[Dovecot] Case sensitive nightmare

Erik Petersen cthree at s2ki.com
Mon Dec 12 02:34:35 EET 2005


It took me 4 days to figure this out and I sure hope someone can help me
solve it.

My Setup: Postfix + MySQL + dovecot

dovecot.conf:

default_mail_env = maildir:/var/spool/vmail/%d/%n/Maildir
password_query = SELECT password FROM mailbox WHERE username='%u'
user_query = SELECT maildir, 108 AS uid, 108 AS gid FROM mailbox WHERE username='%u'

The virtual host schema is postfix.admin compatible but I'm not using it
(phpMyAdmin is actually easier to use).

When foo at domain.tld, a brand new account, logs in using an IMAP client (any
client; squirrelmail, OE, tbird, Apple...) a maildir is created named
'domain.tld/foo/Maildir' and everything is good. Now I log in as
Foo at domain.tld and then as fOo at domain.tld and then as foO at domain.tld and so
on for every case variation. Each of these accounts can login correctly,
they are seen as being the same account by dovecot. On the other hand they
are not seen as being the same mailbox! When I check my mail spool I see one
maildir for every case variation (domain.tld/foo/Maildir,
domain.tld/FOO/Maildir, etc.)

It would seem to me that the queries above would fail for the different
variations of the name but they don't seem to. Is dovecot converting %u to
lower case for the query on the virtual users table but then using it
unconverted when looking up the Maildir for the account? If the username
column has the value 'foo at domain.tld' how does SELECT * FROM table WHERE
username='FOO at domain.tld' match the row?

Also puzzling is that I select a column named maildir which has the path to
the mailbox in it (using the correct case). Even if SELECT 'pigs fly' AS
when WHERE 'FoO'='foo' the maildir path for the account is being returned
which is 'domain.tld/foo/Maildir' so how does 'domain.tld/FoO/Maildir' get
created?

This is both a pain in the nuts support nightmare but also a security
problem (albeit fairly limited). An account named "barneyrubble" could
generate a significant number of maildir directories if you logged in with
every variation thereof.

Any assistance would be greatly appreciated.
Thanks
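
The behaviour described in this post, reproduced as an added example (not part of the original message and not Dovecot code): MySQL's default collations compare strings case-insensitively, so every case variant of the login matches the same row, while %d and %n are expanded from the login name as the client typed it. SQLite with COLLATE NOCASE stands in for MySQL, the table row is constructed, and the `normalize` option is an assumed mitigation that lowercases the name once before lookup and path expansion.

```python
import sqlite3
from itertools import product

# default_mail_env value quoted in the post
MAIL_ENV = "maildir:/var/spool/vmail/%d/%n/Maildir"

def make_db():
    # SQLite stand-in for the MySQL mailbox table. COLLATE NOCASE models a
    # case-insensitive (_ci) MySQL collation. The row is constructed sample data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailbox (username TEXT COLLATE NOCASE,"
               " password TEXT, maildir TEXT)")
    db.execute("INSERT INTO mailbox VALUES"
               " ('foo@domain.tld', 'secret', 'domain.tld/foo/Maildir')")
    return db

def expand(template, login_name):
    # %n = user part, %d = domain part, taken from the name exactly as given
    n, _, d = login_name.partition("@")
    return template.replace("%d", d).replace("%n", n)

def login(db, user, normalize=False):
    """Return the mail location used for this login, or None if no row matches."""
    if normalize:
        user = user.lower()  # assumed mitigation: fold case before any use
    row = db.execute("SELECT password FROM mailbox WHERE username = ?",
                     (user,)).fetchone()
    return expand(MAIL_ENV, user) if row else None

def case_variants(name):
    # Every upper/lower combination of the letters in name
    return {"".join(p) for p in product(*[(c.lower(), c.upper()) for c in name])}

def maildirs_created(db, local, domain, normalize=False):
    # Distinct mail locations produced by logging in with each case variant
    paths = {login(db, f"{v}@{domain}", normalize) for v in case_variants(local)}
    return paths - {None}

if __name__ == "__main__":
    db = make_db()
    print("as typed:  ", len(maildirs_created(db, "foo", "domain.tld")))
    print("normalized:", len(maildirs_created(db, "foo", "domain.tld", True)))
    print("variants of barneyrubble:", len(case_variants("barneyrubble")))
```
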