@jwildeboer reject_unauth_pipelining was already set in my config, must've been shipped that way in debian. Didn't see the other setting anywhere yet.