Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1609
Views
0
Helpful
2
Replies

Listnerconfig issues with %

Go to solution
Rick Williams
Level 1
Level 1

‎11-27-2013 07:01 AM

Hi,

Within the Listner config there is a setting for "Reject These Characters in User Names" The default listed characters are %!:@

I am hoping that someone could provide a "technical" or "Security risk" explanation as to why the % sign is blocked.

The company I am working for is part of a large financial organisation. Our head office are (were) sending emails with the % sign as part of the email address. Since the Ironport was implemented it has naturally started to drop the emails.

Any good explanation would greatly assist with avoiding having to remove the % from the Reject list.

Thanks in Advance.

Rick.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Andreas Mueller
Level 4
Level 4

‎12-02-2013 03:49 AM

Hello Rick,

the characters specified  in that setting (%!:@) are legal per  RFC to be used in usernames, but rarely used today. As for the % symbol,  it is used in some programming languages, such as JavaScript, and also  in SQL as a wildcard character, so my guess is that blocking this  character is supposed to prevent injection of malicious code via the  sender or recipient address to clients that may be vulnerable for this  kind of attacks. This is of cours just an assumption of mine, and not an  official statement, hope it will be helpful, though.

Regards,

Andreas

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Andreas Mueller
Level 4
Level 4

‎12-02-2013 03:49 AM

Hello Rick,

the characters specified  in that setting (%!:@) are legal per  RFC to be used in usernames, but rarely used today. As for the % symbol,  it is used in some programming languages, such as JavaScript, and also  in SQL as a wildcard character, so my guess is that blocking this  character is supposed to prevent injection of malicious code via the  sender or recipient address to clients that may be vulnerable for this  kind of attacks. This is of cours just an assumption of mine, and not an  official statement, hope it will be helpful, though.

Regards,

Andreas

0 Helpful

Go to solution
Rick Williams
Level 1
Level 1
In response to Andreas Mueller

‎12-03-2013 02:10 AM

Hi Andreas,

This was also my thoughts. Unfortunatley without a specific answer I cannot request it be changed.

I will mark your answer as correct, thanks for the response.

Rick.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents