Email Access Logs per domain on a shared VPS server

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
New Jersey
cPanel Access Level
DataCenter Provider
Just use grep on the following log files:

/var/log/maillog
/var/log/exim_mainlog

Do you have any specific examples on what you are trying to pull, then we can toss you some examples.

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
New Jersey
cPanel Access Level
DataCenter Provider
Via webmail
The %40 is your @ sign below:

Code:
grep "office%40exampledomain.com" /usr/local/cpanel/logs/access_log |grep login_only
That will show you the IP using the login form for webmail for that specific email.

email client
Code:
grep imap-login /var/log/maillog | grep -F '[email protected]'
If you look at "rip" that is the remote IP connecting to the mail server via the email client.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

There are no features that provide separate mail access logs for each domain name or account, but you can search the global log for entries related to a specific domain name, as mentioned in the previous post.

Thank you.

webmasteryoda

Well-Known Member
Apr 3, 2013
Serbia
cPanel Access Level
Root Administrator
The %40 is your @ sign below:

Code:
grep "office%40exampledomain.com" /usr/local/cpanel/logs/access_log |grep login_only
That will show you the IP using the login form for webmail for that specific email.



Code:
grep imap-login /var/log/maillog | grep -F '[email protected]'
If you look at "rip" that is the remote IP connecting to the mail server via the email client.
Thanks a lot.

That helped me.

One more thing:
grep imap-login /var/log/maillog |grep [email protected]
gave me nothing, so I grepped lmtp and found some logins (my client uses pop3), but there are no IPs, just "msgid" and at the end "saved mail to INBOX".

And another one:
Webmail logs are present from 14 June to 07 July. Are there no backups of the older logs? (I need them for 09 June.)

Thanks again

cPanelMichael

Administrator
Staff member
Apr 11, 2011
One more thing:
grep imap-login /var/log/maillog |grep [email protected]
gave me nothing, so I grepped lmtp and found some logins (my client uses pop3), but there are no IPs, just "msgid" and at the end "saved mail to INBOX".
You may also want to search the log based on the date/time. For instance, if you find the time of the specific entry, then you could search for all entries around that time with a command such as:

Code:
grep "Jul  7 11:" /var/log/maillog
Webmail logs are present from 14 June to 07 July. Are there no backups of the older logs? (I need them for 09 June.)
The /var/log/maillog file is rotated based on your system's log rotation configuration (typically configured through the /etc/logrotate.conf file), so it's possible the older logs have been removed. That said, you could review the /var/log directory to see if any archived copies are available (e.g. /var/log/maillog.1).

Thank you.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
maillog is rotating, but that doesn't give me access logs for webmail.
Login activity for webmail should still exist in the /var/log/maillog file. EX:

Code:
Jul  7 11:48:52 hostname dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=32500, secured, session=<1234567890>
Jul  7 11:48:52 hostname dovecot: imap([email protected]): Logged out in=427, out=2247, bytes=427/2247
Thank you.

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
New Jersey
cPanel Access Level
DataCenter Provider
Yeah, unfortunately maillog won't show you any IP, since the authentication comes from the server, not remotely. Since you cannot go back any further in the cPanel access logs, you are kind of stuck.

Actually, try checking:

Code:
head -1 /usr/local/cpanel/logs/login_log
Does that go back further?

webmasteryoda

Well-Known Member
Apr 3, 2013
Serbia
cPanel Access Level
Root Administrator
Yeah, unfortunately maillog won't show you any IP, since the authentication comes from the server, not remotely. Since you cannot go back any further in the cPanel access logs, you are kind of stuck.

Actually, try checking:

Code:
head -1 /usr/local/cpanel/logs/login_log
Does that go back further?
That gave me this:

[2017-04-21 21:28:40 +0200] info [whostmgrd] xx.xxx.xxx.xxx - root "GET /3rdparty/cloudlinux/lve_ext_scritps.js HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
New Jersey
cPanel Access Level
DataCenter Provider
Yeah, so that is a good thing since it goes back further: you need to go back to June 9th, and that log goes back to April, so you can now grep that log. That would only show you webmail though, but you can simply do

Code:
grep -F '[email protected]' /usr/local/cpanel/logs/login_log
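As an added example (not code from the thread or from cPanel), here is a small POSIX shell script that pulls the client IPs for one mailbox out of the two formats discussed above: dovecot imap-login/pop3-login lines in /var/log/maillog and webmaild entries in /usr/local/cpanel/logs/login_log. The log lines, IPs and account name are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: extract remote IPs for one mailbox from the two log formats in the
# thread. The sample lines below are constructed for the demo, not real log data.
ACCOUNT="office@exampledomain.com"

SAMPLE_MAILLOG='Jul  7 11:48:52 host dovecot: imap-login: Login: user=<office@exampledomain.com>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, mpid=32500, TLS, session=<a1>
Jul  7 11:50:01 host dovecot: pop3-login: Login: user=<office@exampledomain.com>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.5, mpid=32510, TLS, session=<b2>
Jul  7 11:51:13 host dovecot: imap-login: Login: user=<other@exampledomain.com>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.5, mpid=32520, TLS, session=<c3>
Jul  7 11:52:00 host dovecot: lmtp(4242): msgid=<x@exampledomain.com>: saved mail to INBOX'

SAMPLE_LOGIN_LOG='[2017-06-09 17:08:58 +0200] info [webmaild] 198.51.100.7 - office@exampledomain.com "GET /webmail/ HTTP/1.1" FAILED LOGIN webmaild: cookie ip check: IP address has changed
[2017-06-09 17:09:30 +0200] info [webmaild] 203.0.113.77 - office@exampledomain.com "POST /login/ HTTP/1.1" NEW LOGIN webmaild: constructed sample
[2017-06-09 18:00:00 +0200] info [whostmgrd] 192.0.2.44 - root "GET / HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing'

# Dovecot: both imap-login and pop3-login lines carry rip=<remote IP>; lmtp delivery
# lines never do, which is why grepping only imap-login comes up empty for a POP3 client.
# Output: "<ip> <protocol>" per login of the given mailbox.
dovecot_login_ips() {
  awk -v u="user=<$1>," '/ dovecot: (imap|pop3)-login: Login: / && index($0, u) {
    proto = $6; sub(/-login:$/, "", proto)
    for (i = 1; i <= NF; i++) if ($i ~ /^rip=/) { ip = substr($i, 5); sub(/,$/, "", ip) }
    print ip, proto
  }'
}

# cPanel login_log: field 6 is the client IP, field 8 the account; the status words
# (NEW/FAILED/DEFERRED LOGIN) follow the quoted request line. Output: "<ip> <status>".
cpanel_login_events() {
  awk -v u="$1" '$8 == u {
    st = $0
    sub(/.*HTTP\/[0-9.]+" /, "", st)   # drop everything up to the request line
    sub(/ [a-z]+d:.*/, "", st)          # drop the "webmaild: ..." detail
    print $6, st
  }'
}

# Distinct client IPs, one per line, from the output of either function above.
distinct_ips() { awk '{ print $1 }' | sort -u; }

printf '%s\n' "$SAMPLE_MAILLOG" | dovecot_login_ips "$ACCOUNT"
printf '%s\n' "$SAMPLE_LOGIN_LOG" | cpanel_login_events "$ACCOUNT"
```

On a real server, replace the printf of the samples with the log file, e.g. `dovecot_login_ips "$ACCOUNT" < /var/log/maillog`, and include the rotated copies (maillog.1 and so on) when the date you need is older than the current file.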

webmasteryoda

Well-Known Member
Apr 3, 2013
Serbia
cPanel Access Level
Root Administrator
Bingo!

[2017-06-09 17:08:58 +0200] info [webmaild] xx.xxx.xxx.xx - [email protected] "GET /cpsess3817214300/webmail/paper_lantern/mail/filters/editfilter.html?account=&filtername=anotherexampledomain.com HTTP/1.1" FAILED LOGIN webmaild: cookie ip check: IP address has changed

I suspect that this is the user whom I was looking for. His IP was changed; maybe he was using Tor or something similar?
He was logged in to exampledomain.com webmail. And anotherexampledomain.com is the one which is misused to fake email communication.

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
New Jersey
cPanel Access Level
DataCenter Provider
Could be many reasons but that is one.

I wouldn't bother trying to block by IPs, as if it was malicious there are thousands and thousands of other IPs attackers can use; you would be better off just changing the password to something much stronger than what it was originally.

webmasteryoda

Well-Known Member
Apr 3, 2013
Serbia
cPanel Access Level
Root Administrator
Sure.

It's a cPHulk thing and a Config Server Firewall thing.
But you are right to suggest changing the password to a stronger one.
That particular account is very old, and it was migrated from server to server, so the easy password remained throughout that process.
This is off-topic, but I am 100% sure that the password was not brute-forced. It must have been acquired from the infected Windows computer.