Hey guys!

So after the new update (2025-03a) I had some database issues and needed to reset the whole mail server.
I mainly used one inbox with about 300 mails.

Is there any way (I’ve got a snapshot of the broken server) to backup/recover these emails somehow?

If so: how and with what?
There are recover options for SOGo and deleted inboxes, but they aren’t deleted so they wouldn’t be there tho.

Please help! 🙂

(I’ve learned from my lesson and backup now..)

  • DocFraggle replied to this.
  • Jonuji You would need to decrypt all files in your old vmail directory of the snapshot using the old private key, then reencrypt them with the new private key and move them to your new vmail directory.

    See https://docs.mailcow.email/manual-guides/Dovecot/u_e-dovecot-mail-crypt/

    As the above examples are done inside the dovecot container you would need to do the decryption from the snapshot host system, so install dovecot to be able to use doveadm, and alter the path for “public_key_path” and “private_key_path” (located at /var/lib/docker/volumes/mailcowdockerized_crypt-vol-1/_data/) and the search base to “/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data”

    So decrypting on the broken host system should look like

    cd /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data

    # Mail files carry S=<size> and W=<vsize> in their names; only those are candidates
    find /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/ -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
      # Encrypted files start with the 7-byte magic "CRYPTED"
      if [[ $(head -c7 "$file") == "CRYPTED" ]]; then
        doveadm fs get compress lz4:1:crypt:private_key_path=/var/lib/docker/volumes/mailcowdockerized_crypt-vol-1/_data/ecprivkey.pem:public_key_path=/var/lib/docker/volumes/mailcowdockerized_crypt-vol-1/_data/ecpubkey.pem:posix:prefix=/ \
          "$file" > "/tmp/$(basename "$file")"
        # Replace the original only if decryption produced output
        if [[ -s "/tmp/$(basename "$file")" ]]; then
          chmod 600 "/tmp/$(basename "$file")"
          chown 5000:5000 "/tmp/$(basename "$file")"
          mv "/tmp/$(basename "$file")" "$file"
        else
          rm "/tmp/$(basename "$file")"
        fi
      fi
    done

    No guarantees though


      DocFraggle Thank you really much! The decrypting worked.

      Just wanted to ask: If I want to encrypt it again: which steps are there?
      Like: would I replace the new folder with the old or just update something? I really don’t know. I see the guide with how to encrypt it, but I’m not sure if I would do everything right?

      But thank you for your help until now!

        Jonuji I would try to replace it and run the encryption from within your dovecot container ONLY for the replaced mailbox directory. For example:

        cd /opt/mailcow-dockerized
        docker compose exec dovecot-mailcow /bin/bash
        
        # Encrypt only mail files (S=...W=... in the name) that are not already encrypted
        find /var/vmail/YOUR.DOMAIN/MAILBOX_NAME/ -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
          if [[ $(head -c7 "$file") != "CRYPTED" ]]; then
            doveadm fs put crypt private_key_path=/mail_crypt/ecprivkey.pem:public_key_path=/mail_crypt/ecpubkey.pem:posix:prefix=/ \
              "$file" "$file"
            chmod 600 "$file"
            chown 5000:5000 "$file"
          fi
        done

        So adjust the path for the find command to your replaced mailbox directory

          DocFraggle
          So now there is another error in the dovecot container, also after restarting and down/up:
          dovecot-mailcow-1 | Apr 7 12:22:29 f6317d05ceed dovecot: pop3-login: Disconnected: Disconnected: Too many bad commands (no auth attempts in 0 secs): user=<>, rip=199.45.155.110, lip=172.22.1.250

          My steps

          • Decrypting -> works directly and I can also manually read the content
          • Transfer to new instance with fresh mailcow
          • replaced mailbox “xxx” with the old “xxx” (not domain, it was a mailbox)
          • ran the docker dovecot with the commands and encrypted it
          • docker compose down/up

          Result: SOGo:

          An error occured while communicating with the mail server

          (and the error above)
          What I also did before that (Deleted: Created a snapshot beforehand and recovered):

          • Decrypting
          • Transfer
          • Encrypting with local dovecot
          • Moved 2 mailboxes (whole domain) to the /var/lib/docker/volumes/mailcowdockerized_crypt-vol-1/_data/ path (Important: Files were not replaced, just new were added)
          • docker compose down/up

          Result: no old mails are showing up in my inbox

          Edit: I tried to prove that it’s encrypted and yea it looks like I can’t read it with just printing it out like while decrypted.. so this shouldn’t be the problem tho

          Logging in to other mailboxes still works?

            DocFraggle I tried it right now and yea it did work perfectly fine mhh

            DocFraggle should I maybe not replace the mail inbox but just add the old files?

            But I probably tried this too and there the mailbox was working but not displaying the old mails idk

            Hmm, I just had a look, there are files in the maildir which are not encrypted, i.e. the dovecot-* files etc.
            I don’t know if somebody ever tested the command from the docs before…

            I suggest you move the unencrypted mailbox directory to the new mailcow and encrypt ONLY the mail files afterwards. It’s a little bit of a hassle, but maybe test it with the mailbox’ root inbox directory first. That would be the directory

            /var/vmail/YOUR.DOMAIN/MAILBOX_NAME/Maildir/cur

            If you then can login via SOGo and read at least the inbox files, that would be the solution
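
An added example, not part of the thread and not mailcow's own tooling: a read-only audit that sorts every file under a mailbox directory into encrypted mail, plaintext mail, and non-mail files such as dovecot-uidlist, using the same `S=`/`W=` name pattern and `CRYPTED` magic as the loops above. The function names and the sample mailbox are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify every file under a maildir before bulk decrypt/encrypt.
# States: crypted = mail file starting with the CRYPTED magic,
#         plain   = mail file without it,
#         other   = anything not named like a mail file (dovecot-uidlist, ...).

classify_maildir() {
  find "$1" -type f | while IFS= read -r file; do
    case "${file##*/}" in
      *S=*W=*)   # mirrors the thread's find -regex '.*S=.*W=.*', applied to the file name
        if [ "$(head -c7 "$file")" = "CRYPTED" ]; then
          printf 'crypted\t%s\n' "$file"
        else
          printf 'plain\t%s\n' "$file"
        fi ;;
      *) printf 'other\t%s\n' "$file" ;;
    esac
  done
}

# count_state DIR STATE -> number of files in that state
count_state() {
  classify_maildir "$1" | awk -F '\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# audit DIR -> one "state=count" line per state
audit() {
  for s in crypted plain other; do
    printf '%s=%s\n' "$s" "$(count_state "$1" "$s")"
  done
}

# Constructed sample mailbox (not real mail) so the script can be tried offline.
make_sample_maildir() {
  d=$(mktemp -d) && mkdir -p "$d/Maildir/cur" || return 1
  printf 'CRYPTED\003\007demo' > "$d/Maildir/cur/1700000000.M1P1.host,S=1234,W=1260:2,S"
  printf 'Return-Path: <a@example.org>\n' > "$d/Maildir/cur/1700000001.M2P2.host,S=29,W=30:2,S"
  printf '3 V1700000000 N3\n' > "$d/Maildir/dovecot-uidlist"
  printf '%s\n' "$d"
}

# Usage: sh audit.sh /path/to/mailbox
if [ $# -gt 0 ]; then
  audit "$1"
fi
```

Run it on the decrypted copy before re-encrypting: `crypted` should be 0 there, because the decrypt loop leaves a file untouched when `doveadm` produces no output.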

              DocFraggle Yea so I tried it just with cur directories (also .Sent/cur …) and it still returns an error. Maybe I’ll try to not just import the mailbox but maybe the whole _data? (or somehow anything like that).

              I also can’t find any other method. Idk anymore :/

                Jonuji the whole _data

                If you try that you have to replace the ecpubkey.pem and ecprivkey.pem files in /var/lib/docker/volumes/mailcowdockerized_crypt-vol-1/_data/ with the files from your broken installation
