Re: Deletion events audit

Hi Ian,

On Wed, 27 Nov 2024, at 4:36 PM, Ian Willis wrote:
> From an audit perspective is it possible to identify who deletes an email?

If you have "auditlog: yes" in imapd.conf, then it's possible.

Look for lines in syslog containing "auditlog: touched" that have the mailbox/uid combination or guid of the message you're interested in, and which have the "DE" flag (\Deleted) in the sysflags field, but not in the oldflags field.  This will tell you when the \Deleted flag was added to that message.  Here's an example:

2024-11-29T09:42:21.900625+11:00 debian 2242210101/imap[1502197]: auditlog: touched sessionid=<2242210101-1732833741-1502197-2-7579318699797239627> mailbox=<user.cassandane.INBOX.foo> uniqueid=<e6d21814-495a-473b-9962-7c325ada7b2f> uid=<1> guid=<1f03c8a6dc994addf5eb22c9b9796e8c1c9118d0> cid=<NIL> modseq=<7> oldflags=<> sysflags=<DE|SE>


Once you find the line where the action you're interested in occurred, search for its sessionid to find what other actions that session performed.  The first one will be the login, telling you who it was.  Here, it was the user "cassandane":

2024-11-29T09:44:18.190167+11:00 debian 2244170101/imap[1502663]: login: localhost [127.0.0.1] cassandane plaintext User logged in SESSIONID=<2244170101-1732833858-1502663-2-1998118600021540285>

The same pattern is true generally: find the auditlog line where the interesting action occurred, then search on the sessionid to find whose session it was (and what else they did).  For example, you could search for "auditlog: expunge" to find out who EXPUNGEd it after it was flagged \Deleted.

Cheers,

ellie
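The procedure above (find the "auditlog: touched" line that adds the DE flag, then resolve its sessionid to a login line, then look for the matching "auditlog: expunge") can be scripted over a syslog extract. The following is an added example, not code from this thread or from the Cyrus project. The log lines it parses are constructed for illustration in the format shown in the message: the "touched" and "login" layouts are copied from the post, while the exact field order of the "expunge" line is assumed (the parser reads key=<value> pairs by name, so field order does not matter). Session ids are made up so that the lines link together.

```python
"""Who set \\Deleted on a message, and who EXPUNGEd it, from Cyrus auditlog
syslog lines.  Added example; SAMPLE_LOG below is constructed, not real logs."""
import re

# Constructed sample: session ...1111 logs in as "cassandane", flags uid 1
# \Deleted and expunges it; session ...2222 ("otheruser") *removes* \Deleted
# from uid 2, which must not be reported as a deletion.  Field order of the
# "expunge" line is an assumption.
SAMPLE_LOG = """\
2024-11-29T09:40:02.000000+11:00 debian 2241010101/imap[1502100]: login: localhost [127.0.0.1] cassandane plaintext User logged in SESSIONID=<2241010101-1732833602-1502100-2-1111111111111111111>
2024-11-29T09:40:30.000000+11:00 debian 2241020101/imap[1502101]: login: localhost [127.0.0.1] otheruser plaintext User logged in SESSIONID=<2241020101-1732833630-1502101-2-2222222222222222222>
2024-11-29T09:42:21.900625+11:00 debian 2241010101/imap[1502100]: auditlog: touched sessionid=<2241010101-1732833602-1502100-2-1111111111111111111> mailbox=<user.cassandane.INBOX.foo> uniqueid=<e6d21814-495a-473b-9962-7c325ada7b2f> uid=<1> guid=<1f03c8a6dc994addf5eb22c9b9796e8c1c9118d0> cid=<NIL> modseq=<7> oldflags=<> sysflags=<DE|SE>
2024-11-29T09:42:40.000000+11:00 debian 2241020101/imap[1502101]: auditlog: touched sessionid=<2241020101-1732833630-1502101-2-2222222222222222222> mailbox=<user.cassandane.INBOX.foo> uniqueid=<e6d21814-495a-473b-9962-7c325ada7b2f> uid=<2> guid=<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa> cid=<NIL> modseq=<8> oldflags=<DE|SE> sysflags=<SE>
2024-11-29T09:43:05.000000+11:00 debian 2241010101/imap[1502100]: auditlog: expunge sessionid=<2241010101-1732833602-1502100-2-1111111111111111111> mailbox=<user.cassandane.INBOX.foo> uniqueid=<e6d21814-495a-473b-9962-7c325ada7b2f> uid=<1> guid=<1f03c8a6dc994addf5eb22c9b9796e8c1c9118d0> cid=<NIL> modseq=<9>
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$')
AUDIT_RE = re.compile(r'^auditlog: (?P<action>\w+) (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=<([^>]*)>')          # key=<value> pairs
LOGIN_RE = re.compile(
    r'^login: (?P<rhost>\S+) \[(?P<ip>[^\]]*)\] (?P<user>\S+) (?P<mech>\S+) '
    r'User logged in SESSIONID=<(?P<sessionid>[^>]+)>$')


def parse(line):
    """Parse one syslog line into a dict; None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'host': m.group('host')}
    a = AUDIT_RE.match(m.group('msg'))
    if a:
        rec['event'] = a.group('action')            # touched, expunge, ...
        rec.update(FIELD_RE.findall(a.group('rest')))
        return rec
    l = LOGIN_RE.match(m.group('msg'))
    if l:
        rec['event'] = 'login'
        rec.update(l.groupdict())
        return rec
    return None


def parse_log(text):
    return [r for r in (parse(ln) for ln in text.splitlines()) if r]


def flags(value):
    """'DE|SE' -> {'DE', 'SE'}; '' -> empty set."""
    return {f for f in value.split('|') if f}


def session_users(records):
    """sessionid -> username, taken from the login lines."""
    return {r['sessionid']: r['user'] for r in records if r['event'] == 'login'}


def deletion_events(records, guid=None, mailbox=None, uid=None):
    """'touched' records where \\Deleted was ADDED: DE in sysflags, not in oldflags.
    A record with DE in oldflags but not sysflags is an undelete and is skipped."""
    out = []
    for r in records:
        if r.get('event') != 'touched':
            continue
        if guid and r.get('guid') != guid:
            continue
        if mailbox and r.get('mailbox') != mailbox:
            continue
        if uid is not None and r.get('uid') != str(uid):
            continue
        if 'DE' in flags(r.get('sysflags', '')) and 'DE' not in flags(r.get('oldflags', '')):
            out.append(r)
    return out


def session_actions(records, sessionid):
    """Everything a session did (login plus every auditlog line), in log order."""
    return [r for r in records if r.get('sessionid') == sessionid]


def who_deleted(text, guid):
    """[(timestamp, action, user, sessionid)] for the \\Deleted add and any
    expunge of the message with this guid.  If no login line is found for the
    session (e.g. it is in an older, rotated log), the user is reported as
    '<no login line>' and the sessionid is still returned for further grepping."""
    records = parse_log(text)
    users = session_users(records)
    hits = []
    for r in deletion_events(records, guid=guid):
        hits.append((r['ts'], 'touched', users.get(r['sessionid'], '<no login line>'), r['sessionid']))
    for r in records:
        if r.get('event') == 'expunge' and r.get('guid') == guid:
            hits.append((r['ts'], 'expunge', users.get(r['sessionid'], '<no login line>'), r['sessionid']))
    return hits


if __name__ == '__main__':
    for ts, action, user, sid in who_deleted(SAMPLE_LOG, '1f03c8a6dc994addf5eb22c9b9796e8c1c9118d0'):
        print(ts, action, 'by', user, 'session', sid)
```

Run it against an extract of your syslog (`grep -h -e 'auditlog:' -e 'login:' /var/log/mail.log*`) instead of SAMPLE_LOG; the login line for a session can sit in an earlier rotated file than the touched line, so feed the script the whole range. The test for "added" versus "removed" is the important one: a line with DE in oldflags but not in sysflags is the user un-deleting the message, not deleting it.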
