[Dovecot] using Lazy_Expunge to enforce retention policy

[Jim Salter]

Hi,

I've been experimenting with using Lazy_Expunge as a tool to enforce 
document retention policies (by keeping users from deleting emails 
forever, instead expiring them after a set time).  My problem is, how do 
I keep the user from deleting/expunging mails *inside the expunge folder 
itself*?

I am using dovecot-1.2.10 built from FreeBSD's ports tree, and I am 
using the following settings for the "expunged" folder of Lazy_Expunge, 
as part of the "three namespaces" approach suggested in the wiki:

# namespaces for lazy_expunge plugin:
namespace private {
   prefix = .EXPUNGED/
   separator = /
   location = maildir:/usr/local/vpopmail/domains/%d/%n/EXPUNGED
}

When a user expunges mail, it shows up in the folder listed just fine.  
But if the user expunges mail from /that/ folder, it's gone forever, 
which defeats the purpose in regard to "enforcing retention."

As a partial workaround, I tried adding hidden=yes and list=no to the 
setting, and restarting dovecot:

# namespaces for lazy_expunge plugin:
namespace private {
   prefix = .EXPUNGED/
   separator = /
   location = maildir:/usr/local/vpopmail/domains/%d/%n/EXPUNGED
   hidden = yes
   list = no
}

The problem is, while this does indeed *hide* the namespace from the 
user, it doesn't prevent them from *using* it if they know about it - I 
discovered this because Thunderbird still "remembered" the namespace 
from before I hid it; experimenting confirmed that, yes, I could still 
use Thunderbird to go into my expunged folder and permanently delete any 
email in it.  If I remove the account from Thunderbird *completely* and 
reset it up from scratch, I can no longer "see" the namespace - but 
that's weak security at best, as I can still manually navigate to it and 
wreak havoc.

How can I use Lazy_Expunge to completely PREVENT users from deleting 
email permanently?

Thank you!