2738: Make ratelimit exemptions less generous r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Make ratelimit exemptions less generous, as discussed on #mailu-dev

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
bors[bot] 2023-04-04 12:17:27 +00:00 committed by GitHub
commit d66ddb0f3e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -13,14 +13,15 @@ def nginx_authentication():
""" """
client_ip = flask.request.headers["Client-Ip"] client_ip = flask.request.headers["Client-Ip"]
headers = flask.request.headers headers = flask.request.headers
if headers["Auth-Port"] == '25' and headers['Auth-Method'] != 'none': is_port_25 = headers["Auth-Port"] == '25'
if is_port_25 and headers['Auth-Method'] != 'none':
response = flask.Response() response = flask.Response()
response.headers['Auth-Status'] = 'AUTH not supported' response.headers['Auth-Status'] = 'AUTH not supported'
response.headers['Auth-Error-Code'] = '502 5.5.1' response.headers['Auth-Error-Code'] = '502 5.5.1'
utils.limiter.rate_limit_ip(client_ip) utils.limiter.rate_limit_ip(client_ip)
return response return response
is_from_webmail = headers['Auth-Port'] in ['10143', '10025'] is_from_webmail = headers['Auth-Port'] in ['10143', '10025']
if not is_from_webmail and utils.limiter.should_rate_limit_ip(client_ip): if not is_from_webmail and not is_port_25 and utils.limiter.should_rate_limit_ip(client_ip):
status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit') status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
response = flask.Response() response = flask.Response()
response.headers['Auth-Status'] = status response.headers['Auth-Status'] = status
@ -46,6 +47,8 @@ def nginx_authentication():
return response return response
is_valid_user = True is_valid_user = True
if headers.get("Auth-Status") == "OK": if headers.get("Auth-Status") == "OK":
# successful email delivery isn't enough to warrant an exemption
if not is_port_25:
utils.limiter.exempt_ip_from_ratelimits(client_ip) utils.limiter.exempt_ip_from_ratelimits(client_ip)
elif is_valid_user: elif is_valid_user:
utils.limiter.rate_limit_user(username, client_ip, password=response.headers.get('Auth-Password', None)) utils.limiter.rate_limit_user(username, client_ip, password=response.headers.get('Auth-Password', None))