Imap failure notices on many servers after upgrade

max_payne

Active Member
Feb 1, 2013
33
1
6
cPanel Access Level
Root Administrator
Chkservd is reporting imap failures with the following:

Code:
Service Name: imap
Service Status: failed
Notification: The service “imap” appears to be down.
Service Check Method: The system failed to connect to this service’s TCP/IP port.
Reason:
TCP Transaction Log:
<< * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See COPYING for distribution information.
>> A001 LOGIN __cpanel__service__auth__imap__4_8xl04p1fqfrjYsIwVYloQTuR80iQeQfHKzFIwJ8KE6PjtYHeW5OIFe5ijZzoYz YVsYxHdH1e3ggUcTh9KOG5UfDFKXDdsJV0wVGsY4jPQRDtZFSvTk5DzbyoKxoGLx
<< * BYE Temporary problem, please try again later
imap: ** [* BYE Temporary problem, please try again later != A001 OK]
: Died
This is happening across multiple servers. Is this a known issue?
 

Kellykk2005

Registered
Jun 25, 2015
1
0
1
orange county, ca
cPanel Access Level
Root Administrator
We have been having this problem for the last few weeks. It did seem to crop up after a cPanel/WHM upgrade.
The service “imap” appears to be down. Here is the email from the cPanel monitor. Any help would be greatly appreciated.

FYI: I do see this in /var/log/maillog:

Code:
Jun 25 21:50:22 host1 imapd-ssl: LOGOUT, user=<removed>, ip=[::ffff:98.191.201.25], headers=0, body=0, rcvd=322, sent=63422, time=21, starttls=1

Jun 25 21:50:22 host1 imapd-ssl: Unexpected SSL connection shutdown.
------------------------------------

Service Check Method

The system failed to connect to this service’s TCP/IP port.

Reason

TCP Transaction Log:

<< * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.

>> A001 LOGIN __cpanel__service__auth__imap__eI8yxx23QD6YIbnuJxDP3tlSYz_H8UoAJD91XT8MaluzeUg7rGUR3LclN9OO_Ay2 Gb5a2bQyULAp2sBFT2fw_iiXKbpToliEdSD0W2TzvwJ7JGzlQEvzhHk2TOqPiic_

<< * BYE Temporary problem, please try again later

imap: ** [* BYE Temporary problem, please try again later != A001 OK]

: Died
 

max_payne

Active Member
Feb 1, 2013
33
1
6
cPanel Access Level
Root Administrator
Yes, this issue started popping up after the cPanel upgrade to 11.50. It's happening on multiple VPS servers and is not an isolated issue. Anyone from cPanel have any insight on this?
 

kbisignani

Member
Jan 29, 2012
17
0
51
cPanel Access Level
Root Administrator
Same thing here - upgraded to 11.50 on my VPS and all of a sudden I'm getting calls from clients that they can't check their email, and then I see this failure report come through. Checking the logs, I'm finding, right before the crash email is sent, the following error:

Jun 25 03:12:27 swan pop3d: LOGIN FAILED, user=[email protected], ip=[::ffff:xxx.xx.xxx.xx]
Jun 25 03:12:27 swan pop3d: authentication error: Input/output error

The log has dozens of instances like this, with some using pop3d, some imapd...


I'm trying an upgrade to 11.50.20 and seeing if that resolves the issue, even though I don't really see anything in the changelog that sounds like this issue was fixed. But I'm willing to try anything.

I'm also using Courier... I've contemplated switching to Dovecot to see if that resolves the issue but since this is used by a number of clients I'm afraid to start messing with their email...
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,482
35
208
cPanel Access Level
DataCenter Provider
Please open a ticket at https://tickets.cpanel.net/submit/ so we can help.

This is not something we have seen commonly on 11.50. The only ticket I could find that looked similar was the result of an out-of-disk-space condition.

Also, I'd definitely recommend switching to Dovecot as we see significantly fewer problems with it.
 

kbisignani

Member
Jan 29, 2012
17
0
51
cPanel Access Level
Root Administrator
To update those following the thread, we've increased the amount of authentication daemons. This setting is found in WHM > Service Configuration > Mailserver Configuration and then scroll all the way to the bottom. Number of Authentication Daemons was set to "2" on my setup. We've changed it to 8 just a few moments ago and are crossing our fingers and hoping this works.

My guess is that something in the 11.50 update created some type of instability between the IMAP service and the authentication mechanisms, which probably should be investigated further, but as a temporary workaround I'll be content if this keeps IMAP from crashing!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello :)

This could indicate a brute force attack on your mail server. The following command is useful if you are using Courier:

Code:
grep 'LOGIN FAILED' /var/log/maillog|awk '{print $9}'|sort|uniq -c | sort -n
It will list IP addresses with failed logins to the mail server. You may want to block any IP addresses with an excessive number of failed login attempts, or install a third-party firewall management utility such as CSF if you have not already done so.

Thank you.
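
A more defensive variant of the one-liner above, as an added example that is not part of the original posts or of cPanel's tooling: it finds the `ip=[...]` field by name instead of by column, folds IPv4-mapped addresses (`::ffff:a.b.c.d`) into plain IPv4, and separately counts the `authentication error` lines reported earlier in the thread, so a burst of failures from a few addresses can be told apart from the authentication backend itself failing. The function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# failed_logins [THRESHOLD] < maillog
# Count Courier "LOGIN FAILED" lines per client IP and print "COUNT IP" for
# addresses at or above THRESHOLD (default 5), busiest first.
failed_logins() {
    awk -v min="${1:-5}" '
        /LOGIN FAILED/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ip=\[/) {          # locate ip=[...] by name, not position
                    ip = $i
                    sub(/^ip=\[/, "", ip)
                    sub(/\],?$/, "", ip)
                    sub(/^::ffff:/, "", ip)   # IPv4-mapped IPv6 -> plain IPv4
                    count[ip]++
                }
            }
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -rn
}

# auth_errors < maillog
# Count backend failures, which are not bad-password events.
auth_errors() {
    awk '/authentication error/ { n++ } END { print n + 0 }'
}

# Constructed sample using documentation address ranges.
sample_log() {
    cat <<'EOF'
Jun 25 03:12:25 host1 imapd: LOGIN FAILED, user=a@example.com, ip=[::ffff:192.0.2.10]
Jun 25 03:12:26 host1 imapd: LOGIN FAILED, user=b@example.com, ip=[::ffff:192.0.2.10]
Jun 25 03:12:27 host1 pop3d: LOGIN FAILED, user=c@example.com, ip=[::ffff:192.0.2.10]
Jun 25 03:12:27 host1 pop3d: authentication error: Input/output error
Jun 25 03:12:28 host1 pop3d: LOGIN FAILED, user=d@example.com, ip=[192.0.2.10]
Jun 25 03:12:29 host1 imapd: LOGIN FAILED, user=e@example.com, ip=[::ffff:198.51.100.7]
Jun 25 03:12:29 host1 imapd: authentication error: Input/output error
Jun 25 03:12:30 host1 imapd: LOGIN FAILED, user=f@example.com, ip=[::ffff:198.51.100.7]
Jun 25 03:12:31 host1 imapd: LOGIN FAILED, user=g@example.com, ip=[2001:db8::1]
Jun 25 03:12:32 host1 imapd-ssl: LOGOUT, user=h@example.com, ip=[::ffff:203.0.113.5], headers=0, body=0
EOF
}

sample_log | failed_logins 2
```

On a live server, run it as `failed_logins 20 < /var/log/maillog` and `auth_errors < /var/log/maillog`.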