Eugene Gladchenko
2007-May-10 10:15 UTC
[Dovecot] Tracing an IP of a user who deleted the message
Hello, Dovecot writes to the log file lines like these: May 10 13:19:04 mailserver dovecot: IMAP(office): copy -> Trash: uid=1131, msgid=<45E669BE.8090705 at example.com>, box=Sent May 10 13:19:05 mailserver dovecot: IMAP(office): deleted: uid=1131, msgid=<45E669BE.8090705 at example.com>, box=Sent May 10 13:53:08 mailserver dovecot: IMAP(office): copy -> Trash: uid=1719, msgid=<002701b483f5$7aa257e0$23833bda at example.com> May 10 13:53:08 mailserver dovecot: IMAP(office): deleted: uid=1719, msgid=<002701b483f5$7aa257e0$23833bda at example.com> I've got a bunch of users that work with the login 'office'. Is it possible to determine the IP of the user that deleted messages? If not, what can be done about it in the future? Thank you. -- Eugene Gladchenko EVG15-RIPE
Steffen Kaiser
2007-May-10 10:55 UTC
[Dovecot] Tracing an IP of a user who deleted the message
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 10 May 2007, Eugene Gladchenko wrote:> May 10 13:19:04 mailserver dovecot: IMAP(office): copy -> Trash: uid=1131, msgid=<45E669BE.8090705 at example.com>, box=Sent > May 10 13:19:05 mailserver dovecot: IMAP(office): deleted: uid=1131, msgid=<45E669BE.8090705 at example.com>, box=Sent > May 10 13:53:08 mailserver dovecot: IMAP(office): copy -> Trash: uid=1719, msgid=<002701b483f5$7aa257e0$23833bda at example.com> > May 10 13:53:08 mailserver dovecot: IMAP(office): deleted: uid=1719, msgid=<002701b483f5$7aa257e0$23833bda at example.com> >You can log the PID, too: # Log prefix for mail processes. See doc/wiki/Variables.txt for list of # possible variables you can use. #mail_log_prefix = "%Us(%u): " mail_log_prefix = "%Us(%u) [%p]: " Then you can trace the PID. Bye, - -- Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBRkL6Oi9SORjhbDpvAQJlRQf+Kuynm+PpXPlHrbWf2gsLJlS/dx8vlYcx hP/Fn3y7SvXCJOrC3K73tMeE2BY8dQ8iqKxgQFtaDPinoQ3T/D8UIpj6z+DfOA07 z2nMh8FnchBSSNSXRAUqziYVkTOuUPBPjQP9ZXDnRmGTSdqy9VM0iuNSAP7DEOYo z1hdsL8yOSrBfwUKVaVmpxHJ77CUfyIwlVrGKDEiIG1nVGWP4MJ9VhT7SyfO+JHk lWjHpLIN+kS8wwKgYadZcUWgo5TvAXdhCWZ10j09Ep1DtovvUu2J6Dhiody9Uc65 SqFRyVUG+XsuW1UpHKK9L8rsZbNg5VaTncg5MAnq3+nOs2iCQQ5g+g==8abn -----END PGP SIGNATURE-----
Andy Shellam
2007-May-10 16:54 UTC
[Dovecot] Tracing an IP of a user who deleted the message
Would it be better to have a shared mailbox called "office" with each user having their own login, and, where appropriate, with ACLs so only the relevant people can access it. I'm not sure completely how to do this as I'm in the process of learning 1.0 after a 2 year break from Dovecot, but I'm sure it could be done. Andy. Eugene Gladchenko wrote:> Hello, > > Dovecot writes to the log file lines like these: > > May 10 13:19:04 mailserver dovecot: IMAP(office): copy -> Trash: uid=1131, msgid=<45E669BE.8090705 at example.com>, box=Sent > May 10 13:19:05 mailserver dovecot: IMAP(office): deleted: uid=1131, msgid=<45E669BE.8090705 at example.com>, box=Sent > May 10 13:53:08 mailserver dovecot: IMAP(office): copy -> Trash: uid=1719, msgid=<002701b483f5$7aa257e0$23833bda at example.com> > May 10 13:53:08 mailserver dovecot: IMAP(office): deleted: uid=1719, msgid=<002701b483f5$7aa257e0$23833bda at example.com> > > I've got a bunch of users that work with the login 'office'. Is it > possible to determine the IP of the user that deleted messages? If not, > what can be done about it in the future? > > Thank you. > >