Commit 202c4a94 authored by Joshua Tauberer's avatar Joshua Tauberer

our users/aliases database is case sensitive - force new users/aliases to lowercase

Unfortunately our users/aliases database is case sensitive. (Perhaps I should have defined the columns with COLLATE NOCASE, see https://www.sqlite.org/datatype3.html.) Postfix always queries the tables in lowecase, so mail delivery would fail if a user or alias were defined with any capital letters. It would have also been possible to add multiple euqivalent addresses into the database with different case.

This commit rejects new mail users that have capital letters and forces new aliases to lowecase. I prefer to reject rather than casefold user accounts so that the login credentials the user gave are exactly what goes into the database.

https://discourse.mailinabox.email/t/recipient-address-rejected-user-unknown-in-virtual-mailbox-table/512/4
parent b5269bb2
...@@ -6,6 +6,7 @@ In Development ...@@ -6,6 +6,7 @@ In Development
* ownCloud updated to version 8.0.3. * ownCloud updated to version 8.0.3.
* SMTP Submission (port 587) began offering the insecure SSLv3 protocol due to a misconfiguration in the previous version. * SMTP Submission (port 587) began offering the insecure SSLv3 protocol due to a misconfiguration in the previous version.
* Users and aliases weren't working if they were entered with any uppercase letters. Now only lowercase is allowed.
v0.09 (May 8, 2015) v0.09 (May 8, 2015)
------------------- -------------------
......
...@@ -32,8 +32,11 @@ def validate_email(email, mode=None): ...@@ -32,8 +32,11 @@ def validate_email(email, mode=None):
# unusual characters in the address. Bah. Also note that since # unusual characters in the address. Bah. Also note that since
# the mailbox path name is based on the email address, the address # the mailbox path name is based on the email address, the address
# shouldn't be absurdly long and must not have a forward slash. # shouldn't be absurdly long and must not have a forward slash.
# Our database is case sensitive (oops), which affects mail delivery
# (Postfix always queries in lowercase?), so also only permit lowercase
# letters.
if len(email) > 255: return False if len(email) > 255: return False
if re.search(r'[^\@\.a-zA-Z0-9_\-]+', email): if re.search(r'[^\@\.a-z0-9_\-]+', email):
return False return False
# Everything looks good. # Everything looks good.
...@@ -253,7 +256,7 @@ def add_mail_user(email, pw, privs, env): ...@@ -253,7 +256,7 @@ def add_mail_user(email, pw, privs, env):
elif not validate_email(email): elif not validate_email(email):
return ("Invalid email address.", 400) return ("Invalid email address.", 400)
elif not validate_email(email, mode='user'): elif not validate_email(email, mode='user'):
return ("User account email addresses may only use the ASCII letters A-Z, the digits 0-9, underscore (_), hyphen (-), and period (.).", 400) return ("User account email addresses may only use the lowercase ASCII letters a-z, the digits 0-9, underscore (_), hyphen (-), and period (.).", 400)
elif is_dcv_address(email) and len(get_mail_users(env)) > 0: elif is_dcv_address(email) and len(get_mail_users(env)) > 0:
# Make domain control validation hijacking a little harder to mess up by preventing the usual # Make domain control validation hijacking a little harder to mess up by preventing the usual
# addresses used for DCV from being user accounts. Except let it be the first account because # addresses used for DCV from being user accounts. Except let it be the first account because
...@@ -403,6 +406,10 @@ def add_mail_alias(source, destination, env, update_if_exists=False, do_kick=Tru ...@@ -403,6 +406,10 @@ def add_mail_alias(source, destination, env, update_if_exists=False, do_kick=Tru
# convert Unicode domain to IDNA # convert Unicode domain to IDNA
source = sanitize_idn_email_address(source) source = sanitize_idn_email_address(source)
# Our database is case sensitive (oops), which affects mail delivery
# (Postfix always queries in lowercase?), so force lowercase.
source = source.lower()
# validate source # validate source
source = source.strip() source = source.strip()
if source == "": if source == "":
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment