diff --git a/docs/PEOPLE_PLAYBOOK.md b/docs/PEOPLE_PLAYBOOK.md
index 2eb468b..5722d64 100644
--- a/docs/PEOPLE_PLAYBOOK.md
+++ b/docs/PEOPLE_PLAYBOOK.md
@@ -1,3 +1,10 @@
+WOW THIS IS BAD:
+https://kanidm.github.io/kanidm/stable/accounts/anonymous.html
+```shell
+kanidm service-account update --entry-managed-by idm_admins anonymous
+kanidm service-account validity expire-at anonymous epoch
+```
+
 obviously, don't let people have usernames that would conflict with anything internal (i.e. "email", "infra*", etc.) and are only alphanumeric
 
 ```sh
diff --git a/playbooks/roles/mail/templates/user-patches.sh.j2 b/playbooks/roles/mail/templates/user-patches.sh.j2
index 6845563..2780f70 100644
--- a/playbooks/roles/mail/templates/user-patches.sh.j2
+++ b/playbooks/roles/mail/templates/user-patches.sh.j2
@@ -3,7 +3,11 @@
 postconf -e 'smtpd_sasl_type = dovecot'
 postconf -e 'smtpd_sasl_path = /dev/shm/sasl-auth.sock'
 postconf -e 'smtpd_sasl_auth_enable = yes'
-postconf -e 'broken_sasl_auth_clients = yes'
+#postconf -e 'broken_sasl_auth_clients = yes'
+postconf -e 'smtpd_relay_restrictions=permit_sasl_authenticated,reject'
+postconf -e 'smtpd_delay_reject = yes'
+postconf -e 'smtpd_client_restrictions = permit_sasl_authenticated, reject'
+postconf -e 'smtpd_sasl_security_options = noanonymous'
 echo 'auth_username_format = %Ln' >> /etc/dovecot/conf.d/10-auth.conf