mail log - track possible password change / attack

stars

I have a problem with one of my client's mail accounts - the user complains every 2 days that his password was changed.

How can I track when, by whom (IP) and in what way (Roundcube, DirectAdmin) the password for that mail account was changed?

I track a lot of brute-force attacks on that mail account from China, but I doubt that the password was revealed in that way. I suspect that one of the client's local PCs is infected.

But to prove it I need to know when and how the password for the mail account was changed.
 
There was no trace of /CMD_CHANGE_EMAIL_PASSWORD in the DirectAdmin logs. The password change could have been made from Roundcube, but I don't see any logs of that.

Where are IMAP/POP authorisation logs kept? In maillog I see only the type of authorisation and the IP, but there is no information on whether the authorisation was positive or negative.
 
They should all be there in /var/log/maillog, depending on your logging level and other settings, which could be changed on your side.
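
One way to get the "positive or negative" answer per source IP out of the maillog, as an added example that is not part of the original thread. It assumes the IMAP/POP server is Dovecot with its usual login-log wording (the thread does not name the server, and the wording varies by version); the sample lines, mailbox names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumption: Dovecot-style login logging;
# addresses are documentation ranges, not data from the thread).
SAMPLE_MAILLOG = """\
Mar  3 02:11:07 host dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<user@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<aaa>
Mar  3 08:30:12 host dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=4242, TLS, session=<bbb>
Mar  3 08:31:40 host dovecot: pop3-login: Login: user=<other@example.com>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, mpid=4250, session=<ccc>
Mar  3 09:02:55 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<user@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<ddd>
"""

PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dovecot: (?:imap|pop3)-login: (?P<msg>.*)$"
)
USER_RE = re.compile(r"user=<([^>]*)>")
RIP_RE = re.compile(r"\brip=([0-9a-fA-F.:]+)")  # remote IP, not lip= (local IP)


def summarize(log_text, account):
    """Count successful and failed logins per remote IP for one mailbox."""
    stats = defaultdict(lambda: {"success": 0, "failure": 0, "last_seen": None})
    for line in log_text.splitlines():
        prefix = PREFIX_RE.match(line)
        if not prefix:
            continue
        msg = prefix["msg"]
        user, rip = USER_RE.search(msg), RIP_RE.search(msg)
        if not user or not rip or user[1].lower() != account.lower():
            continue
        if msg.startswith("Login:"):
            outcome = "success"
        elif "auth failed" in msg:
            outcome = "failure"
        else:
            continue  # disconnects without an auth attempt, etc.
        entry = stats[rip[1]]
        entry[outcome] += 1
        entry["last_seen"] = prefix["ts"]
    return dict(stats)


def successful_ips(stats):
    """Remote IPs with at least one accepted login: the ones worth reviewing."""
    return sorted(ip for ip, s in stats.items() if s["success"] > 0)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_MAILLOG, "user@example.com").items():
        print(ip, s)
```

To run it against a real log, pass the contents of /var/log/maillog to `summarize` instead of the sample; an address that appears in both the failure counts and `successful_ips` is the first place to look.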
 