On 2.8.2013, at 23.32, Attila Nagy <b...@fsn.hu> wrote:

> On 08/02/2013 02:32 PM, Timo Sirainen wrote:
>> On Mon, 2013-07-29 at 09:22 +0200, Attila Nagy wrote:
>>
>>> On 07/28/13 13:49, Attila Nagy wrote:
>>>
>>>> Hi,
>>>>
>>>> I would like to convert my custom POP/IMAP proxy to Dovecot's. In this
>>>> proxy I do more than giving back user name, password and the host and
>>>> I need extra information.
>>>> Luckily all of them are available as variables, but more than one
>>>> comes as user input (like user name and cleartext password) and I'm
>>>> not sure how to pass them safely.
>>>> Obviously I would need a separator, which is guaranteed not to show up
>>>> either in user name and the cleartext password.
>>>> Should I use escape (%E) here, or is there a better way?
>>>>
>>>>
>>> Just for the record, this is what I use currently:
>>> password_key = dovecot/passdb^MAuth-User: %u^MAuth-Pass:
>>> %w^MAuth-Protocol: %s^M
>>> Client-IP: %r^M
>>>
>> I have no idea what you're talking about. What is password_key? The
>> password that is being sent to the backend IMAP/POP3 server?
>>
>>
>>
> RTFM? ;)
>
> http://wiki2.dovecot.org/AuthDatabase/Dict?highlight=%28password_key%29

Ah, dict auth. Yeah, you need to escape the user-given username and password. They can both contain all characters, including CR and LF. (Although auth_username_chars by default disables all the bad chars.) Looks like %E is the only possibility currently. The %E escapes " \ and ' characters only. So you could for example use Auth-User: "%Eu" with quotes and make sure you handle the unescaping correctly. Or maybe you could just use \; or something as the separator since %E only gives you \" \\ and \'.
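
The quoting approach suggested in the reply above, sketched as an added example (not code from this thread or from Dovecot): `escape_E` models %E as the reply describes it, and since that leaves CR and LF untouched, the receiving side has to end a value at the unescaped closing quote rather than at the CR separator. The two-field key, the function names and the sample values are assumptions constructed for illustration.

```python
def escape_E(value):
    """Model of %E as described in the reply: backslash-escape \\ " and '."""
    return ''.join('\\' + c if c in '\\"\'' else c for c in value)

def build_key(user, password, quoted):
    """Fill a CR-separated lookup key shaped like the password_key above."""
    if quoted:
        return 'Auth-User: "%s"\rAuth-Pass: "%s"\r' % (
            escape_E(user), escape_E(password))
    return 'Auth-User: %s\rAuth-Pass: %s\r' % (user, password)

def parse_naive(key):
    """Split on CR only: a CR inside a value is read as a field boundary."""
    fields = {}
    for line in key.split('\r'):
        if ': ' in line:
            name, value = line.split(': ', 1)
            fields[name] = value
    return fields

def parse_quoted(key):
    """Quote-aware parser: a value ends only at an unescaped double quote."""
    fields, i, n = {}, 0, len(key)
    while i < n:
        start = key.find(': "', i)
        if start < 0:
            raise ValueError('expected name: "value"')
        name, i, out = key[i:start], start + 3, []
        while i < n and key[i] != '"':
            if key[i] == '\\' and i + 1 < n:
                i += 1                      # keep the escaped character as-is
            out.append(key[i])
            i += 1
        if key[i:i + 2] != '"\r':
            raise ValueError('unterminated or malformed field %r' % name)
        if name in fields:
            raise ValueError('duplicate field %r' % name)
        fields[name] = ''.join(out)
        i += 2
    return fields

# Constructed sample credentials containing quotes, a backslash and a CR.
USER = 'o\'brien"x'
PASSWORD = 'a\\b\rAuth-Protocol: pop3'

if __name__ == '__main__':
    print(parse_naive(build_key(USER, PASSWORD, quoted=False)))
    print(parse_quoted(build_key(USER, PASSWORD, quoted=True)))
```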