  #1 (permalink)  
Old 10-31-2010, 10:26 AM
Senior Member
 
Posts: 51
Default [SOLVED] Restore mailbox after attack

Minutes ago someone from Nigeria gained access to two of our employees' accounts. It seems these mailboxes had weak passwords. The attacker used these accounts to send spam but he deleted the entire Sent folder from one of them.

I have a daily backup but I don't want to restore all the /opt/zimbra directory but only the damaged mailbox.

I hope you can help me,

Thanks in advance,

Pancho
  #2 (permalink)  
Old 10-31-2010, 10:33 AM
Zimbra Consultant & Moderator
 
Posts: 20,313
Default

You can either restore your backup to a new server then extract the mailbox from that or find the mailbox on the HD then restore the items you require with zmlmtpinject. Obviously you need to enforce strong passwords for all your users.
__________________
Regards


Bill
  #3 (permalink)  
Old 10-31-2010, 10:38 AM
Senior Member
 
Posts: 51
Default

Thanks Bill!

I have a backup on the same server (other disk) and another in a remote network disk.

The one I have in the same server is a copy of the /opt/zimbra directory but I don't know how to match the user with its zimbra id.

How can I tell which folder under /opt/zimbra/store I should restore?

Pancho
  #4 (permalink)  
Old 10-31-2010, 10:54 AM
Zimbra Consultant & Moderator
 
Posts: 20,313
Default

Ajcody-User-Management-Topics - Zimbra :: Wiki
Account mailbox database structure - Zimbra :: Wiki
__________________
Regards


Bill
  #5 (permalink)  
Old 10-31-2010, 11:47 AM
Senior Member
 
Posts: 51
Default

Bill, as you suggested I did use zmlmtpinject. I'm not very sure if the results were optimum but it worked. Once I knew where to find the user's mailbox I ran this command:

/opt/zimbra/bin/zmlmtpinject -s dpiccolo /home/administrador/zimbra/20101031/store/0/59/msg/0/* -r dpiccolo@unitan.net

It copied more than 600 messages to the inbox. Then I searched for the ones sent by Piccolo and moved them to the Sent folder. Mails lost their original date and time but it could be worse.

Do you think I can improve the restore process?

Thanks once again,

Pancho
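The manual step described in the post above (finding the messages sent by the account among the restored mail) can be done on the backup files before anything is injected. This is an added example, not part of the original thread or of Zimbra's tooling: `triage_blobs` and the sample messages are constructed here, and it assumes the backed-up blobs are uncompressed RFC 5322 files named `*.msg`, as in the `store/0/59/msg/0/` path above.

```python
import email.utils
import tempfile
from email.parser import BytesParser
from pathlib import Path

# Constructed sample blobs; names mimic the <item>-<rev>.msg files in a store directory.
SAMPLE_BLOBS = {
    "257-1.msg": b"From: User <user@example.com>\r\nTo: a@example.org\r\n"
                 b"Date: Fri, 29 Oct 2010 09:15:00 -0300\r\n\r\nsent later\r\n",
    "258-2.msg": b"From: Partner <a@example.org>\r\nTo: user@example.com\r\n"
                 b"Date: Thu, 28 Oct 2010 18:02:11 +0000\r\n\r\nreceived\r\n",
    "259-3.msg": b"From: USER@EXAMPLE.COM\r\nTo: b@example.org\r\n"
                 b"Date: Wed, 27 Oct 2010 08:00:00 -0300\r\n\r\nsent earlier\r\n",
    "260-4.msg": b"not an RFC 5322 message at all",
}

def triage_blobs(msg_dir, account):
    """Sort backed-up blobs into sent/received by From header, oldest first."""
    account = account.lower()
    result = {"sent": [], "received": [], "unparsed": []}
    for path in sorted(Path(msg_dir).glob("*.msg")):
        with open(path, "rb") as fh:
            msg = BytesParser().parse(fh, headersonly=True)  # bodies are not needed
        sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
        if not sender:
            result["unparsed"].append(path.name)  # review by hand before restoring
            continue
        parsed = email.utils.parsedate_tz(str(msg.get("Date", "")))
        epoch = email.utils.mktime_tz(parsed) if parsed else None
        bucket = "sent" if sender == account else "received"
        result[bucket].append((epoch, path.name))
    for bucket in ("sent", "received"):
        # Undated messages go last; epoch is the original Date the injected copies lost.
        result[bucket].sort(key=lambda item: (item[0] is None, item[0] or 0))
    return result

def demo():
    """Write the constructed samples to a temp directory and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, raw in SAMPLE_BLOBS.items():
            (Path(tmp) / name).write_bytes(raw)
        return triage_blobs(tmp, "user@example.com")

if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```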
  #6 (permalink)  
Old 10-31-2010, 12:36 PM
Senior Member
 
Posts: 51
Default

Bill, your suggestion worked really well but I wanted to try mounting my backup directory over the /opt/zimbra and export all messages from webui.

I did it using

/etc/init.d/zimbra stop
mount --bind /home/administrador/zimbra/20101031 /opt/zimbra
/etc/init.d/zimbra start


Then I exported all and unmounted the directory

umount /home/administrador/zimbra/20101031

And started Zimbra again from its original path

/etc/init.d/zimbra start

Now I'm going to restore from webui and see what happens

Pancho
  #7 (permalink)  
Old 10-31-2010, 03:35 PM
Senior Member
 
Posts: 51
Default

Well, this method, although slower, worked better since the messages' date and time were preserved.

Using rsync to copy the entire /opt/zimbra dir really works. I think the secret is running it once while Zimbra is running, stop Zimbra, run it again and start Zimbra. This way you only stop the server for a few minutes.

It will be ideal to have a fully working backup server so the production server does not have to be stopped to mount the backup dir.

Thanks a lot,

Pancho