Logs To Find IP That Checks Specific POP Account

[orty]

Hello there,

Have a client on my server that using using POP to check an email account , downloading the messages (tried to get him to move to IMAP, no dice). Over the years, he's setup a few computers to check that same account, though he'd shut them all off, and now he's complaining that when folks e-mail him, he's not getting it. I have a gut feeling that there is some other computer out there that's checking the account and downloading the messages so that they aren't accessible from the computers he wants to check it on.

I've changed the account's password so that the computers in his office can be set-up to use that password, but is there any simple report/script to look at or help parse the logs and see what IPs are trying to check the POP account user@domain.com? I'm using ConfigServer's MailScanner FE setup that includes MailWatch, so maybe there's a report in there, I don't know, but the logs in /var/log/maillog probably have what I need, just wanted to know if anybody knows an easy way to parse it down (as generally the only time I look at that log is when something's not working right).

Thanks!
-jake

[cPanelDon]

Hello there,

Have a client on my server that using using POP to check an email account , downloading the messages (tried to get him to move to IMAP, no dice). Over the years, he's setup a few computers to check that same account, though he'd shut them all off, and now he's complaining that when folks e-mail him, he's not getting it. I have a gut feeling that there is some other computer out there that's checking the account and downloading the messages so that they aren't accessible from the computers he wants to check it on.

I've changed the account's password so that the computers in his office can be set-up to use that password, but is there any simple report/script to look at or help parse the logs and see what IPs are trying to check the POP account user@domain.com? I'm using ConfigServer's MailScanner FE setup that includes MailWatch, so maybe there's a report in there, I don't know, but the logs in /var/log/maillog probably have what I need, just wanted to know if anybody knows an easy way to parse it down (as generally the only time I look at that log is when something's not working right).

Thanks!
-jake

The log file at "/var/log/maillog" is the correct place to look, as you indicated. I recommend trying a simple search using grep, as seen below:

Code:

# grep -Hin "user@domain.tld" /var/log/maillog

The output from grep, at least if using Dovecot, should include both the IP addresses and number of bytes transferred (on two separate lines).

[orty]

That did it. Thanks! He indeed had IPs from all over checking that account, mostly Google, which means he probably setup an Android phone or Gmail account to check that account and completely forgot about it.

I'll be able to get this client off my back now, as I think he was totally convinced I was doing this to screw with him (as I'm the payroll of one of their competitors as well).

[furquan]

Hello Guys !!

I am in need of the same information but require a little more in-depth details from the logs.

I need to extract the pop logs along with TO or FROM or SUBJECT variables... ( which ever possible )

Can this be done too ?

[cPanelDon]

Hello Guys !!

I am in need of the same information but require a little more in-depth details from the logs.

I need to extract the pop logs along with TO or FROM or SUBJECT variables... ( which ever possible )

Can this be done too ?

It would require that the IMAP/POP server be configured to log additional information where available. I believe this may be possible using Dovecot and its included mail_log plug-in to verbosely expand the level of detail logged for including very specific information (such as the e-mail Subject header): Plugins/MailLog - Dovecot Wiki and Re: [Dovecot] Logging subjects of messages

To determine if your mail server is Courier or Dovecot, access WebHost Manager (WHM) via the following menu path or enter the following command via root SSH access:

• WHM: Main >> Service Configuration >> Mailserver Selection
• Code:

  # /scripts/setupmailserver --current

WHM may be used to switch from Courier to Dovecot, if needed, or the following command can be used to switch via root SSH access:

Code:

# /scripts/setupmailserver dovecot

Additional reference:

• Help information for the aforementioned script:
  
  Code:

  # /scripts/setupmailserver --help

• Dovecot configuration file path:
  
  Code:

  /etc/dovecot.conf

• Commands to save a backup copy of Dovecot configurations:
  
  Code:

  # cp -pv /etc/dovecot.conf /etc/dovecot.conf.backup
  # cp -pv /var/cpanel/conf/dovecot/main /var/cpanel/conf/dovecot/main.backup

[furquan]

Thank you for your detailed response CpanelDon highly appreciate the same.

I am currently using Courier, do you suggest we shift to Devcot ? is it advisable ?

Please suggest !!

[cPanelDon]

Thank you for your detailed response CpanelDon highly appreciate the same.

I am currently using Courier, do you suggest we shift to Devcot ? is it advisable ?

Please suggest !!

Both Courier and Dovecot work well in my opinion; I believe it depends on the specific needs involved. To the best of my knowledge Dovecot is the current default selection for new installations. For reference, WebHost Manager (WHM) includes a comparison of key differences between Courier and Dovecot; this information is accessible via the following menu path (while logged-in as "root"): WHM: Main >> Service Configuration >> Mailserver Selection