From a60159a0db89b56fc86e163a77a13e760a315237 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 4 Feb 2023 16:46:27 +0100
Subject: [PATCH] update defaults, rephrase doc

---
 core/admin/mailu/configuration.py | 2 +-
 docs/configuration.rst | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 11d79643..2f5f6b0c 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -40,7 +40,7 @@ DEFAULT_CONFIG = {
     'TLS_FLAVOR': 'cert',
     'INBOUND_TLS_ENFORCE': False,
     'DEFER_ON_TLS_ERROR': True,
-    'AUTH_RATELIMIT_IP': '60/hour',
+    'AUTH_RATELIMIT_IP': '5/hour',
     'AUTH_RATELIMIT_IP_V4_MASK': 24,
     'AUTH_RATELIMIT_IP_V6_MASK': 56,
     'AUTH_RATELIMIT_USER': '100/day',
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 240870cf..c867d8dd 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
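Review bot: The new `'AUTH_RATELIMIT_IP': '5/hour'` default in `DEFAULT_CONFIG` carries no hint in the code of what the counter actually measures, and the docs hunk in this same commit narrows the meaning to attempts on **distinct** non-existing accounts per subnet, which is not what a reader of a bare rate string would assume. A one-line comment next to the key would keep the two in sync: `# attempts on distinct non-existing accounts per /AUTH_RATELIMIT_IP_V4_MASK (IPv4) or /AUTH_RATELIMIT_IP_V6_MASK (IPv6) subnet; see docs/configuration.rst`. The string is only a default here and is parsed elsewhere, outside this hunk, so nothing in the diff validates its format; a twelvefold tightening of a per-subnet limit is the intended hardening, but it also means that one misbehaving client behind a shared /24 can exhaust the budget for everyone on that subnet, which is worth stating in the commit message. If any setup template or sample `mailu.env` elsewhere in the repository still carries the previous `60/hour`, it should be updated in the same change so deployments generated from templates do not silently keep the weaker default.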
@@ -40,11 +40,12 @@ address.
 The ``WILDCARD_SENDERS`` setting is a comma delimited list of user email addresses
 that are allowed to send emails from any existing address (spoofing the sender).
 
-The ``AUTH_RATELIMIT_IP`` (default: 60/hour) holds a security setting for fighting
-attackers that waste server resources by trying to guess user passwords (typically
-using a password spraying attack). The value defines the limit of authentication
-attempts that will be processed on non-existing accounts for a specific IP subnet
-(as defined in ``AUTH_RATELIMIT_IP_V4_MASK`` and ``AUTH_RATELIMIT_IP_V6_MASK`` below).
+The ``AUTH_RATELIMIT_IP`` (default: 5/hour) holds a security setting for fighting
+attackers that attempt a password spraying attack. The value defines the limit of
+authentication attempts that will be processed on **distinct** non-existing
+accounts for a specific IP subnet as defined in
+``AUTH_RATELIMIT_IP_V4_MASK`` (default: /24) and
+``AUTH_RATELIMIT_IP_V6_MASK`` (default: /56).
 
 The ``AUTH_RATELIMIT_USER`` (default: 100/day) holds a security setting for fighting
 attackers that attempt to guess a user's password (typically using a password