Email login history

Sometimes it is useful to check the login history of a specific email account, for example when a user suspects unauthorized access to their mailbox. On a RHEL/CentOS-style server running Dovecot (the setup the entries below come from), the log file to look at is:

/var/log/maillog

For example, a search for the domain name example.com returns entries like the following. The imap-login lines are failed login attempts (note "auth failed"), while the lmtp lines are message deliveries to a mailbox, not logins:

Apr  5 13:29:14 s03 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 11 secs): user=<stantonhollie69@example.com>, method=PLAIN, rip=98.181.99.206, lip=104.193.110.155, TLS, session=<38c2U4+ixZNitWPO>
Apr  5 13:40:56 s03 dovecot: lmtp(amy@example.com)<4834><KJ2KMzgmil7iEgAAHXfTaw>: lmtp-server: conn unix:pid=4833,uid=47 [1]: rcpt amy@example.com: msgid=<0.0.0.3C.1D60B7567C661C2.13D16D@mail.csgfff.com>: saved mail to INBOX
Apr  5 13:50:51 s03 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<stantonhollie69@example.com>, method=PLAIN, rip=177.135.103.94, lip=104.193.110.155, TLS: Connection closed, session=<GpPgoI+iXOCxh2de>
Apr  5 14:00:11 s03 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<stantonhollie69@example.com>, method=PLAIN, rip=159.192.137.113, lip=104.193.110.155, TLS: Connection closed, session=<3SMzwo+iueqfwIlx>

From the shell, you can run a command like

# grep texttofind /var/log/maillog
# grep 'auth failed' /var/log/maillog

to list all occurrences of the specified text (grep reads the file directly, so there is no need to pipe it through cat).

When reading the results, keep in mind that "auth failed" entries only tell you who tried and did not get in. A successful login is logged by Dovecot as an "imap-login: Login: user=<...>" line (or "pop3-login: Login:" for POP3), so grep for the account's "Login: user=<" entries to see when, and from which address, the mailbox was actually opened. In each entry rip= is the remote client IP and lip= is the server's own IP; rip= is the value to compare against the user's known locations. Also, /var/log/maillog holds only the current rotation period; anything older is in the rotated copies next to it (for example /var/log/maillog-* or /var/log/maillog.1, depending on the logrotate configuration), which must be searched as well.
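The grep commands above answer one question at a time. The script below is an added example, not code from the original page: it turns the same Dovecot line formats into a short per-account report (failed attempts per source IP, successful logins, and accounts hammered from many addresses). It runs against a constructed sample log written to a temporary file; the "Login:" lines and the 203.0.113.7 and 198.51.100.9 addresses in that sample are invented for the demo, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: summarise Dovecot login
# activity for one mailbox from a maillog. Assumes the stock Dovecot
# imap-login/pop3-login line formats shown above. The log below is a
# constructed sample standing in for /var/log/maillog; the "Login:" lines
# and the 203.0.113.7 / 198.51.100.9 addresses are invented for the demo.

SAMPLE_LOG="${TMPDIR:-/tmp}/maillog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Apr  5 13:29:14 s03 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 11 secs): user=<stantonhollie69@example.com>, method=PLAIN, rip=98.181.99.206, lip=104.193.110.155, TLS, session=<38c2U4+ixZNitWPO>
Apr  5 13:40:56 s03 dovecot: lmtp(amy@example.com)<4834><KJ2KMzgmil7iEgAAHXfTaw>: lmtp-server: conn unix:pid=4833,uid=47 [1]: rcpt amy@example.com: msgid=<0.0.0.3C.1D60B7567C661C2.13D16D@mail.csgfff.com>: saved mail to INBOX
Apr  5 13:50:51 s03 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<stantonhollie69@example.com>, method=PLAIN, rip=177.135.103.94, lip=104.193.110.155, TLS: Connection closed, session=<GpPgoI+iXOCxh2de>
Apr  5 14:00:11 s03 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<stantonhollie69@example.com>, method=PLAIN, rip=159.192.137.113, lip=104.193.110.155, TLS: Connection closed, session=<3SMzwo+iueqfwIlx>
Apr  5 14:03:40 s03 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<stantonhollie69@example.com>, method=PLAIN, rip=159.192.137.113, lip=104.193.110.155, TLS: Connection closed, session=<Qm3zwo+ipqlfwIaa>
Apr  5 14:12:03 s03 dovecot: imap-login: Login: user=<stantonhollie69@example.com>, method=PLAIN, rip=203.0.113.7, lip=104.193.110.155, mpid=5120, TLS, session=<a1B2c3D4e5F6g7H8>
Apr  5 14:15:22 s03 dovecot: imap-login: Login: user=<amy@example.com>, method=PLAIN, rip=198.51.100.9, lip=104.193.110.155, mpid=5133, TLS, session=<z9Y8x7W6v5U4t3S2>
EOF

# Failed authentication attempts against ACCOUNT, one line per source IP,
# printed as "<attempts> <rip>" with the busiest source first. Dovecot
# reports "N attempts" per session, so those counters are summed rather
# than counting lines.
failed_auth_by_ip() {
    log="$1"; account="$2"
    grep -F 'auth failed' "$log" | grep -F "user=<$account>" |
    sed -n 's/.*auth failed, \([0-9]*\) attempts.* rip=\([^,]*\),.*/\1 \2/p' |
    awk '{ n[$2] += $1 } END { for (ip in n) print n[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Successful IMAP/POP3 logins for ACCOUNT as "<timestamp> <rip> <session>",
# in log order. This is the list to review when the question is "who
# actually got in", as opposed to "who tried".
successful_logins() {
    log="$1"; account="$2"
    grep -E '(imap|pop3)-login: Login:' "$log" | grep -F "user=<$account>" |
    sed -n 's/^\([A-Z][a-z][a-z] *[0-9]* [0-9:]*\) .* rip=\([^,]*\),.* session=<\([^>]*\)>.*/\1 \2 \3/p'
}

# Accounts with failed logins from more than MIN distinct source IPs, as
# "<ip count> <account>". A user mistyping a password comes from one or two
# addresses; a distributed brute force does not.
accounts_hit_from_many_ips() {
    log="$1"; min="${2:-2}"
    grep -F 'auth failed' "$log" |
    sed -n 's/.*user=<\([^>]*\)>.* rip=\([^,]*\),.*/\1 \2/p' |
    sort -u |
    awk -v min="$min" '{ c[$1]++ } END { for (u in c) if (c[u] > min) print c[u], u }' |
    sort -k1,1nr -k2,2
}

# Stand-alone run: report on the account that appears in the page's sample.
ACCOUNT=stantonhollie69@example.com
printf 'Failed attempts per source IP for %s:\n' "$ACCOUNT"
failed_auth_by_ip "$SAMPLE_LOG" "$ACCOUNT"
printf 'Successful logins for %s:\n' "$ACCOUNT"
successful_logins "$SAMPLE_LOG" "$ACCOUNT"
printf 'Accounts with failed logins from more than 2 distinct IPs:\n'
accounts_hit_from_many_ips "$SAMPLE_LOG" 2
```

To run it against a real server, replace "$SAMPLE_LOG" with /var/log/maillog, or concatenate the current file with its rotated copies into one temporary file first so that attempts older than the current rotation period are counted too. The functions only use grep, sed, awk and sort, so they work on a minimal server without installing anything.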

Image: Search text in /var/log/maillog

Resources:
Search in log files with CSF
