FAILED ⛔: imap/exim
Hello
I get notifications about failed services almost hourly. I looked around but I don't know what to do exactly. Can someone help?
Thanks
-
Hey there! What is the output of this command on the server?
ps aux | grep -i imap
0 -
Hey,
Output seems normal but I get these emails
TCP Transaction Log:
<< 220-Host ESMTP Exim 4.96.2 #2 Tue, 18 Jun 2024 15:35:29 +0200
<< 220-We do not authorize the use of this system to transport unsolicited,
<< 220 and/or bulk e-mail.
>> EHLO localhost
<< 250-Host Hello localhost [127.0.0.1]
<< 250-SIZE 52428800
<< 250-8BITMIME
<< 250-PIPELINING
<< 250-PIPECONNECT
<< 250-AUTH PLAIN LOGIN
<< 250-STARTTLS
<< 250 HELP
>> AUTH PLAIN AF9fY3BhbmVsX19zZXJ2aWNlX19hdXRoX19leGltX183eEFtYjk5UEhTVmln VVN4AGRUU1BsWFpTdXNaU204S2c=
Timeout while trying to get data from service: Died
ps aux | grep -i imap
dovenull 1502655 0.0 0.0 8928 7304 ? S 15:45 0:00 dovecot/imap-login
dovenull 1502659 0.0 0.0 8952 7392 ? S 15:45 0:00 dovecot/imap-login
root 1515734 0.0 0.0 8900 660 pts/0 R+ 18:34 0:00 grep --color=auto -i imap
0 -
Thanks for those details - that command was just checking to make sure there wasn't a large number of logins from an attack on your server taking up resources.
Do you see anything helpful inside the Exim log at /var/log/exim_mainlog? There could also be details in /var/log/messages as well.
0 -
Hey,
For exim_mainlog I get a lot of these. I presume someone is trying to brute-force some logins; from what I see, dictionary attacks, not something targeted.
dovecot_login authenticator failed for (User) []:23012: 535 Incorrect authentication
/var/log/messages doesn't exist, but in syslog I get these:
Jun 18 19:52:16 systemd[1]: Stopping Dovecot Imap Server...
Jun 18 19:52:16 dovecot_cpshutdown[1522542]: Opened “/var/run/dovecot/master.pid” …
Jun 18 19:52:16 dovecot_cpshutdown[1522542]: Master Dovecot process = 1502647
Jun 18 19:52:16 dovecot_cpshutdown[1522542]: Executing “/usr/sbin/dovecot stop” …
Jun 18 19:52:16 dovecot: master: Warning: Killed with signal 15 (by pid=1522543 uid=0 code=kill)
Jun 18 19:52:18 dovecot_cpshutdown[1522542]: Waiting 30 seconds for process 1522543 to end …
Jun 18 19:52:18 dovecot_cpshutdown[1522542]: Done! Waiting 30 seconds for process 1502647 to end …
Jun 18 19:52:18 dovecot_cpshutdown[1522542]: Dovecot is now shut down.
Jun 18 19:52:18 dovecot_cpshutdown[1522542]: Any remaining Dovecot processes will now be terminated.
Jun 18 19:52:18 dovecot: imap-login: Warning: Killed with signal 15 (by pid=1522544 uid=0 code=kill)
Jun 18 19:52:18 dovecot: imap-login: Warning: Killed with signal 15 (by pid=1522544 uid=0 code=kill)
Jun 18 19:52:18 dovecot: config: Warning: Killed with signal 15 (by pid=1522544 uid=0 code=kill)
Jun 18 19:52:18 dovecot: log(1502657): Warning: Killed with signal 15 (by pid=1522544 uid=0 code=kill)
Jun 18 19:52:18 dovecot: log(1502657): Warning: Shutting down logging for 'auth: ' with 1 clients
Jun 18 19:52:18 dovecot: log(1502657): Warning: Shutting down logging for 'config: ' with 1 clients
Jun 18 19:52:18 dovecot: log(1502657): Warning: Shutting down logging for 'imap-login: ' with 2 clients
Jun 18 19:52:18 dovecot_cpshutdown[1522544]: Waiting for dovecot,dovecot-auth,dovecot/pop3-login,dovecot/imap-login,dovecot/anvil,dovecot/log,dovecot/config,dovecot/auth,dovecot-wrap to shutdown ...... terminated.
Jun 18 19:52:18 systemd[1]: dovecot.service: Succeeded.
Jun 18 19:52:18 systemd[1]: Stopped Dovecot Imap Server.
Jun 18 19:52:18 systemd[1]: Started Dovecot Imap Server.
Jun 18 19:52:18 dovecot: master: Dovecot v2.3.19.1 (9b53102964) starting up for lmtp, imap, pop3 (core dumps disabled)
0 -
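The authentication failures quoted from exim_mainlog above can be tallied per source address to see whether they look like a dictionary run or a targeted mailbox. This is an added example, not part of the original thread: the function names are hypothetical, the sample lines are constructed, and the full line format (with `set_id=`) and the `dovecot_plain` authenticator name are assumed from standard Exim/cPanel logging because the thread's line is truncated.

```shell
#!/usr/bin/env bash
# Added example. Sample lines are constructed in Exim mainlog format; the
# addresses are RFC 5737 documentation ranges, not values from the thread.
sample_log() {
cat <<'EOF'
2024-06-18 19:40:01 dovecot_login authenticator failed for (User) [192.0.2.10]:23012: 535 Incorrect authentication data (set_id=admin@example.com)
2024-06-18 19:40:03 dovecot_login authenticator failed for (User) [192.0.2.10]:23040: 535 Incorrect authentication data (set_id=info@example.com)
2024-06-18 19:40:05 dovecot_plain authenticator failed for (User) [192.0.2.10]:23066: 535 Incorrect authentication data (set_id=sales@example.com)
2024-06-18 19:40:07 dovecot_login authenticator failed for (User) [192.0.2.10]:23090: 535 Incorrect authentication data (set_id=test@example.com)
2024-06-18 19:41:10 dovecot_login authenticator failed for (mail) [198.51.100.7]:51000: 535 Incorrect authentication data (set_id=bob@example.com)
2024-06-18 19:41:40 dovecot_login authenticator failed for (mail) [198.51.100.7]:51022: 535 Incorrect authentication data (set_id=bob@example.com)
2024-06-18 19:42:10 dovecot_login authenticator failed for (mail) [198.51.100.7]:51044: 535 Incorrect authentication data (set_id=bob@example.com)
2024-06-18 19:43:00 dovecot_login authenticator failed for (User) [203.0.113.5]:40111: 535 Incorrect authentication data
2024-06-18 19:43:30 1sJabc-000000-0Xyz Completed
EOF
}

# Reads an Exim mainlog on stdin and prints, per source address:
#   <failed attempts> <distinct accounts tried> <address>
# sorted by attempts. Many accounts from one address suggests a dictionary
# run; many attempts on one account suggests that mailbox is being targeted.
auth_failure_summary() {
  awk '
    /dovecot_(login|plain) authenticator failed for / {
      # Look only after the marker so a logged PID like [1234] is not taken for the address.
      rest = substr($0, index($0, "authenticator failed for "))
      if (!match(rest, /\[[0-9a-fA-F.:]+\]/)) next   # address missing or redacted
      ip = substr(rest, RSTART + 1, RLENGTH - 2)
      id = "-"                                        # set_id is not always logged
      if (match(rest, /set_id=[^)]+/)) id = substr(rest, RSTART + 7, RLENGTH - 7)
      fails[ip]++
      if (!((ip, id) in seen)) { seen[ip, id] = 1; accounts[ip]++ }
    }
    END { for (ip in fails) print fails[ip], accounts[ip], ip }
  ' | sort -k1,1nr -k3,3
}

sample_log | auth_failure_summary
```

On the server itself the same function can be fed the real log: `auth_failure_summary < /var/log/exim_mainlog | head`.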
Try that ps aux command again with dovecot and login and see if one of them shows a ton of connections:
ps aux | grep login
ps aux | grep dovecot
0 -
This is the reply from the server
ps aux | grep login
dovenull 1523798 0.0 0.0 8520 5664 ? S 20:07 0:00 dovecot/pop3-login
dovenull 1523799 0.0 0.0 8816 6640 ? S 20:07 0:00 dovecot/imap-login
dovenull 1523802 0.0 0.0 8664 6568 ? S 20:07 0:00 dovecot/pop3-login
dovenull 1523803 0.0 0.0 8796 6916 ? S 20:07 0:00 dovecot/imap-login
root 1525498 0.0 0.0 8900 724 pts/0 S+ 20:33 0:00 grep --color=auto login
root 3700364 0.0 0.0 17596 6564 ? Ss May30 3:59 /lib/systemd/systemd-logind
root@anduin:~# ps aux | grep dovecot
root 1523789 0.0 0.0 5320 3484 ? Ss 20:07 0:00 /usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf
dovenull 1523798 0.0 0.0 8520 5664 ? S 20:07 0:00 dovecot/pop3-login
dovenull 1523799 0.0 0.0 8816 6640 ? S 20:07 0:00 dovecot/imap-login
dovecot 1523800 0.0 0.0 4436 1080 ? S 20:07 0:00 dovecot/anvil
root 1523801 0.0 0.0 4696 3140 ? S 20:07 0:00 dovecot/log
dovenull 1523802 0.0 0.0 8664 6568 ? S 20:07 0:00 dovecot/pop3-login
dovenull 1523803 0.0 0.0 8796 6916 ? S 20:07 0:00 dovecot/imap-login
root 1523804 0.0 0.0 9848 6332 ? S 20:07 0:00 dovecot/config
dovecot 1523805 0.0 0.0 5944 3324 ? S 20:07 0:00 dovecot/stats
dovecot 1523808 0.0 0.0 5644 4280 ? S 20:07 0:01 dovecot/auth
root 1523862 0.0 0.0 5528 3692 ? S 20:08 0:00 dovecot/auth -w
root 1525500 0.0 0.0 8900 656 pts/0 R+ 20:33 0:00 grep --color=auto dovecot
0 -
Any chance you could create a ticket so the server can be examined directly? That output isn't telling me much so I'm wondering if there is another underlying issue.
0 -
If you can tell me how I can do that, I will.
0 -
You can always create a ticket from WHM >> Create a Support ticket. It will either direct you to us, or to your host, depending on where your license is purchased.
0 -
Ah ... This feature is only available if you have purchased a license directly from cPanel.
0 -
That just means you'd need to contact your host for support, which isn't all bad - they would be familiar with the hardware settings of the machine and would likely be able to quickly tell if something isn't working properly.
0 -
Sure, I will try to do that and see what happens.
Thanks for the support.
0 -
Sure thing!