On 17/04/24 00:51, John Stoffel via dovecot wrote:
> "Peter" == Peter via dovecot <dovecot@dovecot.org> writes:
>
>> On 14/04/24 12:09, John Stoffel via dovecot wrote:
>>> I think you need to update both places, so that your username and
>>> password checks are done with lowercase usernames.
>>
>> Generally speaking you want auth to be case-sensitive, but go ahead and
>> try it to see if it fixes the issue.
>
> Umm... not for emails you don't.  Since the j...@stoffel.org and
> j...@stoffel.org and j...@stoffel.org are all the same email
> address... should they be different logins?  Not for email...

There is a difference between expecting $random_stranger to get the case correct on an email address and expecting a user to get his own email address correct for the purpose of logging in. Also, keeping in mind that the user will generally get it entered *once* in their MUA and the MUA will store it for future logins, expecting the case to be correct is not a huge ask in this scenario.

Also keep in mind that the username is not always going to be the same as the email address, in fact Dovecot is perfectly capable of having usernames that are entirely different to the email address that is associated with them.

> In general, usernames should NOT be case sensitive, that way leads
> madness.  Passwords on the other hand...

Both usernames and passwords are part of the authentication credentials. When you allow any authentication credential to be case-insensitive then you decrease the difficulty of any brute-force attack by quite a bit. There is no good reason to make usernames case-insensitive and very good reasons not to.


Peter
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
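The two effects argued over in the thread, quantified on constructed data. This is an added example, not code from the thread or from Dovecot: it shows how many distinct lookups a guesser needs to cover every spelling of one username under a case-sensitive versus a case-folded policy, and how a case-folded lookup can merge two stored accounts that differ only in case. The user store, the names and the mailbox addresses are constructed sample values.

```python
"""Added example (not from the thread): effect of a case-insensitive
username policy on (a) the number of distinct guesses needed to cover
all spellings of a name and (b) account collisions in the user store.
All data below is constructed sample data."""
from itertools import product

# Constructed sample store: username -> mailbox. Two entries differ only
# in case; a case-sensitive lookup keeps them apart.
SAMPLE_USERS = {
    "peter": "peter@example.invalid",
    "Peter": "peter.smith@example.invalid",
    "jstoffel": "john@example.invalid",
}


def normalize(username: str, case_insensitive: bool) -> str:
    """Key used for the lookup under each policy. str.casefold() rather
    than lower(): full Unicode case-insensitive matching also folds
    e.g. 'ß' -> 'ss', so more strings collapse onto one key."""
    return username.casefold() if case_insensitive else username


def build_index(users: dict, case_insensitive: bool) -> dict:
    """Index the store under the chosen policy. Maps lookup key -> list of
    the original usernames, so merged accounts stay visible."""
    index: dict = {}
    for name in users:
        index.setdefault(normalize(name, case_insensitive), []).append(name)
    return index


def collisions(users: dict, case_insensitive: bool) -> dict:
    """Lookup keys that resolve to more than one stored account."""
    return {k: v for k, v in build_index(users, case_insensitive).items()
            if len(v) > 1}


def lookup(users: dict, username: str, case_insensitive: bool) -> list:
    """Stored usernames a login attempt with `username` would match."""
    index = build_index(users, case_insensitive)
    return index.get(normalize(username, case_insensitive), [])


def case_variants(word: str) -> set:
    """Every upper/lower spelling of `word`: 2**k for k cased letters."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return {"".join(p) for p in product(*choices)}


def distinct_guesses(candidates, case_insensitive: bool) -> int:
    """Number of lookups needed to cover every candidate spelling.
    Under a case-folded policy all spellings of one name are one guess."""
    return len({normalize(c, case_insensitive) for c in candidates})


if __name__ == "__main__":
    variants = case_variants("peter")
    for policy in (False, True):
        print(f"case_insensitive={policy}: "
              f"{distinct_guesses(variants, policy)} distinct guesses "
              f"for {len(variants)} spellings; "
              f"collisions={collisions(SAMPLE_USERS, policy)}")
```

With a case-sensitive store the 32 spellings of "peter" are 32 separate lookups and `Peter` and `peter` remain two accounts; with case folding they collapse to one lookup and one key, which is the reduction in guessing work and the account-merging hazard the message above describes. The `casefold()` note matters for a real deployment: folding is wider than ASCII lowercasing, so the set of strings that map onto one key is larger than a quick `lower()` suggests.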
