Email Access Logs per domain on a shared VPS server

Discussion in 'E-mail Discussions' started by webmasteryoda, Jul 7, 2017.

  1. webmasteryoda

    webmasteryoda Well-Known Member

    Joined:
    Apr 3, 2013
    Messages:
    88
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Serbia
    cPanel Access Level:
    Root Administrator
    Hello

    I need to filter email access logs per domain on a shared VPS server.

    I need it for a webmail and for pop3/smtp.

    Is there a way to filter it on a domain base, as I have ~80 users on the server?
     
  2. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    599
    Likes Received:
    92
    Trophy Points:
    153
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Just use grep on the following log files:

    /var/log/maillog
    /var/log/exim_mainlog

    Do you have any specific examples of what you are trying to pull? Then we can toss you some examples.
     
  3. webmasteryoda

    webmasteryoda Well-Known Member

    Yes.

    example: office@exampledomain.com

    I need to know who logged in / tried to login to that mail account.
    Via webmail and email client.

    Can you help me with that?
     
  4. Jcats

    Jcats Well-Known Member

    The %40 is your @ sign below:

    Code:
    grep "office%40exampledomain.com" /usr/local/cpanel/logs/access_log |grep login_only
    That will show you the IP using the login form for webmail for that specific email.

    Code:
    grep imap-login /var/log/maillog |grep office@exampledomain.com
    If you look at "rip" that is the remote IP connecting to the mail server via the email client.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    There are no features that provide separate mail access logs for each domain name or account, but you can search the global log for entries related to a specific domain name, as mentioned in the previous post.

    Thank you.
     
  6. webmasteryoda

    webmasteryoda Well-Known Member

    Thanks a lot.

    That helped me.

    One more thing:
    grep imap-login /var/log/maillog |grep office@exampledomain.com
    gave me nothing, so I grepped lmtp and found some logins (my client uses pop3), but there are no IPs, just "msgid" and at the end "saved mail to INBOX".

    And another one:
    Webmail logs are present from 14 June to 7 July. Is there no backup of older logs? (I need it for 9 June.)

    Thanks again
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You may also want to search the log based on the date/time. For instance, if you find the time of the specific entry, then you could search for all entries around that time with a command such as:

    Code:
    grep "Jul  7 11:" /var/log/maillog
    The /var/log/maillog file is rotated based on your system's log rotation configuration (typically configured through the /etc/logrotate.conf file), so it's possible the older logs have been removed. That said, you could review /var/log directory to see if any archived copies are available (e.g. /var/log/maillog.1).

    Thank you.
     
  8. webmasteryoda

    webmasteryoda Well-Known Member

    Thanks Michael

    There is no rotation for /usr/local/cpanel/logs/access_log

    maillog is rotating, but that doesn't give me access logs for webmail.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Login activity for webmail should still exist in the /var/log/maillog file. EX:

    Code:
    Jul  7 11:48:52 hostname dovecot: imap-login: Login: user=<test1@cptest01.tld>, method=PLAIN, rip=::1, lip=::1, mpid=32500, secured, session=<1234567890>
    Jul  7 11:48:52 hostname dovecot: imap(test1@cptest01.tld): Logged out in=427, out=2247, bytes=427/2247
    Thank you.
     
  10. webmasteryoda

    webmasteryoda Well-Known Member

    Ok, I understand now.
    As far as I saw, there are no access log IPs recorded in maillog (that is what I primarily need).
     
  11. Jcats

    Jcats Well-Known Member

    Yeah, unfortunately maillog won't show you any IP since the authentication comes from the server, not remotely. Since you cannot go back any further in the cPanel access logs, you are kind of stuck.

    Actually, try checking:

    Code:
    head -1 /usr/local/cpanel/logs/login_log
    Does that go back further?
     
  12. webmasteryoda

    webmasteryoda Well-Known Member

    That gave me this:

    [2017-04-21 21:28:40 +0200] info [whostmgrd] xx.xxx.xxx.xxx - root "GET /3rdparty/cloudlinux/lve_ext_scritps.js HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing
     
  13. Jcats

    Jcats Well-Known Member

    Yeah, so that is a good thing since it goes back further; you can now grep that log, since you require it to go back to June 9th and that log goes back to April. That would only show you webmail though, but you can simply do:

    Code:
    grep office@exampledomain.com /usr/local/cpanel/logs/login_log
     
  14. webmasteryoda

    webmasteryoda Well-Known Member

    Bingo!

    [2017-06-09 17:08:58 +0200] info [webmaild] xx.xxx.xxx.xx - office@exampledomain.com "GET /cpsess3817214300/webmail/paper_lantern/mail/filters/editfilter.html?account=&filtername=anotherexampledomain.com HTTP/1.1" FAILED LOGIN webmaild: cookie ip check: IP address has changed

    I suspect that this is the user whom I was looking for. His IP was changed; maybe he was using Tor or something similar?
    He was logged in to exampledomain.com webmail. And anotherexampledomain.com is the one which is misused to fake email communication.
     
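As an added example (not from this thread, and not cPanel's or dovecot's own code), a small Python parser that pulls the per-mailbox login attempts and client IPs out of the two log formats quoted above (the dovecot imap-login/pop3-login lines from /var/log/maillog and the entries in /usr/local/cpanel/logs/login_log), and shows the %40 form of the address needed when grepping access_log. The sample log lines are constructed; hostnames, IPs, session ids and the "NEW LOGON" success line are assumptions, not lines from the thread.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample lines in the shapes quoted in this thread; hosts, IPs, session ids
# and the "NEW LOGON" success line are made up for the example.
MAILLOG = """\
Jul  7 11:48:52 host dovecot: imap-login: Login: user=<office@exampledomain.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, mpid=32500, TLS, session=<a1>
Jul  7 11:50:01 host dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<office@exampledomain.com>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, TLS, session=<a2>
Jul  7 11:51:00 host dovecot: imap-login: Login: user=<other@exampledomain.com>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, mpid=32520, TLS, session=<a3>
"""
LOGIN_LOG = """\
[2017-06-09 17:08:58 +0200] info [webmaild] 198.51.100.23 - office@exampledomain.com "GET /webmail/mail/ HTTP/1.1" FAILED LOGIN webmaild: cookie ip check: IP address has changed
[2017-06-09 17:10:02 +0200] info [webmaild] 203.0.113.7 - office@exampledomain.com "POST /login/?login_only=1 HTTP/1.1" NEW LOGON webmaild
[2017-06-09 17:12:00 +0200] info [whostmgrd] 198.51.100.5 - root "GET /scripts/ HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing
"""

# Dovecot imap-login / pop3-login lines in /var/log/maillog; rip= is the client address.
DOVECOT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<proto>imap|pop3)-login: "
    r"(?P<event>Login|Disconnected \([^)]*\)): user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,]+)")
# login_log lines: [timestamp] level [service] IP - user "request" result text.
LOGIN_LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \w+ \[(?P<svc>\w+)\] (?P<ip>\S+) - (?P<user>\S+) "
    r'"(?P<req>[^"]*)" (?P<status>.*)$')

def parse_maillog(text):
    """Yield (ts, protocol, user, client ip, outcome); lmtp/logout lines have no rip= and are skipped."""
    for line in text.splitlines():
        m = DOVECOT_RE.search(line)
        if m:
            outcome = "success" if m["event"] == "Login" else "failure"
            yield m["ts"], m["proto"], m["user"].lower(), m["rip"], outcome

def parse_login_log(text):
    """Yield (ts, service, user, ip, outcome); FAILED/DEFERRED results count as failures."""
    for line in text.splitlines():
        m = LOGIN_LOG_RE.search(line)
        if m:
            outcome = "failure" if m["status"].startswith(("FAILED", "DEFERRED")) else "success"
            yield m["ts"], m["svc"], unquote(m["user"]).lower(), m["ip"], outcome

def activity_for(mailbox, maillog_text, login_log_text):
    """All login attempts for one mailbox (case-insensitive) across both logs."""
    box = mailbox.lower()
    return [e for src in (parse_maillog(maillog_text), parse_login_log(login_log_text))
            for e in src if e[2] == box]

def access_log_needle(mailbox):
    """How the address appears in cpanel access_log, where '@' is written as %40."""
    return quote(mailbox, safe="")
```

On a real server, read the two files instead of the constructed strings and pass their contents to activity_for; the failed entries' IPs are the ones worth correlating with the cPHulk/CSF view mentioned later in the thread.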
  15. Jcats

    Jcats Well-Known Member

    Could be many reasons but that is one.

    I wouldn't bother trying to block by IPs, as if it was malicious there are thousands and thousands of other IPs attackers can use; you would be better off just changing the password to something much stronger than what it was originally.
     
  16. webmasteryoda

    webmasteryoda Well-Known Member

    Sure.

    It's a cPHulk thing and a Config Server Firewall thing.
    But you are right to suggest changing the password to a stronger one.
    That particular account is very old, and it was migrated from server to server, so the easy password remained throughout that process.
    This is off-topic, but I am 100% sure that the password was not brute-forced. It must have been acquired from an infected Windows computer.
     