Jochen Erwied wrote:
> Wednesday, March 3, 2004, 9:06:41 PM, you wrote:
>
>> Is '#' a valid (unquoted) char in a local part? I was unsure on
>> where to look.
>
> Although it is quite unusual, it seems to be allowed according to
> RFC2822 (ftp://ftp.rfc-editor.org/in-notes/rfc2822.txt):
>
> atext = ALPHA / DIGIT / ; Any character except
> controls, "!" / "#" / ; SP, and specials.
> "$" / "%" / ; Used for atoms
> "&" / "'" /
> "*" / "+" /
> "-" / "/" /
> "=" / "?" /
> "^" / "_" /
> "`" / "{" /
> "|" / "}" /
> "~"
>
> atom = [CFWS] 1*atext [CFWS]
>
> dot-atom = [CFWS] dot-atom-text [CFWS]
>
> dot-atom-text = 1*atext *("." 1*atext)
>
> local-part = dot-atom / quoted-string / obs-local-part
Yep sir - there are a bunch of legal characters that could cause a whole
whack load of potential issues.
Here's a regex that I've got which I'd think is good enough for excluding
potential problematic characters from local parts:
local_parts = ^\\. : ^.+\\.\\. : ^.*[\%\/\!\&\$\@\|\~\`]
I have that in my RCPT ACL so that even if one of my clueless users decides
(somehow gets past the interface for creating users since we store stuff in
SQL) to make a user with one of %/!&$@|~` in their username, they still
won't get email to it (this way they can't whine if they say "well I've
already got it set up!").
I made a post about a month or two ago about local parts on this list and
got good feedback. The end result was that regex limitation which I believe
is very good and will not cause any problems with existing software which
may use special characters (such as mailing list daemons and such).
John Jetmore - Personally I would tell your user that they have no choice
but to change the username. I've found that giving an exemption to one user
either makes them feel that you are more likely to grant them other
exeptions down the road, and the more you do grant, makes your
administrative life all that much more difficult (such as you found out!).
Besides, who in their right mind needs a # in their email address, let alone
the first character!?
So far, in my 10+ years since I first started using anything Internet
related, I have only *once* come across a user who had done something like
this - they had an address something like "fun!@???". They were a
new client emailing in for support and I instantly told them to change the
email address because it will cause them nothing but problems.
Hacking the source code for software to allow a single user to get their way
isn't the right thing to do - punish the user, not yourself :P
Eli.
