Hi,

I've been experimenting with using Lazy_Expunge as a tool to enforce document retention policies (by keeping users from deleting emails forever, instead expiring them after a set time). My problem is, how do I keep the user from deleting/expunging mails *inside the expunge folder itself*?

I am using dovecot-1.2.10 built from FreeBSD's ports tree, and I am using the following settings for the "expunged" folder of Lazy_Expunge, as part of the "three namespaces" approach suggested in the wiki:

# namespaces for lazy_expunge plugin: namespace private { prefix = .EXPUNGED/ separator = / location = maildir:/usr/local/vpopmail/domains/%d/%n/EXPUNGED }

When a user expunges mail, it shows up in the folder listed just fine.
But if the user expunges mail from /that/ folder, it's gone forever, which defeats the purpose in regard to "enforcing retention."

As a partial workaround, I tried adding hidden=yes and list=no to the setting, and restarting dovecot:

# namespaces for lazy_expunge plugin: namespace private { prefix = .EXPUNGED/ separator = / location = maildir:/usr/local/vpopmail/domains/%d/%n/EXPUNGED hidden = yes list = no }

The problem is, while this does indeed *hide* the namespace from the user, it doesn't prevent them from *using* it if they know about it - I discovered this because Thunderbird still "remembered" the namespace from before I hid it; experimenting confirmed that, yes, I could still use Thunderbird to go into my expunged folder and permanently delete any email in it. If I remove the account from Thunderbird *completely* and reset it up from scratch, I can no longer "see" the namespace - but that's weak security at best, as I can still manually navigate to it and wreak havoc.

How can I use Lazy_Expunge to completely PREVENT users from deleting email permanently?

Thank you!