) user and group are specific to the Sendmail package and are not used by Postfix – or any other Mail Transfer Agent (MTA).

smmsp is the default user that Sendmail uses if you haven’t configured a specific non-root user for the sendmail command to run as. It was introduced as a security measure so that vulnerabilities in sendmail couldn’t provide an exploiter with root access to the system.

From the Sendmail Installation and Operation Guide:

The binary for sendmail is located in /usr/sbin. It should be set-group-ID smmsp

See also Add smmsp to /etc/passwd from Sendmail, 4th Edition (O’Reilly).


Checking for / Removing Sendmail

From the information provided in the question, both Postfix and Sendmail are installed (and running) simultaneously. This can be verified by running:

dpkg -l | grep sendmail

To avoid conflict between the two MTAs, remove the Sendmail package(s) listed by the previous command.

It seems that many other users who thought that they’d removed Sendmail had, in fact, only uninstalled the sendmail-base and sendmail packages so they had to remove the following packages:

aptitude purge sendmail-bin sendmail-cf sendmail-doc

Here's a related post from another user who thought that they had uninstalled Sendmail from their system: Postfix/Sendmail: Frequent emails from smmsp to root.
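
As an added example (not part of this answer or of any package named here), the following Python script joins the cron session lines from auth.log with the CMD lines cron writes to syslog, so each session opened for an account such as smmsp can be traced to the command that ran, and sessions with no matching command stand out. The sample log lines are constructed in the question's format and the function names are hypothetical.

```python
import re

# Constructed sample lines in the format shown in the question; PIDs are
# chosen so the two logs can be joined. The root command is a placeholder.
AUTH_LOG = """\
Oct 27 08:20:01 andre CRON[7664]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Oct 27 08:20:01 andre CRON[7664]: pam_unix(cron:session): session closed for user smmsp
Oct 27 08:39:01 andre CRON[7702]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 27 08:40:01 andre CRON[7810]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
"""
SYSLOG = """\
Oct 27 08:20:01 andre CRON[7664]: (smmsp) CMD (test -x /etc/init.d/sendmail &&     /usr/share/sendmail/sendmail cron-msp)
Oct 27 08:39:01 andre CRON[7702]: (root) CMD (/usr/local/bin/example-job)
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) CRON\[(?P<pid>\d+)\]: "
SESSION = re.compile(PREFIX + r"pam_unix\(cron:session\): session opened for user (?P<user>\S+)")
CMD = re.compile(PREFIX + r"\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")

def cron_commands(syslog_text):
    """Map (minute, host, pid, user) -> command from syslog CRON CMD lines."""
    cmds = {}
    for line in syslog_text.splitlines():
        m = CMD.match(line)
        if m:
            # Key on the minute as well as the PID, because PIDs are reused.
            cmds[(m["ts"][:-3], m["host"], m["pid"], m["user"])] = " ".join(m["cmd"].split())
    return cmds

def explain_sessions(auth_text, syslog_text):
    """Return (timestamp, user, pid, command-or-None) per cron session opened."""
    cmds = cron_commands(syslog_text)
    out = []
    for line in auth_text.splitlines():
        m = SESSION.match(line)
        if m:
            key = (m["ts"][:-3], m["host"], m["pid"], m["user"])
            out.append((m["ts"], m["user"], m["pid"], cmds.get(key)))
    return out

def unexplained(sessions):
    """Sessions with no CMD line in syslog: the ones worth a closer look."""
    return [s for s in sessions if s[3] is None]

if __name__ == "__main__":
    for ts, user, pid, cmd in explain_sessions(AUTH_LOG, SYSLOG):
        print(f"{ts} user={user} pid={pid} cmd={cmd or 'NO MATCHING CMD LINE'}")
```

On a real host, pass the contents of /var/log/auth.log and /var/log/syslog to `explain_sessions` in place of the constructed strings.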

Solution 2:

smmsp is the cron user that Postfix uses to process mail. It's just normal user activity.