Mails are stored as per file bases in folder structured, each mail have own folder (just like your IMAP folders), each folder contains sub folder new (mails not mark as read) and cur (mails mark as read)
Yes those files (mails) are encrypted an compressed, but you can overcome this whit simple script. Then you can for example `grep -R “Subject:” to get subjects and find what you need.
For little more convenience search, you can modify your dovecot/extra.conf to log more file operation, but be advise this could be see as breach of your users privacy,…
plugin {
mail_log_events = delete undelete expunge save copy mailbox_create mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size from subject
mail_log_cached_only = no
}
this will flood your log whit additional messages like
Mar 14 12:28:00 4c474d245b01 dovecot: imap(redacted@redacted)<49461><ceBNJkZw9uGwPunr>: delete: box=Trash, uid=1139, msgid=<redacted@redacted, size=81651, from=redacted <redacted@redacted>, subject=Redacted
so you can identified when your users deleted file by subject, so you will know how far in your backup you need to go,…
Also I would advice to do decryption on cold backup not on production, just to be sure you do not mess up production.