Don't raise rate limit exception on hit(), only on check()

5 years ago · 70f797dbd9
parent a7f787f914
commit 70f797dbd9
2 changed files with 9 additions and 4 deletions
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@ -33,5 +33,4 @@ class Limiter:
        # disable limits for internal requests (e.g. from webmail)?
        if rate_limit_subnet==False and ipaddress.ip_address(clientip) in self.subnet:
            return
-        if not self.limiter.hit(self.rate,"client-ip",clientip):
-            raise RateLimitExceeded()
+        self.limiter.hit(self.rate,"client-ip",clientip)
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -38,8 +38,14 @@ recommended to setup a generic value and later configure a mail alias for that
 address.

 The ``AUTH_RATELIMIT`` holds a security setting for fighting attackers that
-try to guess user passwords. The value is the limit of requests that a single
-IP address can perform against IMAP, POP and SMTP authentication endpoints.
+try to guess user passwords. The value is the limit of failed authentication attempts
+that a single IP address can perform against IMAP, POP and SMTP authentication endpoints.
+
+If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (which is the default), the ``AUTH_RATELIMIT``
+rules does also apply to auth requests coming from ``SUBNET``, especially for the webmail.
+If you disable this, ensure that the rate limit on the webmail is enforced in a different
+way (e.g. roundcube plug-in), otherwise an attacker can simply bypass the limit using webmail.
+

 The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
 ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.