Package: exim4
Version: 4.94.2-7
Severity: important

Dear Maintainer,

Occasionally our Debian exim4 receives connection attempts that fail, according to the logs due to a gnutls error:

    2022-09-27 10:57:59 TLS error on connection from (win-6mz8f4q5s1j.domain) [103.151.122.163] (gnutls_handshake): A packet with illegal or unsupported version was received.

These connections then end up stuck in FIN_WAIT2 indefinitely. Our net.ipv4.tcp_fin_timeout is at the default of 60 (seconds).

    exim4 2878963 Debian-exim 19u IPv4 49706325 0t0 TCP 192.168.41.2:465->103.151.122.163:50158 (FIN_WAIT2)

This particular example has been there for well over 5 minutes now. It's coming up 20 minutes since our icinga2 alert tripped.

This implies that the issue is with exim4's code waiting indefinitely for the other end to properly close the connection, which never happens.

This ends up triggering icinga2 monitoring that trips if the number of exim4 processes exceeds the set amount. Eventually this would end up consuming enough RAM so as to make the system unusable.

I suspect that the connection attempts are related to spam, but it's difficult to be sure given that they never succeed.

I end up firewalling the source IPs and killing the processes.

-- Package-specific info:
Exim version 4.94.2 #2 built 13-Jul-2021 16:04:57
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /etc/exim4/exim4.conf
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='none'
dc_other_hostnames='"fysh.org:dbm;/etc/exim/domains.db"'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains='"dbm;/etc/exim/relays.db"'
dc_minimaldns='false'
dc_relay_nets='"dbm;/etc/exim/relayfrom.db"'
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
mailname:fysh.org
# /etc/default/exim4
EX4DEF_VERSION=''
# 'combined' - one daemon running queue and listening on SMTP port
# 'no' - no daemon running the queue
# 'separate' - two separate daemons
# 'ppp' - only run queue with /etc/ppp/ip-up.d/exim4.
# 'nodaemon' - no daemon is started at all.
# 'queueonly' - only a queue running daemon is started, no SMTP listener.
# setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4
QUEUERUNNER='combined'
# how often should we run the queue
QUEUEINTERVAL='5m'
# options common to quez-runner and listening daemon
COMMONOPTIONS=''
# more options for the daemon/process running the queue (applies to the one
# started in /etc/ppp/ip-up.d/exim4, too.
QUEUERUNNEROPTIONS=''
# special flags given to exim directly after the -q. See exim(8)
QFLAGS=''
# Options for the SMTP listener daemon. By default, it is listening on
# port 25 only. To listen on more ports, it is recommended to use
# -oX 25:587:10025 -oP /var/run/exim4/exim.pid
SMTPLISTENEROPTIONS=''

-- System Information:
Debian Release: 11.5
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.68-fysh-kvmguest (SMP w/8 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  exim4-base             4.94.2-7
ii  exim4-daemon-heavy     4.94.2-7

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf-show failed

-- 
- Athanasius (he/him) = Athanasius(at)miggy.org / https://miggy.org/
GPG/PGP Key: https://miggy.org/gpg-key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
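
Added example, not part of the original report: a small Python triage helper that correlates the gnutls_handshake errors in the exim4 main log with exim4 sockets sitting in FIN_WAIT2, so the lingering processes can be tied to the failed handshakes by remote IP. It assumes lsof output in the column layout quoted in the report (as from `lsof -nP -i TCP`); the first log line and first lsof line are the ones from the report, the others are constructed sample data.

```python
import re
from collections import defaultdict

# First line of each sample is quoted from the report; the rest are constructed.
SAMPLE_LOG = """\
2022-09-27 10:57:59 TLS error on connection from (win-6mz8f4q5s1j.domain) [103.151.122.163] (gnutls_handshake): A packet with illegal or unsupported version was received.
2022-09-27 10:58:03 TLS error on connection from [198.51.100.7] (gnutls_handshake): A packet with illegal or unsupported version was received.
"""
SAMPLE_LSOF = """\
exim4 2878963 Debian-exim 19u IPv4 49706325 0t0 TCP 192.168.41.2:465->103.151.122.163:50158 (FIN_WAIT2)
exim4 2879001 Debian-exim 19u IPv4 49706400 0t0 TCP 192.168.41.2:465->203.0.113.9:40112 (FIN_WAIT2)
exim4 2879050 Debian-exim 19u IPv4 49706455 0t0 TCP 192.168.41.2:25->198.51.100.7:51000 (ESTABLISHED)
"""

# Remote IP is the bracketed address right before "(gnutls_handshake)".
TLS_ERR = re.compile(
    r"TLS error on connection from .*?\[([0-9a-fA-F.:]+)\] \(gnutls_handshake\)")
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE local->remote:port (STATE)
LSOF_TCP = re.compile(
    r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"(\S+)->(\S+):(\d+)\s+\((\w+)\)$")

def tls_error_peers(log_text):
    """Remote IPs that logged a gnutls_handshake TLS error."""
    return {m.group(1) for m in map(TLS_ERR.search, log_text.splitlines()) if m}

def stuck_sockets(lsof_text, state="FIN_WAIT2"):
    """Yield (pid, remote_ip, remote_port) for exim sockets in `state`."""
    for line in lsof_text.splitlines():
        m = LSOF_TCP.match(line.strip())
        if m and m.group(1).startswith("exim") and m.group(6) == state:
            yield int(m.group(2)), m.group(4).strip("[]"), int(m.group(5))

def correlate(log_text, lsof_text):
    """Map remote IP -> exim PIDs in FIN_WAIT2 whose peer failed the handshake."""
    bad = tls_error_peers(log_text)
    hits = defaultdict(list)
    for pid, ip, _port in stuck_sockets(lsof_text):
        if ip in bad:
            hits[ip].append(pid)
    return dict(hits)

if __name__ == "__main__":
    for ip, pids in correlate(SAMPLE_LOG, SAMPLE_LSOF).items():
        print(f"{ip}: exim PIDs {pids} in FIN_WAIT2 after a TLS handshake error")
```

FIN_WAIT2 sockets whose peer has no logged handshake error (the constructed 203.0.113.9 entry) are deliberately left out of the result, so they can be investigated separately.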