{"id":4933,"date":"2023-03-29T18:49:00","date_gmt":"2023-03-29T23:49:00","guid":{"rendered":"https:\/\/www.incredigeek.com\/home\/?p=4933"},"modified":"2025-04-29T18:12:48","modified_gmt":"2025-04-29T23:12:48","slug":"troubleshooting-email-logins-on-cpanel-whm","status":"publish","type":"post","link":"https:\/\/www.incredigeek.com\/home\/troubleshooting-email-logins-on-cpanel-whm\/","title":{"rendered":"Troubleshooting email logins on cPanel\/WHM"},"content":{"rendered":"\n<p><em>In this post we explore tracking down email logs relating to both Webmail and imap logins.<\/em><\/p>\n\n\n\n<p><a href=\"https:\/\/support.cpanel.net\/hc\/en-us\/articles\/1500012467681-How-To-List-Email-Login-History\">https:\/\/support.cpanel.net\/hc\/en-us\/articles\/1500012467681-How-To-List-Email-Login-History<\/a><\/p>\n\n\n\n<p>\u2139\ufe0fThere are a few different logs that contain email logins.<\/p>\n\n\n\n<pre class=\"wp-block-code has-dark-gray-background-color has-background\"><code class=\"\">\/var\/log\/maillog      &lt;-- IMAP Logins\n\/var\/log\/exim_mainlog &lt;-- SMTP \n\/usr\/local\/cpanel\/logs\/session_log  &lt;-- Webmail logins, logouts, IP changes\n\/usr\/local\/cpanel\/logs\/login_log  &lt;-- Failed webmail logins\n\/usr\/local\/cpanel\/logs\/cphulkd.log  &lt;-- cphulk log <\/code><\/pre>\n\n\n\n<p>Here are some notes on tracking down email logins on cPanel or WHM.  <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IMAP Logins<\/h2>\n\n\n\n<p>IMAP logins are fairly easy to track down.  Check the \/var\/log\/maillog<\/p>\n\n\n\n<p>Follow the log<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tail -f \/var\/log\/maillog | grep email@address.com<\/pre>\n\n\n\n<p>Or search the whole log<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">grep \"email@address.com\" \/var\/log\/maillog<\/pre>\n\n\n\n<p>RIP = Remote IP.  
That is the public IP address of your client.<br>LIP = Local IP. That is the IP address of the WHM\/cPanel mail server.<\/p>\n\n\n\n<pre class=\"wp-block-code has-dark-gray-background-color has-background\"><code class=\"\">Mar 27 12:30:51 host dovecot[207411]: imap-login: Login: user=&lt;email@address.com&gt;, method=PLAIN, rip=192.168.1.2, lip=192.168.1.10, mpid=1234567, TLS, session=&lt;Q2sNAb3Q4OgkYXBa&gt;<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Webmail Logins<\/h2>\n\n\n\n<p>You can also view some info about Webmail connections in the main mail log.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tail -f \/var\/log\/maillog | grep email@address.com<\/pre>\n\n\n\n<p>or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">grep \"email@address.com\" \/var\/log\/maillog<\/pre>\n\n\n\n<p>When logged into webmail, the connection can look like the following.<\/p>\n\n\n\n<pre class=\"wp-block-code has-dark-gray-background-color has-background\"><code class=\"\">Mar 27 12:31:17 host dovecot[207411]: imap(email@address.com)&lt;1234567&gt;: Disconnected: Logged out in=148, out=1166, bytes=148\/1166\n\nMar 29 16:41:30 host dovecot[207411]: imap-login: Login: user=&lt;email@address.com&gt;, method=PLAIN, rip=::1, lip=::1, mpid=1234567, secured, session=&lt;1uP1h3vD3as3AAAAAAAAAAAAAAAAAAAAB&gt;<\/code><\/pre>\n\n\n\n<p>Notice the rip and lip are both ::1, IPv6 localhost. It looks like Webmail creates a local connection to the server to authenticate and pull the email, so the maillog only ever records localhost for webmail sessions. This makes tracking down where an actual person signed in from a little harder. 
The connection still gets logged, it&#8217;s just in the <code>session_log<\/code> instead.<\/p>\n\n\n\n<p>Use one of the following two commands to follow or search the session log.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tail -f \/usr\/local\/cpanel\/logs\/session_log<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">grep \"email@address.com\" \/usr\/local\/cpanel\/logs\/session_log<\/pre>\n\n\n\n<p>The output should be similar to the following.<\/p>\n\n\n\n<pre class=\"wp-block-code has-dark-gray-background-color has-background\"><code class=\"\">[2023-03-27 12:31:17 -0000] info [webmaild] 192.168.1.11 NEW email@address.com:A3WnodOlnxn1gq05 address=192.168.1.11,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0<\/code><\/pre>\n\n\n\n<p>Notice it gives us the IP address of where the user signed in from.<\/p>\n\n\n\n<p>You can also look at the <code>\/usr\/local\/cpanel\/logs\/access_log<\/code>, however the @ sign is percent encoded as &#8220;%40&#8221; there. A plain grep for the email address will miss those entries, so search for the encoded form and keep it in double quotes: <code>grep \"email%40address.com\" \/usr\/local\/cpanel\/logs\/access_log<\/code><\/p>\n\n\n\n<p><strong>Details on the Session and Login logs.<\/strong><\/p>\n\n\n\n<p>The following are examples of a valid login, logout, and what happens when the IP changes.<\/p>\n\n\n\n<p>The login log will show failed login attempts.<\/p>\n\n\n\n<p><em>If you receive a <code>Binary file (standard input) matches<\/code> error, try running grep with the -a option.<\/em><\/p>\n\n\n\n<p><strong>Valid Login<\/strong><\/p>\n\n\n\n<p>The following is what a valid webmail login looks like.
<\/p>\n\n\n\n<pre class=\"wp-block-code has-dark-gray-background-color has-background\"><code class=\"\">[2023-03-27 12:31:17 -0000] info [webmaild] 192.168.1.20 NEW email@address.com:1mt4zP_CjWYrHCaG address=192.168.1.20,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0\n<\/code><\/pre>\n\n\n\n<p><strong>Logout<\/strong><\/p>\n\n\n\n<p>The following is the log entry when a user logs out.<\/p>\n\n\n\n<pre class=\"wp-block-code has-dark-gray-background-color has-background\"><code class=\"\">[2023-03-27 12:31:21 -0000] info [webmaild] 192.168.1.20 PURGE email@address.com:1mt4zP_CjWYrHCaG logout<\/code><\/pre>\n\n\n\n<p><strong>Change of IP address<\/strong><\/p>\n\n\n\n<p>If your computer swaps networks and the IP changes, you&#8217;ll see that show up in the log like the following.  This can also happen if someone happened to steal the cookies, and has tried logging in from a different network.  cPanel detects this, and logs both sessions out.<\/p>\n\n\n\n<pre class=\"wp-block-code has-dark-gray-background-color has-background\"><code class=\"\">[2023-03-27 12:33:46 -0000] info [webmaild] 192.168.1.20 PURGE email@address.com:a513oaqb2f5845m2p badpass [cookie ip check: IP address has changed: IP Address [192.168.1.100] != Current IP Address [192.168.1.20]]\n<\/code><\/pre>\n\n\n\n<p>Note that this behavior can be changed in the WHM Tweak settings.  &#8220;Cookie IP validation&#8221;<br><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Validate the IP addresses used in all cookie-based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled. Strict validation requires the current IP address and the cookie IP address to exactly match. 
Loose validation only requires they are in the same \/24.<\/p>\n\n\n\n<p><\/p>\n<\/blockquote>\n\n\n\n<p><strong>Failed Webmail Logins<\/strong><\/p>\n\n\n\n<p>Failed webmail login attempts will show up in <code>\/usr\/local\/cpanel\/logs\/login_log<\/code><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SMTP Logins<\/h2>\n\n\n\n<p>If you need to track down SMTP or IPs that are sending out emails, check out the <code>\/var\/log\/exim_mainlog<\/code><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tail -f \/var\/log\/exim_mainlog<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">grep \"email@address.com\" \/var\/log\/exim_mainlog<\/pre>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post we explore tracking down email logs relating to both Webmail and imap logins. https:\/\/support.cpanel.net\/hc\/en-us\/articles\/1500012467681-How-To-List-Email-Login-History \u2139\ufe0fThere are a few different logs that contain email logins. Here are some notes on tracking down email logins on cPanel or WHM. 
&hellip; <a href=\"https:\/\/www.incredigeek.com\/home\/troubleshooting-email-logins-on-cpanel-whm\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[195],"tags":[196,337,551,969,503,1435,382],"class_list":["post-4933","post","type-post","status-publish","format-standard","hentry","category-cpanel","tag-cpanel-2","tag-imap","tag-login","tag-logins","tag-security","tag-webmail","tag-whm"],"_links":{"self":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/4933","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/comments?post=4933"}],"version-history":[{"count":11,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/4933\/revisions"}],"predecessor-version":[{"id":5983,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/4933\/revisions\/5983"}],"wp:attachment":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/media?parent=4933"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/categories?post=4933"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/tags?post=4933"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}