How to track down who removed email messages on a Plesk for Linux server with Courier-IMAP?
It is possible to define from which IP address a message was removed in a mail client for Courier-IMAP service when Debug mode is enabled.
To enable debug mode:
- Connect to the server via SSH.
After the debug mode is enabled, each removal of the message from a mail client/webmail interface will be logged to the
/var/log/maillog log file.
Messages like the below will appear:
courier-imaps: EXPUNGED, [email protected], ip=[::ffff:203.0.113.2], port=, old_name=./cur/1656476008.M583215P25458V0000000000000801I0000000001921F18.example.com,S=1756:2,ST
courier-pop3s: DELETED, [email protected], ip=[::ffff:203.0.113.2], port=, filename=cur/1656477401.M29006P14385V0000000000000801I0000000001921F1A.example.com,S=1779:2,S
The IP address in bold will be the IP address of the computer from which the email message was removed.