I'm working on setting up an e-mail service.

I've got the e-mail servers working beautifully and am presently working on re-writing the parts of Roundcube I don't like (e.g. it uses inline JavaScript in a few places so CSP breaks it) but -

Is there any advice on characters to allow in usernames?

I know there are some wacky characters that are legal in e-mail addresses but are generally frowned upon - like

"very.(),:;<>[]\".VERY.\"very@\ \"very\".unusual"@example.com

is apparently a legal address - but I know I don't want to allow ampersands and brackets etc. in an address.

I don't think a whitelist alphabet is the best approach because of people with names that are not spelled with Latin characters.

Is there an existing blacklist of characters that are technically legal but are generally avoided in e-mail addresses?

Thanks
On Sat, April 30, 2016 1:28 pm, Alice Wonder wrote:
> I'm working on setting up an e-mail service.
>
> I've got the e-mail servers working beautifully and am presently working
> on re-writing the parts of Roundcube I don't like (e.g. it uses inline
> JavaScript in a few places so CSP breaks it) but -

Alice, you may be a lifesaver! Are you considering to also take a fresh look at Roundcube plugins? There is one thing I couldn't find. On my mail servers I use amavis as a superstructure above spamassassin and clamav. And there is a way to have users' individual spam/virus preferences in mysql database (alas, postgresql didn't work in all my attempts). And the only missing thing here I never found is how to give users a way to edit their whitelist/blacklist preferences. There is a long list of things I tried to harness... so far amacube is the closest to giving users the way to edit preferences, and only whitelist/blacklist is missing from it.

Thanks a lot for all your efforts!!

Valeri

> Is there any advice on characters to allow in usernames?
>
> I know there are some wacky characters that are legal in e-mail
> addresses but are generally frowned upon - like
>
> "very.(),:;<>[]\".VERY.\"very@\ \"very\".unusual"@example.com
>
> is apparently a legal address - but I know I don't want to allow
> ampersands and brackets etc. in an address.
>
> I don't think a whitelist alphabet is the best approach because of people
> with names that are not spelled with Latin characters.
>
> Is there an existing blacklist of characters that are technically legal but
> are generally avoided in e-mail addresses?
>
> Thanks

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 04/30/2016 11:28 AM, Alice Wonder wrote:
> Is there any advice on characters to allow in usernames?
...
> I don't think a whitelist alphabet is the best approach because of people
> with names that are not spelled with Latin characters.
>
> Is there an existing blacklist of characters that are technically legal
> but are generally avoided in e-mail addresses?

The RFC uses a list of allowed characters, and so must you.

My advice is, first, don't write this yourself. There is almost certainly a library for validating RFC-compliant usernames in whatever programming language you use; locate one and use it.

Second, when validating user names, you must be aware of the features of your email server. For instance, it may use the '-' character or the '+' character as a way to allow user-local extensions. Thus "example-foo," "example-bar," and "example" may all be the same user/mailbox. If you are not aware of this, then a new user might be set up as "example-bar" and one would mask the other. Either the old user would prevent the new one from receiving any mail, or the new one would begin intercepting some of the old user's mail. Thus, because a character is allowed by RFC does not mean that you should allow it in usernames.

Third, you should be aware that non-ASCII support was defined in RFC 6531, in 2012. That's very recent as RFCs go, and it is not widely supported today. None of the mail servers shipped with CentOS 7, for instance, include such support. Even if you build your own software that supports the RFC, users with non-ASCII usernames will not be able to send or receive email with remote domains that don't include such support.

https://en.wikipedia.org/wiki/Extended_SMTP#List_of_supporting_servers_3
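Added example, not part of the original thread or any poster's code: a provisioning-time check for the masking problem described in the message above, where a requested username and an existing mailbox differ only by a server extension delimiter. The function names, the sample mailboxes, the "+-" delimiter set and the case folding are assumptions; substitute the delimiter your own mail server is configured with.

```python
# Added example: detect usernames that would collide through address extensions.
# Assumptions: delimiters "+" and "-", and a server that folds local-part case.


def extension_bases(local_part, delimiters):
    """Return every prefix of local_part that ends just before a delimiter.

    All split points are considered, so the result does not depend on
    whether the server splits at the first or the last delimiter.
    """
    return {local_part[:i] for i, ch in enumerate(local_part)
            if ch in delimiters and i > 0}


def find_collisions(candidate, existing, delimiters="+-"):
    """List (mailbox, reason) pairs that make candidate unsafe to create."""
    cand = candidate.lower()  # assumption: the server folds case
    taken = {name.lower() for name in existing}
    problems = []
    if cand in taken:
        problems.append((cand, "identical"))
    # e.g. "example-bar" requested while "example" already exists
    for base in sorted(extension_bases(cand, delimiters) & taken):
        problems.append((base, "candidate-extends-existing"))
    # e.g. "bob" requested while "bob-smith" already exists
    for name in sorted(taken):
        if cand in extension_bases(name, delimiters):
            problems.append((name, "existing-extends-candidate"))
    return problems


# Constructed sample data, not taken from any real system.
SAMPLE_MAILBOXES = ["example", "alice", "bob-smith"]

if __name__ == "__main__":
    for wanted in ["example-bar", "bob", "alice+news", "carol"]:
        print(wanted, find_collisions(wanted, SAMPLE_MAILBOXES))
```

An empty list means the name neither masks nor is masked by an existing mailbox under the configured delimiters; anything else should block account creation or go to an administrator for review.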
On 04/30/2016 12:07 PM, Valeri Galtsev wrote:
>
> On Sat, April 30, 2016 1:28 pm, Alice Wonder wrote:
>> I'm working on setting up an e-mail service.
>>
>> I've got the e-mail servers working beautifully and am presently working
>> on re-writing the parts of Roundcube I don't like (e.g. it uses inline
>> JavaScript in a few places so CSP breaks it) but -
>
> Alice, you may be a lifesaver! Are you considering to also take a fresh
> look at Roundcube plugins? There is one thing I couldn't find. On my mail
> servers I use amavis as a superstructure above spamassassin and clamav. And
> there is a way to have users' individual spam/virus preferences in mysql
> database (alas, postgresql didn't work in all my attempts). And the only
> missing thing here I never found is how to give users a way to edit their
> whitelist/blacklist preferences. There is a long list of things I tried to
> harness... so far amacube is the closest to giving users the way to edit
> preferences, and only whitelist/blacklist is missing from it.
>
> Thanks a lot for all your efforts!!

Those are things I want to have, so I will try to figure it out.

I'm not positive it will be compatible with stock Roundcube though; I'm rewriting a lot of Roundcube in DOMDocument because I really prefer XML output for a variety of reasons.
On 04/30/2016 12:22 PM, Gordon Messmer wrote:
> On 04/30/2016 11:28 AM, Alice Wonder wrote:
>> Is there any advice on characters to allow in usernames?
> ...
>> I don't think a whitelist alphabet is the best approach because of people
>> with names that are not spelled with Latin characters.
>>
>> Is there an existing blacklist of characters that are technically legal
>> but are generally avoided in e-mail addresses?
>
> The RFC uses a list of allowed characters, and so must you.

For e-mail sent to people, yes.

But for what usernames are allowed when creating an account, I don't see why blacklisting characters that are not allowed in a username is a standards problem.