update defaults, rephrase doc

core/admin/mailu/configuration.py

@@ -40,7 +40,7 @@ DEFAULT_CONFIG = {
     'TLS_FLAVOR': 'cert',
     'INBOUND_TLS_ENFORCE': False,
     'DEFER_ON_TLS_ERROR': True,
-    'AUTH_RATELIMIT_IP': '60/hour',
+    'AUTH_RATELIMIT_IP': '5/hour',
     'AUTH_RATELIMIT_IP_V4_MASK': 24,
     'AUTH_RATELIMIT_IP_V6_MASK': 56,
     'AUTH_RATELIMIT_USER': '100/day',

docs/configuration.rst

@@ -40,11 +40,12 @@ address.
 The ``WILDCARD_SENDERS`` setting is a comma delimited list of user email addresses
 that are allowed to send emails from any existing address (spoofing the sender).
 
-The ``AUTH_RATELIMIT_IP`` (default: 60/hour) holds a security setting for fighting
-attackers that waste server resources by trying to guess user passwords (typically
-using a password spraying attack). The value defines the limit of authentication
-attempts that will be processed on non-existing accounts for a specific IP subnet
-(as defined in ``AUTH_RATELIMIT_IP_V4_MASK`` and ``AUTH_RATELIMIT_IP_V6_MASK`` below).
+The ``AUTH_RATELIMIT_IP`` (default: 5/hour) holds a security setting for fighting
+attackers that attempt a password spraying attack. The value defines the limit of
+authentication attempts that will be processed on **distinct** non-existing
+accounts for a specific IP subnet as defined in
+``AUTH_RATELIMIT_IP_V4_MASK`` (default: /24) and
+``AUTH_RATELIMIT_IP_V6_MASK`` (default: /56).
 
 The ``AUTH_RATELIMIT_USER`` (default: 100/day) holds a security setting for fighting
 attackers that attempt to guess a user's password (typically using a password