Warden has a comprehensive set of reports to track SMTP auth logins and POP3/IMAP logins. Admins can find them under the Reports tab. These reports can also be added to the Warden dashboard so you will always have them handy.
Important: These reports use the systemd-journal as their data source so the journal must not have errors and be functioning properly. See here for more information.
- To track which email accounts are authenticating successfully and sending mail use the SMTP Auth - Success - User or SMTP Auth - Success - User Client Addr reports.
- To track which email accounts are authenticating successfully using POP3/IMAP checking their mail use the POP3/IMAP - Success - User or POP3/IMAP - Success - User Client Addr reports.
- To track which email accounts are being targeted with SMTP auth brute force attacks use the SMTP Auth - Failure - User or SMTP Auth - Failure - UserClient Addr reports.
- To track which email accounts are being targeted with POP3/IMAP brute force attacks use the POP3/IMAP - Failure - User or POP3/IMAP - Failure - User Client Addr reports.