[Dovecot] Trim trailing whitespace from username
David Jonas
djonas at vitalwerks.com
Thu May 29 02:12:54 EEST 2008
Cassidy Larson wrote:
> If you're using MySQL for your database driver you can easily use the TRIM()
> function in your query to strip off leading and ending whitespace
> characters. I do that and a "LCASE()" to force the usernames to lowercase
> in the query.
> <http://dev.mysql.com/doc/refman/5.0/en/string-functions.html#function_trim>
Yes, I tried that. MySQL (4.x) actually returns the same for
SELECT * WHERE user='this at that '
and
SELECT * WHERE user='this at that'
so TRIM() is only necessary if the values are CONCAT'd.
This is really just an issue with invalid chars in the username. And
it's a rather small issue, but for some reason a ton of our clients who
use Exchange all have spaces at the end of their usernames.
As long as having a <space> in username_chars isn't going to open me up
to any exploits (I can't imagine how) I'll stick with it.
>> I spoke too soon. Dovecot still complains about the invalid character. While
>> testing I had forgotten to update to remove <space> from username_chars. I
>> should have known really, since the invalid chars check is done before
>> var_expand() in auth_request_fix_username().
>>
>> Any other ideas? Adding <space> to the username_chars list doesn't seem
>> like a security threat, but honestly I don't know much about that.
>>
>> David
>>
>> ### From the log:
>>
>> dovecot: auth(default): client in: AUTH 1 LOGIN service=smtp
>> resp=ZGpvbmFzQHZpdGFsd2Vya3MuY29tIA==
>> dovecot: auth(default): auth(?): Invalid username: djonas at vitalwerks.com
>> dovecot: auth(default): login(?): Username contains disallowed character:
>> 0x20
>> dovecot: auth(default): client out: FAIL 1
>>
>> # dovecot -n
>> # 1.1.rc5: /usr/local/dovecot-1.1/etc/dovecot-auth.conf
>> ...
>> disable_plaintext_auth: no
>> ...
>> auth default:
>> mechanisms: login plain cram-md5
>> ...
>> username_chars:
>> abcdefghijklmnopqrstuvwxyzDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_ at ABC
>> username_translation: %@
>> username_format: %LTu
>> verbose: yes
>> debug: yes
>> debug_passwords: yes
>> passdb:
>> driver: sql
>> args: /usr/local/dovecot-1.1/etc/dovecot-sql.conf
>> userdb:
>> driver: prefetch
>> socket:
>> type: listen
>> client:
>> path: /var/spool/postfix-smtp-auth/private/auth
>> mode: 432
>> user: postfix
>> group: postfix
>>
>>
>
--
No-IP.com
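
An added diagnostic, not part of the original message and not Dovecot code: it decodes the `resp=` value from `client in: AUTH ... LOGIN` debug lines like the one quoted above and reports which characters fall outside the allowed set, and whether trimming whitespace alone would make the username valid. The allowed set, the function names and the sample lines are assumptions constructed for this example.

```python
import base64
import re

# Allowed set modelled on the username_chars value in the quoted config,
# reading the archive's " at " as "@" (an assumption of this example).
USERNAME_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@")

# "client in: AUTH <id> LOGIN ... resp=<base64>" as in the quoted debug log.
AUTH_RE = re.compile(r"client in: AUTH\s+(\d+)\s+LOGIN\b.*?\bresp=(\S+)")


def audit_login_lines(log_text):
    """Return a finding for each LOGIN request whose username has disallowed chars."""
    # The log in the mail is wrapped (and quoted) before "resp=": re-join it.
    joined = re.sub(r"\n[>\s]*(?=resp=)", " ", log_text)
    findings = []
    for req_id, resp in AUTH_RE.findall(joined):
        try:
            username = base64.b64decode(resp, validate=True).decode("utf-8")
        except ValueError:  # bad base64 or bad UTF-8
            findings.append({"id": req_id, "username": None,
                             "bad": ["undecodable"], "trimmed_ok": False})
            continue
        bad = sorted({"0x%02x" % ord(c) for c in username
                      if c not in USERNAME_CHARS})
        if bad:
            trimmed = username.strip()
            findings.append({
                "id": req_id, "username": username, "bad": bad,
                # True when stripping whitespace alone yields a valid name.
                "trimmed_ok": bool(trimmed)
                and all(c in USERNAME_CHARS for c in trimmed)})
    return findings


def _line(req_id, username):
    """Build a constructed log line in the quoted format."""
    resp = base64.b64encode(username.encode()).decode()
    return ("dovecot: auth(default): client in: AUTH %d LOGIN service=smtp\n"
            "resp=%s\n" % (req_id, resp))


# Constructed sample input: trailing space, clean name, embedded NUL.
SAMPLE_LOG = (_line(1, "alice@example.com ") + _line(2, "bob@example.com")
              + _line(3, "eve@example.com\x00x"))

if __name__ == "__main__":
    for f in audit_login_lines(SAMPLE_LOG):
        print(f)
```

A finding with `trimmed_ok` set to false means the username contains something other than stray surrounding whitespace, which is the case worth looking at before widening `username_chars`.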