diff --git a/CHANGELOG.TXT b/CHANGELOG.TXT
index f9935a70..d67beda9 100644
--- a/CHANGELOG.TXT
+++ b/CHANGELOG.TXT
@@ -15,7 +15,9 @@ Changes since 2.3.6 release
 - lt.lang, da.lang translation update
 - when enabling/disabling a mailbox, also update the corresponding alias
 - fix creating superadmin in setup.php with MariaDB (more strict SQL)
- - trim() localpart in create-mailbox to avoid mailbox names with leading space
+ - don't trim() mail address to avoid that aliases starting with a space are
+ allowed. This fixes http://sourceforge.net/p/postfixadmin/bugs/210/ and
+ https://sourceforge.net/p/postfixadmin/feature-requests/113/
 - mark vacation_notification.notified field as latin1 to avoid overlong index
 - vacation.pl: encode subject
 - vacation.pl: disable use of TLS by default due to a bug in Mail::Sender 0.8.22
diff --git a/create-mailbox.php b/create-mailbox.php
index 48cb90f8..6292d52b 100644
--- a/create-mailbox.php
+++ b/create-mailbox.php
@@ -71,7 +71,7 @@ if ($_SERVER['REQUEST_METHOD'] == "GET")
 if ($_SERVER['REQUEST_METHOD'] == "POST")
 {
- if (isset ($_POST['fUsername']) && isset ($_POST['fDomain'])) $fUsername = escape_string (trim($_POST['fUsername'])) . "@" . escape_string ($_POST['fDomain']);
+ if (isset ($_POST['fUsername']) && isset ($_POST['fDomain'])) $fUsername = escape_string ($_POST['fUsername']) . "@" . escape_string ($_POST['fDomain']);
 $fUsername = strtolower ($fUsername);
 if (isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']);
 if (isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']);
diff --git a/functions.inc.php b/functions.inc.php
index 863126f0..5184e447 100644
--- a/functions.inc.php
+++ b/functions.inc.php
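Review bot: In create-mailbox.php the new `$fUsername` assignment has no comment saying that the local part is deliberately left untrimmed. The changelog entry this commit replaces shows that trim() was added at this spot earlier as a fix, so the line is easy to "repair" back into the bug. I would put `// no trim(): check_email() must see the address exactly as it will be stored` directly above it. The call that validates `$fUsername` lies outside this hunk, so it is worth confirming that check_email() runs on this exact value before the mailbox row is written.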
@@ -284,7 +284,7 @@ function check_email ($email)
 }
 // Perform non-domain-part sanity checks
- if (!preg_match ('/^[-!#$%&\'*+\\.\/0-9=?A-Z^_{|}~]+' . '@' . '[^@]+$/i', trim ($ce_email)))
+ if (!preg_match ('/^[-!#$%&\'*+\\.\/0-9=?A-Z^_{|}~]+' . '@' . '[^@]+$/i', $ce_email))
 {
 flash_error($PALANG['pInvalidMailRegex']);
 return false;
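Review bot: The pattern on the changed preg_match line still accepts whitespace after the `@`: `[^@]+` matches spaces and newlines, and `$` without the `D` modifier also matches before a final newline. Removing trim() makes a leading space fail the local-part class, but an address with trailing whitespace still passes this test unless the domain check above the hunk rejects it. Tightening the same line removes that dependency: `if (!preg_match ('/^[-!#$%&\'*+\\.\/0-9=?A-Z^_{|}~]+' . '@' . '[^@\s]+$/iD', $ce_email))`. check_email() starts and ends outside the hunk, so how `$ce_email` is derived from `$email` is not visible here.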