Hi Peter,

> Is there any way of working out which account has sent the email from
> roundcube?

Yes. Check /var/log/maillog. RoundCube uses SMTP-Auth to authenticate against the MTA when it sends emails. So the username of the account sending the emails is logged.

Below is an example where user "admin" sent an Email via RoundCube:

1.) IMAP login of user "admin" as he logged into RoundCube:

Mar 24 15:12:19 cbx dovecot: imap-login: Login: user=<admin>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

2.) User "admin" sends a message:

Mar 24 15:12:20 cbx sendmail[26191]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Mar 24 15:12:20 cbx sendmail[26191]: AUTH=server, relay=localhost [127.0.0.1], authid=admin, mech=PLAIN, bits=0

3.) Said message is being processed:

Mar 24 15:12:20 cbx milter-greylist: User admin authenticated, bypassing greylisting
Mar 24 15:12:20 cbx sendmail[26191]: o2OECJls026191: from=<[email protected]>, size=328, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]

So if you suspect RoundCube being the culprit (i.e.: user with weak password had his account details guessed and someone is now using the installed RoundCube with those details), then you could grep the maillog for these lines:

cat /var/log/maillog | grep "AUTH=server" |grep "authid="

That ought to list all SMTP-Auth'ed logins to Sendmail. If that also shows legitimate remote connections from dialup users, you may want to trim it down further to show only SMTP-Auth connections from localhost:

cat /var/log/maillog | grep "AUTH=server" |grep "authid=" |grep "relay=localhost"

Which should list only the RoundCube logins to SMTP-Auth.

-- 
With best regards

Michael Stauber
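
Added example, not part of the original message: the greps above list the SMTP-Auth logins; this sketch goes one step further and ties each localhost login to the from= lines logged by the same sendmail PID, giving a message count per account. The accounts "jdoe" and "dialup1", the addresses, the queue IDs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Count messages per SMTP-Auth account submitted over localhost (webmail).
# Reads maillog lines from the named files, or from stdin if none are given.
# Assumption: a sendmail PID is not reused by an unauthenticated local session.
webmail_senders() {
    awk '
    # PID from "sendmail[26191]:", or "" for lines of other daemons.
    function pid_of() {
        if (!match($0, /sendmail\[[0-9]+\]/)) return ""
        return substr($0, RSTART + 9, RLENGTH - 10)
    }
    { pid = pid_of(); if (pid == "") next }
    # SMTP-Auth line: remember the account only for logins from localhost.
    /AUTH=server/ && match($0, /authid=[^,]+/) {
        id = substr($0, RSTART + 7, RLENGTH - 7)
        if (index($0, "relay=localhost ")) auth[pid] = id
        else delete auth[pid]      # remote login on a reused PID
        next
    }
    # Envelope line from the same process: one accepted message.
    / from=</ && index($0, "relay=localhost ") && (pid in auth) {
        count[auth[pid]]++
    }
    END { for (u in count) printf "%d %s\n", count[u], u }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample log: one local send by admin, three by jdoe, one remote.
sample_log() {
    cat <<'EOF'
Mar 24 15:12:19 cbx dovecot: imap-login: Login: user=<admin>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 24 15:12:20 cbx sendmail[26191]: AUTH=server, relay=localhost [127.0.0.1], authid=admin, mech=PLAIN, bits=0
Mar 24 15:12:20 cbx sendmail[26191]: o2OECJls026191: from=<admin@example.com>, size=328, nrcpts=1, relay=localhost [127.0.0.1]
Mar 24 15:20:01 cbx sendmail[26200]: AUTH=server, relay=localhost [127.0.0.1], authid=jdoe, mech=PLAIN, bits=0
Mar 24 15:20:01 cbx sendmail[26200]: o2OEK1aa026200: from=<jdoe@example.com>, size=900, nrcpts=50, relay=localhost [127.0.0.1]
Mar 24 15:20:02 cbx sendmail[26200]: o2OEK1ab026200: from=<jdoe@example.com>, size=900, nrcpts=50, relay=localhost [127.0.0.1]
Mar 24 15:20:03 cbx sendmail[26200]: o2OEK1ac026200: from=<jdoe@example.com>, size=900, nrcpts=50, relay=localhost [127.0.0.1]
Mar 24 15:30:00 cbx sendmail[26210]: AUTH=server, relay=host.example.net [192.0.2.10], authid=dialup1, mech=PLAIN, bits=0
Mar 24 15:30:00 cbx sendmail[26210]: o2OEU0zz026210: from=<dialup1@example.com>, size=400, nrcpts=1, relay=host.example.net [192.0.2.10]
EOF
}

sample_log | webmail_senders    # on a real box: webmail_senders /var/log/maillog
```

An account that suddenly tops this list is the one to check for a guessed password.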
