
Getting process/connection info for specific email addresses?

Discussion in 'E-mail Discussions' started by ryant123, Mar 9, 2012.

  1. ryant123

    ryant123 Registered

    Hey everyone,

    I have a WHM/cPanel VPS that I manage, and one thing I have trouble monitoring is imap/pop3 connections to specific accounts - is there any way I can get information on past and/or current connections to specific email accounts, possibly with IP info as well? All I've been doing lately is looking at current running processes but that only provides me with the number of active connections per account.

    One of my clients is worried that someone else may have gotten access to his email account as he recently received a lockout error on a message - I believe he's using pop3 on both his phone and computer which would understandably lead to this error every so often, but I'd like to be able to investigate further.

    Thanks a lot,
    Ryan
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello Ryan,

    There isn't a current method to obtain that information other than reviewing /var/log/maillog for imap and pop login details. You could try the following command to get a sorted list by login type, email account name, src IP, and destination IP:

    Code:
    grep -v "__cpanel\|no auth attempts" /var/log/maillog | grep login | awk '{print $6,$8,$10,$11}' | sort -n | uniq -c

    If you want to only search for set users, you could use the following:

    Code:
    grep -v "__cpanel\|no auth attempts" /var/log/maillog | grep login | grep email@domain.com | awk '{print $6,$8,$10,$11}' | sort -n | uniq -c

    Please replace email@domain.com with the email account.

    To see examples of the above with results from my machine, we have the following:

    Code:
    root@host [/var/log]# grep -v "__cpanel\|no auth attempts" /var/log/maillog | grep login | awk {'print $6,$8,$10,$11'} | cut -d, -f3 | sort -n | uniq -c 
         20  lip=127.0.0.1
          3  lip=208.74.124.109

    Code:
    root@host [/var/log]# grep -v "__cpanel\|no auth attempts" /var/log/maillog | grep login | grep admin@endar.com | awk {'print $6,$8,$10,$11'} | sort -n | uniq -c 
         20 imap-login: user=<admin@endar.com>, rip=127.0.0.1, lip=127.0.0.1,
          4 pop3-login: user=<admin@endar.com>, rip=208.74.121.102, lip=208.74.124.109,

    Of note, this would make a good feature request to allow this type of functionality for Dovecot / Courier logging for review in WHM. If you would like me to move this over to our feature requests area, please let me know.

    Thanks!
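
The one-liners in the reply above select fields by position. As an added example (not part of the original posts and not cPanel tooling), the shell functions below match `user=` and `rip=` by name, count successful logins only, and list accounts seen from more than one remote address. The function names, the sample lines, and the assumption that successful logins are logged with the `Login:` keyword belong to this example.

```shell
# login_summary LOGFILE [ACCOUNT]
# Prints: account protocol remote_ip logins first_seen last_seen
# Fields are matched by name (user=, rip=), not by column position.
login_summary() {
    awk -v want="$2" '
    / (imap|pop3)-login: Login: / {          # successful logins only
        user = ""; rip = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            f = $i; sub(/,$/, "", f)
            if (f ~ /^(imap|pop3)-login:$/) { proto = f; sub(/-login:$/, "", proto) }
            else if (f ~ /^user=</) user = substr(f, 7, length(f) - 7)
            else if (f ~ /^rip=/)   rip = substr(f, 5)
        }
        if (user == "" || rip == "" || user ~ /__cpanel/) next
        if (want != "" && user != want) next
        key = user " " proto " " rip
        stamp = $1 "-" $2 "_" $3
        if (!(key in n)) first[key] = stamp
        last[key] = stamp
        n[key]++
    }
    END { for (k in n) print k, n[k], first[k], last[k] }' "$1" | LC_ALL=C sort
}

# multi_source_accounts LOGFILE
# Accounts that logged in from more than one non-loopback remote IP.
multi_source_accounts() {
    login_summary "$1" | awk '
    $3 != "127.0.0.1" && !seen[$1 " " $3]++ { ips[$1]++ }
    END { for (u in ips) if (ips[u] > 1) print u, ips[u] }' | LC_ALL=C sort
}

# Constructed sample lines (not real log data), laid out as the thread's awk
# field numbers imply; the __cpanel user name is made up for the example.
sample_log() {
    cat <<'EOF'
Mar  9 08:01:12 host dovecot: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10
Mar  9 08:06:40 host dovecot: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10
Mar  9 09:14:03 host dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.55, lip=198.51.100.10, TLS
Mar  9 09:20:00 host dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar  9 09:21:00 host dovecot: imap-login: Login: user=<__cpanel__example__>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar  9 09:30:10 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice@example.com>, method=PLAIN, rip=192.0.2.99, lip=198.51.100.10
EOF
}

# Demo on the constructed sample; on a server, pass /var/log/maillog instead.
demo=$(mktemp); sample_log > "$demo"
login_summary "$demo"; multi_source_accounts "$demo"
rm -f "$demo"
```

To review a single mailbox, pass the address as the second argument, for example `login_summary /var/log/maillog email@domain.com`.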
     
  3. summitscout

    summitscout Member

    I was just looking for this very feature, so I would appreciate it if you suggest it. Thanks!
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Great, please post it in the Feature Requests for cPanel/WHM area for feature requests. You are welcome to use the commands listed prior to the request being implemented or considered. Thanks!
     