1 Topic by dipr

  • dipr
  • Member
  • Offline
  • Registered: 2024-12-20
  • Posts: 1

Topic: incomming mail deleted seconds after handover to dovecot

I am puzzled by a very strange behaviour of iRedMail yesterday.

There is a mail comming in and handed off to dovecot:

Dec 19 07:28:01 ctb postfix/pipe[1107101]: 4YDLFs2RJHz5FYk: to=<xxx@renner.to>, relay=dovecot, delay=0.16, delays=0.06/0.02/0/0.08, dsn=2.0.0, status=sent (delivered via dovecot service)


Dovecot gets said message at 7:28:01 in the morning, only to delete it 2 seconds later
via IMAP delete command, claimed to come from my account (and my PC):

Dec 19 07:28:03 ctb dovecot[1080]: imap(xxx@renner.to)<822046><3hilRogprOxQbMtl>: delete: box=INBOX, uid=11572, msgid= <DUZPR05MB11044CB443B321A4EF41A0E2E9E062@DUZPR05MB11044.eurprd05.prod.outloo..., size=417651, from=<xxx@pe-data.de>, subject=AW: Semaphor Datei, Mechanismus, flags=(\Deleted \Seen \Recent)
Dec 19 07:28:05 ctb dovecot[1080]: imap-login: Login: user=<xxx@renner.to>, method=PLAIN, rip=212.17.88.122, lip=164.68.111.104, mpid=1107154, TLS, TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits), session=<vzgHopkpDsPUEVh6>
Dec 19 07:28:06 ctb dovecot[1080]: imap(xxx@renner.to)<1107154><vzgHopkpDsPUEVh6>: Disconnected: Connection closed (UID FETCH finished 0.132 secs ago) in=290 out=425404 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=872 body_count=1 body_bytes=423116

I've never seen that message, customer alerted me to the contents and forwarded a copy to me.
That sender must long be greylisted, we mail a lot, hence defnitiely not "unknown".
His mails normally arrive as expected.

=> how can that message be deleted via IMAP right after receiving it,  almost automatically?

The weird part is, long after the chat with the customer I finally found the message in my
maildir as "cur/1734589681.M476230P1107102.ctb.renner.to,S=417651,W=423116:2,ST" ,
however it was still nowhere to be found when doing a server-side IMAP search using Thunderbird.
I tried   doveadm force-resync -u xxx@renner.to "*"    to no avail: finished almost instantly, Thunderbird search still doesn't find the message.
While greping around that file all of a sudden is gone from my server!

=> how come the message was still on disk long after that spurious IMAP Delete command ?
=> what cleanup process did physically remove the file ?


Win10:
Thunderbird 128.5.2esr (64-Bit)

Rocky Linux 9.5:
iredmail 1.6.8  MariaDB
dovecot 2.3.16
ngix 1.20.1

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,136

Re: incomming mail deleted seconds after handover to dovecot

Seems the message was flagged with a `\Deleted` flag.

"\Deleted" flag marks the message as "to be deleted" but not removed immediately, it will be actually removed when mail client issues the expunge command.

You have to check whether there's any imap client (e.g. MUA) or sieve rule which does this. iRedMail doesn't have such operation by default.