Password reset via e-mail stops working after 5 sent e-mails per 30min

Hello together,

we have a nextcloud with a lot of users and we you use the password-forgotten-function to reset passwords. After some send emails, it will not work anymore. The reason seems to be the problem, that all clients in our organization have the same ip-address. The error in the log is this:

POST","url":"/lostpassword/email","message":"Could not send password reset email: Could not send reset e-mail, 5 of them were already sent in the last 30 minutes

We already added our ip to the brute-force exceptions, but it doesn’t help.

Does someone know a solution?

I know we should have a LDAP-server, due to organizational problems we have to wait for it.

Thanks a lot.

hi @user-needs-help welcome to the forum :handshake:

it seems nothing is wrong and the reset password function is intentionally “rate limited”.

I assume this is for security reasons. Could you please explain your scenario in depth I’m wondering even big organization requires such many password resets within short period?

I’m not aware LDAP is a must… but I agree for a bigger installations with multiple applications some kind of single-sign-on sso is a must. If you are building on the green field you could go with more modern user authentication back-ends like OpenID connect based on Keycloak, Authentik, Authelia etc…

@wwe Thanks a lot for your reply!

Our scenario is a school. We added next to 600 users with the python-script from

We decided not to set passwords, because of the work to print them for every single user. Therefore send invitations via mail. Now a lot of pupils didn’t use the the invitations links, just because they are pupils. If there is a class and you want to start to work with them, 30 users push the reset-passwort-button. After 5 send mails, it’s not working anymore, like you pointed out.
The work around is to change the passwords manually for every user in class. This takes much longer and cannot be done by normal teachers only admins…

My question is now, the limit of 5 per 30min is per nextcloud-instance or per ip-address?

Thanks a lot.

As the limit is inside the code I assume this is instance-wide limitation. You can try to adjust the limit in the respective file or even better follow the procedure with pdf - at the end this is simpler than ask 30+ users to follow password reset procedure.

1 Like

Thanks again.

I tested this. It seems to be per IP-address. Because after changing to mobile phones, the pupils could reset there credentials there instantly.

This can be closed. Thanks.