[Dovecot] Password authentication and character set

Timo Sirainen tss at iki.fi
Tue Nov 18 19:57:28 EET 2008

On Tue, 2008-11-18 at 19:27 +0200, Fredrik Grönqvist wrote:
> 18.11.2008 19:03, Timo Sirainen wrote:
> > On Tue, 2008-11-18 at 17:26 +0100, Geert Hendrickx wrote:
> >   
> >> On Tue, Nov 18, 2008 at 05:51:05PM +0200, Timo Sirainen wrote:
> >>     
> >>> On Nov 18, 2008, at 5:32 PM, Fredrik Grönqvist wrote:
> >>>
> >>>       
> >>>> Is there a setting that "forces" the authentication daemon to  
> >>>> convert the provided password to a specific charset before the  
> >>>> comparison takes place, or how should one handle this?
> >>>>         
> >>> Dovecot doesn't know the character set that the client is using, so it  
> >>> can't do charset conversion reliably. So the possibilities would be:
> >>>       
> >> It seems like this is a limitation in the IMAP protocol.  From RFC 3501:
> >>     
> >
> > I remember reading something about using UTF-8 and stringprep in
> > authentication strings, probably some SASL spec or something. Dovecot
> > should implement it some day.. But that won't help in any way if the
> > client doesn't send the password as UTF-8.
> >
> >   
> Ok, I see how this makes things problematic. One couldn't just encode it 
> to UTF-8 anyway and do the comparison after that (provided there would 
> be an option enabled)?

You can encode everything to UTF-8, but the result will be different
depending on what the source character set is. If by "option" you mean
that you'd have a single setting that specifies which the "non-utf8
charset" is that (hopefully) all your users are using, then sure that
would be the a) choice in my previous reply.

> So basically a password containing any non 7-bit ASCII is only "correct" 
> when provided by a client using the same charset as the password is 
> stored in...
> If the RFC states that the password should be provided as 7-bit ASCII 
> then I think I'll google for a reason why some clients send the password 
> as something else.

Most client programmers haven't even thought about the whole issue. The
password is typically 7bit. So they just send the password using
whatever charset that the OS by default happens to use.

In your case you're most likely not really seeing ISO-8859-1 charset,
but rather Windows-1252. Although Windows-1252 is a superset of
ISO-8859-1, but things like euro character is present in 1252 but not in
8859-1 (and euro in a different position in 8859-15).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20081118/304452ac/attachment.bin 

More information about the dovecot mailing list