fix: fixed logger for test, relaxed rate limiting for failed attempts

forwardemail · Nov 13, 2023 · ccd2f4b · ccd2f4b
1 parent 3c0f20b
commit ccd2f4b
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 7 deletions.
diff --git a/config/index.js b/config/index.js
@@ -50,8 +50,8 @@ const config = {
   smtpMaxQueue: 60,
   smtpQueueTimeout: ms('180s'),
   smtpLimitMessages: env.NODE_ENV === 'test' ? 10 : 300,
-  smtpLimitAuth: env.NODE_ENV === 'test' ? Number.MAX_VALUE : 5,
-  smtpLimitAuthDuration: ms('1d'),
+  smtpLimitAuth: env.NODE_ENV === 'test' ? Number.MAX_VALUE : 10,
+  smtpLimitAuthDuration: ms('1h'),
   smtpLimitDuration: ms('1d'),
   smtpLimitNamespace: `smtp_auth_limit_${env.NODE_ENV.toLowerCase()}`,
   supportEmail: env.EMAIL_DEFAULT_FROM_EMAIL,

diff --git a/helpers/on-auth.js b/helpers/on-auth.js
@@ -208,11 +208,30 @@ async function onAuth(auth, session, fn) {
         `auth_limit_${config.env}:${session.remoteAddress}`,
         0
       );
-      if (count >= config.smtpLimitAuth)
+      if (count >= config.smtpLimitAuth) {
+        // alert admins of failed login by IP address
+        // (until this gets out of hand)
+        if (session.resolvedClientHostname) {
+          this.logger.error(
+            new TypeError(
+              `${session.resolvedClientHostname} (${parseRootDomain(
+                session.resolvedClientHostname
+              )}) has exceeded failed login attempts`
+            )
+          );
+        } else {
+          this.logger.error(
+            new TypeError(
+              `${session.remoteAddress} has exceeded failed login attempts`
+            )
+          );
+        }
+
         throw new SMTPError(
           `You have exceeded the maximum number of failed authentication attempts. Please try again later or contact us at ${config.supportEmail}`
           // { ignoreHook: true }
         );
+      }
     }
 
     // ensure that the token is valid

diff --git a/imap-server.js b/imap-server.js
@@ -103,8 +103,7 @@ class IMAP {
       namespace: config.smtpLimitNamespace
     });
 
-    this.logger =
-      config.env === 'development' ? logger : new Axe({ silent: true });
+    this.logger = config.env === 'test' ? new Axe({ silent: true }) : logger;
 
     const server = new IMAPServer({
       secure,

diff --git a/smtp-server.js b/smtp-server.js
@@ -60,8 +60,7 @@ class SMTP {
       namespace: config.smtpLimitNamespace
     });
 
-    this.logger =
-      config.env === 'development' ? logger : new Axe({ silent: true });
+    this.logger = config.env === 'test' ? new Axe({ silent: true }) : logger;
 
     // setup our smtp server which listens for incoming email
     // TODO: <https://github.com/nodemailer/smtp-server/issues/177>