lub
/
mailu
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2,978 Commits
3 Branches
0 Tags
7.4 MiB
Python 65.2%
HTML 18.6%
Shell 7.8%
Dockerfile 3.4%
JavaScript 1.8%
Other 3%
 
 
 
 
 
 
main
dynamic-resolution
master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a1192d8039'
${ noResults }
Go to file
bors[bot] a1192d8039
Merge #1987 
1987: Enhancement to the rate limits r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Turn the rate-limiters into something useful (that won't fire for no reason).

- fix rate-limiting on /webdav/
- it changes the rate-limiting behaviour from limiting a single IP address to a subnet of a reasonable size (/24 on v4 and /56 on v6 both are now configurable) : AUTH_RATELIMIT_IP / AUTH_RATELIMIT_IP_V4_MASK / AUTH_RATELIMIT_IP_V6_MASK
- It ensures we only use IP-based rate-limits for attempts on accounts that do not exist
- it creates a new rate limit preventing attackers from targetting a specific user account (separate from what's above) : AUTH_RATELIMIT_USER
- it introduces a rate limiting exemption mechanism whereby, upon authentication, users will see their source-ip address being exempt for a specific amount of time AUTH_RATELIMIT_EXEMPTION_LENGTH. A similar mechanism is available for web-based sessions (see below)
- It introduces in AUTH_RATELIMIT_EXEMPTION a comma separated list of network CIDRs that will be exempt from both types of rate limiting
- it implements device-tokens, as described on https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies to ensure that genuine users aren't locked-out by a malicious attacker abusing the rate-limit feature.

Things that could be improved include:
- the IP-based rate limiter flags attempts against "non-existing" accounts: it could go further and flag the number of unique non-existing accounts attempted (to prevent the case of a user making a typo in his MUA configuration)
- the IP address exemption mechanism doesn't pin the exemption to a specific username: any real user can trivially bypass the rate limits (and attempt to brute-force someone else's account)

### Related issue(s)
- close #1926
- close #1745 
- close #1915


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
 		3 years ago
.github Give docker containers in each test one more minute for starting. 3 years ago
core Merge #1987 3 years ago
docs Introduce AUTH_RATELIMIT_EXEMPTION 3 years ago
optional not required anymore 3 years ago
setup this should be changed too 3 years ago
tests Remove PASSWORD_SCHEME from test envs 3 years ago
towncrier Merge remote-tracking branch 'upstream/master' into ratelimits 3 years ago
webmails remove health check from log 3 years ago
.gitignore use different alpine image for arm, add config for php images+arm 5 years ago
.mergify.yml Update list of trusted authors. 3 years ago
AUTHORS.md Improve changelog and release texts for 1.8 4 years ago
CHANGELOG.md enhanced security changelog entry and added recommendation to recreate secret_key 3 years ago
CODE_OF_CONDUCT.md Add a code of conduct, fixes #319 7 years ago
CONTRIBUTING.md Update "the development guidelines" hyperlink 5 years ago
ISSUE_TEMPLATE.md Remove <> tags as they break markdown rendering 4 years ago
LICENSE.md Rename the freeposte/mailu directory and database 8 years ago
PULL_REQUEST_TEMPLATE.md fix spelling 3 years ago
README.md Cosmetic change 3 years ago
bors.toml Switch to github actions for CI/CD 3 years ago
pyproject.toml Fix the package setting 5 years ago

README.md

Mailu

Mailu is a simple yet full-featured mail server as a set of Docker images. It is free software (both as in free beer and as in free speech), open to suggestions and external contributions. The project aims at providing people with an easily setup, easily maintained and full-featured mail server while not shipping proprietary software nor unrelated features often found in popular groupware.

Most of the documentation is available on our Website, you can also try our demo server before setting up your own, and come talk to us on Matrix.

Features

Main features include:

  • Standard email server, IMAP and IMAP+, SMTP and Submission
  • Advanced email features, aliases, domain aliases, custom routing
  • Web access, multiple Webmails and administration interface
  • User features, aliases, auto-reply, auto-forward, fetched accounts
  • Admin features, global admins, announcements, per-domain delegation, quotas
  • Security, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner
  • Antispam, auto-learn, greylisting, DMARC and SPF
  • Freedom, all FOSS components, no tracker included

Domains

Contributing

Mailu is free software, open to suggestions and contributions. All components are free software and compatible with the MIT license. All specific configuration files, Dockerfiles and code are placed under the MIT license.