https://support.cpanel.net/hc/en-us/articles/1500012467681-How-To-List-Email-Login-History
ℹ️There are a few different logs that contain email logins.
/var/log/maillog
/usr/local/cpanel/logs/session_log
/usr/local/cpanel/logs/login_log
/var/log/exim_mainlogHere are some notes on tracking down email logins on cPanel or WHM.
IMAP Logins
IMAP logins are fairly easy to track down. Check the /var/log/maillog
Follow the log
tail -f /var/log/maillog | grep email@address.com
Or search the whole log
grep "email@address.com" /var/log/maillog
RIP = Remote IP. That is the public IP address of your client
LIP = Local IP is the IP address of the WHM/cPanel mail server
Mar 27 12:30:51 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.10, mpid=1234567, TLS, session=<Q2sNAb3Q4OgkYXBa>
Webmail Logins
You can also view some info about Webmail connections in the main mail log.
tail -f /var/log/maillog | grep email@address.com
or
grep "email@address.com" /var/log/maillog
When logged into webmail, the connection can look like the following.
Mar 27 12:31:17 host dovecot[207411]: imap(email@address.com)<1234567>: Disconnected: Logged out in=148, out=1166, bytes=148/1166 Mar 29 16:41:30 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=::1, lip=::1, mpid=1234567, secured, session=<1uP1h3vD3as3AAAAAAAAAAAAAAAAAAAAB>
Notice the rip and lip are both ::1, IPv6 localhost. Looks like Webmail is creating a local connection to the server to authenticate and pull the email. This makes tracking down where an actual person signed in from a little harder. The connection still gets logged, it’s just in a different log.
Use one of the following two commands to search the session log.
tail -f /usr/local/cpanel/logs/session_log
grep "email@address.com" /usr/local/cpanel/logs/session_log
The output should be similar to the following.
[2023-03-27 12:31:17 -0500] info [webmaild] 192.168.1.11 NEW email@address.com:A3WnodOlnxn1gq05 address=192.168.1.11,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0
Notice it gives us the IP address of where the user signed in from.
You could also look at the “/usr/local/cpanel/logs/access_log” however the @ sign is percent encoded “%40”. That could cause issues if you are trying to grep out the email address.
SMTP Logins
If you need to track down SMTP or IPs that are sending out emails, check out the /var/log/exim_mainlog
tail -f /var/log/exim_mainlog
grep "email@address.com" /var/log/exim_mainlog