From 70f797dbd9742c811c83f95cd839f7032129a8ae Mon Sep 17 00:00:00 2001
From: Michael Wyraz
Date: Mon, 16 Dec 2019 18:47:21 +0100
Subject: [PATCH] Don't raise rate limit exception on hit(), only on check()

---
 core/admin/mailu/limiter.py | 3 +--
 docs/configuration.rst | 10 ++++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py
index 3fe4d94b..5a1b10fc 100644
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@@ -33,5 +33,4 @@ class Limiter:
 # disable limits for internal requests (e.g. from webmail)?
 if rate_limit_subnet==False and ipaddress.ip_address(clientip) in self.subnet:
 return
- if not self.limiter.hit(self.rate,"client-ip",clientip):
- raise RateLimitExceeded()
+ self.limiter.hit(self.rate,"client-ip",clientip)
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 386fa41c..cda6becb 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
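Review bot: The new `self.limiter.hit(self.rate,"client-ip",clientip)` discards the return value, so this method can no longer reject anything on its own; rejection now has to come from the separate `check()` named in the commit title, which is not in this hunk, and any caller that still relied on `hit()` raising `RateLimitExceeded` silently loses its rate limit. The enclosing method's `def` line and the `check()` it depends on both lie outside the hunk, so confirm that every IMAP/POP/SMTP auth path calls `check()` before authenticating and `hit()` only after a failure, as the updated docs now promise. Note also that a separate check-then-hit sequence is not atomic: concurrent attempts that all pass `check()` can overshoot the limit by the number of in-flight requests, which is usually acceptable for brute-force throttling but should be stated. A comment on the new line would make the contract explicit: `# Record the attempt only; enforcement happens in check(), which callers must invoke before authenticating.`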
@@ -38,8 +38,14 @@ recommended to setup a generic value and later configure a mail alias for that address. The ``AUTH_RATELIMIT`` holds a security setting for fighting attackers that -try to guess user passwords. The value is the limit of requests that a single -IP address can perform against IMAP, POP and SMTP authentication endpoints. +try to guess user passwords. The value is the limit of failed authentication attempts +that a single IP address can perform against IMAP, POP and SMTP authentication endpoints. + +If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (which is the default), the ``AUTH_RATELIMIT`` +rules does also apply to auth requests coming from ``SUBNET``, especially for the webmail. +If you disable this, ensure that the rate limit on the webmail is enforced in a different +way (e.g. roundcube plug-in), otherwise an attacker can simply bypass the limit using webmail. + The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.