On 17/04/2024 08:27 EEST Peter via dovecot <dovecot@dovecot.org> wrote:

     On 17/04/24 00:51, John Stoffel via dovecot wrote:
     >>>>>> "Peter" == Peter via dovecot <dovecot@dovecot.org> writes:
               On 14/04/24 12:09, John Stoffel via dovecot wrote:
                    I think you need to update both places, so that your
                    username and password checks are done with lowercase
                    usernames.
               Generally speaking you want auth to be case-sensitive, but go
               ahead and try it to see if it fixes the issue.
          Umm... not for emails you don't. Since the j...@stoffel.org and
          j...@stoffel.org and j...@stoffel.org are all the same email
          address... should they be different logins? Not for email...
     There is a difference between expecting $random_stranger to get the case
     correct on an email address and expecting a user to get his own email
     address correct for the purpose of logging in. Also, keeping in mind that
     the user will generally get it entered *once* in their MUA and the MUA
     will store it for future logins, expecting the case to be correct is not
     a huge ask in this scenario.
      
     Also keep in mind that the username is not always going to be the same
     as the email address; in fact, Dovecot is perfectly capable of having
     usernames that are entirely different to the email address that is
     associated with them.
      
          In general, usernames should NOT be case sensitive, that way leads
          to madness. Passwords on the other hand...
     Both usernames and passwords are part of the authentication credentials.
     When you allow any authentication credential to be case-insensitive
     then you decrease the difficulty of any brute-force attack by quite a
     bit. There is no good reason to make usernames case-insensitive and
     very good reasons not to.
      
      
     Peter
     _______________________________________________
     dovecot mailing list -- dovecot@dovecot.org
     To unsubscribe send an email to dovecot-le...@dovecot.org
 
Unfortunately some systems uppercase (or downcase) your email when sending mail
to you. In general I would advocate using auth_username_format=%Ln or %Lu to
normalize to lowercase. I don't believe you would really get that much benefit
from a mixed-case address.
 
Aki
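
Added example, not part of the thread or of Dovecot's code: a Python emulation of a small subset of Dovecot's %-variable expansion, run over constructed logins to show which submitted forms end up as the same account name under %u, %Lu and %Ln. It assumes %u is the full login, %n the part before "@", %d the part after it, and that the L/U modifiers change case; the function names are hypothetical.

```python
import re

# Subset of the %-variable syntax, emulated for illustration only:
#   %u = full login, %n = part before '@', %d = part after '@'
#   optional modifier: L = lowercase, U = uppercase
_VAR = re.compile(r"%([LU]?)([und])")


def expand(fmt, login):
    """Expand fmt (e.g. '%Lu') for one submitted login string."""
    local, _, domain = login.partition("@")
    values = {"u": login, "n": local, "d": domain}

    def sub(match):
        value = values[match.group(2)]
        modifier = match.group(1)
        if modifier == "L":
            return value.lower()
        if modifier == "U":
            return value.upper()
        return value

    return _VAR.sub(sub, fmt)


def distinct_accounts(fmt, logins):
    """Group submitted logins by the account name they normalize to."""
    groups = {}
    for login in logins:
        groups.setdefault(expand(fmt, login), []).append(login)
    return groups


# Constructed sample logins; example.org and example.net are placeholders.
SAMPLE = [
    "John@Example.org",
    "JOHN@EXAMPLE.ORG",
    "john@example.org",
    "john@example.net",
    "john",
]

if __name__ == "__main__":
    for fmt in ("%u", "%Lu", "%Ln"):
        print(fmt)
        for account, variants in distinct_accounts(fmt, SAMPLE).items():
            print(f"  {account!r} <- {variants}")
```

With these assumptions %Ln also discards the domain, so john@example.org and john@example.net normalize to the same account name, while %Lu keeps them apart.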