Permanent restart of exim

dtkoe · January 16, 2023, 11:33am

I noticed some oddity with my exim . The panel always shows that it has been running for 0 minutes. It turns out every minute it restarts. What could be? Here is the exim log…

What should I do to fix it? And why is it always 0?

log exim

eris · January 16, 2023, 11:36am

Maybe this is the cause?

Otherwise check last few log lines and post them here I am not going to read trough +40kb of log files for free

dtkoe · January 16, 2023, 11:45am

I also thought that it was connected with the cron, but no. The cron was removed, but did not do anything else. The server has rebooted and all services except exim are working fine…

mainlog:

2023-01-16 15:41:28 dovecot_login authenticator failed for (localhost) [46.148.40.192]: 535 Incorrect authentication data (set_id=ofelia)
2023-01-16 15:41:29 no host name found for IP address 46.148.40.136
2023-01-16 15:41:35 no host name found for IP address 46.148.40.146
2023-01-16 15:41:36 dovecot_login authenticator failed for (localhost) [46.148.40.136]: 535 Incorrect authentication data (set_id=tID)
2023-01-16 15:41:45 dovecot_login authenticator failed for (localhost) [46.148.40.146]: 535 Incorrect authentication data (set_id=aae)
2023-01-16 15:42:06 no host name found for IP address 45.66.230.158
2023-01-16 15:42:09 dovecot_login authenticator failed for ([45.66.230.158]) [45.66.230.158]: 535 Incorrect authentication data (set_id=telecom)
2023-01-16 15:42:12 no host name found for IP address 46.148.40.149
2023-01-16 15:42:21 dovecot_login authenticator failed for (localhost) [46.148.40.149]: 535 Incorrect authentication data (set_id=embaixador)

reject log:
2023-01-16 15:38:40 dovecot_login authenticator failed for (localhost) [46.148.40.114]: 535 Incorrect authentication data (set_id=mts)
2023-01-16 15:38:42 dovecot_login authenticator failed for (localhost) [46.148.40.199]: 535 Incorrect authentication data (set_id=zv)
2023-01-16 15:38:59 dovecot_login authenticator failed for (localhost) [46.148.40.13]: 535 Incorrect authentication data (set_id=epm)
2023-01-16 15:39:35 dovecot_login authenticator failed for (localhost) [46.148.40.147]: 535 Incorrect authentication data (set_id=xo0xo0!)
2023-01-16 15:39:45 dovecot_login authenticator failed for (localhost) [46.148.40.151]: 535 Incorrect authentication data (set_id=sexynat01)
2023-01-16 15:39:53 dovecot_login authenticator failed for (localhost) [46.148.40.94]: 535 Incorrect authentication data (set_id=jsoto)
2023-01-16 15:40:21 dovecot_login authenticator failed for (localhost) [46.148.40.153]: 535 Incorrect authentication data (set_id=relay4)
2023-01-16 15:40:31 dovecot_login authenticator failed for (localhost) [46.148.40.198]: 535 Incorrect authentication data (set_id=partenaire)
2023-01-16 15:40:58 dovecot_login authenticator failed for (localhost) [46.148.40.189]: 535 Incorrect authentication data (set_id=meetingroom)
2023-01-16 15:41:04 dovecot_login authenticator failed for (localhost) [46.148.40.148]: 535 Incorrect authentication data (set_id=viveplenitud)
2023-01-16 15:41:28 dovecot_login authenticator failed for (localhost) [46.148.40.192]: 535 Incorrect authentication data (set_id=ofelia)
2023-01-16 15:41:36 dovecot_login authenticator failed for (localhost) [46.148.40.136]: 535 Incorrect authentication data (set_id=tID)
2023-01-16 15:41:45 dovecot_login authenticator failed for (localhost) [46.148.40.146]: 535 Incorrect authentication data (set_id=aae)
2023-01-16 15:42:09 dovecot_login authenticator failed for ([45.66.230.158]) [45.66.230.158]: 535 Incorrect authentication data (set_id=telecom)
2023-01-16 15:42:21 dovecot_login authenticator failed for (localhost) [46.148.40.149]: 535 Incorrect authentication data (set_id=embaixador)

dovecot log
n 16 15:39:33 auth: Info: login(?,46.148.40.147): Username character disallowed by auth_username_chars: 0x21 (username: xo0xo0!)
Jan 16 15:39:43 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:39:51 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:40:19 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:40:29 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:40:56 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:41:02 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:41:26 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:41:34 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:41:43 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:41:45 imap([email protected])<14200><uJ4z/F/ylL9VGuuq>: Info: Connection closed (IDLE running for 0.001 + waiting input for 353.941 secs, 2 B in + 10 B out, state=wait-input) in=35 out=827 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jan 16 15:41:45 imap([email protected])<14201><S6Az/F/yENtVGuuq>: Info: Connection closed (IDLE running for 0.001 + waiting input for 354.183 secs, 2 B in + 10 B out, state=wait-input) in=27 out=777 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jan 16 15:42:07 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:42:19 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:42:25 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.167.97.38, lip=46.175.147.153, TLS, session=
Jan 16 15:42:43 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:42:48 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:42:51 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Jan 16 15:43:21 auth: Info: missing passwd file: /etc/exim4/domains//passwd

mail,log

Jan 16 14:22:14 panel spamd[2270]: spamd: connection from 127.0.0.1 [127.0.0.1]:35738 to port 783, fd 6
Jan 16 14:22:14 panel spamd[2270]: spamd: setuid to debian-spamd succeeded
Jan 16 14:22:14 panel spamd[2270]: spamd: checking message Cp5IEMPvn9d6zDX4BWk115cXIAYYbmlQL0jIaKTAVBs@expromt.speedbooking.ru for debian-spamd:113
Jan 16 14:22:14 panel spamd[2270]: spamd: clean message (-1.0/5.0) for debian-spamd:113 in 0.3 seconds, 5159 bytes.
Jan 16 14:22:14 panel spamd[2270]: spamd: result: . 0 - ALL_TRUSTED,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,URIBL_BLOCKED scantime=0.3,size=5159,user=debian-spamd,uid=113,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=35738,mid=Cp5IEMPvn9d6zDX4BWk115cXIAYYbmlQL0jIaKTAVBs@expromt.speedbooking.ru,autolearn=ham autolearn_force=no
Jan 16 14:46:08 panel spamd[580]: logger: removing stderr method
Jan 16 14:46:12 panel spamd[842]: zoom: able to use 395/395 ‘body_0’ compiled rules (100%)
Jan 16 14:46:12 panel spamd[842]: spamd: server started on IO::Socket::IP [::1]:783, IO::Socket::IP [127.0.0.1]:783 (running version 3.4.6)
Jan 16 14:46:12 panel spamd[842]: spamd: server pid: 842
Jan 16 14:46:12 panel spamd[842]: spamd: server successfully spawned child process, pid 2780
Jan 16 14:46:12 panel spamd[842]: spamd: server successfully spawned child process, pid 2785
Jan 16 14:46:12 panel spamd[842]: prefork: child states: IS
Jan 16 14:46:12 panel spamd[842]: prefork: child states: II
Jan 16 14:53:13 panel spamd[2780]: spamd: connection from 127.0.0.1 [127.0.0.1]:34670 to port 783, fd 6
Jan 16 14:53:13 panel spamd[2780]: spamd: setuid to debian-spamd succeeded
Jan 16 14:53:14 panel spamd[2780]: spamd: checking message [email protected] for debian-spamd:113
Jan 16 14:53:14 panel spamd[2780]: spamd: identified spam (8.5/5.0) for debian-spamd:113 in 0.8 seconds, 43170 bytes.
Jan 16 14:53:14 panel spamd[2780]: spamd: result: Y 8 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,RCVD_IN_PSBL,RCVD_IN_VALIDITY_RPBL,RDNS_NONE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID,URIBL_ABUSE_SURBL,URIBL_BLOCKED scantime=0.8,size=43170,user=debian-spamd,uid=113,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=34670,mid=[email protected],autolearn=no autolearn_force=no
Jan 16 14:53:14 panel spamd[842]: prefork: child states: II
Jan 16 15:13:49 panel spamd[585]: logger: removing stderr method
Jan 16 15:13:53 panel spamd[850]: zoom: able to use 395/395 ‘body_0’ compiled rules (100%)
Jan 16 15:13:53 panel spamd[850]: spamd: server started on IO::Socket::IP [::1]:783, IO::Socket::IP [127.0.0.1]:783 (running version 3.4.6)
Jan 16 15:13:53 panel spamd[850]: spamd: server pid: 850
Jan 16 15:13:53 panel spamd[850]: spamd: server successfully spawned child process, pid 2360
Jan 16 15:13:53 panel spamd[850]: spamd: server successfully spawned child process, pid 2370
Jan 16 15:13:53 panel spamd[850]: prefork: child states: II

eris · January 16, 2023, 11:55am

There are mo restart is in your logs:

dovecot_login authenticator failed for (localhost) [46.148.40.146]: 535 Incorrect authentication data (set_id=aae)

Users trying to connect to Dovecote and attempt to login

Jan 16 15:39:43 auth: Info: missing passwd file: /etc/exim4/domains//passwd
Same here without a matching domain

Spamd is also not important

dtkoe · January 16, 2023, 12:36pm

Do I understand correctly that nothing needs to be done?
And this activity is related to the work of bots that connect to my server?
And in fact the server itself does not reboot?
Can fail2ban somehow be configured to block?