Missing email accounts in cPanel!

One of our clients called us and said something that I’ve never heard in the past two decades, ‘all our email accounts are missing from cPanel!’

Now, this is a rare event, this sort of thing usually happens due to an error (a major one at that), or when someone has sabotaged the system, by deliberately deleting all mailboxes (my initial hunch), or using a method designed to cause maximum disruption.

My first thought went to the fact that, and this is highly possible in today’s age of phishing, that the client’s cPanel password had been compromised and that the attacker had gone ahead and simply deleted all mailboxes.

However, this is rare since most attackers would use the system to their benefit, keeping everything running so that they can run their own scripts, or relay bulk email, quietly.

What had occurred was more the doing of someone, deliberately, to inflict maximum damage. More on that a bit later.

So, what were all users on that particular domain experiencing? All devices that connect to their IMAP boxes were requesting a password, indicating that the server was rejecting their authentication requests (using the passwords they had setup and that were working earlier).

The first thing I looked for was the mail folder at /home/$user/mail/ and found it intact with all email account folders. This led me to believe that this wasn’t deliberate deletion, which would have removed all user mail folders, but something else, most likely a misconfiguration.

Investigating a bit more with ChatGPT, yes, we use the Plus version at work all the time—there’s rarely a scenario where we don’t turn to this wonderful app, we narrowed it down quickly.

The problem? The entire /home/$user/etc/$domain folder was missing and this folder holds the actual mailbox definitions—specifically two files, passwd and shadow—that cPanel uses to detect and manage email accounts.

Without this folder, no user could connect, since the passwd file stores account usernames and basic info, while shadow stores encrypted passwords and password policy data.

Now, the quickest way to restore this folder, as suggested by cPanel in the following two articles is to use a current backup, to restore normal functionality without a hitch:

https://support.cpanel.net/hc/en-us/articles/360052477034-Email-accounts-are-missing

https://support.cpanel.net/hc/en-us/articles/4639901121175-How-to-replace-the-missing-shadow-and-passwd-files-for-email-accounts

So, we followed the method of recreating the directory and files ourselves, with a little help from ChatGPT. Here’s what transpired (the article gets super technical now, so business users can skip to the end!):

Step 1: Create the missing config folder

We recreated /home/$user/etc/$domain, which is where cPanel stores mailbox configuration files:

mkdir /home/$user/etc/$domain

In the above, $user is the cPanel account and $domain is the actual domain name.

Without that folder, cPanel cannot detect any email accounts, even if the actual mail data exists. And we assigned the right permissions to it:

chown -R $user:$user /home/$user/etc/$domain

Having the wrong ownership here can cause services like Webmail to break or not function.

Step 2: Rebuild the passwd file

This passwd file maps each email account to its mailbox path, allowing cPanel to recognize the account. So we need to add an entry inside this file for every mailbox that exists . Each line must follow this format:

emailuser:x:UID:GID::/home/$user/mail/$domain/emailuser:/home/$user

In the above, replace the following:

• emailuser is the part before the “@” (e.g., “info” from info@$domain)
• Run – id $user – in terminal and retrieve the UID and GID values. Use those values in the entry in place of UID and GID in the format above.
• The rest defines the mailbox and home paths. $user is the cPanel account and $domain is the actual domain name.

Step 3: Rebuild the shadow file

This file stores hashed passwords for each email account. Without it, users cannot log in—even if their mailbox exists. As the original file was missing, we had no password hashes. To allow cPanel to be able to list the email accounts, we created placeholder entries like the following:

emailuser:$1$dummypass$123456789012345678901/:18522::::::

In the above line, simply replace the emailuser part, and leave the rest the same. Create one line for every user.

• emailuser is the part before the @ in the email address
• The second field contains a dummy hash—it does not work for login.
• The rest of the line includes standard password aging fields

And, we did not worry about email passwords at this stage, as we planned to reset passwords later via cPanel.

Step4: Email accounts reappear in cPanel

As soon as both passwd and shadow files were recreated, we headed over to cPanel > Email accounts and confirmed that all email accounts were now visible.

Step 5: Reset email passwords and test

Next, we tested one email account by resetting its password from cPanel > Email Accounts interface and checking webmail—it worked. That’s it, after that we requested our client’s IT team to reset their passwords and update them in their email clients.

So in the end, nothing was actually lost—just the files that told cPanel the mailboxes existed. We brought everything back by recreating those files, reset the passwords, and all mail was right there, untouched. No panic, no restore, just a bit of old-school fixing.