From 588904078edd04ed08db309ceb7dd11e751c37b9 Mon Sep 17 00:00:00 2001
From: Diman0
Date: Fri, 6 Aug 2021 16:27:07 +0200
Subject: [PATCH] Set default of AUTH_RATELIMIT_SUBNET to False. Increase default AUTH_RATELIMIT value.

---
 core/admin/mailu/configuration.py    | 4 ++--
 docs/configuration.rst               | 2 +-
 setup/templates/steps/config.html    | 2 +-
 towncrier/newsfragments/1867.feature | 1 +
 4 files changed, 5 insertions(+), 4 deletions(-)
 create mode 100644 towncrier/newsfragments/1867.feature

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 3d1b4fb5..d2d34d88 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -34,8 +34,8 @@ DEFAULT_CONFIG = {
     'POSTMASTER': 'postmaster',
     'TLS_FLAVOR': 'cert',
     'INBOUND_TLS_ENFORCE': False,
-    'AUTH_RATELIMIT': '10/minute;1000/hour',
-    'AUTH_RATELIMIT_SUBNET': True,
+    'AUTH_RATELIMIT': '1000/minute;10000/hour',
+    'AUTH_RATELIMIT_SUBNET': False,
     'DISABLE_STATISTICS': False,
     # Mail settings
     'DMARC_RUA': None,
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 16ea23c3..d7ebfc11 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -41,7 +41,7 @@ The ``AUTH_RATELIMIT`` holds a security setting for fighting attackers that try to guess user passwords. The value is the limit of failed authentication attempts that a single IP address can perform against IMAP, POP and SMTP authentication endpoints.
-If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (which is the default), the ``AUTH_RATELIMIT``
+If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (default: False), the ``AUTH_RATELIMIT``
 rules does also apply to auth requests coming from ``SUBNET``, especially for the webmail. If you disable this, ensure that the rate limit on the webmail is enforced in a different way (e.g. roundcube plug-in), otherwise an attacker can simply bypass the limit using webmail.
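Review bot: The new default `'AUTH_RATELIMIT': '1000/minute;10000/hour'` permits roughly 17 failed authentications per second from a single IP address, far more than any interactive client needs, so on a default install the setting no longer serves the purpose docs/configuration.rst gives it (slowing password guessing against IMAP, POP and SMTP), and with `AUTH_RATELIMIT_SUBNET` now `False` requests from `SUBNET` are not limited at all unless the webmail enforces its own limit. If the raise is meant to stop lockouts of legitimate clients (presumably many users behind one NAT), that trade-off should be recorded next to the values, e.g. `# Per-IP limit on auth attempts; deliberately generous to avoid locking out shared-NAT clients. SUBNET (webmail) is exempt by default — enforce a limit there separately, see docs/configuration.rst`. A smaller per-minute burst with the same hourly ceiling, e.g. `'100/minute;10000/hour'`, would keep the lockout relief while still throttling a single-source guessing run. The `DEFAULT_CONFIG` dict starts before this hunk.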
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index 3769a210..fee66933 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -51,7 +51,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post

/ minute + value="10000" required > / minute

diff --git a/towncrier/newsfragments/1867.feature b/towncrier/newsfragments/1867.feature
new file mode 100644
index 00000000..fbd3a7d7
--- /dev/null
+++ b/towncrier/newsfragments/1867.feature
@@ -0,0 +1 @@
+Changed default value of AUTH_RATELIMIT_SUBNET to false. Increased default value of the rate limit in setup utility (AUTH_RATELIMIT) to a higher value.