Merge branch 'ratelimits' of https://github.com/nextgens/Mailu into ratelimits

master
Florent Daigniere 3 years ago
commit c674f1567a

@ -94,6 +94,7 @@ def handle_authentication(headers):
try: try:
user_email = raw_user_email.encode("iso8859-1").decode("utf8") user_email = raw_user_email.encode("iso8859-1").decode("utf8")
password = raw_password.encode("iso8859-1").decode("utf8") password = raw_password.encode("iso8859-1").decode("utf8")
ip = urllib.parse.unquote(headers["Client-Ip"])
except: except:
app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}') app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')
else: else:

@ -29,9 +29,14 @@ POSTMASTER={{ postmaster }}
# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt) # Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
TLS_FLAVOR={{ tls_flavor }} TLS_FLAVOR={{ tls_flavor }}
# Authentication rate limit (per /24 on ipv4 and /56 on ipv6) # Authentication rate limit per IP (per /24 on ipv4 and /56 on ipv6)
{% if auth_ratelimit_pm > '0' %} {% if auth_ratelimit_ip > '0' %}
AUTH_RATELIMIT={{ auth_ratelimit_pm }}/minute AUTH_RATELIMIT_IP={{ auth_ratelimit_ip }}/hour
{% endif %}
# Authentication rate limit per user (regardless of the source-IP)
{% if auth_ratelimit_user > '0' %}
AUTH_RATELIMIT_USER={{ auth_ratelimit_user }}/day
{% endif %} {% endif %}
# Opt-out of statistics, replace with "True" to opt out # Opt-out of statistics, replace with "True" to opt out
@ -150,9 +155,8 @@ DOMAIN_REGISTRATION=true
# Docker-compose project name, this will prepended to containers names. # Docker-compose project name, this will prepended to containers names.
COMPOSE_PROJECT_NAME={{ compose_project_name or 'mailu' }} COMPOSE_PROJECT_NAME={{ compose_project_name or 'mailu' }}
# Default password scheme used for newly created accounts and changed passwords # Number of rounds used by the password hashing scheme
# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT) CREDENTIAL_ROUNDS=12
PASSWORD_SCHEME={{ password_scheme or 'PBKDF2' }}
# Header to take the real ip from # Header to take the real ip from
REAL_IP_HEADER={{ real_ip_header }} REAL_IP_HEADER={{ real_ip_header }}

@ -48,10 +48,18 @@ Or in plain english: if receivers start to classify your mail as spam, this post
</div> </div>
<div class="form-group"> <div class="form-group">
<label>Authentication rate limit (per source IP address)</label> <label>Authentication rate limit per IP for failed login attempts or non-existing accounts</label>
<!-- Validates number input only --> <!-- Validates number input only -->
<p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_pm" <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_ip"
value="10000" required > / minute value="60" required > / hour
</p>
</div>
<div class="form-group">
<label>Authentication rate limit per user</label>
<!-- Validates number input only -->
<p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_user"
value="100" required > / day
</p> </p>
</div> </div>

Loading…
Cancel
Save