Dovecot, imap, and mail.log

PortableTech · July 3, 2015, 7:05pm

Hey All,

This is more an annoyance than anything that really impacts the server. I have noticed that dovecot and imap spam the mail,log file pretty seriously. This is to the tune of about 3 entries per user per second. These are not failed logon attempts, but actual people either logged in through the web or via activsync.

I am not overly worried about it, but it seems a little crazy that this log file is reaching 300+ MB per week which honestly makes it a real pain to get anything useful out of. I am considering setting dovecot to log to a different file than mail.log to at least make it more useful, but I would love to better understand why there is so many entries for this process.

Here is an example of what I see, and this is just one user for one second.

Jun 29 13:45:51 mail dovecot: imap-login: Login: user=someuser@mydomain.com, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=25106, TLS, session=<ABcpqasZAQB/AAAB>
Jun 29 13:45:51 mail dovecot: imap(someuser@mydomain.com): Disconnected: Logged out in=15 out=409
Jun 29 13:45:51 mail dovecot: imap-login: Login: user=someuser@mydomain.com, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=25108, TLS, session=<mMwqqasZAwB/AAAB>
Jun 29 13:45:51 mail dovecot: imap(someuser@mydomain.com): Disconnected: Logged out in=15 out=409
Jun 29 13:45:51 mail dovecot: imap-login: Login: user=someuser@mydomain.com, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=25110, TLS, session=<6GIsqasZBQB/AAAB>
Jun 29 13:45:51 mail dovecot: imap(someuser@mydomain.com): Disconnected: Logged out in=15 out=409

Does anyone else have this same issue?

tkorves · July 4, 2015, 8:47pm

+1 from me … Would be great to have this a little bit less noisy.

JoshData · July 6, 2015, 8:40pm

What’s conneting to dovecot?

tkorves · July 6, 2015, 9:15pm

I’d guess these are clients using ZPush …

PortableTech · July 6, 2015, 9:36pm

I suspect it is zPush as well as I do not remember it being this bad initially when we only did webmail. That being said, I wil try and do some more testing to see if I can narrow it down.

JoshData · July 6, 2015, 10:23pm

Ah, right, so every request to ZPush triggers an IMAP login to check credentials. I don’t want to silence the logs, unless we can silence logins from 127.0.0.1 only, because they may be important for other reasons.

PortableTech · July 6, 2015, 10:37pm

I am not suggesting we silence the logs, but perhaps instead of having dovecot pass the logs through syslog to mail, we let dovecot just do it’s own logs into a different file. If you would like I will look into the best way to separate the logs out.