Accentuated email addresses stored in LDAP
Hello everyone,
I have successfully set up Dovecot with an LDAP backend, and everything works like a charm, except one small use case.
I know it is possible, so if anyone knows a solution, thank you!
Basically, I just want to send an email to one of my email address, which contains an accent, i.e. andré@homebox.space....
Every other alias works, but not those with accents. They are correctly stored in the LDAP database, using base64.
I suspect I would need to use base64 again before the lookup, but I don't know how to do it, or if it is even possible.
My filter is set up as this:
filter=(&(objectClass=posixAccount)(|(uid=%n)(mail=%u)(mailLocalAddress=%u)))
It works perfectly for any email without accent.
Thanks for your help.
Mar 18 22:14:28 homebox dovecot[24636]: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Mar 18 22:14:28 homebox dovecot[24636]: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Mar 18 22:14:28 homebox dovecot[24636]: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Mar 18 22:14:28 homebox dovecot[24636]: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Mar 18 22:14:28 homebox dovecot[24636]: auth: Debug: LDAP initialization took 7 msecs
Mar 18 22:14:28 homebox dovecot[24636]: auth: Debug: auth client connected (pid=0)
Mar 18 22:14:28 homebox dovecot[24636]: quota-status(andré@homebox.space): Debug: Loading modules from directory: /usr/lib/dovecot/modules
Mar 18 22:14:28 homebox dovecot[24636]: quota-status(andré@homebox.space): Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Mar 18 22:14:28 homebox dovecot[24636]: auth: Debug: master in: USER 1 andré@homebox.space service=quota-status
Mar 18 22:14:28 homebox dovecot[24636]: auth: Debug: ldap(andré@homebox.space): user search: base=dc=homebox,dc=space scope=subtree filter=(&(objectClass=posixAccount)(|(uid=andré)(mailLocalAddress=andré@homebox.space))) fields=homeDirectory,uidNumber,gidNumber,mail
Mar 18 22:14:28 homebox dovecot[24636]: auth: Debug: ldap(andré@homebox.space): no fields returned by the server
Mar 18 22:14:28 homebox dovecot[24636]: auth: ldap(andré@homebox.space): unknown user
Mar 18 22:14:28 homebox dovecot[24636]: auth: Debug: userdb out: NOTFOUND 1
Mar 18 22:14:28 homebox dovecot[24636]: quota-status(andré@homebox.space): Debug: auth USER input:
Mar 18 22:14:28 homebox postfix/smtpd[24734]: NOQUEUE: reject: RCPT from smtpfr.rodier.me[164.132.53.161]: 554 5.7.1 <andré@homebox.space>: Recipient address rejected: Unknown user; from=<root@smtpuk.rodier.me> to=<andré@homebox.space> proto=ESMTP helo=<smtpuk.rodier.me>
Mar 18 22:14:28 homebox postfix/smtpd[24734]: disconnect from smtpfr.rodier.me[164.132.53.161] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6
On 19.03.2018 07:58, Alexander Dalloz wrote:
On 18.03.2018 at 23:25, André Rodier wrote:
Every other alias works, but not those with accents. They are correctly stored in the LDAP database, using base64.
Why do you even think a character like 'é' would be legal in the local part of an email address?
Alexander
Hi!
This is slightly more complicated than that. UTF-8 is a legal part of the local part of an email address if SMTPUTF8 is used (as per RFC 6532). Dovecot does not yet fully support UTF-8 in certain parts; in particular, we do not yet support RFC 6855 (IMAP Support for UTF-8), but we are working on getting that to work, after which you can log in with UTF-8 usernames and passwords reliably.
Aki
On 19/03/18 06:30, Aki Tuomi wrote:
Thank you, Aki,
Does it mean Dovecot LMTP supports querying the LDAP server using UTF-8 characters?
In this case, the problem might not be Dovecot, but OpenLDAP.
I had to use base64 encoding to store email addresses, because they are rejected otherwise, with an error message about illegal characters. I also noticed that some of the fields, like 'dn' and 'cn', were automatically encoded in base64 when stored if they included accented characters.
Regarding logging in with international characters, I have not tested it yet, but I am happy to test and to provide feedback if you are interested.
Thanks again for this excellent software, I have been using it for more than a decade, now...
Kind regards, André
On Mon, 19 Mar 2018, André Rodier wrote:
I had to use base64 encoding to store email addresses, because they are rejected otherwise, with an error message of illegal characters. I also
you are using the stock "mail" attribute in LDAP as:
olcAttributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) DESC 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
http://www.oid-info.com/get/1.3.6.1.4.1.1466.115.121.1.26 https://en.wikipedia.org/wiki/IA5STRING IA5 :- 7bit
noticed that some of the fields, like 'dn' and 'cn' where automatically encoded in base64 when stored when including accentuated chars.
You mean when you use ldapsearch or a similar tool to export data? LDIF traditionally encodes all data in 7-bit ASCII, which is noted by the double "::" after the LDAP attribute name. The data in LDAP is UTF-8, and binary connections need not encode it either.
Steffen Kaiser
On 19/03/2018 07:23, Steffen Kaiser wrote:
Hello Steffen,
Thank you for your answer.
In fact, I am using the otherMailBox attribute, from the standard OpenLDAP distribution, which is also IA5String.
- Is there any way in Dovecot to encode the fields in base64 to send queries? As the query is "eq", this would be enough, I think.
- Or is the LDAP server supposed to store attributes as UTF-8, and in this case, how do I configure it that way?
Thanks!
# RFC1274: Cosine and Internet X.500 schema:
#   9.3.18.  Other Mailbox
#
#   The Other Mailbox attribute type specifies values for electronic
#   mailbox types other than X.400 and rfc822.
#
#       otherMailbox ATTRIBUTE
#               WITH ATTRIBUTE-SYNTAX
#               SEQUENCE {
#                       mailboxType PrintableString, -- e.g. Telemail
#                       mailbox     IA5String    -- e.g. X378:Joe
#               }
#       ::= {pilotAttributeType 22}
#
attributetype ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.39 )
On Mon, 19 Mar 2018, Andre Rodier wrote:
In fact, I am using the otherMailBox attribute, from the standard OpenLDAP distribution, which is also IA5String.
- Is there any way in Dovecot to encode the fields in base64 to send queries? As the query is "eq", this would be enough, I think.
Check out: https://wiki2.dovecot.org/Variables?highlight=(base64)
However, I never used this modifier, and Aki pointed out that UTF-8 usernames are not (100%) supported yet.
- Or is the LDAP server supposed to store attributes as UTF-8, and in this case, how do I configure it that way?
To achieve this, you must/can extend the schema with your own attribute that uses:
https://www.ldap.com/understanding-ldap-schema
"Directory String
"The directory string syntax is basically a catch-all syntax for UTF-8 strings. It allows values with this syntax to have any combination of one or more UTF-8 characters (empty directory string values are not allowed, although some directory servers ignore this constraint).
"The directory string syntax is defined in RFC 4517 section 3.3.6, and has an OID of "1.3.6.1.4.1.1466.115.121.1.15"."
Otherwise, you could _misuse_ an existing attribute of this type that is otherwise unused in your directory.
Steffen Kaiser
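Steffen's two points, that the stock mail/otherMailbox attributes carry the 7-bit IA5String syntax while Directory String accepts any UTF-8 value, and that the "::" base64 seen in ldapsearch output is only LDIF transport encoding, can be checked with the following added Python example (not code from this thread, from Dovecot or from OpenLDAP). The syntax OIDs are the ones quoted above and andré@homebox.space is the address from the original post; the LDIF safe-string rule is a simplified version of RFC 2849.

```python
from __future__ import annotations
import base64
import re

# Syntax OIDs quoted in the thread: IA5String is 7-bit ASCII, Directory String is UTF-8.
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"


def value_fits_syntax(value: str, syntax_oid: str) -> bool:
    """True if `value` is a legal value for the given LDAP attribute syntax.

    This mirrors the server-side check behind the 'illegal characters' error:
    'andré' fails IA5String (a code point >= 128) but is a valid Directory String.
    """
    if syntax_oid == IA5_STRING:
        return all(ord(ch) < 128 for ch in value)
    if syntax_oid == DIRECTORY_STRING:
        return len(value) > 0          # any non-empty UTF-8 string
    raise ValueError(f"unknown syntax OID {syntax_oid}")


def ldif_attr_line(name: str, value: str) -> str:
    """Serialise one attribute the way ldapsearch/LDIF output does.

    LDIF is 7-bit: a value with non-ASCII bytes (or an unsafe leading/trailing
    character, simplified RFC 2849 rule) is written base64-encoded after '::'.
    This is transport encoding only; the directory stores the UTF-8 bytes.
    """
    raw = value.encode("utf-8")
    safe = (raw.isascii() and not raw.startswith((b" ", b":", b"<"))
            and not raw.endswith(b" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"


def parse_ldif_attr_line(line: str) -> tuple[str, str]:
    """Inverse of ldif_attr_line: turn a '::' base64 value back into UTF-8."""
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(::?) ?(.*)", line)
    if not m:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    name, sep, payload = m.groups()
    if sep == "::":
        return name, base64.b64decode(payload).decode("utf-8")
    return name, payload
```

Running `ldif_attr_line("mail", "andré@homebox.space")` yields a `mail::` line whose base64 decodes back to the UTF-8 address, which is what an LDIF export shows for a Directory String value that was never base64-encoded inside the directory.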
On 20/03/2018 08:00, Steffen Kaiser wrote:
Thank you, Steffen, this is a great link.
I am probably going to keep this attribute, and use base64, for now.
Kind regards, Andre
On Sun, 18 Mar 2018, André Rodier wrote:
Every other alias works, but not those with accents. They are correctly stored in the LDAP database, using base64.
Despite Aki's answer about whether it works at all, I would expect the encoding in LDAP to be UTF-8 instead of base64.
Steffen Kaiser
Participants (5): Aki Tuomi, Alexander Dalloz, Andre Rodier, André Rodier, Steffen Kaiser