diff --git a/data/web/edit.php b/data/web/edit.php
index 0e7460bc..4c60fadf 100644
--- a/data/web/edit.php
+++ b/data/web/edit.php
@@ -138,7 +138,7 @@ if (isset($_SESSION['mailcow_cc_role'])) {
 !empty($_GET["domain"])) {
 $domain = $_GET["domain"];
 $result = mailbox('get', 'domain_details', $domain);
- $rl = mailbox('get', 'domain_ratelimit', $domain);
+ $rl = mailbox('get', 'ratelimit', $domain);
 $rlyhosts = relayhost('get');
 if (!empty($result)) {
 ?>
@@ -251,7 +251,7 @@ if (isset($_SESSION['mailcow_cc_role'])) {
- +

@@ -314,7 +314,7 @@ if (isset($_SESSION['mailcow_cc_role'])) {
 !empty($_GET["aliasdomain"])) {
 $alias_domain = $_GET["aliasdomain"];
 $result = mailbox('get', 'alias_domain_details', $alias_domain);
- $rl = mailbox('get', 'domain_ratelimit', $alias_domain);
+ $rl = mailbox('get', 'ratelimit', $alias_domain);
 if (!empty($result)) {
 ?>

@@ -353,7 +353,7 @@ if (isset($_SESSION['mailcow_cc_role'])) {
- +

@@ -478,6 +479,23 @@ if (isset($_SESSION['mailcow_cc_role'])) { +
+
+
+ + +
+
+ +
+
+ +
+
sprintf($lang['success']['mailbox_modified'], implode(', ', $usernames))
 );
 break;
- case 'domain_ratelimit':
+ case 'ratelimit':
 $rl_value = intval($_data['rl_value']);
 $rl_frame = $_data['rl_frame'];
 if (!in_array($rl_frame, array('s', 'm', 'h'))) {
@@ -1199,24 +1199,38 @@ function mailbox($_action, $_type, $_data = null) {
 );
 return false;
 }
- if (!is_array($_data['domain'])) {
- $domains = array();
- $domains[] = $_data['domain'];
+ if (!is_array($_data['object'])) {
+ $objects = array();
+ $objects[] = $_data['object'];
 }
 else {
- $domains = $_data['domain'];
+ $objects = $_data['object'];
 }
- foreach ($domains as $domain) {
- if (!is_valid_domain_name($domain) || !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
- $_SESSION['return'] = array(
- 'type' => 'danger',
- 'msg' => sprintf($lang['danger']['access_denied'])
- );
+ foreach ($objects as $object) {
+ if (is_valid_domain_name($object)) {
+ if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)) {
+ $_SESSION['return'] = array(
+ 'type' => 'danger',
+ 'msg' => sprintf($lang['danger']['access_denied'])
+ );
+ return false;
+ }
+ }
+ elseif (filter_var($object, FILTER_VALIDATE_EMAIL)) {
+ if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)) {
+ $_SESSION['return'] = array(
+ 'type' => 'danger',
+ 'msg' => sprintf($lang['danger']['access_denied'])
+ );
+ return false;
+ }
+ }
+ else {
 return false;
 }
 if (empty($rl_value)) {
 try {
- $redis->hDel('RL_VALUE', $domain);
+ $redis->hDel('RL_VALUE', $object);
 }
 catch (RedisException $e) {
 $_SESSION['return'] = array(
@@ -1228,7 +1242,7 @@ function mailbox($_action, $_type, $_data = null) {
 }
 else {
 try {
- $redis->hSet('RL_VALUE', $domain, $rl_value . ' / 1' . $rl_frame);
+ $redis->hSet('RL_VALUE', $object, $rl_value . ' / 1' . $rl_frame);
 }
 catch (RedisException $e) {
 $_SESSION['return'] = array(
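Review bot: The new mailbox branch of the `ratelimit` edit case (hunk `-1199,24`) authorises only through `hasMailboxObjectAccess()`, whose body is not part of this diff; if that helper grants a mailbox user access to their own address, a user could raise or delete the limit that throttles their own account. A rate limit is an abuse control, so I would gate the whole case on role before the loop, with `if (!in_array($_SESSION['mailcow_cc_role'], array('admin', 'domainadmin'), true))` followed by the same `access_denied` return the two branches already use. The final `else { return false; }` exits without setting `$_SESSION['return']`, so the caller has nothing to report for a malformed object. Each object is also written to Redis inside the loop, so a rejected later object leaves the earlier ones already changed. The enclosing `mailbox()` function starts and ends outside this hunk.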
@@ -1241,7 +1255,7 @@ function mailbox($_action, $_type, $_data = null) {
 }
 $_SESSION['return'] = array(
 'type' => 'success',
- 'msg' => sprintf($lang['success']['domain_modified'], implode(', ', $domains))
+ 'msg' => sprintf($lang['success']['domain_modified'], implode(', ', $objects))
 );
 break;
 case 'syncjob':
@@ -2385,9 +2399,26 @@ function mailbox($_action, $_type, $_data = null) {
 }
 return $aliases;
 break;
- case 'domain_ratelimit':
- $aliases = array();
- if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+ case 'ratelimit':
+ if (is_valid_domain_name($_data)) {
+ if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+ $_SESSION['return'] = array(
+ 'type' => 'danger',
+ 'msg' => sprintf($lang['danger']['access_denied'])
+ );
+ return false;
+ }
+ }
+ elseif (filter_var($_data, FILTER_VALIDATE_EMAIL)) {
+ if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+ $_SESSION['return'] = array(
+ 'type' => 'danger',
+ 'msg' => sprintf($lang['danger']['access_denied'])
+ );
+ return false;
+ }
+ }
+ else {
 return false;
 }
 try {
diff --git a/data/web/json_api.php b/data/web/json_api.php
index b7acb724..ec7899c7 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
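Review bot: `$_data` reaches the new `ratelimit` get case (hunk `-2385,9`) without a type check, although edit.php passes `$_GET["domain"]` and `$_GET["aliasdomain"]` straight through and both can arrive as arrays. `filter_var()` returns false for a non-scalar, but what `is_valid_domain_name()` does with one is not visible in this diff, so I would add `if (!is_string($_data)) { return false; }` as the first statement of the case. The domain/e-mail dispatch that follows is a copy of the one added to the edit case; a small shared helper would keep the two authorisation paths from drifting apart. The case body continues past the end of the hunk.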
@@ -2133,13 +2133,13 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
 ));
 }
 break;
- case "domain-ratelimit":
+ case "ratelimit":
 if (isset($_POST['items']) && isset($_POST['attr'])) {
 $items = (array)json_decode($_POST['items'], true);
 $attr = (array)json_decode($_POST['attr'], true);
- $postarray = array_merge(array('domain' => $items), $attr);
- if (is_array($postarray['domain'])) {
- if (mailbox('edit', 'domain_ratelimit', $postarray) === false) {
+ $postarray = array_merge(array('object' => $items), $attr);
+ if (is_array($postarray['object'])) {
+ if (mailbox('edit', 'ratelimit', $postarray) === false) {
 if (isset($_SESSION['return'])) {
 echo json_encode($_SESSION['return']);
 }
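Review bot: In the `ratelimit` API case, `array_merge(array('object' => $items), $attr)` lets an `object` key inside the client-supplied `attr` JSON replace the value taken from `items`, because later arguments win in `array_merge()`. `mailbox()` still authorises whatever ends up in `object`, so this is an ambiguity rather than a bypass, but `$postarray = array_merge($attr, array('object' => $items));` makes `items` authoritative. A failed `json_decode()` also becomes an empty array after the `(array)` cast, which passes `is_array()` and gives `mailbox()` nothing to iterate; rejecting an empty `$items` up front avoids what looks like a success response for a no-op. Renaming the action from `domain-ratelimit` to `ratelimit` breaks existing API callers unless the old name is kept as an alias. The `if` blocks opened here close outside the hunk.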