EXIM problems with spammers - 421 Too many concurrent SMTP connections
I've been having problems on my cPanel servers. Specifically the error:
"The service “exim” appears to be down.
Reason:
TCP Transaction Log:
<< 421 Too many concurrent SMTP connections; please try again later.
exim: ** [421 Too many concurrent SMTP connections; please try again later. != 220 ]
: Died"
EXIM stops working due to the large number of connections and becomes unavailable until cPanel itself starts it again. Investigating the problem, I realized that on my server there are too many established connections through port 25. These connections are coming from very strange countries, to which my customers don't usually send or from which they don't receive emails.
I'm sure these are connections coming from spammers and I need a useful way to prevent these connections. What I've been doing is using CSF to block the countries from which these connections normally come. CSF has a tool called CC_DENY_PORTS =, where I can block IP ranges from a specific country for connections to port 25.
Unfortunately, blocking IPs by country ends up causing other problems:
- The server's performance is compromised: resource consumption increases and response latency increases, considering that there are thousands of new firewall rules in the operating system's IPTABLES.
- Also, sometimes one of my clients needs to send or receive messages to a blocked country and this message is compromised.
Through the command "netstat -plan| grep :25 |awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -n", I can see that I normally have more than 100 active connections from strange IPs and in some cases, these IPs have more than 2 active connections.
The current CSF/LFD settings do not identify these connections as malicious and allow them to be established, so I need a more effective way to deal with my situation. It can be with CSF/LFD, Imunify360 (which I also have and is currently responsible for cleaning malicious files from websites) or any other tool.
Increasing the number of connections in the EXIM "smtp_accept_max" parameter is not an option, since it would also increase the number of unwanted connections.
System Information:
cPanel Version: 11.128.0.15
OS: CloudLinux 8
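As an added example (not from this thread, nor from cPanel, CSF or Exim), a Python version of the netstat count above that keeps IPv6 remote addresses intact (the "cut -d: -f 1" step truncates them at the first colon), counts only ESTABLISHED sessions to port 25, and lists the IPs holding more than two at once; the netstat lines are constructed, and the per-IP threshold and the CSF temporary-deny TTL are assumptions.

```python
"""Count concurrent SMTP (port 25) connections per remote IP from `netstat -plan`
output and flag IPs above a threshold. Sample netstat lines are constructed."""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/exim
tcp        0      0 203.0.113.10:25         198.51.100.7:51234      ESTABLISHED 4321/exim
tcp        0      0 203.0.113.10:25         198.51.100.7:51235      ESTABLISHED 4322/exim
tcp        0      0 203.0.113.10:25         198.51.100.7:51236      ESTABLISHED 4323/exim
tcp        0      0 203.0.113.10:25         192.0.2.44:40001        ESTABLISHED 4324/exim
tcp        0      0 203.0.113.10:25         192.0.2.44:40002        TIME_WAIT   -
tcp        0      0 203.0.113.10:443        198.51.100.7:51300      ESTABLISHED 2222/httpd
tcp6       0      0 2001:db8::1:25          2001:db8:abcd::9:4000   ESTABLISHED 4325/exim
tcp6       0      0 2001:db8::1:25          2001:db8:abcd::9:4001   ESTABLISHED 4326/exim
tcp6       0      0 2001:db8::1:25          2001:db8:abcd::9:4002   ESTABLISHED 4327/exim
"""

def split_host_port(addr):
    """Split 'host:port' on the LAST colon so IPv6 hosts (which contain ':') survive."""
    host, _, port = addr.rpartition(":")
    return host, port

def smtp_connections_per_ip(netstat_output, port="25"):
    """Counter of ESTABLISHED connections to local `port`, keyed by remote IP."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # skip header rows and non-TCP sockets
        local, foreign, state = fields[3], fields[4], fields[5]
        # LISTEN / TIME_WAIT rows do not occupy an Exim SMTP slot, so ignore them
        if split_host_port(local)[1] != port or state != "ESTABLISHED":
            continue
        counts[split_host_port(foreign)[0]] += 1
    return counts

def flag_offenders(counts, max_per_ip=2):
    """IPs holding more than `max_per_ip` concurrent SMTP sessions, busiest first (threshold assumed)."""
    return sorted(((ip, n) for ip, n in counts.items() if n > max_per_ip), key=lambda x: -x[1])

def temp_deny_commands(offenders, ttl_seconds=3600):
    """Render CSF temporary-deny commands (csf -td IP TTL -p 25) for an admin to review; not executed."""
    return [f"csf -td {ip} {ttl_seconds} -p 25" for ip, _ in offenders]

if __name__ == "__main__":
    offenders = flag_offenders(smtp_connections_per_ip(SAMPLE_NETSTAT))
    for ip, n in offenders:
        print(f"{n:4d} {ip}")
    print("\n".join(temp_deny_commands(offenders)))
```

On a live host, feed it the real output with `netstat -plan | python3 this_script.py`-style piping after replacing SAMPLE_NETSTAT with sys.stdin.read(); a temporary deny with a TTL keeps the iptables rule count from growing the way permanent country blocks do.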
-
Hey there! I see this was also posted to our Reddit page, where the best recommendation was a tool like mailscanner.
You mentioned that you can see the IPs when using the netstat command - is there no pattern that would make it easy to block at the firewall level?
I'm not sure if I have good recommendation on the cPanel side of things to deal with this, as this same issue could just as easily happen on a non-cPanel server. If there is that much traffic happening it might be best to look into external firewall options to lower the resource usage on the server itself.