Win Server 2012 R2 Updates causing hMailServer to go 100% CPU


Post by NigelRoth » 2019-11-15 16:36

On Nov 13 2019, the following Windows Server 2012 R2 updates were installed, and I use the latest hmail, hMailServer-5.6.7-B2425.

One or more of these appeared to rocket hmail to 100% CPU utilisation even when clamwin and spamassassin were turned off. This despite several server and many hmail reboots.
I eventually reinstalled hmail from scratch but the high cpu came back in 30% increments over 30 minutes until I uninstalled the windows updates.
There was nothing in the hmail logs that could explain this, even in debug mode.

2019-11 Servicing Stack Update for Windows Server 2012 R2 for x64-based Systems (KB4524445) - (Could not be uninstalled.)

2019-11 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB4525243) - (Uninstalled and did not present for reinstall)

Windows Malicious Software Removal Tool x64 - November 2019 (KB890830) - (Uninstalled and not later presented)

2019-10 Preview of Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 and Server 2012 R2 for x64 (KB4520408) - (Could not be uninstalled but later presented as optional and ignored.)

After uninstalling these where possible (see bracketed comments), it seems that hmail is back to its normal minimal cpu usage.

Has anyone any ideas?


Post by jimimaseye » 2019-11-17 22:40

So of all you have listed, the culprit is either:

KB4525243 or Windows Malicious Software Removal Tool x64 - November 2019 (KB890830), as they are the only ones you have uninstalled. And my money is on it not being the Windows Malicious Software Removal Tool (KB890830). Therefore it is KB4525243. As these are usually a mishmash of different 'situations' or conditions tackled and *fixed* (ahem!), and as these have been the cause in the past of Hmailserver random strange behaviours (solved only by removing such updates), it doesn't surprise me.

I don't have a production server anymore but am about to install the Windows 7 version on my laptop ("November 12, 2019—KB4525235 (Monthly Rollup)").

Hey ho. Here we go. If it goes belly up I will let you know.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829


Post by NigelRoth » 2019-11-18 14:04

I spoke too soon! Even after removing the updates that I could and definitely KB4525243, a few hours later the high cpu returned in 33% increments and I have been unable to determine the cause. At present the only solution is to restart hmail regularly, which is crazy.

Running procmon shows this error repeatedly and continuing around the same time as the jump in cpu.
11:41:02 hMailServer.exe 3828 FASTIO_NETWORK_QUERY_OPEN C:\inetpub\wwwroot\pci\logs\hMail\hmailserver_2019-11-18.log FAST IO DISALLOWED

But it might also have been this series
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegEnumValue HKLM\SOFTWARE\Wow6432Node\ODBC\ODBC.INI\hmail NO MORE ENTRIES Index: 6, Length: 8,108
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegCreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters REPARSE Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters REPARSE Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKLM\Software\Wow6432Node\Policies\Microsoft\Windows NT\DnsClient REPARSE Desired Access: Read
11:48:38 hMailServer.exe 3828 RegCreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters REPARSE Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters REPARSE Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKLM\Software\Wow6432Node\Policies\Microsoft\Windows NT\DnsClient REPARSE Desired Access: Read
11:48:38 hMailServer.exe 3828 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\PrimaryDomainName NAME NOT FOUND Length: 144
11:48:38 hMailServer.exe 3828 RegOpenKey HKLM\Software\Wow6432Node\Policies\Microsoft\System\DNSClient REPARSE Desired Access: Query Value
11:48:38 hMailServer.exe 3828 RegOpenKey HKLM\SOFTWARE\Policies\Microsoft\System\DNSClient NAME NOT FOUND Desired Access: Query Value

But why ODBC errors when everything is working, I cannot understand.
I still have SSL and antivirus off, and no spamassassin, but normal antispam params inc spamhaus, spamcop in DNS Blacklists.

Does anyone know how to report on such a jump in usage with more accuracy without watching the task manager and procmon all the time?

Any ideas gratefully received.
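
An added example, not part of any post in this thread: a small Python parser for Process Monitor lines in the text layout pasted above. It collapses repeated events and reports the seconds in which one process logged many non-SUCCESS results, so a saved capture can be lined up with the time of a CPU jump. The sample lines are taken from the excerpt above plus a constructed header row; the function names and the list of recognised result strings are assumptions of this example.

```python
import re
from collections import Counter

# Result strings that appear in the thread's excerpts, plus SUCCESS.
# Assumption of this example: a real capture can contain other results,
# which would then be counted as "skipped" lines.
RESULTS = ("NAME NOT FOUND", "NO MORE ENTRIES", "FAST IO DISALLOWED",
           "REPARSE", "SUCCESS")

# time  process  pid  operation  path (may contain spaces)  result  [detail]
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<process>\S+)\s+(?P<pid>\d+)\s+(?P<op>\S+)\s+"
    r"(?P<path>.+?)\s+(?P<result>" + "|".join(RESULTS) + r")"
    r"(?:\s+(?P<detail>.*))?$"
)

# Sample input: a constructed header row followed by lines from the post above.
SAMPLE = r"""
Time of Day Process Name PID Operation Path Result Detail
11:41:02 hMailServer.exe 3828 FASTIO_NETWORK_QUERY_OPEN C:\inetpub\wwwroot\pci\logs\hMail\hmailserver_2019-11-18.log FAST IO DISALLOWED
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegEnumValue HKLM\SOFTWARE\Wow6432Node\ODBC\ODBC.INI\hmail NO MORE ENTRIES Index: 6, Length: 8,108
11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
11:48:38 hMailServer.exe 3828 RegOpenKey HKLM\Software\Wow6432Node\Policies\Microsoft\Windows NT\DnsClient REPARSE Desired Access: Read
11:48:38 hMailServer.exe 3828 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\PrimaryDomainName NAME NOT FOUND Length: 144
"""


def parse_line(line):
    """Return one event as a dict, or None if the line is not an event."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    event["detail"] = event["detail"] or ""
    return event


def parse_export(text):
    """Parse a pasted capture; returns (events, number_of_skipped_lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1          # header row or an unrecognised result
        else:
            events.append(event)
    return events, skipped


def bursts(events, min_events=5):
    """(time, pid) -> count, for seconds with many non-SUCCESS results."""
    per_second = Counter(
        (e["time"], e["pid"]) for e in events if e["result"] != "SUCCESS"
    )
    return {key: n for key, n in per_second.items() if n >= min_events}


def collapse(events):
    """Fold repeated lines into (operation, path, result) -> count."""
    counts = Counter((e["op"], e["path"], e["result"]) for e in events)
    return counts.most_common()


if __name__ == "__main__":
    events, skipped = parse_export(SAMPLE)
    print(f"{len(events)} events parsed, {skipped} line(s) skipped")
    for (time, pid), n in bursts(events).items():
        print(f"burst at {time} from PID {pid}: {n} non-SUCCESS results")
    for (op, path, result), n in collapse(events):
        print(f"{n:3d}x {op:26s} {result:18s} {path}")
```
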


Post by Dravion » 2019-11-18 15:52

What SQL DB do you use and what about the "hMail" ODBC Alias in your logs?


Post by NigelRoth » 2019-11-18 19:35

Hi
I am using MySql 8 and have been for a long time before this happened last week.
Sorry, what do you mean by "the "hMail" ODBC Alias in your logs"?


Post by Dravion » 2019-11-18 22:37

This

11:48:38 hMailServer.exe 3828 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read

The Registry Hive Key HKU is designed for Application and User specific settings. As you can see, under ODBC.INI there is a Datasource called "hMail" defined, but it doesn't work as expected and caused a NOT FOUND error.


Post by NigelRoth » 2019-11-19 13:19

You may be onto something here, thanks.
There are no registry entries for ODBC, which is only under HKEY_USERS\S-1-5-21-3293545019-4099588382-1224259965-1001
And there is nothing relating to ODBC in the hmailserver class above. But surely these would be created on the hmail re-install that I did?
If not, where can I find the correct settings please?

Obviously hmail is finding its Unicode ODBC Driver in the DataSource 32bit, as the mysql database is not affected by this.


Post by NigelRoth » 2019-11-19 13:26

I may have pinned down the timing and it might be this set of procmon entries that causes the leap in cpu which certainly points at the Registry and more than one entry that hmail is looking for. So how to clean and reset ALL hmail registry entries is the next question if the re-install is not working.

18:43.9 hMailServer.exe 5940 FASTIO_NETWORK_QUERY_OPEN C:\Program Files (x86)\hMailServer\Data\{8384C527-8D50-4E8D-8A68-D1CAB340EC3B}.eml FAST IO DISALLOWED
18:43.9 hMailServer.exe 5940 RegOpenKey HKLM\System\CurrentControlSet\Control\Cryptography\Providers REPARSE Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKLM\System\CurrentControlSet\Control\Cryptography\Configuration REPARSE Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKLM\System\CurrentControlSet\Control\Cryptography\Providers REPARSE Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKLM\System\CurrentControlSet\Control\Cryptography\Configuration REPARSE Desired Access: Read
18:43.9 hMailServer.exe 5940 RegQueryValue HKCR\Wow6432Node\CLSID\{C8B522CB-5CF3-11CE-ADE5-00AA0044773D}\SPTimeOut NAME NOT FOUND Length: 144
18:43.9 hMailServer.exe 5940 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources NAME NOT FOUND Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
18:43.9 hMailServer.exe 5940 RegEnumValue HKLM\SOFTWARE\Wow6432Node\ODBC\ODBC.INI\hmail NO MORE ENTRIES Index: 6, Length: 8,108
18:43.9 hMailServer.exe 5940 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
18:43.9 hMailServer.exe 5940 RegCreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters REPARSE Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters REPARSE Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKLM\Software\Wow6432Node\Policies\Microsoft\Windows NT\DnsClient REPARSE Desired Access: Read
18:43.9 hMailServer.exe 5940 RegCreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters REPARSE Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters REPARSE Desired Access: Read
18:43.9 hMailServer.exe 5940 RegOpenKey HKLM\Software\Wow6432Node\Policies\Microsoft\Windows NT\DnsClient REPARSE Desired Access: Read
18:43.9 hMailServer.exe 5940 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\PrimaryDomainName NAME NOT FOUND Length: 144
18:43.9 hMailServer.exe 5940 RegOpenKey HKLM\Software\Wow6432Node\Policies\Microsoft\System\DNSClient REPARSE Desired Access: Query Value
18:43.9 hMailServer.exe 5940 RegOpenKey HKLM\SOFTWARE\Policies\Microsoft\System\DNSClient NAME NOT FOUND Desired Access: Query Value
18:49.6 hMailServer.exe 5940 FASTIO_NETWORK_QUERY_OPEN C:\inetpub\wwwroot\pci\logs\hMail\hmailserver_2019-11-19.log FAST IO DISALLOWED


Post by Dravion » 2019-11-19 13:53

Hmm, Fast IO disallowed looks like another part of the Problem, which is caused by the faulty Windows Update.
hMailServer uses the BOOST C++ Framework and especially its Async IO Component ASIO. On Windows, ASIO needs a functioning I/O Completion port to reliably adjust hMailServer's File, Networking and Memory utilisation.
According to your Procmon logs, Fast IO is now restricted and disallowed since you installed the faulty Windows patch. As a result hMailServer can no longer work asynchronously as designed and is trying to do its Job in a synchronous way, which requires a lot more System resources.


Post by NigelRoth » 2019-11-19 17:25

Mmm,
3 of the 4 updates were uninstalled but security update KB4524445 cannot be, as even using wusa, it says "it is required and cannot be uninstalled".
It is described as "2019-11 Servicing Stack Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 " which is suspiciously similar to the FAST IO issue you describe.
Any other way to get rid of it, other than reinstalling the whole server?


Post by Dravion » 2019-11-19 19:25

Try
1) Uninstalling hMailServer but leave the hMailServer and its Datafolder intact
2) Reset your Windows Updatesystem with the following Commands

On Command prompt run (As Administrator)
net stop bits
net stop wuauserv
net stop appidsvc
net stop cryptsvc

Then Delete the file:
C:\Windows\system32\catroot2
and folder
C:\Windows\SoftwareDistribution

Next start the Windows Services
net start bits
net start wuauserv
net start appidsvc
net start cryptsvc

Goto Windows Update and search for Updates, let Windows find and install all Updates.
Re-Install hMailServer fresh on the old hMailServer installation again.

Report back.


Post by NigelRoth » 2019-11-20 11:52

Thanks Dravion, I will certainly try this at the earliest next week as there are some critical users at present.
I will report back when complete.

How about the ODBC errors? Last time I re-installed hmail, it obviously did not add them into the registry.
regards Nigel


Post by NigelRoth » 2019-11-22 11:48

Hi
I have managed to pin down the events that cause hmail to go into hyperdrive. It is almost certainly these registry errors

09:39:33 hMailServer.exe 4952 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
09:39:33 hMailServer.exe 4952 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources NAME NOT FOUND Desired Access: Read
09:39:33 hMailServer.exe 4952 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
09:39:33 hMailServer.exe 4952 RegEnumValue HKLM\SOFTWARE\Wow6432Node\ODBC\ODBC.INI\hmail NO MORE ENTRIES Index: 6, Length: 8,108
09:39:33 hMailServer.exe 4952 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
09:39:33 hMailServer.exe 4952 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
09:39:33 hMailServer.exe 4952 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
09:39:33 hMailServer.exe 4952 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
09:39:33 hMailServer.exe 4952 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
09:39:33 hMailServer.exe 4952 RegOpenKey HKU\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\hMail NAME NOT FOUND Desired Access: Read
09:39:33 hMailServer.exe 4952 RegCreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters REPARSE Desired Access: Read
09:39:33 hMailServer.exe 4952 RegOpenKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters REPARSE Desired Access: Read
09:39:33 hMailServer.exe 4952 RegOpenKey HKLM\Software\Wow6432Node\Policies\Microsoft\Windows NT\DnsClient REPARSE Desired Access: Read
09:39:33 hMailServer.exe 4952 RegCreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters REPARSE Desired Access: Read
09:39:33 hMailServer.exe 4952 RegOpenKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters REPARSE Desired Access: Read
09:39:33 hMailServer.exe 4952 RegOpenKey HKLM\Software\Wow6432Node\Policies\Microsoft\Windows NT\DnsClient REPARSE Desired Access: Read
09:39:33 hMailServer.exe 4952 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\PrimaryDomainName NAME NOT FOUND Length: 144
09:39:33 hMailServer.exe 4952 RegOpenKey HKLM\Software\Wow6432Node\Policies\Microsoft\System\DNSClient REPARSE Desired Access: Query Value
09:39:33 hMailServer.exe 4952 RegOpenKey HKLM\SOFTWARE\Policies\Microsoft\System\DNSClient NAME NOT FOUND Desired Access: Query Value

I agree that resetting the windows updates is a good plan, but these registry entries were not re-created last time I re-installed hmail, and although hmail calls these entries, is it not the case that it does not create them?
In that case, is there a way to recreate what hmail is looking for, without resetting the whole server?


Post by Dravion » 2019-11-22 13:47

You really should reset your Windows Update cache first (this will not harm any installed updates) so Windows can repair the Update System if it has any Errors itself. After this install all updates you have left, because maybe there is a fix for your Problem already.

After this you can open a Windows Command prompt as Admin and run Windows Selfrepair with the command
sfc /scannow


Post by mattg » 2019-11-24 03:49

I still don't understand why there is ODBC driver involved

That's not normal for hMailserver is it?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Post by Dravion » 2019-11-24 18:18

mattg wrote:
2019-11-24 03:49
I still don't understand why there is ODBC driver involved

That's not normal for hMailserver is it?
The hMailServer Database Manager uses ODBC for example MS-SQL-Server or MS-OLE DB Provider for accessing MS-SQL-CE. It's not needed by MySQL or PostgreSQL.


Post by mattg » 2019-11-25 03:45

I use ADODB connections far more when I am using MS SQL Server (not for hMailserver).
The only time I'd use ODBC is linking to Excel ...

Post by NigelRoth » 2019-11-25 16:44

RE ODBC
I use ODBC in my eventhandler.vbs for some events, eg, to update a mailing list when a mailshot bounces. That probably explains why it is used, but not why it was getting errors.


Post by NigelRoth » 2019-11-25 16:50

RE UPDATES
Many thanks for your help, Dravion, I have run those commands and the CPU usage has been normal for several hours. I hope I am not speaking too soon!

Only 9 important updates then presented, one of which was KB4525243 security which I had been unable to uninstall previously and obviously avoided re-installing it.
It seems very likely that this was the culprit.

I am still getting FASTIO errors though on the logfile.

Post by mattg » 2019-11-25 16:52

I'd guess that the windows update has secured the ODBC connections some more and the registry entries got updated (or secured) with the windows patch...

Do the registry entries exist?
If so, I'd check the permissions on that section of the registry, for the user that runs the hMailserver SERVICE (normally 'local system' I think)

Post by NigelRoth » 2019-11-25 17:18

Mattg
No registry errors have appeared in procmon since the re-install. I checked some of the entries that were reported before and "ALL Applications" have read access as well as usual full admin and user rights. Only the FASTIO errors persist.

FYI - There were quite a few errors in the sfc scan that seem all to have been corrected but none related to hmail that I can see in the cbs.log.

C:\Windows\system32>sfc /scannow
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files and successfully repaired
them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not
supported in offline servicing scenarios.


Post by Dravion » 2019-11-25 18:57

Okay,

Rerun SFC /scannow and see if any Error is now fixed.
Sometimes SFC doesn't repair anything. If it comes back with more Errors, please report back and make sure you have your Windows Server 2012 R2 Original DVD or USB Stick ready and inserted for the next step.


Post by NigelRoth » 2019-11-26 16:37

SFC did not report any errors, many thanks Dravion, still normal CPU!


Post by Dravion » 2019-11-26 19:10

Ok, Problem solved :)


Post by NigelRoth » 2019-11-26 23:57

Unfortunately the problem is not solved.
After more than 24 hours of minimal CPU usage, the problem returned and the only way to stop these incremental 30% increases is to restart hmail via task scheduler every 30 minutes.
There have been no windows updates, but I will run procmon again tomorrow.


Post by Dravion » 2019-11-27 02:44

Just for clarification.
Do you run any VBScript or DCOM API accessing Scripts or Apps as your CPU usage spikes up?

Do you use SSDs or normal Harddrives?
Is your Server running on a public ip address?
Is hMailServer the official MX for your Domain?
Do you run hMail from within a VM?
Is hMailServer.exe consuming lots of Memory?

PS:
Grab your Windows Server 2012 R2 Install DVD or USB-Stick, you need it for further InDepth Windows checking and repair. License codes or Serial key is not needed.


Post by NigelRoth » 2019-11-27 11:25

Hi Dravion
Yes, my eventhandler.vbs uses custom scripts, but these have been in place for years. There does not appear to be any correlation with cpu increases.
The server is SSD (VPS from databasemart with 4 cores) and I have 3 private IPs, each with multiple domains. E.g., mail.slb.co.uk
Each domain has its own mail MX and hmailserver covers all the domains, albeit through one of the IPs.
hMail is not run within a VM other than the VPS.
Yes, hMailserver.exe starts at 0% and now increases by 30% every 10-15 minutes until it is using 100% of the whole CPU. (Hence scheduled restart every 30 mins). Previously the jump was 30-60 minutes.

As it is a rented VPS, my only option for reinstalling Windows is to reset the whole server from scratch, which I would like to avoid, mainly because resetting all the options is a pain. Data is well backed up.

Just ran sfc again and it's clean.
C:\Windows\system32>sfc /scannow
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection did not find any integrity violations.

Procmon is now showing a HUGE number of failures by hmailserver.exe, which make no sense, eg, these and many others. I have attached part of the logfile as a screen shot as txt and csv cannot be uploaded here.
53:37.2 hMailServer.exe 5592 RegOpenKey HKCR\ActivatableClasses\CLSID\{335CE9E1-32C5-4CB0-8BF6-CB925196E4D6} NAME NOT FOUND Desired Access: Read
53:37.2 hMailServer.exe 5592 RegOpenKey HKCR\Wow6432Node\CLSID\{335CE9E1-32C5-4CB0-8BF6-CB925196E4D6}\TreatAs NAME NOT FOUND Desired Access: Query Value
53:37.2 hMailServer.exe 5592 RegOpenKey HKCR\Wow6432Node\CLSID\{335CE9E1-32C5-4CB0-8BF6-CB925196E4D6}\InprocServer32 NAME NOT FOUND Desired Access: Read
53:37.2 hMailServer.exe 5592 RegOpenKey HKCR\Wow6432Node\CLSID\{335CE9E1-32C5-4CB0-8BF6-CB925196E4D6}\InprocHandler32 NAME NOT FOUND Desired Access: Query Value
53:37.2 hMailServer.exe 5592 RegOpenKey HKCR\Wow6432Node\CLSID\{335CE9E1-32C5-4CB0-8BF6-CB925196E4D6}\InprocHandler NAME NOT FOUND Desired Access: Query Value
53:37.2 hMailServer.exe 5592 RegOpenKey HKLM\SOFTWARE\Microsoft\WindowsRuntime\CLSID\{1FE5E5F1-870A-4139-9EC1-DFFA3A9A58C8} NAME NOT FOUND Desired Access: Read

Post by NigelRoth » 2019-11-27 14:32

REINSTALLED
As before but this time ran sfc (no errors) and disk clean (1.5gb of win upd) before trying new win update,
Reinstalled MySql 32 bit ODBC.
Deleted from task scheduler - user feed synch with bogus username and disabled 3 others similar as well as the hmail restart.

Ran win upd but 4 of the 9 prev reinstalled were seemingly already installed and no new updates avail.

No effect - within 30 minutes up to 34% hmail CPU usage and rising!

I did manage to trap the 200+ procmon errors at the time the leap happened and have attached a zip of the txt file.

Post by Dravion » 2019-11-27 17:08

Ok, the Registry logs don't help much to understand your Problem.
Please run hMailAdmin and tick all log settings to max, let hMailServer run, then zip the log files in your hMailServer\logs folder and attach them to your next reply.

First of all, you should do a DISM Repair on your Windows Server OS before starting with other actions.

DISM Check and Repair:
1) Open a Windows Command Prompt as Admin
2) Type in the following command
DISM /Online /Cleanup-Image /RestoreHealth /source:WIM:X:\Sources\Install.wim:1 /LimitAccess
(replace X: with your real DVD or USB Stick Drive letter which contains the Windows Server 2012 R2 Install files)

Report back if it could or could not find any errors and if it was able to fix all Errors

After this, run the following command
dism /Online /Cleanup-Image /AnalyzeComponentStore

Restart your Windows Server and take and report back.

PS: You also should install at least your latest Mainboard Drivers.
If you are unsure what drivers do you need, use the OpenSource Driver Helper tool called Snappy
http://sdi-tool.org/releases/SDI_R1909.zip

1) Download and unzip
2) Run SDI_auto.bat as Admin
3) Download only Index for this PC, wait.
4) Check the Drivers you need. You should Install all CPU, Mainboard and Chipset Drivers first.

#It's important to eliminate CPU Spikes in Windows to install the best drivers, according to Microsoft's Mark Russinovich's blog,
read https://blogs.technet.microsoft.com/mar ... pu-spikes/


Post by NigelRoth » 2019-11-27 18:29

Hi Dravion, I really appreciate your advice.
Unfortunately as it is a rented VPS, I have no access to the drivers or install disk/drive. I can only reset the entire server and reinstall all my stuff from scratch - last resort!

I have checked through the drivers in Device Manager and there are no issues reported. Since no new hardware has been added and there did not appear to be any device driver updates via windows, I would be surprised if this was the cause.

I had already set the hMail logging to include debug and the log zip is attached. I do not use IMAP and AWstats or TCP debugs showed nothing before. If you think it will help though, I have attached the log with the latest restart including the other settings.

I did try changing the logging setting to "keep files open" (thinking this might be causing the FASTIO error) and first time got the error "Changes could not be saved. RPC Server is unavailable Exception form hResult 0x800706BA". But RPC is running in Services. I tried to set it again and did not get the error. Restarted hMail and it's possible that has reduced the many FASTIO DISALLOWED errors although there are still some.

I ran "DISM.exe /Online /Cleanup-image /Restorehealth" earlier and it made no difference but I rebooted anyway.

I have run "dism /Online /Cleanup-Image /AnalyzeComponentStore" and it also was clean

C:\Windows\system32>dism /Online /Cleanup-Image /AnalyzeComponentStore
Deployment Image Servicing and Management tool
Version: 6.3.9600.19408
Image Version: 6.3.9600.19397
[===========================99.8%========================= ]
Component Store (WinSxS) information:
Windows Explorer Reported Size of Component Store : 8.57 GB
Actual Size of Component Store : 8.43 GB
Shared with Windows : 4.83 GB
Backups and Disabled Features : 3.06 GB
Cache and Temporary Data : 541.25 MB
Date of Last Cleanup : 2019-11-27 11:47:56
Number of Reclaimable Packages : 0
Component Store Cleanup Recommended : No
The operation completed successfully.

I am still getting a 34% leap every 10-15 minutes and I am sure it is the registry errors that cause this, but other than reinstalling the server completely, do not see any other way at present.
Attachment: hmailserver_2019-11-27.zip (389.61 KiB)

Dravion
Senior user
Posts: 1614
Joined: 2015-09-26 11:50
Location: Germany

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by Dravion » 2019-11-27 18:33

OK, then you should back up your data and reinstall the OS.

If you update, install only fixes, no new features.

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-01 17:08

Thanks for the help anyway.

A thought - I have over 6000 rule criteria across 100 rules. Is there a limit in hmail as this would have been the only other change made normally several times a week as new spam needs to be blocked? Are the criteria held in memory once accessed?

Dravion
Senior user
Posts: 1614
Joined: 2015-09-26 11:50
Location: Germany

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by Dravion » 2019-12-01 21:00

NigelRoth wrote:
2019-12-01 17:08
Thanks for the help anyway.

A thought - I have over 6000 rule criteria across 100 rules. Is there a limit in hmail as this would have been the only other change made normally several times a week as new spam needs to be blocked? Are the criteria held in memory once accessed?

Any rule is a processing step for the microprocessor.

String matching is the most performance-impacting operation which can be made in the programming world, regardless of whether it's a script or a compiled executable in binary code.

And as you can see, any possible Rule operation in hMailServer is based on a String matching operation.

Code: Select all

      pNode->AppendAttr(_T("Type"), StringParser::IntToString(type_));
      pNode->AppendAttr(_T("Subject"), subject_);
      pNode->AppendAttr(_T("Body"), body_);
      pNode->AppendAttr(_T("FromAddress"), from_address_);
      pNode->AppendAttr(_T("FromName"), from_name_);
      pNode->AppendAttr(_T("IMAPFolder"), imapfolder_);
      pNode->AppendAttr(_T("FileName"), filename_);
      pNode->AppendAttr(_T("To"), to_);
      pNode->AppendAttr(_T("ScriptFunction"), script_function_);
      pNode->AppendAttr(_T("SortOrder"), StringParser::IntToString(sort_order_));
      pNode->AppendAttr(_T("Header"), header_name_);
      pNode->AppendAttr(_T("Value"), value_);
      pNode->AppendAttr(_T("RouteID"), StringParser::IntToString(route_id_));

If you have 100 rules with 600 criteria, it means you have 600x string matching operations on any hMailServer processing cycle loop.

It would be very helpful to know something like this in the first place, before we take steps to repair Windows...

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-02 14:55

Sure, I understand, but wondered if recent additions to the rules and criteria might have tipped a limit.

I have over 7000 string matching criteria spread over 170 rules. Most criteria are matched on From contains or Body contains specific words, but there are a few wildcard string domain matches e.g. *.top (which is becoming a common nuisance). I try to arrange them in rule order of descending hits.
All accepted emails are logged to the database on acceptance before the rules are processed.
Plus all the rules include a small VBS script to update the database log as blocked if matched.

sbsllc
New user
Posts: 7
Joined: 2018-06-25 21:29

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by sbsllc » 2019-12-05 14:56

Do we still feel that the high CPU usage was caused by the Windows update, or do we feel this is being caused by the number of rules being processed?

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-06 14:33

I am sure it was the updates, but have not yet reinstalled the server.
The CPU usage only started jumping up, the day of the updates. No issues known prior to that.
The jumps did not coincide with any rule processing as far as I can see.
However, I am going to try disabling the rules completely for a while over this weekend.

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-08 11:00

Disabling all the rules made no difference to the CPU usage which leaps 34% until it consumes 100% in anything from 45 mins to several hours.
There is no correlation with rules or any other activity that I can see. (Of course while running perfmon, it only leaps when you're not watching! But the log shows nothing relevant I can see).
Next step is to re-install the server from scratch.

Dravion
Senior user
Posts: 1614
Joined: 2015-09-26 11:50
Location: Germany

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by Dravion » 2019-12-08 13:08

NigelRoth wrote:
2019-12-08 11:00
Disabling all the rules made no difference to the CPU usage which leaps 34% until it consumes 100% in anything from 45 mins to several hours.
There is no correlation with rules or any other activity that I can see. (Of course while running perfmon, it only leaps when you're not watching! But the log shows nothing relevant I can see).
Next step is to re-install the server from scratch.

Try the same on real hardware. Maybe it's a VM problem and your host system doesn't scale well or has a bug.

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-09 18:42

As I said, I don't have my own server, and there have been no other changes to the server other than the win update 13 Nov, so it is very unlikely to be anything else.
I have been using this server for many years without issues.

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-18 12:45

Although I have not reinstalled the server yet, I may have come across a possible cause. The leaps in cpu usage are irregular but I noticed that some ip addresses do not send when asked but repeatedly keep trying; each time they appear to be connected to sessions not being closed when the remote server fails to send when told to.
Here are 3 jumps at 21:24 session 887, 21:29 session 897 and 21:37 session 909 - all from the same sender on different but linked ips.
Other instances are also from "major" ips such as amazon which is surprising.

136 "debug" 5152 "2019-12-17 21:24:34.849" "creating session 889"
137 "debug" 5152 "2019-12-17 21:24:34.849" "tcp connection started for session 887"
138 "smtpd" 5152 887 "2019-12-17 21:24:34.849" "54.240.10.86" "sent: 220 pci here"
139 "smtpd" 3548 887 "2019-12-17 21:24:34.880" "54.240.10.86" "received: ehlo a10-86.smtp-out.amazonses.com"
140 "smtpd" 3548 887 "2019-12-17 21:24:34.880" "54.240.10.86" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
141 "smtpd" 5380 887 "2019-12-17 21:24:34.911" "54.240.10.86" "received: mail from:|0100016f15bf856d-e8170eb6-2e8b-4510-a761-b8f8609b07a0-000000@bounces.duolingo.com|"
142 "debug" 5380 "2019-12-17 21:24:34.974" "spam test: spamtestdnsblacklists, score: 0"
143 "debug" 5380 "2019-12-17 21:24:34.989" "spam test: spamtesthelohost, score: 0"
144 "debug" 5380 "2019-12-17 21:24:34.989" "spam test: spamtestmxrecords, score: 0"
145 "debug" 5380 "2019-12-17 21:24:35.005" "spam test: spamtestspf, score: 0"
146 "debug" 5380 "2019-12-17 21:24:35.005" "total spam score: 0"
147 "smtpd" 5380 887 "2019-12-17 21:24:35.021" "54.240.10.86" "sent: 250 ok"
148 "smtpd" 3548 887 "2019-12-17 21:24:35.052" "54.240.10.86" "received: rcpt to:|nigel@selnet.co.uk|"
149 "smtpd" 3548 887 "2019-12-17 21:24:35.052" "54.240.10.86" "sent: 250 ok"
150 "smtpd" 5152 887 "2019-12-17 21:24:35.083" "54.240.10.86" "received: data"
151 "smtpd" 5152 887 "2019-12-17 21:24:35.099" "54.240.10.86" "sent: 354 ok, send."
152 "debug" 3548 "2019-12-17 21:24:35.239" "adding task asynchronoustask to work queue asynchronous task queue"
153 "debug" 3424 "2019-12-17 21:24:35.239" "executing task asynchronoustask in work queue asynchronous task queue"
154 "debug" 3424 "2019-12-17 21:24:35.255" "total spam score: 0"
155 "debug" 3424 "2019-12-17 21:24:35.255" "executing event onacceptmessage"
156 "debug" 5152 "2019-12-17 21:25:24.989" "creating session 890"
157 "debug" 5152 "2019-12-17 21:25:24.989" "tcp connection started for session 889"
158 "smtpd" 5152 889 "2019-12-17 21:25:24.989" "185.234.219.113" "sent: 220 pci here"
159 "smtpd" 3548 889 "2019-12-17 21:25:25.286" "185.234.219.113" "received: ehlo zdorovetska.com"
160 "smtpd" 3548 889 "2019-12-17 21:25:25.286" "185.234.219.113" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
161 "smtpd" 3960 889 "2019-12-17 21:25:25.443" "185.234.219.113" "received: auth login"
162 "smtpd" 3960 889 "2019-12-17 21:25:25.443" "185.234.219.113" "sent: 334 vxnlcm5hbwu6"
163 "smtpd" 3548 889 "2019-12-17 21:25:25.583" "185.234.219.113" "received: chj1zwjhc0b6zg9yb3zldhnrys5jb20="
164 "smtpd" 3548 889 "2019-12-17 21:25:25.583" "185.234.219.113" "sent: 334 ugfzc3dvcmq6"
165 "smtpd" 5380 889 "2019-12-17 21:25:25.724" "185.234.219.113" "received: ***"
166 "smtpd" 5380 889 "2019-12-17 21:25:25.755" "185.234.219.113" "sent: 535 authentication failed. restarting authentication process."
167 "debug" 5380 "2019-12-17 21:25:25.958" "the read operation failed. bytes transferred: 0 remote ip: 185.234.219.113, session: 889, code: 2, message: end of file"
168 "debug" 5380 "2019-12-17 21:25:25.958" "ending session 889"
169 "debug" 5152 "2019-12-17 21:25:40.708" "creating session 891"
170 "debug" 5152 "2019-12-17 21:25:40.708" "tcp connection started for session 890"
171 "smtpd" 5152 890 "2019-12-17 21:25:40.708" "185.142.99.149" "sent: 220 pci here"
172 "smtpd" 5152 890 "2019-12-17 21:25:40.708" "185.142.99.149" "received: ehlo daledlac.xyz"
173 "smtpd" 5152 890 "2019-12-17 21:25:40.708" "185.142.99.149" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
174 "smtpd" 3960 890 "2019-12-17 21:25:40.708" "185.142.99.149" "received: mail from:|pierre@daledlac.xyz|"
175 "debug" 3960 "2019-12-17 21:25:40.771" "spam test: spamtestdnsblacklists, score: 0"
176 "debug" 3960 "2019-12-17 21:25:40.818" "spam test: spamtesthelohost, score: 0"
177 "debug" 3960 "2019-12-17 21:25:40.818" "spam test: spamtestmxrecords, score: 0"
178 "debug" 3960 "2019-12-17 21:25:40.849" "spam test: spamtestspf, score: 0"
179 "debug" 3960 "2019-12-17 21:25:40.849" "total spam score: 0"
180 "smtpd" 3960 890 "2019-12-17 21:25:40.849" "185.142.99.149" "sent: 250 ok"
181 "smtpd" 5380 890 "2019-12-17 21:25:40.849" "185.142.99.149" "received: rcpt to:|deen.swarray@anglocyprushomes.com|"
182 "smtpd" 5380 890 "2019-12-17 21:25:40.849" "185.142.99.149" "sent: 550 unknown user"
183 "smtpd" 3960 890 "2019-12-17 21:25:40.864" "185.142.99.149" "received: quit"
184 "debug" 3960 "2019-12-17 21:25:40.864" "deleting message file."
185 "smtpd" 3960 890 "2019-12-17 21:25:40.864" "185.142.99.149" "sent: 221 goodbye"
186 "debug" 3548 "2019-12-17 21:25:40.864" "ending session 890"



250 "debug" 5152 "2019-12-17 21:29:09.193" "creating session 897"
251 "debug" 5152 "2019-12-17 21:29:09.193" "tcp connection started for session 896"
252 "smtpd" 5152 896 "2019-12-17 21:29:09.193" "185.251.33.194" "sent: 220 pci here"
253 "smtpd" 3960 896 "2019-12-17 21:29:09.630" "185.251.33.194" "received: ehlo lpv-ct.it"
254 "smtpd" 3960 896 "2019-12-17 21:29:09.630" "185.251.33.194" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
255 "smtpd" 3960 896 "2019-12-17 21:29:10.083" "185.251.33.194" "received: mail from: |rogerallen@lpv-ct.it|"
256 "debug" 3960 "2019-12-17 21:29:10.114" "spam test: spamtestdnsblacklists, score: 3"
257 "debug" 3960 "2019-12-17 21:29:10.161" "spam test: spamtesthelohost, score: 2"
258 "debug" 3960 "2019-12-17 21:29:10.239" "spam test: spamtestmxrecords, score: 2"
259 "debug" 3960 "2019-12-17 21:29:10.239" "spam test: spamtestspf, score: 0"
260 "debug" 3960 "2019-12-17 21:29:10.239" "total spam score: 7"
261 "smtpd" 3960 896 "2019-12-17 21:29:10.239" "185.251.33.194" "sent: 250 ok"
262 "smtpd" 3548 896 "2019-12-17 21:29:10.568" "185.251.33.194" "received: rcpt to: |pguerassimov@slb.co.uk|"
263 "smtpd" 3548 896 "2019-12-17 21:29:10.568" "185.251.33.194" "sent: 550 unknown user"
264 "debug" 3960 "2019-12-17 21:29:10.943" "the read operation failed. bytes transferred: 0 remote ip: 185.251.33.194, session: 896, code: 2, message: end of file"
265 "debug" 3960 "2019-12-17 21:29:10.943" "deleting message file."
266 "debug" 3960 "2019-12-17 21:29:10.943" "ending session 896"
267 "debug" 5152 "2019-12-17 21:29:34.630" "creating session 898"
268 "debug" 5152 "2019-12-17 21:29:34.630" "tcp connection started for session 897"
269 "smtpd" 5152 897 "2019-12-17 21:29:34.646" "54.240.10.226" "sent: 220 pci here"
270 "smtpd" 5152 897 "2019-12-17 21:29:34.677" "54.240.10.226" "received: ehlo a10-226.smtp-out.amazonses.com"
271 "smtpd" 5152 897 "2019-12-17 21:29:34.677" "54.240.10.226" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
272 "smtpd" 3960 897 "2019-12-17 21:29:34.708" "54.240.10.226" "received: mail from:|0100016f15bf856d-e8170eb6-2e8b-4510-a761-b8f8609b07a0-000000@bounces.duolingo.com|"
273 "debug" 3960 "2019-12-17 21:29:34.739" "spam test: spamtestdnsblacklists, score: 0"
274 "debug" 3960 "2019-12-17 21:29:34.786" "spam test: spamtesthelohost, score: 0"
275 "debug" 3960 "2019-12-17 21:29:34.786" "spam test: spamtestmxrecords, score: 0"
276 "debug" 3960 "2019-12-17 21:29:34.802" "spam test: spamtestspf, score: 0"
277 "debug" 3960 "2019-12-17 21:29:34.802" "total spam score: 0"
278 "smtpd" 3960 897 "2019-12-17 21:29:34.802" "54.240.10.226" "sent: 250 ok"
279 "smtpd" 3548 897 "2019-12-17 21:29:34.833" "54.240.10.226" "received: rcpt to:|nigel@selnet.co.uk|"
280 "smtpd" 3548 897 "2019-12-17 21:29:34.833" "54.240.10.226" "sent: 250 ok"
281 "smtpd" 5152 897 "2019-12-17 21:29:34.864" "54.240.10.226" "received: data"
282 "smtpd" 5152 897 "2019-12-17 21:29:34.864" "54.240.10.226" "sent: 354 ok, send."
283 "debug" 4764 "2019-12-17 21:29:35.005" "adding task asynchronoustask to work queue asynchronous task queue"
284 "debug" 3172 "2019-12-17 21:29:35.005" "executing task asynchronoustask in work queue asynchronous task queue"
285 "debug" 3172 "2019-12-17 21:29:35.005" "total spam score: 0"
286 "debug" 3172 "2019-12-17 21:29:35.005" "executing event onacceptmessage"
287 "debug" 5152 "2019-12-17 21:30:08.630" "creating session 899"
288 "debug" 5152 "2019-12-17 21:30:08.630" "client connection from 45.82.153.83 was not accepted. blocked either by ip range or by connection limit."
289 "debug" 5152 "2019-12-17 21:30:08.630" "ending session 898"
290 "debug" 5152 "2019-12-17 21:31:09.771" "creating session 900"
291 "debug" 5152 "2019-12-17 21:31:09.771" "tcp connection started for session 899"


584 "debug" 5152 "2019-12-17 21:37:02.849" "creating session 909"
585 "debug" 5152 "2019-12-17 21:37:02.849" "client connection from 45.82.153.83 was not accepted. blocked either by ip range or by connection limit."
586 "debug" 5152 "2019-12-17 21:37:02.849" "ending session 908"
587 "debug" 5152 "2019-12-17 21:37:06.364" "creating session 910"
588 "debug" 5152 "2019-12-17 21:37:06.364" "tcp connection started for session 909"
589 "smtpd" 5152 909 "2019-12-17 21:37:06.364" "54.240.31.182" "sent: 220 pci here"
590 "smtpd" 5424 909 "2019-12-17 21:37:06.396" "54.240.31.182" "received: ehlo a31-182.smtp-out.amazonses.com"
591 "smtpd" 5424 909 "2019-12-17 21:37:06.396" "54.240.31.182" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
592 "smtpd" 3824 909 "2019-12-17 21:37:06.427" "54.240.31.182" "received: mail from:|0100016f15bf856d-e8170eb6-2e8b-4510-a761-b8f8609b07a0-000000@bounces.duolingo.com|"
593 "debug" 3824 "2019-12-17 21:37:06.474" "spam test: spamtestdnsblacklists, score: 0"
594 "debug" 3824 "2019-12-17 21:37:06.489" "spam test: spamtesthelohost, score: 0"
595 "debug" 3824 "2019-12-17 21:37:06.536" "spam test: spamtestmxrecords, score: 0"
596 "debug" 3824 "2019-12-17 21:37:06.552" "spam test: spamtestspf, score: 0"
597 "debug" 3824 "2019-12-17 21:37:06.552" "total spam score: 0"
598 "smtpd" 3824 909 "2019-12-17 21:37:06.552" "54.240.31.182" "sent: 250 ok"
599 "smtpd" 5424 909 "2019-12-17 21:37:06.599" "54.240.31.182" "received: rcpt to:|nigel@selnet.co.uk|"
600 "smtpd" 5424 909 "2019-12-17 21:37:06.599" "54.240.31.182" "sent: 250 ok"
601 "smtpd" 5152 909 "2019-12-17 21:37:06.630" "54.240.31.182" "received: data"
602 "smtpd" 5152 909 "2019-12-17 21:37:06.630" "54.240.31.182" "sent: 354 ok, send."
603 "debug" 3548 "2019-12-17 21:37:06.771" "adding task asynchronoustask to work queue asynchronous task queue"
604 "debug" 3812 "2019-12-17 21:37:06.771" "executing task asynchronoustask in work queue asynchronous task queue"
605 "debug" 3812 "2019-12-17 21:37:06.771" "total spam score: 0"
606 "debug" 3812 "2019-12-17 21:37:06.771" "executing event onacceptmessage"
607 "debug" 5152 "2019-12-17 21:39:31.489" "creating session 911"
608 "debug" 5152 "2019-12-17 21:39:31.489" "tcp connection started for session 910"
609 "smtpd" 5152 910 "2019-12-17 21:39:31.489" "185.234.219.113" "sent: 220 pci here"
610 "smtpd" 5152 910 "2019-12-17 21:39:31.661" "185.234.219.113" "received: ehlo zdorovetska.com"
611 "smtpd" 5152 910 "2019-12-17 21:39:31.661" "185.234.219.113" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
612 "smtpd" 4764 910 "2019-12-17 21:39:31.802" "185.234.219.113" "received: auth login"
613 "smtpd" 4764 910 "2019-12-17 21:39:31.802" "185.234.219.113" "sent: 334 vxnlcm5hbwu6"
614 "smtpd" 4652 910 "2019-12-17 21:39:31.943" "185.234.219.113" "received: ywnjb3vudhnaemrvcm92zxrza2euy29t"
615 "smtpd" 4652 910 "2019-12-17 21:39:31.943" "185.234.219.113" "sent: 334 ugfzc3dvcmq6"
616 "smtpd" 3548 910 "2019-12-17 21:39:32.099" "185.234.219.113" "received: ***"
617 "smtpd" 3548 910 "2019-12-17 21:39:32.114" "185.234.219.113" "sent: 535 authentication failed. too many invalid logon attempts."
618 "debug" 3960 "2019-12-17 21:39:32.271" "ending session 910"

Here is the perfmon confirming these times.
[Attached image: p2.gif]
If I am right, then this looks more like a problem in hmail but possibly initiated by the windows update that started all this on Nov 13.

One other thing, all these 3 failed emails have been stored in the data folder despite not appearing to be received. There are 6 subsequent attempts from this sender but which occurred overnight while the hmail process was at 100% cpu. Other eml's still in the data folder relate to the initial ips that I spotted this discrepancy with.

And it has just jumped again from the same sender at 10:57!

Thoughts please.
Nigel
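The check described in the post above (sessions that log "tcp connection started" but never "ending session") can be automated. This is an added example, not part of the original post or of hMailServer; the sample log lines are constructed in the excerpt's layout with documentation-range addresses, and the function names and the two-minute idle threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the excerpt above (leading line number,
# lower-cased fields). Addresses are documentation ranges, not real senders.
SAMPLE_LOG = """\
1 "debug" 5152 "2019-12-17 21:24:34.849" "tcp connection started for session 101"
2 "smtpd" 5152 101 "2019-12-17 21:24:34.849" "192.0.2.10" "sent: 220 mail.example.test"
3 "smtpd" 3548 101 "2019-12-17 21:24:35.083" "192.0.2.10" "received: data"
4 "smtpd" 5152 101 "2019-12-17 21:24:35.099" "192.0.2.10" "sent: 354 ok, send."
5 "debug" 3424 "2019-12-17 21:24:35.255" "executing event onacceptmessage"
6 "debug" 5152 "2019-12-17 21:25:40.708" "tcp connection started for session 102"
7 "smtpd" 5380 102 "2019-12-17 21:25:40.849" "198.51.100.7" "sent: 550 unknown user"
8 "smtpd" 3960 102 "2019-12-17 21:25:40.864" "198.51.100.7" "received: quit"
9 "smtpd" 3960 102 "2019-12-17 21:25:40.864" "198.51.100.7" "sent: 221 goodbye"
10 "debug" 3548 "2019-12-17 21:25:40.864" "ending session 102"
11 "debug" 5152 "2019-12-17 21:29:34.630" "tcp connection started for session 103"
12 "smtpd" 5152 103 "2019-12-17 21:29:34.864" "192.0.2.11" "received: data"
13 "smtpd" 5152 103 "2019-12-17 21:29:34.864" "192.0.2.11" "sent: 354 ok, send."
14 "debug" 5152 "2019-12-17 21:39:31.489" "tcp connection started for session 104"
15 "smtpd" 5152 104 "2019-12-17 21:39:31.489" "198.51.100.8" "sent: 220 mail.example.test"
"""

FIELD = re.compile(r'"([^"]*)"|(\S+)')          # quoted field or bare token
SESSION_START = re.compile(r"tcp connection started for session (\d+)", re.I)
SESSION_END = re.compile(r"ending session (\d+)", re.I)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_line(line):
    """Return (kind, session, timestamp, ip, message), or None if unparseable."""
    fields = [quoted or bare for quoted, bare in FIELD.findall(line)]
    if fields and fields[0].isdigit():           # drop a pasted line number
        fields = fields[1:]
    if not fields:
        return None
    kind = fields[0].lower()
    try:
        if kind == "smtpd" and len(fields) >= 6:
            ts = datetime.strptime(fields[3], TS_FORMAT)
            return kind, int(fields[2]), ts, fields[4], fields[5]
        if kind == "debug" and len(fields) >= 4:
            ts = datetime.strptime(fields[2], TS_FORMAT)
            return kind, None, ts, None, fields[3]
    except ValueError:                           # malformed session id or time
        return None
    return None


def _new_state(ts):
    return {"ip": None, "last_seen": ts, "last_sent": "", "ended": False}


def find_unclosed_sessions(log_text, min_idle=timedelta(minutes=2)):
    """List sessions with no 'ending session' line, idle for at least min_idle
    measured against the newest timestamp in the log."""
    sessions, log_end = {}, None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, sid, ts, ip, msg = parsed
        log_end = ts if log_end is None else max(log_end, ts)
        if kind == "debug":
            started, ended = SESSION_START.search(msg), SESSION_END.search(msg)
            if started:
                sessions.setdefault(int(started.group(1)), _new_state(ts))
            elif ended:
                sessions.setdefault(int(ended.group(1)), _new_state(ts))["ended"] = True
            continue
        state = sessions.setdefault(sid, _new_state(ts))
        state["ip"], state["last_seen"] = ip, ts
        if msg.lower().startswith("sent:"):
            state["last_sent"] = msg             # last reply the server gave
    report = []
    for sid, state in sorted(sessions.items()):
        idle = log_end - state["last_seen"]
        if not state["ended"] and idle >= min_idle:
            report.append({
                "session": sid,
                "ip": state["ip"],
                "last_sent": state["last_sent"],
                "idle_seconds": idle.total_seconds(),
                # True when the log goes quiet right after the 354 reply
                "last_reply_354": state["last_sent"].lower().startswith("sent: 354"),
            })
    return report


if __name__ == "__main__":
    for row in find_unclosed_sessions(SAMPLE_LOG):
        print(row)
```

Run against a full day's log, the report can be lined up with the perfmon timestamps to see whether each CPU step matches a session that never closed.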

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-19 17:46

Having run 24 hours without incident since the last post, it has repeated with the same lack of end session for 2 more ips within a few minutes of each other.
Some input on this would be much appreciated.

mattg
Moderator
Posts: 20554
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by mattg » 2019-12-20 00:04

The 'adding task asynchronoustask' immediately after the lines you've marked in red has made me think about AV checks or SpamAssassin.

Please run this and post the results
viewtopic.php?f=20&t=30914
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-20 15:34

I am not running spamassassin, clamav or clamwin or any other check except spamhaus and spamcop at present. If a msg is blocked by them, hmail does not get as far as the asynch task anyway.
I am running malwarebytes service but not connected to hmail.

Is there a way to determine which asynch task is being called?

My event script is self-contained other than using ODBC but this was the case long before the first incident.

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-20 16:08

The diagnostic is below, but it does not appear to report any errors. (although I have removed a redundant domain).
The general greylisting was disabled, but I note that some domains had it set, so I have now enabled it fully.

Code: Select all

2019-12-20   Hmailserver: 5.6.7-B2425

DOMAINS

   "Domain1.com" - alxxxxxxxxxxx.com              Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:   20   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\key1.Domain1.com.pem
                                                Selector:    key1

   "Domain2.com" - anxxxxxxxxxxxxxx.com           Enabled: True
      |- "Alias1.com" - anxxxxxxxxxxxxxxxx.co.uk
      |- "Alias2.com" - anxxxxxxxxxxxxxx.co.uk
      |- "Alias3.com" - anxxxxxxxxxxxxxxxx.com
      |- "Alias4.com" - anxxxxxxxxxxxxxx.uk
      |- "Alias5.com" - anxxxxxxxxxxxxxxxx.uk

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting: !! ENABLED BUT NOT ACTIVATED!! 

   "Domain3.com" - igxxxxx.co.uk                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting: !! ENABLED BUT NOT ACTIVATED!! 

   "Domain4.com" - inxxxxxxxxx.com                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting: !! ENABLED BUT NOT ACTIVATED!! 

   "Domain5.com" - nixxxxxxxxxxx.com              Enabled: True
      |- "Alias6.com" - lixxxxxxxxxxxxxxxxxxx.orx

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:   20   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\key1.Domain5.com.pem
                                                Selector:    key1

   "Domain6.com" - prxxxxxxxxxxxxxxxxxxxxxxx.com  Enabled: True
      |- "Alias7.com" - prxxxxxxxxxxxxxxxxxxxxxxx.co.uk
      |- "Alias8.com" - suxxxxxxxxx.com
      |- "Alias9.com" - suxxxxxxxxx.co.uk
      |- "Alias10.com" - prxxxxxxxxxxxxxxxxxxxxxxx.uk
      |- "Alias11.com" - suxxxxxxxxxx.uk

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:  200   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting: !! ENABLED BUT NOT ACTIVATED!! 
                                                Private key: c:\key1.propertyclubinternational.pem
                                                Selector:    key1

   "Domain7.com" - slx.co.uk                      Enabled: True
      |- "Alias12.com" - sexxxx.co.uk
      |- "Alias13.com" - slx.uk
      |- "Alias14.com" - sexxxx.uk

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:   50   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting: !! ENABLED BUT NOT ACTIVATED!! 
                                                Private key: c:\key1.Domain7.com.pem
                                                Selector:    key1

   "Domain8.com" - yuxxxxx.com                    Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting:     False

   "Domain9.com" - zdxxxxxxxxx.com                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-20 16:39

I've re-run the diagnostic as it seems the first run was not complete.

Code: Select all

2019-12-20   Hmailserver: 5.6.7-B2425

DOMAINS

   "Domain1.com" - alxxxxxxxxxxx.com              Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:   20   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\key1.Domain1.com.pem
                                                Selector:    key1

   "Domain2.com" - anxxxxxxxxxxxxxx.com           Enabled: True
      |- "Alias1.com" - anxxxxxxxxxxxxxxxx.co.uk
      |- "Alias2.com" - anxxxxxxxxxxxxxx.co.uk
      |- "Alias3.com" - anxxxxxxxxxxxxxxxx.com
      |- "Alias4.com" - anxxxxxxxxxxxxxx.uk
      |- "Alias5.com" - anxxxxxxxxxxxxxxxx.uk

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting: !! ENABLED BUT NOT ACTIVATED!! 

   "Domain3.com" - igxxxxx.co.uk                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting: !! ENABLED BUT NOT ACTIVATED!! 

   "Domain4.com" - inxxxxxxxxx.com                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting: !! ENABLED BUT NOT ACTIVATED!! 

   "Domain5.com" - nixxxxxxxxxxx.com              Enabled: True
      |- "Alias6.com" - lixxxxxxxxxxxxxxxxxxx.orx

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:   20   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\key1.Domain5.com.pem
                                                Selector:    key1

   "Domain6.com" - prxxxxxxxxxxxxxxxxxxxxxxx.com  Enabled: True
      |- "Alias7.com" - prxxxxxxxxxxxxxxxxxxxxxxx.co.uk
      |- "Alias8.com" - suxxxxxxxxx.com
      |- "Alias9.com" - suxxxxxxxxx.co.uk
      |- "Alias10.com" - prxxxxxxxxxxxxxxxxxxxxxxx.uk
      |- "Alias11.com" - suxxxxxxxxxx.uk

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:  200   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting: !! ENABLED BUT NOT ACTIVATED!! 
                                                Private key: c:\key1.propertyclubinternational.pem
                                                Selector:    key1

   "Domain7.com" - slx.co.uk                      Enabled: True
      |- "Alias12.com" - sexxxx.co.uk
      |- "Alias13.com" - slx.uk
      |- "Alias14.com" - sexxxx.uk

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:   50   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting: !! ENABLED BUT NOT ACTIVATED!! 
                                                Private key: c:\key1.Domain7.com.pem
                                                Selector:    key1

   "Domain8.com" - yuxxxxx.com                    Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting:     False

   "Domain9.com" - zdxxxxxxxxx.com                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 104.217.253.193 - 104.217.253.193     Priority: 30     Name: Music

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 104.217.253.203 - 104.217.253.203     Priority: 30     Name: PCI

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 104.217.253.24 - 104.217.253.24     Priority: 30     Name: SLB

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


   !!  Warning:  DEFAULT DOMAIN is SET  !! - "Domain6.com"
------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      2
                              Minutes Before Reset:           60  (1.00 hours, 0.04 days)
                              Minutes to Autoban:            120  (2.00 hours, 0.08 days)

There is a total of 22 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins: 15   Plain Text:        False  Bind: 
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:   100
Max Msg Size: 20480  Relay:-                   Incorrect endings:  True  Use STARTTLS:     False
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands:   3  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 3    Use Spamassassin:   False
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2
  Add X-HmailServer-Subject:  True    Verify DKIM:       False    
              Subject Text: "[SP]"
  Spam delete threshold: 8         Maximum message size: 2048

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 5     Result: 127.0.0.2-8|127.0.0.10-11
                    bl.spamcop.net      Score: 3     Result: 127.0.0.2

SURBL ENTRIES:
   No 'enabled' entries

GREYLISTING:
  Greylisting:  False

WHITELISTING
              0.0.0.0            to    255.255.255.255              *[@t]*nhs[dot]net
              0.0.0.0            to    255.255.255.255              *[@t]*gov[dot]uk
              0.0.0.0            to    255.255.255.255              *[@t]stearn[dot]co[dot]uk
              0.0.0.0            to    255.255.255.255              *[@t]parliament[dot]uk
              0.0.0.0            to    255.255.255.255              *[@t]cultureireland[dot]gov[dot]ie
              0.0.0.0            to    255.255.255.255              *[@t]avniche[dot]co[dot]uk
              0.0.0.0            to    255.255.255.255              *[@t]*linkedin[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]qisqi[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]lawyercyprus[dot]com
              0.0.0.0            to    255.255.255.255              scopeinvest1[@t]gmail[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]biossl[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]busybeesestateagents-cyprus[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]propertyclubinternational[dot]com
              0.0.0.0            to    255.255.255.255              busybeesestateagents[@t]yahoo[dot]com
              0.0.0.0            to    255.255.255.255              nigelroth[@t]hotmail[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]goldingproducts[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]fidesgroup[dot]net
              0.0.0.0            to    255.255.255.255              *[@t]skype[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]aabol[dot]sc
              0.0.0.0            to    255.255.255.255              *[@t]godaddy[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]vn-am[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]europacbank[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]mayconsulting[dot]eu
              0.0.0.0            to    255.255.255.255              *[@t]cards[dot]natwest[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]eastgateresource[dot]co[dot]uk
              0.0.0.0            to    255.255.255.255              *[@t]bernlite[dot]co[dot]uk
              0.0.0.0            to    255.255.255.255              jamie[dot]canaltime[@t]btconnect[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]CheckTLS[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]globaledge[dot]co[dot]uk
              0.0.0.0            to    255.255.255.255              *[@t]heartinternet[dot]co[dot]uk
              0.0.0.0            to    255.255.255.255              fraturrisi[@t]yahoo[dot]it
              0.0.0.0            to    255.255.255.255              nigelmroth[@t]yahoo[dot]co[dot]uk
              0.0.0.0            to    255.255.255.255              *[@t]estainsurance[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]andertons[dot]co[dot]uk
              0.0.0.0            to    255.255.255.255              dumamuse[@t]aol[dot]com
              0.0.0.0            to    255.255.255.255              *brstrnc[@t]gmail[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]ajrholdings[dot]net
              0.0.0.0            to    255.255.255.255              *[@t]erroll[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]hay[dot]org
              0.0.0.0            to    255.255.255.255              *[@t]nmplegal[dot]com
              0.0.0.0            to    255.255.255.255              laurie[dot]roth[@t]hotmail[dot]co[dot]uk
              0.0.0.0            to    255.255.255.255              *[@t]richardoberlander[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]facebookmail[dot]com
              0.0.0.0            to    255.255.255.255              peter[dot]roth1[@t]btinternet[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]estainsurance[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]amazon[dot]co[dot]uk
              0.0.0.0            to    255.255.255.255              support[@t]databasemart[dot]com
              0.0.0.0            to    255.255.255.255              *[@t]turkishairlines[dot]com
              0.0.0.0            to    255.255.255.255              customercare[@t]support[dot]flights-uk[dot]gotogate[dot]com
              0.0.0.0            to    255.255.255.255              [@t]companieshouse[dot]gov[dot]uk
              0.0.0.0            to    255.255.255.255              beablooddonor[dot]brstrnc[@t]gmail[dot]com
              0.0.0.0            to    255.255.255.255              brstrnc0[@t]m78[dot]siteground[dot]biz
              0.0.0.0            to    255.255.255.255              *[@t]*mbna[dot]co[dot]uk
              0.0.0.0            to    255.255.255.255              *[@t]siemens-home[dot]bsh-group[dot]com
              0.0.0.0            to    255.255.255.255              service[@t]paypal[dot]co[dot]uk
              104.217.253.24     to    104.217.253.24               *
              104.217.253.193    to    104.217.253.193              *
              104.217.253.203    to    104.217.253.203              *
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: True
               *.bat             Batch processing file
               *.cmd             Command file for Windows NT
               *.com             Command
               *.cpl             Windows Control Panel extension
               *.csh             CSH script
               *.exe             Executable file
               *.inf             Setup file
               *.lnk             Windows link file
               *.msi             Windows Installer file
               *.msp             Windows Installer patch
               *.reg             Registration key
               *.scf             Windows Explorer command
               *.scr             Windows Screen saver
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   No entries
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :   True
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   None                
               0.0.0.0         / 110   / POP3   -   None                
               0.0.0.0         / 465   / SMTP   -   None                
               0.0.0.0         / 587   / SMTP   -   None                
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\inetpub\wwwroot\pci\Logs\hmail\hmailserver_2019-12-20.log
    Error:    C:\inetpub\wwwroot\pci\Logs\hmail\ERROR_hmailserver_2019-12-20.log
    Event:    C:\inetpub\wwwroot\pci\Logs\hmail\hmailserver_events.log - Not present
    Awstats:  C:\inetpub\wwwroot\pci\Logs\hmail\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -      .
                        TCPIP       -      .
                        DEBUG       -    True
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MySQL

IPv6 support is available in operating system.

ERROR: Backup directory has not been specified.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: 
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\inetpub\wwwroot\pci\Logs\hmail
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MYSQL
Username=          nigelroth
PasswordEncryption=1
Port=              3306
Server=            localhost
Internal=          0
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.98, Hmailserver Forum.

mattg
Moderator
Posts: 20554
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by mattg » 2019-12-21 01:03

Do you have any SURBL entries?
The report shows none active, but some still may exist...

Also, you have a default domain. Is there a reason? This will normally result in much more spam for you,
and you have SSLv3.0 enabled. That is broken and you should turn it off unless you have a very specific reason not to.

And can you please add TCP/IP logging?
That may show us what is being searched with the asynchronous task.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-21 15:00

There is multi.surbl.org listed but disabled. I have never used it, but can delete it. Please advise.

I have removed the default domain although that does have an SSL Cert, but have disabled SSL 3, leaving all TLS enabled for now.
I have added TCP logging and restarted.

Having said that, and I may be speaking too soon, the jumps have not happened in the last 36 hours - reason unknown, but I had blocked the offending IPs found so far in the Windows firewall. I realise this is a temp measure, but there are some 4000 other IPs blocked for different reasons.

I will post again if and when there is another incident and see what the TCP log shows.
Thanks

mattg
Moderator
Posts: 20554
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by mattg » 2019-12-21 16:04

Please remove the SURBL.

The cert wasn't used anyway (in SSL/TLS settings), but still could be even without the default domain, or the domain actually being in use.

If the cert matches your localhost name, and also matches all of the MX records for each of the domains, then the cert would work fine.

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-21 18:46

OK, done. Thanks Mattg, let's see what happens - hopefully it won't! :)

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-23 14:48

OK, just jumped and almost certainly did not close session 219 even after 10 mins.

Here's the log:
1151 "debug" 4852 "2019-12-23 12:28:51.467" "ending session 217"
1152 "debug" 4852 "2019-12-23 12:29:12.424" "creating session 219"
1153 "tcpip" 4852 "2019-12-23 12:29:12.424" "tcp - 84.127.240.113 connected to 104.217.253.24:25."
1154 "debug" 4852 "2019-12-23 12:29:12.424" "tcp connection started for session 218"
1155 "smtpd" 4852 218 "2019-12-23 12:29:12.424" "84.127.240.113" "sent: 220 pci here"
1156 "smtpd" 5228 218 "2019-12-23 12:29:12.643" "84.127.240.113" "received: ehlo 84.127.240.113.static.user.ono.com"
1157 "smtpd" 5228 218 "2019-12-23 12:29:12.643" "84.127.240.113" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
1158 "smtpd" 5228 218 "2019-12-23 12:29:12.877" "84.127.240.113" "received: mail from: |scottbell@ono.com|"
1159 "tcpip" 5228 "2019-12-23 12:29:12.908" "dns lookup: 113.240.127.84.zen.spamhaus.org, 0 addresses found: (none), match: false"
1160 "tcpip" 5228 "2019-12-23 12:29:12.955" "dns lookup: 113.240.127.84.bl.spamcop.net, 1 addresses found: 127.0.0.2, match: true"
1161 "debug" 5228 "2019-12-23 12:29:12.955" "spam test: spamtestdnsblacklists, score: 3"
1162 "debug" 5228 "2019-12-23 12:29:13.080" "spam test: spamtesthelohost, score: 0"
1163 "debug" 5228 "2019-12-23 12:29:13.096" "spam test: spamtestmxrecords, score: 0"
1164 "debug" 5228 "2019-12-23 12:29:13.752" "spam test: spamtestspf, score: 3"
1165 "debug" 5228 "2019-12-23 12:29:13.752" "total spam score: 6"
1166 "smtpd" 5228 218 "2019-12-23 12:29:13.752" "84.127.240.113" "sent: 250 ok"
1167 "smtpd" 3300 218 "2019-12-23 12:29:13.986" "84.127.240.113" "received: rcpt to: |jow@slb.co.uk|"
1168 "smtpd" 3300 218 "2019-12-23 12:29:13.986" "84.127.240.113" "sent: 550 unknown user"
1169 "debug" 4852 "2019-12-23 12:29:14.221" "the read operation failed. bytes transferred: 0 remote ip: 84.127.240.113, session: 218, code: 2, message: end of file"
1170 "debug" 4852 "2019-12-23 12:29:14.221" "deleting message file."
1171 "debug" 4852 "2019-12-23 12:29:14.221" "ending session 218"
1172 "debug" 4852 "2019-12-23 12:29:15.346" "creating session 220"
1173 "tcpip" 4852 "2019-12-23 12:29:15.346" "tcp - 198.2.141.36 connected to 104.217.253.193:25."
1174 "debug" 4852 "2019-12-23 12:29:15.346" "tcp connection started for session 219"
1175 "smtpd" 4852 219 "2019-12-23 12:29:15.346" "198.2.141.36" "sent: 220 pci here"
1176 "smtpd" 5228 219 "2019-12-23 12:29:15.377" "198.2.141.36" "received: ehlo mail36.atl231.mcsv.net"
1177 "smtpd" 5228 219 "2019-12-23 12:29:15.377" "198.2.141.36" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
1178 "smtpd" 3300 219 "2019-12-23 12:29:15.393" "198.2.141.36" "received: mail from:|bounce-mc.us11_44338345.1374965-3f8af6bfd7@mail36.atl231.mcsv.net|"
1179 "tcpip" 3300 "2019-12-23 12:29:15.439" "dns lookup: 36.141.2.198.zen.spamhaus.org, 0 addresses found: (none), match: false"
1180 "tcpip" 3300 "2019-12-23 12:29:15.471" "dns lookup: 36.141.2.198.bl.spamcop.net, 0 addresses found: (none), match: false"
1181 "debug" 3300 "2019-12-23 12:29:15.471" "spam test: spamtestdnsblacklists, score: 0"
1182 "debug" 3300 "2019-12-23 12:29:15.486" "spam test: spamtesthelohost, score: 0"
1183 "debug" 3300 "2019-12-23 12:29:15.518" "spam test: spamtestmxrecords, score: 0"
1184 "debug" 3300 "2019-12-23 12:29:15.533" "spam test: spamtestspf, score: 0"
1185 "debug" 3300 "2019-12-23 12:29:15.533" "total spam score: 0"
1186 "smtpd" 3300 219 "2019-12-23 12:29:15.533" "198.2.141.36" "sent: 250 ok"
1187 "smtpd" 4852 219 "2019-12-23 12:29:15.549" "198.2.141.36" "received: rcpt to:|info@nickrothmusic.com|"
1188 "smtpd" 4852 219 "2019-12-23 12:29:15.564" "198.2.141.36" "sent: 250 ok"
1189 "smtpd" 3300 219 "2019-12-23 12:29:15.580" "198.2.141.36" "received: data"
1190 "smtpd" 3300 219 "2019-12-23 12:29:15.580" "198.2.141.36" "sent: 354 ok, send."
1191 "debug" 1244 "2019-12-23 12:29:15.643" "adding task asynchronoustask to work queue asynchronous task queue"
1192 "debug" 5536 "2019-12-23 12:29:15.643" "executing task asynchronoustask in work queue asynchronous task queue"
1193 "debug" 5536 "2019-12-23 12:29:15.643" "total spam score: 0"
1194 "debug" 5536 "2019-12-23 12:29:15.659" "executing event onacceptmessage"
1195 "debug" 4852 "2019-12-23 12:29:38.674" "creating session 221"
1196 "tcpip" 4852 "2019-12-23 12:29:38.674" "tcp - 27.154.32.202 connected to 104.217.253.24:25."
1197 "debug" 4852 "2019-12-23 12:29:38.674" "tcp connection started for session 220"
1198 "smtpd" 4852 220 "2019-12-23 12:29:38.674" "27.154.32.202" "sent: 220 pci here"
1199 "smtpd" 1244 220 "2019-12-23 12:29:41.627" "27.154.32.202" "received: ehlo tmcnallycpa.com"
1200 "smtpd" 1244 220 "2019-12-23 12:29:41.627" "27.154.32.202" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
1201 "smtpd" 3300 220 "2019-12-23 12:29:43.439" "27.154.32.202" "received: mail from: |marcuswhite@tmcnallycpa.com|"
1202 "tcpip" 3300 "2019-12-23 12:29:43.471" "dns lookup: 202.32.154.27.zen.spamhaus.org, 0 addresses found: (none), match: false"
1203 "tcpip" 3300 "2019-12-23 12:29:43.486" "dns lookup: 202.32.154.27.bl.spamcop.net, 1 addresses found: 127.0.0.2, match: true"
1204 "debug" 3300 "2019-12-23 12:29:43.486" "spam test: spamtestdnsblacklists, score: 3"
1205 "debug" 3300 "2019-12-23 12:29:43.549" "spam test: spamtesthelohost, score: 2"
1206 "debug" 3300 "2019-12-23 12:29:43.580" "spam test: spamtestmxrecords, score: 0"
1207 "debug" 3300 "2019-12-23 12:29:43.596" "spam test: spamtestspf, score: 3"
1208 "debug" 3300 "2019-12-23 12:29:43.596" "total spam score: 8"
1209 "smtpd" 3300 220 "2019-12-23 12:29:43.596" "27.154.32.202" "sent: 550 blocked by spf ()"
1210 "application" 3300 "2019-12-23 12:29:43.596" "hmailserver spamprotection rejected rcpt (sender: marcuswhite@tmcnallycpa.com, ip:27.154.32.202, reason: blocked by spf ())"
1211 "debug" 3300 "2019-12-23 12:29:45.971" "the read operation failed. bytes transferred: 0 remote ip: 27.154.32.202, session: 220, code: 2, message: end of file"
1212 "debug" 3300 "2019-12-23 12:29:45.971" "ending session 220"
1213 "debug" 4852 "2019-12-23 12:29:58.596" "creating session 222"
1214 "tcpip" 4852 "2019-12-23 12:29:58.596" "tcp - 104.131.248.46 connected to 104.217.253.193:25."
1215 "debug" 4852 "2019-12-23 12:29:58.596" "client connection from 104.131.248.46 was not accepted. blocked either by ip range or by connection limit."
1216 "debug" 4852 "2019-12-23 12:29:58.596" "ending session 221"
1217 "debug" 4852 "2019-12-23 12:31:53.627" "creating session 223"
1218 "tcpip" 4852 "2019-12-23 12:31:53.627" "tcp - 41.170.12.92 connected to 104.217.253.24:25."

And here's the status
191223 12.29.jpg
Running Diagnostic and will post when done
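
An added example, not part of the original post: one way to list, from the log alone, the SMTP sessions that were started but never ended, together with the remote IP and last SMTP line of each. It assumes the field layout seen in the excerpt above; the sample lines and addresses are constructed, and `parse_line` and `open_sessions` are hypothetical helper names.

```python
"""List hMailServer SMTP sessions that were started but never ended."""
import re
from datetime import datetime

# Constructed sample laid out like the excerpt in the post above: viewer line
# number, type, thread, [session], time, [remote ip], text. The addresses are
# documentation ranges, not values from the thread.
SAMPLE_LOG = '''
1 "debug" 4852 "2019-12-23 12:29:12.424" "creating session 219"
2 "tcpip" 4852 "2019-12-23 12:29:12.424" "tcp - 192.0.2.10 connected to 203.0.113.5:25."
3 "debug" 4852 "2019-12-23 12:29:12.424" "tcp connection started for session 218"
4 "smtpd" 4852 218 "2019-12-23 12:29:12.424" "192.0.2.10" "sent: 220 mail here"
5 "smtpd" 3300 218 "2019-12-23 12:29:13.986" "192.0.2.10" "sent: 550 unknown user"
6 "debug" 4852 "2019-12-23 12:29:14.221" "ending session 218"
7 "debug" 4852 "2019-12-23 12:29:15.346" "creating session 220"
8 "debug" 4852 "2019-12-23 12:29:15.346" "tcp connection started for session 219"
9 "smtpd" 4852 219 "2019-12-23 12:29:15.346" "198.51.100.7" "sent: 220 mail here"
10 "smtpd" 3300 219 "2019-12-23 12:29:15.580" "198.51.100.7" "received: data"
11 "smtpd" 3300 219 "2019-12-23 12:29:15.580" "198.51.100.7" "sent: 354 ok, send."
12 "debug" 5536 "2019-12-23 12:29:15.659" "executing event onacceptmessage"
13 "debug" 4852 "2019-12-23 12:29:38.674" "tcp connection started for session 220"
14 "smtpd" 4852 220 "2019-12-23 12:29:38.674" "192.0.2.44" "sent: 220 mail here"
match: 15 "tcpip" 3300 "2019-12-23 12:29:43.486" "dns lookup: 44.2.0.192.bl.example.org, 1 addresses found: 127.0.0.2, match: true"
16 "smtpd" 3300 220 "2019-12-23 12:29:43.596" "192.0.2.44" "sent: 550 blocked by spf ()"
17 "debug" 3300 "2019-12-23 12:29:45.971" "ending session 220"
18 "debug" 4852 "2019-12-23 12:29:58.596" "ending session 221"
19 "tcpip" 4852 "2019-12-23 12:31:53.627" "tcp - 192.0.2.99 connected to 203.0.113.5:25."
'''

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
KINDS = {"debug", "tcpip", "smtpd", "application"}  # types seen in the excerpt
STARTED = re.compile(r"tcp connection started for session (\d+)", re.I)
ENDED = re.compile(r"ending session (\d+)", re.I)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_line(line):
    """Return (kind, session, time, ip, text), or None if the line does not parse."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(line)]
    # Anything before the type field (a viewer line number, a stray word left
    # by copy and paste) is skipped.
    for i, tok in enumerate(tokens):
        if tok.lower() in KINDS:
            break
    else:
        return None
    kind, rest = tokens[i].lower(), tokens[i + 1:]
    try:
        if kind == "smtpd":  # thread, session, time, remote ip, text
            _thread, session, ts, ip, text = rest[:5]
            return kind, int(session), datetime.strptime(ts, TS_FORMAT), ip, text
        _thread, ts, text = rest[:3]  # thread, time, text
        return kind, None, datetime.strptime(ts, TS_FORMAT), None, text
    except ValueError:  # too few fields, bad session number or bad timestamp
        return None


def open_sessions(log_text, min_idle_seconds=0):
    """Sessions with no 'ending session N' line, idle at least min_idle_seconds."""
    sessions, log_end = {}, None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, session, ts, ip, text = rec
        log_end = ts if log_end is None else max(log_end, ts)
        if kind == "debug":
            started, ended = STARTED.search(text), ENDED.search(text)
            if started:
                sessions[int(started.group(1))] = {
                    "ip": None, "last_seen": ts, "last_text": None}
            elif ended:
                # A refused connection logs an end without a start.
                sessions.pop(int(ended.group(1)), None)
        elif kind == "smtpd":
            # setdefault also tracks sessions that began before the excerpt.
            sessions.setdefault(session, {}).update(
                ip=ip, last_seen=ts, last_text=text)
    report = []
    for sid, info in sorted(sessions.items()):
        idle = (log_end - info["last_seen"]).total_seconds()
        if idle >= min_idle_seconds:
            report.append({"session": sid, "ip": info["ip"],
                           "idle_seconds": idle, "last_text": info["last_text"]})
    return report


if __name__ == "__main__":
    for row in open_sessions(SAMPLE_LOG):
        print(row)
```

Idle time is measured against the last timestamp in the text supplied, so a short excerpt understates how long a session has really been open.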

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-23 15:30

Here's the latest diagnostic, and I don't see anything in this or the log which identifies anything unusual apart from the open session 219, and it's not clear which IP that is from.
It looks like the session started, didn't connect to an IP and started using 34% CPU.

Code: Select all

2019-12-23   Hmailserver: 5.6.7-B2425

DOMAINS

   "Domain1.com" - alxxxxxxxxxxx.com              Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:   20   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:      True
                                                Private key: c:\key1.Domain1.com.pem
                                                Selector:    key1

   "Domain2.com" - anxxxxxxxxxxxxxx.com           Enabled: True
      |- "Alias1.com" - anxxxxxxxxxxxxxxxx.co.uk
      |- "Alias2.com" - anxxxxxxxxxxxxxx.co.uk
      |- "Alias3.com" - anxxxxxxxxxxxxxxxx.com
      |- "Alias4.com" - anxxxxxxxxxxxxxx.uk
      |- "Alias5.com" - anxxxxxxxxxxxxxxxx.uk

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting:      True

   "Domain3.com" - inxxxxxxxxx.com                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting:      True

   "Domain4.com" - nixxxxxxxxxxx.com              Enabled: True
      |- "Alias6.com" - lixxxxxxxxxxxxxxxxxxx.orx

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:   20   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\key1.Domain4.com.pem
                                                Selector:    key1

   "Domain5.com" - prxxxxxxxxxxxxxxxxxxxxxxx.com  Enabled: True
      |- "Alias7.com" - prxxxxxxxxxxxxxxxxxxxxxxx.co.uk
      |- "Alias8.com" - suxxxxxxxxx.com
      |- "Alias9.com" - suxxxxxxxxx.co.uk
      |- "Alias10.com" - prxxxxxxxxxxxxxxxxxxxxxxx.uk
      |- "Alias11.com" - suxxxxxxxxxx.uk

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:  200   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:      True
                                                Private key: c:\key1.propertyclubinternational.pem
                                                Selector:    key1

   "Domain6.com" - slx.co.uk                      Enabled: True
      |- "Alias12.com" - sexxxx.co.uk
      |- "Alias13.com" - slx.uk
      |- "Alias14.com" - sexxxx.uk

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:    20000   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:   50   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:      True
                                                Private key: c:\key1.Domain6.com.pem
                                                Selector:    key1

   "Domain7.com" - yuxxxxx.com                    Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting:      True

   "Domain8.com" - zdxxxxxxxxx.com                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:   20                    
                                                                   Greylisting:      True
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 104.217.253.193 - 104.217.253.193     Priority: 30     Name: Music

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 104.217.253.203 - 104.217.253.203     Priority: 30     Name: PCI

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 104.217.253.24 - 104.217.253.24     Priority: 30     Name: SLB

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      2
                              Minutes Before Reset:           60  (1.00 hours, 0.04 days)
                              Minutes to Autoban:            120  (2.00 hours, 0.08 days)

There is a total of 21 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins: 15   Plain Text:        False  Bind: 
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:   100
Max Msg Size: 20480  Relay:-                   Incorrect endings:  True  Use STARTTLS:     False
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands:   3  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 3    Use Spamassassin:   False
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2
  Add X-HmailServer-Subject:  True    Verify DKIM:       False    
              Subject Text: "[SP]"
  Spam delete threshold: 8         Maximum message size: 2048

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 5     Result: 127.0.0.2-8|127.0.0.10-11
                    bl.spamcop.net      Score: 3     Result: 127.0.0.2

SURBL ENTRIES:
   No entries

GREYLISTING:
  Greylisting:   True       Defer mins: 60       Days Unused: 2      Days Used: 10
                            Bypass SPF: True     Bypass A/MX: True

Greylist WHITELIST ENTRIES:
   No entries

Greylist DOMAINS enabled:
           Domain1.com
           Domain2.com
                 |--   Alias1.com
                 |--   Alias2.com
                 |--   Alias3.com
                 |--   Alias4.com
                 |--   Alias5.com
           Domain3.com
           Domain5.com
                 |--   Alias7.com
                 |--   Alias8.com
                 |--   Alias9.com
                 |--   Alias10.com
                 |--   Alias11.com
           Domain6.com
                 |--   Alias12.com
                 |--   Alias13.com
                 |--   Alias14.com
           Domain7.com
           Domain8.com

WHITELISTING
              104.217.253.24     to    104.217.253.24               *
              104.217.253.193    to    104.217.253.193              *
              104.217.253.203    to    104.217.253.203              *
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: True
               *.bat             Batch processing file
               *.cmd             Command file for Windows NT
               *.com             Command
               *.cpl             Windows Control Panel extension
               *.csh             CSH script
               *.exe             Executable file
               *.inf             Setup file
               *.lnk             Windows link file
               *.msi             Windows Installer file
               *.msp             Windows Installer patch
               *.reg             Registration key
               *.scf             Windows Explorer command
               *.scr             Windows Screen saver
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   No entries
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :  False
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   None                
               0.0.0.0         / 110   / POP3   -   None                
               0.0.0.0         / 465   / SMTP   -   None                
               0.0.0.0         / 587   / SMTP   -   None                
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\inetpub\wwwroot\pci\Logs\hmail\hmailserver_2019-12-23.log
    Error:    C:\inetpub\wwwroot\pci\Logs\hmail\ERROR_hmailserver_2019-12-23.log
    Event:    C:\inetpub\wwwroot\pci\Logs\hmail\hmailserver_events.log - Not present
    Awstats:  C:\inetpub\wwwroot\pci\Logs\hmail\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -      .
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MySQL

IPv6 support is available in operating system.

ERROR: Backup directory has not been specified.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: 
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\inetpub\wwwroot\pci\Logs\hmail
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MYSQL
Username=          nigelroth
PasswordEncryption=1
Port=              3306
Server=            localhost
Internal=          0
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.98, Hmailserver Forum.

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-23 16:15

Further jumps almost certainly caused by this IP 198.2.141.36, which is another that doesn't send when told to and caused 2 more jumps until I blocked it in the firewall.
Oddly, session 44 ended these times, but the same session number was used twice by the same IP.
However, this IP is MailChimp, so like the earlier Amazon one it is not really one that should have to be blocked. Again this brings me back to the Windows update of 13 Nov which started this and which I suspect hmail does not like for some reason.

2209 "debug" 6480 "2019-12-23 12:56:20.930" "creating session 15"
2210 "tcpip" 6480 "2019-12-23 12:56:20.930" "tcp - 198.2.141.36 connected to 104.217.253.193:25."
2211 "debug" 6480 "2019-12-23 12:56:20.930" "tcp connection started for session 14"
2212 "smtpd" 6480 14 "2019-12-23 12:56:20.930" "198.2.141.36" "sent: 220 pci here"
2213 "smtpd" 5640 14 "2019-12-23 12:56:20.945" "198.2.141.36" "received: ehlo mail36.atl231.mcsv.net"
2214 "smtpd" 5640 14 "2019-12-23 12:56:20.945" "198.2.141.36" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
2215 "smtpd" 6480 14 "2019-12-23 12:56:20.965" "198.2.141.36" "received: mail from:|bounce-mc.us11_44338345.1374965-3f8af6bfd7@mail36.atl231.mcsv.net|"
2216 "tcpip" 6480 "2019-12-23 12:56:20.992" "dns lookup: 36.141.2.198.zen.spamhaus.org, 0 addresses found: (none), match: false"
2217 "tcpip" 6480 "2019-12-23 12:56:21.008" "dns lookup: 36.141.2.198.bl.spamcop.net, 0 addresses found: (none), match: false"
2218 "debug" 6480 "2019-12-23 12:56:21.008" "spam test: spamtestdnsblacklists, score: 0"
2219 "debug" 6480 "2019-12-23 12:56:21.024" "spam test: spamtesthelohost, score: 0"
2220 "debug" 6480 "2019-12-23 12:56:21.024" "spam test: spamtestmxrecords, score: 0"
2221 "debug" 6480 "2019-12-23 12:56:21.024" "spam test: spamtestspf, score: 0"
2222 "debug" 6480 "2019-12-23 12:56:21.024" "total spam score: 0"
2223 "smtpd" 6480 14 "2019-12-23 12:56:21.024" "198.2.141.36" "sent: 250 ok"
2224 "smtpd" 5404 14 "2019-12-23 12:56:21.055" "198.2.141.36" "received: rcpt to:|info@nickrothmusic.com|"
2225 "smtpd" 5404 14 "2019-12-23 12:56:21.055" "198.2.141.36" "sent: 250 ok"
2226 "smtpd" 6480 14 "2019-12-23 12:56:21.071" "198.2.141.36" "received: data"
2227 "smtpd" 6480 14 "2019-12-23 12:56:21.071" "198.2.141.36" "sent: 354 ok, send."
2228 "debug" 6516 "2019-12-23 12:56:21.134" "adding task asynchronoustask to work queue asynchronous task queue"
2229 "debug" 6392 "2019-12-23 12:56:21.134" "executing task asynchronoustask in work queue asynchronous task queue"
2230 "debug" 6392 "2019-12-23 12:56:21.134" "total spam score: 0"
2231 "debug" 6392 "2019-12-23 12:56:21.134" "executing event onacceptmessage"
2232 "debug" 6480 "2019-12-23 12:56:58.993" "creating session 16"
2233 "tcpip" 6480 "2019-12-23 12:56:58.993" "tcp - 46.105.209.45 connected to 104.217.253.24:25."

3624 "debug" 920 "2019-12-23 13:46:21.036" "creating session 44"
3625 "tcpip" 920 "2019-12-23 13:46:21.036" "tcp - 198.2.141.36 connected to 104.217.253.193:25."
3626 "debug" 920 "2019-12-23 13:46:21.036" "tcp connection started for session 43"
3627 "smtpd" 920 43 "2019-12-23 13:46:21.036" "198.2.141.36" "sent: 220 pci here"
3628 "smtpd" 1088 43 "2019-12-23 13:46:21.051" "198.2.141.36" "received: ehlo mail36.atl231.mcsv.net"
3629 "smtpd" 1088 43 "2019-12-23 13:46:21.051" "198.2.141.36" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
3630 "smtpd" 920 43 "2019-12-23 13:46:21.083" "198.2.141.36" "received: mail from:|bounce-mc.us11_44338345.1374965-3f8af6bfd7@mail36.atl231.mcsv.net|"
3631 "tcpip" 920 "2019-12-23 13:46:21.098" "dns lookup: 36.141.2.198.zen.spamhaus.org, 0 addresses found: (none), match: false"
3632 "tcpip" 920 "2019-12-23 13:46:21.129" "dns lookup: 36.141.2.198.bl.spamcop.net, 0 addresses found: (none), match: false"
3633 "debug" 920 "2019-12-23 13:46:21.129" "spam test: spamtestdnsblacklists, score: 0"
3634 "debug" 920 "2019-12-23 13:46:21.145" "spam test: spamtesthelohost, score: 0"
3635 "debug" 920 "2019-12-23 13:46:21.145" "spam test: spamtestmxrecords, score: 0"
3636 "debug" 920 "2019-12-23 13:46:21.145" "spam test: spamtestspf, score: 0"
3637 "debug" 920 "2019-12-23 13:46:21.145" "total spam score: 0"
3638 "smtpd" 920 43 "2019-12-23 13:46:21.145" "198.2.141.36" "sent: 250 ok"
3639 "smtpd" 1088 43 "2019-12-23 13:46:21.161" "198.2.141.36" "received: rcpt to:|info@nickrothmusic.com|"
3640 "smtpd" 1088 43 "2019-12-23 13:46:21.177" "198.2.141.36" "sent: 250 ok"
3641 "smtpd" 920 43 "2019-12-23 13:46:21.192" "198.2.141.36" "received: data"
3642 "smtpd" 920 43 "2019-12-23 13:46:21.192" "198.2.141.36" "sent: 354 ok, send."
3643 "debug" 2740 "2019-12-23 13:46:21.270" "adding task asynchronoustask to work queue asynchronous task queue"
3644 "debug" 2960 "2019-12-23 13:46:21.270" "executing task asynchronoustask in work queue asynchronous task queue"
3645 "debug" 2960 "2019-12-23 13:46:21.270" "total spam score: 0"
3646 "debug" 2960 "2019-12-23 13:46:21.270" "executing event onacceptmessage"
3647 "debug" 920 "2019-12-23 13:47:20.333" "creating session 45"
3648 "tcpip" 920 "2019-12-23 13:47:20.333" "tcp - 46.225.242.179 connected to 104.217.253.24:25."

mattg
Moderator
Posts: 20554
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by mattg » 2019-12-23 16:25

Do you have any antivirus running on that machine, including Windows Defender?
Have you EXCLUDED the hMailServer data directory from scanning?
Have you disabled SMTP 'inspection'?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-23 18:42

I had the clamwin update service running, but not interactive and with no connection to hmail. It is not configured for scheduled scans so did not have any folders filtered out. I periodically run a manual scan. However, this was the case long before 13 Nov. I have closed even that and rebooted the server to make sure.
I sometimes run Malwarebytes manually.

Windows Firewall is running (I don't think it was called Defender until after 2012) and I have blocks on some 4000 IPs independently of the standard hmail rule which allows all. (These rules are used to prevent access from unwanted IPs after several unwanted probes such as sql injection).
There are 2 other hmail rules (I believe standard) for TCP and UDP allow on port 110.

I've not come across SMTP 'inspection' - where should I be looking?

mattg
Moderator
Posts: 20554
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by mattg » 2019-12-24 00:19

ClamWin, even when not set to be integrated, is likely to be running.
Add the hMailServer data directory to its excluded locations list.

Some routers and firewall or edge devices do mail inspection as mail is passing through them

Defender isn't just the firewall, it's also the default Windows Antivirus. Exclude the hMailserver directory from scanning in that too

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-24 11:47

Since removing clamwin yesterday, multiple jumps overnight to 100%, and again this morning after restarting, so that's not the cause.
Again IPs from Amazon are the probable cause.

As far as I can see Defender is not installed or running, only Firewall. I don't know how to prevent Firewall from looking at a folder, doesn't it only monitor programs, ports and protocols not including SMTP?
hmail191224.jpg
As per this, although the onaccept seems to be for a previous msg, and 18.216.218.204 is the same mysecuritycamera.org that has come up before and does not send on request.

2662 "tcpip" 2480 "2019-12-24 09:39:56.991" "tcp - 18.216.218.204 connected to 104.217.253.24:25."
2663 "debug" 2480 "2019-12-24 09:39:56.991" "tcp connection started for session 13"
2664 "smtpd" 2480 13 "2019-12-24 09:39:57.007" "18.216.218.204" "sent: 220 pci here"
2665 "smtpd" 3620 13 "2019-12-24 09:39:57.069" "18.216.218.204" "received: ehlo phylobago.mysecuritycamera.org"
2666 "smtpd" 3620 13 "2019-12-24 09:39:57.085" "18.216.218.204" "sent: 250-mail.propertyclubinternational.com[nl]250-size 20480000[nl]250-auth login[nl]250 help"
2667 "smtpd" 3620 13 "2019-12-24 09:39:57.116" "18.216.218.204" "received: mail from:|bounce@phylobago.mysecuritycamera.org|"
2668 "tcpip" 3620 "2019-12-24 09:39:57.147" "dns lookup: 204.218.216.18.zen.spamhaus.org, 0 addresses found: (none), match: false"
2669 "tcpip" 3620 "2019-12-24 09:39:57.194" "dns lookup: 204.218.216.18.bl.spamcop.net, 0 addresses found: (none), match: false"
2670 "debug" 3620 "2019-12-24 09:39:57.194" "spam test: spamtestdnsblacklists, score: 0"
2671 "debug" 3620 "2019-12-24 09:39:57.194" "spam test: spamtesthelohost, score: 2"
2672 "debug" 3620 "2019-12-24 09:39:57.226" "spam test: spamtestmxrecords, score: 2"
2673 "debug" 3620 "2019-12-24 09:39:57.241" "spam test: spamtestspf, score: 0"
2674 "debug" 3620 "2019-12-24 09:39:57.241" "total spam score: 4"
2675 "smtpd" 3620 13 "2019-12-24 09:39:57.241" "18.216.218.204" "sent: 250 ok"
2676 "smtpd" 900 13 "2019-12-24 09:39:57.288" "18.216.218.204" "received: rcpt to:|nigel@selnet.co.uk|"
2677 "debug" 900 "2019-12-24 09:39:57.288" "spf passed, skipping greylisting."
2678 "smtpd" 900 13 "2019-12-24 09:39:57.288" "18.216.218.204" "sent: 250 ok"
2679 "smtpd" 900 13 "2019-12-24 09:39:57.366" "18.216.218.204" "received: data"
2680 "smtpd" 900 13 "2019-12-24 09:39:57.366" "18.216.218.204" "sent: 354 ok, send."
2681 "debug" 900 "2019-12-24 09:39:57.507" "adding task asynchronoustask to work queue asynchronous task queue"
2682 "debug" 5764 "2019-12-24 09:39:57.507" "executing task asynchronoustask in work queue asynchronous task queue"
2683 "debug" 5764 "2019-12-24 09:39:57.507" "total spam score: 0"
2684 "debug" 5764 "2019-12-24 09:39:57.507" "executing event onacceptmessage"
2685 "debug" 2480 "2019-12-24 09:40:06.147" "creating session 15"
2686 "tcpip" 2480 "2019-12-24 09:40:06.147" "tcp - 80.82.79.235 connected to 104.217.253.203:25."

Is there a way of identifying the asynch task that might be causing this? Or blocking the domain on first connection? hmail does not start checking rules until the message has been received. I have added procmon to the tasks, maybe that might show something.

It's now recurring every few minutes as different Amazon IPs hit and don't respond. I can't block every Amazon IP 18.128.0.0 - 18.255.255.255 !!
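The sessions quoted in this thread each stop at `sent: 354 ok, send.` with no later smtpd line for that session. As an added example (not part of the original post and not hMailServer code), this Python function scans log lines in the form quoted here and lists sessions left waiting in the DATA phase, grouped by remote IP and session number. The sample log is constructed with documentation addresses, and the function name and 30-second threshold are assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime

# smtpd lines in the form quoted in this thread (leading viewer line number optional):
#   2680 "smtpd" 900 13 "2019-12-24 09:39:57.366" "18.216.218.204" "sent: 354 ok, send."
SMTPD_LINE = re.compile(
    r'"smtpd"\s+\d+\s+(?P<session>\d+)\s+"(?P<ts>[^"]+)"\s+"(?P<ip>[^"]+)"\s+'
    r'"(?P<direction>sent|received): (?P<text>.*)"\s*$',
    re.IGNORECASE,
)
ANY_TIMESTAMP = re.compile(r'"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"')
ADDRESS = re.compile(r'(?:mail from|rcpt to):\s*[<|]?([^>|\s]*)', re.IGNORECASE)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

Stalled = namedtuple("Stalled", "ip session helo mail_from rcpt_to since idle_seconds")


def _new_state():
    return {"helo": None, "mail_from": None, "rcpt_to": [],
            "waiting_since": None, "ended": None}


def find_stalled_data_sessions(lines, min_idle_seconds=30):
    """Return sessions that were sent '354' and then logged nothing more."""
    live, closed, log_end = {}, [], None
    for line in lines:
        stamp = ANY_TIMESTAMP.search(line)
        if stamp:
            seen = datetime.strptime(stamp.group(1), TS_FORMAT)
            log_end = seen if log_end is None else max(log_end, seen)
        m = SMTPD_LINE.search(line)
        if not m:
            continue
        key = (m["ip"], int(m["session"]))
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        sent = m["direction"].lower() == "sent"
        text = m["text"].strip()
        verb = text.lower()

        if sent and verb.startswith("220") and key in live:
            # New banner on a reused session id: the earlier connection is gone.
            live[key]["ended"] = ts
            closed.append((key, live.pop(key)))
        state = live.setdefault(key, _new_state())

        # Any smtpd traffic after the 354 means the DATA phase moved on.
        state["waiting_since"] = None
        if sent and verb.startswith("354"):
            state["waiting_since"] = ts
        elif not sent and verb.startswith(("ehlo ", "helo ")):
            state["helo"] = text.split(None, 1)[1]
        elif not sent and verb.startswith("mail from:"):
            state["mail_from"] = ADDRESS.match(text).group(1)
        elif not sent and verb.startswith("rcpt to:"):
            state["rcpt_to"].append(ADDRESS.match(text).group(1))

    stalled = []
    for (ip, session), st in closed + list(live.items()):
        if st["waiting_since"] is None:
            continue
        idle = ((st["ended"] or log_end) - st["waiting_since"]).total_seconds()
        if idle >= min_idle_seconds:
            stalled.append(Stalled(ip, session, st["helo"], st["mail_from"],
                                   tuple(st["rcpt_to"]), st["waiting_since"], idle))
    return sorted(stalled, key=lambda s: s.since)


# Constructed sample (not from the thread): session 13 stalls after 354,
# session 14 delivers its message and quits.
SAMPLE_LOG = r'''
101 "tcpip" 2480 "2019-12-24 09:39:56.991" "tcp - 192.0.2.10 connected to 198.51.100.5:25."
102 "smtpd" 2480 13 "2019-12-24 09:39:57.007" "192.0.2.10" "sent: 220 mail.example.test"
103 "smtpd" 3620 13 "2019-12-24 09:39:57.069" "192.0.2.10" "received: ehlo sender.example.org"
104 "smtpd" 3620 13 "2019-12-24 09:39:57.116" "192.0.2.10" "received: mail from:|bounce@sender.example.org|"
105 "smtpd" 3620 13 "2019-12-24 09:39:57.241" "192.0.2.10" "sent: 250 ok"
106 "smtpd" 900 13 "2019-12-24 09:39:57.288" "192.0.2.10" "received: rcpt to:|user@example.test|"
107 "smtpd" 900 13 "2019-12-24 09:39:57.288" "192.0.2.10" "sent: 250 ok"
108 "smtpd" 900 13 "2019-12-24 09:39:57.366" "192.0.2.10" "received: data"
109 "smtpd" 900 13 "2019-12-24 09:39:57.366" "192.0.2.10" "sent: 354 ok, send."
110 "debug" 2480 "2019-12-24 09:40:06.147" "creating session 15"
111 "smtpd" 2480 14 "2019-12-24 09:40:06.200" "192.0.2.20" "sent: 220 mail.example.test"
112 "smtpd" 2480 14 "2019-12-24 09:40:06.300" "192.0.2.20" "received: ehlo ok.example.net"
113 "smtpd" 2480 14 "2019-12-24 09:40:06.400" "192.0.2.20" "received: mail from:|news@ok.example.net|"
114 "smtpd" 2480 14 "2019-12-24 09:40:06.500" "192.0.2.20" "sent: 250 ok"
115 "smtpd" 2480 14 "2019-12-24 09:40:06.600" "192.0.2.20" "received: rcpt to:|user@example.test|"
116 "smtpd" 2480 14 "2019-12-24 09:40:06.700" "192.0.2.20" "sent: 250 ok"
117 "smtpd" 2480 14 "2019-12-24 09:40:06.800" "192.0.2.20" "received: data"
118 "smtpd" 2480 14 "2019-12-24 09:40:06.900" "192.0.2.20" "sent: 354 ok, send."
119 "smtpd" 2480 14 "2019-12-24 09:40:07.900" "192.0.2.20" "sent: 250 queued (0.120 seconds)"
120 "smtpd" 2480 14 "2019-12-24 09:40:08.000" "192.0.2.20" "received: quit"
121 "debug" 2480 "2019-12-24 09:41:10.000" "creating session 16"
'''

if __name__ == "__main__":
    for s in find_stalled_data_sessions(SAMPLE_LOG.splitlines()):
        print(f"{s.ip} session {s.session} helo={s.helo} idle {s.idle_seconds:.1f}s after 354")
```

Idle time is measured to the last timestamp in the supplied lines, so run it over a log that extends past the CPU spike being investigated.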

Dravion
Senior user
Posts: 1614
Joined: 2015-09-26 11:50
Location: Germany

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by Dravion » 2019-12-24 13:10

What is this?

2684 "debug" 5764 "2019-12-24 09:39:57.507" "executing event onacceptmessage"

There is something triggered after the Email in question was already received.

NigelRoth
Normal user
Posts: 68
Joined: 2008-09-06 15:12

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by NigelRoth » 2019-12-24 14:52

As I said, it appears to be from a previous msg, but there is no way of knowing and I pointed it out as unusual as other instances have not had this.
The hmail log is not specific enough for items like this, as is the case with the asynch task that seems to be the problem. I repeat - is there any way of identifying which asynch task is called?

In this case, the msg at that time was not added to my database log as should have happened in my onacceptmessage script. However neither was any other at that time.
I have blocked a huge range of Amazon IPs now, hopefully until this is resolved.

palinka
Senior user
Posts: 1562
Joined: 2017-09-12 17:57

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by palinka » 2019-12-24 15:47

I've been following this not very carefully. Correct me if I'm wrong but it appears there are open connections that trigger this issue you're having. Perhaps forcibly disconnecting them could solve your problem?

Hmailserver user RvdH has created a utility for that.

https://d-fault.nl/files

Search the board for instructions on how to use it.

Dravion
Senior user
Posts: 1614
Joined: 2015-09-26 11:50
Location: Germany

Re: WIn Server 2012 R2 Updates causing hMailServer to go 100% CPU

Post by Dravion » 2019-12-24 16:42

NigelRoth wrote:
2019-12-24 14:52
As I said, it appears to be from a previous msg, but there is no way of knowing and I pointed it out as unusual as other instances have not had this.
The hmail log is not specific enough for items like this, as is the case with the asynch task that seems to be the problem. I repeat - is there any way of identifying which asynch task is called?

In this case, the msg at that time was not added to my database log as should have happened in my onacceptmessage script. However neither was any other at that time.
I have blocked a huge range of Amazon IPs now, hopefully until this is resolved.

If you have spiking performance issues while your hMailServer receives Email from a remote SMTP-Server, turn off all VBScripting for Inbound Emails or better turn off
all Scripting for a while. VB-Scripts can do a lot of harm, especially if you mix Asynchronous and Synchronous.

Every VB-Script needs to be interpreted and compiled to binary Machine code Instructions every time the Script is activated.
This can be complex and consumes lots of CPU cycles, especially if you have a lot of RegEx and String matching involved.

The other problem is that hMailServer SMTP uses the Boost C++ framework's ASIO networking library, and all connections (in and out) are NOT processed
synchronously. Asynchronous connections are regularly paused or put on hold while VB-Script operations need to be processed in synchronous fashion, which
causes wait states for VB-Script until Boost ASIO is in a synchronous state and processing can proceed. But the VB-Script host needs
to check for ASIO's readiness, which causes loops that can stress or max out a CPU easily.

Just turn VB-Scripting in hMailAdmin off completely, check for spikes and report back.
