Don't raise rate limit exception on hit(), only on check()

core/admin/mailu/limiter.py

@@ -33,5 +33,4 @@ class Limiter:
         # disable limits for internal requests (e.g. from webmail)?
         if rate_limit_subnet==False and ipaddress.ip_address(clientip) in self.subnet:
             return
-        if not self.limiter.hit(self.rate,"client-ip",clientip):
+        self.limiter.hit(self.rate,"client-ip",clientip)
-            raise RateLimitExceeded()

docs/configuration.rst

@@ -38,8 +38,14 @@ recommended to setup a generic value and later configure a mail alias for that
 address.
 
 The ``AUTH_RATELIMIT`` holds a security setting for fighting attackers that
-try to guess user passwords. The value is the limit of requests that a single
+try to guess user passwords. The value is the limit of failed authentication attempts
-IP address can perform against IMAP, POP and SMTP authentication endpoints.
+that a single IP address can perform against IMAP, POP and SMTP authentication endpoints.
+
+If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (which is the default), the ``AUTH_RATELIMIT``
+rules does also apply to auth requests coming from ``SUBNET``, especially for the webmail.
+If you disable this, ensure that the rate limit on the webmail is enforced in a different
+way (e.g. roundcube plug-in), otherwise an attacker can simply bypass the limit using webmail.
+
 
 The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
 ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.