Failed IMAP

[GoWilkes]

I've been getting a ton of these for the last few days, and I can't figure out why. I've gotten at least 20 of them today, each one followed by another email about a minute later that IMAP is recovered.

It says to make sure that 127.0.0.1:143 isn't blocked in the firewall or by iptables, but I have both of these disabled completely. It also says to make sure that it's not listed in Host Access Control, which appears to be empty.

Any guesses on why this is happening? Here is a copy of the email I'm getting, with my server name and IP changed:

The service “imap” appears to be down.

Server foo.example.com Primary IP Address 123.45.67.89 Service Name imap Service Status failed Notification The service “imap” appears to be down. Service Check Method The system failed to connect to this service’s TCP/IP port. Reason TCP Transaction Log: << * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE NAMESPACE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready. >> A001 LOGIN __cpanel__service__auth__imap__QYKXNeFEU6Qi0Ujl8doGnp823VZhNNN_CCPwGoqp_db_JUilFCJJ9bwf_AZp6yQs atr3otc2Z6UA7GdRReXvUmKFW94An5AEW0fbZnUnzkOZHXgkORxmYjf5TvXwk22E << * OK Waiting for authentication process to respond.. imap: ** [* OK Waiting for authentication process to respond.. != A001 OK] : Died Number of Restart Attempts 1 Service Check Raw Output The 'dovecot' service passed the check: dovecot (/usr/sbin/dovecot) is running as root with PID 20371 (pidfile+/proc check method). Startup Log Starting Dovecot Imap: [ OK ] Memory Information Used 1.68 GB Available 2.11 GB Installed 3.79 GB Load Information 1.25 1.40 1.37 Uptime 14 days, 15 hours, 22 minutes, and 8 seconds IOStat Information avg-cpu: %user %nice %system %iowait %steal %idle 21.74 0.58 18.59 0.25 0.14 58.69 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn xvda 108.83 443.94 797.92 561553710 1009307034 xvdb 4.48 18.94 19.03 23959244 24077160 Top Processes PID​ Owner​ CPU %​ Memory %​ Command​ 8508 mysql 33.43 19.53 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --user=mysql --log-error=/tmp/mysqld.error.log --open-files-limit=10000 --pid-file=/var/lib/mysql/gonc02.goncinc.com.pid 6385 nobody 2.70 0.65 /usr/sbin/httpd -k start 6340 nobody 2.09 1.33 /usr/sbin/httpd -k start 6416 root 1.46 0.26 dovecot/config 2687 cpanelconnecttrack 1.08 0.12 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -s /var/cpanel/userhomes/cpanelconnecttrack/p0f.socket less 400 and not dst port 80 and not dst port 443 and tcp[13] & 8==0 The chkservd process attempts to connect to “127.0.0.1:143” in order to validate that this service is functioning. If you blocked connections with iptables or the “Host Access Control” interface in WHM, this failure may be a false positive.

 

[cPanelLauren]

That's odd, it's not a normal port to be closed. From the server what is the output of the following:

nmap -Pn 127.0.0.1 -p143

 

[GoWilkes]

Sorry for such a late reply, I never get emails when someone replies anymore :-( The problem had more or less gone away for awhile, but today it's back with the same error.

I had to install nmap, but I didn't configure it or anything. When I ran it, this was the result:

# nmap -Pn 127.0.01 -p143

Starting Nmap 5.51 ( http://nmap.org ) at 2020-06-28 16:51 EDT
Invalid target host specification: 127.0.01
QUITTING!

The port does appear to be open, though:

# netstat -ln |fgrep 143
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN
tcp        0      0 :::143                      :::*                        LISTEN

iptables shouldn't be an issue, I keep it turned off because it keeps blocking a local internet provider and I can't make it stop >:-( I've also turned off CSF because it, too, keeps blocking local IPs.

One of my employees uses a POP account on the server, and she reported today that she's getting a lot of errors in Outlook while connecting to it. She hasn't forwarded one of those errors to me yet, but I suspect that it's related.

 

[keat63]

I think Laurens instruction has a slight typo and should be:

nmap -Pn 127.0.0.1 -p143



Also, would rewriting exim config make any difference?

 

[keat63]

As for turning off CSF, that's something i wouldn't personally recommend.
Instead, try and determine what's causing the issue and fix that particular issue or whitelist the IP's

 

[GoWilkes]

I think Laurens instruction has a slight typo and should be:

nmap -Pn 127.0.0.1 -p143

Well duh!! LOL I didn't catch that missing ., either. OK, here's the output:

# nmap -Pn 127.0.0.1 -p143

Starting Nmap 5.51 ( http://nmap.org ) at 2020-06-29 15:50 EDT
Nmap scan report for localhost.localdomain (127.0.0.1)
Host is up (0.00013s latency).
PORT    STATE SERVICE
143/tcp open  imap

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

So the port looks to be open, but I've still gotten about 40 emailed reports today.

Also, would rewriting exim config make any difference?

I just tried by making a minor modification to Exim Configuration in WHM and saving it, which I think rebuilds it... I'll keep you posted :-O

As for turning off CSF, that's something i wouldn't personally recommend.
Instead, try and determine what's causing the issue and fix that particular issue or whitelist the IP's

This was a last-ditch effort on my end... a few months ago, it was reported that people using Charter / Spectrum internet couldn't access any of my sites. After some research, I discovered that disabling iptables "solved" the problem.

I don't have Charter anywhere, so I have no real way of testing other than to turn things on and wait to see if people complain. So it's been easier to just leave everything off and worry about it later :-/

 

[cPanelLauren]

I think Laurens instruction has a slight typo and should be:

nmap -Pn 127.0.0.1 -p143

Thanks! I've fixed it now. Sorry about that guys.

If disabling iptables resolved the issue you might try the following:

Disable CSF

csf -x

Flush IPTables

iptables --flush

To confirm nothing is listed:

iptables --list

to save the iptables configuration

iptables-save

restart CSF

csf -e

Then check if the issue persists. If it does persist then either some port you have not opened in CSF is the culprit or you have an IP/s in /etc/csf/csf.deny that should be able to access.

 

[GoWilkes]

Also, would rewriting exim config make any difference?

Just following up, it didn't seem to help... I left right after my last post and just got back in, I've had 16 emails from cPanel saying that IMAP wasn't responding :-(

The issue with Charter is totally different, I'll revisit that after I get this one fixed :-/

 

[cPanelLauren]

Sorry for such a late reply, I never get emails when someone replies anymore :-(

This is the 3rd or 4th report I've seen of this so I've made some changes to how this is handled on the forums, please let me know if you do not start receiving emails.

For the nmap output - so long as that's what you ran on the server itself it looks fine. If you run the same command but with your actual IP from outside the server do you get the same output?

Dovecot should listen on all of these:

[[email protected] ~]# netstat -plan |egrep ':143|:993|:995|:110' |grep LISTEN
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      2118/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      2118/dovecot
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      2118/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      2118/dovecot
tcp6       0      0 :::993                  :::*                    LISTEN      2118/dovecot
tcp6       0      0 :::995                  :::*                    LISTEN      2118/dovecot
tcp6       0      0 :::110                  :::*                    LISTEN      2118/dovecot
tcp6       0      0 :::143                  :::*                    LISTEN      2118/dovecot

But if you have others concerned with pop the ports for that are listed above as well.

When you manually restart imap is there a long delay for restart or any errors that are output? You can do this with the following command:

/scripts/restartsrv_imap

Is anything noted in /var/log/maillog when you do see the issue occur?

 

[GoWilkes]

Dovecot should listen on all of these:

My results seem the same as yours:

# netstat -plan |egrep ':143|:993|:995|:110' |grep LISTEN
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      10527/dovecot
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN      10527/dovecot
tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN      10527/dovecot
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN      10527/dovecot
tcp        0      0 :::110                      :::*                        LISTEN      10527/dovecot
tcp        0      0 :::143                      :::*                        LISTEN      10527/dovecot
tcp        0      0 :::993                      :::*                        LISTEN      10527/dovecot
tcp        0      0 :::995                      :::*                        LISTEN      10527/dovecot

When you manually restart imap is there a long delay for restart or any errors that are output?

This seems OK to me:

# /scripts/restartsrv_imap
Waiting for âdovecotâdovecotâ

Service Status
        dovecot (/usr/sbin/dovecot) is running as root with PID 20550 (pidfile+/proc check method).

Startup Log
        Starting Dovecot Imap: [  OK  ]

Log Messages
        Jun 30 14:52:05 [SERVER_NAME] dovecot: master: Dovecot v2.3.7.2 (3c910f64b) starting up for lmtp, imap, pop3 (core dumps disabled)
        Jun 30 14:52:04 [SERVER_NAME] dovecot: log(10532): Warning: Shutting down logging for 'imap: ' with 1 clients
        Jun 30 14:52:04 [SERVER_NAME] dovecot: log(10532): Warning: Shutting down logging for 'imap-login: ' with 1 clients
        Jun 30 14:52:04 [SERVER_NAME] dovecot: log(10532): Warning: Shutting down logging for 'auth: ' with 1 clients
        Jun 30 14:52:04 [SERVER_NAME] dovecot: log(10532): Warning: Killed with signal 15 (by pid=20533 uid=0 code=kill)

dovecot restarted successfully.

Is anything noted in /var/log/maillog when you do see the issue occur?

Well... maillog is around 80M! I had an IMAP warning at 2:21pm, so I deleted everything before 2:20 and after 2:22 to narrow it down, and I still have 445 lines. That's way too much to post, but I don't really know how to read it well enough to narrow it down, either.

There are 153 lines at 14:20:14, all similar:

## I changed my actual server name to [SERVER_NAME]
# the email address here is set up as a forward in cPanel, but I don't know 197.50.137.4
# I also notice that it's trying to connect to port 579?
Jun 30 14:20:14 [SERVER_NAME] dovecot: auth: Error: policy([email protected],197.50.137.4,<zPK+OVGp6YzFMokE>): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused

# the email address at this one doesn't exist, though, and I still don't know the IP 212.70.149.34
Jun 30 14:20:14 [SERVER_NAME] dovecot: auth: Error: policy([email protected],212.70.149.34): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused

Then at 14:20:16 - 14:20:41, I have these ominous sounding lines that I don't entirely understand:

# I don't know any of the IPs set for rip=
Jun 30 14:20:16 [SERVER_NAME] dovecot: imap-login: Disconnected (auth failed, 1 attempts in 62 secs): user=<[email protected]>, method=PLAIN, rip=72.221.232.142, lip=[SERVER_IP], session=<0ShvNlGpHslI3eiO>
Jun 30 14:20:17 [SERVER_NAME] dovecot: imap-login: Disconnected (auth failed, 1 attempts in 36 secs): user=<[email protected]>, method=PLAIN, rip=190.210.182.93, lip=[SERVER_IP], session=<SV8ROFGp9cK+0rZd>
Jun 30 14:20:19 [SERVER_NAME] dovecot: imap-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<[email protected]>, method=PLAIN, rip=197.50.137.4, lip=[SERVER_IP], session=<zPK+OVGp6YzFMokE>
Jun 30 14:20:33 [SERVER_NAME] dovecot: master: Warning: Killed with signal 15 (by pid=10495 uid=0 code=kill)
Jun 30 14:20:34 [SERVER_NAME] dovecot: imap-login: Warning: Killed with signal 15 (by pid=10497 uid=0 code=kill)
Jun 30 14:20:34 [SERVER_NAME] dovecot: imap-login: Disconnected: Shutting down (disconnected while authenticating, waited 21 secs): user=<>, method=PLAIN, rip=115.84.91.155, lip=[SERVER_IP], session=<euj0OVGpN8hzVFub>
Jun 30 14:20:34 [SERVER_NAME] dovecot: imap-login: Disconnected: Shutting down (no auth attempts in 125 secs): user=<>, rip=92.126.222.172, lip=[SERVER_IP], TLS handshaking, session=<cA0xO1GpS+Vcft6s>
Jun 30 14:20:34 [SERVER_NAME] dovecot: anvil: Warning: Killed with signal 15 (by pid=10497 uid=0 code=kill)
Jun 30 14:20:34 [SERVER_NAME] dovecot: imap-login: Error: read(anvil) failed: EOF
Jun 30 14:20:34 [SERVER_NAME] dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
Jun 30 14:20:34 [SERVER_NAME] dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied
Jun 30 14:20:34 [SERVER_NAME] dovecot: log(1445): Warning: Killed with signal 15 (by pid=10497 uid=0 code=kill)
Jun 30 14:20:34 [SERVER_NAME] dovecot: log(1445): Warning: Shutting down logging for 'auth: ' with 1 clients
Jun 30 14:20:34 [SERVER_NAME] dovecot: log(1445): Warning: Shutting down logging for 'imap-login: ' with 2 clients
Jun 30 14:20:41 [SERVER_NAME] dovecot: master: Dovecot v2.3.7.2 (3c910f64b) starting up for lmtp, imap, pop3 (core dumps disabled)

Immediately after that section, I have these:

# again with port 579
Jun 30 14:20:42 [SERVER_NAME] dovecot: auth: Error: policy([email protected],[MY_HOME_IP],<4gm0O1GpCtpLqsxZ>): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jun 30 14:20:42 [SERVER_NAME] dovecot: auth: Error: policy([email protected],[MY_HOME_IP],<P3u0O1GpC9pLqsxZ>): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jun 30 14:20:42 [SERVER_NAME] dovecot: auth: Error: policy([email protected],[MY_HOME_IP],<4gm0O1GpCtpLqsxZ>): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jun 30 14:20:43 [SERVER_NAME] dovecot: pop3-login: Login: user=<real_account[email protected]>, method=PLAIN, rip=[MY_HOME_IP], lip=[SERVER_IP] , mpid=10562, TLS, session=<4gm0O1GpCtpLqsxZ>
Jun 30 14:20:43 [SERVER_NAME] dovecot: pop3([email protected])<10562><4gm0O1GpCtpLqsxZ>: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0, bytes=12/43

Then I see this for one of the accounts on the server:

Jun 30 14:20:59 [SERVER_NAME] spamd[938]: spamd: clean message (-1.9/3.0) for [ACCOUNT_NAME]:538 in 15.1 seconds, 14073 bytes.
Jun 30 14:20:59 [SERVER_NAME] spamd[938]: spamd: result: . -1 - BAYES_00,HTML_MESSAGE,SPF_PASS,URIBL_BLOCKED scantime=15.1,size=14073,user=[ACCOUNT_NAME],uid=538,required_score=3.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33617,mid=<[email protected]od.outlook.com>,bayes=0.000004,autolearn=no autolearn_force=no,shortcircuit=no
Jun 30 14:20:59 [SERVER_NAME] dovecot: auth: Error: policy(?,193.35.51.13): Policy server HTTP error: Absolute request timeout expired (Request queued 3.000 secs ago, not yet sent, 0.000 in other ioloops)
Jun 30 14:21:00 [SERVER_NAME] spamd[14645]: prefork: child states: B
Jun 30 14:21:00 [SERVER_NAME] spamd[938]: spamd: connection from localhost.localdomain [127.0.0.1]:33618 to port 783, fd 6
Jun 30 14:21:00 [SERVER_NAME] spamd[938]: spamd: setuid to [ACCOUNT_NAME] succeeded
Jun 30 14:21:00 [SERVER_NAME] spamd[14645]: spamd: server successfully spawned child process, pid 10652
Jun 30 14:21:00 [SERVER_NAME] spamd[14645]: prefork: adjust: 0 idle children less than 1 minimum idle children. Increasing spamd children: 10652 started.
Jun 30 14:21:00 [SERVER_NAME] spamd[938]: spamd: checking message <[email protected]od.outlook.com> for [ACCOUNT_NAME]:538
Jun 30 14:21:00 [SERVER_NAME] spamd[14645]: prefork: child states: BI
Jun 30 14:21:01 [SERVER_NAME] dovecot: lmtp(10658): Connect from local
Jun 30 14:21:02 [SERVER_NAME] dovecot: lmtp([email protected][ACCOUNT_NAME].com)<10658><Dnx+OY2C+16iKQAAcwVzmw>: msgid=? <[email protected]od.outlook.com>: saved mail to INBOX
Jun 30 14:21:02 [SERVER_NAME] dovecot: lmtp(10658): Disconnect from local: Client has quit the connection (state=READY)

I also see a ton of these that stand out because of the "ioloops" reference that I don't understand:

Jun 30 14:22:18 [SERVER_NAME] dovecot: auth: Error: policy([email protected]_that_doesnt_exist_anymore.com,141.98.80.159): Policy server HTTP error: Absolute request timeout expired (Request queued 3.000 secs ago, not yet sent, 0.000 in other ioloops)

Does any of that look like a culprit? I tried to only show what looked suspicious, but if that's all good then I have plenty more... any guidance on what to look for?

 

[GoWilkes]

Update, I've compared 3 times in the maillog and found a pattern.

I received an email at 15:29:29 yesterday, so going back 30 seconds:

Jun 30 15:29:10 [SERVER_NAME] spamd[938]: spamd: identified spam (7.2/5.0) for account_on_server:572 in 14.1 seconds, 17661 bytes.
Jun 30 15:29:10 [SERVER_NAME] spamd[938]: spamd: result: Y 7 - BAYES_00,CPANEL_XYZ,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FROM_SUSPICIOUS_NTLD,FROM_SUSPICIOUS_NTLD_FP,FSL_BULK_SIG,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,PDS_OTHER_BAD_TLD,PYZOR_CHECK,SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE scantime=14.1,size=17661,user=account_on_server,uid=572,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=39757,mid=<5ZeJuhoziTuVB07sGTit0U0u[email protected]harvestunity.xyz>,bayes=0.000000,autolearn=no autolearn_force=no,shortcircuit=no
Jun 30 15:29:10 [SERVER_NAME] spamd[14645]: prefork: child states: I
Jun 30 15:29:14 [SERVER_NAME] dovecot: master: Warning: Killed with signal 15 (by pid=32431 uid=0 code=kill)
Jun 30 15:29:16 [SERVER_NAME] dovecot: pop3-login: Warning: Killed with signal 15 (by pid=32435 uid=0 code=kill)
Jun 30 15:29:16 [SERVER_NAME] dovecot: pop3-login: Disconnected: Shutting down (disconnected while authenticating, waited 70 secs): user=<>, method=PLAIN, rip=75.170.204.89, lip=[SERVER_IP], TLS, session=<6MG3LFKp+t9LqsxZ>
Jun 30 15:29:16 [SERVER_NAME] dovecot: anvil: Warning: Killed with signal 15 (by pid=32435 uid=0 code=kill)
Jun 30 15:29:16 [SERVER_NAME] dovecot: imap-login: Error: read(anvil) failed: EOF
Jun 30 15:29:16 [SERVER_NAME] dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
Jun 30 15:29:16 [SERVER_NAME] dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied
Jun 30 15:29:16 [SERVER_NAME] dovecot: log(20555): Warning: Killed with signal 15 (by pid=32435 uid=0 code=kill)
Jun 30 15:29:16 [SERVER_NAME] dovecot: log(20555): Warning: Shutting down logging for 'auth: ' with 1 clients
Jun 30 15:29:16 [SERVER_NAME] dovecot: log(20555): Warning: Shutting down logging for 'imap-login: ' with 1 clients
Jun 30 15:29:16 [SERVER_NAME] dovecot: log(20555): Warning: Shutting down logging for 'pop3-login: ' with 1 clients
Jun 30 15:29:24 [SERVER_NAME] dovecot: master: Dovecot v2.3.7.2 (3c910f64b) starting up for lmtp, imap, pop3 (core dumps disabled)
Jun 30 15:29:25 [SERVER_NAME] dovecot: auth: Error: policy([email protected]_on_server.com.com,212.70.149.18): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jun 30 15:29:25 [SERVER_NAME] dovecot: auth: Error: policy([email protected]_on_server.com,212.70.149.18): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jun 30 15:29:28 [SERVER_NAME] dovecot: auth: Error: policy([email protected]_on_server.com,78.128.113.117): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jun 30 15:29:28 [SERVER_NAME] dovecot: auth: Error: policy([email protected]_on_server.com,78.128.113.117): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jun 30 15:29:28 [SERVER_NAME] dovecot: auth: Error: policy(__cpanel__service__auth__icontact__zwua8n7g11ne9l0j,127.0.0.1): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jun 30 15:29:29 [SERVER_NAME] dovecot: auth: Error: policy(__cpanel__service__auth__icontact__zwua8n7g11ne9l0j,127.0.0.1): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused

Then I received an email today at 15:45:25, and going back 30 seconds:

Jul  1 15:44:55 [SERVER_NAME] spamd[360]: spamd: identified spam (9.8/7.0) for account_on_server:515 in 14.3 seconds, 4257 bytes.
Jul  1 15:44:55 [SERVER_NAME] spamd[360]: spamd: result: Y 9 - BAYES_99,BAYES_999,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,JMQ_SPF_NEUTRAL_ALL,PYZOR_CHECK,SPF_PASS,T_REMOTE_IMAGE,T_SPF_HELO_TEMPERROR,URIBL_BLOCKED scantime=14.3,size=4257,user=account_on_server,uid=515,required_score=7.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=34302,mid=<[email protected]>,bayes=1.000000,autolearn=no autolearn_force=no,shortcircuit=no
Jul  1 15:44:55 [SERVER_NAME] spamd[32277]: prefork: child states: I
Jul  1 15:44:58 [SERVER_NAME] spamd[360]: spamd: connection from localhost.localdomain [127.0.0.1]:34314 to port 783, fd 6
Jul  1 15:44:58 [SERVER_NAME] spamd[360]: spamd: setuid to account_on_server succeeded
Jul  1 15:44:58 [SERVER_NAME] spamd[360]: spamd: checking message <[email protected]> for account_on_server:538
Jul  1 15:45:12 [SERVER_NAME] dovecot: master: Warning: Killed with signal 15 (by pid=12023 uid=0 code=kill)
Jul  1 15:45:12 [SERVER_NAME] spamd[360]: spamd: identified spam (7.6/3.0) for account_on_server:538 in 14.2 seconds, 4282 bytes.
Jul  1 15:45:12 [SERVER_NAME] spamd[360]: spamd: result: Y 7 - AC_FROM_MANY_DOTS,BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,JMQ_SPF_NEUTRAL_ALL,PYZOR_CHECK,SPF_PASS,T_REMOTE_IMAGE,URIBL_BLOCKED scantime=14.2,size=4282,user=account_on_server,uid=538,required_score=3.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=34314,mid=<[email protected]>,bayes=0.489536,autolearn=no autolearn_force=no,shortcircuit=no
Jul  1 15:45:12 [SERVER_NAME] spamd[32277]: prefork: child states: B
Jul  1 15:45:12 [SERVER_NAME] spamd[360]: spamd: connection from localhost.localdomain [127.0.0.1]:34320 to port 783, fd 6
Jul  1 15:45:12 [SERVER_NAME] spamd[360]: spamd: setuid to account_on_server succeeded
Jul  1 15:45:12 [SERVER_NAME] spamd[360]: spamd: checking message <[email protected]> for account_on_server:538
Jul  1 15:45:12 [SERVER_NAME] spamd[32277]: spamd: server successfully spawned child process, pid 12027
Jul  1 15:45:12 [SERVER_NAME] spamd[32277]: prefork: adjust: 0 idle children less than 1 minimum idle children. Increasing spamd children: 12027 started.
Jul  1 15:45:12 [SERVER_NAME] spamd[32277]: prefork: child states: BI
Jul  1 15:45:13 [SERVER_NAME] dovecot: imap-login: Warning: Killed with signal 15 (by pid=12056 uid=0 code=kill)
Jul  1 15:45:13 [SERVER_NAME] dovecot: imap-login: Disconnected: Shutting down (disconnected while authenticating, waited 6 secs): user=<>, method=PLAIN, rip=75.170.204.89, lip=[SERVER_IP], TLS, session=<SZl0h2ap8fNLqsxZ>
Jul  1 15:45:13 [SERVER_NAME] dovecot: anvil: Warning: Killed with signal 15 (by pid=12056 uid=0 code=kill)
Jul  1 15:45:13 [SERVER_NAME] dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
Jul  1 15:45:13 [SERVER_NAME] dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied
Jul  1 15:45:13 [SERVER_NAME] dovecot: imap-login: Error: read(anvil) failed: EOF
Jul  1 15:45:13 [SERVER_NAME] dovecot: log(562): Warning: Killed with signal 15 (by pid=12056 uid=0 code=kill)
Jul  1 15:45:13 [SERVER_NAME] dovecot: log(562): Warning: Shutting down logging for 'auth: ' with 1 clients
Jul  1 15:45:13 [SERVER_NAME] dovecot: log(562): Warning: Shutting down logging for 'imap-login: ' with 2 clients
Jul  1 15:45:20 [SERVER_NAME] dovecot: master: Dovecot v2.3.7.2 (3c910f64b) starting up for lmtp, imap, pop3 (core dumps disabled)
Jul  1 15:45:21 [SERVER_NAME] dovecot: auth: Error: policy([email protected]_on_server.com,212.70.149.34): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jul  1 15:45:21 [SERVER_NAME] dovecot: auth: Error: policy([email protected]_on_server.com,212.70.149.34): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jul  1 15:45:25 [SERVER_NAME] dovecot: auth: Error: policy(__cpanel__service__auth__icontact__zwua8n7g11ne9l0j,127.0.0.1): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jul  1 15:45:25 [SERVER_NAME] dovecot: auth: Error: policy(__cpanel__service__auth__icontact__zwua8n7g11ne9l0j,127.0.0.1): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused

Then another at 16:11:40:

Jul  1 16:11:10 [SERVER_NAME] dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 21 secs): user=<[email protected]_on_server.com>, method=PLAIN, rip=193.169.255.18, lip=184.173.178.60, session=<OFhc42aprNzBqf8S>
Jul  1 16:11:27 [SERVER_NAME] dovecot: master: Warning: Killed with signal 15 (by pid=20355 uid=0 code=kill)
Jul  1 16:11:27 [SERVER_NAME] dovecot: imap-login: Warning: Killed with signal 15 (by pid=20356 uid=0 code=kill)
Jul  1 16:11:27 [SERVER_NAME] dovecot: imap-login: Disconnected: Shutting down (no auth attempts in 116 secs): user=<>, rip=113.190.36.114, lip=[SERVER_IP], TLS, session=<NIab5WapwY1xviRy>
Jul  1 16:11:27 [SERVER_NAME] dovecot: log(12158): Warning: Killed with signal 15 (by pid=20356 uid=0 code=kill)
Jul  1 16:11:27 [SERVER_NAME] dovecot: log(12158): Warning: Shutting down logging for 'auth: ' with 1 clients
Jul  1 16:11:27 [SERVER_NAME] dovecot: log(12158): Warning: Shutting down logging for 'imap-login: ' with 2 clients
Jul  1 16:11:28 [SERVER_NAME] spamd[360]: spamd: connection from localhost.localdomain [127.0.0.1]:36050 to port 783, fd 6
Jul  1 16:11:28 [SERVER_NAME] spamd[360]: spamd: setuid to account_on_server succeeded
Jul  1 16:11:28 [SERVER_NAME] spamd[360]: spamd: checking message <[email protected]> for account_on_server:545
Jul  1 16:11:35 [SERVER_NAME] dovecot: master: Dovecot v2.3.7.2 (3c910f64b) starting up for lmtp, imap, pop3 (core dumps disabled)
Jul  1 16:11:39 [SERVER_NAME] dovecot: auth: Error: policy(__cpanel__service__auth__icontact__zwua8n7g11ne9l0j,127.0.0.1): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jul  1 16:11:40 [SERVER_NAME] dovecot: auth: Error: policy(__cpanel__service__auth__icontact__zwua8n7g11ne9l0j,127.0.0.1): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused
Jul  1 16:11:40 [SERVER_NAME] dovecot: auth: Error: policy(__cpanel__service__auth__icontact__zwua8n7g11ne9l0j,127.0.0.1): Policy server HTTP error: connect(127.0.0.1:579) failed: Connection refused

It looks to me like the first line shows that it's taking 14-21 seconds to identify an email as spam, so maybe that's causing everything to time out?

Or is it an excess of spam being received?

Or is the server trying to SEND an excess of spam?

I also see that "anvil" is being killed and says "permission denied" in the first 2, but I don't know what that is. The first reference to "anvil" before 16:11:40, though (the last report) was at 15:45:13, so I think that might just be a coincidence on the other two.