Fix 2125

Make the caller responsible to know whether the rate-limit code should
be called or not

core/admin/mailu/internal/views/auth.py

@@ -31,6 +31,7 @@ def nginx_authentication():
     for key, value in headers.items():
         response.headers[key] = str(value)
     is_valid_user = False
+    is_from_webmail = headers['Auth-Port'] in ['10143', '10025']
     if response.headers.get("Auth-User-Exists"):
         username = response.headers["Auth-User"]
         if utils.limiter.should_rate_limit_user(username, client_ip):
@@ -47,7 +48,7 @@ def nginx_authentication():
         utils.limiter.exempt_ip_from_ratelimits(client_ip)
     elif is_valid_user:
         utils.limiter.rate_limit_user(username, client_ip)
-    else:
+    elif not is_from_webmail:
         utils.limiter.rate_limit_ip(client_ip)
     return response
 

core/admin/mailu/limiter.py

@@ -53,11 +53,10 @@ class LimitWraperFactory(object):
         return is_rate_limited
 
     def rate_limit_ip(self, ip):
-        if ip != app.config['WEBMAIL_ADDRESS']:
-            limiter = self.get_limiter(app.config["AUTH_RATELIMIT_IP"], 'auth-ip')
-            client_network = utils.extract_network_from_ip(ip)
-            if self.is_subject_to_rate_limits(ip):
-                limiter.hit(client_network)
+        limiter = self.get_limiter(app.config["AUTH_RATELIMIT_IP"], 'auth-ip')
+        client_network = utils.extract_network_from_ip(ip)
+        if self.is_subject_to_rate_limits(ip):
+            limiter.hit(client_network)
 
     def should_rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None):
         limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')