From 1438253a069da3b10831ef89dc119177f16f5216 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 8 Aug 2021 09:21:14 +0200
Subject: [PATCH 1/8] Ratelimit outgoing emails per user

---
 core/admin/mailu/configuration.py            |  1 +
 core/admin/mailu/internal/views/postfix.py   | 10 ++++++++--
 core/admin/mailu/models.py                   |  8 +++++++-
 core/admin/mailu/ui/templates/user/list.html |  5 ++++-
 core/postfix/conf/main.cf                    |  1 +
 core/postfix/start.py                        |  3 ++-
 setup/flavors/compose/mailu.env              |  5 +++++
 setup/templates/steps/config.html            |  7 +++++++
 towncrier/newsfragments/1031.feature         |  1 +
 9 files changed, 36 insertions(+), 5 deletions(-)
 create mode 100644 towncrier/newsfragments/1031.feature

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index d2d34d88..50733d52 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -46,6 +46,7 @@ DEFAULT_CONFIG = {
     'DKIM_SELECTOR': 'dkim',
     'DKIM_PATH': '/dkim/{domain}.{selector}.key',
     'DEFAULT_QUOTA': 1000000000,
+    'MESSAGE_RATELIMIT': '100/hour',
     # Web settings
     'SITENAME': 'Mailu',
     'WEBSITE': 'https://mailu.io',
diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index c358c37f..06918c61 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -1,5 +1,6 @@
-from mailu import models
+from mailu import models, utils
 from mailu.internal import internal
+from flask import current_app as app
 
 import flask
 import idna
@@ -31,7 +32,6 @@ def postfix_alias_map(alias):
     destination = models.Email.resolve_destination(localpart, domain_name)
     return flask.jsonify(",".join(destination)) if destination else flask.abort(404)
 
-
 @internal.route("/postfix/transport/<path:email>")
 def postfix_transport(email):
     if email == '*' or re.match("(^|.*@)\[.*\]$", email):
@@ -139,6 +139,12 @@ def postfix_sender_login(sender):
     destination = models.Email.resolve_destination(localpart, domain_name, True)
     return flask.jsonify(",".join(destination)) if destination else flask.abort(404)
 
+@internal.route("/postfix/sender/rate/<path:sender>")
+def postfix_sender_rate(sender):
+    """ Rate limit outbound emails per sender login
+    """
+    user = models.User.get(sender) or flask.abort(404)
+    return flask.abort(404) if user.sender_limiter.hit() else flask.jsonify("REJECT")
 
 @internal.route("/postfix/sender/access/<path:sender>")
 def postfix_sender_access(sender):
diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 3a299786..5760c27f 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -27,7 +27,7 @@ from sqlalchemy.ext.hybrid import hybrid_property
 from sqlalchemy.inspection import inspect
 from werkzeug.utils import cached_property
 
-from mailu import dkim
+from mailu import dkim, utils
 
 
 db = flask_sqlalchemy.SQLAlchemy()
@@ -501,6 +501,12 @@ class User(Base, Email):
             self.reply_enddate > now
         )
 
+    @property
+    def sender_limiter(self):
+        return utils.limiter.get_limiter(
+            app.config["MESSAGE_RATELIMIT"], "sender", self.email
+        )
+
     @classmethod
     def get_password_context(cls):
         """ create password context for hashing and verification
diff --git a/core/admin/mailu/ui/templates/user/list.html b/core/admin/mailu/ui/templates/user/list.html
index 2aff662f..746afd45 100644
--- a/core/admin/mailu/ui/templates/user/list.html
+++ b/core/admin/mailu/ui/templates/user/list.html
@@ -19,7 +19,8 @@
   <th>{% trans %}User settings{% endtrans %}</th>
   <th>{% trans %}Email{% endtrans %}</th>
   <th>{% trans %}Features{% endtrans %}</th>
-  <th>{% trans %}Quota{% endtrans %}</th>
+  <th>{% trans %}Storage Quota{% endtrans %}</th>
+  <th>{% trans %}Sending Quota{% endtrans %}</th>
   <th>{% trans %}Comment{% endtrans %}</th>
   <th>{% trans %}Created{% endtrans %}</th>
   <th>{% trans %}Last edit{% endtrans %}</th>
@@ -41,6 +42,8 @@
     {% if user.enable_pop %}<span class="label label-info">pop3</span>{% endif %}
   </td>
   <td>{{ user.quota_bytes_used | filesizeformat }} / {{ (user.quota_bytes | filesizeformat) if user.quota_bytes else '∞' }}</td>
+  {% set limiter = user.sender_limiter %}
+  <td>{{ limiter.get_window_stats()[1] }} / {{ limiter.limit }}</td>
   <td>{{ user.comment or '-' }}</td>
   <td>{{ user.created_at }}</td>
   <td>{{ user.updated_at or '' }}</td>
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 8f35f609..6f5a20b8 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -100,6 +100,7 @@ smtpd_sender_login_maps = ${podop}senderlogin
 smtpd_helo_required = yes
 
 smtpd_client_restrictions =
+  check_sasl_access ${podop}senderrate,
   permit_mynetworks,
   check_sender_access ${podop}senderaccess,
   reject_non_fqdn_sender,
diff --git a/core/postfix/start.py b/core/postfix/start.py
index e0c781b7..139616b2 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -25,7 +25,8 @@ def start_podop():
         ("recipientmap", "url", url + "recipient/map/§"),
         ("sendermap", "url", url + "sender/map/§"),
         ("senderaccess", "url", url + "sender/access/§"),
-        ("senderlogin", "url", url + "sender/login/§")
+        ("senderlogin", "url", url + "sender/login/§"),
+        ("senderrate", "url", url + "sender/rate/§")
     ])
 
 def is_valid_postconf_line(line):
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index d45f5517..52f4ee04 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -62,6 +62,11 @@ ANTIVIRUS={{ antivirus_enabled or 'none' }}
 # Max attachment size will be 33% smaller
 MESSAGE_SIZE_LIMIT={{ message_size_limit or '50000000' }}
 
+# Message rate limit (per user)
+{% if message_ratelimit_pd > '0' %}
+MESSAGE_RATELIMIT={{ message_ratelimit_pd }}/day
+{% endif %}
+
 # Networks granted relay permissions
 # Use this with care, all hosts in this networks will be able to send mail without authentication!
 RELAYNETS=
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index 72b83915..87410fca 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -55,6 +55,13 @@ Or in plain english: if receivers start to classify your mail as spam, this post
   </p>
 </div>
 
+<div class="form-group">
+  <label>Outgoing message rate limit (per user)</label>
+  <!--   Validates number input only -->
+  <p><input class="form-control" style="width: 7%; display: inline;" type="number" name="message_ratelimit_pd" value="100" required > / day
+  </p>
+</div>
+
 <div class="form-check form-check-inline">
   <label class="form-check-label">
     <input class="form-check-input" type="checkbox" name="disable_statistics" value="True">
diff --git a/towncrier/newsfragments/1031.feature b/towncrier/newsfragments/1031.feature
new file mode 100644
index 00000000..5f369262
--- /dev/null
+++ b/towncrier/newsfragments/1031.feature
@@ -0,0 +1 @@
+Add sending quotas per user

From d6ce5d0c068566f86e5a061ce4819e9cd9e71246 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 8 Aug 2021 20:21:24 +0200
Subject: [PATCH 2/8] Remove a warning: limits don't apply to trusted hosts

---
 core/postfix/conf/main.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 6f5a20b8..428502ac 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -100,8 +100,8 @@ smtpd_sender_login_maps = ${podop}senderlogin
 smtpd_helo_required = yes
 
 smtpd_client_restrictions =
-  check_sasl_access ${podop}senderrate,
   permit_mynetworks,
+  check_sasl_access ${podop}senderrate,
   check_sender_access ${podop}senderaccess,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,

From 6d244222dae55c83f77b3938df911a9b7ded2546 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 09:28:19 +0200
Subject: [PATCH 3/8] better error message

---
 core/admin/mailu/internal/views/postfix.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index 06918c61..811dd4c0 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -144,7 +144,7 @@ def postfix_sender_rate(sender):
     """ Rate limit outbound emails per sender login
     """
     user = models.User.get(sender) or flask.abort(404)
-    return flask.abort(404) if user.sender_limiter.hit() else flask.jsonify("REJECT")
+    return flask.abort(404) if user.sender_limiter.hit() else flask.jsonify("450 4.2.1 You are sending too many emails too fast.")
 
 @internal.route("/postfix/sender/access/<path:sender>")
 def postfix_sender_access(sender):

From 1101e401e80be9f2a62c85d490a308680a2e009c Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 9 Aug 2021 14:58:58 +0200
Subject: [PATCH 4/8] Apply the restriction on the right port

---
 core/postfix/conf/main.cf   | 3 ++-
 core/postfix/conf/master.cf | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 428502ac..0c442fb3 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -99,9 +99,10 @@ smtpd_sender_login_maps = ${podop}senderlogin
 # Restrictions for incoming SMTP, other restrictions are applied in master.cf
 smtpd_helo_required = yes
 
+check_ratelimit = check_sasl_access ${podop}senderrate
+
 smtpd_client_restrictions =
   permit_mynetworks,
-  check_sasl_access ${podop}senderrate,
   check_sender_access ${podop}senderaccess,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
diff --git a/core/postfix/conf/master.cf b/core/postfix/conf/master.cf
index e45a8ccf..eca0ad77 100644
--- a/core/postfix/conf/master.cf
+++ b/core/postfix/conf/master.cf
@@ -7,7 +7,7 @@ smtp      inet  n       -       n       -       -       smtpd
 # Internal SMTP service
 10025     inet  n       -       n       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
-  -o smtpd_client_restrictions=reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
+  -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
   -o smtpd_reject_unlisted_recipient={% if REJECT_UNLISTED_RECIPIENT %}{{ REJECT_UNLISTED_RECIPIENT }}{% else %}no{% endif %}
   -o cleanup_service_name=outclean
 outclean  unix n       -       n       -       0       cleanup

From 772e5efb7d16c2f5519cf38ddef35a7f8644fd3f Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 11 Aug 2021 22:47:29 +0200
Subject: [PATCH 5/8] Disable pipelining to prevent bypass

---
 core/postfix/conf/master.cf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/postfix/conf/master.cf b/core/postfix/conf/master.cf
index eca0ad77..15613476 100644
--- a/core/postfix/conf/master.cf
+++ b/core/postfix/conf/master.cf
@@ -7,6 +7,7 @@ smtp      inet  n       -       n       -       -       smtpd
 # Internal SMTP service
 10025     inet  n       -       n       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
+  -o smtpd_discard_ehlo_keywords=pipelining
   -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
   -o smtpd_reject_unlisted_recipient={% if REJECT_UNLISTED_RECIPIENT %}{{ REJECT_UNLISTED_RECIPIENT }}{% else %}no{% endif %}
   -o cleanup_service_name=outclean

From b7403c850a730a54c5720d7582ee570468a42560 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 18 Aug 2021 14:56:12 +0000
Subject: [PATCH 6/8] Document the new setting in webadministration.rst.

---
 docs/webadministration.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/webadministration.rst b/docs/webadministration.rst
index 86ce41c0..a916cd9d 100644
--- a/docs/webadministration.rst
+++ b/docs/webadministration.rst
@@ -334,7 +334,10 @@ For adding a new user the following options can be configured.
 * Enabled. Tick this checkbox to enable the user account. When an user is disabled, the user is unable to login to the Admin GUI or webmail or access his email via IMAP/POP3 or send mail.
   The email inbox of the user is still retained. This option can be used to temporarily suspend an user account.
 
-* Quota. The maximum quota for the user's email box.
+* Storage Quota. The maximum quota for the user's email box.
+
+* Sending Quota. The sending quota is the limit of messages a single user can send per day. 
+  This is meant to fight outbound spam in case of a compromised or malicious account on the server.
 
 * Allow IMAP access. When ticked, allows email retrieval via the IMAP protocol.
 

From e5972bd9ecdb81c22998a380311add36538caea1 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 18 Aug 2021 15:01:10 +0000
Subject: [PATCH 7/8] Set default message rate limit to 200/day

---
 core/admin/mailu/configuration.py | 2 +-
 setup/templates/steps/config.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 50733d52..c1016949 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -46,7 +46,7 @@ DEFAULT_CONFIG = {
     'DKIM_SELECTOR': 'dkim',
     'DKIM_PATH': '/dkim/{domain}.{selector}.key',
     'DEFAULT_QUOTA': 1000000000,
-    'MESSAGE_RATELIMIT': '100/hour',
+    'MESSAGE_RATELIMIT': '200/day',
     # Web settings
     'SITENAME': 'Mailu',
     'WEBSITE': 'https://mailu.io',
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index 87410fca..f532f757 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -58,7 +58,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post
 <div class="form-group">
   <label>Outgoing message rate limit (per user)</label>
   <!--   Validates number input only -->
-  <p><input class="form-control" style="width: 7%; display: inline;" type="number" name="message_ratelimit_pd" value="100" required > / day
+  <p><input class="form-control" style="width: 7%; display: inline;" type="number" name="message_ratelimit_pd" value="200" required > / day
   </p>
 </div>
 

From 4c056db4aac6a304e3d1867fbb0f374ad3eaeea3 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 18 Aug 2021 18:53:50 +0000
Subject: [PATCH 8/8] Added documentation for all user statuses.

---
 docs/webadministration.rst | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/docs/webadministration.rst b/docs/webadministration.rst
index a916cd9d..03b07ba2 100644
--- a/docs/webadministration.rst
+++ b/docs/webadministration.rst
@@ -315,6 +315,21 @@ This page is also accessible for domain managers. On the users page new users ca
 
 * Fetched accounts. Access the fetched accounts page of the user. See the :ref:`fetched accounts page <webadministration_fetched_accounts>` for more information.
 
+This page also shows an overview of the following settings of an user:
+
+* Email. The email address of the user.
+
+* Features. Shows if IMAP or POP3 access is enabled.
+
+* Storage quota. Shows how much assigned storage has been consumed.
+
+* Sending Quota. The sending quota is the limit of messages a single user can send per day. 
+
+* Comment. A desription for the user. 
+
+* Created. Date when the user was created.
+
+* Last edit. Last date when the user was modified. 
 
 .. _webadministration_add_user:
 
@@ -336,9 +351,6 @@ For adding a new user the following options can be configured.
 
 * Storage Quota. The maximum quota for the user's email box.
 
-* Sending Quota. The sending quota is the limit of messages a single user can send per day. 
-  This is meant to fight outbound spam in case of a compromised or malicious account on the server.
-
 * Allow IMAP access. When ticked, allows email retrieval via the IMAP protocol.
 
 * Allow POP3 access. When ticked, allows email retrieval via the POP3 protocol.