From ac496eed19955effbd262eaeb71f043a523061c4 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Fri, 24 Sep 2021 12:57:17 +0200
Subject: [PATCH 1/3] Update setup with new rate limit config vars.

---
 setup/flavors/compose/mailu.env   | 11 ++++++++---
 setup/templates/steps/config.html | 14 +++++++++++---
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 0ba39019..fd95b725 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -29,9 +29,14 @@ POSTMASTER={{ postmaster }}
 # Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
 TLS_FLAVOR={{ tls_flavor }}
 
-# Authentication rate limit (per /24 on ipv4 and /56 on ipv6)
-{% if auth_ratelimit_pm > '0' %}
-AUTH_RATELIMIT={{ auth_ratelimit_pm }}/minute
+# Authentication rate limit per IP (per /24 on ipv4 and /56 on ipv6)
+{% if auth_ratelimit_ip > '0' %}
+AUTH_RATELIMIT_IP={{ auth_ratelimit_ip }}/hour
+{% endif %}
+
+# Authentication rate limit per user (per /24 on ipv4 and /56 on ipv6)
+{% if auth_ratelimit_user > '0' %}
+AUTH_RATELIMIT_USER={{ auth_ratelimit_user }}/day
 {% endif %}
 
 # Opt-out of statistics, replace with "True" to opt out
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index f532f757..4b4bb281 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -48,10 +48,18 @@ Or in plain english: if receivers start to classify your mail as spam, this post
 </div>
 
 <div class="form-group">
-  <label>Authentication rate limit (per source IP address)</label>
+  <label>Authentication rate limit per IP for failed login attempts for non-existing accounts</label>
   <!--   Validates number input only -->
-  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_pm"
-  		value="10000" required > / minute
+  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_ip"
+  		value="60" required > / hour
+  </p>
+</div>
+
+<div class="form-group">
+  <label>Authentication rate limit per user for failed login attempts for existing accounts</label>
+  <!--   Validates number input only -->
+  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_user"
+  		value="100" required > / day
   </p>
 </div>
 

From 862fdda55b9f13f4e5bc82f525441a7716210bf6 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 24 Sep 2021 13:35:41 +0200
Subject: [PATCH 2/3] Tweak the wording

---
 setup/flavors/compose/mailu.env   | 2 +-
 setup/templates/steps/config.html | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index fd95b725..60516013 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -34,7 +34,7 @@ TLS_FLAVOR={{ tls_flavor }}
 AUTH_RATELIMIT_IP={{ auth_ratelimit_ip }}/hour
 {% endif %}
 
-# Authentication rate limit per user (per /24 on ipv4 and /56 on ipv6)
+# Authentication rate limit per user (regardless of the source-IP)
 {% if auth_ratelimit_user > '0' %}
 AUTH_RATELIMIT_USER={{ auth_ratelimit_user }}/day
 {% endif %}
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index 4b4bb281..74a45800 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -48,7 +48,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post
 </div>
 
 <div class="form-group">
-  <label>Authentication rate limit per IP for failed login attempts for non-existing accounts</label>
+  <label>Authentication rate limit per IP for failed login attempts or non-existing accounts</label>
   <!--   Validates number input only -->
   <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_ip"
   		value="60" required > / hour
@@ -56,7 +56,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post
 </div>
 
 <div class="form-group">
-  <label>Authentication rate limit per user for failed login attempts for existing accounts</label>
+  <label>Authentication rate limit per user</label>
   <!--   Validates number input only -->
   <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_user"
   		value="100" required > / day

From 464a117e9f19f42af01a47f19c7cd488a88db959 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 24 Sep 2021 13:37:00 +0200
Subject: [PATCH 3/3] this should be changed too

---
 setup/flavors/compose/mailu.env | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 60516013..3e53e7d2 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -155,9 +155,8 @@ DOMAIN_REGISTRATION=true
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME={{ compose_project_name or 'mailu' }}
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME={{ password_scheme or 'PBKDF2' }}
+# Number of rounds used by the password hashing scheme
+CREDENTIAL_ROUNDS=12
 
 # Header to take the real ip from
 REAL_IP_HEADER={{ real_ip_header }}