diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 37f84b7c..6a3641fe 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -40,6 +40,7 @@ DEFAULT_CONFIG = {
     'AUTH_RATELIMIT_IP_V4_MASK': 24,
     'AUTH_RATELIMIT_IP_V6_MASK': 56,
     'AUTH_RATELIMIT_USER': '100/day',
+    'AUTH_RATELIMIT_EXEMPTION': '',
     'AUTH_RATELIMIT_EXEMPTION_LENGTH': 86400,
     'DISABLE_STATISTICS': False,
     # Mail settings
diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py
index 88319012..ddaa07b3 100644
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@@ -39,7 +39,7 @@ class LimitWraperFactory(object):
         return LimitWrapper(self.limiter, limits.parse(limit), *args)
 
     def is_subject_to_rate_limits(self, ip):
-        return not (self.storage.get(f'exempt-{ip}') > 0)
+        return False if utils.is_subject_to_rate_limits(ip) else not (self.storage.get(f'exempt-{ip}') > 0)
 
     def exempt_ip_from_ratelimits(self, ip):
         self.storage.incr(f'exempt-{ip}', app.config["AUTH_RATELIMIT_EXEMPTION_LENGTH"], True)
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index db760280..d2bcc7a3 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -79,6 +79,12 @@ def extract_network_from_ip(ip):
     else:
         return str(n.supernet(prefixlen_diff=(128-int(app.config["AUTH_RATELIMIT_IP_V6_MASK"]))).network_address)
 
+def is_exempt_from_ratelimits(ip):
+    for range in [net.strip() for net in app.config['AUTH_RATELIMIT_EXEMPTION'].split(',')]:
+        if ipaddress.ip_address(ip) in ipaddress.ip_network(ip, False):
+            return False
+    return True
+
 # Application translation
 babel = flask_babel.Babel()
 
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 75f397c7..f5bd9582 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
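Review bot: The new `is_subject_to_rate_limits` line in limiter.py calls `utils.is_subject_to_rate_limits(ip)`, but the function this commit adds to utils.py is named `is_exempt_from_ratelimits`, so every call on the authentication path would raise `AttributeError` (assuming `utils` here is the mailu utils module; its import is outside the hunk). The sense is also inverted relative to the name: the utils function returns `False` when the address is inside a configured CIDR and `True` otherwise, so once the name is corrected, addresses outside the exemption list would be reported as not subject to rate limits and addresses inside it would fall through to the storage check. The limiter line should read `return False if utils.is_exempt_from_ratelimits(ip) else not (self.storage.get(f'exempt-{ip}') > 0)`, with the utils function returning `True` for an exempt address (see the note on the utils.py hunk). Because a defect here disables or crashes the brute-force protection for every login, a unit test covering an exempt and a non-exempt address would be worth adding with the fix.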
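Review bot: In the new `is_exempt_from_ratelimits` in utils.py the loop variable `range` is never used; the membership test builds the network from `ip` itself (`ipaddress.ip_network(ip, False)`), so the address is always "in" its own /32 or /128 and the function returns `False` on the first iteration regardless of `AUTH_RATELIMIT_EXEMPTION`. The loop variable also shadows the `range` builtin, and with the default `''` the split yields `['']`, which would raise `ValueError` from `ip_network` once the variable is actually used, so empty entries need to be skipped. Together with the inverted return values (raised on the limiter.py hunk), the function needs a rewrite along these lines; the address is parsed once outside the loop, and a malformed CIDR in the setting would still raise `ValueError` at call time, which may be worth validating at startup instead.
```python
def is_exempt_from_ratelimits(ip):
    """Return True when ``ip`` lies inside one of the AUTH_RATELIMIT_EXEMPTION CIDRs."""
    address = ipaddress.ip_address(ip)
    for net in app.config['AUTH_RATELIMIT_EXEMPTION'].split(','):
        net = net.strip()
        # skip the empty entry produced by the default '' (and stray commas)
        if net and address in ipaddress.ip_network(net, False):
            return True
    return False
```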
@@ -55,6 +55,10 @@ after a successful login for which a specific IP address is exempted from rate l This ensures that users behind a NAT don't get locked out when a single client is misconfigured... but also potentially allow for users to attack each-other. +The ``AUTH_RATELIMIT_EXEMPTION`` (default: '') is a comma separated list of network +CIDRs that won't be subject to any form of rate limiting. Specifying ``0.0.0.0/0, ::/0`` +there is a good way to disable rate limiting altogether. + The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.