From 8d7737c917e8726ba7dcd26c6efd7fcfa6825fc2 Mon Sep 17 00:00:00 2001 From: Stephan Holl Date: Fri, 1 Sep 2023 19:14:57 +0200 Subject: [PATCH 1/4] Add FAQ entry for deleting IPs from rate limiter --- docs/faq.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/faq.rst b/docs/faq.rst index 8529c752d..22a34a2b1 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -435,6 +435,25 @@ Proceed as following for deleting an user: .. _`github project`: https://github.com/Mailu/Mailu/ + +How to unblock an IP from rate limiter manually? +```````````````````````````````````````````````` + +To manually unblock an IP from the rate limiter do the following on your CLI: + +.. code-block:: bash + + # list the limited networks (this is not the IP, but only the network part according to AUTH_RATELIMIT_IP_V4_MASK + $ docker compose exec redis redis-cli -n 2 --scan --pattern 'LIMITER/auth-ip/*' + + # remove from rate limiter + $ IP=8.8.8.8; docker compose exec redis redis-cli -n 2 --scan --pattern "LIMITER/auth-ip/${IP}/*" \ + | xargs -r docker compose exec -T redis redis-cli -n 2 DEL + +*Issue reference:* `2856`_. + +.. _`2856`: https://github.com/Mailu/Mailu/issues/2856 + Changes in .env don't propagate ``````````````````````````````` From 1aa0f89a17058185b31c2f3cbf21a386a93fdef5 Mon Sep 17 00:00:00 2001 From: Stephan Holl Date: Sat, 2 Sep 2023 11:15:21 +0200 Subject: [PATCH 2/4] Add hints for token-based auth and AUTH_RATELIMIT_EXEMPTION --- docs/configuration.rst | 2 ++ docs/faq.rst | 4 ++++ docs/webadministration.rst | 2 ++ 3 files changed, 8 insertions(+) diff --git a/docs/configuration.rst b/docs/configuration.rst index 2f7e27a76..e4bd045e0 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst 
@@ -40,6 +40,8 @@ address. The ``WILDCARD_SENDERS`` setting is a comma delimited list of user email addresses that are allowed to send emails from any existing address (spoofing the sender). +.. _AUTH Ratelimit: + The ``AUTH_RATELIMIT_IP`` (default: 5/hour) holds a security setting for fighting attackers that attempt a password spraying attack. The value defines the limit of authentication attempts that will be processed on **distinct** non-existing diff --git a/docs/faq.rst b/docs/faq.rst index 22a34a2b1..27e5f6a22 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -450,6 +450,10 @@ To manually unblock an IP from the rate limiter do the following on your CLI: $ IP=8.8.8.8; docker compose exec redis redis-cli -n 2 --scan --pattern "LIMITER/auth-ip/${IP}/*" \ | xargs -r docker compose exec -T redis redis-cli -n 2 DEL +Consider to use :ref:`AUTH tokens` for your users. Ratelimiting is exempted for token-based authentication! + +Also have a look at the configuration parameter ``AUTH_RATELIMIT_EXEMPTION``. More on :ref:`Rate limiting`. + *Issue reference:* `2856`_. .. _`2856`: https://github.com/Mailu/Mailu/issues/2856 diff --git a/docs/webadministration.rst b/docs/webadministration.rst index ed75f0950..6521fc2e9 100644 --- a/docs/webadministration.rst +++ b/docs/webadministration.rst @@ -165,6 +165,8 @@ Click the submit button to apply settings. With the default polling interval, fe Make sure ``FETCHMAIL_ENABLED`` is set to ``true`` in ``mailu.env`` to enable fetching and showing fetchmail in the admin interface. +.. _AUTH tokens: + Authentication tokens --------------------- From c20ef3253381f584791281f0dc74cd22fe044af2 Mon Sep 17 00:00:00 2001 From: Stephan Holl <1610827+sholl@users.noreply.github.com> Date: Wed, 22 Nov 2023 20:07:55 +0100 Subject: [PATCH 3/4] Update docs/faq.rst use @nextgens suggestion Co-authored-by: Florent Daigniere --- docs/faq.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/faq.rst b/docs/faq.rst index 27e5f6a22..5772978ae 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -450,7 +450,7 @@ To manually unblock an IP from the rate limiter do the following on your CLI: $ IP=8.8.8.8; docker compose exec redis redis-cli -n 2 --scan --pattern "LIMITER/auth-ip/${IP}/*" \ | xargs -r docker compose exec -T redis redis-cli -n 2 DEL -Consider to use :ref:`AUTH tokens` for your users. Ratelimiting is exempted for token-based authentication! +Consider using :ref:`AUTH tokens` for your users. Token-based authentication is exempted from rate limits! Also have a look at the configuration parameter ``AUTH_RATELIMIT_EXEMPTION``. More on :ref:`Rate limiting`. From e0c6fbd92accc2bede4c671ffb4a293ffbca060e Mon Sep 17 00:00:00 2001 From: Stephan Holl Date: Wed, 22 Nov 2023 20:28:47 +0100 Subject: [PATCH 4/4] Add AUTH_REQUIRE_TOKENS referrer --- docs/faq.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/faq.rst b/docs/faq.rst index 5dfc0fa11..2200cfd88 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -453,7 +453,9 @@ To manually unblock an IP from the rate limiter do the following on your CLI: Consider using :ref:`AUTH tokens` for your users. Token-based authentication is exempted from rate limits! -Also have a look at the configuration parameter ``AUTH_RATELIMIT_EXEMPTION``. More on :ref:`Rate limiting`. +Also have a look at the configuration parameters +``AUTH_RATELIMIT_EXEMPTION`` and ``AUTH_REQUIRE_TOKENS``. More on +:ref:`Rate limiting` and :ref:`advanced settings`. *Issue reference:* `2856`_.
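Review bot: in the PATCH 1/4 hunk for docs/faq.rst, the unblock example contradicts its own comment: the comment says the keys hold "only the network part according to AUTH_RATELIMIT_IP_V4_MASK", yet the deletion command sets `IP=8.8.8.8` and matches `"LIMITER/auth-ip/${IP}/*"`, which only finds a key when the mask is /32. Tell the reader to copy the network value exactly as printed by the preceding `--scan` and use that as `IP`, for example "set IP to the network shown by the scan above, not to the client's address". The comment is also missing its closing parenthesis after `AUTH_RATELIMIT_IP_V4_MASK`, and the question heading reads better as "How to manually unblock an IP from the rate limiter?".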
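Review bot: the labels and references added in PATCH 2/4 do not line up. The docs/configuration.rst hunk adds `.. _AUTH Ratelimit:`, but the docs/faq.rst hunk in the same patch links to `:ref:`Rate limiting``, which no hunk in this series defines; Sphinx will emit an undefined-label warning and render no link unless a `Rate limiting` label already exists elsewhere. Either rename the new label to `.. _Rate limiting:` or change the FAQ to `:ref:`AUTH Ratelimit``. The `:ref:`AUTH tokens`` reference does match the `.. _AUTH tokens:` label added in docs/webadministration.rst.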
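Review bot: in the PATCH 4/4 hunk for docs/faq.rst, `:ref:`advanced settings`` points at a label that is not added anywhere in this series; please confirm it exists in the current docs tree, otherwise this produces the same undefined-label warning. Also the index line `5dfc0fa11..2200cfd88` does not chain from PATCH 3/4's resulting blob `5772978ae`, so the series was generated against a different base and may need a rebase before it applies cleanly.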
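Review bot: in the PATCH 3/4 hunk for docs/faq.rst, the reworded sentence "Token-based authentication is exempted from rate limits!" should lose the exclamation mark and be scoped to what the section covers, for example "Token-based authentication is exempt from the authentication rate limiter described above." As written it can be read as a blanket statement about every limiter Mailu applies.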