missing emails

Liutauras Adomaitis adomaitis at kolabsystems.com
Fri Sep 8 10:34:27 CEST 2017


On 2017 m. rugsėjo 8 d., penktadienis 11:18:04 EEST Sruli Saurymper wrote:
> On 07/09/17 06:26, Liutauras Adomaitis wrote:
> > On 2017 m. rugsėjo 3 d., sekmadienis 16:39:59 EEST Sruli Saurymper wrote:
> >> On 03/09/17 13:41, hede wrote:
> >>> Am Sun, 3 Sep 2017 10:40:03 +0100 schrieb Sruli Saurymper
> > 
> > <sruli at saurymper.com>:
> >>>>>> I have looked at their email client (thunderbird) and roundcube and
> >>>>>> the
> >>>>>> email is not there, however when I checked the server
> >>>>>> (/var/spool/imap/domain/d/domain.com/n/user/name/) the email is
> >>>>>> clearly
> >>>>>> there.
> >>> 
> >>> You could check it via telnet / openssl s_client.
> >>> 
> >>> Search the web for how to do so. For example:
> >>> openssl s_client -crlf -connect imapserver.example.com:993
> >>> A login imapuser imappassword
> >>> B select INBOX
> >>> C UID SEARCH FROM "somebody"
> >>> 
> >>>  -> check if your mail is found
> >>> 
> >>> D fetch 123 rfc822.header
> >>> 
> >>>  -> if it's mail #123, then check if it's readable
> >>> 
> >>> E logout
> >>> 
> >>> 
> >>> Maybe it's marked as deleted (for examble by a spam filter like
> >>> mailwasher) so thunderbird and roundcube won't show it. Or the cyrus-,
> >>> thunderbird- and/or roundcube databases are corrupted - there are a ways
> >>> to fix this. (
> >>> 
> >>>  thunderbird: rebuild imap tree by rebuilding the global database.
> >>>  cyrus: "su - cyrus; /usr/lib/cyrus-imapd/reconstruct -r
> >>>  user/[username at domain.tld]">
> >>> 
> >>> )
> >>> 
> >>> I'm just guessing - I don't have any real clue...
> >> 
> >> Couldn't fetch any headers but the search found 6 emails, I have 6 in
> >> the Inbox, so it did not find the one in question.
> >> How can I check if a email has DELETED flag?
> > 
> > You can use:
> > /usr/lib/cyrus-imapd/cyrdump <mailbox> | less
> > command to dump mailbox. That should also have a list of messages with
> > deleted flag.
> > /usr/lib/cyrus-imapd/unexpunge -l <mailbox>
> > command should show the list of email which are expunged from the mailbox,
> > but still available for recovery. Unlike as with /deleted flag, the
> > recovery of expunged emails can be done by Cyrus IMAP addministrator from
> > console only. Messages expunged from mailbox are not accessible for user
> > via IMAP in any way.
> > 
> > Liutauras
> 
> Thanks, /usr/lib/cyrus-imapd/unexpunge -l <mailbox> did show that they
> are expunged.
> However you wrote that expunged email are only recoverable by console, I
> wonder how the MailWasher application can read it.
> Most importantly how / where can I see in the logs the full trail of how
> / who deleted / expunged the email?
> 
> Many thanks
> Sruli
> 
> > _______________________________________________
> > users mailing list
> > users at lists.kolab.org
> > https://lists.kolab.org/mailman/listinfo/users

Finding information who deleted the email maybe tricky if at all possible.
In /var/log/maillog (on CentOS) you should be looking for lines containing 
"Expunge" string. Try to match the mailbox the email was expunge from and the 
information which get about expunged email with command /usr/lib/cyrus-imapd/
unexpunge (Expg date for example).
If you find the match you should be able to trace back Cyrus IMAP session and 
it should contain some information about from which IP, what user created the 
session during which the email was expunged. Also you have to have in mind 
that if mail filters are running on client side, move message to other folder 
on client side will look like message expunge. 

I don't know what is "MailWasher".

Liutauras
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.kolab.org/pipermail/users/attachments/20170908/282ad99c/attachment.sig>


More information about the users mailing list