When consolidating my DB, I noticed that I have multiple usernames for essentially the same user on a server.
The mail server does not require a hostname to log in, so the config for RC is:
$rcmail_config['default_host'] = 'domain.tld';
$rcmail_config['username_domain'] = '';
However, I noticed that with this config RC allows ANY domain to be included in the username login, which then creates multiple records for the same username (so different RC configs/contacts/identities).
I watched the mail server logs, and in this configuration, RC strips the domain part out of the username and sends authentication to the IMAP server. I used myname@blah.com in the username field, but IMAP shows:
May 3 12:20:38 mail dovecot: imap-login: Login: user=<myname>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x
So what happens is a user can basically enter "myname@blah.com" in the username field of the login form. Authentication succeeds but now there is a new entry in the DB of a username of "myname@blah.com" associated with the actual host field of the mail server.
This can cause user confusion, since now there are 2 (or more) entries for the same user, but with different contacts, etc. I.e., a user logging in with a username of "myname", but later with a username of "myname@domain.tld", succeeds; however, they won't see the same configs.
Also, this could be used maliciously to easily fill up RC's DB with 1000s of entries by a user creating multiple DB entries of "myname@blah1.com", "myname@blah2.com", etc.
I guess I could fill in the username_domain field to domain.tld, but then similar to my other report, there should be some way to have DB creation of a new user to use just the username portion of the login field and the mail server host for the hostname field to prevent multiple entries as described above.
Edit: adding "domain.tld" to the username_domain field did not work. I'm still able to create new user entries with a username of "myname@blahXXX.com" on login.
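An added example, not part of the original report and not Roundcube code: a check that finds the duplicate records described above by grouping stored usernames on the part before the "@" plus the mail host. The table name `users` and the columns `user_id`, `username` and `mail_host` are assumptions about the schema, and the rows are constructed sample data in an in-memory SQLite database.

```python
import sqlite3
from collections import defaultdict


def canonical_user(login: str) -> str:
    """Drop everything from the first '@', matching the stripped name
    that appears in the IMAP login log line."""
    return login.split("@", 1)[0].strip()


def find_duplicate_users(conn):
    """Return {(local_part, mail_host): [(user_id, username), ...]} for every
    group that has more than one stored record."""
    groups = defaultdict(list)
    query = "SELECT user_id, username, mail_host FROM users ORDER BY user_id"
    for user_id, username, mail_host in conn.execute(query):
        groups[(canonical_user(username), mail_host)].append((user_id, username))
    return {key: recs for key, recs in groups.items() if len(recs) > 1}


def build_sample_db():
    """Constructed sample data; schema names are assumed, not verified."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "username TEXT, mail_host TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, mail_host) VALUES (?, ?)",
        [
            ("myname", "domain.tld"),
            ("myname@blah.com", "domain.tld"),
            ("myname@blah1.com", "domain.tld"),
            ("myname@domain.tld", "domain.tld"),
            ("other", "domain.tld"),
        ],
    )
    return conn


if __name__ == "__main__":
    for (local, host), recs in find_duplicate_users(build_sample_db()).items():
        print(f"{local} on {host}: {len(recs)} records")
        for user_id, username in recs:
            print(f"  user_id={user_id} username={username}")
```

A sudden rise in the number of records per group is also a usable signal for the DB-filling abuse mentioned in the report.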