diff --git a/templates/mosquitto.conf.erb b/templates/mosquitto.conf.erb
index 92a5952..4913510 100644
--- a/templates/mosquitto.conf.erb
+++ b/templates/mosquitto.conf.erb
@@ -537,11 +537,19 @@ log_timestamp true
 #clientid_prefixes
 
 # Boolean value that determines whether clients that connect
-# without providing a username are allowed to connect. If set to
-# false then a password file should be created (see the
-# password_file option) to control authenticated client access.
-# Defaults to true.
-#allow_anonymous true
+# without providing a username are allowed to connect.
+# If set to false then another means of connection should be created to
+# control authenticated client access.
+#
+#Defaults to true if no other security options are set. If password_file or
+#psk_file is set, or if an authentication plugin is loaded which implements
+#username/password or TLS-PSK checks, then allow_anonymous defaults to false.
+#
+#If per_listener_settings is true, this option applies to the current listener
+#being configured only. If per_listener_settings is false, this option applies
+#to all listeners.
+#
+allow_anonymous true
 
 # In addition to the clientid_prefixes, allow_anonymous and TLS
 # authentication options, username based authentication is also