dovecot - Jul 2010 - using Lazy_Expunge to enforce retention policy

Hi,

I've been experimenting with using Lazy_Expunge as a tool to enforce 
document retention policies (by keeping users from deleting emails 
forever, instead expiring them after a set time).  My problem is, how do 
I keep the user from deleting/expunging mails *inside the expunge folder 
itself*?

I am using dovecot-1.2.10 built from FreeBSD's ports tree, and I am 
using the following settings for the "expunged" folder of
Lazy_Expunge,
as part of the "three namespaces" approach suggested in the wiki:

# namespaces for lazy_expunge plugin:
namespace private {
   prefix = .EXPUNGED/
   separator = /
   location = maildir:/usr/local/vpopmail/domains/%d/%n/EXPUNGED
}

When a user expunges mail, it shows up in the folder listed just fine.  
But if the user expunges mail from /that/ folder, it's gone forever, 
which defeats the purpose in regard to "enforcing retention."

As a partial workaround, I tried adding hidden=yes and list=no to the 
setting, and restarting dovecot:

# namespaces for lazy_expunge plugin:
namespace private {
   prefix = .EXPUNGED/
   separator = /
   location = maildir:/usr/local/vpopmail/domains/%d/%n/EXPUNGED
   hidden = yes
   list = no
}

The problem is, while this does indeed *hide* the namespace from the 
user, it doesn't prevent them from *using* it if they know about it - I 
discovered this because Thunderbird still "remembered" the namespace 
from before I hid it; experimenting confirmed that, yes, I could still 
use Thunderbird to go into my expunged folder and permanently delete any 
email in it.  If I remove the account from Thunderbird *completely* and 
reset it up from scratch, I can no longer "see" the namespace - but 
that's weak security at best, as I can still manually navigate to it and 
wreak havoc.

How can I use Lazy_Expunge to completely PREVENT users from deleting 
email permanently?

Thank you!

On 7/25/10 3:37 PM -0400 Jim Salter wrote:
> How can I use Lazy_Expunge to completely PREVENT users from deleting
> email permanently?
Don't list the namespace at all.  Users then will not be able to get
to it.

Alternatively, create an ACL denying delete/expunge permission.  Then
users can still access the deleted mail.

On Sun, 2010-07-25 at 15:37 -0400, Jim Salter wrote:
> How can I use Lazy_Expunge to completely PREVENT users from deleting 
> email permanently?
I guess currently there is no easy way to do it. You could use
non-guessable prefixes, but that's security through obscurity..

I was first thinking about using a default ACL file, but that doesn't
really work either. I guess I should some day implement proper "default
ACLs for a namespace" support..