Email Access Logs per domain on a shared VPS server

[webmasteryoda]

Hello

I need to filter email access logs per domain on a shared VPS server.

I need it for a webmail and for pop3/smtp.

Is there a way to filter it on a domain base, as I have ~80 users on the server?

 

[Jcats]

Just use grep on the following log files:

/var/log/maillog
/var/log/exim_mainlog

Do you have any specific examples on what you are trying to pull, then we can toss you some examples.

 

[webmasteryoda]

Yes.

example: [email protected]

I need to know who logged in / tried to login to that mail account.
Via webmail and email client.

Can you help me with that?

 

[Jcats]

Via webmail

The %40 is your @ sign below:

grep "office%40exampledomain.com" /usr/local/cpanel/logs/access_log |grep login_only

That will show you the IP using the login form for webmail for that specific email.

email client

grep imap-login /var/log/maillog |grep [email protected]

If you look at "rip" that is the remote IP connecting to the mail server via the email client.

 

[cPanelMichael]

Hello,

There are no features that provide separate mail access logs for each domain name or account, but you can search the global log for entries related to a specific domain name, as mentioned in the previous post.

Thank you.

 

[webmasteryoda]

The %40 is your @ sign below:

grep "office%40exampledomain.com" /usr/local/cpanel/logs/access_log |grep login_only

That will show you the IP using the login form for webmail for that specific email.

grep imap-login /var/log/maillog |grep [email protected]

If you look at "rip" that is the remote IP connecting to the mail server via the email client.

Thanks a lot.

That helped me.

One more thing:
grep imap-login /var/log/maillog |grep [email protected]
gave me nothing, so I grepped lmtp and found some logins (my client uses pop3), but there is no IPs, just "msgid" and at the end "saved mail to INBOX".

And another one:
Webmail logs are present from 14. june to 07. july. There is no older logs backup? (I need it for 09. jun).

Thanks again

 

[cPanelMichael]

One more thing:
grep imap-login /var/log/maillog |grep [email protected]
gave me nothing, so I grepped lmtp and found some logins (my client uses pop3), but there is no IPs, just "msgid" and at the end "saved mail to INBOX".

You may also want to search the log based on the date/time. For instance, if you find the time of the specific entry, then you could search for all entries around that time with a command such as:

grep "Jul  7 11:" /var/log/maillog

Webmail logs are present from 14. june to 07. july. There is no older logs backup? (I need it for 09. jun).

The /var/log/maillog file is rotated based on your system's log rotation configuration (typically configured through the /etc/logrotate.conf file), so it's possible the older logs have been removed. That said, you could review /var/log directory to see if any archived copies are available (e.g. /var/log/maillog.1).

Thank you.

 

[webmasteryoda]

Thanks Michael

There is no rotation for /usr/local/cpanel/logs/access_log

maillog is rotating, but that doesnt give me access logs for webmail.

 

[cPanelMichael]

maillog is rotating, but that doesnt give me access logs for webmail.

Login activity for webmail should still exist in the /var/log/maillog file. EX:

Jul  7 11:48:52 hostname dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=32500, secured, session=<1234567890>
Jul  7 11:48:52 hostname dovecot: imap([email protected]): Logged out in=427, out=2247, bytes=427/2247

Thank you.

 

[webmasteryoda]

Ok, I understand now.
As far as I saw, there are no access log IPs recorded in maillog (that is what I primarily need)

 

[Jcats]

Yeah unfortuntely maillog won't show you any IP since the authentication comes from the server, not remotely, since you cannot go back any further in the cPanel access logs, you are kind of stuck.

Actually, try checking:

head -1 /usr/local/cpanel/logs/login_log

Does that go back further?

 

[webmasteryoda]

Yeah unfortuntely maillog won't show you any IP since the authentication comes from the server, not remotely, since you cannot go back any further in the cPanel access logs, you are kind of stuck.

Actually, try checking:

head -1 /usr/local/cpanel/logs/login_log

Does that go back further?

That gave me this:

[2017-04-21 21:28:40 +0200] info [whostmgrd] xx.xxx.xxx.xxx - root "GET /3rdparty/cloudlinux/lve_ext_scritps.js HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing

 

[Jcats]

Yeah so that is a good thing since it goes back further, so you can now grep via that log since you require it to go back to June 9th which that goes back to April. That would only show you webmail though, but you can simply do

grep [email protected]  /usr/local/cpanel/logs/login_log

 

[webmasteryoda]

Bingo!

[2017-06-09 17:08:58 +0200] info [webmaild] xx.xxx.xxx.xx - [email protected] "GET /cpsess3817214300/webmail/paper_lantern/mail/filters/editfilter.html?account=&filtername=anotherexampledomain.com HTTP/1.1" FAILED LOGIN webmaild: cookie ip check: IP address has changed

I suspect that this is the user whom I was looking for. His IP was changed, maybe he was using Thor or something similar?
He was logged in to exampledomain.com webmail. And anotherexampledomain.com is the one which is misused to fake email communication.

 

[Jcats]

Could be many reasons but that is one.

I wouldn't bother trying to block by IP's as if it was malicious there are thousands and thousands of other IP's attackers can use, you would be better off just changing the password to something much stronger than what it was originally.

 

[webmasteryoda]

Sure.

Its cPHulk thing and Config Server Firewall thing.
But you are right for suggesting the password change to a stronger one.
That particular account is very old, and it was migrating from server to server, so easy password remained throughout that process.
This is offtopic, but I am 100% sure that password is not brute-forced. It must have been aquired from the infected windows computer.