diff --git a/plinth/modules/email/data/etc/apache2/conf-available/email-freedombox.conf b/plinth/modules/email/data/etc/apache2/conf-available/email-freedombox.conf
index 6fe412877..9f99790de 100644
--- a/plinth/modules/email/data/etc/apache2/conf-available/email-freedombox.conf
+++ b/plinth/modules/email/data/etc/apache2/conf-available/email-freedombox.conf
@@ -1,3 +1,5 @@
+# Serve rspamd web UI:
+# https://www.rspamd.com/doc/faq.html#how-to-use-the-webui-behind-a-proxy-server
 <LocationMatch "^/rspamd$">
     Redirect "/rspamd/"
 </LocationMatch>
@@ -5,18 +7,12 @@
 <Location "/rspamd/">
     ProxyPass http://127.0.0.1:11334/
     ProxyPassReverse http://127.0.0.1:11334/
-    # Modify proxy headers
+
+    # Don't add X-Forwarded* headers to make rspamd think that request is coming
+    # from localhost. This disables rspamd's password auth mechanism in favor of
+    # FreedomBox authentication and authorization below.
     ProxyAddHeaders off
-    RequestHeader unset Forwarded
-    RequestHeader unset Via
-    RequestHeader unset X-Forwarded-For
-    RequestHeader unset X-Forwarded-Host
-    RequestHeader unset X-Forwarded-Proto
-    RequestHeader unset X-Forwarded-Server
-    RequestHeader unset X-Real-IP
-    RequestHeader set X-Forwarded-For "127.0.0.1"
-    # Modify response headers
-    Header unset Set-Cookie
+
     # Require SSO
     Include includes/freedombox-single-sign-on.conf
     <IfModule mod_auth_pubtkt.c>
@@ -24,6 +20,8 @@
     </IfModule>
 </Location>
 
+# Automatic configuration for clients like Thunderbird:
+# https://wiki.mozilla.org/Thunderbird:Autoconfiguration#Implementation
 <Location "/.well-known/autoconfig/mail/config-v1.1.xml">
     <IfModule mod_rewrite.c>
         RewriteEngine On