Exim queue filling with mail to root

[sevenymedia]

I manage multiple DirectAdmin servers and since a week I'm seeing a strange issue on one of them.

Since last week the Exim queue on one of them is filling up with lots of e-mails to [email protected]. I compared log lines for some messages on multiple servers. I'm missing some log lines on the failing server.

The following are log lines for a message on the failing server

2021-09-14 19:06:30 1mQBt8-0001CT-MS <= root@***** U=root P=local S=801 T="lfd on *****: Excessive resource usage: nginx (1496 (Parent PID:1496))" from <root@*****> for root
2021-09-14 19:06:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1mQBt8-0001CT-MS
2021-09-14 19:06:30 1mQBt8-0001CT-MS User 0 set for local_delivery transport is on the never_users list
2021-09-14 19:06:30 1mQBt8-0001CT-MS == root@***** R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list

And these are the log lines for a message on a server which doesn't fillup it's queue

2021-09-14 17:02:46 1mQ9xO-0001Gn-Ky <= root@***** U=root P=local S=822 T="lfd on *****: Excessive resource usage: nginx (3159 (Parent PID:3159))" from <root@*****> for root
2021-09-14 17:02:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1mQ9xO-0001Gn-Ky
2021-09-14 17:02:46 1mQ9xO-0001Gn-Ky User 0 set for local_delivery transport is on the never_users list
2021-09-14 17:02:46 1mQ9xO-0001Gn-Ky == root@***** R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
2021-09-14 17:02:46 1mQ9xO-0001Gn-Ky ** root@*****: retry timeout exceeded
2021-09-14 17:02:46 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1mQ9xO-0001Gn-Ky
2021-09-14 17:02:46 1mQ9xO-0001H4-PH <= <> R=1mQ9xO-0001Gn-Ky U=mail P=local S=2131 T="Mail delivery failed: returning message to sender" from <> for root@*****
2021-09-14 17:02:46 1mQ9xO-0001Gn-Ky Completed

So when comparing the process on both servers I'm missing the following lines on the failing server, looks like it doesn't bounce or something

2021-09-14 17:02:46 1mQ9xO-0001Gn-Ky ** root@*****: retry timeout exceeded
2021-09-14 17:02:46 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1mQ9xO-0001Gn-Ky
2021-09-14 17:02:46 1mQ9xO-0001H4-PH <= <> R=1mQ9xO-0001Gn-Ky U=mail P=local S=2131 T="Mail delivery failed: returning message to sender" from <> for root@*****
2021-09-14 17:02:46 1mQ9xO-0001Gn-Ky Completed

Anybody who might be able to help my out on this one?

 

[Richard G]

It's easy, all system mails are send to root. If you don't take care that you can get root mail, you can see this happen if a lot of things happen.

There are 2 solutions for this.
1.) edit /etc/aliases and at the bottom, change
#root: marc
to
root: [email protected]
where [email protected] is an email address you want to receive system mails at.
The give the command newaliases and restart Exim.
I found this the best working method.

2.) create a .forward file in /root and put your email address in there.
Easier method but didn't seem to always work.

 

[sevenymedia]

Well actually I don't want to receive them, but the strange thing is that one the several servers the message seems to be dropped but one the 'failing' server it queued for a long time.

I checked the aliases and on both servers they're the same.. so can't really figure out why there's only one server filling up it's queue.

 

[Richard G]

Seems LFD is sending these mails to root.
Sorry, I was looking wrong, seems these are real system messages. You should investigate as to why this happens, so why is there a high resource usage on that server. This is causing all these mails.
That is why root system messages are important and imho not really smart to not receive them somewhere.

 

[sevenymedia]

I'll change the target for LFD.. but there are several alike mails which I don't really care about which should be 'dropped/bounced' or smth. But I don't really get what might be the root cause of the issue that on one server messages are dropped immediately and on the other server they're being queued.

 

[Richard G]

I don't know how many messages we are talking about, maybe it's high resource usage issue which is causing Exim to work more slowly too and thus creating a queue, hard to say.

FYI. I disabled most mails from LFD in the lfd.conf because I also don't care about temp and definite bans, so I almost don't get any mails from CSF/LFD. But root mails are enables because I do want to know about high loads and other system isseus like maybe notice from smart that is disk is not happy anymore.

 

[sevenymedia]

Think this gives a pretty good impression



I have no clue what changed in week 34.. but something did

 

[Richard G]

I have no clue what changed in week 34.. but something did

I don't have a clue either but the queue is not kept so high anymore so that seems a good thing.

 

[Richard G]

@zEitEr why the "wow" smiley? I can't have a clue if I don't know what's going on at the server or what changed.
So I'm only saying this because I can't help further at the moment (if even needed) and to me it seems that if a mail queue is not high anymore that is a good thing because then mail is going out. Right?

 

[zEitEr]

Just wondering why you replied the thread only now, no offence.

 

[Richard G]

only now, no offence.

No offence taken, I was just wondering, if I might had interpreted the results wrong.

I tend to reply to threads when I'm or was the only person helping in it (or specifically mentioned), and there is a new response coming. When I'm not sure if there is a new question, or think the TS is asking a new question and I don't know the answer, then I like to let the TS know that I don't know the answer or that I think it seems ok now, so he don't get's the impression I don't want to answer.