[Dovecot] Tracing an IP of a user who deleted the message
Hello,
Dovecot writes to the log file lines like these:
May 10 13:19:04 mailserver dovecot: IMAP(office): copy -> Trash: uid=1131, msgid=45E669BE.8090705@example.com, box=Sent May 10 13:19:05 mailserver dovecot: IMAP(office): deleted: uid=1131, msgid=45E669BE.8090705@example.com, box=Sent May 10 13:53:08 mailserver dovecot: IMAP(office): copy -> Trash: uid=1719, msgid=002701b483f5$7aa257e0$23833bda@example.com May 10 13:53:08 mailserver dovecot: IMAP(office): deleted: uid=1719, msgid=002701b483f5$7aa257e0$23833bda@example.com
I've got a bunch of users that work with the login 'office'. Is it possible to determine the IP of the user that deleted messages? If not, what can be done about it in the future?
Thank you.
-- Eugene Gladchenko EVG15-RIPE
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Thu, 10 May 2007, Eugene Gladchenko wrote:
May 10 13:19:04 mailserver dovecot: IMAP(office): copy -> Trash: uid=1131, msgid=45E669BE.8090705@example.com, box=Sent May 10 13:19:05 mailserver dovecot: IMAP(office): deleted: uid=1131, msgid=45E669BE.8090705@example.com, box=Sent May 10 13:53:08 mailserver dovecot: IMAP(office): copy -> Trash: uid=1719, msgid=002701b483f5$7aa257e0$23833bda@example.com May 10 13:53:08 mailserver dovecot: IMAP(office): deleted: uid=1719, msgid=002701b483f5$7aa257e0$23833bda@example.com
You can log the PID, too:
# Log prefix for mail processes. See doc/wiki/Variables.txt for list of # possible variables you can use. #mail_log_prefix = "%Us(%u): " mail_log_prefix = "%Us(%u) [%p]: "
Then you can trace the PID.
Bye,
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBRkL6Oi9SORjhbDpvAQJlRQf+Kuynm+PpXPlHrbWf2gsLJlS/dx8vlYcx hP/Fn3y7SvXCJOrC3K73tMeE2BY8dQ8iqKxgQFtaDPinoQ3T/D8UIpj6z+DfOA07 z2nMh8FnchBSSNSXRAUqziYVkTOuUPBPjQP9ZXDnRmGTSdqy9VM0iuNSAP7DEOYo z1hdsL8yOSrBfwUKVaVmpxHJ77CUfyIwlVrGKDEiIG1nVGWP4MJ9VhT7SyfO+JHk lWjHpLIN+kS8wwKgYadZcUWgo5TvAXdhCWZ10j09Ep1DtovvUu2J6Dhiody9Uc65 SqFRyVUG+XsuW1UpHKK9L8rsZbNg5VaTncg5MAnq3+nOs2iCQQ5g+g== =8abn -----END PGP SIGNATURE-----
On Thu, 2007-05-10 at 12:55 +0200, Steffen Kaiser wrote:
May 10 13:19:04 mailserver dovecot: IMAP(office): copy -> Trash: uid=1131, msgid=45E669BE.8090705@example.com, box=Sent May 10 13:19:05 mailserver dovecot: IMAP(office): deleted: uid=1131, msgid=45E669BE.8090705@example.com, box=Sent May 10 13:53:08 mailserver dovecot: IMAP(office): copy -> Trash: uid=1719, msgid=002701b483f5$7aa257e0$23833bda@example.com May 10 13:53:08 mailserver dovecot: IMAP(office): deleted: uid=1719, msgid=002701b483f5$7aa257e0$23833bda@example.com
You can log the PID, too:
# Log prefix for mail processes. See doc/wiki/Variables.txt for list of # possible variables you can use. #mail_log_prefix = "%Us(%u): " mail_log_prefix = "%Us(%u) [%p]: "
Then you can trace the PID.
And if you just need the IP, even easier to add %r directly there :)
Would it be better to have a shared mailbox called "office" with each user having their own login, and, where appropriate, with ACLs so only the relevant people can access it.
I'm not sure completely how to do this as I'm in the process of learning 1.0 after a 2 year break from Dovecot, but I'm sure it could be done.
Andy.
Eugene Gladchenko wrote:
Hello,
Dovecot writes to the log file lines like these:
May 10 13:19:04 mailserver dovecot: IMAP(office): copy -> Trash: uid=1131, msgid=45E669BE.8090705@example.com, box=Sent May 10 13:19:05 mailserver dovecot: IMAP(office): deleted: uid=1131, msgid=45E669BE.8090705@example.com, box=Sent May 10 13:53:08 mailserver dovecot: IMAP(office): copy -> Trash: uid=1719, msgid=002701b483f5$7aa257e0$23833bda@example.com May 10 13:53:08 mailserver dovecot: IMAP(office): deleted: uid=1719, msgid=002701b483f5$7aa257e0$23833bda@example.com
I've got a bunch of users that work with the login 'office'. Is it possible to determine the IP of the user that deleted messages? If not, what can be done about it in the future?
Thank you.
participants (4)
-
Andy Shellam
-
Eugene Gladchenko
-
Steffen Kaiser
-
Timo Sirainen