
One rogue message backs up everything

Discussion in 'E-mail Discussions' started by CldSwm, Jun 11, 2011.

  1. CldSwm

    CldSwm Registered

    Joined:
    Jun 11, 2011
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hi, I have one email message that seems to get stuck in the mail queue and for whatever reason stops any other emails from going through.

    I would have thought that exim would recognize that the email isn't working and move on to the rest, however this doesn't happen. Everything just stops working. I can manually deliver everything around that one email, however this obviously isn't ideal.

    At first the error that the bad email was giving was this:
    R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host lb.mail.msu.edu [35.9.75.15]: 421 Downstream server error

    Now the error that the bad email is giving is this:
    R=lookuphost T=remote_smtp defer (-18): Remote host lb.mail.msu.edu [35.9.75.15] closed connection in response to initial connection

    It's been in the queue now for 23 hours.

    I would just delete the message, however this isn't a good option because this email address is on one of my client's email lists so I'd rather have the email address bounce back so it's automatically added to their bounce list.

    So really it's a two-part question that I'd really appreciate some insight on. 1. Why does the mail queue back up just because one message can't be delivered? 2. Why hasn't the message bounced/is there a way to force the bounce as opposed to deleting it? 3. How to avoid an issue like this in the future.

    Also just so you know I've already tried the following which had no effect:
    /usr/sbin/exim_tidydb -t 1d /var/spool/exim retry > /dev/null
    /usr/sbin/exim_tidydb -t 1d /var/spool/exim reject > /dev/null
    /usr/sbin/exim_tidydb -t 1d /var/spool/exim wait-remote_smtp > /dev/null
    /scripts/courierup -- force
    /scripts/eximup --force
    restarted exim


    Thanks so much for your thoughts!!
     
  2. gkgcpanel

    gkgcpanel Well-Known Member

    Joined:
    Jun 6, 2007
    Messages:
    217
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    Was there ever a solution to this??? I'm now experiencing the same thing. One particular server is simply not sending all the messages. There are over 973 messages in the queue, and the server's load is very high (15.06)... I can clear this by running: exim -v -qff from the command line and it will start sending all those messages. After a few hours, the queue will be back down to 12 or so (which is reasonable). But a few hours later, the queue will be back at 700+ messages just stuck...

    I cannot run the exim -v -qff several times a day to clear this up... Something is causing those messages to back up...
     
  3. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Have you tried to check the exim logs as to why some of the messages are sitting in the queue? Check individual emails that are sitting there in WHM > Mail Queue Manager, then in SSH run the following for that message ID:

    Code:
    exigrep ID /var/log/exim_mainlog
    Where ID is the exim ID number of the message in the queue.
     
  4. gkgcpanel

    gkgcpanel Well-Known Member

    Seems to be because the load average is too high...

    "no immediate delivery: load average 26.43"

    However, exim is what is causing the load to be that high (it's at 4.37 now), and if I shut exim down for a few minutes, the load goes down. But it goes back up as soon as exim is restarted.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You'll have to go through the mails in /var/log/exim_mainlog or check the stats in WHM > View Sent Summary area to see what is causing it. Someone is either sending out too many emails or receiving far too many.
     
  6. gkgcpanel

    gkgcpanel Well-Known Member

    Interesting. User: -remote- sent out 26K messages since 5/6/2012. I don't have a user -remote- :)
     
  7. gkgcpanel

    gkgcpanel Well-Known Member

    Trying to view the detail for just the -remote- user and it fails (even for just a 5 minute reporting interval).
    I get: DeliveryReporter API internal failure : Timeout : Alarm at /usr/local/cpanel/bin/emailtrack line 24
     
  8. -GR-

    -GR- Active Member

    Joined:
    May 2, 2012
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Sounds like someone is using your server for a relay or, if you are hosting other accounts, someone is using your server for spam. Do you have port 25 blocked? Are you running CSF?
     
  9. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    cPanel machines are not configured to allow remote relaying without authentication (POP3 before SMTP). It would be really cool if people didn't claim a server to be a relay, since this freaks people out sometimes and isn't the case. If a user is sending emails, the account is either exploited (has an insecure script that is being used that exists on the account) or someone is sending emails on the account and faking their identity after authenticating. Localhost has to actually authenticate in some manner (be it user uploaded script using PHP mail() that exists owned as the user on the machine, or by authenticating before sending, or by logging into webmail) before it can relay emails. Remote relaying simply is not going to occur.

    I'm confused about the port 25 blocked portion. You cannot block port 25 and have emails function.
     
  10. -GR-

    -GR- Active Member

    I didn't mean as an open relay. I know cPanel does a good job out of the box with this. I was more meaning that without CSF or lfd to automatically block failed login attempts then it is open to where someone could finally authenticate and then use it for sending emails.

    In CSF there is an option in the settings to block port 25 coming in. I send all of my email through SSL.
     
  11. gkgcpanel

    gkgcpanel Well-Known Member

    Yes, I do have csf/lfd installed. There is nothing unusual going on that I have noticed.
     
  12. gkgcpanel

    gkgcpanel Well-Known Member

    Ok, so I kept running exim -v -qff until the message queue was down to about 6 messages remaining.
    Of those, 5 of them were spam, and one was a bounce message.

    Deleted all of them, and restarted exim.
    There were zero messages in the queue.

    As of this morning however, there are now 687 messages in the queue, and they do NOT appear to be processing. The rest of my cPanel servers don't have this problem, and there are around 7 to 30 in the queue.

    The load is still up and there is no evidence of a spammer or compromised account sending out messages.
     
  13. gkgcpanel

    gkgcpanel Well-Known Member

    Ok, so I just got a ton of these messages:

    spamd failed @ Tue May 8 12:27:48 2012. A restart was attempted automagically.

    Service Check Method: [check command]

    Number of Restart Attempts: 27

    Cmd Service Check Raw Output: Spamd is not running
    Raw Output: Subject: Test spam mail (GTUBE)
    Message-ID: <GTUBE1.1010101@example.net>
    Date: Wed, 23 Jul 2003 23:30:00 +0200
    From: Sender <sender@example.net>
    To: Recipient <recipient@example.net>
    Precedence: junk
    MIME-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    This is the GTUBE, the
    Generic
    Test for
    Unsolicited
    Bulk
    Email

    If your spam filter supports it, the GTUBE provides a test by which you
    can verify that the filter is installed correctly and is detecting incoming
    spam. You can send yourself a test mail containing the following string of
    characters (in upper case and with no white spaces and line breaks):

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

    You should send this test mail from an account outside of your network.


    Now, I have seen this generic test email before but the date on this one says "July 2003"!! (I know headers can be forged), so is this from cPanel?? Full headers show it's coming from cPanel ChkServd Service Monitor, so assuming so, but I have not ever seen this coming from any other cPanel server before.

    I also checked and spamd is running just fine.

    But so far, I have over 500 of these messages coming in..
     
  14. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    When a service appears to be restarting or failing for cPanel, you can definitely submit a ticket in that instance for us to investigate it. Please go to WHM > Support Center > Contact cPanel or use the link in my signature for opening up a ticket with us for this current issue. Thanks!
     
  15. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    Unless you have an /etc/alwaysrelay file and are allowing unauthenticated people to relay off the server, it's more likely -remote- is just messages coming in from remote servers that are being delivered to local or virtual users.
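
Added example (not part of any post in this thread, and not cPanel's code): one way to go through the Exim main log as suggested earlier, splitting arrivals into authenticated SMTP, local submission and unauthenticated remote delivery, the last being the inbound traffic described in the post above. The function names and the sample log lines are constructed for illustration, and the script assumes Exim's standard main-log field layout.

```shell
#!/bin/sh
# Added example: classify Exim main-log arrivals ("<=" lines) by entry path.
# Assumes Exim's standard log fields: A= (SMTP auth), U= (local user),
# P= (protocol) and a bracketed [ip] for the connecting host.

summarize_arrivals() {   # $1 = log path; prints "count class identity"
    awk '
    $4 == "<=" {
        auth = ""; user = ""; proto = ""; ip = ""
        for (i = 6; i <= NF; i++) {
            # The subject is sender-controlled text; stop before it so a
            # subject containing "A=..." or "U=..." cannot skew the counts.
            if ($i ~ /^T="/) break
            if ($i ~ /^A=/) auth = substr($i, 3)
            else if ($i ~ /^U=/) user = substr($i, 3)
            else if ($i ~ /^P=/) proto = substr($i, 3)
            else if ($i ~ /^\[.*\]/) { ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip) }
        }
        if (auth != "")            key = "auth " auth
        else if (proto == "local") key = "local " user
        else                       key = "remote " ip
        n[key]++
    }
    END { for (k in n) print n[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

count_load_deferred() {  # $1 = log path; messages queued because of load
    grep -c 'no immediate delivery: load average' "$1"
}

write_sample_log() {     # constructed sample lines, not from a real server
    cat > "$1" <<'EOF'
2012-05-08 12:00:01 1SRaaa-0000aa-AA <= bob@example.com H=(laptop) [192.0.2.10]:50000 P=esmtpa A=dovecot_login:bob@example.com S=900 T="hi" for x@example.net
2012-05-08 12:00:02 1SRaab-0000ab-AB <= web1@host.example.com U=web1 P=local S=700 T="A=dovecot_login:bob@example.com" for y@example.net
2012-05-08 12:00:03 1SRaac-0000ac-AC <= web1@host.example.com U=web1 P=local S=700 T="offer" for z@example.net
2012-05-08 12:00:04 1SRaad-0000ad-AD <= spam@example.org H=mx.example.org [198.51.100.7]:2525 P=esmtp S=2000 T="buy" for bob@example.com
2012-05-08 12:00:05 1SRaad-0000ad-AD no immediate delivery: load average 26.43
EOF
}

log=$(mktemp)
write_sample_log "$log"
summarize_arrivals "$log"
echo "load-deferred: $(count_load_deferred "$log")"
rm -f "$log"
```

A large "auth" or "local" count points at a specific mailbox or system user to investigate, while a large "remote" count is inbound mail from other servers rather than mail relayed out.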
     
  16. gkgcpanel

    gkgcpanel Well-Known Member

    Tristan and Nick,

    Thank you. I do not have an /etc/alwaysrelay file (good). When I arrived this morning, I only had 38 messages in the queue, and the spamd failure messages have stopped. I had assumed that whatever the problem was had corrected itself.

    No... I just checked and have now 1269 messages in the queue.

    They are still coming in every few minutes and Exim is running, but apparently not processing them.
    So once again, I have to run: exim -v -qff to force a queue run.

    That will take about an hour but the messages will then deliver (or bounce) accordingly.

    Here's an output from exiwhat

    exiwhat
    6390 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 26 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
    14669 handling incoming connection from [209.250.242.81]:19432
    16305 handling incoming connection from (fast-2979bb2e53) [175.110.158.96]:24516
    16901 handling incoming connection from [209.17.171.184]:36710
    17034 handling incoming connection from [64.34.184.72]:51810
    17453 handling TLS incoming connection from exchange.cph.com.lb [77.42.159.100]:24224
    17460 handling incoming connection from [190.120.230.116]:59131


    Load right now is at 4.69. (not great, but not that bad either).
     
  17. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Have you had the chance to submit the ticket previously requested be opened? If so, please provide that ticket number. Of note, tickets can be submitted by anyone with a licensed copy of cPanel for no additional cost.
     
  18. gkgcpanel

    gkgcpanel Well-Known Member

    Hi Tristan, yes, I just submitted it... I now have 3 servers having this problem.
    Ticket# 2654806

    Thanks
     