Merge #2738

2738: Make ratelimit exemptions less generous r=mergify[bot] a=nextgens ## What type of PR? enhancement ## What does this PR do? Make ratelimit exemptions less generous, as discussed on #mailu-dev ### Related issue(s) ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2024-12-12 10:45:38 +02:00 · 2023-04-04 12:17:27 +00:00 · 2023-04-04 12:17:27 +00:00 · d66ddb0f3e
commit d66ddb0f3e
parent b68e132369 94ef62a884
1 changed files with 6 additions and 3 deletions
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@ -13,14 +13,15 @@ def nginx_authentication():
    """
    client_ip = flask.request.headers["Client-Ip"]
    headers = flask.request.headers
-    if headers["Auth-Port"] == '25' and headers['Auth-Method'] != 'none':
+    is_port_25 = headers["Auth-Port"] == '25'
+    if is_port_25 and headers['Auth-Method'] != 'none':
        response = flask.Response()
        response.headers['Auth-Status'] = 'AUTH not supported'
        response.headers['Auth-Error-Code'] = '502 5.5.1'
        utils.limiter.rate_limit_ip(client_ip)
        return response
    is_from_webmail = headers['Auth-Port'] in ['10143', '10025']
-    if not is_from_webmail and utils.limiter.should_rate_limit_ip(client_ip):
+    if not is_from_webmail and not is_port_25 and utils.limiter.should_rate_limit_ip(client_ip):
        status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
        response = flask.Response()
        response.headers['Auth-Status'] = status
@ -46,7 +47,9 @@ def nginx_authentication():
            return response
        is_valid_user = True
    if headers.get("Auth-Status") == "OK":
-        utils.limiter.exempt_ip_from_ratelimits(client_ip)
+        # successful email delivery isn't enough to warrant an exemption
+        if not is_port_25:
+            utils.limiter.exempt_ip_from_ratelimits(client_ip)
    elif is_valid_user:
        utils.limiter.rate_limit_user(username, client_ip, password=response.headers.get('Auth-Password', None))
    elif not is_from_webmail: