
Logs To Find IP That Checks Specific POP Account

Discussion in 'E-mail Discussions' started by orty, Nov 2, 2010.

  1. orty

    orty Well-Known Member

    Hello there,

    Have a client on my server that is using POP to check an email account, downloading the messages (tried to get him to move to IMAP, no dice). Over the years, he's set up a few computers to check that same account, thought he'd shut them all off, and now he's complaining that when folks e-mail him, he's not getting it. I have a gut feeling that there is some other computer out there that's checking the account and downloading the messages so that they aren't accessible from the computers he wants to check it on.

    I've changed the account's password so that the computers in his office can be set up to use that password, but is there any simple report/script to look at or help parse the logs and see what IPs are trying to check the POP account user@domain.com? I'm using ConfigServer's MailScanner FE setup that includes MailWatch, so maybe there's a report in there, I don't know, but the logs in /var/log/maillog probably have what I need, just wanted to know if anybody knows an easy way to parse it down (as generally the only time I look at that log is when something's not working right).

    Thanks!
    -jake
     
    #1 orty, Nov 2, 2010
    Last edited: Nov 2, 2010
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    The log file at "/var/log/maillog" is the correct place to look, as you indicated. I recommend trying a simple search using grep, as seen below:
    Code:
    # grep -Hin "user@domain.tld" /var/log/maillog
    The output from grep, at least if using Dovecot, should include both the IP addresses and number of bytes transferred (on two separate lines).
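
Added example (not part of the thread and not cPanel or Dovecot tooling): a shell sketch that turns the grep output described above into a per-IP login count and a download total for one mailbox. The function names are hypothetical, the log lines are constructed, and the line layout (rip= on login lines, retr=count/bytes on POP3 disconnect lines) is an assumed Dovecot 1.x-style format.

```shell
#!/bin/sh
# Added example: which remote IPs logged in to one mailbox, and how much POP3 pulled.
# Assumption: Dovecot 1.x-style maillog lines; Courier and other versions differ.

# login_ips LOGFILE USER -> "count ip" per remote IP, busiest first.
# index() is a fixed-string test, so "." in the address is not a wildcard and
# "xuser@..." is not counted, unlike a plain grep for the bare address.
login_ips() {
    awk -v u="user=<$2>" '
        index($0, "-login: Login:") && index($0, u) {
            if (match($0, /rip=[0-9A-Fa-f:.]+/))
                seen[substr($0, RSTART + 4, RLENGTH - 4)]++
        }
        END { for (ip in seen) print seen[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# pop3_bytes LOGFILE USER -> total bytes downloaded (second number of retr=N/BYTES).
pop3_bytes() {
    awk -v u="POP3($2):" '
        index($0, u) && match($0, /retr=[0-9]+\/[0-9]+/) {
            split(substr($0, RSTART + 5, RLENGTH - 5), p, "/")
            total += p[2]
        }
        END { print total + 0 }
    ' "$1"
}

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
Nov  2 09:01:10 host dovecot: pop3-login: Login: user=<user@domain.tld>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Nov  2 09:01:11 host dovecot: POP3(user@domain.tld): Disconnected: Logged out top=0/0, retr=2/4100, del=2/2, size=4100
Nov  2 09:05:40 host dovecot: pop3-login: Login: user=<user@domain.tld>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.10
Nov  2 09:05:41 host dovecot: POP3(user@domain.tld): Disconnected: Logged out top=0/0, retr=1/900, del=1/1, size=900
Nov  2 09:10:02 host dovecot: pop3-login: Login: user=<other@domain.tld>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Nov  2 09:12:30 host dovecot: pop3-login: Login: user=<xuser@domain.tld>, method=PLAIN, rip=203.0.113.200, lip=192.0.2.10
Nov  2 09:15:40 host dovecot: pop3-login: Login: user=<user@domain.tld>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.10
Nov  2 09:15:41 host dovecot: POP3(user@domain.tld): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp); sample_log > "$tmp"
login_ips "$tmp" user@domain.tld
pop3_bytes "$tmp" user@domain.tld
rm -f "$tmp"
```

On a live server the same functions take the real log path, for example `login_ips /var/log/maillog user@domain.tld`.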
     
  3. orty

    orty Well-Known Member

    That did it. Thanks! He indeed had IPs from all over checking that account, mostly Google, which means he probably set up an Android phone or Gmail account to check that account and completely forgot about it.

    I'll be able to get this client off my back now, as I think he was totally convinced I was doing this to screw with him (as I'm on the payroll of one of their competitors as well).
     
  4. furquan

    furquan Well-Known Member

    Hello Guys !!

    I am in need of the same information but require a little more in-depth details from the logs.

    I need to extract the POP logs along with TO or FROM or SUBJECT variables... (whichever possible)

    Can this be done too?
     
  5. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    It would require that the IMAP/POP server be configured to log additional information where available. I believe this may be possible using Dovecot and its included mail_log plug-in to verbosely expand the level of detail logged for including very specific information (such as the e-mail Subject header): Plugins/MailLog - Dovecot Wiki and Re: [Dovecot] Logging subjects of messages

    To determine if your mail server is Courier or Dovecot, access WebHost Manager (WHM) via the following menu path or enter the following command via root SSH access:

    WHM may be used to switch from Courier to Dovecot, if needed, or the following command can be used to switch via root SSH access:
    Code:
    # /scripts/setupmailserver dovecot
    Additional reference:
    • Help information for the aforementioned script:
      Code:
      # /scripts/setupmailserver --help
    • Dovecot configuration file path:
      Code:
      /etc/dovecot.conf
    • Commands to save a backup copy of Dovecot configurations:
      Code:
      # cp -pv /etc/dovecot.conf /etc/dovecot.conf.backup
      # cp -pv /var/cpanel/conf/dovecot/main /var/cpanel/conf/dovecot/main.backup
     
  6. furquan

    furquan Well-Known Member

    Thank you for your detailed response CpanelDon :) highly appreciate the same.

    I am currently using Courier, do you suggest we shift to Dovecot? Is it advisable?

    Please suggest !!
     
  7. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Both Courier and Dovecot work well in my opinion; I believe it depends on the specific needs involved. To the best of my knowledge Dovecot is the current default selection for new installations. For reference, WebHost Manager (WHM) includes a comparison of key differences between Courier and Dovecot; this information is accessible via the following menu path (while logged-in as "root"): WHM: Main >> Service Configuration >> Mailserver Selection
     