Trace mail downloaded from server?

JunCol

Hi guys,

Is there a way that we can trace if a particular email (POP3) is being downloaded to a particular device?

Intermittently, we would have users give feedback that there are missing emails or emails not being received.
Checking the webmail (Horde) shows that the mentioned email is there in the mailbox. That mail subject is not shown in bold text, indicating that it's being read or already downloaded and a copy is left on the server.
We initially thought that it could be due to an unstable connection (which some of our offices are suffering from), and/or the antivirus's antispam removing email w/o any notifications.

Now it happens to me.
That missing mail appears in the webmail and is shown in non-bold text, meaning it's been downloaded. But it does not appear in my laptop's Outlook.
The email sent 3 mins before it is appearing in both my laptop's Outlook and webmail.
The email sent 15 mins after it is appearing in both my laptop's Outlook and webmail.

Our network here is very stable. That removes the possibility of an unstable network. Sophos Endpoint protection does not have an antispam feature. So it's not possible to be due to that either.
 

Max Miles

Hello,

I don't think you will be able to find who downloaded the mails. However, if you have root level access, you can check /var/log/maillog to see which IP connected to which email account via which protocol (POP or IMAP). I guess looking at that would give you an idea of the timestamps at which the particular email accounts were accessed, and based on that you can come to a conclusion.

Regards,
Max Miles
 

JunCol

I'm using Outlook 2010.
The rest of the guys are a mix of Outlook 2013, 2016.

Just wondered.
Is there some form of acknowledgement of each email being downloaded successfully?
 

cPanelLauren

Product Owner
Staff member
You can most certainly do this if you have root access to the server, using /var/log/maillog.

By default you'll see the following (as an example) in the maillog for pop3 access:

Code:
Jun 21 10:33:13 server dovecot: pop3([email protected])<40486><j43WK9eLbtW4XsUC>: Disconnected: Logged out top=0/0, retr=848/35230089, del=0/848, size=35211518, bytes=8396/35261172
You'll want to note specifically the following:

Retrieved 848 messages out of a maximum of 35230089
Code:
retr=848/35230089
Deleted 0 out of a maximum of 848 messages (meaning they're all still present on the server)
Code:
del=0/848
Total size of the download/exchange in bytes
Code:
size=35211518
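
Added example, not part of any post in this thread: a small parser that pulls the per-session POP3 counters out of maillog lines in the format shown above, so one mailbox's download sessions can be lined up against the time a message went missing. Field meanings follow Dovecot's default pop3_logout_format; the sample lines, accounts and the function name are constructed for illustration, and the log records counts per session, not which individual message was fetched.

```python
import re

# Field meanings follow Dovecot's default pop3_logout_format:
# top=count/bytes, retr=count/bytes, del=deleted/total messages, size=mailbox bytes.
LOGOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dovecot: pop3\((?P<user>[^)]+)\)"
    r"<(?P<pid>\d+)><(?P<session>[^>]+)>: (?P<reason>.*?)\s*"
    r"top=(?P<top>\d+)/(?P<top_bytes>\d+), retr=(?P<retr>\d+)/(?P<retr_bytes>\d+), "
    r"del=(?P<deleted>\d+)/(?P<total>\d+), size=(?P<size>\d+)"
)
INT_FIELDS = ("top", "top_bytes", "retr", "retr_bytes", "deleted", "total", "size")


def parse_pop3_sessions(lines, account=None):
    """Return one dict per POP3 session-end line, optionally for one account."""
    sessions = []
    for line in lines:
        m = LOGOUT_RE.match(line)
        if not m or (account and m["user"] != account):
            continue  # not a POP3 session-end line, or a different mailbox
        rec = m.groupdict()
        for field in INT_FIELDS:
            rec[field] = int(rec[field])
        # POP3 commits deletions only on a clean QUIT, logged as "Logged out".
        rec["clean_logout"] = rec["reason"].endswith("Logged out")
        sessions.append(rec)
    return sessions


# Constructed sample lines (accounts, session ids and counters are made up).
SAMPLE = [
    "Jun 21 10:33:13 server dovecot: pop3(alice@example.com)<40486><AAAAexample1>: "
    "Disconnected: Logged out top=0/0, retr=3/48211, del=0/120, size=9811518, bytes=60/48900",
    "Jun 21 10:48:02 server dovecot: pop3(alice@example.com)<40611><AAAAexample2>: "
    "Disconnected: Connection closed top=0/0, retr=1/15200, del=0/121, size=9826718, bytes=32/15410",
    "Jun 21 10:50:40 server dovecot: imap(bob@example.com)<40702><AAAAexample3>: "
    "Logged out in=120 out=2400",
]

if __name__ == "__main__":
    for s in parse_pop3_sessions(SAMPLE, account="alice@example.com"):
        state = "clean" if s["clean_logout"] else "NOT clean"
        print(f'{s["ts"]} {s["user"]} retr={s["retr"]} msgs/{s["retr_bytes"]} B '
              f'del={s["deleted"]}/{s["total"]} logout={state}')
```

A session with retr greater than zero that did not end in "Logged out" is the one to compare against the timestamp of the message missing from the mail client.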