diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index d6a332fc..04d6d94e 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -94,6 +94,7 @@ def handle_authentication(headers):
         try:
             user_email = raw_user_email.encode("iso8859-1").decode("utf8")
             password = raw_password.encode("iso8859-1").decode("utf8")
+            ip = urllib.parse.unquote(headers["Client-Ip"])
         except:
             app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')
         else:
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 0ba39019..3e53e7d2 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -29,9 +29,14 @@ POSTMASTER={{ postmaster }}
 # Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
 TLS_FLAVOR={{ tls_flavor }}
 
-# Authentication rate limit (per /24 on ipv4 and /56 on ipv6)
-{% if auth_ratelimit_pm > '0' %}
-AUTH_RATELIMIT={{ auth_ratelimit_pm }}/minute
+# Authentication rate limit per IP (per /24 on ipv4 and /56 on ipv6)
+{% if auth_ratelimit_ip > '0' %}
+AUTH_RATELIMIT_IP={{ auth_ratelimit_ip }}/hour
+{% endif %}
+
+# Authentication rate limit per user (regardless of the source-IP)
+{% if auth_ratelimit_user > '0' %}
+AUTH_RATELIMIT_USER={{ auth_ratelimit_user }}/day
 {% endif %}
 
 # Opt-out of statistics, replace with "True" to opt out
@@ -150,9 +155,8 @@ DOMAIN_REGISTRATION=true
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME={{ compose_project_name or 'mailu' }}
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME={{ password_scheme or 'PBKDF2' }}
+# Number of rounds used by the password hashing scheme
+CREDENTIAL_ROUNDS=12
 
 # Header to take the real ip from
 REAL_IP_HEADER={{ real_ip_header }}
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index f532f757..74a45800 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -48,10 +48,18 @@ Or in plain english: if receivers start to classify your mail as spam, this post
 </div>
 
 <div class="form-group">
-  <label>Authentication rate limit (per source IP address)</label>
+  <label>Authentication rate limit per IP for failed login attempts or non-existing accounts</label>
   <!--   Validates number input only -->
-  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_pm"
-  		value="10000" required > / minute
+  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_ip"
+  		value="60" required > / hour
+  </p>
+</div>
+
+<div class="form-group">
+  <label>Authentication rate limit per user</label>
+  <!--   Validates number input only -->
+  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_user"
+  		value="100" required > / day
   </p>
 </div>