Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value.

core/admin/mailu/configuration.py

@@ -34,8 +34,8 @@ DEFAULT_CONFIG = {
     'POSTMASTER': 'postmaster',
     'TLS_FLAVOR': 'cert',
     'INBOUND_TLS_ENFORCE': False,
-    'AUTH_RATELIMIT': '10/minute;1000/hour',
-    'AUTH_RATELIMIT_SUBNET': True,
+    'AUTH_RATELIMIT': '1000/minute;10000/hour',
+    'AUTH_RATELIMIT_SUBNET': False,
     'DISABLE_STATISTICS': False,
     # Mail settings
     'DMARC_RUA': None,

docs/configuration.rst

@@ -41,7 +41,7 @@ The ``AUTH_RATELIMIT`` holds a security setting for fighting attackers that
 try to guess user passwords. The value is the limit of failed authentication attempts
 that a single IP address can perform against IMAP, POP and SMTP authentication endpoints.
 
-If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (which is the default), the ``AUTH_RATELIMIT``
+If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (default: False), the ``AUTH_RATELIMIT``
 rules does also apply to auth requests coming from ``SUBNET``, especially for the webmail.
 If you disable this, ensure that the rate limit on the webmail is enforced in a different
 way (e.g. roundcube plug-in), otherwise an attacker can simply bypass the limit using webmail.

setup/templates/steps/config.html

@@ -51,7 +51,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post
   <label>Authentication rate limit (per source IP address)</label>
   <!--   Validates number input only -->
   <p><input class="form-control" style="width: 7%; display: inline;" type="number" name="auth_ratelimit_pm"
-  		value="10" required > / minute
+  		value="10000" required > / minute
   </p>
 </div>
 

towncrier/newsfragments/1867.feature

@@ -0,0 +1 @@
+Changed default value of AUTH_RATELIMIT_SUBNET to false. Increased default value of the rate limit in setup utility (AUTH_RATELIMIT) to a higher value.