Environment & Versions
Environment
docker-compose
kubernetes
docker swarm
Versions
1.7, 1.8 and master
Description
See the logic for handling a login attempt via the admin application: Mailu/core/admin/mailu/ui/views/base.py, line 27 in 3a96bf2. When a logon attempt fails, nothing is logged. The model (models.py) also shows that nothing happens when a logon attempt fails: Mailu/core/admin/mailu/models.py, line 458 in fc1a663.
So we have no rate limiting and no audit trail for failed logon attempts. Someone can try to brute-force the password without consequences.
Replication Steps
1). Log in with an incorrect email or password in the admin application.
2). Check the admin logs. Note that nothing is logged.
Expected behaviour
Failed logon attempts should be logged. It would also be handy if we added some kind of rate limiting for the login. Possibly each subsequent login attempt could be delayed by x seconds? This is a handy measure against brute-force attempts.
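As an added illustration of the two measures requested above (this is example code, not Mailu's own implementation): a failed-logon tracker that logs every failure with source IP and account, and delays the next attempt from the same source for an exponentially growing number of seconds. The logger name, the throttle parameters and the sha256-based user table are constructed for the example; Mailu's real credential scheme differs.

```python
import hashlib
import hmac
import logging
import time
from collections import defaultdict

log = logging.getLogger("mailu.admin.auth")  # logger name is an assumption
# Constructed users: email -> sha256(password). Mailu's real credential scheme differs.
USERS = {"admin@example.com": hashlib.sha256(b"correct horse").hexdigest()}
DUMMY = hashlib.sha256(b"dummy").hexdigest()  # compared against when the account is unknown


class LoginThrottle:
    """Per-client failed-logon tracker enforcing an exponentially growing delay."""
    def __init__(self, base_delay=1.0, max_delay=30.0, window=600.0):
        self.base_delay, self.max_delay, self.window = base_delay, max_delay, window
        self._failures = defaultdict(list)  # key -> timestamps of recent failures

    def retry_after(self, key, now):
        """Seconds the client must still wait; 0.0 when a new attempt is allowed."""
        recent = [t for t in self._failures[key] if now - t < self.window]
        self._failures[key] = recent
        if not recent:
            return 0.0
        delay = min(self.base_delay * 2 ** (len(recent) - 1), self.max_delay)
        return max(0.0, recent[-1] + delay - now)

    def record_failure(self, key, now):
        self._failures[key].append(now)

    def reset(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, email, password, client_ip, now=None):
    """Return 'ok', 'invalid' or 'throttled'; every failure is logged with email and IP."""
    now = time.monotonic() if now is None else now
    key = f"{client_ip}|{email}"  # throttle per source address and target account
    wait = throttle.retry_after(key, now)
    if wait > 0:
        log.warning("login throttled ip=%s email=%s retry_after=%.1fs", client_ip, email, wait)
        return "throttled"
    found = email in USERS
    digest = hashlib.sha256(password.encode()).hexdigest()
    # compare_digest always runs so unknown accounts are not revealed by timing
    if hmac.compare_digest(digest, USERS.get(email, DUMMY)) and found:
        throttle.reset(key)
        log.info("login ok ip=%s email=%s", client_ip, email)
        return "ok"
    throttle.record_failure(key, now)
    log.warning("login failed ip=%s email=%s", client_ip, email)
    return "invalid"
```

A throttled attempt is rejected before the password is checked and is not itself counted as a failure, so a client cannot push its own delay higher by hammering the endpoint.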