[bug]: X-Forwarded-For on JMAP Rate-Limit does not work

[wrenix]

What happened?

Loadbalancer set X-Forwarded-For but log say, it is an internal.

config like in https://stalw.art/docs/jmap/ratelimit#proxy-setup descripted:

[jmap.rate-limit]
use-forwarded = true

---

I found in code, that only Forwarded in header is checked:

mail-server/crates/jmap/src/auth/authenticate.rs

Line 159 in b7c0344

.get(header::FORWARDED)

also the rust library does not support X-Forwarded-For:
hyperium/http#601

How can we reproduce the problem?

I can reproduce the problem by doing the following steps:

Version

v0.5.x

What database are you using?

None

What blob storage are you using?

None

Where is your directory located?

None

What operating system are you using?

Docker

Relevant log output

2024-01-11T12:15:32.971421Z DEBUG session{instance="http" protocol=Jmap remote.ip="10.0.0.2" remote.port=40140}: jmap:
2024-01-11T12:15:32.971466Z DEBUG jmap::auth::authenticate: Warning: No remote address found in request, using loopback

Code of Conduct

• I agree to follow this project's Code of Conduct

[johansmitsnl]

I found this issue. But even when you enable this it still shows in the log the IP of the proxy and not the connecting client.

[mdecimus]

The X-Forwarded header is only used for the rate limiter only on HTTP connections. If Stalwart is running behind a proxy you need to enable the proxy protocol so all services can have access to the remote client address.

[johansmitsnl]

In my setup all email ports are exposed without proxy and only the 443 port is behind nginx. And only the jmap shows the wrong IP. I have not found the option in nginx for upstream proxy protocol. That's why I expected the forward header would work.