In this post we explore tracking down email logs relating to both Webmail and imap logins.
https://support.cpanel.net/hc/en-us/articles/1500012467681-How-To-List-Email-Login-History
ℹ️There are a few different logs that contain email logins.
/var/log/maillog <-- IMAP Logins
/var/log/exim_mainlog <-- SMTP
/usr/local/cpanel/logs/session_log <-- Webmail logins, logouts, IP changes
/usr/local/cpanel/logs/login_log <-- Failed webmail logins
/usr/local/cpanel/logs/cphulkd.log <-- cphulk log Here are some notes on tracking down email logins on cPanel or WHM.
IMAP Logins
IMAP logins are fairly easy to track down. Check the /var/log/maillog
Follow the log
tail -f /var/log/maillog | grep email@address.com
Or search the whole log
grep "email@address.com" /var/log/maillog
RIP = Remote IP. That is the public IP address of your client
LIP = Local IP is the IP address of the WHM/cPanel mail server
Mar 27 12:30:51 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.10, mpid=1234567, TLS, session=<Q2sNAb3Q4OgkYXBa>Webmail Logins
You can also view some info about Webmail connections in the main mail log.
tail -f /var/log/maillog | grep email@address.com
or
grep "email@address.com" /var/log/maillog
When logged into webmail, the connection can look like the following.
Mar 27 12:31:17 host dovecot[207411]: imap(email@address.com)<1234567>: Disconnected: Logged out in=148, out=1166, bytes=148/1166
Mar 29 16:41:30 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=::1, lip=::1, mpid=1234567, secured, session=<1uP1h3vD3as3AAAAAAAAAAAAAAAAAAAAB>Notice the rip and lip are both ::1, IPv6 localhost. Looks like Webmail is creating a local connection to the server to authenticate and pull the email. This makes tracking down where an actual person signed in from a little harder. The connection still gets logged, it’s just in the session_log.
Use one of the following two commands to search the session log.
tail -f /usr/local/cpanel/logs/session_log
grep "email@address.com" /usr/local/cpanel/logs/session_log
The output should be similar to the following.
[2023-03-27 12:31:17 -0000] info [webmaild] 192.168.1.11 NEW email@address.com:A3WnodOlnxn1gq05 address=192.168.1.11,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0Notice it gives us the IP address of where the user signed in from.
You can also look at the /usr/local/cpanel/logs/access_log however the @ sign is percent encoded “%40”. That could cause issues if you are trying to grep out the email address. make sure the email is in double quotes. grep "email%40address.com" /usr/local/cpanel/logs/session_log
Details on the Session and Login logs.
The following are examples of a valid login, logout, and what happens when the IP changes.
The Login file will show failed login attempt.
If you receive a Binary file (standard input) matches error, try running grep with the -a option.
Valid Login
The following is what a valid webmail login looks like.
[2023-03-27 12:31:17 -0000] info [webmaild] 192.168.1.20 NEW email@address.com:1mt4zP_CjWYrHCaG address=192.168.1.20,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0
Logout
The following is the log entry when a user logs out.
[2023-03-27 12:31:21 -0000] info [webmaild] 192.168.1.20 PURGE email@address.com:1mt4zP_CjWYrHCaG logoutChange of IP address
If your computer swaps networks and the IP changes, you’ll see that show up in the log like the following. This can also happen if someone happened to steal the cookies, and has tried logging in from a different network. cPanel detects this, and logs both sessions out.
[2023-03-27 12:33:46 -0000] info [webmaild] 192.168.1.20 PURGE email@address.com:a513oaqb2f5845m2p badpass [cookie ip check: IP address has changed: IP Address [192.168.1.100] != Current IP Address [192.168.1.20]]
Note that this behavior can be changed in the WHM Tweak settings. “Cookie IP validation”
Validate the IP addresses used in all cookie-based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled. Strict validation requires the current IP address and the cookie IP address to exactly match. Loose validation only requires they are in the same /24.
Failed Webmail Logins
Failed webmail login attempts will show up in /usr/local/cpanel/logs/login_log
SMTP Logins
If you need to track down SMTP or IPs that are sending out emails, check out the /var/log/exim_mainlog
tail -f /var/log/exim_mainlog
grep "email@address.com" /var/log/exim_mainlog