clarify what happens on lock vs email

I tested this by locking `aguestuser`'s account (tpo/tpa/team#40772), and running ud-generate on alberti. The user was still present on alberti in: `/var/cache/userdir-ldap/hosts/forward-alias`.

clarify what happens on lock vs email
a4eec8c4 · anarcat · 51762dec · a4eec8c4
Verified Commit a4eec8c4 authored 2 years ago by anarcat
--- a/howto/retire-a-user.md
+++ b/howto/retire-a-user.md
@@ -34,9 +34,8 @@ Note that this only keeps the user from accessing servers, it does
 the `passwd` database on servers. This is because the user might still
 own files and we do not want to have files un-owned.

-Note that it's unclear if we should add an email alias in the
-`virtual` file when the account expires, see [ticket #32558](https://bugs.torproject.org/32558) for
-details.
+It also does *not* remove the email alias (the `emailForward` field in
+[LDAP](howto/ldap)), for that you need to delete the account altogether.

 ## Deleting an account

@@ -45,6 +44,10 @@ to come back again. For this, the actual LDAP entries for the user
 must be removed with `ldapvi`, but only after the files for that user
 have been destroyed or given to another user.

+Note that it's unclear if we should add an email alias in the
+`virtual` file when the account expires, see [ticket #32558](https://bugs.torproject.org/32558) for
+details.
+
 ## Retiring from other services

 Then you need to go through the [service list](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service) and pay close