Here are some notes on tracking down email logins on cPanel or WHM.
IMAP Logins
IMAP logins are fairly easy to track down. Check /var/log/maillog.
Follow the log
tail -f /var/log/maillog | grep email@address.com
Or search the whole log
grep "email@address.com" /var/log/maillog
rip = Remote IP. That is the public IP address of your client.
lip = Local IP. That is the IP address of the WHM/cPanel mail server.
Mar 27 12:30:51 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.10, mpid=1234567, TLS, session=<Q2sNAb3Q4OgkYXBa>
Webmail Logins
You can also view some info about Webmail connections.
tail -f /var/log/maillog | grep email@address.com
or
grep "email@address.com" /var/log/maillog
When logged into webmail, the connection can look like the following.
Mar 27 12:31:17 host dovecot[207411]: imap(email@address.com)<1234567>: Disconnected: Logged out in=148, out=1166, bytes=148/1166
Mar 29 16:41:30 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=::1, lip=::1, mpid=1234567, secured, session=<1uP1h3vD3as3AAAAAAAAAAAAAAAAAAAAB>
Notice the rip and lip are both ::1, IPv6 localhost. Looks like Webmail is creating a local connection to the server to authenticate and pull the email. This makes tracking down where an actual person signed in from a little harder. The connection still gets logged, it’s just in a different log.
Use one of the following two commands to search the session log
tail -f /usr/local/cpanel/logs/session_log
grep "email@address.com" /usr/local/cpanel/logs/session_log
The output should be similar to the following
[2023-03-27 12:31:17 -0500] info [webmaild] 192.168.1.11 NEW email@address.com:A3WnodOlnxn1gq05 address=192.168.1.11,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0
Notice it gives us the IP address of where the user signed in from.
You could also look at “/usr/local/cpanel/logs/access_log”; however, the @ sign is percent-encoded as “%40” there. That could cause issues if you are trying to grep for the email address.
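The maillog and session_log lookups above, combined into one script, as an added example that is not part of the original notes: it lists the login sources for one mailbox from both logs and marks the loopback IMAP logins that webmail generates. The function names and the second session_log line are constructed for illustration, and the log formats are assumed to match the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the original notes. Log formats are assumed to
# match the sample lines quoted on this page.

# imap_logins EMAIL MAILLOG: one line per dovecot imap-login for EMAIL.
# A loopback rip means webmail opened the connection, not a mail client.
imap_logins() {
    awk -v u="user=<$1>," '
        index($0, "imap-login: Login:") && index($0, u) {
            for (i = 1; i <= NF; i++) if ($i ~ /^rip=/) {
                ip = $i; sub(/^rip=/, "", ip); sub(/,$/, "", ip)
                kind = (ip == "::1" || ip == "127.0.0.1") ? "webmail-proxy" : "imap"
                print kind, $1, $2, $3, ip
            }
        }' "$2"
}

# webmail_logins EMAIL SESSION_LOG: one line per webmaild NEW session for
# EMAIL, carrying the address the browser actually connected from.
webmail_logins() {
    awk -v u="$1:" '
        $4 == "info" && $5 == "[webmaild]" && $7 == "NEW" && index($8, u) == 1 {
            d = $1; sub(/^\[/, "", d)
            print "webmail", d, $2, $6
        }' "$2"
}

# client_ips EMAIL MAILLOG SESSION_LOG: unique real client addresses,
# dropping the ::1 / 127.0.0.1 entries that only reflect the webmail proxy.
client_ips() {
    { imap_logins "$1" "$2"; webmail_logins "$1" "$3"; } |
        awk '$1 != "webmail-proxy" { print $NF }' | sort -u
}

# Constructed sample logs, built from the lines shown on this page.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/maillog" <<'EOF'
Mar 27 12:30:51 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.10, mpid=1234567, TLS, session=<Q2sNAb3Q4OgkYXBa>
Mar 27 12:31:17 host dovecot[207411]: imap(email@address.com)<1234567>: Disconnected: Logged out in=148, out=1166, bytes=148/1166
Mar 29 16:41:30 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=::1, lip=::1, mpid=1234567, secured, session=<1uP1h3vD3as3AAAAAAAAAAAAAAAAAAAAB>
EOF
cat > "$SAMPLE_DIR/session_log" <<'EOF'
[2023-03-27 12:31:17 -0500] info [webmaild] 192.168.1.11 NEW email@address.com:A3WnodOlnxn1gq05 address=192.168.1.11,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0
[2023-03-27 12:40:02 -0500] info [webmaild] 192.168.1.50 NEW other@address.com:CONSTRUCTEDTOKEN address=192.168.1.50,app=webmaild,creator=other@address.com,method=handle_form_login,path=form,possessed=0
EOF
client_ips "email@address.com" "$SAMPLE_DIR/maillog" "$SAMPLE_DIR/session_log"
```

On a real server, pass /var/log/maillog and /usr/local/cpanel/logs/session_log as the second and third arguments.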