This issue has been observed with Nullmailer installed on VM. Similar forwarding MTA's may exhibit similar behavior.

• Nullmailer is installed and is not configured to forward emails to SMTP relay resulting in emails queueing up in directory /var/spool/nullmailer/queue
• Nullmailer unsuccessfully attempts to resend emails on the queue periodically, writing additional data to mail.log file, resulting in increased disk usage on /var/log filesystem
• /var/log/mail.log on the VM starts to fill up with the below messages:
  

  nullmailer-send[1547]: Rescanning queue.
  nullmailer-send[1547]: Starting delivery, 2 message(s) in queue.
  nullmailer-send[1547]: Starting delivery: host: mail protocol: smtp file: 1750077549.3256
  nullmailer-send[1547]: From: <arcuser@hostname> to: <root@hostname>
  nullmailer-send[1547]: Message-Id: <1750077549.260393.3255.nullmailer@<hostname>>
  nullmailer-send[3791]: smtp: Failed: 454 4.7.1 <root@hostname>: Relay access denied
  nullmailer-send[1547]: Sending failed: Temporary error in sending the message-send[1547]: Starting delivery: host: mail protocol: smtp file: 1750076401.1982 
  nullmailer-send[1547]: From: <user@hostname> to: <root@hostname>
  nullmailer-send[1547]: Message-Id: <1750076401.076830.1979.nullmailer@<hostname>>
  nullmailer-send[3792]: smtp: Failed: 454 4.7.1 <root@hostname>: Relay access denied
  nullmailer-send[1547]: Sending failed: Temporary error in sending the message
  nullmailer-send[1547]: Delivery complete, 2 message(s) remain.

• Email contains:

  Received: (nullmailer pid 4362 invoked by uid 1001);
          Mon, 16 Jun 2025 12:51:10 -0000
  To: root@<hostname>
  From: arcuser@<hostname>
  Auto-Submitted: auto-generated
  Subject: *** SECURITY information for <hostname> ***
  Date: Mon, 16 Jun 2025 12:51:10 +0000
  Message-Id: <1750078270.151086.4361.nullmailer@<hostname>>
  
  <hostname> : Jun 16 12:51:10 : arcuser : a password is required ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=netstat -nlutp

Aria operations 8.18.x

User account 'arcuser' is an account that is automatically created during deployment of the Agent. This account is used to collect data for Telegraf agents.

The issue is caused by the 'arcuser' account attempting to use the 'netstat' command when it is not available on the OS, resulting in the email being automatically generated by the OS.

The 'netstat' command is available in the net-tools package, and must be installed for the agent to successfully collect data that requires the use of the 'netstat' command.

Follow below steps to install "net-tools" package in Ubuntu machine.

• Install "net-tools" package and stop services. 
  

  sudo apt install net-tools
  

To stop the queued emails from being sent, and truncate the mail.log file, follow the steps below. These steps are not required to stop emails being queued/sent, but are needed when mail.log grows out of bounds:

• Stop the nullmailer service:
  

  systemctl stop nullmailer

• Clear the mail queue by deleting the content in /var/spool/nullmailer/queue
• Truncate /var/log/mail.log. The below command will truncate the file to 0 bytes.
  

  truncate -s 0 /var/log/mail.log

• Start the nullmailer service.
  

  systemctl start nullmailer

Depending on the OS and permissions of the account used, you may need to use 'sudo' for the commands where this is not specifically mentioned.

For issues where mail.log keeps growing, and there are no emails related to arcuser or otherwise related to telegraf agent, please work with your OS vendor to manage this log file via log rotation.