How to log who and when deleted some email (dovecot)

Post Reply
User avatar
myVesta
Site Admin
Posts: 934
Joined: Fri Jun 19, 2020 9:59 am
Has thanked: 8 times
Been thanked: 6 times

First:

Code: Select all

sed -i "1s|^|mail_plugins = \$mail_plugins mail_log notify\n|" /etc/dovecot/dovecot.conf
Then (copy-paste the whole block):

Code: Select all

cat <<EOF >/etc/dovecot/conf.d/90-plugin.conf
##
## Plugin settings
##

# All wanted plugins must be listed in mail_plugins setting before any of the
# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
# their configuration. Note that %variable expansion is done for all values.

plugin {
  #setting_name = value

  # Events to log. Defined in src/plugins/mail-log/mail-log-plugin.c - also available: flag_change save mailbox_create
  # autoexpunge is included in expunge
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename

  # Also available: Defined in src/plugins/mail-log/mail-log-plugin.c - flags vsize from subject
  mail_log_fields = uid box msgid from subject

  # Don't log fields that require opening the email (v2.2.28+).
  #mail_log_cached_only = yes
}
EOF
Finally, restart dovecot:

Code: Select all

systemctl restart dovecot
After a while, when somebody delete some email, you can grep log:

Code: Select all

grep 'delete' /var/log/dovecot.log
or

Code: Select all

grep 'box=Trash' /var/log/dovecot.log
Result will be something like:

Code: Select all

Oct 12 13:35:54 imap([email protected])<8293><sYkky9TqQ95dV0dK>: Info: delete: box=Trash, uid=98, msgid=<CAE0E5YAbtVmVmYnnmskYBqEg74ZfKKQDm99+8E1LZ3bPDwNmNg@mail.gmail.com>, from=KOPAONIK APARTMAN <[email protected]>, subject=Kopaonik; Najava zakupa 12.10.2022.
In the line above, sYkky9TqQ95dV0dK is session ID.

To find IP address of this session:

Code: Select all

grep 'sYkky9TqQ95dV0dK' /var/log/dovecot.log
Look at the first line of the output:

Code: Select all

Oct 12 13:35:45 imap-login: Info: Login: user=<[email protected]>, method=PLAIN, rip=93.87.71.74, lip=XX.XX.XXX.XX, mpid=8293, TLS, session=<sYkky9TqQ95dV0dK>
From the line above:

Code: Select all

rip=93.87.71.74
is IP address of the client that deleted email.

Tags:
Post Reply