Merge branch 'ratelimits' of https://github.com/nextgens/Mailu into ratelimits

2024-12-14 10:53:30 +02:00 · 2021-10-16 09:55:15 +02:00 · 2021-10-16 09:55:15 +02:00 · c674f1567a
commit c674f1567a
parent 8414dd5cf0 7277e0b4e4
3 changed files with 22 additions and 9 deletions
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@ -94,6 +94,7 @@ def handle_authentication(headers):
        try:
            user_email = raw_user_email.encode("iso8859-1").decode("utf8")
            password = raw_password.encode("iso8859-1").decode("utf8")
+            ip = urllib.parse.unquote(headers["Client-Ip"])
        except:
            app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')
        else:
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@ -29,9 +29,14 @@ POSTMASTER={{ postmaster }}
 # Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
 TLS_FLAVOR={{ tls_flavor }}

-# Authentication rate limit (per /24 on ipv4 and /56 on ipv6)
-{% if auth_ratelimit_pm > '0' %}
-AUTH_RATELIMIT={{ auth_ratelimit_pm }}/minute
+# Authentication rate limit per IP (per /24 on ipv4 and /56 on ipv6)
+{% if auth_ratelimit_ip > '0' %}
+AUTH_RATELIMIT_IP={{ auth_ratelimit_ip }}/hour
+{% endif %}
+
+# Authentication rate limit per user (regardless of the source-IP)
+{% if auth_ratelimit_user > '0' %}
+AUTH_RATELIMIT_USER={{ auth_ratelimit_user }}/day
 {% endif %}

 # Opt-out of statistics, replace with "True" to opt out
@ -150,9 +155,8 @@ DOMAIN_REGISTRATION=true
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME={{ compose_project_name or 'mailu' }}

-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME={{ password_scheme or 'PBKDF2' }}
+# Number of rounds used by the password hashing scheme
+CREDENTIAL_ROUNDS=12

 # Header to take the real ip from
 REAL_IP_HEADER={{ real_ip_header }}
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@ -48,10 +48,18 @@ Or in plain english: if receivers start to classify your mail as spam, this post
 </div>

 <div class="form-group">
-  <label>Authentication rate limit (per source IP address)</label>
+  <label>Authentication rate limit per IP for failed login attempts or non-existing accounts</label>
  <!--   Validates number input only -->
-  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_pm"
-  		value="10000" required > / minute
+  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_ip"
+  		value="60" required > / hour
+  </p>
+</div>
+
+<div class="form-group">
+  <label>Authentication rate limit per user</label>
+  <!--   Validates number input only -->
+  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_user"
+  		value="100" required > / day
  </p>
 </div>