--- cyrus-imapd-2.2.12/lib/acl_afs.c.orig	2005-07-14 17:12:53 +0300
+++ cyrus-imapd-2.2.12/lib/acl_afs.c	2005-07-14 17:17:44 +0300
@@ -119,12 +119,17 @@
     char *thisid, *nextid;
     int oldaccess = 0;
     char *rights;
+    int identifier_found = 0;
+    int identifier_overridden = 0;
 
     /* Convert 'identifier' into canonical form */
     if (*identifier == '-') {
 	char *canonid = auth_canonifyid(identifier+1, 0);
-	if (!canonid) {
+	if (!canonid && access != 0L) {
 	    return -1;
+	} else if (!canonid && access == 0L) {
+	    canonid = identifier+1;
+	    identifier_overridden = 1;
 	}
 	newidentifier = xmalloc(strlen(canonid)+2);
 	newidentifier[0] = '-';
@@ -135,9 +140,15 @@
 	}
     }
     else {
+	newidentifier = xmalloc(strlen(identifier)+1);
+	strlcpy(newidentifier, identifier, strlen(identifier)+1);
+	
 	identifier = auth_canonifyid(identifier, 0);
-	if (!identifier) {
+	if (!identifier && access != 0L) {
 	    return -1;
+	} else if(!identifier && access == 0L) {
+            identifier = newidentifier;
+            identifier_overridden = 1;
 	}
 	if (canonproc) {
 	    access = canonproc(canonrock, identifier, access);
@@ -165,6 +176,7 @@
 	*nextid++ = '\0';
 
 	if (strcmp(identifier, thisid) == 0) {
+            identifier_found = 1;
 	    oldaccess = cyrus_acl_strtomask(rights);
 	    break;
 	}
@@ -172,6 +184,15 @@
 	nextid[-1] = '\t';
     }
 
+    /* 
+     * In case we have overridden the canonification of the
+     * identifier, but still the identifier does not exist in
+     * the mailboxdb, then return error as normally expected.
+     */
+    if(identifier_overridden && !identifier_found) {
+        return -1;
+    }
+
     switch (mode) {
     case ACL_MODE_SET:
 	break;