You can configure vpopmail logging (compile time only, as far as I
know), which then will show you various information depending on the
level you have chosen.
On Wed, 2007-02-21 at 16:56 -0600, Max Esquivel wrote:
> Hi all. Im not sure this is the right ML so if it is not I apologize
> and please point me in the right direction. Thanks!
> I have a qmail server (qmail, vpopmail-no mysql). I have ssome 500
> client email accounts distributed over some 30 domain names. Im
> having serious SPAM problems in the sense that some spammer is using
> legit username/pw combinatioss to authenticate and send his/her
> garbage. I cant , for the life of me, determine which accounts are
> suspect or are compromised. On my system, mail.log (/var/log/mail/
> log) provides good info for pop and spamd activity, showing what user
> a pop connection is opened and closed for like so:
> Feb 21 14:48:57 sjo pop3d: Connection, ip=[::ffff:22.214.171.124]
> Feb 21 14:48:57 sjo pop3d: LOGIN, [EMAIL PROTECTED], ip=
> Feb 21 14:48:57 sjo pop3d: LOGOUT, [EMAIL PROTECTED], ip=
> [::ffff:126.96.36.199], top=0, retr=0, rcvd=12, sent=39, time=0
> Since I am interested in smtp though, I look at /var/log/qmail/smtpd/
> current and find that the info only tells me the connecting IP,
> target IP and stasus info:
> @4000000045dccd01188edb8c tcpserver: pid 4555 from 188.8.131.52
> @4000000045dccd01188ffc9c tcpserver: ok 4555 sjo.sinapsisglobal.com:
> 184.108.40.206:25 :220.127.116.11::4430
> @4000000045dccd020d221944 tcpserver: end 4551 status 0
> @4000000045dccd020d2228e4 tcpserver: status: 12/120
> @4000000045dccd021e11902c tcpserver: end 4555 status 256
> Is there any way to configure the smtp log to show which account is
> being logged in or auth'ed to send, sort of like what the pop log shows?
> Any help will be immensely appreciated.