I noticed that Roundcube is automatically lowercasing usernames when the first login fails. In program/include/rcmail.php (0.7.2),
if ($imap_login = $this->imap->connect($host, $username_lc, $pass, $imap_port, $imap_ssl)) $username = $username_lc;
I think there's a bug here: the Roundcube user that gets created in the database uses the original capitalization.
As an example, our IMAP server is Dovecot and our accounts are case-sensitive. That means user@example.com != USER@example.com, for better or worse. We've got $rcmail_config['login_lc'] = false.
I've just created an IMAP account for roundcube@viabit.com. If I go to log in to Roundcube -- and do so as ROUNDCUBE@viabit.com -- the login fails. So, the username gets silently lowercased and the second try succeeds transparently to the user. But, the user in the Roundcube database has the capitalization that I entered:
roundcube=# select username from users order by user_id DESC limit 1;
       username
----------------------
 ROUNDCUBE@viabit.com
(1 row)
If I now log in with the correct capitalization, a second user is created:
roundcube=# select username from users order by user_id DESC limit 2;
       username
----------------------
 roundcube@viabit.com
 ROUNDCUBE@viabit.com
(2 rows)
This has confused a few of our users, because they see different stuff when they use a different capitalization to log in. My intent was that this should fail; that's why our IMAP server is case-sensitive in the first place. As far as our IMAP server is concerned, roundcube@ and ROUNDCUBE@ are two completely different people, so a client should not assume that they're the same under any circumstances. But in any case, if you *do* assume that they're the same, then they should share the same contacts, settings, etc.
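The behaviour reported above, as an added example that is not part of the original post and is not Roundcube's code: a simplified Python/SQLite model that reproduces the observed symptom (authentication succeeds with the lower-cased name while the local record is keyed on what was typed), next to a variant that keys the record on the authenticated identity, plus an audit query for usernames that differ only by capitalization. The function names, the one-column `users` table, the password and the in-memory IMAP stand-in are assumptions made for illustration.

```python
import sqlite3

# Constructed stand-in for a case-sensitive IMAP backend (assumption, not Dovecot itself).
IMAP_ACCOUNTS = {"roundcube@viabit.com": "secret"}

def imap_connect(username, password):
    return IMAP_ACCOUNTS.get(username) == password

def new_db():
    db = sqlite3.connect(":memory:")
    # Minimal hypothetical schema; SQLite compares TEXT case-sensitively by default.
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT)")
    return db

def login(db, username, password, consistent):
    """Model of the fallback: on failure, retry IMAP with the lower-cased name."""
    authed_as = username
    if not imap_connect(username, password):
        username_lc = username.lower()
        if username_lc == username or not imap_connect(username_lc, password):
            return None
        authed_as = username_lc
    # Observed behaviour: the local record is keyed on the name as typed.
    # Consistent variant: key it on the identity IMAP actually authenticated.
    key = authed_as if consistent else username
    row = db.execute("SELECT user_id FROM users WHERE username = ?", (key,)).fetchone()
    if row is None:
        return db.execute("INSERT INTO users (username) VALUES (?)", (key,)).lastrowid
    return row[0]

def case_variant_groups(db):
    """Audit: groups of local usernames that differ only by capitalization."""
    rows = db.execute(
        "SELECT lower(username), group_concat(username, ',') FROM users "
        "GROUP BY lower(username) HAVING count(*) > 1").fetchall()
    return {key: sorted(names.split(",")) for key, names in rows}

def demo(consistent):
    db = new_db()
    ids = [login(db, name, "secret", consistent)
           for name in ("ROUNDCUBE@viabit.com", "roundcube@viabit.com")]
    return ids, case_variant_groups(db)

if __name__ == "__main__":
    print("as observed:", demo(consistent=False))
    print("consistent: ", demo(consistent=True))
```

The same `GROUP BY lower(username) HAVING count(*) > 1` query can be adapted to an existing deployment to list accounts that have already been split this way.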
Am 19.09.2012 14:47, schrieb Michael Orlitzky:
As an example, our IMAP server is Dovecot and our accounts are case-sensitive.
why are they not lowercase?
That means user@example.com != USER@example.com, for
better or worse. We've got $rcmail_config['login_lc'] = false.
why do you not fix dovecot?
auth_username_translation = AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
On 09/19/2012 10:06 AM, Reindl Harald wrote:
Am 19.09.2012 14:47, schrieb Michael Orlitzky:
As an example, our IMAP server is Dovecot and our accounts are case-sensitive.
why are they not lowercase?
The only one that matters is RFC 5321, "The local-part of a mailbox MUST BE treated as case sensitive." But practically,
- What do we do with existing mailboxes User1 and user1?
- The simplest maildir mapping is the trivial one from username to directory. On any trustworthy filesystem, that's case-sensitive.
- Mangling the case can lead to bugs; some software can handle it, others can't.
- It gives users misconceptions about the way email works, and that can indirectly cause problems.
I don't wanna, the bug's in Roundcube.
That means user@example.com != USER@example.com, for
better or worse. We've got $rcmail_config['login_lc'] = false.
why do you not fix dovecot?
auth_username_translation = AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
Am 19.09.2012 16:34, schrieb Michael Orlitzky:
The only one that matters is RFC 5321, "The local-part of a mailbox MUST BE treated as case sensitive."
but in the real world you can use myname@domain.tld and mYnAmE@domain.tld for any mail-address and on most mail-systems there is a good reason why mailbox == email
But practically,
- What do we do with existing mailboxes User1 and user1?
the main question is WHO in the world starting with the same users in different cases?
without user@domain.tld "user1" and "User1" leads to collisions and MANY errors because 99 out of 100 users are not aware of case-sensitivity because it does not matter on most servers
On 19/09/2012 15:34, Michael Orlitzky wrote:
On 09/19/2012 10:06 AM, Reindl Harald wrote:
Am 19.09.2012 14:47, schrieb Michael Orlitzky:
As an example, our IMAP server is Dovecot and our accounts are case-sensitive.
why are they not lowercase?
The only one that matters is RFC 5321, "The local-part of a mailbox MUST BE treated as case sensitive." But practically,
- What do we do with existing mailboxes User1 and user1?
- The simplest maildir mapping is the trivial one from username to directory. On any trustworthy filesystem, that's case-sensitive.
no comment.
- Mangling the case can lead to bugs; some software can handle it, others can't.
- It gives users misconceptions about the way email works, and that can indirectly cause problems.
I don't wanna, the bug's in Roundcube.
Whilst I appreciate case-sensitivity, I have *ALWAYS* thought of email addresses as being case-insensitive. i.e. joe@bloggs.com and JOE@BLOGGS.COM should go to exactly the same place. Logging in should use case-sensitive passwords but not usernames (in my opinion). I don't think this is a bug with RC but again, that is a personal opinion.
-- Janek
On 09/19/2012 11:06 AM, Reindl Harald wrote:
Am 19.09.2012 16:34, schrieb Michael Orlitzky:
The only one that matters is RFC 5321, "The local-part of a mailbox MUST BE treated as case sensitive."
but in the real world you can use myname@domain.tld and mYnAmE@domain.tld for any mail-address and on most mail-systems there is a good reason why mailbox == email
Except when you can't, which is exactly why I prefer to just do it one way. If you can access your mail account via,
which ones allow you to enter the username wrong? I don't want to have to explain the nuances of each piece of software to everyone. If they're case-sensitive, I say, "your email address is case-sensitive," and we're done. Unless I can force all mailbox access to go through some gatekeeper which will unilaterally ignore the RFC, this is the easiest way for me.
But practically,
- What do we do with existing mailboxes User1 and user1?
the main question is WHO in the world starting with the same users in different cases?
Who cares, pretend we have supervillains as customers who do everything they can to make my life miserable[1]. It's required by RFC, so not unreasonable for a customer to request. We're not going to turn down a new hosting client because they had John User Sr. and John User Jr. using JUser@example.com and juser@example.com at their old company and we can't do it.
[1] Not hypothetical
Am 19.09.2012 17:22, schrieb Michael Orlitzky:
But practically,
- What do we do with existing mailboxes User1 and user1?
the main question is WHO in the world starting with the same users in different cases?
Who cares, pretend we have supervillains as customers who do everything they can to make my life miserable[1]. It's required by RFC, so not unreasonable for a customer to request. We're not going to turn down a new hosting client because they had John User Sr. and John User Jr. using JUser@example.com and juser@example.com at their old company and we can't do it.
your problem
having "JUser@example.com" and "juser@example.com" as address for two different people is plain stupid and it is really your problem if you think it is a good idea to satisfy stupid wishes
On 09/19/2012 11:13 AM, Jan M. Dziewulski wrote:
Logging in should use case-sensitive passwords but not usernames (in my opinion).
Just a comment from the peanut gallery -- the problem I see is that email addresses are not always usernames. For some places, they aren't even close.
*Many, many* authentication systems treat usernames as case sensitive, including kerberos and most implementations of LDAP I've seen. From what I've seen, many applications (before talking to anything on the backend) standardize the capitalization of a username (Shibboleth implementations, Drupal, etc).
Perhaps some possible settings could be added to handle the two cases of Roundcube authentication -- usernames vs. email addresses. One could do stuff to standardize capitalization (email address case), vs. another that would simply preserve and pass through (username case).
Martin B. Smith, Systems Administrator smithmb@ufl.edu - (352) 273-1329 UF Information Technology, CNS/Open Systems Group University of Florida
On 09/19/2012 11:25 AM, Reindl Harald wrote:
your problem
having "JUser@example.com" and "juser@example.com" as address for two different people is plain stupid and it is really your problem if you think it is a good idea to satisfy stupid wishes
I proclaim wholeheartedly that we *do* want to satisfy their stupid wishes, over and over again, for a small fee.
On 09/19/2012 11:13 AM, Jan M. Dziewulski wrote:
Whilst I appreciate case-sensitivity, I have *ALWAYS* thought of email addresses as being case-insensitive. i.e. joe@bloggs.com and JOE@BLOGGS.COM should go to exactly the same place. Logging in should use case-sensitive passwords but not usernames (in my opinion). I don't think this is a bug with RC but again, that is a personal opinion.
Regardless, some people do it, and it's required by the RFC. "How it should be" is irrelevant. Roundcube tries to work both ways; there's just a slight bug in the implementation. If it *didn't* try to support both ways, I wouldn't call it a bug.
On 09/19/2012 11:30 AM, Michael Orlitzky wrote:
I proclaim wholeheartedly that we *do* want to satisfy their stupid wishes, over and over again, for a small fee.
+1 for this. And can we never tell people their problems are stupid? :)
Am 19.09.2012 17:30, schrieb Michael Orlitzky:
On 09/19/2012 11:25 AM, Reindl Harald wrote:
your problem
having "JUser@example.com" and "juser@example.com" as address for two different people is plain stupid and it is really your problem if you think it is a good idea to satisfy stupid wishes
I proclaim wholeheartedly that we *do* want to satisfy their stupid wishes, over and over again, for a small fee.
and after "juser@example.com" receives sensible information targeted to "JUser@example.com" which he was not allowed to receive people will realize why it is stupid
i see it as my damned job to prevent people from mistakes and i doubt it's not a better service to let them run into a knife
On 19/09/2012 16:26, Martin B. Smith wrote:
On 09/19/2012 11:13 AM, Jan M. Dziewulski wrote:
Logging in should use case-sensitive passwords but not usernames (in my opinion).
Just a comment from the peanut gallery -- the problem I see is that email addresses are not always usernames. For some places, they aren't even close.
*Many, many* authentication systems treat usernames as case sensitive, including kerberos and most implementations of LDAP I've seen. From what I've seen, many applications (before talking to anything on the backend) standardize the capitalization of a username (Shibboleth implementations, Drupal, etc).
Fair point. I have just been using systems where I log on to so much using my email address as a username (because I don't have a choice) that I have been too used to it. My point still remains about email addresses though.
On 19/09/2012 16:31, Michael Orlitzky wrote:
On 09/19/2012 11:13 AM, Jan M. Dziewulski wrote:
Whilst I appreciate case-sensitivity, I have *ALWAYS* thought of email addresses as being case-insensitive. i.e. joe@bloggs.com and JOE@BLOGGS.COM should go to exactly the same place. Logging in should use case-sensitive passwords but not usernames (in my opinion). I don't think this is a bug with RC but again, that is a personal opinion.
Regardless, some people do it, and it's required by the RFC. "How it should be" is irrelevant. Roundcube tries to work both ways; there's just a slight bug in the implementation. If it *didn't* try to support both ways, I wouldn't call it a bug.
Then the RFC has a bug in it (IMHO). And yes, I appreciate that if RC tries to do it in two different ways in different places, then it also has a bug.
-- Janek
This discussion is really moot. Both roundcube and dovecot obviously intend to give the administrator the option to decide (in dovecot you can use the %L modifier). So this seems to be a bug, that I'm sure will be fixed. Please add it to the tracker or submit a patch through git.
Cor
On 09/19/2012 02:47 PM, Michael Orlitzky wrote:
I think there's a bug here: the Roundcube user that gets created in the database uses the original capitalization.
As an example, our IMAP server is Dovecot and our accounts are case-sensitive. That means user@example.com != USER@example.com, for better or worse. We've got $rcmail_config['login_lc'] = false.
I've just created an IMAP account for roundcube@viabit.com. If I go to log in to Roundcube -- and do so as ROUNDCUBE@viabit.com -- the login fails. So, the username gets silently lowercased and the second try succeeds transparently to the user. But, the user in the Roundcube database has the capitalization that I entered:
roundcube=# select username from users order by user_id DESC limit 1;
       username
----------------------
 ROUNDCUBE@viabit.com
(1 row)
And none of these usernames exist before? That shouldn't happen. I propose to check with 0.8. Are you using postgres?
On 09/21/2012 05:15 AM, A.L.E.C wrote:
roundcube=# select username from users order by user_id DESC limit 1;
       username
----------------------
 ROUNDCUBE@viabit.com
(1 row)
And none of these usernames exist before? That shouldn't happen. I propose to check with 0.8. Are you using postgres?
Correct, I just got around to creating a trac account and opened the ticket. I can test with 0.8 in a few hours probably.
On 09/21/2012 12:06 PM, Michael Orlitzky wrote:
On 09/21/2012 05:15 AM, A.L.E.C wrote:
roundcube=# select username from users order by user_id DESC limit 1;
       username
----------------------
 ROUNDCUBE@viabit.com
(1 row)
And none of these usernames exist before? That shouldn't happen. I propose to check with 0.8. Are you using postgres?
Correct, I just got around to creating a trac account and opened the ticket. I can test with 0.8 in a few hours probably.
Confirmed on 0.8.1.