English
Chinese (Simplified)
French
German
Italian
Japanese
Russian
Spanish
Vietnamese
Imap user with deleting emails
-
I have an IMAP user where some emails are being expunged but the user says he did not delete them but about 4 seconds later in one example after being created in the user directory the log shows expunged so I believe him and think some process on one of his devices is doing it but I only get a partial transcript that has no ip address information for the process that is deleting it is there some way i can get some kind of debugging data that would help track this issue down, he has several devices. Thanks
Partial Transcript user names and domains changed
Mon 2023-11-06 09:31:17.841: LOCAL message: pd5001050732965.msg
Mon 2023-11-06 09:31:17.841: * From: "Some User" <Someuser@somedomain.com>
Mon 2023-11-06 09:31:17.841: * To: <Someuser@somedomain.com>, <Someuser@somedomain.com>
Mon 2023-11-06 09:31:17.841: * Subject: Statement.xlsx
Mon 2023-11-06 09:31:17.841: * Message-ID: <026501da10d7$057b7140$107253c0$@somedomain.com>
Mon 2023-11-06 09:31:17.841: * Size: 46170; <c:\mdaemon\users\somedomain.com\someuser\md5001002493230.msg>Mon 2023-11-06 09:31:21.934: <-- uhrd UID EXPUNGE 295229
Mon 2023-11-06 09:31:21.934: * Message md5001002493230.msg deleted
Mon 2023-11-06 09:31:21.936: Sending EXPUNGE response (not logged)...
-
Arron Staff
Make sure you are logging detailed mail sessions. Setup / Server Settings / Logging / Log Mode
You'll also want to Log an ID string in mail sessions so you can easily find the entire session. You can find this by going to Setup / Server Settings / Logging / More Settings, check the box for "Log ID string in mail session log." In the log snippet below "[00015743]" is the ID that is added by this switch.
With this enabled you will see an additional ID logged that you can then search for to find the entire session. The very beginning of the session will show you the IP and what user the session is authenticated as. Keep in mind, some IMAP clients keep sessions active for days, so you may still have to look through logs from previous days to find the beginning of the session.
In order for a message to be expunged, it must first be marked for deletion. The EXPUNGE command might just be occurring because a client is set to automatically expunge mail that is marked for deletion. You'll probably want to find how the message is getting marked for deletion in the first place. A message being marked for deletion will look something like this:
Mon 2023-11-06 15:38:41.009: [00015743] <-- A43 UID STORE 2207 +FLAGS.SILENT (\Deleted)
-
Thanks Arron for the help it's appreciated as ususal.
