From a7f787f91462b2fc12839b00bd22b680553ec9f2 Mon Sep 17 00:00:00 2001
From: Michael Wyraz
Date: Mon, 16 Dec 2019 18:46:17 +0100
Subject: [PATCH] Make rate limit for subnet (webmail) configurable
---
 core/admin/mailu/configuration.py | 1 +
 core/admin/mailu/limiter.py | 16 ++++++++--------
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index c7c695f1..7dcd7c3a 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -32,6 +32,7 @@ DEFAULT_CONFIG = {
 'POSTMASTER': 'postmaster',
 'TLS_FLAVOR': 'cert',
 'AUTH_RATELIMIT': '10/minute;1000/hour',
+ 'AUTH_RATELIMIT_SUBNET': True,
 'DISABLE_STATISTICS': False,
 # Mail settings
 'DMARC_RUA': None,
diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py
index fd0b138b..3fe4d94b 100644
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@@ -13,25 +13,25 @@ class Limiter:
 self.limiter = None
 self.rate = None
 self.subnet = None
+ self.rate_limit_subnet = True
 def init_app(self, app):
 self.storage = limits.storage.storage_from_string(app.config["RATELIMIT_STORAGE_URL"])
 self.limiter = limits.strategies.MovingWindowRateLimiter(self.storage)
 self.rate = limits.parse(app.config["AUTH_RATELIMIT"])
+ self.rate_limit_subnet = str(app.config["AUTH_RATELIMIT_SUBNET"])!='False'
 self.subnet = ipaddress.ip_network(app.config["SUBNET"])
 def check(self,clientip):
- # TODO: activate this code if we have limits at webmail level
- #if ipaddress.ip_address(clientip) in self.subnet:
- # # no limits for internal requests (e.g. from webmail)
- # return
+ # disable limits for internal requests (e.g. from webmail)?
+ if rate_limit_subnet==False and ipaddress.ip_address(clientip) in self.subnet:
+ return
 if not self.limiter.test(self.rate,"client-ip",clientip):
 raise RateLimitExceeded()
 def hit(self,clientip):
- # TODO: activate this code if we have limits at webmail level
- #if ipaddress.ip_address(clientip) in self.subnet:
- # # no limits for internal requests (e.g. from webmail)
- # return
+ # disable limits for internal requests (e.g. from webmail)?
+ if rate_limit_subnet==False and ipaddress.ip_address(clientip) in self.subnet:
+ return
 if not self.limiter.hit(self.rate,"client-ip",clientip):
 raise RateLimitExceeded()
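Review bot: The new guard in both `check` and `hit` reads the bare name `rate_limit_subnet` instead of the attribute assigned in `init_app`, so every call would raise NameError before the limiter is consulted; both lines should read `if not self.rate_limit_subnet and ipaddress.ip_address(clientip) in self.subnet:`. In `init_app`, `str(app.config["AUTH_RATELIMIT_SUBNET"])!='False'` turns the limit off only for the exact text `False`, so a value such as `false` or `0` would silently leave it on unless the config loader normalises booleans, which is not visible in this patch. The replacement comment ends in a question mark and does not say what the exemption costs; something like `# AUTH_RATELIMIT_SUBNET=False: hosts inside SUBNET (e.g. webmail) bypass the auth rate limit, so they must enforce their own` would tell an operator that authentication attempts from that network are then unthrottled. The class header and `__init__` start outside the hunk.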