Thousands of same mail from inside, again and again

Hello,

On a mail server (NethServer 7.9) an email is always delivered (thousands of times). The email is in the JUNK folder of a mailbox, which is linked in 4 places via IMAP.
As Outlook is used as the mail client, the folder’s subscription cannot be switched off. Now we have the effect that the email is copied to the JUNK folder in blocks of hundreds with every synchronization (restart and later via timer).

We have tried the following countermeasures:

  • At first we thought the email came from outside, which is why the email is now on the local blacklist. But that doesn’t seem to be the case, because the filters aren’t working.
    If I send the email with a fake sender from outside, it is recognized and not delivered. So the emails come from “inside”.

  • Deleted all JUNK emails from all 4 subscribers using Thunderbird and Outlook. That looks good for the moment, but after 30 minutes there are 10,000 emails in the junk folder again.

  • Searched the subfolder vmail/mymail@mydomain.xxx with grep on the console and deleted all emails found from the mailbox folders. Yesterday evening, the search for the email on the console level no longer produced any hits on the entire machine; this morning there are 30,000 emails in the JUNK folder again.

  • Dovecot expunge doesn’t work either, as there is probably a bug there at the moment. I get an error message anyway.

The problem is that the mailbox has 120 subfolders and over 60,000 emails in the folders. The customer is quite inflexible when it comes to turning something off or something.

Does anyone have any advice?

  • analyze e-mail message headers
  • change sender’s account password
  • check mail logs and identify where mail is coming from
  • analyze computers for malware/virus… infections
  • check server is not an open mail relay
https://support.microsoft.com/en-us/office/choose-which-imap-account-folders-appear-in-outlook-32103602-a568-4499-9d25-54fe236aee6a

1 Like

Hello,

thanks for your suggestions.

  • Header: the mail came from outside on August 22nd, 2024. All mails are exactly the same, i.e. they always have the same header.

  • Logs: The mail log does not document any movement of the mail, i.e. the sender cannot be found in the logs, except on August 22nd.

  • Password: I changed the password of the mailbox.

I think the mails come from the mail server itself.

I searched the entire /var/lib/nethserver/vmail/ directory with grep. Surprisingly, there are mails in the /var/lib/nethserver/vmail/mail@domain.xxx/Maildir/cur directory with the sender address.
I don’t know the meaning of the directory, but the /cur directory, just like /tmp and /new, can be found in every subdirectory.

The directories cannot be seen within the structure of the mailbox in Outlook.

If I delete the files or emails from the directory /var/lib/nethserver/vmail/mail@domain.xxx/Maildir/cur, they are back after 20 minutes. Could it be that the files are generated from a database?

For your information: Webtop is also installed on the system. Could there be a ping-pong effect here?

Close mail clients

systemctl restart dovecot  # or doveadm restart

# Replace "Junk" with whatever the mailbox folder name is, and <username> with the problematic account
# "mailbox status" takes the status fields first and the mailbox name last
doveadm mailbox status -u <username> messages Junk
doveadm expunge -u <username> mailbox Junk
# or: doveadm expunge -u <username> mailbox Junk subject "Repeating Message"

# repeat for each one of the mailbox folders you deleted messages from by non-standard ways
# "index" takes the mailbox name directly, without a "mailbox" keyword
doveadm index -u <username> Junk

doveadm mailbox status -u <username> messages Junk

Open and re-sync mail clients one at a time, checking for the presence of the offending message after each sync.

doveadm search -u <username> mailbox Junk subject "Repeating Message"
2 Likes
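An added example, not part of any post in this thread: a read-only script that shows when each copy of a repeated message was written into the Maildir tree, so that bursts can be compared with the times individual IMAP clients synchronize. It assumes Dovecot's Maildir file naming, in which the file name starts with the epoch second at which the file was created; the function names and the sample data are hypothetical and constructed for the demonstration.

```python
import os, re, sys, tempfile
from collections import Counter
from datetime import datetime, timezone
from email.parser import BytesHeaderParser

# Assumption: Dovecot Maildir file names start with "<epoch seconds>.<unique>.<hostname>".
NAME_RE = re.compile(r"^(\d+)\.[^.]+\.")

def scan(root, bucket=600):
    """Count files per (Message-ID, folder, creation-time bucket) in a Maildir tree."""
    hits = Counter()
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) not in ("cur", "new"):
            continue
        folder = os.path.relpath(os.path.dirname(dirpath), root)  # "." is INBOX
        for name in files:
            m = NAME_RE.match(name)
            if not m:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                msgid = str(BytesHeaderParser().parse(fh).get("Message-ID") or "").strip()
            hits[(msgid, folder, int(m.group(1)) // bucket * bucket)] += 1
    return hits

def bursts(hits, min_copies=2):
    """Rows (Message-ID, folder, UTC bucket start, copies) for IDs stored more than once."""
    totals = Counter()
    for (msgid, _folder, _ts), n in hits.items():
        totals[msgid] += n
    rows = [(mid, folder, datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M"), n)
            for (mid, folder, ts), n in hits.items() if mid and totals[mid] >= min_copies]
    return sorted(rows, key=lambda r: (r[0], r[2], r[1]))

def build_sample(root):
    """Constructed sample: one message stored 3 times in .Junk, one normal INBOX mail."""
    specs = [(".Junk", 1724313600 + i, "<repeat@example.invalid>") for i in range(3)]
    specs.append(("", 1724313700, "<single@example.invalid>"))
    for i, (folder, ts, msgid) in enumerate(specs):
        d = os.path.join(root, folder, "cur")
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, f"{ts}.M{i}P1.mail.example,S=60:2,S"), "wb") as fh:
            fh.write(f"Message-ID: {msgid}\r\nSubject: test\r\n\r\nbody\r\n".encode())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else tmp
        if root == tmp:
            build_sample(tmp)  # no path given: run on the constructed sample
        for row in bursts(scan(root)):
            print(*row, sep="\t")
```

Run it with the account's Maildir path as the only argument; each output row is a 10-minute window, and windows that fill up shortly after one particular client starts or syncs point at that client as the source of the copies.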

OK, I will do this over the next week and give you feedback.

Thanks for now.

Next results, but unfortunately no luck.

Yesterday I changed the password for the user, then I stopped the SOGo service and stopped the Tomcat service to disable all internal mail clients. Then I went to all users’ Outlooks and deleted all mails from the junk folder. Then I searched the entire /var/lib/nethserver/vmail directory for the mail with grep -r "the_junkmail" ./ and had no matches. After 2 hours, same thing, no matches. Then I started the Tomcat service again. After that, no matches. Then today I changed the password in a work mail client.

Now, 1 day later, the mails are back. Not so many, only 1000, but they are there. I checked the log files - still there is nothing in the mail log in /var/log/.

Is it possible to enable logging for Dovecot in NethServer to see who is connecting to the mail server? Can I change the dovecot.conf file, or does this make no sense because it’s rewritten next time?