Cassidy Larson wrote:
If you're using MySQL for your database driver you can easily use the TRIM() function in your query to strip off leading and ending whitespace characters. I do that and a "LCASE()" to forcehttp://dev.mysql.com/doc/refman/5.0/en/string-functions.html#function_trimthe usernames to lowercase in the query.
Yes, I tried that. MySQL(4.x) actually returns the same for
SELECT * WHERE user='this@that ' and SELECT * WHERE user='this@that'
so TRIM() is only necessary if the values are CONCAT'd.
This is really just an issue with invalid chars in the username. And it's a rather small issue, but for some reason a ton of our clients who use Exchange all have spaces at the end of their usernames.
As long as having a <space> in username_chars isn't going to open me up to any exploits (I can't imagine how) I'll stick with it.
I spoke too soon. Dovecot still complains about the invalid character. While
testing I had forgotten to update to remove <space> from username_chars. I should have known really, since the invalid chars check is done before var_expand() in auth_request_fix_username().
Any other ideas? Adding <space> to the username_chars list doesn't seem like a security threat, but honestly I don't know much about that.
David
### From the log:
dovecot: auth(default): client in: AUTH 1 LOGIN service=smtp resp=ZGpvbmFzQHZpdGFsd2Vya3MuY29tIA== dovecot: auth(default): auth(?): Invalid username: djonas@vitalwerks.com dovecot: auth(default): login(?): Username contains disallowed character: 0x20 dovecot: auth(default): client out: FAIL 1
# dovecot -n # 1.1.rc5: /usr/local/dovecot-1.1/etc/dovecot-auth.conf ... disable_plaintext_auth: no ... auth default: mechanisms: login plain cram-md5 ... username_chars: abcdefghijklmnopqrstuvwxyzDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ABC username_translation: %@ username_format: %LTu verbose: yes debug: yes debug_passwords: yes passdb: driver: sql args: /usr/local/dovecot-1.1/etc/dovecot-sql.conf userdb: driver: prefetch socket: type: listen client: path: /var/spool/postfix-smtp-auth/private/auth mode: 432 user: postfix group: postfix
-- No-IP.com