Email Access Logs per domain on a shared VPS server

webmasteryoda · Jul 7, 2017

Hello

I need to filter email access logs per domain on a shared VPS server.

I need it for a webmail and for pop3/smtp.

Is there a way to filter it on a domain base, as I have ~80 users on the server?

Jcats · Jul 7, 2017

Just use grep on the following log files:

/var/log/maillog
/var/log/exim_mainlog

Do you have any specific examples on what you are trying to pull, then we can toss you some examples.

webmasteryoda · Jul 7, 2017

Yes.

example: office@exampledomain.com

I need to know who logged in / tried to login to that mail account.
Via webmail and email client.

Can you help me with that?

Jcats · Jul 7, 2017

webmasteryoda said: ↑

Via webmail
Click to expand...

The %40 is your @ sign below:
Code:
grep "office%40exampledomain.com" /usr/local/cpanel/logs/access_log |grep login_only
That will show you the IP using the login form for webmail for that specific email.

webmasteryoda said: ↑

email client
Click to expand...
Code:
grep imap-login /var/log/maillog |grep office@exampledomain.com
If you look at "rip" that is the remote IP connecting to the mail server via the email client.

cPanelMichael · Jul 7, 2017

Hello,

There are no features that provide separate mail access logs for each domain name or account, but you can search the global log for entries related to a specific domain name, as mentioned in the previous post.

Thank you.

webmasteryoda · Jul 7, 2017

Jcats said: ↑
The %40 is your @ sign below:
Code:
grep "office%40exampledomain.com" /usr/local/cpanel/logs/access_log |grep login_only
That will show you the IP using the login form for webmail for that specific email.
Code:
grep imap-login /var/log/maillog |grep office@exampledomain.com
If you look at "rip" that is the remote IP connecting to the mail server via the email client.
Click to expand...
Thanks a lot.

That helped me.

One more thing:
grep imap-login /var/log/maillog |grep office@exampledomain.com
gave me nothing, so I grepped lmtp and found some logins (my client uses pop3), but there is no IPs, just "msgid" and at the end "saved mail to INBOX".

And another one:
Webmail logs are present from 14. june to 07. july. There is no older logs backup? (I need it for 09. jun).

Thanks again

cPanelMichael · Jul 7, 2017

webmasteryoda said: ↑

One more thing:
grep imap-login /var/log/maillog |grep office@exampledomain.com
gave me nothing, so I grepped lmtp and found some logins (my client uses pop3), but there is no IPs, just "msgid" and at the end "saved mail to INBOX".
Click to expand...

You may also want to search the log based on the date/time. For instance, if you find the time of the specific entry, then you could search for all entries around that time with a command such as:
Code:
grep "Jul  7 11:" /var/log/maillog
webmasteryoda said: ↑

Webmail logs are present from 14. june to 07. july. There is no older logs backup? (I need it for 09. jun).
Click to expand...

The /var/log/maillog file is rotated based on your system's log rotation configuration (typically configured through the /etc/logrotate.conf file), so it's possible the older logs have been removed. That said, you could review /var/log directory to see if any archived copies are available (e.g. /var/log/maillog.1).

Thank you.

webmasteryoda · Jul 7, 2017

Thanks Michael

There is no rotation for /usr/local/cpanel/logs/access_log

maillog is rotating, but that doesnt give me access logs for webmail.

cPanelMichael · Jul 7, 2017

webmasteryoda said: ↑

maillog is rotating, but that doesnt give me access logs for webmail.
Click to expand...

Login activity for webmail should still exist in the /var/log/maillog file. EX:
Code:
Jul  7 11:48:52 hostname dovecot: imap-login: Login: user=<test1@cptest01.tld>, method=PLAIN, rip=::1, lip=::1, mpid=32500, secured, session=<1234567890>
Jul  7 11:48:52 hostname dovecot: imap(test1@cptest01.tld): Logged out in=427, out=2247, bytes=427/2247
Thank you.

webmasteryoda · Jul 7, 2017

Ok, I understand now.
As far as I saw, there are no access log IPs recorded in maillog (that is what I primarily need)

Jcats · Jul 7, 2017

Yeah unfortuntely maillog won't show you any IP since the authentication comes from the server, not remotely, since you cannot go back any further in the cPanel access logs, you are kind of stuck.

Actually, try checking:
Code:
head -1 /usr/local/cpanel/logs/login_log
Does that go back further?

webmasteryoda · Jul 7, 2017

Jcats said: ↑
Yeah unfortuntely maillog won't show you any IP since the authentication comes from the server, not remotely, since you cannot go back any further in the cPanel access logs, you are kind of stuck.

Actually, try checking:
Code:
head -1 /usr/local/cpanel/logs/login_log
Does that go back further?
Click to expand...
That gave me this:

[2017-04-21 21:28:40 +0200] info [whostmgrd] xx.xxx.xxx.xxx - root "GET /3rdparty/cloudlinux/lve_ext_scritps.js HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing

Jcats · Jul 7, 2017

Yeah so that is a good thing since it goes back further, so you can now grep via that log since you require it to go back to June 9th which that goes back to April. That would only show you webmail though, but you can simply do
Code:
grep office@exampledomain.com  /usr/local/cpanel/logs/login_log

webmasteryoda · Jul 7, 2017

Bingo!

[2017-06-09 17:08:58 +0200] info [webmaild] xx.xxx.xxx.xx - office@exampledomain.com "GET /cpsess3817214300/webmail/paper_lantern/mail/filters/editfilter.html?account=&filtername=anotherexampledomain.com HTTP/1.1" FAILED LOGIN webmaild: cookie ip check: IP address has changed

I suspect that this is the user whom I was looking for. His IP was changed, maybe he was using Thor or something similar?
He was logged in to exampledomain.com webmail. And anotherexampledomain.com is the one which is misused to fake email communication.

Jcats · Jul 7, 2017

Could be many reasons but that is one.

I wouldn't bother trying to block by IP's as if it was malicious there are thousands and thousands of other IP's attackers can use, you would be better off just changing the password to something much stronger than what it was originally.

webmasteryoda · Jul 7, 2017

Sure.

Its cPHulk thing and Config Server Firewall thing.
But you are right for suggesting the password change to a stronger one.
That particular account is very old, and it was migrating from server to server, so easy password remained throughout that process.
This is offtopic, but I am 100% sure that password is not brute-forced. It must have been aquired from the infected windows computer.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Email Access Logs per domain on a shared VPS server

webmasteryoda Well-Known Member

Jcats Well-Known Member

webmasteryoda Well-Known Member

Jcats Well-Known Member

cPanelMichael Technical Support Community Manager
Staff Member

webmasteryoda Well-Known Member

cPanelMichael Technical Support Community Manager
Staff Member

webmasteryoda Well-Known Member

cPanelMichael Technical Support Community Manager
Staff Member

webmasteryoda Well-Known Member

Jcats Well-Known Member

webmasteryoda Well-Known Member

Jcats Well-Known Member

webmasteryoda Well-Known Member

Jcats Well-Known Member

webmasteryoda Well-Known Member

Can My Hosting Provider Access my Email Accounts?

Moved Website to WIX, Cannot Access Email

Access Email on Separate Server?

Disable access to all users email accounts?

Allow Email Access from specific IP only, block everyone else

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Email Access Logs per domain on a shared VPS server

webmasteryoda Well-Known Member

Jcats Well-Known Member

webmasteryoda Well-Known Member

Jcats Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

webmasteryoda Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

webmasteryoda Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

webmasteryoda Well-Known Member

Jcats Well-Known Member

webmasteryoda Well-Known Member

Jcats Well-Known Member

webmasteryoda Well-Known Member

Jcats Well-Known Member

webmasteryoda Well-Known Member

Can My Hosting Provider Access my Email Accounts?

Moved Website to WIX, Cannot Access Email

Access Email on Separate Server?

Disable access to all users email accounts?

Allow Email Access from specific IP only, block everyone else

Share This Page

cPanelMichael Technical Support Community Manager
Staff Member

cPanelMichael Technical Support Community Manager
Staff Member

cPanelMichael Technical Support Community Manager
Staff Member