Email Access Logs per domain on a shared VPS server

Discussion in 'E-mail Discussion' started by webmasteryoda, Jul 7, 2017.

  1. webmasteryoda

    webmasteryoda Well-Known Member

    Joined:
    Apr 3, 2013
    Messages:
    93
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Serbia
    cPanel Access Level:
    Root Administrator
    Hello

    I need to filter email access logs per domain on a shared VPS server.

    I need it for a webmail and for pop3/smtp.

    Is there a way to filter it on a domain base, as I have ~80 users on the server?
     
  2. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    720
    Likes Received:
    123
    Trophy Points:
    168
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Just use grep on the following log files:

    /var/log/maillog
    /var/log/exim_mainlog

    Do you have any specific examples of what you are trying to pull? Then we can toss you some examples.
     
  3. webmasteryoda

    webmasteryoda Well-Known Member

    Yes.

    example: office@exampledomain.com

    I need to know who logged in / tried to login to that mail account.
    Via webmail and email client.

    Can you help me with that?
     
  4. Jcats

    Jcats Well-Known Member

    The %40 is your @ sign below:

    Code:
    grep "office%40exampledomain.com" /usr/local/cpanel/logs/access_log |grep login_only
    That will show you the IP using the login form for webmail for that specific email.

    Code:
    grep imap-login /var/log/maillog |grep office@exampledomain.com
    If you look at "rip" that is the remote IP connecting to the mail server via the email client.
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,409
    Likes Received:
    1,955
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    There are no features that provide separate mail access logs for each domain name or account, but you can search the global log for entries related to a specific domain name, as mentioned in the previous post.

    Thank you.
     
  6. webmasteryoda

    webmasteryoda Well-Known Member

    Thanks a lot.

    That helped me.

    One more thing:
    grep imap-login /var/log/maillog |grep office@exampledomain.com
    gave me nothing, so I grepped lmtp and found some logins (my client uses pop3), but there are no IPs, just "msgid" and at the end "saved mail to INBOX".

    And another one:
    Webmail logs are present from 14 June to 07 July. Is there no backup of older logs? (I need it for 09 June.)

    Thanks again
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    You may also want to search the log based on the date/time. For instance, if you find the time of the specific entry, then you could search for all entries around that time with a command such as:

    Code:
    grep "Jul  7 11:" /var/log/maillog
    The /var/log/maillog file is rotated based on your system's log rotation configuration (typically configured through the /etc/logrotate.conf file), so it's possible the older logs have been removed. That said, you could review /var/log directory to see if any archived copies are available (e.g. /var/log/maillog.1).

    Thank you.
     
  8. webmasteryoda

    webmasteryoda Well-Known Member

    Thanks Michael

    There is no rotation for /usr/local/cpanel/logs/access_log

    maillog is rotating, but that doesn't give me access logs for webmail.
     
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Login activity for webmail should still exist in the /var/log/maillog file. EX:

    Code:
    Jul  7 11:48:52 hostname dovecot: imap-login: Login: user=<test1@cptest01.tld>, method=PLAIN, rip=::1, lip=::1, mpid=32500, secured, session=<1234567890>
    Jul  7 11:48:52 hostname dovecot: imap(test1@cptest01.tld): Logged out in=427, out=2247, bytes=427/2247
    Thank you.
     
  10. webmasteryoda

    webmasteryoda Well-Known Member

    Ok, I understand now.
    As far as I saw, there are no access log IPs recorded in maillog (that is what I primarily need).
     
  11. Jcats

    Jcats Well-Known Member

    Yeah, unfortunately maillog won't show you any IP, since the authentication comes from the server, not remotely. Since you cannot go back any further in the cPanel access logs, you are kind of stuck.

    Actually, try checking:

    Code:
    head -1 /usr/local/cpanel/logs/login_log
    Does that go back further?
     
  12. webmasteryoda

    webmasteryoda Well-Known Member

    That gave me this:

    [2017-04-21 21:28:40 +0200] info [whostmgrd] xx.xxx.xxx.xxx - root "GET /3rdparty/cloudlinux/lve_ext_scritps.js HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing
     
  13. Jcats

    Jcats Well-Known Member

    Yeah, so that is a good thing since it goes back further: you can now grep via that log, since you require it to go back to June 9th and that log goes back to April. That would only show you webmail though, but you can simply do

    Code:
    grep office@exampledomain.com  /usr/local/cpanel/logs/login_log
     
  14. webmasteryoda

    webmasteryoda Well-Known Member

    Bingo!

    [2017-06-09 17:08:58 +0200] info [webmaild] xx.xxx.xxx.xx - office@exampledomain.com "GET /cpsess3817214300/webmail/paper_lantern/mail/filters/editfilter.html?account=&filtername=anotherexampledomain.com HTTP/1.1" FAILED LOGIN webmaild: cookie ip check: IP address has changed

    I suspect that this is the user whom I was looking for. His IP was changed; maybe he was using Tor or something similar?
    He was logged in to exampledomain.com webmail. And anotherexampledomain.com is the one which is misused to fake email communication.
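
    The two log formats quoted in this thread (Dovecot's imap-login/pop3-login lines in /var/log/maillog and the webmaild entries in /usr/local/cpanel/logs/login_log) parsed together for one mailbox, as an added example that is not part of the original thread; the sample lines, addresses and IPs are constructed, and only Dovecot's *-login lines carry a remote IP, so the imap(...)/lmtp lines the thread mentions are skipped.

```python
import re
from collections import defaultdict
# Constructed sample lines (documentation-range IPs, made-up addresses) in the two
# formats the thread greps: Dovecot /var/log/maillog and cPanel login_log.
SAMPLE_MAILLOG = """\
Jul  7 11:48:52 host dovecot: imap-login: Login: user=<office@exampledomain.com>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, mpid=32500, TLS, session=<s1>
Jul  7 11:49:01 host dovecot: pop3-login: Login: user=<office@exampledomain.com>, method=PLAIN, rip=203.0.113.11, lip=198.51.100.5, mpid=32501, TLS, session=<s2>
Jul  7 11:50:15 host dovecot: imap-login: Login: user=<other@exampledomain.com>, method=PLAIN, rip=203.0.113.12, lip=198.51.100.5, mpid=32502, TLS, session=<s3>
Jul  7 11:51:02 host dovecot: imap(office@exampledomain.com): Logged out in=427, out=2247, bytes=427/2247
"""
SAMPLE_LOGIN_LOG = """\
[2017-06-09 17:08:58 +0200] info [webmaild] 203.0.113.20 - office@exampledomain.com "GET /webmail/ HTTP/1.1" FAILED LOGIN webmaild: cookie ip check: IP address has changed
[2017-06-09 17:12:03 +0200] info [webmaild] 203.0.113.11 - office@exampledomain.com "GET /webmail/ HTTP/1.1" DEFERRED LOGIN webmaild: security token missing
[2017-06-09 17:15:44 +0200] info [whostmgrd] 203.0.113.30 - root "GET / HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing
"""

# Only Dovecot's *-login lines carry rip= (the remote IP); imap(...)/lmtp lines do not.
DOVECOT_RE = re.compile(
    r"dovecot: (?P<svc>imap|pop3)-login: Login: user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[^,]+)")
CPANEL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \w+ \[(?P<svc>\w+)\] (?P<ip>\S+) - (?P<user>\S+) "
    r'"[^"]*" (?P<status>[A-Z]+ LOGIN)')

def mail_logins(maillog_text, address):
    """(service, remote_ip) for each Dovecot IMAP/POP3 login of `address`."""
    hits = []
    for line in maillog_text.splitlines():
        m = DOVECOT_RE.search(line)
        if m and m.group("user").lower() == address.lower():
            hits.append((m.group("svc"), m.group("rip")))
    return hits

def webmail_logins(login_log_text, address):
    """(timestamp, ip, status) for each cPanel login_log entry of `address`."""
    hits = []
    for line in login_log_text.splitlines():
        m = CPANEL_RE.match(line)
        if m and m.group("user").lower() == address.lower():
            hits.append((m.group("ts"), m.group("ip"), m.group("status")))
    return hits

def ips_by_source(maillog_text, login_log_text, address):
    """Remote IPs that touched `address`, mapped to the log sources they appeared in."""
    seen = defaultdict(set)
    for svc, ip in mail_logins(maillog_text, address):
        seen[ip].add(svc)
    for _ts, ip, status in webmail_logins(login_log_text, address):
        seen[ip].add("webmail:" + status.split()[0].lower())
    return dict(seen)
```

    On a real server, read the two files into `maillog_text` and `login_log_text` (the login_log is not rotated, so it reaches further back than maillog, as the thread found).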
     
  15. Jcats

    Jcats Well-Known Member

    Could be many reasons but that is one.

    I wouldn't bother trying to block by IPs, as if it was malicious there are thousands and thousands of other IPs attackers can use; you would be better off just changing the password to something much stronger than what it was originally.
     
  16. webmasteryoda

    webmasteryoda Well-Known Member

    Sure.

    It's a cPHulk thing and a Config Server Firewall thing.
    But you are right to suggest changing the password to a stronger one.
    That particular account is very old, and it was migrated from server to server, so the easy password remained throughout that process.
    This is off-topic, but I am 100% sure that the password was not brute-forced. It must have been acquired from an infected Windows computer.
     