forensic question
Andrew Morgan
morgan at orst.edu
Wed May 30 11:57:56 EDT 2007
On Tue, 29 May 2007, Tim Cline wrote:
> Greetings,
>
> I'm working on a case that involves an examination of an individual's inbox.
> I have a tarred and zipped file of the inbox, which I'm able to uncompress.
> But I would then like to read the mail in its native format (by using an
> email client, and pointing the client to the uncompressed files as local
> mail). Is this possible, given that we run a Cyrus imap server? Here are some
> details about the server:
>
> Type: IMAP4rev1
> Greeting: * OK mailserv0 Cyrus IMAP4 v1.6.13 server ready
> Capability: IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
> X-NON-HIERARCHICAL-RENAME NO_ATOMIC_RENAME AUTH=PLAIN AUTH=KERBEROS_V4
> UNSELECT
Wow, that's an old version of Cyrus! :)
You could handle it the way we handle restores of mailboxes here.
1. Create a folder inside someone's mailbox (yours?)
2. Untar the files there
3. Delete the cyrus.* files
4. Create a dummy cyrus.header file (touch cyrus.header; chown cyrus:mail
cyrus.header; chmod 600 cyrus.header)
5. Run reconstruct on the mailbox (su cyrus -c 'reconstruct -x -f
user.username')
6. Run quota on the mailbox (su cyrus -c 'quota -f user.username')
Andy
More information about the Info-cyrus
mailing list