Webmail is not exempt from rate limiting #3094
Comments
|
The rate limiter doesn't work the way you think it does. Webmail is excluded from IP rate limits but not from account rate limits. |
@nextgens: I'm open to be corrected here. This was only my limited understanding so far. But the resulting behavior (a redirect loop) was unexpected for me nevertheless and really feels like a bug. Especially since I did not find any other way to recover from it. Do you have any other suggestions then how to avoid running into this situation again? |
|
Find out what has caused user@example.net to be rate-limited; address that. AUTH_RATELIMIT_USER defaults to 50/day ... that means that something somewhere has attempted at least 50 different passwords against that account. I agree that feedback on what is going on could be improved... some work has been done on it in master already (the admin container now logs exactly what is going on authentication-wise). |
Ah, I see, so it was some other client that hit the rate limit and caused user@example.net to be blocked. But wouldn't it still make sense, to exempt the webmailer container from rate limiting anyway, since it has no login form but uses SSO (or at least roundcube in my case)? |
Yes. It may not be trivial since there is no information about "distinctness" of passwords attempted in the logs... that's what has been fixed in master.
Hmm, the check is already done in SSO so if that was a new session it means your browser had the right cookies to bypass the rate-limit. Yeah I guess we can fix that; I'll send a PR. |
Correct, the browser had a valid session and I was logged in into mailu.
Perfect, #3100 fixes exactly this issue! |
3100: Do not block webmail when we have a valid SSO session r=mergify[bot] a=nextgens ## What type of PR? bug-fix ## What does this PR do? Ensure we do not block webmail when we have a valid SSO session ### Related issue(s) - close #3094 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
|
@acran The fix is in 2.0.35 |
Environment & Version
docker compose version: Docker Compose version 2.23.32.0.34Description
Trying to open my webmail (roundcube) the browser just showed an error due to too many redirects - which were to
sso.phpof the webmailer.Debugging this I found the following to be the reason:
Where
172.29.0.3is the IP of the webmail container.As far as I could debug this everything else was working fine,
sso.phpcould correctly get valid credentials provided byfrontvia HTTP headers but trying to use them would fail since the webmail container was rate limited. The failed login would the redirect again tosso.php- in a loop...Replication Steps
Unfortunately I have no idea how the webmail container's IP could end up on the rate limited list...
The webmail container should only ever try to login with credentials provided by
frontvia HTTP headers - which then should always be validObserved behaviour
Webmailer was blocked by rate limiting, preventing it from successfully authenticate, causing its login in to fail and damning the browser into an infinite redirection loop.
Expected behaviour
The webmailer should not be blocked by rate limiting since the credentials are passed from an already valid login via SSO anyway.
Possible solutions
docker-compose.ymlconfig to give the network used by the webmailer a known subnet and exempting it from rate limits:The text was updated successfully, but these errors were encountered: