Bug: Shared Mailbox - Case Sensitivity
Hi,
unfortunately I found a bug in Dovecot's ACL handling for shared mailboxes. It turns out Dovecot doesn't enforce lower casing the privileged username to whom the mailbox should be shared to. This results in a invalid configuration. Users get confused, since they passed on a valid email address in their ACL setup.
/usr/local/www/default/mail/test@mydomain.localdomain/maildir/.Spam/dovecot-acl user=leander@mydomain.localdomain eilrwts ^^ works
/usr/local/www/default/mail/leander@mydomain.localdomain/maildir/dovecot-acl user=test@mydomain.localdomain eilrwts ^^ works
/usr/local/www/default/mail/test@mydomain.localdomain/maildir/.Drafts/dovecot-acl user=Leander@MyDomain.LocalDomain eilrwts ^^ Doesn't work
Best regards Leander Schäfer
On 16.09.2016 12:54, Leander Schäfer wrote:
Hi,
unfortunately I found a bug in Dovecot's ACL handling for shared mailboxes. It turns out Dovecot doesn't enforce lower casing the privileged username to whom the mailbox should be shared to. This results in a invalid configuration. Users get confused, since they passed on a valid email address in their ACL setup.
/usr/local/www/default/mail/test@mydomain.localdomain/maildir/.Spam/dovecot-acl
user=leander@mydomain.localdomain eilrwts ^^ works
/usr/local/www/default/mail/leander@mydomain.localdomain/maildir/dovecot-acl
user=test@mydomain.localdomain eilrwts ^^ works
/usr/local/www/default/mail/test@mydomain.localdomain/maildir/.Drafts/dovecot-acl
user=Leander@MyDomain.LocalDomain eilrwts ^^ Doesn't work
Best regards Leander Schäfer
Hi! Did you know you can use %Lu instead of %u to force lowercasing?
Aki
On 9/16/2016 6:53 AM, Aki Tuomi aki.tuomi@dovecot.fi wrote:
On 16.09.2016 12:54, Leander Schäfer wrote:
user=Leander@MyDomain.LocalDomain eilrwts ^^ Doesn't work
Hi! Did you know you can use %Lu instead of %u to force lowercasing?
In my opinion this should be the default...
Hi Aki,
Thanks for your advice. Yes, I'm aware of this. Yet lowercasing should be the default since Dovecot 2.1.x., isn't it? Yet I wouldn't know where exactly to implement this %L, since the ACLs are set through IMAP commands through the users mailclient like Thunderbird. So in other words, the email address to whom the user want to grant ACLs provided by the user's mailclient, has nothing to do with my auth backend where e.g. %u => %Lu would apply. PLease correct me if I'm wrong here.
It clearly looks like a bug of the internal processing of the "dovecot-acl-list" files. It simply lacks on a lowercase enforcement in the code, like it already seems to do for the "dovecot-acl" file.
Best regards
Leander Schäfer
Am 16.09.16 um 12:53 schrieb Aki Tuomi:
On 16.09.2016 12:54, Leander Schäfer wrote:
Hi,
unfortunately I found a bug in Dovecot's ACL handling for shared mailboxes. It turns out Dovecot doesn't enforce lower casing the privileged username to whom the mailbox should be shared to. This results in a invalid configuration. Users get confused, since they passed on a valid email address in their ACL setup.
/usr/local/www/default/mail/test@mydomain.localdomain/maildir/.Spam/dovecot-acl
user=leander@mydomain.localdomain eilrwts ^^ works
/usr/local/www/default/mail/leander@mydomain.localdomain/maildir/dovecot-acl
user=test@mydomain.localdomain eilrwts ^^ works
/usr/local/www/default/mail/test@mydomain.localdomain/maildir/.Drafts/dovecot-acl
user=Leander@MyDomain.LocalDomain eilrwts ^^ Doesn't work
Best regards Leander Schäfer Hi! Did you know you can use %Lu instead of %u to force lowercasing?
Aki
Am I missing something, or might this be a bug as it seems to me?
Am 16.09.16 um 14:21 schrieb Leander Schäfer:
Hi Aki,
Thanks for your advice. Yes, I'm aware of this. Yet lowercasing should be the default since Dovecot 2.1.x., isn't it? Yet I wouldn't know where exactly to implement this %L, since the ACLs are set through IMAP commands through the users mailclient like Thunderbird. So in other words, the email address to whom the user want to grant ACLs provided by the user's mailclient, has nothing to do with my auth backend where e.g. %u => %Lu would apply. PLease correct me if I'm wrong here.
It clearly looks like a bug of the internal processing of the "dovecot-acl-list" files. It simply lacks on a lowercase enforcement in the code, like it already seems to do for the "dovecot-acl" file.
Best regards
Leander Schäfer
Am 16.09.16 um 12:53 schrieb Aki Tuomi:
On 16.09.2016 12:54, Leander Schäfer wrote:
Hi,
unfortunately I found a bug in Dovecot's ACL handling for shared mailboxes. It turns out Dovecot doesn't enforce lower casing the privileged username to whom the mailbox should be shared to. This results in a invalid configuration. Users get confused, since they passed on a valid email address in their ACL setup.
/usr/local/www/default/mail/test@mydomain.localdomain/maildir/.Spam/dovecot-acl
user=leander@mydomain.localdomain eilrwts ^^ works
/usr/local/www/default/mail/leander@mydomain.localdomain/maildir/dovecot-acl
user=test@mydomain.localdomain eilrwts ^^ works
/usr/local/www/default/mail/test@mydomain.localdomain/maildir/.Drafts/dovecot-acl
user=Leander@MyDomain.LocalDomain eilrwts ^^ Doesn't work
Best regards Leander Schäfer Hi! Did you know you can use %Lu instead of %u to force lowercasing?
Aki
participants (3)
-
Aki Tuomi
-
Leander Schäfer
-
Tanstaafl