On Wed, 2008-05-28 at 15:40 -0700, David Jonas wrote: > I spoke too soon. Dovecot still complains about the invalid character. > While testing I had forgotten to update to remove <space> from > username_chars. I should have known really, since the invalid chars > check is done before var_expand() in auth_request_fix_username(). > > Any other ideas? Adding <space> to the username_chars list doesn't seem > like a security threat, but honestly I don't know much about that.
The default auth_username_chars contain only the ones that are commonly used. There should be no problems allowing most non-control characters. In future I'm going to fix also Dovecot's handling of control characters.
signature.asc
Description: This is a digitally signed message part
