From 040dd82d3e87648774eaac2c32ff6cfc90147c32 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 4 Apr 2023 11:30:59 +0200
Subject: [PATCH 1/3] fix bug
---
 core/admin/mailu/internal/views/auth.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 01d1562f..3764355f 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -46,7 +46,9 @@ def nginx_authentication():
 return response
 is_valid_user = True
 if headers.get("Auth-Status") == "OK":
- utils.limiter.exempt_ip_from_ratelimits(client_ip)
+ # successful email delivery isn't enough to warrant an exemption
+ if headers["Auth-Port"] != '25':
+ utils.limiter.exempt_ip_from_ratelimits(client_ip)
 elif is_valid_user:
 utils.limiter.rate_limit_user(username, client_ip, password=response.headers.get('Auth-Password', None))
 elif not is_from_webmail:
From ab7b82d05b7aea2d53dd8dabc104566a5822ab0c Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 4 Apr 2023 11:33:34 +0200
Subject: [PATCH 2/3] Clarify
---
 core/admin/mailu/internal/views/auth.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 3764355f..af9248b5 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -13,7 +13,8 @@ def nginx_authentication():
 """
 client_ip = flask.request.headers["Client-Ip"]
 headers = flask.request.headers
- if headers["Auth-Port"] == '25' and headers['Auth-Method'] != 'none':
+ is_port_25 = headers["Auth-Port"] == '25'
+ if is_port_25 and headers['Auth-Method'] != 'none':
 response = flask.Response()
 response.headers['Auth-Status'] = 'AUTH not supported'
 response.headers['Auth-Error-Code'] = '502 5.5.1'
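Review bot: The nested `if headers["Auth-Port"] != '25':` in the `@@ -46,7 +46,9 @@` hunk of patch 1/3 has to stay nested, and the comment above it does not say why. If it were folded into the outer `Auth-Status` test, a successful port-25 delivery would fall through to the `elif is_valid_user:` branch, which calls `utils.limiter.rate_limit_user`, and would be booked as a failure. I would extend the comment to `# port 25 delivers mail without credentials, so Auth-Status OK there proves nothing about the client;` followed by `# keep this nested so a port-25 success does not fall through to the elif branches below`. The body of `nginx_authentication` starts and ends outside the hunk.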
@@ -47,7 +48,7 @@ def nginx_authentication():
 is_valid_user = True
 if headers.get("Auth-Status") == "OK":
 # successful email delivery isn't enough to warrant an exemption
- if headers["Auth-Port"] != '25':
+ if not is_port_25:
 utils.limiter.exempt_ip_from_ratelimits(client_ip)
 elif is_valid_user:
 utils.limiter.rate_limit_user(username, client_ip, password=response.headers.get('Auth-Password', None))
From 94ef62a884be16aca5060b082d20001db054bcc5 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 4 Apr 2023 12:47:11 +0200
Subject: [PATCH 3/3] Don't rate-limit port 25, ever.
---
 core/admin/mailu/internal/views/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index af9248b5..a72497c4 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -21,7 +21,7 @@ def nginx_authentication():
 utils.limiter.rate_limit_ip(client_ip)
 return response
 is_from_webmail = headers['Auth-Port'] in ['10143', '10025']
- if not is_from_webmail and utils.limiter.should_rate_limit_ip(client_ip):
+ if not is_from_webmail and not is_port_25 and utils.limiter.should_rate_limit_ip(client_ip):
 status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
 response = flask.Response()
 response.headers['Auth-Status'] = status
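Review bot: Swapping `headers["Auth-Port"] != '25'` for `not is_port_25` in the `@@ -47,7 +48,7 @@` hunk of patch 2/3 may change behaviour, which the subject "Clarify" does not convey. The line above reads `Auth-Status` from `headers`, a field that belongs to the auth result, so `headers` appears to be rebound somewhere between the top of `nginx_authentication` and this point (that code is outside the hunks). If so, the old test compared whatever `Auth-Port` the auth result carries, while `is_port_25` is taken from the incoming request. A comment at the assignment would keep the two from being conflated again: `# taken from the request, before headers is reused for the auth result`.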
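Review bot: Skipping `should_rate_limit_ip` for port 25 in the `@@ -21,7 +21,7 @@` hunk of patch 3/3 is safe only while the branch just above keeps refusing every port-25 request whose `Auth-Method` is not `none`, and the changed line does not record that dependency. I would add `# port 25 never carries credentials (AUTH is refused above), so there is no guessing to throttle here` above the condition. That refusal branch still calls `utils.limiter.rate_limit_ip(client_ip)`, so a port-25 client keeps accruing penalties that now apply only on the other ports; the subject "Don't rate-limit port 25, ever." hides this, and it is worth stating in the same comment. The changed line is also well past 99 columns and would read better wrapped in parentheses, one condition per line; the function continues beyond the hunk.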