[pykolab] Command kolab acl-cleanup fails if mailboxes with non-7-bit characters exist
When running the command

kolab acl-cleanup <some_subject>

the command fails with the exception:

Traceback (most recent call last):
  File "/usr/sbin/kolab", line 41, in <module>
    kolab = Cli()
  File "/usr/lib/python3/dist-packages/pykolab/cli/", line 77, in __init__
  File "/usr/lib/python3/dist-packages/pykolab/cli/", line 135, in execute
    commands[cmd_name]['function'](conf.cli_args, kw)
  File "/usr/lib/python3/dist-packages/pykolab/cli/", line 52, in execute
    acls = imap.list_acls(folder)
  File "/usr/lib/python3/dist-packages/pykolab/imap/", line 1221, in list_acls
    return self.imap.lam(self.folder_utf7(folder))
  File "/usr/lib/python3/dist-packages/", line 764, in lam
    res, acl = self.__docommand("getacl", self.decode(mailbox))
  File "/usr/lib/python3/dist-packages/", line 580, in __docommand
    self.__doexception(function, msg[0], *args)
  File "/usr/lib/python3/dist-packages/", line 548, in __doexception
    self.__doraise( function.upper(), msg )
  File "/usr/lib/python3/dist-packages/", line 557, in __doraise
    raise CYRUSError( idError[0], mode, msg )
cyruslib.CYRUSError: (30, 'GETACL', b'Mailbox does not exist')

Tracking down the issue revealed that the problematic mailbox contains special characters (in particular the letter "Ö"):

2024-04-19 11:05:49,693 pykolab.imap DEBUG [19807]  [GETACL "user/mailboxname/O&"] BAD: b'Mailbox does not exist'

Looking at the encoded mailbox name, it seems that the name is UTF7 encoded twice ("&-ANY-" instead of "&ANY-"). This originates from mixing commands from pykolab.imap that rely on UTF7 output with commands that rely on UTF8 input. Specifically on, imap.lm() is used which returns folder names in UTF7 encoding. These folder names are passed to imap_list_acls() on which expects UTF8 input.

Possible solutions

  1. Replace with imap.list_folders().
  2. While debugging, I found that there is already a method imap.cleanup_acls() (see here), which should likely be used instead of reimplementing this functionality in

Further discussion

After thinking about it for a while and reading the original it seems to me that this CLI command was intended to be run without an aci_subject to find all dangling ACLs by querying the user list. Using option 2 above would not solve this. However, the original function also did not implement that part and works only if the aci_subject is provided.
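The double encoding described in the report can be reproduced in isolation. The following is an added example, not pykolab or cyruslib code: `mutf7_encode` and `mutf7_decode` are hypothetical helpers implementing IMAP modified UTF-7 (RFC 3501), and the folder name is constructed.

```python
import base64

def mutf7_encode(name: str) -> str:
    """Encode a Unicode mailbox name as IMAP modified UTF-7 (RFC 3501)."""
    out, buf = [], []
    def flush():
        if buf:
            raw = "".join(buf).encode("utf-16-be")
            b64 = base64.b64encode(raw).decode("ascii").rstrip("=")
            out.append("&" + b64.replace("/", ",") + "-")
            buf.clear()
    for ch in name:
        if ch == "&":                    # a literal ampersand is escaped as "&-"
            flush(); out.append("&-")
        elif 0x20 <= ord(ch) <= 0x7E:    # printable ASCII passes through
            flush(); out.append(ch)
        else:                            # everything else goes into a base64 run
            buf.append(ch)
    flush()
    return "".join(out)

def mutf7_decode(name: str) -> str:
    """Decode IMAP modified UTF-7 back to a Unicode mailbox name."""
    out, i = [], 0
    while i < len(name):
        if name[i] != "&":
            out.append(name[i]); i += 1
            continue
        end = name.index("-", i)         # ValueError if the run is unterminated
        chunk = name[i + 1:end].replace(",", "/")
        if chunk:
            chunk += "=" * (-len(chunk) % 4)
            out.append(base64.b64decode(chunk).decode("utf-16-be"))
        else:
            out.append("&")
        i = end + 1
    return "".join(out)

# Constructed sample: a folder name containing "Ö".
FOLDER = "user/example/Öffentlich"
once = mutf7_encode(FOLDER)      # what a UTF-7 listing call hands back
twice = mutf7_encode(once)       # what happens if a UTF-8 API encodes it again
# The "&" that opens the base64 run is itself escaped to "&-", so the server
# is asked for a different, non-existent mailbox name.
fixed = mutf7_encode(mutf7_decode(once))  # decode once at the API boundary
```
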


