[Dovecot] Password authentication and character set

Fredrik Grönqvist fredrik.gronqvist at gmail.com
Tue Nov 18 19:27:00 EET 2008

18.11.2008 19:03, Timo Sirainen wrote:
> On Tue, 2008-11-18 at 17:26 +0100, Geert Hendrickx wrote:
>> On Tue, Nov 18, 2008 at 05:51:05PM +0200, Timo Sirainen wrote:
>>> On Nov 18, 2008, at 5:32 PM, Fredrik Grönqvist wrote:
>>>> Is there a setting that "forces" the authentication daemon to  
>>>> convert the provided password to a specific charset before the  
>>>> comparison takes place, or how should one handle this?
>>> Dovecot doesn't know the character set that the client is using, so it  
>>> can't do charset conversion reliably. So the possibilities would be:
>> It seems like this is a limitation in the IMAP protocol.  From RFC 3501:
> I remember reading something about using UTF-8 and stringprep in
> authentication strings, probably some SASL spec or something. Dovecot
> should implement it some day.. But that won't help in any way if the
> client doesn't send the password as UTF-8.
Ok, I see how this makes things problematic. One couldn't just encode it 
to UTF-8 anyway and do the comparison after that (provided there would 
be an option enabled)?

So basically a password containing any non 7-bit ASCII is only "correct" 
when provided by a client using the same charset as the password is 
stored in...
If the RFC states that the password should be provided as 7-bit ASCII 
then I think I'll google for a reason why some clients send the password 
as something else.

Cheers, Fredrik

Fredrik Grönqvist
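
Added example (not part of the original thread and not Dovecot code): the same password sent as ISO-8859-1 and as UTF-8 produces different bytes, so a byte-wise hash comparison fails, and a fallback that re-encodes to UTF-8 before comparing is only a guess. The password, salt, fallback charset list and function names are constructed for illustration; NFC normalization stands in for a full stringprep profile.

```python
import hashlib
import hmac
import unicodedata

SALT = b"constructed-salt"            # constructed sample value
FALLBACK_CHARSETS = ("iso-8859-1",)   # assumption: legacy charsets your clients use
PASSWORD = "bl\u00e5b\u00e4r"         # constructed sample password with non-ASCII letters

def digest(raw: bytes) -> bytes:
    """Hash the exact bytes received, as a byte-oriented password check does."""
    return hashlib.pbkdf2_hmac("sha256", raw, SALT, 10_000)

def canonical(text: str) -> bytes:
    """Single stored form: NFC-normalized text encoded as UTF-8."""
    return unicodedata.normalize("NFC", text).encode("utf-8")

def candidates(wire: bytes) -> list:
    """Canonical forms the client's bytes could represent.

    The server cannot know the client's charset, so more than one
    reading may be valid for the same bytes.
    """
    out = []
    for charset in ("utf-8",) + FALLBACK_CHARSETS:
        try:
            form = canonical(wire.decode(charset))  # strict decode
        except UnicodeDecodeError:
            continue
        if form not in out:
            out.append(form)
    return out

def verify_bytes(wire: bytes, stored: bytes) -> bool:
    """Compare the hash of the raw wire bytes to the stored hash."""
    return hmac.compare_digest(digest(wire), stored)

def verify_normalized(wire: bytes, stored: bytes) -> bool:
    """Try every candidate reading; accept if any one matches."""
    ok = False
    for form in candidates(wire):
        ok |= hmac.compare_digest(digest(form), stored)
    return ok

STORED = digest(canonical(PASSWORD))        # hash stored from the UTF-8 form
UTF8_WIRE = PASSWORD.encode("utf-8")        # client that sends UTF-8
LATIN1_WIRE = PASSWORD.encode("iso-8859-1") # client that sends ISO-8859-1
```

Valid UTF-8 bytes also decode as ISO-8859-1, so `candidates(UTF8_WIRE)` returns two readings; each fallback charset widens the set of byte strings accepted for one stored password.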
