diff --git a/chatmaild/src/chatmaild/config.py b/chatmaild/src/chatmaild/config.py
index 967a77db..48fd98a2 100644
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -38,9 +38,11 @@ class Config:
 return open(self._inipath, "rb")
 def get_user_maildir(self, addr):
- if not addr or "/" in addr:
- raise ValueError(addr)
- return self.mail_basedir.joinpath(addr)
+ if addr and addr != "." and "/" not in addr:
+ res = self.mail_basedir.joinpath(addr).resolve()
+ if res.is_relative_to(self.mail_basedir):
+ return res
+ raise ValueError(f"invalid address {addr!r}")
 def write_initial_config(inipath, mail_domain):
diff --git a/chatmaild/src/chatmaild/tests/test_config.py b/chatmaild/src/chatmaild/tests/test_config.py
index 7881724d..38dca6f6 100644
--- a/chatmaild/src/chatmaild/tests/test_config.py
+++ b/chatmaild/src/chatmaild/tests/test_config.py
@@ -43,7 +43,15 @@ def test_get_user_maildir(make_config):
 with pytest.raises(ValueError):
 config.get_user_maildir("")
+
 with pytest.raises(ValueError):
 config.get_user_maildir(None)
+
 with pytest.raises(ValueError):
 config.get_user_maildir("../some@something.testrun.org")
+
+ with pytest.raises(ValueError):
+ config.get_user_maildir("..")
+
+ with pytest.raises(ValueError):
+ config.get_user_maildir(".")
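Review bot: The containment test in `get_user_maildir` compares the resolved `res` against `self.mail_basedir` as stored, so if that base is relative or reached through a symlink (how it is built is not visible in this hunk), `is_relative_to` would fail for every address and valid users would be rejected. Resolving both sides and requiring a direct child removes that dependency: `base = self.mail_basedir.resolve()` followed by `if res.parent == base:`, which also states outright that the result sits exactly one level below the base instead of leaning on the separate `"."` comparison. The method now returns a resolved path where it previously returned the plain join, which callers that compare or log paths may notice. A one-line docstring saying that empty, `None`, `"."`, slash-containing and escaping addresses raise `ValueError` would document the contract.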
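Review bot: Every rejected input in this test is a string-level case (`""`, `None`, `"../…"`, `".."`, `"."`), so nothing exercises the filesystem side of the new `resolve()` check, namely an entry inside the mail base directory that is a symlink to a location outside it. A case that creates such a link under the configured base and asserts `pytest.raises(ValueError)` would pin that behaviour, assuming the `make_config` fixture (defined outside this hunk) provides a writable base directory. The five near-identical `with` blocks could also collapse into `@pytest.mark.parametrize("addr", ["", None, ".", "..", "../some@something.testrun.org"])`. `test_get_user_maildir` starts above the hunk, so any positive-path assertion is not visible here.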