On Wed, 17 Apr 2024 at 05:42, Peter via dovecot <dovecot@dovecot.org> wrote:
>
> On 17/04/24 00:51, John Stoffel via dovecot wrote:
> >>>>>> "Peter" == Peter via dovecot <dovecot@dovecot.org> writes:
> >
> >> On 14/04/24 12:09, John Stoffel via dovecot wrote:
> >>> I think you need to update both places, so that your username and
> >>> password checks are done with lowercase usernames.
> >
> >> Generally speaking you want auth to be case-sensitive, but go ahead and
> >> try it to see if it fixes the issue.
> >
> > Umm... not for emails you don't. Since the j...@stoffel.org and
> > j...@stoffel.org and j...@stoffel.org are all the same email
> > address... should they be different logins? Not for email...
>
> There is a difference between expecting $random_stranger to get the case
> correct on an email address and expecting a user to get his own email
> address correct for the purpose of logging in, also keeping in mind that
> the user will generally get it entered *once* in their MUA and the MUA
> will store it for future logins expecting the case to be correct is not
> a huge ask in this scenario.
>
> Also keep in mind that the username is not always going to be the same
> as the email address, in fact Dovecot is perfectly capable of having
> usernames that are entirely different to the email address that is
> associated with them.
>
> > In general, usernames should NOT be case sensitive, that way leads
> > madness. Passwords on the other hand...
>
> Both usernames and passwords are part of the authentication credentials.
> When you allow any authentication credential to be case-insensitive
> then you decrease the difficulty of any brute-force attack by quite a
> bit. There is no good reason to make usernames case-insensitive and
> very good reasons not to.

I cannot semantically argue with your wording, they are indeed both "part of the authentication credentials.", but usernames are IDENTIFICATION, not AUTHENTICATION.

And in the same way you do not have a case sensitive name, you should not have a case sensitive username. (Society's convention is that your name is capitalised in Proper Noun format; from an information technology perspective, all lowercase is the same convention).

Regards
Simon