Summary
Currently, Mailcow is using Fail2Ban to block malicious brute-force password attempts and frequent request behaviors. However, its effectiveness is limited because attackers can often use proxy IPs to launch attacks. Additionally, there is no rate limiting for the "forgot password" feature, which makes it highly likely that attackers can frequently change IPs and use this feature to harass users' email accounts. This could ultimately pressure email service providers to lower the reputation of the sending domain, which would negatively impact normal use.
Motivation
Adding a more intelligent CAPTCHA system to Mailcow is essential. This would protect all users of Mailcow from malicious attacks like the one described and upgrade the anti-bot approach from passive IP blocking to active behavior verification. This would significantly enhance the security of Mailcow. Moreover, some CAPTCHA systems have reusable code, which could save a lot of development time.
Additional context
No response
I think there is no way to add captcha to imap, smtp, autodiscover or sogo credentials.
The "Forgot Password" feature is by default limited to 3 token requests per user, with each token having a lifetime of 15 minutes.
You can override these limits with a data/web/inc/vars.local.inc.php file:

```php
<?php
// Maximum number of password reset tokens that can be generated at once per user
$PW_RESET_TOKEN_LIMIT = 3;

// Maximum time in minutes a password reset token is valid
$PW_RESET_TOKEN_LIFETIME = 15;
```
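To illustrate the point made above, that the reset-token limit is keyed on the mailbox rather than on the client address, here is an added Python model of that check. It is not Mailcow's code; the token store, the mailbox name and the IP addresses are constructed for the example, and only the two default values come from the thread.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Defaults quoted in the thread; an admin can override them in vars.local.inc.php
PW_RESET_TOKEN_LIMIT = 3        # max unexpired reset tokens per user
PW_RESET_TOKEN_LIFETIME = 15    # minutes a token stays valid


@dataclass
class ResetTokenStore:
    """Illustrative model (constructed, not Mailcow's code): unexpired reset tokens per user."""
    limit: int = PW_RESET_TOKEN_LIMIT
    lifetime: timedelta = timedelta(minutes=PW_RESET_TOKEN_LIFETIME)
    _issued: dict = field(default_factory=dict)   # user -> list of issue timestamps

    def _live_tokens(self, user, now):
        # A token issued at t is valid while now < t + lifetime; drop the rest.
        cutoff = now - self.lifetime
        live = [t for t in self._issued.get(user, []) if t > cutoff]
        self._issued[user] = live
        return live

    def request_token(self, user, now, source_ip):
        """Return True if a new token may be issued for `user`.

        `source_ip` is deliberately not part of the decision: the limit is
        per mailbox, so rotating client addresses does not reset it."""
        live = self._live_tokens(user, now)
        if len(live) >= self.limit:
            return False
        live.append(now)
        return True


def simulate():
    """Four requests within minutes from four different (constructed) addresses,
    then one more after the earliest tokens have expired."""
    store = ResetTokenStore()
    t0 = datetime(2024, 1, 1, 12, 0)
    ips = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
    results = [store.request_token("alice@example.org", t0 + timedelta(minutes=i), ip)
               for i, ip in enumerate(ips)]
    # 16 minutes after t0 the tokens issued at t0 and t0+1 have expired, so one more is allowed
    results.append(store.request_token("alice@example.org",
                                       t0 + timedelta(minutes=16), "198.51.100.5"))
    return results
```

`simulate()` returns `[True, True, True, False, True]`: the fourth request is refused even though it arrives from a new address, and capacity only returns once tokens time out.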