I'm working on setting up an e-mail service.
I've got the e-mail servers working beautifully and am presently working on re-writing the parts of Roundcube I don't like (e.g. it uses inline JavaScript in a few places so CSP breaks it) but -
Is there any advice on characters to allow in usernames?
I know there are some wacky characters that are legal in e-mail addresses but are generally frowned upon - like
"very.(),:;<>[]".VERY."very@\ "very".unusual"@example.com
is apparently a legal address - but I know I don't want to allow ampersands and brackets etc. in an address.
I don't think a whitelist alphabet is the best approach because of people with names that are not spelled with Latin characters.
Is there an existing blacklist of characters that are technically legal but are generally avoided in e-mail addresses?
Thanks
On Sat, April 30, 2016 1:28 pm, Alice Wonder wrote:
> I'm working on setting up an e-mail service.
> I've got the e-mail servers working beautifully and am presently working on re-writing the parts of Roundcube I don't like (e.g. it uses inline JavaScript in a few places so CSP breaks it) but -
Alice, you may be a lifesaver! Are you considering to also take a fresh look at Roundcube plugins? There is one thing I couldn't find. On my mail servers I use amavis as a superstructure above spamassassin and clamav. And there is a way to have users' individual spam/virus preferences in mysql database (alas, postgresql didn't work in all my attempts). And the only missing thing here I never found is how to give users a way to edit their whitelist/blacklist preferences. There is a long list of things I tried to harness... so far amacube is the closest to giving users the way to edit preferences, and only whitelist/blacklist is missing from it.
Thanks a lot for all your efforts!!
Valeri
> Is there any advice on characters to allow in usernames?
> I know there are some wacky characters that are legal in e-mail addresses but are generally frowned upon - like
> "very.(),:;<>[]".VERY."very@\ "very".unusual"@example.com
> is apparently a legal address - but I know I don't want to allow ampersands and brackets etc. in an address.
> I don't think a whitelist alphabet is the best approach because of people with names that are not spelled with Latin characters.
> Is there an existing blacklist of characters that are technically legal but are generally avoided in e-mail addresses?
> Thanks
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On 04/30/2016 12:07 PM, Valeri Galtsev wrote:
> On Sat, April 30, 2016 1:28 pm, Alice Wonder wrote:
>> I'm working on setting up an e-mail service.
>> I've got the e-mail servers working beautifully and am presently working on re-writing the parts of Roundcube I don't like (e.g. it uses inline JavaScript in a few places so CSP breaks it) but -
> Alice, you may be a lifesaver! Are you considering to also take a fresh look at Roundcube plugins? There is one thing I couldn't find. On my mail servers I use amavis as a superstructure above spamassassin and clamav. And there is a way to have users' individual spam/virus preferences in mysql database (alas, postgresql didn't work in all my attempts). And the only missing thing here I never found is how to give users a way to edit their whitelist/blacklist preferences. There is a long list of things I tried to harness... so far amacube is the closest to giving users the way to edit preferences, and only whitelist/blacklist is missing from it.
> Thanks a lot for all your efforts!!
Those are things I want to have, so I will try to figure it out.
I'm not positive it will be compatible with stock Roundcube though, I'm rewriting a lot of Roundcube in DOMDocument because I really prefer XML output for a variety of reasons.
On 04/30/2016 11:28 AM, Alice Wonder wrote:
> Is there any advice on characters to allow in usernames?
> ...
> I don't think a whitelist alphabet is the best approach because of people with names that are not spelled with Latin characters.
> Is there an existing blacklist of characters that are technically legal but are generally avoided in e-mail addresses?
The RFC uses a list of allowed characters, and so must you.
My advice is, first, don't write this yourself. There is almost certainly a library for validating RFC-compliant usernames in whatever programming language you use; locate one and use it.
Second, when validating user names, you must be aware of the features of your email server. For instance, it may use the '-' character or the '+' character as a way to allow user-local extensions. Thus "example-foo," "example-bar," and "example" may all be the same user/mailbox. If you are not aware of this, then a new user might be set up as "example-bar" and one would mask the other. Either the old user would prevent the new one from receiving any mail, or the new one would begin intercepting some of the old user's mail. Thus, because a character is allowed by RFC does not mean that you should allow it in usernames.
Third, you should be aware that non-ASCII support was defined in RFC 6531, in 2012. That's very recent as RFCs go, and it is not widely supported today. None of the mail servers shipped with CentOS 7, for instance, include such support. Even if you build your own software that supports the RFC, users with non-ASCII usernames will not be able to send or receive email with remote domains that don't include such support.
https://en.wikipedia.org/wiki/Extended_SMTP#List_of_supporting_servers_3
On 04/30/2016 12:22 PM, Gordon Messmer wrote:
> On 04/30/2016 11:28 AM, Alice Wonder wrote:
>> Is there any advice on characters to allow in usernames?
>> ...
>> I don't think a whitelist alphabet is the best approach because of people with names that are not spelled with Latin characters.
>> Is there an existing blacklist of characters that are technically legal but are generally avoided in e-mail addresses?
> The RFC uses a list of allowed characters, and so must you.
For e-mail sent to people, yes.
But for what usernames are allowed when creating an account, I don't see why blacklisting characters that are not allowed in a username is a standards problem.
------------ Original Message ------------
Date: Saturday, April 30, 2016 12:44:52 -0700 From: Alice Wonder alice@domblogger.net
> On 04/30/2016 12:22 PM, Gordon Messmer wrote:
>> On 04/30/2016 11:28 AM, Alice Wonder wrote:
>>> Is there any advice on characters to allow in usernames?
>>> ...
>>> I don't think a whitelist alphabet is the best approach because of people with names that are not spelled with Latin characters.
>>> Is there an existing blacklist of characters that are technically legal but are generally avoided in e-mail addresses?
>> The RFC uses a list of allowed characters, and so must you.
> For e-mail sent to people, yes.
> But for what usernames are allowed when creating an account, I don't see why blacklisting characters that are not allowed in a username is a standards problem.
You can set any rules you want for what your local users can use for their accounts -- within the constraints of the mail RFCs. You just have to accept mail with and allow your users to send to any RFC compliant email address.
On Sat, Apr 30, 2016 at 12:44 PM, Alice Wonder alice@domblogger.net wrote:
> For e-mail sent to people, yes.
> But for what usernames are allowed when creating an account, I don't see why blacklisting characters that are not allowed in a username is a standards problem.
That's not how the RFC rules are defined. But, rather than argue that point at length, I'd point out that Open Group standards for usernames are simple and will comply with the SMTP RFCs: http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap03.html#tag_...
That is, [A-Za-z0-9._][A-Za-z0-9._-]
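An added example, not part of the thread: an account-creation check that combines the portable character set quoted just above with the extension-delimiter masking hazard from Gordon Messmer's earlier message ("example-bar" versus "example"). The function names, the default delimiter set "+-", the case-insensitive comparison and the sample accounts are assumptions of this sketch.

```python
import re

# Character set quoted in the thread; the trailing "*" (any length) and the
# 64-octet cap (RFC 5321 local-part limit) are assumptions of this example.
PORTABLE = re.compile(r"[A-Za-z0-9._][A-Za-z0-9._-]*")
MAX_LEN = 64


def base_mailboxes(name, delimiters):
    """Mailboxes `name` could be delivered to if the server strips an
    extension at any delimiter position (conservative: every split counts)."""
    return {name[:i] for i, ch in enumerate(name) if i > 0 and ch in delimiters}


def check_new_username(candidate, existing, delimiters="+-"):
    """Return the reasons to refuse `candidate`; an empty list means accept."""
    problems = []
    if len(candidate) > MAX_LEN:
        problems.append("too long")
    if not PORTABLE.fullmatch(candidate):
        problems.append("outside portable character set")
    if candidate.startswith(".") or candidate.endswith(".") or ".." in candidate:
        problems.append("dot placement invalid in an unquoted local-part")
    # Assumed policy: mailbox names compare case-insensitively.
    cand = candidate.lower()
    taken = {u.lower() for u in existing}
    if cand in taken:
        problems.append("already taken")
    # The new name would be treated as an extension of an existing mailbox.
    for base in sorted(base_mailboxes(cand, delimiters) & taken):
        problems.append(f"masked by existing mailbox {base!r}")
    # An existing name would become an extension of the new mailbox.
    for user in sorted(taken):
        if cand in base_mailboxes(user, delimiters):
            problems.append(f"would capture mail for existing mailbox {user!r}")
    return problems


# Constructed sample accounts, not taken from the thread.
EXISTING = ["example", "john.smith", "ops-team"]

if __name__ == "__main__":
    for name in ["example-bar", "ops", "alice_w", "-alice", "john..smith", "bob smith"]:
        print(f"{name!r}: {check_new_username(name, EXISTING) or 'ok'}")
```

Pass the delimiter characters your own mail server is actually configured with; an empty string disables the masking checks.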
On 04/30/2016 08:56 PM, Gordon Messmer wrote:
> On Sat, Apr 30, 2016 at 12:44 PM, Alice Wonder alice@domblogger.net wrote:
>> For e-mail sent to people, yes.
>> But for what usernames are allowed when creating an account, I don't see why blacklisting characters that are not allowed in a username is a standards problem.
> That's not how the RFC rules are defined. But, rather than argue that point at length, I'd point out that Open Group standards for usernames are simple and will comply with the SMTP RFCs: http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap03.html#tag_...
> That is, [A-Za-z0-9._][A-Za-z0-9._-]
I think there is a mis-understanding.
All I was looking for was if there was a common set of characters typically blasted from new usernames *on the domain being set up*
I have no desire to refuse delivery to any valid e-mail address.
For example, avoiding spaces in usernames for addresses on the system is handy because it avoids bugs where the path to the mailbox on the filesystem isn't properly quoted.
So user names on the system won't be allowed to have spaces even though they are legal when within quotes or escaped.
That's all I was looking for, was experience on what legal characters to avoid allowing users to have for the mailbox portion of their e-mail address, the username.
Of course I have no desire to restrict who they can send to if it is a legal address.
On 01.05.2016 at 06:43, Alice Wonder alice@domblogger.net wrote:
> On 04/30/2016 08:56 PM, Gordon Messmer wrote:
>> On Sat, Apr 30, 2016 at 12:44 PM, Alice Wonder alice@domblogger.net wrote:
>>> For e-mail sent to people, yes.
>>> But for what usernames are allowed when creating an account, I don't see why blacklisting characters that are not allowed in a username is a standards problem.
>> That's not how the RFC rules are defined. But, rather than argue that point at length, I'd point out that Open Group standards for usernames are simple and will comply with the SMTP RFCs: http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap03.html#tag_...
>> That is, [A-Za-z0-9._][A-Za-z0-9._-]
> I think there is a mis-understanding.
> All I was looking for was if there was a common set of characters typically blasted from new usernames *on the domain being set up*
> I have no desire to refuse delivery to any valid e-mail address.
> For example, avoiding spaces in usernames for addresses on the system is handy because it avoids bugs where the path to the mailbox on the filesystem isn't properly quoted.
> So user names on the system won't be allowed to have spaces even though they are legal when within quotes or escaped.
> That's all I was looking for, was experience on what legal characters to avoid allowing users to have for the mailbox portion of their e-mail address, the username.
> Of course I have no desire to restrict who they can send to if it is a legal address.
blacklisting is not a good practice, use the suggested whitelist ...
-- LF
On 05/01/2016 01:57 AM, Leon Fauster wrote:
> On 01.05.2016 at 06:43, Alice Wonder alice@domblogger.net wrote:
>> On 04/30/2016 08:56 PM, Gordon Messmer wrote:
>>> On Sat, Apr 30, 2016 at 12:44 PM, Alice Wonder alice@domblogger.net wrote:
>>>> For e-mail sent to people, yes.
>>>> But for what usernames are allowed when creating an account, I don't see why blacklisting characters that are not allowed in a username is a standards problem.
>>> That's not how the RFC rules are defined. But, rather than argue that point at length, I'd point out that Open Group standards for usernames are simple and will comply with the SMTP RFCs: http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap03.html#tag_...
>>> That is, [A-Za-z0-9._][A-Za-z0-9._-]
>> I think there is a mis-understanding.
>> All I was looking for was if there was a common set of characters typically blasted from new usernames *on the domain being set up*
>> I have no desire to refuse delivery to any valid e-mail address.
>> For example, avoiding spaces in usernames for addresses on the system is handy because it avoids bugs where the path to the mailbox on the filesystem isn't properly quoted.
>> So user names on the system won't be allowed to have spaces even though they are legal when within quotes or escaped.
>> That's all I was looking for, was experience on what legal characters to avoid allowing users to have for the mailbox portion of their e-mail address, the username.
>> Of course I have no desire to restrict who they can send to if it is a legal address.
> blacklisting is not a good practice, use the suggested whitelist ...
I think this is my autism coming into play, I think what is very clear to me I just am not able to adequately communicate because clearly people are not even remotely grasping what I am trying to convey.
On 05/01/2016 05:10 AM, Alice Wonder wrote:
> On 05/01/2016 01:57 AM, Leon Fauster wrote:
>> On 01.05.2016 at 06:43, Alice Wonder alice@domblogger.net wrote:
>>> On 04/30/2016 08:56 PM, Gordon Messmer wrote:
>>>> On Sat, Apr 30, 2016 at 12:44 PM, Alice Wonder alice@domblogger.net wrote:
>>>>> For e-mail sent to people, yes.
>>>>> But for what usernames are allowed when creating an account, I don't see why blacklisting characters that are not allowed in a username is a standards problem.
>>>> That's not how the RFC rules are defined. But, rather than argue that point at length, I'd point out that Open Group standards for usernames are simple and will comply with the SMTP RFCs: http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap03.html#tag_...
>>>> That is, [A-Za-z0-9._][A-Za-z0-9._-]
>>> I think there is a mis-understanding.
>>> All I was looking for was if there was a common set of characters typically blasted from new usernames *on the domain being set up*
>>> I have no desire to refuse delivery to any valid e-mail address.
>>> For example, avoiding spaces in usernames for addresses on the system is handy because it avoids bugs where the path to the mailbox on the filesystem isn't properly quoted.
>>> So user names on the system won't be allowed to have spaces even though they are legal when within quotes or escaped.
>>> That's all I was looking for, was experience on what legal characters to avoid allowing users to have for the mailbox portion of their e-mail address, the username.
>>> Of course I have no desire to restrict who they can send to if it is a legal address.
>> blacklisting is not a good practice, use the suggested whitelist ...
> I think this is my autism coming into play, I think what is very clear to me I just am not able to adequately communicate because clearly people are not even remotely grasping what I am trying to convey.
Basically whether it is a white list or a black list doesn't matter.
One is just the complement set of the other.
It's the set I'm after. Or its complement. I don't care. Not whether my code should use set A or its complement.
On 01/05/16 13:23, Alice Wonder wrote:
> On 05/01/2016 05:10 AM, Alice Wonder wrote:
>> I think this is my autism coming into play, I think what is very clear to me I just am not able to adequately communicate because clearly people are not even remotely grasping what I am trying to convey.
> Basically whether it is a white list or a black list doesn't matter.
> One is just the complement set of the other.
> It's the set I'm after. Or its complement. I don't care. Not whether my code should use set A or its complement.
See Gordon's previous answer above:
That is, [A-Za-z0-9._][A-Za-z0-9._-]
In other words, allowable characters are A-Za-z (upper and lower case), 0-9 (numerics), . and _ (period and underscore).
Hyphens are allowed, but NOT as the first character, so maybe easier to just not allow hyphens in your account usernames.
On 05/01/2016 05:50 AM, Ned Slider wrote:
> On 01/05/16 13:23, Alice Wonder wrote:
>> On 05/01/2016 05:10 AM, Alice Wonder wrote:
>>> I think this is my autism coming into play, I think what is very clear to me I just am not able to adequately communicate because clearly people are not even remotely grasping what I am trying to convey.
>> Basically whether it is a white list or a black list doesn't matter.
>> One is just the complement set of the other.
>> It's the set I'm after. Or its complement. I don't care. Not whether my code should use set A or its complement.
> See Gordon's previous answer above:
> That is, [A-Za-z0-9._][A-Za-z0-9._-]
> In other words, allowable characters are A-Za-z (upper and lower case), 0-9 (numerics), . and _ (period and underscore).
> Hyphens are allowed, but NOT as the first character, so maybe easier to just not allow hyphens in your account usernames.
Well that excludes ' and I've seen ' (and even ’) in things like John.O'neill@example.org - I don't see a need to exclude those (or UTF8 above U+007F that non-western people often use) - which is kind of why I was hoping for a blacklist, characters that should be excluded.
As far as - and . that may not be at the beginning of a username (or two+ consecutive .) etc. - of course after checking for characters that are not allowed, the final address would have to go through a validator.
On 05/01/2016 05:23 AM, Alice Wonder wrote:
> It's the set I'm after. Or its complement. I don't care. Not whether my code should use set A or its complement.
Then you're after RFC 5321 section 4.1.2 and possibly 6531 section 3.3 (but probably not for a few years yet). You should also consider shadow-utils' chkname.c, where valid local user names are restricted to "[a-z_][a-z0-9_-]*[$]" of less than USER_NAME_MAX_LENGTH characters (though not with a regex).
https://tools.ietf.org/html/rfc5321
https://tools.ietf.org/html/rfc6531
http://anonscm.debian.org/cgit/pkg-shadow/shadow.git/tree/libmisc/chkname.c
On Sun, 2016-05-01 at 10:57 +0200, Leon Fauster wrote:
> blacklisting is not a good practice, use the suggested whitelist ...
I disagree from practical experience. My Exim mail servers (MTAs) refused connections from 'amateur' mail senders such as:-
*dynamic.163data.com.cn *airtelbroadband.in *adsl.alicedsl.de *dynamic.se.alltele.net *alshamil.net.ae *adsl.anteldata.net.uy *aphie.info *pools.arcor-ip.net *static.arcor-ip.net *as9105.com *as13285.net *as43234.net
et cetera
and from professional spammers
*compute.amazonaws.com *isp.att.net *bmsend.com *chtah.com *chtah.net *descene.org *dmdelivery.com *dnsinspect.com *edmspread.com *emsmtp.com *emsmtp.us *everydayedeals.com
et cetera
My philosophy is not to be a willing victim of spam and other unwanted time-wasting junk. It is only when concerned citizens like Alice (in) Wonder(land) critically re-examine the status quo, and the justification for it, that things may improve.
Mankind never advances when there is no questioning of established practises.