Topic: How to move mail from one server to another (SME 6.01)

[mono]

Unfortunatly, our old 5.6 mailserver has been hacked.
I upgraded it to 6.01, but I cannot be 100% sure that it's reliable.
I've installed a new and "patched-up" 6.01 server and need to transfer old our old email to the new server.
What is the preferred way to do this?
Can I somehow "just copy" the email and where is it placed on the server.
Any "hands-on" advice is highly welcome!
TiA.
Terje

[kmccarn]

Well - we weren't coming from a SME - but were moving to a SME.

We used:

http://migrationtool.sourceforge.net/

Hope that helps.

[Brenno]

mono,  you can use rsync to move the data from your old server to your new one.  There are several how-to's here to show you the technique.

Just make sure you're running the same version of SME on both servers, as some of the directory structures change between releases and that can complicate things.

I had to upgrade my 5.6 machine to 6.0 in order to move it to a new 6.0 machine - sounds like you're on the right track so far.

Without posting specifics, what leads you to believe you've been hacked?  Do you keep your contribs and whatnot updated?

[mono]

Thanks to both for the suggestions!
I'm pretty sure we've been hacked and that someone is using the email server to send spam as I both get error messages for messages not delivered and is also being blacklisted, based on the IP adress
This server was up for replacement and I didn't update 5.6 lately, so now I've learned my lesson ...
Will try the rsync advice first and hopefully I'm lucky.
Best regards,
Terje

[Brenno]

Are you running on a dynamic external IP?  My server got blacklisted when my static high-speed went down and my dial-up failover kicked in.  This was because the IP I got on the dialup was dynamic, and many servers & ISPs blacklist dynamic IPs as a safeguard against spam and viruses.  This was fixed with a quick phone call to my ISP so I now get the same IP no matter what.

As for the errors about messages not delivered, don't discount the effects of spoofing.  I see maybe 25 - 35 rejections a day from users on my server.  If you look closely at the message headers, you can see that the mail didn't originate from your server.  It's more likely than not that someone's email address has been used to send spam/viruses.

[mono]

I'm sure that someone got control of the of our SME emailserver, as it is fixed IP and also I can/could see remote connections via i.e. Sme6admin.
Anyway, I'm still stuck on how to do this; where is the email actually located?
I'm now trying to run a Backup to workstation  of /var and hope to be able to restore that on the new server. Will this be any good?
If I do a total backup/restore, I fear that whatever was compromised in the old server will be so in the new one as well.
It's poved much harder backing up and restoring data from SME than I hoped for and further advice would be highly welcome.
Best regards,
Terje

[Brenno]

You can use the backup/restore feature built-in to the server-manager panel.  This backup would ideally be restored to a fresh install.  Fortunately, I've never had to do this myself so I can't speak to it's effectiveness.

You have an interesting point regarding backing up the compromise itself (similar to WindowsXP restore which, more often than not, restores old viruses!) Look into the rootkit hunter for SME which can apparently be useful in determining whether or not you've actually been compromised.  My server logs regularly show attempted connections - these are common exploits attempted by viruses and script kiddies.  Have faith that your box is secure until it's shown otherwise

How many users and approx. how much data do you have on your server? I'm pondering the feasibility, worst case scenario, of rebuilding the server manually.

[mono]

Thanks for the efforts and help!
I've enclosed a copy of open ports when the server I believe is compromised is attached to the internet (via a Linksys router, for now).
I'm not sure about which ports the SME uses for mail, but it seems to me that this is "proof" that there's some kind of unwanted activity going on.
I'm not an expert, so advise here is highly appreciated, once again.
I've used E-smith/SME since 4.1 (or thereabout), but never had any problems. I've installed on a lot of machines and sometimes had to do complete restore for various reasons, but am now very in doubt if it is wise, or any use at all to restore to a "fresh" machine if the "old" machine in fact is compromised.
I only have 10 users, but approx. 8GB worth of email that I really want to transfer somehow, but don't know how to procede ...
Terje


Active tcp connections tcp with external(blue)/local(green) connections highlighted


Local IP:port Foreign IP:port State
192.168.1.195:www 192.168.1.106:3408 ESTABLISHED
192.168.1.195:www 192.168.1.106:3407 TIME_WAIT
192.168.1.195:60091 64.68.123.249:smtp ESTABLISHED
192.168.1.195:60089 64.68.123.249:smtp ESTABLISHED
192.168.1.195:60088 64.68.123.249:smtp ESTABLISHED
192.168.1.195:60086 64.68.123.249:smtp ESTABLISHED
192.168.1.195:60085 64.68.123.249:smtp ESTABLISHED
192.168.1.195:60084 64.68.123.249:smtp ESTABLISHED
192.168.1.195:60083 64.68.123.249:smtp ESTABLISHED
192.168.1.195:60082 64.68.123.249:smtp ESTABLISHED
192.168.1.195:60081 64.68.123.249:smtp ESTABLISHED
192.168.1.195:60080 64.68.123.249:smtp ESTABLISHED
192.168.1.195:60079 64.68.123.249:smtp ESTABLISHED
192.168.1.195:60078 64.68.123.249:smtp ESTABLISHED
192.168.1.195:59802 47.129.25.87:smtp LAST_ACK
192.168.1.195:59803 47.129.25.87:smtp LAST_ACK
192.168.1.195:59801 47.129.25.87:smtp LAST_ACK
192.168.1.195:59790 47.129.25.87:smtp CLOSING
192.168.1.195:60039 64.157.4.78:smtp ESTABLISHED
192.168.1.195:60076 64.157.4.78:smtp FIN_WAIT2
192.168.1.195:60069 64.157.4.78:smtp ESTABLISHED
127.0.0.1:http-admin 127.0.0.1:60090 ESTABLISHED
192.168.1.195:58022 193.17.41.44:smtp ESTABLISHED
192.168.1.195:58074 193.17.41.44:smtp ESTABLISHED
192.168.1.195:60017 210.80.199.74:smtp ESTABLISHED
192.168.1.195:60024 210.80.199.74:smtp FIN_WAIT2
192.168.1.195:60025 210.80.199.74:smtp ESTABLISHED
192.168.1.195:58043 193.17.41.43:smtp ESTABLISHED
192.168.1.195:58041 193.17.41.43:smtp ESTABLISHED
127.0.0.1:60090 127.0.0.1:http-admin ESTABLISHED
127.0.0.1:60087 127.0.0.1:http-admin TIME_WAIT

[gardnc]

mono,

Mail is located in:

/home/e-smith/files/users

username

/Maildir

If the user names are the same on each server you should be able to copy Maildir for each user from the old server to the new.

Larry

[mono]

Thanks!
So far I've had problems copying files from this location via i.e. ftp, but I'm trying backup2workstation now and hopefully I'll be able to backup and restore on another server without problems.
One question though: Are users really identified by the system by user names or user IDs and this a concern here?
Terje

[gardnc]

By user name.  But the actual email file names have the server name as a part of it and can be part of your problem.  FTP or anyother method should work to copy.  Then perhaps a file name change script would be needed.  User ID is not the issue in the transfer of the data.

Larry

[gardnc]

Try sending an emal to the new server to a user that has mail on the old server and look at the email file name differeces.  I think that is your problem.

Larry

[mono]

Thanks!
I'm doing the backup now and will try restore tomorrow and will try to look for names etc.
I cannot remember right now, but it's not easy to change the server name for the new server, is it?
Terje

[gardnc]

Sure it is, login as admin in a command shell prompt to reconfigure, select reconfigure and one of the items is the server name.

[mono]

I ended up using WinSCP via ssh to copy mail files to a workstation and then to the new server, which turned out to work fine, with the exeption of subfolders  ...
Thanks!
Terje