Mail not working on server (sending and receiving)

David_spm

Well-Known Member
May 28, 2017
57
0
6
Thailand
cPanel Access Level
Root Administrator
I inherited a server some months ago and found that some of the accounts seemed to be sending out spam mail. At the time there were records like this in exim_mainlog:


2017-06-28 23:02:42 1dQPj7-0005Mm-JP <= [email protected] H=([127.0.0.1]) [78.90.72.196]:41899 P=esmtpa A=dovecot_plain:[email protected]_of_my_site.com S=15548 [email protected]_of_my_sites.com T="Hand regard: following the hand with the eyes!" for [email protected]

I deleted the email account in question and all email accounts for that website.

Also at that time I found that the directory for /var/spool/exim was filling up by several GB in the space of hours and the server's disk was becoming full because of it. I can't recall what I did exactly, but I think I may have deleted or removed something that I followed in a guide, and the disk usage stopped anyway.

Since then, though, mail doesn't seem to work on the server at all and I need to fix it now. It seems that no messages sent to any of the email addresses for the accounts are received, no mails from cron jobs and other tools are received by the root email, and test emails are never received either.

Exim is still running, though; here is some sample output from /exim_mainlog:

2017-10-13 05:28:34 SMTP connection from [51.254.125.108]:46176 (TCP/IP connection count = 2)
2017-10-13 05:28:36 dovecot_login authenticator failed for 108.ip-51-254-125.eu (ADMIN) [51.254.125.108]:46176: 535 Incorrect authentication data ([email protected]_site.com)
2017-10-13 05:28:36 SMTP connection from [127.0.0.1]:59006 (TCP/IP connection count = 3)
2017-10-13 05:28:36 SMTP connection from 108.ip-51-254-125.eu (ADMIN) [51.254.125.108]:46176 closed by QUIT


2017-10-13 05:28:55 1e2T9p-0002wB-Jh Sender identification U=another_site D=another_site.net [email protected]_site.net
2017-10-13 05:28:55 1e2uKp-0001KM-Kt Sender identification U=another_site D=another_site.net [email protected]_site.net
2017-10-13 05:28:55 1e2pHa-0004vO-Vz Message is frozen
2017-10-13 05:28:56 1e2vqV-0002Ey-GI Message is frozen
2017-10-13 05:28:56 1e2uxV-0003Vm-47 Message is frozen

A few other details:

In the WHM sent summary there is no activity, and the same goes for the mail delivery reports.

Mail queue manager seems to have a lot of activity in it. All messages there are either frozen or queued and seem to be from [System] and trying to go to either root, cpanel or [email protected]. There are also some mails trying to send from one of our sites to other email addresses I don't recognise (I would guess they are either users signed up to the site or people that have left a comment).

I'm not sure how to tackle this. Should I submit a ticket?

I should add that a lot of the messages are not needed and I'd be OK with re-installing everything from scratch for the mail on the server if needed.

thanks
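Added example, not part of the original thread: a small triage script for the kind of exim_mainlog lines quoted in the post above. It counts authenticated submissions per account and source IP, failed AUTH attempts per IP, and frozen messages. The sample log, the addresses and the `max_ips` threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in exim_mainlog format; addresses, hosts and IPs are placeholders.
SAMPLE_LOG = """\
2017-06-28 23:02:42 1dQPj7-0005Mm-JP <= info@example.com H=([127.0.0.1]) [203.0.113.7]:41899 P=esmtpa A=dovecot_plain:info@example.com S=15548 T="Hand regard" for a@example.net
2017-06-28 23:02:50 1dQPjF-0005Mn-2A <= info@example.com H=([127.0.0.1]) [198.51.100.23]:50211 P=esmtpa A=dovecot_plain:info@example.com S=15102 T="Hand regard" for b@example.net
2017-06-28 23:03:01 1dQPjQ-0005Mo-9C <= bob@example.org H=(laptop) [192.0.2.10]:51000 P=esmtpsa A=dovecot_login:bob@example.org S=912 T="Invoice" for c@example.net
2017-10-13 05:28:36 dovecot_login authenticator failed for host.example (ADMIN) [203.0.113.99]:46176: 535 Incorrect authentication data (set_id=admin@example.com)
2017-10-13 05:28:41 dovecot_login authenticator failed for host.example (ADMIN) [203.0.113.99]:46180: 535 Incorrect authentication data (set_id=root@example.com)
2017-10-13 05:28:55 1e2pHa-0004vO-Vz Message is frozen
"""

# "<=" arrival line: the real peer is the bracketed IP followed by :port, while
# H=(...) is only the HELO name the client chose to send. A=mechanism:account
# is present only when the client authenticated.
ARRIVAL = re.compile(r" <= \S+ .*?\[([0-9a-fA-F.:]+)\]:\d+ .*?\bA=\w+:(\S+)")
FAILED = re.compile(r"authenticator failed for .*?\[([0-9a-fA-F.:]+)\]:\d+: 535 ")

def summarize(log_text):
    """Return (per-account SMTP AUTH usage, failed-AUTH count per IP, frozen count)."""
    senders = defaultdict(lambda: {"messages": 0, "ips": set()})
    failed, frozen = Counter(), 0
    for line in log_text.splitlines():
        if m := ARRIVAL.search(line):
            ip, account = m.groups()
            senders[account]["messages"] += 1
            senders[account]["ips"].add(ip)
        elif m := FAILED.search(line):
            failed[m.group(1)] += 1
        elif line.endswith("Message is frozen"):
            frozen += 1
    return dict(senders), failed, frozen

def multi_source_accounts(senders, max_ips=1):
    """Accounts that authenticated from more than max_ips addresses (assumed threshold)."""
    return sorted(a for a, s in senders.items() if len(s["ips"]) > max_ips)

if __name__ == "__main__":
    senders, failed, frozen = summarize(SAMPLE_LOG)
    for account in multi_source_accounts(senders):
        print("review credentials for", account, sorted(senders[account]["ips"]))
    print("failed AUTH by IP:", dict(failed), "| frozen messages:", frozen)
```

An account that shows up here with many source IPs needs its password reset or the mailbox removed; the failed-AUTH counts show which remote addresses are still guessing credentials.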
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,226
463
Hello,

Do you notice any output to /var/log/exim_paniclog when encountering an issue with sending or receiving?

Thank you.
 

David_spm

This is all I see in the current paniclog:

2017-10-16 00:32:36 socket bind() to port 587 for address (any IPv6) failed: Address already in use: daemon abandoned

I have the logs rotated weekly and the older ones are compressed, but the logs dated 15th and 8th have nothing in them.
 

David_spm

Also, this is what I can see listening on port 587:

tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 21565/exim
tcp 0 0 :::587 :::* LISTEN 21565/exim
 

David_spm

One other thing, this is the output from a test mail I tried to send:

-bash-4.1$ echo "Subject: test" | /usr/sbin/exim -v [email protected]
LOG: MAIN
cwd=/home/me 3 args: /usr/sbin/exim -v [email protected]
LOG: MAIN
<= [email protected] U=me P=local S=323 T="test"
-bash-4.1$ LOG: MAIN
cwd=/var/spool/exim 4 args: /usr/sbin/exim -v -Mc 1e3zV1-0000MA-Py
delivering 1e3zV1-0000MA-Py
LOG: MAIN
** [email protected] R=enforce_mail_permissions: Gid 577 is not permitted to relay mail, or has directly called /usr/sbin/exim instead of /usr/sbin/sendmail.
LOG: MAIN
cwd=/var/spool/exim 8 args: /usr/sbin/exim -v -t -oem -oi -f <> -E1e3zV1-0000MA-Py
LOG: MAIN
<= <> R=1e3zV1-0000MA-Py U=mailnull P=local S=1645 T="Mail delivery failed: returning message to sender"
LOG: MAIN
cwd=/var/spool/exim 4 args: /usr/sbin/exim -v -Mc 1e3zV2-0000MF-23
delivering 1e3zV2-0000MF-23
LOG: MAIN
Completed
LMTP<< 220 server.myhostname.com Dovecot ready.
LMTP>> LHLO server.myhostname.com
LMTP<< 250-server.myhostname.com
LMTP<< 250-STARTTLS
LMTP<< 250-8BITMIME
LMTP<< 250-ENHANCEDSTATUSCODES
LMTP<< 250 PIPELINING
LMTP>> MAIL FROM:<>
LMTP<< 250 2.1.0 OK
LMTP>> RCPT TO:<[email protected]>
LMTP<< 250 2.1.5 OK
LMTP>> DATA
LMTP<< 354 OK
LMTP>> writing message and terminating "."
LMTP<< 250 2.0.0 <[email protected]> EN0WGsBa5FlsBQAAQA8zkQ Saved
LMTP>> QUIT
LMTP<< 221 2.0.0 OK
LOG: MAIN
=> me <[email protected]> R=localuser T=dovecot_delivery S=1798 C="250 2.0.0 <[email protected]> EN0WGsBa5FlsBQAAQA8zkQ Saved"
LOG: MAIN
Completed
 

cPWilliamL

cP Technical Analyst II
Staff member
May 15, 2017
258
30
103
America
cPanel Access Level
Root Administrator
Your last output is just improper use of the commands, not a sign of your issue. Opening a ticket will allow us to provide you with the best support. Once opened, you can paste the ticket ID here, and we can update this thread with the outcome. Looking over your output, I am not sure if any information relevant to your issue has been provided. Ideally, you would provide a full transaction which failed (i.e. 'exigrep <exim-msg-id> /var/log/exim_mainlog').

With that said, a random guess is that perhaps one of your exim databases is corrupt as in the post below:
Exim db corrupt with a few entries?