1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-12-22 07:17:05 +00:00

our users/aliases database is case sensitive - force new users/aliases to lowercase

Unfortunately our users/aliases database is case sensitive. (Perhaps I should have defined the columns with COLLATE NOCASE, see https://www.sqlite.org/datatype3.html.) Postfix always queries the tables in lowecase, so mail delivery would fail if a user or alias were defined with any capital letters. It would have also been possible to add multiple euqivalent addresses into the database with different case.

This commit rejects new mail users that have capital letters and forces new aliases to lowecase. I prefer to reject rather than casefold user accounts so that the login credentials the user gave are exactly what goes into the database.

https://discourse.mailinabox.email/t/recipient-address-rejected-user-unknown-in-virtual-mailbox-table/512/4
This commit is contained in:
Joshua Tauberer 2015-05-28 12:59:17 +00:00
parent b5269bb28e
commit 202c4a948b
2 changed files with 10 additions and 2 deletions

View File

@ -6,6 +6,7 @@ In Development
* ownCloud updated to version 8.0.3.
* SMTP Submission (port 587) began offering the insecure SSLv3 protocol due to a misconfiguration in the previous version.
* Users and aliases weren't working if they were entered with any uppercase letters. Now only lowercase is allowed.
v0.09 (May 8, 2015)
-------------------

View File

@ -32,8 +32,11 @@ def validate_email(email, mode=None):
# unusual characters in the address. Bah. Also note that since
# the mailbox path name is based on the email address, the address
# shouldn't be absurdly long and must not have a forward slash.
# Our database is case sensitive (oops), which affects mail delivery
# (Postfix always queries in lowercase?), so also only permit lowercase
# letters.
if len(email) > 255: return False
if re.search(r'[^\@\.a-zA-Z0-9_\-]+', email):
if re.search(r'[^\@\.a-z0-9_\-]+', email):
return False
# Everything looks good.
@ -253,7 +256,7 @@ def add_mail_user(email, pw, privs, env):
elif not validate_email(email):
return ("Invalid email address.", 400)
elif not validate_email(email, mode='user'):
return ("User account email addresses may only use the ASCII letters A-Z, the digits 0-9, underscore (_), hyphen (-), and period (.).", 400)
return ("User account email addresses may only use the lowercase ASCII letters a-z, the digits 0-9, underscore (_), hyphen (-), and period (.).", 400)
elif is_dcv_address(email) and len(get_mail_users(env)) > 0:
# Make domain control validation hijacking a little harder to mess up by preventing the usual
# addresses used for DCV from being user accounts. Except let it be the first account because
@ -403,6 +406,10 @@ def add_mail_alias(source, destination, env, update_if_exists=False, do_kick=Tru
# convert Unicode domain to IDNA
source = sanitize_idn_email_address(source)
# Our database is case sensitive (oops), which affects mail delivery
# (Postfix always queries in lowercase?), so force lowercase.
source = source.lower()
# validate source
source = source.strip()
if source == "":