IMAP Keeps Failing

[c0re]

Hey community,

I have a rather puzzling issue with the imap server. It's running courier at the moment and recently (in the last 2 weeks or so) I've been occasionally receiving emails about imap having failed. Usually it corrects itself after 5 or 6 attempts, but there are also other times where it seems unable to start for hours on end. The email that I keep receiving is the following:

imap failed @ Sun Feb 26 22:26:02 2012. A restart was attempted automagically.

Service Check Method: [tcp connect]

Failure Reason: TCP Transaction Log:
<< * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See COPYING for distribution information.
>> A001 LOGIN __cpanel__service__auth__imap__K5a77KDo1evd2JKnsdyMOTudYM32h_IaK2nYsC7oKww2TOz3UP6wGkox6obuU6BO dlBMdrCKNZebp6O2wnzHxAJt7hFS7Qt3Eu5rwLvcs98dkimvNofOFGIArZqAS0js
<< * BYE Temporary problem, please try again later
imap: ** [* BYE Temporary problem, please try again later != A001 OK]
: Died at /usr/local/cpanel/Cpanel/TailWatch/ChkServd.pm line 572, <GEN3> line 2.


Number of Restart Attempts: 28

Now after some searching, I did seem to get it working again last week by doing the following:

/scripts/restartsrv_cppop
/scripts/restartsrv_imap
/scripts/courierup --force
/scripts/eximup –force
/scripts/checkperlmodules –full –force
/scripts/upcp –force

Finally, I did also try switching to dovecot, but for some reason users still could not log into webmail on dovecot so I switched back to courier...

The problems returned a couple of days later, however, and I'm really not sure where else to look to solve this issue. Curiously, when I try to restart imap from WHM, it shows the following (but IMAP shows as down in the service status and it does not actually work).

Waiting for imap to restart...............finished.

couriertcpd (/usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=50 -maxperip=30 -nodnslookup -noidentlookup 995 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir) running as root with PID 10998
authdaemond (/usr/libexec/courier-authlib/authdaemond) running as root with PID 10975

imap started ok

I do apologize for being a Linux n00b - I spend most of my time administering IIS7/IIS7.5 servers which tend to produce much "friendlier" error messages.

Thanks for reading!

 

[Promethyl]

Any resolution on this? I'm experiencing it as well.

 

[wwwcad]

Any resolution on this? I'm experiencing it as well.

Same problem here.

 

[acenetryan]

Try increasing the number of authentication daemons in WHM -> Mailserver Configuration.

 

[alexio]

Try increasing the number of authentication daemons in WHM -> Mailserver Configuration.

I'm also just started experiencing this issue as of 5 days ago.

When you say to try increasing the authentication daemons...
Mine is set to 5...which I assume is the default.
Should I up it to say, 7, and see if the issue persists, or do you suggest a higher number?

Thanks ;-)

 

[cPanelMichael]

Hello

Look for instances of "authentication error: Input/output error" in /var/log/maillog. EX:

# grep "Input/output error" /var/log/maillog

You will typically see several occurrences of this error when there are not enough authentication daemons.

However, it could also indicate there are IP addresses with several failed login attempts which should be blocked. For example, you can run this command:

# grep 'LOGIN FAILED' /var/log/maillog|awk '{print $9}'|sort|uniq -c | sort -n

Blocking the IP addresses that have several failed connection attempts (this is typically a brute force attack) in your firewall can be useful in these types of cases.

Thank you.

 

[cPanelTristan]

Of note, if you have cPHulk Brute Force Protection enabled, it isn't blocking the courier LOGIN FAILED connections because cPHulk doesn't currently work for courier to detect failed logins. It only works for Dovecot. We have an internal case (39736) about this issue, since it cannot be fixed until the pluggable authentication project has been completed.

If you do have failed logins causing a high number of connections to Courier and in turn impacting services, you could always install CSF to block the brute force attacks on the server instead, since cPHulk cannot currently do it. CSF details for installation are available here:

http://forums.cpanel.net/f185/where-do-lookup-brute-force-attacks-243182.html#post1002822