diff --git a/src/groups.js b/src/groups.js
index d315d7504..03bb0e33d 100644
--- a/src/groups.js
+++ b/src/groups.js
@@ -56,15 +56,18 @@ GroupError.BAD_FIELD = 'Field error';
 GroupError.NOT_EMPTY = 'Not Empty';
 GroupError.NOT_ALLOWED = 'Not Allowed';
+// keep this in sync with validateUsername
 function validateGroupname(name) {
 assert.strictEqual(typeof name, 'string');
+ if (name.length < 2) return new GroupError(GroupError.BAD_FIELD, 'name must be atleast 2 chars');
 if (name.length >= 200) return new GroupError(GroupError.BAD_FIELD, 'name too long');
- if (!/^[A-Za-z0-9_-]*$/.test(name)) return new GroupError(GroupError.BAD_FIELD, 'name can only have A-Za-z0-9_-');
- if (constants.RESERVED_NAMES.indexOf(name) !== -1) return new GroupError(GroupError.BAD_FIELD, 'name is reserved');
+ // +/- can be tricky in emails
+ if (/[^a-zA-Z0-9.]/.test(name)) return new GroupError(GroupError.BAD_FIELD, 'name can only contain alphanumerals and dot');
+ // app emails are sent using the .app suffix
 if (name.indexOf('.app') !== -1) return new GroupError(GroupError.BAD_FIELD, 'name pattern is reserved for apps');
diff --git a/src/test/groups-test.js b/src/test/groups-test.js
index 3b9537670..575fea7ec 100644
--- a/src/test/groups-test.js
+++ b/src/test/groups-test.js
@@ -82,6 +82,13 @@ describe('Groups', function () {
 });
 });
+ it('cannot create group - invalid', function (done) {
+ groups.create('cloudron-admin', function (error) {
+ expect(error.reason).to.be(GroupError.BAD_FIELD);
+ done();
+ });
+ });
+
 it('can create valid group', function (done) {
 groups.create(GROUP0_NAME, function (error, result) {
 expect(error).to.be(null);
diff --git a/src/test/user-test.js b/src/test/user-test.js
index c502b708a..7640eabd6 100644
--- a/src/test/user-test.js
+++ b/src/test/user-test.js
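Review bot: The new character check on the `/[^a-zA-Z0-9.]/` line permits a dot at any position, so names such as `.admin`, `admin.` or `a..b` pass validation even though the comment gives mail addressing as the reason for the change, and a leading, trailing or doubled dot is exactly what makes a mail local part malformed; add `if (/^\.|\.$|\.\./.test(name)) return new GroupError(GroupError.BAD_FIELD, 'name cannot start or end with a dot or contain consecutive dots');` directly after it. The hunk also drops the `constants.RESERVED_NAMES` lookup for groups while user.js in this same commit keeps it, so unless every reserved entry contains a character the new pattern rejects, a group can now be created under a name that is still refused for users. The new groups-test case with `cloudron-admin` does not cover that, because the hyphen is rejected by the character check first. validateGroupname continues past the end of the hunk.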
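Review bot: The added `cannot create group - invalid` case dereferences `error.reason` without first asserting that `error` is set, so a regression that lets `groups.create` accept `cloudron-admin` would surface as a TypeError thrown inside the callback rather than as a failed expectation; the user-test hunk in this commit does `expect(error).to.be.ok();` first, and the same line belongs here before `expect(error.reason).to.be(GroupError.BAD_FIELD);`. The describe block enclosing this test starts and ends outside the hunk.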
@@ -157,8 +157,8 @@ describe('User', function () {
 });
 });
- it('fails due to reserved username', function (done) {
- user.create('Mailer-Daemon', PASSWORD, EMAIL, DISPLAY_NAME, AUDIT_SOURCE, function (error, result) {
+ it('fails due to invalid username', function (done) {
+ user.create('moo-daemon', PASSWORD, EMAIL, DISPLAY_NAME, AUDIT_SOURCE, function (error, result) {
 expect(error).to.be.ok();
 expect(result).to.not.be.ok();
 expect(error.reason).to.equal(UserError.BAD_FIELD);
diff --git a/src/user.js b/src/user.js
index 73a85040a..ff89d2a6e 100644
--- a/src/user.js
+++ b/src/user.js
@@ -86,13 +86,14 @@ UserError.WRONG_PASSWORD = 'Wrong User or Password';
 UserError.BAD_FIELD = 'Bad field';
 UserError.BAD_TOKEN = 'Bad token';
+// keep this in sync with validateGroupname
 function validateUsername(username) {
 assert.strictEqual(typeof username, 'string');
 // allow empty usernames
 if (username === '') return null;
 if (username.length <= 1) return new UserError(UserError.BAD_FIELD, 'Username must be atleast 2 chars');
- if (username.length > 256) return new UserError(UserError.BAD_FIELD, 'Username too long');
+ if (username.length >= 200) return new UserError(UserError.BAD_FIELD, 'name too long');
 if (constants.RESERVED_NAMES.indexOf(username) !== -1) return new UserError(UserError.BAD_FIELD, 'Username is reserved');