
Secure IMAP Mailbox Backup Tool

Category: IT Tools
Date: February 2026

About this project

During an email server migration, losing emails is a major risk for businesses. Mail Backup addresses this need by providing IT consultants with a reliable tool to export, verify, and archive an entire mailbox before the switchover. The tool connects directly to the client's IMAP server through a secure web interface. The consultant can browse the folder tree, view emails and their attachments, then launch a full export with a single click. The backup is generated in the background with real-time progress tracking, avoiding any timeout issues even on large mailboxes.

The standout feature is its three-level verification system. Each exported email is checked: size verification, .eml format parsing, and attachment validation. An automatic import test simulates reimporting emails on a test server to ensure the backup is usable. A comprehensive verification report is generated in HTML format, viewable offline, accompanying the backup ZIP.

The architecture was designed with security in mind: no passwords are stored (neither in a database nor on disk), IMAP credentials exist only in memory for the duration of the session, and all communications use TLS. The application requires no database; all state lives in RAM with a 30-minute TTL.

Key Features

  • Universal IMAP Connection: Support for all hosting providers (OVH, Gmail, Outlook, Gandi, o2switch, IONOS, Infomaniak) with preconfigured presets and SSL/TLS connection.
  • Email Browsing: Full folder tree exploration, email reading, and individual attachment download directly from the browser.
  • Verified ZIP Export: Full backup with folder and date-based structure, CSV index, and automatic three-level verification (size, parsing, attachments).
  • Automatic Import Test: Simulated reimport on a test IMAP server to ensure the backup is usable before migration.
  • Compliance Report: Standalone HTML report generation detailing each verification result, viewable offline and deliverable to the client.
  • Zero Data Storage: No passwords or emails are saved. Database-free architecture with volatile RAM sessions and automatic expiration.
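The three-level check (size, parsing, attachments) could look like the following. This is an added example, not the tool's own code: the `verify_eml` helper, the sample message, and the choice of comparing against the size recorded at fetch time are assumptions.

```python
import email
import email.policy

# Constructed sample message (not from the tool): one text part, one attachment.
SAMPLE = (
    b"From: a@example.test\r\nMessage-ID: <1@example.test>\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="B"\r\n\r\n'
    b"--B\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b"--B\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="a.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"SGVsbG8gd29ybGQ=\r\n--B--\r\n"
)


def verify_eml(raw: bytes, expected_size: int) -> dict:
    """Hypothetical helper: run size, parsing and attachment checks on one .eml."""
    errors = []

    # Level 1: exported byte count must equal the size recorded at fetch time
    # (assumption: the caller passes the IMAP RFC822.SIZE or the fetched length).
    size_ok = len(raw) == expected_size
    if not size_ok:
        errors.append(f"size: got {len(raw)} bytes, expected {expected_size}")

    # Level 2: the file must parse as MIME with no structural defects
    # (missing boundaries, broken part headers) and carry basic headers.
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    defects = [d for part in msg.walk() for d in part.defects]
    parse_ok = not defects and bool(msg["From"] or msg["Message-ID"])
    errors += [f"parse: {type(d).__name__}" for d in defects]

    # Level 3: each attachment must decode cleanly to a non-empty payload.
    # Base64 damage is only recorded as a defect when the payload is decoded.
    attach_ok = True
    for part in msg.walk():
        if part.is_multipart() or not part.is_attachment():
            continue
        seen = len(part.defects)
        data = part.get_payload(decode=True)
        if not data or len(part.defects) > seen:
            attach_ok = False
            errors.append(f"attachment: {part.get_filename()!r} is empty or corrupt")

    return {"size": size_ok, "parse": parse_ok, "attachments": attach_ok,
            "errors": errors}
```

The parser is lenient by default and does not raise on a truncated message, so the check has to inspect `defects` rather than rely on an exception.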

Challenges

The main technical challenge was working around the 30-second HTTP timeout constraint imposed by the Scalingo hosting platform. Generating a full backup can take several minutes depending on mailbox size, making a traditional synchronous download impossible. The solution involved implementing an asynchronous architecture with a background generation thread, an AJAX polling system for real-time progress tracking, and writing the ZIP to the temporary filesystem rather than RAM to prevent memory overflow.

A second challenge was ensuring data integrity without a database. The "zero-storage" architecture requires managing IMAP sessions in memory while protecting against concurrent access, since Python's imaplib library is not thread-safe. A locking mechanism prevents any IMAP interaction during backup generation.

Learnings

This project deepened my understanding of PaaS deployment constraints, including HTTP timeout management, container memory limitations, and ephemeral filesystem behavior. I also strengthened my web application security skills by implementing comprehensive hardening (CSP headers, Permissions-Policy, secure cookies, CSRF protection) that achieved an A grade on SecurityHeaders.com. The key takeaway is that a simple, well-designed architecture — with no database, no message queue, no Redis — can be perfectly suited for a targeted business tool, provided you understand and accept its limitations (single container, volatile sessions).