Imap failure notices on many servers after upgrade

[max_payne]

Chkservd is reporting imap failures with the following:

[B]Service Name[/B] imap
[B]Service Status[/B] failed 
[B]Notification[/B] The service “imap” appears to be down.
[B]Service Check Method[/B] The system failed to connect to this service’s TCP/IP port.
[B]Reason[/B] 
TCP Transaction Log:
<< * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See COPYING for distribution information.
>> A001 LOGIN __cpanel__service__auth__imap__4_8xl04p1fqfrjYsIwVYloQTuR80iQeQfHKzFIwJ8KE6PjtYHeW5OIFe5ijZzoYz YVsYxHdH1e3ggUcTh9KOG5UfDFKXDdsJV0wVGsY4jPQRDtZFSvTk5DzbyoKxoGLx
<< * BYE Temporary problem, please try again later
imap: ** [* BYE Temporary problem, please try again later != A001 OK]
: Died

This is happening across multiple servers. Is this a known issue?

 

[Kellykk2005]

We have been having this problem for the last few weeks. It did seem to crop up after a cpanel/whm upgrade.
The service “imap” appears to be down. Here is the email from the cpanel monitor. any help would be greatly apprechiated.

fyi: I do see this in /var/log/maillog:

Jun 25 21:50:22 host1 imapd-ssl: LOGOUT, user=<removed>, ip=[::ffff:98.191.201.25], headers=0, body=0, rcvd=322, sent=63422, time=21, starttls=1

Jun 25 21:50:22 host1 imapd-ssl: Unexpected SSL connection shutdown.
------------------------------------

Service Check Method

The system failed to connect to this service’s TCP/IP port.

Reason

TCP Transaction Log:

<< * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.

>> A001 LOGIN __cpanel__service__auth__imap__eI8yxx23QD6YIbnuJxDP3tlSYz_H8UoAJD91XT8MaluzeUg7rGUR3LclN9OO_Ay2 Gb5a2bQyULAp2sBFT2fw_iiXKbpToliEdSD0W2TzvwJ7JGzlQEvzhHk2TOqPiic_

<< * BYE Temporary problem, please try again later

imap: ** [* BYE Temporary problem, please try again later != A001 OK]

: Died

 

[max_payne]

We have been having this problem for the last few weeks. It did seem to crop up after a cpanel/whm upgrade.
The service “imap” appears to be down. Here is the email from the cpanel monitor. any help would be greatly apprechiated.

fyi: I do see this in /var/log/maillog:

Jun 25 21:50:22 host1 imapd-ssl: LOGOUT, user=<removed>, ip=[::ffff:98.191.201.25], headers=0, body=0, rcvd=322, sent=63422, time=21, starttls=1

Jun 25 21:50:22 host1 imapd-ssl: Unexpected SSL connection shutdown.
------------------------------------

Service Check Method

The system failed to connect to this service’s TCP/IP port.

Reason

TCP Transaction Log:

<< * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.

>> A001 LOGIN __cpanel__service__auth__imap__eI8yxx23QD6YIbnuJxDP3tlSYz_H8UoAJD91XT8MaluzeUg7rGUR3LclN9OO_Ay2 Gb5a2bQyULAp2sBFT2fw_iiXKbpToliEdSD0W2TzvwJ7JGzlQEvzhHk2TOqPiic_

<< * BYE Temporary problem, please try again later

imap: ** [* BYE Temporary problem, please try again later != A001 OK]

: Died

Yes, this issue started popping up after the cPanel upgrade to 11.50. It's happening on multiple VPS servers and is not an isolated issue. Anyone from cPanel have any insight on this?

 

[kbisignani]

Same thing here - upgraded to 11.50 on my VPS and all of a sudden I'm getting calls from clients that they can't check their email, and then I see this failure report come through. Checking the logs, I'm finding, right before the crash email is sent, the following error:

Jun 25 03:12:27 swan pop3d: LOGIN FAILED, user=[email protected], ip=[::ffff:xxx.xx.xxx.xx]
Jun 25 03:12:27 swan pop3d: authentication error: Input/output error

The log has a dozens of instances like this, with some using pop3d, some imapd...


I'm trying a upgrade to 11.50.20 and seeing if that resolves the issue, even though I don't really see anything in the changelog that sounds like this issue was fixed. But I'm willing to try anything.

I'm also using Courier... I've contemplated switching to Dovecot to see if that resolves the issue but since this is used by a number of clients I'm afraid to start messing with their email...

 

[cPanelNick]

Please open a ticket at https://tickets.cpanel.net/submit/ so we can help.

This is not something we have seen commonly on 11.50. The only ticket I could find that looked similar was the result of an out of disk space condition.

Also, I'd definitely recommend switching dovecot as we see significantly less problems with it.

 

[kbisignani]

Thank you Nick - I've done that. Guess I'll keep my fingers crossed that we can get this resolved!
Support Request Id 6750949

 

[kbisignani]

To update those following the thread, we've increased the amount of authentication daemons. This setting is found in WHM > Service Configuration > Mailserver Configuration and then scroll all the way to the bottom. Number of Authentication Daemons was set to "2" on my setup. We've changed it to 8 just a few moments ago and are crossing our fingers and hope this works.

My guess is that something in the 11.50 update created some type of instability between the IMAP service and the authentication mechanisms, which probably should be investigated further, but as a temporary workaround I'll be content if this keeps IMAP from crashing!

 

[cPanelMichael]

To update those following the thread, we've increased the amount of authentication daemons.

Hello

This could indicate a brute force attack on your mail server. The following command is useful if you are using Courier:

grep 'LOGIN FAILED' /var/log/maillog|awk '{print $9}'|sort|uniq -c | sort -n

It will list IP addresses with failed logins to the mail server. You may want to block any IP addresses with an excessive number of failed login attempts, or install a third-party firewall management utility such as CSF if you have not already done so.

Thank you.