This came to me as an Outlook problem, but it's really generic to the server.

If you grant access to one of your folders to an account, and then that account is deleted, the original grant stays around, and various things get weird.

For example, here's the business end of an Outlook Sync Failure Notice.

<acl>
<grant d="validuser@example.com" zid="8a43b9d0-89f6-435f-8e86-92c707cbb27f" gt="usr" perm="rwidxa"/>
<grant d="" invalid="1" zid="daa4356d-db70-4c0e-aa27-5790a07ff0d3" gt="usr" perm="rwidxa"/>
<grant d="" invalid="1" zid="d7b95e6d-ea8c-4b5b-9186-7dc75ee4cb65" gt="usr" perm="rwidx"/>
</acl>

Should there be a way to reap obsolete ACLs? I suppose I could imagine a need to leave them in, just so that if you delete and restore an account, it gets its old rights back. (Assuming that a zmrestore reuses the zimbraId. Does it?)

If there is not going to be a way to reap obsolete ACLs, should all interfaces prune reported ACLs of dead zimbraIds before returning them to clients? Or must all clients tolerate dangling references? Currently, Outlook fails (if the user has the "a" right), and while I can't remember the details, I think I've seen problems in ZWC as well.
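One way to do the pruning asked about above, as an added example that is not part of the original post and not Zimbra code: it parses the <acl> fragment quoted in the post, lists the grants whose grantee no longer resolves, and returns the ACL without them. The function names are hypothetical, and treating an empty d on a gt="usr" grant as dangling is an assumption.

```python
import xml.etree.ElementTree as ET

# The <acl> fragment quoted in the post, embedded as sample input.
SAMPLE_ACL = """\
<acl>
<grant d="validuser@example.com" zid="8a43b9d0-89f6-435f-8e86-92c707cbb27f" gt="usr" perm="rwidxa"/>
<grant d="" invalid="1" zid="daa4356d-db70-4c0e-aa27-5790a07ff0d3" gt="usr" perm="rwidxa"/>
<grant d="" invalid="1" zid="d7b95e6d-ea8c-4b5b-9186-7dc75ee4cb65" gt="usr" perm="rwidx"/>
</acl>"""


def is_dangling(grant):
    """True when the grantee no longer resolves to an account."""
    if grant.get("invalid") == "1":
        return True
    # Assumption: a user grant with no display name is also unresolved,
    # even if the server did not set invalid="1".
    return grant.get("gt") == "usr" and not grant.get("d")


def audit_acl(acl_xml):
    """Return (live, dangling) lists of (zid, perm) tuples."""
    live, dangling = [], []
    for grant in ET.fromstring(acl_xml).findall("grant"):
        entry = (grant.get("zid"), grant.get("perm"))
        (dangling if is_dangling(grant) else live).append(entry)
    return live, dangling


def prune_acl(acl_xml):
    """Return the ACL with dangling grants removed, as a client would see it."""
    root = ET.fromstring(acl_xml)
    # findall() returns a list, so removing while looping is safe.
    for grant in root.findall("grant"):
        if is_dangling(grant):
            root.remove(grant)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    live, dangling = audit_acl(SAMPLE_ACL)
    for zid, perm in dangling:
        print(f"dangling grant: zid={zid} perm={perm}")
    print(prune_acl(SAMPLE_ACL))
```

The audit output is the list to review before revoking anything, since a restored account that reuses its zimbraId would otherwise regain the listed rights.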