  #1 (permalink)  
Old 12-11-2011, 10:24 PM
Intermediate Member
 
Posts: 15
Post Email Recovery.

Hi

One of my email user IDs has been compromised and all emails in the inbox were deleted. I don't have a backup mechanism in place, and the emails are not in the trash either, so I don't have any idea how to debug this issue. Can anybody help me recover the emails deleted by the hacker?

I have not enabled the dumpster folder, so I cannot recover them from there. Please help me out, somebody, as that mailbox belonged to senior management.

Regards,

Pradip Thite
  #2 (permalink)  
Old 12-11-2011, 10:54 PM
Zimbra Consultant & Moderator
 
Posts: 20,315
Default

Quote:
Originally Posted by pradip
One of my email user IDs has been compromised and all emails in the inbox were deleted. I don't have a backup mechanism in place, and the emails are not in the trash either, so I don't have any idea how to debug this issue. Can anybody help me recover the emails deleted by the hacker?
If the mail has been deleted from the Inbox and Trash folders then the mail is gone, it's not possible to recover it.

Quote:
Originally Posted by pradip
I have not enabled the dumpster folder, so I cannot recover them from there. Please help me out, somebody, as that mailbox belonged to senior management.
Then they should know better than to use an insecure password on their mailbox. You should implement strong password rules in Zimbra.
__________________
Regards


Bill
  #3 (permalink)  
Old 12-11-2011, 10:59 PM
Intermediate Member
 
Posts: 15
Default

Thanks Bill,

Will do that. Actually, I had the same problem mentioned by blueflametuna at the link below:
Accounts compromised - changed forwarding

2011-02-02 03:19:13,087 INFO [btpool0-9] [name=joeuser@mynetwork.com;mid=663;oip=41.155.56.214;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - BatchRequest
2011-02-02 03:19:13,088 INFO [btpool0-9] [name=joeuser@mynetwork.com;mid=663;oip=41.155.56.214;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) GetInfoRequest
2011-02-02 03:19:13,519 INFO [btpool0-9] [name=joeuser@mynetwork.com;mid=663;oip=41.155.56.214;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) SearchRequest

Is there any solution to avoid this in future or can we block that access from.
where I also got similar log of
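An added example, not part of the original thread: a small parser for Zimbra mailbox.log lines in the layout quoted in the post above, which lists per account the SOAP requests whose originating IP (oip) lies outside networks you trust. The account name, addresses and the trusted range 192.0.2.0/24 are constructed sample values and assumptions, not data from this incident.

```python
import ipaddress
import re
from collections import defaultdict

# Layout quoted in the post:
# timestamp LEVEL [thread] [key=value;key=value;] category - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+(?P<level>\w+)\s+"
    r"\[(?P<thread>[^\]]*)\]\s+\[(?P<ctx>[^\]]*)\]\s+(?P<cat>\S+) - (?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The bracketed context block is a ';'-separated list of key=value pairs.
    ctx = dict(p.split("=", 1) for p in rec.pop("ctx").split(";") if "=" in p)
    rec.update(ctx)
    return rec

def untrusted_access(lines, trusted_cidrs):
    """Map account -> {source IP -> sorted request names} for SOAP requests
    whose oip is outside every trusted network."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["cat"] != "soap" or "name" not in rec or "oip" not in rec:
            continue
        try:
            ip = ipaddress.ip_address(rec["oip"])
        except ValueError:
            continue  # unparsable address, e.g. split by line wrapping
        if not any(ip in n for n in nets):
            hits[rec["name"]][str(ip)].add(rec["msg"].replace("(batch) ", ""))
    return {a: {ip: sorted(r) for ip, r in ips.items()} for a, ips in hits.items()}

# Constructed sample lines (documentation address ranges); the last one
# imitates an address damaged by line wrapping and is skipped.
SAMPLE = [
    "2011-12-10 02:11:07,101 INFO [btpool0-9] [name=ceo@example.com;mid=12;oip=203.0.113.77;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - BatchRequest",
    "2011-12-10 02:11:07,102 INFO [btpool0-9] [name=ceo@example.com;mid=12;oip=203.0.113.77;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) GetInfoRequest",
    "2011-12-10 02:11:07,530 INFO [btpool0-9] [name=ceo@example.com;mid=12;oip=203.0.113.77;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) SearchRequest",
    "2011-12-10 09:02:44,310 INFO [btpool0-4] [name=ceo@example.com;mid=12;oip=192.0.2.15;ua=ZimbraWebClient - FF3.0 (Win);] soap - SearchRequest",
    "2011-12-10 09:03:00,000 INFO [btpool0-4] [name=ceo@example.com;mid=12;oip=203.0.113.2 14;ua=x;] soap - NoOpRequest",
]
if __name__ == "__main__":
    print(untrusted_access(SAMPLE, ["192.0.2.0/24"]))
```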
  #4 (permalink)  
Old 12-11-2011, 11:18 PM
Advanced Member
 
Posts: 214
Default

Hmm but honestly - no backup at all?

not even with the zdesktop backup function?
man.... omg

as phoenix already said no chance of getting it back
but really after having those issues you never made a backup? not even once ?

if you got an old backup you can temp restore it, export that inbox, restore the actual zimbra and restore the saved inbox so at least an old version is done

of course only if you got something
  #5 (permalink)  
Old 12-11-2011, 11:24 PM
Intermediate Member
 
Posts: 15
Default

Actually No,

I am a newbie in Zimbra so I have not tried any backup script available on the forum. Now I think I have to start using one so that I can restore mails.
Could you suggest any reliable source of backup script for FOSS? There are many scripts available on the forum but I am a little bit afraid to use one of them. Please suggest any reliable and easy script for BACKUP & RESTORE PER USER.
Very Important.

Thanks,
Pradip
  #6 (permalink)  
Old 12-11-2011, 11:42 PM
Zimbra Consultant & Moderator
 
Posts: 20,315
Default

Quote:
Originally Posted by pradip
Is there any solution to avoid this in future or can we block that access from.
If your users are allowed access from the internet then you should implement strong passwords; look at those settings in the Admin UI. If the 'attacks' are frequent and brute force then you could use something like fail2ban or similar solutions (assuming your server is on a public IP); search the forums and the internet for details.

Quote:
Originally Posted by pradip
I am a newbie in Zimbra so I have not tried any backup script available on the forum. Now I think I have to start using one so that I can restore mails.
Could you suggest any reliable source of backup script for FOSS? There are many scripts available on the forum but I am a little bit afraid to use one of them. Please suggest any reliable and easy script for BACKUP & RESTORE PER USER.
Very Important.
Any of the backup scripts in the forums should work, for single user backup/restore there are a couple of solutions in the forums, take a look at those and use them on a test server. When you're happy that you can backup/restore single user accounts to your requirements and you've documented how to use the backup then implement it on your live server. You have to make sure that you know exactly how the scripts work and you are confident that it will do what you need. Any scripts you use from the forums are community supported, if you really want an effective solution with support then Zimbra NE is the solution.

You might also consider setting up an archive facility in your environment where all inbound/outbound mail is sent to a second server for archiving purposes. There are details in the forums on how to do this with "always_bcc" and products such as MailArchiva.
__________________
Regards


Bill
  #7 (permalink)  
Old 12-11-2011, 11:50 PM
Intermediate Member
 
Posts: 15
Default

Thanks Bill for your help..

Pradip
  #8 (permalink)  
Old 12-12-2011, 12:45 AM
Advanced Member
 
Posts: 214
Default

About backup
NE backup is not bad but it lacks some features which are needed to have a reliable backup

most important, the ability to back up offsite (NFS or another mounted drive) - I mean you can do that but the problem is what happens if that connection drops during backup

of course you can do backup on the same machine and later rsync or use another backup software to sync it away - still not the backup solution we would need.


the community scripts have similar issues about reliability.
scripting is a fine thing but the more complicated it gets the more problematic it will be
none of the scripts have by default any kind of fallback or warning if for example storage on the offsite location is full or is missing because of no connection

those things among some others have to be taken into account. even if your backup box is 5 meters away from the zimbra device many things can happen (broken switch, full/damaged disk, changed firewall and so on)


so I recommend a real active client / server backup solution.
I do not recommend products here but there are a lot out there - if you got a tape backup server and wanna stick with open source software you can give bacula a shot


I personally use our online backup software for NE and OSS versions because it does exactly what's needed
it reconnects on fail for a time
it reports back every time, also in case of a fail
it encrypts and compresses before upload
and more important I can reduce downtime with several backups a day because of using one datapool and infile deltas


to make a real backup you need to shut down zimbra (OSS); the NE version can do without if you use the NE backup solution
so what I do is I make several hot backups (they are not useful but they upload most of the data) and one cold
that way I got a downtime of 3.5 minutes for a whole cold server backup even if I have 5 or 10 gig more data

also the steady reports are very important - with a filter in zimbra's inbox I see them only if it fails - if it's ok they are in archive


downside is they are not per user level backup -
so if I want to restore a single mailbox I've to restore the latest backup on a virtual host, start zimbra there, extract the mailbox by REST and upload it to the real zimbra server
but this works

I've also an NE server but I no longer use the backup there simply because I've to reduce the amount of data
double and triple backup make no sense just to restore one mailbox a month a bit easier...

of course it's always a thing about the amount of data we are talking about.


btw before you find your solution you can simply copy whole zimbra while running - then shut down - recopy and overwrite only different files - (or do that with rsync) just to have at least anything with minimum downtime
which you should do before any update of zimbra anyway