Dovecot POP3 Login Log Entries

I needed to know the IP address a user had been connecting from to access his email on a POP3 email server running the open-source Dovecot email software. By default, Dovecot logs to syslog using the mail facility, but you can change that by modifying the syslog_facility setting. The syslog configuration is often in /etc/syslog.conf or /etc/rsyslog* files. E.g., on the CentOS 7 mail server on which Dovecot was running, the configuration was in /etc/rsyslog.conf, which had the following line within it:
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

You can find the location of dovecot logs using the doveadm log find command.

# doveadm log find
Looking for log files from /var/log
Debug: /var/log/maillog
Info: /var/log/maillog
Warning: /var/log/maillog
Error: /var/log/maillog
Fatal: /var/log/maillog
#

Since the user had not connected from his PC to check his email account for several days, I looked in a maillog file from several days ago to determine the IP address from which he connected then and saw the following.

# grep benny /var/log/maillog.4 | grep pop3 | grep "rip="
Jun 13 02:57:23 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=172.25.2.7, lip=192.168.0.5, mpid=21212, secured, session=<RDFhZiM1NgBILQJI>
Jun 13 04:59:10 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=172.25.2.7, lip=192.168.0.5, mpid=32662, secured, session=<REgGGiU1CgBILQJI>
Jun 13 17:53:04 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=172.25.2.7, lip=192.168.0.5, mpid=30622, secured, session=<6ka06S81BwBILQJI>
Jun 13 18:23:14 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=172.25.2.7, lip=192.168.0.5, mpid=1243, secured, session=<Gl+PVTA1LABILQJI>
Jun 13 18:53:23 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=172.25.2.7, lip=192.168.0.5, mpid=3769, secured, session=<hqpuwTA1TABILQJI>
#

I searched the maillog file for all entries containing his user name with grep and then filtered the output with another grep command to locate only those entries containing "pop3" and then piped the output from that grep command into another one that searches for "rip=", since I only wanted entries that showed the remote IP address of the system from which he connected.

If I only wanted to see the remote IP address, I could add the -o or --only-matching option to grep to have it show me only the matching part of a line.

-o, --only-matching
       Print  only  the  matched  (non-empty) parts of a matching line,
       with each such part on a separate output line.

In this case I only want to see "rip=" followed by a number between 0 and 9 or a period, which can appear one or more times, so I can use the following:

# grep benny /var/log/maillog.4 | grep pop3 | grep -o "rip=[0-9.]*"
rip=172.25.2.7
rip=172.25.2.7
rip=172.25.2.7
rip=172.25.2.7
rip=172.25.2.7
#

And, if I want to eliminate the "rip=" as well, I can use the following:

# grep benny /var/log/maillog.4 | grep pop3 | grep -o "rip=[0-9.]*" | grep -o "[0-9.]*"
172.25.2.7
172.25.2.7
172.25.2.7
172.25.2.7
172.25.2.7

Or I could use the cut command to filter out just the IP by instructing cut to only display the second field on lines where the delimiter separating fields is the equals sign.

#  grep benny /var/log/maillog.4 | grep pop3 | grep -o "rip=[0-9.]*" | cut -d"=" -f2
172.25.2.7
172.25.2.7
172.25.2.7
172.25.2.7
172.25.2.7
#

Note: you can use a search like that shown above to find both POP3 connections to the standard POP3 network port, port 110, and also POP3 connections to port 995. E.g., for another user who uses Outlook as her email client to connect to the POP3S port, 995, I see entries similar to the following in the mail log file.

#  grep nell /var/log/maillog | grep pop3 | grep "rip=" | tail -n 1
Jun 17 15:23:47 moonpoint dovecot: pop3-login: Login: user=<nina>, method=PLAIN, rip=172.25.2.21, lip=192.168.0.5, mpid=11861, TLS, session=<gJE1S341XADP/7XS>
#

I can see that her email client is using POP3S for the connection rather than an unencrypted POP3 connection, because entries for her account include "TLS".
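As an added example (not from the original post), the same extraction done in Python rather than with chained greps: it parses only successful pop3-login entries, skips imap-login and failed-login lines, and reports per user the distinct remote IPs together with how many logins carried the TLS flag. The sample log is constructed from the entries above; the 203.0.113.9 address, the imap line, the auth-failure line and the SESSION* ids are made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the maillog entries above; the 203.0.113.9
# address, the imap-login line, the failed login and the SESSION* ids are made up.
SAMPLE_LOG = """\
Jun 13 02:57:23 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=172.25.2.7, lip=192.168.0.5, mpid=21212, secured, session=<RDFhZiM1NgBILQJI>
Jun 13 04:59:10 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=172.25.2.7, lip=192.168.0.5, mpid=32662, secured, session=<REgGGiU1CgBILQJI>
Jun 17 15:23:47 moonpoint dovecot: pop3-login: Login: user=<nina>, method=PLAIN, rip=172.25.2.21, lip=192.168.0.5, mpid=11861, TLS, session=<gJE1S341XADP/7XS>
Jun 17 15:30:02 moonpoint dovecot: imap-login: Login: user=<nina>, method=PLAIN, rip=172.25.2.21, lip=192.168.0.5, mpid=11900, TLS, session=<SESSION1>
Jun 17 16:01:11 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=203.0.113.9, lip=192.168.0.5, mpid=12001, session=<SESSION2>
Jun 17 16:02:00 moonpoint dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<benny>, method=PLAIN, rip=203.0.113.9, lip=192.168.0.5, session=<SESSION3>
"""

# Matches successful pop3-login "Login:" lines only. The fields after lip=
# vary (mpid, TLS, secured, session), so they are captured as a tail.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: Login: "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[^,]+), "
    r"rip=(?P<rip>[0-9A-Fa-f.:]+), lip=(?P<lip>[0-9A-Fa-f.:]+)(?P<tail>.*)$"
)

def parse_pop3_logins(text):
    """Return one dict per successful POP3 login in the log text."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # imap-login, Disconnected / auth-failed lines, etc.
        # Dovecot appends "TLS" to TLS-protected sessions; "secured" alone
        # means the connection was trusted without TLS on the wire.
        flags = {f.strip() for f in m.group("tail").split(",")}
        logins.append({"ts": m.group("ts"), "user": m.group("user"),
                       "method": m.group("method"), "rip": m.group("rip"),
                       "lip": m.group("lip"), "tls": "TLS" in flags})
    return logins

def summarize_by_user(logins):
    """Per user: sorted distinct remote IPs and TLS vs non-TLS login counts."""
    summary = defaultdict(lambda: {"rips": set(), "tls": 0, "non_tls": 0})
    for e in logins:
        rec = summary[e["user"]]
        rec["rips"].add(e["rip"])
        rec["tls" if e["tls"] else "non_tls"] += 1
    return {u: {**r, "rips": sorted(r["rips"])} for u, r in summary.items()}

if __name__ == "__main__":
    for user, rec in summarize_by_user(parse_pop3_logins(SAMPLE_LOG)).items():
        print(f"{user}: rips={rec['rips']} tls={rec['tls']} non_tls={rec['non_tls']}")
```

Point it at a real maillog (open the file and pass its contents) to list users whose clients still log in over unencrypted POP3 or from an unexpected address.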
