I needed to know the IP address a user had been connecting from to access his email on a POP3 email server running the open-source Dovecot email software. By default, Dovecot logs to syslog using the mail facility, but you can change that by modifying the syslog_facility setting. The syslog configuration is often in /etc/syslog.conf or /etc/rsyslog* files. E.g., on the CentOS 7 mail server on which Dovecot was running, the configuration was in /etc/rsyslog.conf, which had the following line within it:
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
You can find the location of Dovecot logs using the doveadm log find command.

# doveadm log find
Looking for log files from /var/log
Debug: /var/log/maillog
Info: /var/log/maillog
Warning: /var/log/maillog
Error: /var/log/maillog
Fatal: /var/log/maillog
#
Since the user had not connected from his PC to check his email account for several days, I looked in a maillog file from several days ago to determine the IP address from which he connected then and saw the following.
# grep benny /var/log/maillog.4 | grep pop3 | grep "rip="
Jun 13 02:57:23 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN , rip=172.25.2.7, lip=192.168.0.5, mpid=21212, secured, session=<RDFhZiM1NgBILQJI>
Jun 13 04:59:10 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN , rip=172.25.2.7, lip=192.168.0.5, mpid=32662, secured, session=<REgGGiU1CgBILQJI>
Jun 13 17:53:04 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN , rip=172.25.2.7, lip=192.168.0.5, mpid=30622, secured, session=<6ka06S81BwBILQJI>
Jun 13 18:23:14 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN , rip=172.25.2.7, lip=192.168.0.5, mpid=1243, secured, session=<Gl+PVTA1LABILQJI>
Jun 13 18:53:23 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN , rip=172.25.2.7, lip=192.168.0.5, mpid=3769, secured, session=<hqpuwTA1TABILQJI>
#
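The chained grep above matches "benny" anywhere in a line, so it would also pick up accounts such as benny2 and failed login attempts that name the user. As an added example (not part of the original post), the shell function below matches the exact user=<name> field on successful Login lines and summarises each remote IP with a count and first/last timestamps. The names dovecot_rips and sample_log and the sample log lines are constructed for illustration.

```shell
# Added example: summarise the remote IPs (rip=) a Dovecot user logged in from.
# Usage: dovecot_rips USER [SERVICE] < logfile   (SERVICE defaults to pop3-login)
dovecot_rips() {
    awk -v user="$1" -v svc="${2:-pop3-login}" '
    # Keep only successful logins written by the chosen login process.
    index($0, " dovecot: " svc ": Login: ") == 0 { next }
    # Exact match on user=<name>, so "benny" does not also match "benny2".
    index($0, "user=<" user ">") == 0 { next }
    {
        # Take the value of rip= up to the next comma or space.
        if (!match($0, /rip=[^, ]+/)) next
        ip = substr($0, RSTART + 4, RLENGTH - 4)
        stamp = $1 " " $2 " " $3        # syslog timestamp: Mon DD HH:MM:SS
        if (!(ip in count)) { first[ip] = stamp; order[++n] = ip }
        count[ip]++; last[ip] = stamp
    }
    END {
        for (i = 1; i <= n; i++) {
            ip = order[i]
            printf "%s logins=%d first=\"%s\" last=\"%s\"\n", ip, count[ip], first[ip], last[ip]
        }
    }'
}

# Constructed sample lines in the log format shown above (documentation addresses).
sample_log() {
cat <<'EOF'
Jun 13 02:57:23 mail dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=192.0.2.7, lip=192.0.2.1, mpid=101, secured, session=<s1>
Jun 13 03:10:00 mail dovecot: pop3-login: Login: user=<benny2>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, mpid=102, secured, session=<s2>
Jun 13 04:59:10 mail dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=192.0.2.7, lip=192.0.2.1, mpid=103, secured, session=<s3>
Jun 14 09:00:00 mail dovecot: imap-login: Login: user=<benny>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, mpid=104, secured, session=<s4>
Jun 14 18:23:14 mail dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1, mpid=105, secured, session=<s5>
Jun 14 18:30:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<benny>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.1, session=<s6>
EOF
}

sample_log | dovecot_rips benny
```

Against the real log the call would be dovecot_rips benny < /var/log/maillog.4; an IP that appears only once or only recently in the summary is the one worth a closer look.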