Plesk

How to track down who removed messages in Courier-IMAP on a Plesk server?

Question

How to track down who removed email messages on a Plesk for Linux server with Courier-IMAP?

Answer

When debug mode is enabled for the Courier-IMAP service, it is possible to determine the IP address from which a message was removed in a mail client.

To enable debug mode:

  1. Connect to the server via SSH.

For IMAP

  1. Open the /etc/courier-imap/imapd file for editing. For example, using the vi text editor:

    # vi /etc/courier-imap/imapd

  2. Uncomment the line below by removing the # symbol at the beginning of the line:

    IMAP_LOG_DELETIONS=1

    Save changes and close the file.

  3. Restart Courier-IMAP services by executing the command below:

    # service courier-imapd restart && service courier-imaps restart

For POP3

  1. Open the /etc/courier-imap/pop3d file for editing. For example, using the vi text editor:

    # vi /etc/courier-imap/pop3d

  2. Uncomment the line below by removing the # symbol at the beginning of the line:

    POP3_LOG_DELETIONS=1

    Save changes and close the file.

  3. Restart Courier-IMAP services by executing the command below:

    # service courier-pop3d restart && service courier-pop3s restart

Once debug mode is enabled, each removal of a message from a mail client or webmail interface is logged to the /var/log/maillog log file.

Messages like the following will appear:

    courier-imaps: EXPUNGED, user=jdoe@example.com, ip=[::ffff:203.0.113.2], port=[29075], old_name=./cur/1656476008.M583215P25458V0000000000000801I0000000001921F18.example.com,S=1756:2,ST

    courier-pop3s: DELETED, user=jdoe@example.com, ip=[::ffff:203.0.113.2], port=[32689], filename=cur/1656477401.M29006P14385V0000000000000801I0000000001921F1A.example.com,S=1779:2,S

The address in the ip=[...] field (203.0.113.2 in the examples above, written with the ::ffff: IPv4-mapped prefix) is the IP address of the computer from which the email message was removed.
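
To pull these events out of a busy /var/log/maillog, the following added example (not part of the original Plesk article) counts deletions per mailbox user, source IP and service. It assumes the field layout of the two sample lines above; the syslog prefix, host name and file names in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example (not Plesk code): summarise Courier deletion events.
# Reads maillog-style lines on stdin and prints, tab-separated:
#   user  ip  service  action  count
# Optional $1 restricts the report to one mailbox user.
deletion_summary() {
    awk -v want="${1:-}" '
    # Value of ", key=" up to the next ", " (file names contain bare commas).
    function field(line, key,    s, i, j) {
        i = index(line, ", " key "=")
        if (i == 0) return ""
        s = substr(line, i + length(key) + 3)
        j = index(s, ", ")
        return (j > 0) ? substr(s, 1, j - 1) : s
    }
    # IMAP logs EXPUNGED, POP3 logs DELETED; LOGIN, LOGOUT etc. are skipped.
    /courier-(imap|pop3)[ds].*: (EXPUNGED|DELETED), / {
        match($0, /courier-(imap|pop3)[ds]/)
        svc = substr($0, RSTART, RLENGTH)
        action = ($0 ~ /: EXPUNGED, /) ? "EXPUNGED" : "DELETED"
        user = field($0, "user")
        ip = field($0, "ip")
        sub(/^\[/, "", ip); sub(/\]$/, "", ip)   # drop the [ ] wrapper
        sub(/^::ffff:/, "", ip)                   # IPv4-mapped IPv6 -> IPv4
        if (want != "" && user != want) next
        count[user "\t" ip "\t" svc "\t" action]++
    }
    END { for (k in count) print k "\t" count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample input: syslog prefix, host name and file names are made up.
sample_maillog() {
    cat <<'EOF'
Jun 29 04:13:28 mail courier-imaps: LOGIN, user=jdoe@example.com, ip=[::ffff:203.0.113.2], port=[29075], protocol=IMAP
Jun 29 04:13:30 mail courier-imaps: EXPUNGED, user=jdoe@example.com, ip=[::ffff:203.0.113.2], port=[29075], old_name=./cur/1656476008.M1P1V1I1.example.com,S=1756:2,ST
Jun 29 04:13:31 mail courier-imaps: EXPUNGED, user=jdoe@example.com, ip=[::ffff:203.0.113.2], port=[29075], old_name=./cur/1656476009.M2P2V1I2.example.com,S=900:2,ST
Jun 29 04:36:41 mail courier-pop3s: DELETED, user=jdoe@example.com, ip=[::ffff:198.51.100.7], port=[32689], filename=cur/1656477401.M3P3V1I3.example.com,S=1779:2,S
Jun 29 05:00:02 mail courier-pop3s: DELETED, user=asmith@example.com, ip=[::ffff:198.51.100.7], port=[40100], filename=cur/1656478802.M4P4V1I4.example.com,S=2048:2,S
EOF
}

sample_maillog | deletion_summary
```

To run it against the live log for one mailbox, replace the last line with `deletion_summary jdoe@example.com < /var/log/maillog`.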
