Hello 👋,
It would be very nice if Mailcow could search the passwords in the https://haveibeenpwned.com/ database. This would enable Mailcow to warn users if they use an insecure password that has appeared in a previous data breach.
Have I Been Pwned provides an API for this:
https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
You can subscribe your email account with HaveIBeenPwned.com so you "get notified when future pwnage occurs and your account is compromised."
Sounds like the feature which nextcloud integrated lately.
https://github.com/nextcloud/password_policy/pull/60/commits
I would also appreciate this feature.
@D3luxee and @ntimo ,
I have a question about something.
How do you propose we keep to the rate limit given that users of Mailcow range from single users to businesses that resell? Some people add multiple domains on one server.
Requests to the breaches and pastes APIs are limited to one per every 1500 milliseconds each from any given IP address .... The retry period is sliding; ... Adding a 100 millisecond delay between requests will usually ensure this won't happen.
I emailed Troy from haveibeenpwned and he says as long as the requests stick to the rate limit, all is fine.
Bad case scenario, 2 users send the API at the same time, IP gets triggered with a sliding retry period of unknown (docs don't exactly say what the multiplier is for the retry length or length of the retry period is, only that the header will have the retry period returned in seconds and it shows 2 seconds in the docs).
Second user waits ~2 seconds for a response.
With more users activating the API at the same time, the more the wait time grows.
The fourth user has to wait 4.8 seconds before results are shown. 100th user would have to wait about 160 seconds before getting their results.
nth user wait time in seconds where n > 1 = ((n-1) * 1.5) + ((n-1) * .1)
Users who naturally wouldn't know about the rate limit would think an error has occurred and most likely attempt to redo/retry the API request. Or perhaps feel the system is slow.
I'm thinking Queue programming tied to the MySQL database.
Also getting ideas with SQLQueue Class?
Any suggestions?
I integrated it now. But I need to make further checks with the user ACL implementation before pushing.
@Mr-Martinez I was not aware of the rate limit, but I don't think it's a problem at all.
Nextcloud for example implements it as password policy which will only trigger requests when you create a user or change the password.
With only checking on password changes and user creation I think it's almost impossible to trigger this condition on a single mailcow node.
This rate limit will be an issue when your mailcow has reached a size where a single mailcow instance with 1 IP will simply collapse.
Hi @D3luxee ,
I see, only triggered on rare cases. Makes sense.
I was thinking of working on something where a user activates it every now and again along with the admin checking on all email addresses on the server. Somewhere here there was a person who had 150 accounts under a single domain, so was looking for suggestions on how to approach the issue.
Looking forward to seeing how andryyy implemented this in code and how to improve it.
I just created a check for the password mask when the input field has a data attr "hipb". You can click and check the input.
I don't really want to store any SHA1 hashes for this feature. :-O
This means the user needs to trigger this check manually? Wouldn't it be better to check the password when he is trying to apply it?
You can check it manually, but you don't need to.
I guess this was added with https://github.com/mailcow/mailcow-dockerized/commit/c9554ca02291e64e56a786217de8d4b34b25544d
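The range search linked in the first post, sketched as an added example (not code from this thread or from mailcow): the password is hashed locally, only the first five hex characters of the SHA-1 are sent, and the returned suffixes are compared on the caller's side, so no hash is stored or transmitted in full. The names `split_hash`, `pwned_count`, `http_fetch` and `fake_fetch` are hypothetical, and the offline response, including its counts, is constructed.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password; return (5-char prefix, 35-char suffix) as upper-case hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def http_fetch(prefix: str) -> str:
    """Live lookup: only the 5-character prefix leaves the host."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"}
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii")


def pwned_count(password: str, fetch_range: Callable[[str], str] = http_fetch) -> int:
    """Return how often the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            # Malformed or zero counts (padding entries) are treated as "not found".
            return int(count) if count.isdigit() else 0
    return 0


def fake_fetch(prefix: str) -> str:
    """Constructed offline response in the API's SUFFIX:COUNT line format."""
    known_prefix, known_suffix = split_hash("password")
    if prefix != known_prefix:
        return ""
    return "\r\n".join([
        "0" * 35 + ":3",       # constructed decoy entry
        known_suffix + ":42",  # constructed count for the sample password
        "F" * 35 + ":0",       # constructed padding-style entry
    ])


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fake_fetch))
```

Calling `pwned_count(new_password)` without a second argument performs the live request; a password-policy hook would typically reject or warn on any non-zero result.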