LinuxQuestions.org

nbier 08-31-2004 10:52 AM

Compromised: rebuilding questions (mail)
 
Howdy,

Discovered yesterday that a community server that I run had been compromised (still haven't id'ed the point of entry--been too busy rebuilding), and have spent the past day building a new machine. Machine's up and I've gotten web services restored. Now I'm moving on to restoring mail.

I'm running SuSE 9.0, using Postfix/Procmail/Cyrus for mail. I'm hoping to migrate old mail messages from the cracked HD, but I'm really not sure how to do it; Google hasn't been particularly revealing on the subject, so I thought I'd check in here to see if anyone had any suggestions (or knew of websites that did).

I'm assuming that my process needs to be:

1) Recreate user accounts (so that when I turn mail back on, messages are not bounced). First on shell, then on Cyrus?

2) Configure Postfix.

3) Configure Procmail

4) Start mail services

5) Migrate old mail messages


So, two different questions, I guess: are these the right order of steps to take (and are there easy ways of recreating the user accounts on shell/cyrus)? How do I go about migrating the old mail messages?

Any other thoughts or suggestions on the process of rebuilding? I've been careful to ensure the new machine is fully updated and is as hardened as I am able to make it (of course, that was true of the old machine as well :( ).

thanks,
NB

DrNeil 09-05-2004 06:13 AM

Re: Compromised: rebuilding questions (mail)
 
Quote:

Originally posted by nbier
(of course, that was true of the old machine as well :( ).
What did you have running, did you do, that was not sufficient?

Just so that I can build in a couple of extras.

Hope that's not too insensitive a question? :o

Firewall, ssh, xinetd IP limitations, limit root account, chkrootkit, logwatch, password rotation, IP Firewall filtering on trusted machines, virus spam filter. :confused:


All times are GMT -5.