[Dovecot] Trim trailing whitespace from username

David Jonas djonas at vitalwerks.com
Thu May 29 01:40:38 EEST 2008


Timo Sirainen wrote:
> On Fri, 2008-05-16 at 00:48 -0700, David Jonas wrote:
>> Recently we changed Postfix to use Dovecot for our SASL authentication 
>> and we ran into trouble with some of our clients having extraneous 
>> spaces at the end of their usernames. The quick fix was to add a space 
>> to username_chars. The slightly longer fix was a pretty simple patch to 
>> Dovecot. I put the trimming in auth_request_fix_username. I didn't think 
>> it warranted a full strfuncs function.
>>
>> If there is a better way to do this I'm all ears. I don't really like 
>> patching with my own code, even if I did essentially steal it from the 
>> kernel's strstrip().
> 
> How about this: http://hg.dovecot.org/dovecot-1.1/rev/15ddb7513e2d
> 
> Then you can use auth_username_format = %Tu

I spoke too soon. Dovecot still complains about the invalid character. 
While testing I had forgotten to update to remove <space> from 
username_chars. I should have known really, since the invalid chars 
check is done before var_expand() in auth_request_fix_username().

Any other ideas? Adding <space> to the username_chars list doesn't seem 
like a security threat, but honestly I don't know much about that.

David

### From the log:

dovecot: auth(default): client in: AUTH 1       LOGIN   service=smtp resp=ZGpvbmFzQHZpdGFsd2Vya3MuY29tIA==
dovecot: auth(default): auth(?): Invalid username: djonas at vitalwerks.com
dovecot: auth(default): login(?): Username contains disallowed character: 0x20
dovecot: auth(default): client out: FAIL        1

# dovecot -n
# 1.1.rc5: /usr/local/dovecot-1.1/etc/dovecot-auth.conf
...
disable_plaintext_auth: no
...
auth default:
   mechanisms: login plain cram-md5
...
   username_chars: 
abcdefghijklmnopqrstuvwxyzDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_ at ABC
   username_translation: %@
   username_format: %LTu
   verbose: yes
   debug: yes
   debug_passwords: yes
   passdb:
     driver: sql
     args: /usr/local/dovecot-1.1/etc/dovecot-sql.conf
   userdb:
     driver: prefetch
   socket:
     type: listen
     client:
       path: /var/spool/postfix-smtp-auth/private/auth
       mode: 432
       user: postfix
       group: postfix
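
The message above describes the character check running before the username is normalised, and weighs adding a space to username_chars against trimming. The following is an added example, not part of the original post and not Dovecot's code, that models both choices; the allow-list, function names and sample usernames are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed allow-list modelled on the username_chars setting. */
#define BASE_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@"

/* Return the first byte in name[0..len) missing from allowed, or -1 if none. */
static int first_disallowed(const char *name, size_t len, const char *allowed)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (strchr(allowed, name[i]) == NULL)
            return (unsigned char)name[i];
    return -1;
}

/* Length of s once trailing whitespace is ignored. */
static size_t trimmed_len(const char *s)
{
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1]))
        n--;
    return n;
}

/* Check the raw input first: a trailing space is reported as disallowed. */
static int check_strict(const char *n) { return first_disallowed(n, strlen(n), BASE_CHARS); }

/* Workaround from the post: add space to the allow-list (space passes anywhere). */
static int check_space_allowed(const char *n) { return first_disallowed(n, strlen(n), BASE_CHARS " "); }

/* Trim first, then check only what remains (hypothetical ordering). */
static int check_trim_first(const char *n) { return first_disallowed(n, trimmed_len(n), BASE_CHARS); }

int main(void)
{
    const char *samples[] = { "user@example.com ", "us er@example.com" }; /* constructed */
    size_t i;
    for (i = 0; i < 2; i++)
        printf("[%s] strict=%d space_allowed=%d trim_first=%d\n", samples[i],
               check_strict(samples[i]), check_space_allowed(samples[i]),
               check_trim_first(samples[i]));
    return 0;
}
```

In this model, widening the allow-list also accepts a space inside the name, while trimming before the check accepts only the trailing case.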