syslog_facility setting. The syslog configuration is often in /etc/syslog.conf or /etc/rsyslog* files. E.g., on the CentOS 7 mail server on which Dovecot was running, the configuration was in /etc/rsyslog.conf, which had the following line within it:
    # Log all the mail messages in one place.
    mail.*                                                  -/var/log/maillog
You can find the location of the Dovecot log files using the doveadm log find command.
    # doveadm log find
    Looking for log files from /var/log
    Debug: /var/log/maillog
    Info: /var/log/maillog
    Warning: /var/log/maillog
    Error: /var/log/maillog
    Fatal: /var/log/maillog
    #
Since the user had not connected from his PC to check his email account for several days, I looked in a maillog file from several days ago to determine the IP address from which he connected then and saw the following.
    # grep benny /var/log/maillog.4 | grep pop3 | grep "rip="
    Jun 13 02:57:23 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN , rip=172.25.2.7, lip=192.168.0.5, mpid=21212, secured, session=<RDFhZiM1NgBILQJI>
    Jun 13 04:59:10 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN , rip=172.25.2.7, lip=192.168.0.5, mpid=32662, secured, session=<REgGGiU1CgBILQJI>
    Jun 13 17:53:04 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN , rip=172.25.2.7, lip=192.168.0.5, mpid=30622, secured, session=<6ka06S81BwBILQJI>
    Jun 13 18:23:14 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN , rip=172.25.2.7, lip=192.168.0.5, mpid=1243, secured, session=<Gl+PVTA1LABILQJI>
    Jun 13 18:53:23 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN , rip=172.25.2.7, lip=192.168.0.5, mpid=3769, secured, session=<hqpuwTA1TABILQJI>
    #
I searched the maillog file for all entries containing his user name with grep, filtered that output with a second grep to keep only the entries containing "pop3", and then piped the result into a third grep that searches for "rip=", since I only wanted entries that showed the remote IP address of the system from which he connected.
If I only wanted to see the remote IP address, I could add the -o or --only-matching option to grep to have it show me only the matching part of a line. From the grep man page:
    -o, --only-matching
           Print only the matched (non-empty) parts of a matching line, with
           each such part on a separate output line.
In this case I only want to see "rip=" followed by a run of characters that are each either a digit (0 through 9) or a period, so I can use the following:
    # grep benny /var/log/maillog.4 | grep pop3 | grep -o "rip=[0-9.]*"
    rip=172.25.2.7
    rip=172.25.2.7
    rip=172.25.2.7
    rip=172.25.2.7
    rip=172.25.2.7
    #
And, if I want to eliminate the "rip=" as well, I can use the following:
    # grep benny /var/log/maillog.4 | grep pop3 | grep -o "rip=[0-9.]*" | grep -o "[0-9.]*"
    172.25.2.7
    172.25.2.7
    172.25.2.7
    172.25.2.7
    172.25.2.7
Or I could use the cut command to filter out just the IP by instructing cut to only display the second field on lines where the delimiter separating fields is the equals sign.
    # grep benny /var/log/maillog.4 | grep pop3 | grep -o "rip=[0-9.]*" | cut -d"=" -f2
    172.25.2.7
    172.25.2.7
    172.25.2.7
    172.25.2.7
    172.25.2.7
    #
Note: a search like the one shown above finds POP3 connections both to the standard POP3 port, 110, and to the POP3S port, 995. E.g., for another user, who uses Outlook as her email client to connect to the POP3S port, I see entries similar to the following in the mail log file.
    # grep nell /var/log/maillog | grep pop3 | grep "rip=" | tail -n 1
    Jun 17 15:23:47 moonpoint dovecot: pop3-login: Login: user=<nina>, method=PLAIN, rip=172.25.2.21, lip=192.168.0.5, mpid=11861, TLS, session=<gJE1S341XADP/7XS>
    #
I can see that her email client is using POP3S for the connection rather than an unencrypted POP3 connection, because entries for her account include "TLS".
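The IP extraction above and the TLS check can be folded into one script that reports, per remote address, how many successful POP3 logins an account had and whether each was a TLS session. This is an added example, not code from the original article; the log lines are a constructed sample in the same layout as the entries above, and the function names sample_log and pop3_login_ips are my own.

```shell
#!/bin/sh
# Added example (not from the original article): summarize, per remote
# address, the successful POP3 logins of one account as recorded in Dovecot's
# pop3-login lines, together with the word Dovecot logged after mpid=
# ("TLS" for POP3S sessions, "secured" in the article's plain-POP3 entries).

# Constructed sample of maillog lines in the same layout as the article's.
sample_log() {
    cat <<'EOF'
Jun 13 02:57:23 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=172.25.2.7, lip=192.168.0.5, mpid=21212, secured, session=<aaaa0001>
Jun 13 04:59:10 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=172.25.2.7, lip=192.168.0.5, mpid=32662, secured, session=<aaaa0002>
Jun 13 17:53:04 moonpoint dovecot: imap-login: Login: user=<benny>, method=PLAIN, rip=172.25.2.9, lip=192.168.0.5, mpid=30622, TLS, session=<aaaa0003>
Jun 14 09:12:01 moonpoint dovecot: pop3-login: Login: user=<benny>, method=PLAIN, rip=203.0.113.40, lip=192.168.0.5, mpid=1243, TLS, session=<aaaa0004>
Jun 14 09:13:30 moonpoint dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<benny>, method=PLAIN, rip=203.0.113.40, lip=192.168.0.5, session=<aaaa0005>
Jun 17 15:23:47 moonpoint dovecot: pop3-login: Login: user=<nina>, method=PLAIN, rip=172.25.2.21, lip=192.168.0.5, mpid=11861, TLS, session=<aaaa0006>
EOF
}

# pop3_login_ips USER  (log lines on stdin)
# Prints one "IP COUNT MODE" line per distinct remote address / mode pair.
# Matching the full "pop3-login: Login: user=<USER>," prefix instead of the
# article's looser "grep USER | grep pop3 | grep rip=" chain keeps out
# IMAP logins, other users whose names contain USER, and failed or
# disconnected sessions that also carry a rip= field.
pop3_login_ips() {
    user=$1
    grep "pop3-login: Login: user=<${user}>," \
    | sed -n 's/.*rip=\([0-9.]*\),.*mpid=[0-9]*, \([A-Za-z]*\),.*/\1 \2/p' \
    | sort | uniq -c \
    | awk '{ print $2, $1, $3 }'
}

# Demo: benny logged in twice from 172.25.2.7 without TLS and once from
# 203.0.113.40 over TLS; the IMAP login and the auth failure are not counted.
sample_log | pop3_login_ips benny
```

Point the function at a real file with `pop3_login_ips benny < /var/log/maillog.4` to get the same summary for the account in the article.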