Hey,
Everything sounds pretty good but another thing to consider might be modifying the existing dspam code to store messages in Maildir, instead of mbox? Or to store the entire quarantine (and the other WebUI files) inside of the database.
Why to bother writing mail storage system, while it has been already done by others, and maintained well in several real good IMAP servers, and IMAP client libraries (libs both for perl and php)? I think many-many hours of development AND maintenance time could be spared if dspam would just connect to an IMAP server with it's own user, and store quarantained mails for separate users in separate IMAP folders.
Further advantage is that with an advanced imap server, which handles ACLs, you could add the proper access rights to the qurantain folder for its respective user, so you could manage your quarantain right from your mail reader. How's that?
My 2c. Peter
