mailsuite 2.0.2__tar.gz → 2.2.0__tar.gz

{mailsuite-2.0.2 → mailsuite-2.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mailsuite
-Version: 2.0.2
+Version: 2.2.0
 Summary: A Python package for retrieving, parsing, and sending emails
 Project-URL: Homepage, https://github.com/seanthegeek/mailsuite/
 Project-URL: Documentation, https://seanthegeek.github.io/mailsuite/
@@ -17,6 +17,7 @@ Classifier: License :: OSI Approved :: Apache Software License
 Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python :: 3
 Requires-Python: >=3.9
+Requires-Dist: authres>=1.2.0
 Requires-Dist: cryptography>=41.0.0
 Requires-Dist: dkimpy>=1.1.0
 Requires-Dist: dnspython>=2.0.0
@@ -49,38 +50,43 @@ A Python package for retrieving, parsing, and sending emails.
 
 ## Features
 
-- Simplified IMAP client
-  - Retrieve email from any folder
-  - Create new folders
-  - Move messages to other folders
-  - Delete messages
-  - Monitor folders for new messages using the IMAP ``IDLE`` command
-  - Always use ``/`` as the folder hierarchy separator, and convert to the
-    server's hierarchy separator in the background
-  - Always remove folder name characters that conflict with the server's
-    hierarchy separators
-  - Prepend the namespace to the folder path when required
-  - Automatically reconnect when needed
-  - Work around quirks in Gmail, Microsoft 365, Exchange, Dovecot, and
-    DavMail
+- Provider-agnostic mailbox abstraction (`mailsuite.mailbox`)
+  - Single `MailboxConnection` interface for IMAP, Microsoft Graph, Gmail,
+    and on-disk Maildir
+  - Fetch message identifiers from any folder, retrieve their raw RFC 822
+    content, and move or delete messages
+  - Folder management across every backend — create, rename, move, merge,
+    delete, and existence checks, with consistent `FolderExistsError` /
+    `FolderNotFoundError` semantics
+  - Watch a folder for new messages — the IMAP `IDLE` command (with periodic
+    session refresh) on the IMAP backend, polling on the cloud backends
+  - Unified `send_message()` on backends that support sending (Microsoft
+    Graph, Gmail) — IMAP and Maildir users send through
+    `mailsuite.smtp.send_email`
+  - Username/password or OAuth2 (XOAUTH2 / OAUTHBEARER) login for IMAP and SMTP
+  - Automatic IMAP reconnection after dropped connections and timeouts
+  - Always uses `/` as the folder hierarchy separator, converting to the
+    server's separator and prepending its namespace automatically, and
+    stripping folder-name characters that collide with the separator
+  - Works around backend quirks across Gmail, Microsoft 365, Exchange,
+    Dovecot, and DavMail, including:
+    - Gmail / Google Workspace returning an empty `IDLE` response
+    - Random Microsoft 365 / Exchange `BAD` / "unexpected response" errors
+    - Nonstandard hierarchy separators and namespaces
 - Consistent email parsing
   - SHA256 hashes of attachments
-  - Parsed ``Authentication-Results`` and ``DKIM-Signature`` headers
-  - Parse Microsoft Outlook ``.msg`` files using `msgconvert`
+  - Parsed `Authentication-Results` and `DKIM-Signature` headers
+  - Parse Microsoft Outlook `.msg` files using `msgconvert`
 - Simplified email creation and sending
   - Easily add attachments, plain text, and HTML
-  - Uses opportunistic encryption (``STARTTLS``) with SMTP by default
+  - Uses opportunistic encryption (`STARTTLS`) with SMTP by default
 - DKIM signing and verification
   - Generate RSA keypairs and the matching DNS TXT record
-  - Sign outbound mail with a sensible default header set (with `From`,
-    `To`, `Cc`, `Subject` oversigned)
+  - Sign outbound mail with a sensible default header set
   - Verify one or many `DKIM-Signature` headers on a received message
-- Provider-agnostic mailbox abstraction (`mailsuite.mailbox`)
-  - Single `MailboxConnection` interface for IMAP, Microsoft Graph,
-    Gmail, and on-disk Maildir
-  - Unified `send_message()` on backends that support sending (Microsoft
-    Graph, Gmail) — IMAP and Maildir users send through
-    `mailsuite.smtp.send_email`
+- ARC (Authenticated Received Chain) sealing and verification
+  - Seal forwarded mail with an ARC set, extending an existing chain
+  - Verify the ARC chain on a received message and read its `cv` result
 
 ## Installation
 
@@ -90,6 +96,11 @@ Base install (IMAP, SMTP, DKIM, Maildir, parsing):
 pip install mailsuite
 ```
 
+If you would like to be able to parse Microsoft Outlook `.msg` files, install
+`msgconvert`. On Debian-based Linux distributions, `msgconvert` can be installed
+via `sudo apt-get install libemail-outlook-message-perl`. Other systems can use
+`cpan -i Email::Outlook::Message`.
+
 The Microsoft Graph and Gmail backends are optional extras — the cloud
 SDKs aren't pulled in unless you ask for them:
 
@@ -136,7 +147,7 @@ mailbox, grant `Mail.ReadWrite` and `Mail.Send`.
 
 Delegated flows (`DeviceCode`, `UsernamePassword`) targeting a shared
 mailbox — i.e. when the `mailbox` argument differs from `username` —
-use the `.Shared` variants. App-only flows (`ClientSecret`,
+use the `.Shared` variants. App-only flows (`ClientAssertion`, `ClientSecret`,
 `Certificate`) do not need the `.Shared` variants since application
 permissions span every mailbox in the tenant (unless restricted by an
 [Application Access Policy](https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access)).

{mailsuite-2.0.2 → mailsuite-2.2.0}/README.md

@@ -7,38 +7,43 @@ A Python package for retrieving, parsing, and sending emails.
 
 ## Features
 
-- Simplified IMAP client
-  - Retrieve email from any folder
-  - Create new folders
-  - Move messages to other folders
-  - Delete messages
-  - Monitor folders for new messages using the IMAP ``IDLE`` command
-  - Always use ``/`` as the folder hierarchy separator, and convert to the
-    server's hierarchy separator in the background
-  - Always remove folder name characters that conflict with the server's
-    hierarchy separators
-  - Prepend the namespace to the folder path when required
-  - Automatically reconnect when needed
-  - Work around quirks in Gmail, Microsoft 365, Exchange, Dovecot, and
-    DavMail
+- Provider-agnostic mailbox abstraction (`mailsuite.mailbox`)
+  - Single `MailboxConnection` interface for IMAP, Microsoft Graph, Gmail,
+    and on-disk Maildir
+  - Fetch message identifiers from any folder, retrieve their raw RFC 822
+    content, and move or delete messages
+  - Folder management across every backend — create, rename, move, merge,
+    delete, and existence checks, with consistent `FolderExistsError` /
+    `FolderNotFoundError` semantics
+  - Watch a folder for new messages — the IMAP `IDLE` command (with periodic
+    session refresh) on the IMAP backend, polling on the cloud backends
+  - Unified `send_message()` on backends that support sending (Microsoft
+    Graph, Gmail) — IMAP and Maildir users send through
+    `mailsuite.smtp.send_email`
+  - Username/password or OAuth2 (XOAUTH2 / OAUTHBEARER) login for IMAP and SMTP
+  - Automatic IMAP reconnection after dropped connections and timeouts
+  - Always uses `/` as the folder hierarchy separator, converting to the
+    server's separator and prepending its namespace automatically, and
+    stripping folder-name characters that collide with the separator
+  - Works around backend quirks across Gmail, Microsoft 365, Exchange,
+    Dovecot, and DavMail, including:
+    - Gmail / Google Workspace returning an empty `IDLE` response
+    - Random Microsoft 365 / Exchange `BAD` / "unexpected response" errors
+    - Nonstandard hierarchy separators and namespaces
 - Consistent email parsing
   - SHA256 hashes of attachments
-  - Parsed ``Authentication-Results`` and ``DKIM-Signature`` headers
-  - Parse Microsoft Outlook ``.msg`` files using `msgconvert`
+  - Parsed `Authentication-Results` and `DKIM-Signature` headers
+  - Parse Microsoft Outlook `.msg` files using `msgconvert`
 - Simplified email creation and sending
   - Easily add attachments, plain text, and HTML
-  - Uses opportunistic encryption (``STARTTLS``) with SMTP by default
+  - Uses opportunistic encryption (`STARTTLS`) with SMTP by default
 - DKIM signing and verification
   - Generate RSA keypairs and the matching DNS TXT record
-  - Sign outbound mail with a sensible default header set (with `From`,
-    `To`, `Cc`, `Subject` oversigned)
+  - Sign outbound mail with a sensible default header set
   - Verify one or many `DKIM-Signature` headers on a received message
-- Provider-agnostic mailbox abstraction (`mailsuite.mailbox`)
-  - Single `MailboxConnection` interface for IMAP, Microsoft Graph,
-    Gmail, and on-disk Maildir
-  - Unified `send_message()` on backends that support sending (Microsoft
-    Graph, Gmail) — IMAP and Maildir users send through
-    `mailsuite.smtp.send_email`
+- ARC (Authenticated Received Chain) sealing and verification
+  - Seal forwarded mail with an ARC set, extending an existing chain
+  - Verify the ARC chain on a received message and read its `cv` result
 
 ## Installation
 
@@ -48,6 +53,11 @@ Base install (IMAP, SMTP, DKIM, Maildir, parsing):
 pip install mailsuite
 ```
 
+If you would like to be able to parse Microsoft Outlook `.msg` files, install
+`msgconvert`. On Debian-based Linux distributions, `msgconvert` can be installed
+via `sudo apt-get install libemail-outlook-message-perl`. Other systems can use
+`cpan -i Email::Outlook::Message`.
+
 The Microsoft Graph and Gmail backends are optional extras — the cloud
 SDKs aren't pulled in unless you ask for them:
 
@@ -94,7 +104,7 @@ mailbox, grant `Mail.ReadWrite` and `Mail.Send`.
 
 Delegated flows (`DeviceCode`, `UsernamePassword`) targeting a shared
 mailbox — i.e. when the `mailbox` argument differs from `username` —
-use the `.Shared` variants. App-only flows (`ClientSecret`,
+use the `.Shared` variants. App-only flows (`ClientAssertion`, `ClientSecret`,
 `Certificate`) do not need the `.Shared` variants since application
 permissions span every mailbox in the tenant (unless restricted by an
 [Application Access Policy](https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access)).

{mailsuite-2.0.2 → mailsuite-2.2.0}/mailsuite/__init__.py

@@ -1,3 +1,3 @@
 """A Python package to simplify receiving, parsing, and sending email"""
 
-__version__ = "2.0.2"
+__version__ = "2.2.0"

mailsuite-2.2.0/mailsuite/arc.py

@@ -0,0 +1,207 @@
+"""Authenticated Received Chain (ARC) sealing and verification (RFC 8617)
+
+ARC lets a sequence of intermediaries (mailing lists, forwarders, gateways)
+record the email authentication results they observed, so that a later
+receiver can trust those results even when SPF/DKIM/DMARC break in transit.
+Each hop adds an *ARC set* of three header fields keyed by an instance
+number (``i=``):
+
+* ``ARC-Authentication-Results`` (AAR) — a snapshot of the
+  ``Authentication-Results`` this hop produced.
+* ``ARC-Message-Signature`` (AMS) — a DKIM-like signature over the message
+  as this hop saw it.
+* ``ARC-Seal`` (AS) — a signature over the ARC header fields, binding the
+  chain together and recording its cumulative validity (``cv=``).
+
+This module wraps ``dkimpy``'s ARC implementation behind an API shaped
+like :mod:`mailsuite.dkim`.
+"""
+
+import logging
+from typing import Any, Callable, List, Optional, Union
+
+import dkim as _dkim
+
+logger = logging.getLogger(__name__)
+logger.addHandler(logging.NullHandler())
+
+
+class ARCError(RuntimeError):
+    """Raised when an ARC error occurs"""
+
+
+def seal_email(
+    message: Union[str, bytes],
+    selector: str,
+    domain: str,
+    private_key: Union[str, bytes],
+    authserv_id: str,
+    signed_headers: Optional[List[str]] = None,
+    timestamp: Optional[int] = None,
+) -> Union[str, bytes]:
+    """
+    Adds an ARC set (seal) to an email and returns the sealed RFC 822 message
+
+    The new ARC set is prepended to the message. If the message already
+    carries one or more ARC sets, this adds the next instance and extends
+    the chain.
+
+    The message **must** contain an ``Authentication-Results`` header whose
+    authserv-id equals ``authserv_id`` — that is the authentication this hop
+    is attesting to, and it is copied into the ``ARC-Authentication-Results``
+    header. Per RFC 8617 the chain is sealed only when such results exist. If
+    none match — or, when extending an existing chain, the matching results
+    record no prior ARC result (``arc=``) to continue from — no ARC set is
+    produced and :class:`ARCError` is raised.
+
+    Args:
+        message: An RFC 822 message
+        selector: The DKIM selector for the sealing domain
+        domain: The sealing (ADMD) domain
+        private_key: A PEM-encoded RSA private key
+        authserv_id: The authentication-service identifier of this hop (the
+            authserv-id used in its ``Authentication-Results`` headers, often
+            the receiving host's name). Only ``Authentication-Results``
+            headers carrying this id are folded into the seal.
+        signed_headers: Header names the ``ARC-Message-Signature`` should
+            cover. Defaults to dkimpy's recommended set — the headers present
+            in the message that it lists as SHOULD-sign (``From``, ``To``,
+            ``Cc``, ``Subject``, ``Date``, ``Message-ID``, the ``List-*``
+            headers, etc.), with ``From`` oversigned. ``From`` must be
+            included.
+        timestamp: The ``t=`` value (epoch seconds) stamped into the AMS and
+            AS. Defaults to the current time.
+
+    Returns: The sealed RFC 822 message. The return type matches the input
+        type — ``str`` in, ``str`` out; ``bytes`` in, ``bytes`` out.
+
+    Raises:
+        ARCError: If the message has no matching ``Authentication-Results``
+            header (nothing to seal), an existing chain cannot be continued,
+            or the inputs are otherwise malformed (e.g. ``From`` is not
+            signed).
+    """
+    if isinstance(message, str):
+        message_bytes: bytes = message.encode("utf-8")
+    else:
+        message_bytes = bytes(message)
+
+    if isinstance(private_key, str):
+        private_key_bytes: bytes = private_key.encode("ascii")
+    else:
+        private_key_bytes = bytes(private_key)
+
+    sign_kwargs = {"timestamp": timestamp, "logger": logger}
+    if signed_headers is not None:
+        sign_kwargs["include_headers"] = [
+            header.encode("ascii") for header in signed_headers
+        ]
+
+    try:
+        arc_set = _dkim.arc_sign(
+            message_bytes,
+            selector.encode("ascii"),
+            domain.encode("ascii"),
+            private_key_bytes,
+            authserv_id.encode("ascii"),
+            **sign_kwargs,
+        )
+    except _dkim.DKIMException as e:
+        raise ARCError(str(e))
+
+    if not arc_set:
+        raise ARCError(
+            f"No ARC set produced: no Authentication-Results header for "
+            f"authserv_id {authserv_id!r} was found, or the existing chain "
+            f"is terminated"
+        )
+
+    sealed = b"".join(arc_set) + message_bytes
+    if isinstance(message, str):
+        return sealed.decode("utf-8", errors="replace")
+    return sealed
+
+
+def verify_arc_chain(
+    message: Union[str, bytes],
+    minkey: int = 1024,
+    dns_func: Optional[Callable[[str], bytes]] = None,
+) -> dict:
+    """
+    Verifies the ARC chain on an RFC 822 message
+
+    The chain validation value (``cv``) summarises the whole chain:
+
+    * ``"pass"`` — every ARC set verified and the chain is intact.
+    * ``"none"`` — the message is not ARC sealed.
+    * ``"fail"`` — the chain is broken (a signature did not verify, a seal
+      reported failure, or an instance reported an invalid status).
+
+    Per RFC 8617 the most recent ``ARC-Message-Signature`` must validate and
+    every ``ARC-Seal`` in the chain must validate for a ``"pass"``.
+
+    Args:
+        message: An RFC 822 message
+        minkey: The minimum acceptable RSA key size in bits
+        dns_func: An optional function taking a DNS name and returning the
+            raw TXT record value as bytes. Useful for testing or for using a
+            custom resolver. Defaults to dkimpy's built-in resolver.
+
+    Returns: A dict with the following keys:
+
+        - ``valid`` (``bool``): ``True`` only when ``cv`` is ``"pass"``
+        - ``cv`` (``str``): the chain validation value (``"pass"``,
+          ``"fail"``, or ``"none"``)
+        - ``reason`` (``str``): a human-readable explanation of the result
+        - ``instances`` (``list``): per-ARC-set results in ascending
+          instance order, each a dict with:
+
+          - ``instance`` (``int``): the ``i=`` instance number
+          - ``ams_domain`` (``str``): the AMS ``d=`` signing domain
+          - ``ams_selector`` (``str``): the AMS ``s=`` selector
+          - ``ams_valid`` (``bool``): whether the AMS verified
+          - ``as_domain`` (``str``): the AS ``d=`` signing domain
+          - ``as_selector`` (``str``): the AS ``s=`` selector
+          - ``as_valid`` (``bool``): whether the AS verified
+          - ``cv`` (``str``): the ``cv=`` value recorded in this AS
+    """
+    if isinstance(message, str):
+        message_bytes: bytes = message.encode("utf-8")
+    else:
+        message_bytes = bytes(message)
+
+    verify_kwargs = {"minkey": minkey, "logger": logger}
+    if dns_func is not None:
+        verify_kwargs["dnsfunc"] = dns_func
+    cv, results, reason = _dkim.arc_verify(message_bytes, **verify_kwargs)
+
+    def _decode(value: Any) -> Any:
+        if isinstance(value, bytes):
+            return value.decode("ascii", errors="replace")
+        return value
+
+    # arc_verify returns CV_Pass/CV_Fail/CV_None (bytes), or Python ``None``
+    # when a seal reported failure and terminated the chain — treat that as a
+    # failed chain.
+    cv_value = "fail" if cv is None else _decode(cv)
+
+    instances = [
+        {
+            "instance": result.get("instance"),
+            "ams_domain": _decode(result.get("ams-domain")),
+            "ams_selector": _decode(result.get("ams-selector")),
+            "ams_valid": bool(result.get("ams-valid")),
+            "as_domain": _decode(result.get("as-domain")),
+            "as_selector": _decode(result.get("as-selector")),
+            "as_valid": bool(result.get("as-valid")),
+            "cv": _decode(result.get("cv")),
+        }
+        for result in sorted(results, key=lambda r: r.get("instance", 0))
+    ]
+
+    return {
+        "valid": cv_value == "pass",
+        "cv": cv_value,
+        "reason": reason,
+        "instances": instances,
+    }

{mailsuite-2.0.2 → mailsuite-2.2.0}/mailsuite/imap.py

@@ -18,11 +18,11 @@ logger = logging.getLogger(__name__)
 
 
 class MaxRetriesExceeded(RuntimeError):
-    """Raised when the maximum number of retries in exceeded"""
+    """Raised when the maximum number of retries is exceeded"""
 
 
 def _chunks(list_like_object, n: int):
-    """Yield successive n-sized chunks from l."""
+    """Yield successive n-sized chunks from list_like_object."""
     for i in range(0, len(list_like_object), n):
         yield list_like_object[i : i + n]
 
@@ -34,14 +34,20 @@ class IMAPClient(imapclient.IMAPClient):
         self, folder_name: Union[str, bytes, bytearray, memoryview]
     ) -> str:
         """
-        Returns an appropriate path based on the namespace (if any) and
-        hierarchy separator
+        Translate a caller's ``/``-delimited folder path to the server's form.
+
+        The point of this method is that callers can always use ``/`` as the
+        hierarchy separator, even on servers whose native separator is
+        something else (e.g. ``.`` on some Dovecot/Courier setups): it maps
+        ``/`` onto the server's native separator and applies the
+        personal-namespace prefix, so the same folder paths work unchanged
+        across servers.
 
         Args:
-            folder_name: The path to correct
+            folder_name: A ``/``-delimited folder path
 
         Returns:
-            A corrected path
+            The path using the server's native separator and namespace prefix
         """
         if isinstance(folder_name, memoryview):
             folder_name = folder_name.tobytes()
@@ -69,8 +75,18 @@ class IMAPClient(imapclient.IMAPClient):
                 return result.decode("utf-8", "replace")
             return str(result)
 
-        folder_name = folder_name.replace(self._path_prefix, "")
+        # Strip only a leading namespace prefix before re-adding it below. An
+        # unanchored replace() would also delete the prefix where it appears
+        # inside the path, relocating the folder: with prefix "INBOX/",
+        # "Projects/INBOX/old" would normalize to "INBOX/Projects/old" instead
+        # of the correct "INBOX/Projects/INBOX/old".
+        if self._path_prefix and folder_name.startswith(self._path_prefix):
+            folder_name = folder_name[len(self._path_prefix):]
         if not self._hierarchy_separator == "/":
+            # Map the caller's "/" delimiter onto the server's native separator
+            # so "/" works regardless of what the server uses. (Any literal
+            # native-separator characters are dropped first, since "/" is the
+            # delimiter callers are expected to use.)
             folder_name = folder_name.replace(self._hierarchy_separator, "")
             folder_name = folder_name.replace("/", self._hierarchy_separator)
         folder_name = "{0}{1}".format(self._path_prefix, folder_name)
@@ -95,6 +111,9 @@ class IMAPClient(imapclient.IMAPClient):
         idle_callback(self)
         idle_start_time = time.monotonic()
         self.idle()
+        # Mark the loop active so a reconnect (reset_connection -> __init__)
+        # re-arms this loop in place instead of starting a nested IDLE loop.
+        self._idle_running = True
         while True:
             try:
                 # Refresh the IDLE session every 5 minutes to stay connected
@@ -113,7 +132,12 @@ class IMAPClient(imapclient.IMAPClient):
                         self.idle()
                     else:
                         for r in responses:
-                            if r[0] != 0 and r[1] == b"RECENT":
+                            # New mail is signalled by an untagged EXISTS (the
+                            # new message count); RECENT is optional and many
+                            # servers never send it, so react to either.
+                            if r[1] == b"EXISTS" or (
+                                r[1] == b"RECENT" and r[0] != 0
+                            ):
                                 self.idle_done()
                                 idle_callback(self)
                                 idle_start_time = time.monotonic()
@@ -122,13 +146,20 @@ class IMAPClient(imapclient.IMAPClient):
             except (KeyError, socket.error, BrokenPipeError, ConnectionResetError):
                 logger.debug("IMAP error: Connection reset")
                 self.reset_connection()
+                idle_callback(self)
+                idle_start_time = time.monotonic()
+                self.idle()
             except imapclient.exceptions.IMAPClientError as error:
                 error = error.__str__().lstrip("b'").rstrip("'").rstrip(".")
                 # Workaround for random Exchange/Microsoft 365 IMAP errors
                 if "unexpected response" in error or "BAD" in error:
                     self.reset_connection()
+                    idle_callback(self)
+                    idle_start_time = time.monotonic()
+                    self.idle()
             except KeyboardInterrupt:
                 break
+        self._idle_running = False
         try:
             self.idle_done()
         except BrokenPipeError:
@@ -168,8 +199,7 @@ class IMAPClient(imapclient.IMAPClient):
             max_retries: The maximum number of retries after a timeout
             initial_folder: The initial folder to select
             idle_callback: The function to call when new messages are detected
-            idle_timeout: Number of seconds to wait for an IDLE
-                                  response
+            idle_timeout: Number of seconds to wait for an IDLE response
             oauth2_token: A static OAuth2 access token. For long-running
                 connections (IDLE, reconnects after timeouts) prefer
                 ``oauth2_token_provider`` so a fresh token is fetched on
@@ -305,7 +335,10 @@ class IMAPClient(imapclient.IMAPClient):
         ) as error:
             error = error.__str__().lstrip("b'").rstrip("'").rstrip(".")
             raise imapclient.exceptions.IMAPClientError(error)
-        if idle_callback is not None:
+        # Skip starting IDLE if a loop is already running on this connection:
+        # reset_connection() re-runs __init__ from inside the loop, and a
+        # nested _start_idle would stack IDLE loops on every reconnect.
+        if idle_callback is not None and not getattr(self, "_idle_running", False):
             self._start_idle(idle_callback, idle_timeout=idle_timeout)
 
     def reset_connection(self):
@@ -436,7 +469,13 @@ class IMAPClient(imapclient.IMAPClient):
         )
         try:
             imapclient.IMAPClient.delete_messages(self, messages, silent=silent)
-            imapclient.IMAPClient.expunge(self, messages)
+            # Expunging specific UIDs (UID EXPUNGE) requires the UIDPLUS
+            # capability; on servers without it, fall back to a plain EXPUNGE,
+            # which removes all messages flagged \\Deleted in the folder.
+            if self.has_capability("UIDPLUS"):
+                imapclient.IMAPClient.expunge(self, messages)
+            else:
+                imapclient.IMAPClient.expunge(self)
         except (socket.timeout, imaplib.IMAP4.abort):
             _attempt = _attempt + 1
             if _attempt > self.max_retries:
@@ -503,16 +542,16 @@ class IMAPClient(imapclient.IMAPClient):
                             ",".join(str(uid) for uid in chunk), folder_path
                         )
                     )
-                    self.copy(msg_uids, folder_path)
-                    self.delete_messages(msg_uids)
+                    self.copy(chunk, folder_path)
+                    self.delete_messages(chunk)
             else:
                 logger.info(
                     "Moving message UID(s) {0} to {1} by copy".format(
                         ",".join(str(uid) for uid in chunk), folder_path
                     )
                 )
-                self.copy(msg_uids, folder_path)
-                self.delete_messages(msg_uids)
+                self.copy(chunk, folder_path)
+                self.delete_messages(chunk)
 
     def move_messages(
         self, msg_uids: Union[int, List[int]], folder_path: str, _attempt: int = 1

{mailsuite-2.0.2 → mailsuite-2.2.0}/mailsuite/mailbox/__init__.py

@@ -11,7 +11,11 @@ but referencing the class will surface a clear error if they aren't.
 
 from typing import TYPE_CHECKING
 
-from mailsuite.mailbox.base import MailboxConnection
+from mailsuite.mailbox.base import (
+    FolderExistsError,
+    FolderNotFoundError,
+    MailboxConnection,
+)
 from mailsuite.mailbox.imap import IMAPConnection
 from mailsuite.mailbox.maildir import MaildirConnection
 
@@ -21,6 +25,8 @@ if TYPE_CHECKING:
 
 __all__ = [
     "MailboxConnection",
+    "FolderExistsError",
+    "FolderNotFoundError",
     "IMAPConnection",
     "MaildirConnection",
     "MSGraphConnection",