Hi,

I've been experimenting with using Lazy_Expunge as a tool to enforce document retention policies (by keeping users from deleting emails forever, instead expiring them after a set time). My problem is, how do I keep the user from deleting/expunging mails *inside the expunge folder itself*?

I am using dovecot-1.2.10 built from FreeBSD's ports tree, and I am using the following settings for the "expunged" folder of Lazy_Expunge, as part of the "three namespaces" approach suggested in the wiki:

    # namespaces for lazy_expunge plugin:
    namespace private {
      prefix = .EXPUNGED/
      separator = /
      location = maildir:/usr/local/vpopmail/domains/%d/%n/EXPUNGED
    }

When a user expunges mail, it shows up in the folder listed just fine. But if the user expunges mail from /that/ folder, it's gone forever, which defeats the purpose in regard to "enforcing retention."

As a partial workaround, I tried adding hidden=yes and list=no to the setting, and restarting dovecot:

    # namespaces for lazy_expunge plugin:
    namespace private {
      prefix = .EXPUNGED/
      separator = /
      location = maildir:/usr/local/vpopmail/domains/%d/%n/EXPUNGED
      hidden = yes
      list = no
    }

The problem is, while this does indeed *hide* the namespace from the user, it doesn't prevent them from *using* it if they know about it - I discovered this because Thunderbird still "remembered" the namespace from before I hid it; experimenting confirmed that, yes, I could still use Thunderbird to go into my expunged folder and permanently delete any email in it.

If I remove the account from Thunderbird *completely* and reset it up from scratch, I can no longer "see" the namespace - but that's weak security at best, as I can still manually navigate to it and wreak havoc.

How can I use Lazy_Expunge to completely PREVENT users from deleting email permanently?

Thank you!

Frank Cusack
2010-Jul-26 04:46 UTC
[Dovecot] using Lazy_Expunge to enforce retention policy
On 7/25/10 3:37 PM -0400 Jim Salter wrote:
> How can I use Lazy_Expunge to completely PREVENT users from deleting
> email permanently?

Don't list the namespace at all. Users then will not be able to get to it.

Alternatively, create an ACL denying delete/expunge permission. Then users can still access the deleted mail.

Timo Sirainen
2010-Jul-26 17:38 UTC
[Dovecot] using Lazy_Expunge to enforce retention policy
On Sun, 2010-07-25 at 15:37 -0400, Jim Salter wrote:
> How can I use Lazy_Expunge to completely PREVENT users from deleting
> email permanently?

I guess currently there is no easy way to do it. You could use non-guessable prefixes, but that's security through obscurity.. I was first thinking about using a default ACL file, but that doesn't really work either. I guess I should some day implement proper "default ACLs for a namespace" support..
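
Added example (not part of the original thread and not Dovecot project code): since the replies above leave per-mailbox ACLs as the only ACL route, this audit walks an EXPUNGED maildir and reports every mailbox where the ACL file still permits permanent removal. It assumes the Dovecot ACL plugin with per-mailbox `dovecot-acl` files and the Maildir++ folder layout; the function names and the sample tree are constructed for illustration, and the check is deliberately conservative rather than a full model of Dovecot's ACL evaluation.

```python
import os
import tempfile

# Dovecot ACL letters that permit permanent removal:
# t = set the \Deleted flag, e = expunge, x = delete the mailbox.
DESTRUCTIVE = set("tex")

def audit_acl(acl_path):
    """Return a finding for one mailbox, or None if it looks protected."""
    if not os.path.isfile(acl_path):
        return "no dovecot-acl file (owner keeps all rights)"
    owner_listed = False
    with open(acl_path) as fh:
        for line in fh:
            fields = line.split()
            if len(fields) < 2 or fields[0].startswith(("#", "-")):
                continue  # comments and negative entries: ignored, stays conservative
            owner_listed = owner_listed or fields[0] == "owner"
            bad = DESTRUCTIVE & set(fields[1])
            if bad:
                return "%s is granted %s" % (fields[0], "".join(sorted(bad)))
    return None if owner_listed else "no explicit owner entry"

def audit_namespace(root):
    """Check the namespace root (its INBOX) and each Maildir++ subfolder."""
    names = [""] + sorted(d for d in os.listdir(root) if d.startswith(".")
                          and os.path.isdir(os.path.join(root, d, "cur")))
    findings = {}
    for name in names:
        problem = audit_acl(os.path.join(root, name, "dovecot-acl"))
        if problem:
            findings[name or "INBOX"] = problem
    return findings

def demo():
    """Audit a constructed EXPUNGED tree built in a temp directory."""
    root = tempfile.mkdtemp()
    layout = {"": "owner lrwsi\n",           # constructed: no t/e/x
              ".Sent": "owner lrwstiekxa\n",  # constructed: full rights
              ".Drafts": None}                # constructed: no ACL file
    for name, acl in layout.items():
        os.makedirs(os.path.join(root, name, "cur"))
        if acl is not None:
            with open(os.path.join(root, name, "dovecot-acl"), "w") as fh:
                fh.write(acl)
    return audit_namespace(root)

if __name__ == "__main__":
    for mailbox, problem in demo().items():
        print(mailbox, "->", problem)
```

Any folder that appears in the namespace without its own restrictive ACL file shows up as a finding, which is the gap a namespace-wide default ACL would close.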