From f3c93212c6555432f4ae8e1f33489a41bb9f6e20 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sun, 31 Oct 2021 19:41:12 +0100 Subject: [PATCH] The Rate-limiter should run after the deny --- core/admin/mailu/internal/nginx.py | 6 ------ core/admin/mailu/internal/views/auth.py | 7 +++++++ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py index 04d6d94e..027db935 100644 --- a/core/admin/mailu/internal/nginx.py +++ b/core/admin/mailu/internal/nginx.py @@ -78,12 +78,6 @@ def handle_authentication(headers): # Authenticated user elif method == "plain": is_valid_user = False - if headers["Auth-Port"] == '25': - return { - "Auth-Status": "AUTH not supported", - "Auth-Error-Code": "502 5.5.1", - "Auth-Wait": 0 - } # According to RFC2616 section 3.7.1 and PEP 3333, HTTP headers should # be ASCII and are generally considered ISO8859-1. However when passing # the password, nginx does not transcode the input UTF string, thus diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py index 1afb53b5..344be78b 100644 --- a/core/admin/mailu/internal/views/auth.py +++ b/core/admin/mailu/internal/views/auth.py @@ -11,6 +11,13 @@ def nginx_authentication(): """ Main authentication endpoint for Nginx email server """ client_ip = flask.request.headers["Client-Ip"] + headers = flask.request.headers + if headers["Auth-Port"] == '25' and headers['Auth-Method'] == 'plain': + response = flask.Response() + response.headers['Auth-Status'] = 'AUTH not supported' + response.headers['Auth-Error-Code'] = '502 5.5.1' + utils.limiter.rate_limit_ip(client_ip) + return response if utils.limiter.should_rate_limit_ip(client_ip): status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit') response = flask.Response()