diff --git a/src/constants.js b/src/constants.js
index c3aedaa56..724758f74 100644
--- a/src/constants.js
+++ b/src/constants.js
@@ -9,6 +9,17 @@ exports = module.exports = {
     MAIL_LOCATION: 'my', // not a typo! should be same as admin location until we figure out certificates
     POSTMAN_LOCATION: 'postman', // used in dovecot bounces
 
+    // These are combined into one array because users and groups become mailboxes
+    RESERVED_NAMES: [
+        // Reserved usernames
+        // https://github.com/gogits/gogs/blob/52c8f691630548fe091d30bcfe8164545a05d3d5/models/repo.go#L393
+        'admin', // reserved for seding emails
+        'no-reply', 'postmaster', 'mailer-daemon', // apps like wordpress, gogs don't like these
+
+        // Reserved groups
+        'admins', 'users'         // ldap code uses 'users' pseudo group
+    ],
+
     ADMIN_NAME: 'Settings',
 
     ADMIN_CLIENT_ID: 'webadmin', // oauth client id
diff --git a/src/groups.js b/src/groups.js
index c079e715a..9ac7db90f 100644
--- a/src/groups.js
+++ b/src/groups.js
@@ -56,14 +56,12 @@ GroupError.NOT_ALLOWED = 'Not Allowed';
 
 function validateGroupname(name) {
     assert.strictEqual(typeof name, 'string');
-    var RESERVED = [ 'admins', 'users' ]; // ldap code uses 'users' pseudo group
-
     if (name.length <= 2) return new GroupError(GroupError.BAD_FIELD, 'name must be atleast 2 chars');
     if (name.length >= 200) return new GroupError(GroupError.BAD_FIELD, 'name too long');
 
     if (!/^[A-Za-z0-9_-]*$/.test(name)) return new GroupError(GroupError.BAD_FIELD, 'name can only have A-Za-z0-9_-');
 
-    if (RESERVED.indexOf(name) !== -1) return new GroupError(GroupError.BAD_FIELD, 'name is reserved');
+    if (constants.RESERVED_NAMES.indexOf(name) !== -1) return new GroupError(GroupError.BAD_FIELD, 'name is reserved');
 
     // app emails are sent using the .app suffix
     if (name.indexOf('.app') !== -1) return new GroupError(GroupError.BAD_FIELD, 'name pattern is reserved for apps');
diff --git a/src/user.js b/src/user.js
index 1db208b72..f00e6c3f8 100644
--- a/src/user.js
+++ b/src/user.js
@@ -87,17 +87,13 @@ UserError.BAD_TOKEN = 'Bad token';
 
 function validateUsername(username) {
     assert.strictEqual(typeof username, 'string');
-    // https://github.com/gogits/gogs/blob/52c8f691630548fe091d30bcfe8164545a05d3d5/models/repo.go#L393
-    // admin@fqdn is also reservd for sending emails
-    var RESERVED_USERNAMES = [ 'admin', 'no-reply', 'postmaster', 'mailer-daemon' ]; // apps like wordpress, gogs don't like these
-
     // allow empty usernames
     if (username === '') return null;
 
     if (username.length <= 1) return new UserError(UserError.BAD_FIELD, 'Username must be atleast 2 chars');
     if (username.length > 256) return new UserError(UserError.BAD_FIELD, 'Username too long');
 
-    if (RESERVED_USERNAMES.indexOf(username) !== -1) return new UserError(UserError.BAD_FIELD, 'Username is reserved');
+    if (constants.RESERVED_NAMES.indexOf(username) !== -1) return new UserError(UserError.BAD_FIELD, 'Username is reserved');
 
     // +/- can be tricky in emails
     if (/[^a-zA-Z0-9.]/.test(username)) return new UserError(UserError.BAD_FIELD, 'Username can only contain alphanumerals and dot');