'Invoked' by (qmail ##### invoked by uid 78).
Though the qmail number varies, the "invoked by uid 78" part is always constant. What is uid 78 referring to, and do you know what the problem is with my business mail?
The 'uid 78' that you are seeing in your emails refers to user ID (uid) 78, which invoked the qmail process. There are two types of users who could have invoked qmail: human or system. You, for example, are obviously a human user, while programs like Apache and qmail are system users, not human users. The fact that the uid is constant makes tracking down your problem a lot easier. If you search for the uid 78, inside the /etc/passwd file, using the grep command-line text search tool, for example, you should find the user associated with this uid. So here's a possible command, for example:
# grep 78 /etc/passwd
If you find that user id 78 is associated with a human user, then you can immediately suspend the user's account and take the matter further with the user directly. I suspect, though, that you will find that uid 78 is that of a system program, which will require additional investigation. On Red Hat Linux, for example, all uids below 500 are reserved for system use.
Keep in mind that programs cannot generate mail on their own. They only generate mail when instructed to do so. The first place I would look would be scripts that run on the server. One cause may be a Web form script sending mail using user ID 78's account. This could occur if you restarted your Apache Web server incorrectly using the "su," or substitute user command. The error would lead to the wrong user's environment variables being used by the Web script engine.
To avoid such problems in the future, ensure all administrators follow best practices when making changes to servers and that they log on and off using the correct accounts. Any system configuration changes or restarts should be logged following change-control procedures. If the appearance of this mail header has suddenly started, you should be able to narrow down the problem and trace it back through your change log to see who made what changes to your server and when.
This was first published in April 2009