Don't raise rate limit exception on hit(), only on check()

master
Michael Wyraz 5 years ago
parent a7f787f914
commit 70f797dbd9

@ -33,5 +33,4 @@ class Limiter:
# disable limits for internal requests (e.g. from webmail)?
if rate_limit_subnet==False and ipaddress.ip_address(clientip) in self.subnet:
return
if not self.limiter.hit(self.rate,"client-ip",clientip):
raise RateLimitExceeded()
self.limiter.hit(self.rate,"client-ip",clientip)
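Review bot: the return value of `self.limiter.hit(self.rate,"client-ip",clientip)` is now discarded and nothing left in this method enforces the limit, so enforcement depends entirely on a separate `check()` call that is not visible in this hunk; confirm that every IMAP, POP and SMTP authentication path calls it before credentials are verified, otherwise the counter is incremented but never acted on. The documentation hunk below also redefines the value as a limit on failed authentication attempts, yet this method still calls `hit()` unconditionally, so either it must be invoked only after a failed login or the docs should keep saying "requests". As a minor style point, `rate_limit_subnet==False` would read better as `not rate_limit_subnet`.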

@ -38,8 +38,14 @@ recommended to setup a generic value and later configure a mail alias for that
address.
The ``AUTH_RATELIMIT`` holds a security setting for fighting attackers that
try to guess user passwords. The value is the limit of requests that a single
IP address can perform against IMAP, POP and SMTP authentication endpoints.
try to guess user passwords. The value is the limit of failed authentication attempts
that a single IP address can perform against IMAP, POP and SMTP authentication endpoints.
If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (which is the default), the ``AUTH_RATELIMIT``
rules does also apply to auth requests coming from ``SUBNET``, especially for the webmail.
If you disable this, ensure that the rate limit on the webmail is enforced in a different
way (e.g. roundcube plug-in), otherwise an attacker can simply bypass the limit using webmail.
The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.
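Review bot: the new text says the limit counts "failed authentication attempts", which only holds if the code path in the first hunk is reached solely after a failed login; if that is not the case, the earlier wording ("requests") was the accurate one, so the two hunks should be reconciled. On wording, "the ``AUTH_RATELIMIT`` rules does also apply" should read "rules also apply", and "e.g. roundcube plug-in" would be clearer as "e.g. a Roundcube plug-in". The surrounding context also carries two typos worth fixing while here: "recommended to setup" should be "set up", and "cause Mailu not to server any web content" should be "serve".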
