[Dovecot] Trim trailing whitespace from username

David Jonas djonas at vitalwerks.com
Thu May 29 02:12:54 EEST 2008


Cassidy Larson wrote:
> If you're using MySQL for your database driver you can easily use the TRIM()
> function in your query to strip off leading and ending whitespace
> characters. I do that and a "LCASE()" to
> force<http://dev.mysql.com/doc/refman/5.0/en/string-functions.html#function_trim>the
> usernames to lowercase in the query.

Yes, I tried that. MySQL(4.x) actually returns the same for

  SELECT * WHERE user='this at that '
   and
  SELECT * WHERE user='this at that'

so TRIM() is only necessary if the values are CONCAT'd.

This is really just an issue with invalid chars in the username. And 
it's a rather small issue, but for some reason a ton of our clients who 
use Exchange all have spaces at the end of their usernames.

As long as having a <space> in username_chars isn't going to open me up 
to any exploits (I can't imagine how) I'll stick with it.


> I spoke too soon. Dovecot still complains about the invalid character. While
>> testing I had forgotten to update to remove <space> from username_chars. I
>> should have known really, since the invalid chars check is done before
>> var_expand() in auth_request_fix_username().
>>
>> Any other ideas? Adding <space> to the username_chars list doesn't seem
>> like a security threat, but honestly I don't know much about that.
>>
>> David
>>
>> ### From the log:
>>
>> dovecot: auth(default): client in: AUTH 1       LOGIN   service=smtp
>> resp=ZGpvbmFzQHZpdGFsd2Vya3MuY29tIA==
>> dovecot: auth(default): auth(?): Invalid username: djonas at vitalwerks.com
>> dovecot: auth(default): login(?): Username contains disallowed character:
>> 0x20
>> dovecot: auth(default): client out: FAIL        1
>>
>> # dovecot -n
>> # 1.1.rc5: /usr/local/dovecot-1.1/etc/dovecot-auth.conf
>> ...
>> disable_plaintext_auth: no
>> ...
>> auth default:
>>  mechanisms: login plain cram-md5
>> ...
>>  username_chars:
>> abcdefghijklmnopqrstuvwxyzDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_ at ABC
>>  username_translation: %@
>>  username_format: %LTu
>>  verbose: yes
>>  debug: yes
>>  debug_passwords: yes
>>  passdb:
>>    driver: sql
>>    args: /usr/local/dovecot-1.1/etc/dovecot-sql.conf
>>  userdb:
>>    driver: prefetch
>>  socket:
>>    type: listen
>>    client:
>>      path: /var/spool/postfix-smtp-auth/private/auth
>>      mode: 432
>>      user: postfix
>>      group: postfix
>>
>>
> 

-- 
No-IP.com


More information about the dovecot mailing list