[Dovecot] Password authentication and character set
Fredrik Grönqvist
fredrik.gronqvist at gmail.com
Tue Nov 18 19:27:00 EET 2008
18.11.2008 19:03, Timo Sirainen wrote:
> On Tue, 2008-11-18 at 17:26 +0100, Geert Hendrickx wrote:
>
>> On Tue, Nov 18, 2008 at 05:51:05PM +0200, Timo Sirainen wrote:
>>
>>> On Nov 18, 2008, at 5:32 PM, Fredrik Grönqvist wrote:
>>>
>>>
>>>> Is there a setting that "forces" the authentication daemon to
>>>> convert the provided password to a specific charset before the
>>>> comparison takes place, or how should one handle this?
>>>>
>>> Dovecot doesn't know the character set that the client is using, so it
>>> can't do charset conversion reliably. So the possibilities would be:
>>>
>> It seems like this is a limitation in the IMAP protocol. From RFC 3501:
>>
>
> I remember reading something about using UTF-8 and stringprep in
> authentication strings, probably some SASL spec or something. Dovecot
> should implement it some day.. But that won't help in any way if the
> client doesn't send the password as UTF-8.
>
>
Ok, I see how this makes things problematic. One couldn't just encode it
to UTF-8 anyway and do the comparison after that (provided there would
be an option enabled)?
So basically a password containing any non 7-bit ASCII is only "correct"
when provided by a client using the same charset as the password is
stored in...
If the RFC states that the password should be provided as 7-bit ASCII
then I think I'll google for a reason why some clients send the password
as something else.
Cheers, Fredrik
--
------------------------------------------------------------------------
Fredrik Grönqvist
------------------------------------------------------------------------
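
The mismatch discussed in this thread, as an added example (not part of the original message and not Dovecot code): the same password sent as ISO-8859-1 and as UTF-8 gives different bytes, and converting by guessing the charset fixes most cases but not all. The PBKDF2 parameters, the salt, the ISO-8859-1 fallback and the use of NFC normalisation (a simplified stand-in for the stringprep profile mentioned above) are assumptions, as are all function names.

```python
import hashlib
import hmac
import unicodedata

SALT = b"constructed-salt"   # constructed sample value
ITERATIONS = 100_000         # assumed PBKDF2 work factor

def kdf(raw: bytes) -> bytes:
    """Derive the stored verifier from the exact bytes given."""
    return hashlib.pbkdf2_hmac("sha256", raw, SALT, ITERATIONS)

def naive_verify(wire: bytes, stored: bytes) -> bool:
    """No charset handling: the client's bytes are hashed as received."""
    return hmac.compare_digest(kdf(wire), stored)

def to_utf8(wire: bytes, fallback: str = "iso-8859-1") -> bytes:
    """Guess the charset: valid UTF-8 is kept, anything else is decoded
    with the assumed fallback. Result is NFC-normalised UTF-8."""
    try:
        text = wire.decode("utf-8")
    except UnicodeDecodeError:
        text = wire.decode(fallback)
    return unicodedata.normalize("NFC", text).encode("utf-8")

def normalising_verify(wire: bytes, stored: bytes) -> bool:
    """Convert to canonical UTF-8 first, then compare."""
    return hmac.compare_digest(kdf(to_utf8(wire)), stored)

def enrol(password: str) -> bytes:
    """Store the verifier over NFC-normalised UTF-8 (assumed policy)."""
    return kdf(unicodedata.normalize("NFC", password).encode("utf-8"))

if __name__ == "__main__":
    stored = enrol("Gr\u00f6nqvist1")                 # constructed password
    latin1 = "Gr\u00f6nqvist1".encode("iso-8859-1")   # bytes 47 72 F6 ...
    print("naive, Latin-1 client:      ", naive_verify(latin1, stored))
    print("normalising, Latin-1 client:", normalising_verify(latin1, stored))
    # Ambiguity: Latin-1 "Ã¶" is bytes C3 B6, which is also valid UTF-8 for
    # "ö", so the guess picks the wrong charset and the login still fails.
    odd = "\u00c3\u00b6"
    print("normalising, ambiguous:     ",
          normalising_verify(odd.encode("iso-8859-1"), enrol(odd)))
```

The last case shows why a server that does not know the client's charset cannot convert reliably: some byte strings are valid in both encodings.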