On 17/04/24 00:51, John Stoffel via dovecot wrote:
"Peter" == Peter via dovecot dovecot@dovecot.org writes:
On 14/04/24 12:09, John Stoffel via dovecot wrote:
I think you need to update both places, so that your username and password checks are done with lowercase usernames.
Generally speaking you want auth to be case-sensitive, but go ahead and try it to see if it fixes the issue.
Umm... not for emails you don't. Since the john@stoffel.org and JOHN@stoffel.org and JOHN@STOFFEL.ORG are all the same email address... should they be different logins? Not for email...
There is a difference between expecting $random_stranger to get the case correct on an email address and expecting a user to get his own email address correct for the purpose of logging in, also keeping in mind that the user will generally get it entered *once* in their MUA and the MUA will store it for future logins expecting the case to be correct is not a huge ask in this scenario.
Also keep in mind that the username is not always going to be the same as the email address, in fact Dovecot is perfectly capable of having usernames that are entirely different to the email address that is associated with them.
In general, usernames should NOT be case sensitive, that way leads madness. Passwords on the other hand...
Both usernames and passwords are part of the authentication credentials. When you allow any authentication credential to be case-insensitive then you decrease the difficulty of any brute-force attack by quite a bit. There is no good reason to make usernames case-insensitive and very good reasons not to.
Peter