CentOS 8.x Zimbra Trace received email activities in user mailbox

From Notes_Wiki


If we need to trace an email from the time it was received by the server through the various activities within the user's mailbox, such as copy/delete/move, we can use the following process.

  1. First determine the Message-ID of the message by looking at the /var/log/maillog or /var/log/zimbra.log files. We can search by From or To address, by date/time, or, if subject logging is enabled, by subject. Example log lines for an email in maillog / zimbra.log:
    maillog-20210228-Feb 25 11:19:24 mail postfix/postscreen[12660]: CONNECT from [192.168.2.32]:58952 to [192.168.2.29]:25
    maillog-20210228-Feb 25 11:19:24 mail postfix/postscreen[12660]: WHITELISTED [192.168.2.32]:58952
    maillog-20210228-Feb 25 11:19:24 mail postfix/smtpd[12661]: connect from unknown[192.168.2.32]
    maillog-20210228-Feb 25 11:19:24 mail postfix/smtpd[12661]: Anonymous TLS connection established from unknown[192.168.2.32]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    maillog-20210228:Feb 25 11:19:24 mail postfix/smtpd[12661]: NOQUEUE: filter: RCPT from unknown[192.168.2.32]: <user2@domain2.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; \
    from=<user2@domain2.com> to=<user1@domain1.com> proto=ESMTP helo=<mail.domain1.com>
    maillog-20210228-Feb 25 11:19:24 mail postfix/smtpd[12661]: CD2992A44BD6: client=unknown[192.168.2.32]
    maillog-20210228-Feb 25 11:19:24 mail postfix/cleanup[8991]: CD2992A44BD6: message-id=<8f80b24b897a40f2391c22d11272f5b3@domain2.com>
    maillog-20210228-Feb 25 11:19:24 mail postfix/qmgr[30285]: CD2992A44BD6: from=<user2@domain2.com>, size=1542086, nrcpt=2 (queue active)
    maillog-20210228-Feb 25 11:19:24 mail postfix/smtpd[12661]: disconnect from unknown[192.168.2.32] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
  2. Then search for the Message-ID (8f80b24b897a40f2391c22d11272f5b3@domain2.com in the above example logs) in the /opt/zimbra/log/mailbox.log files for the corresponding dates. You may find a line similar to:
    mailbox.log.2021-02-25:2021-02-25 11:19:27,894 INFO [LmtpServer-823] [name=user1@domain1.com;mid=50;ip=192.168.2.29;] mailop - Adding Message: id=20068, \
    Message-ID=<8f80b24b897a40f2391c22d11272f5b3@domain2.com>, parentId=-1, folderId=4, folderName=Junk acct=a9397f11-5904-450a-a851-6dbd0ffcf77d.
  3. From the above log line we can see that the message ID (the id= field) is 20068. We can then search for this ID in all the mailbox logs and get output similar to:
    mailbox.log.2021-02-25:2021-02-25 11:19:27,894 INFO [LmtpServer-823] [name=user1@domain1.com;mid=50;ip=192.168.2.29;] mailop - Adding Message: id=20068, \
    Message-ID=<8f80b24b897a40f2391c22d11272f5b3@domain2.com>, parentId=-1, folderId=4, folderName=Junk acct=a9397f11-5904-450a-a851-6dbd0ffcf77d.
    mailbox.log.2021-02-25:2021-02-25 11:19:27,917 INFO [LmtpServer-823] [name=user1@domain1.com;mid=50;ip=192.168.2.29;] mailbox - outofoffice not sent \
    (in spam) mid=20068 rcpt='user1@domain1.com'
    mailbox.log.2021-02-25:2021-02-25 11:58:06,451 INFO [ImapSSLServer-1667] [name=user1@domain1.com;mid=50;ip=192.168.2.29;oip=192.168.250.1;via=192.168.2.29(nginx/1.7.1);\
    ua=Zimbra/8.8.11_GA_3780;cid=41456;] mailop - Performing IMAP copy of Message (id=20068): copyId=20069, folderId=3, folderName=Trash, parentId=-20068.
    mailbox.log.2021-02-25:2021-02-25 11:58:09,043 INFO [ImapSSLServer-1663] [name=user1@domain1.com;mid=50;ip=192.168.2.29;oip=192.168.250.1;via=192.168.2.29(nginx/1.7.1);\
    ua=Zimbra/8.8.11_GA_3780;cid=41439;] mailop - Deleting Message (id=20068).
    mailbox.log.2021-03-02:2021-03-02 17:43:29,584 INFO [ImapSSLServer-2821] [name=user3@domain1.com;mid=93;ip=192.168.2.29;oip=192.168.250.1;via=192.168.2.29(nginx/1.7.1);\
    ua=Zimbra/8.8.11_GA_3780;cid=70847;] mailop - Performing IMAP copy of Message (id=20067): copyId=20068, folderId=4, folderName=Junk, parentId=-20067.
    From the above, notice that the email was copied to Trash with ID 20069 while the original message was deleted. The same ID 20068 also appears for another user, user3@domain1.com, which is perhaps not related to the current inquiry (date of 2nd March and a different username).
  4. Further, if required, we can search for ID 20069 to see what happened to the message in Trash:
    mailbox.log.2021-02-25:2021-02-25 11:58:06,451 INFO [ImapSSLServer-1667] [name=user1@domain1.com;mid=50;ip=192.168.2.29;oip=192.168.250.1;via=192.168.2.29(nginx/1.7.1);\
    ua=Zimbra/8.8.11_GA_3780;cid=41456;] mailop - Performing IMAP copy of Message (id=20068): copyId=20069, folderId=3, folderName=Trash, parentId=-20068.
    mailbox.log.2021-02-25:2021-02-25 11:58:16,775 INFO [ImapSSLServer-1668] [name=user1@domain1.com;mid=50;ip=192.168.2.29;oip=192.168.250.1;via=192.168.2.29(nginx/1.7.1);\
    ua=Zimbra/8.8.11_GA_3780;cid=41439;] mailop - Deleting Message (id=20069).
    mailbox.log.2021-03-03:2021-03-03 10:42:50,181 INFO [LmtpServer-1276] [name=user3@domain1.com;mid=93;ip=192.168.2.29;] mailop - Adding Message: id=20069, \
    Message-ID=<86014401372466424@domain4.com>, parentId=-1, folderId=2, folderName=Inbox acct=6abc5394-594a-4acf-b3d9-4eaaad8958db.
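
The four steps above can be scripted. The following Python function is an added example, not part of the original notes: it follows a Message-ID through mailbox.log entries and any IMAP copies of it, matching ids per account so that the same number in another user's mailbox (user3 above) is not mixed into the trace. The function name and the sample lines are constructed for illustration, and it assumes entries are passed in chronological order, one per line.

```python
import re

# mailbox.log layout: <date> <time> <LEVEL> [thread] [k=v;...;] <category> - <message>
LINE_RE = re.compile(r"^(\S+ \S+) +\w+ +\[[^\]]*\] \[([^\]]*)\] (\w+) - (.*)$")
ADD_RE = re.compile(r"Adding Message: id=(\d+), Message-ID=<([^>]+)>")
COPY_RE = re.compile(r"\(id=(\d+)\): copyId=(\d+)")
ANY_ID_RE = re.compile(r"\b(?:id|mid|copyId)=(\d+)")

def trace_message(lines, message_id):
    """Return [(timestamp, account, text)] for a Message-ID and its copies.
    Ids are matched per account and only in the message text, so the mailbox
    id (mid= in the context block) and equal item ids in other mailboxes are
    ignored. Lines must be in chronological order."""
    tracked, events = set(), []          # tracked holds (account, item id)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ctx, _category, text = m.groups()
        fields = dict(kv.split("=", 1) for kv in ctx.split(";") if "=" in kv)
        account = fields.get("name")
        added = ADD_RE.search(text)
        if added and added.group(2) == message_id:
            tracked.add((account, added.group(1)))        # steps 2 and 3
        if not any((account, i) in tracked for i in ANY_ID_RE.findall(text)):
            continue
        copied = COPY_RE.search(text)
        if copied and (account, copied.group(1)) in tracked:
            tracked.add((account, copied.group(2)))       # step 4: follow the copy
        events.append((ts, account, text))
    return events

# Constructed sample, modelled on the excerpts above (one log entry per line).
MSGID = "8f80b24b897a40f2391c22d11272f5b3@domain2.com"
U1 = "[name=user1@domain1.com;mid=50;ip=192.168.2.29;]"
U3 = "[name=user3@domain1.com;mid=93;ip=192.168.2.29;]"
SAMPLE = [
    f"2021-02-25 11:19:27,894 INFO [LmtpServer-823] {U1} mailop - Adding Message: id=20068, Message-ID=<{MSGID}>, parentId=-1, folderId=4, folderName=Junk",
    f"2021-02-25 11:19:27,917 INFO [LmtpServer-823] {U1} mailbox - outofoffice not sent (in spam) mid=20068 rcpt='user1@domain1.com'",
    f"2021-02-25 11:58:06,451 INFO [ImapSSLServer-1667] {U1} mailop - Performing IMAP copy of Message (id=20068): copyId=20069, folderId=3, folderName=Trash, parentId=-20068.",
    f"2021-02-25 11:58:09,043 INFO [ImapSSLServer-1663] {U1} mailop - Deleting Message (id=20068).",
    f"2021-02-25 11:58:16,775 INFO [ImapSSLServer-1668] {U1} mailop - Deleting Message (id=20069).",
    f"2021-03-02 17:43:29,584 INFO [ImapSSLServer-2821] {U3} mailop - Performing IMAP copy of Message (id=20067): copyId=20068, folderId=4, folderName=Junk, parentId=-20067.",
    f"2021-03-03 10:42:50,181 INFO [LmtpServer-1276] {U3} mailop - Adding Message: id=20069, Message-ID=<86014401372466424@domain4.com>, parentId=-1, folderId=2, folderName=Inbox",
]

if __name__ == "__main__":
    for event in trace_message(SAMPLE, MSGID):
        print(*event)
```

To run it against real logs, pass the lines of the mailbox.log files for the relevant dates, oldest first, with any grep filename prefix removed.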


