diff --git a/defaults/main.yml b/defaults/main.yml
index 1094c42..59da1f8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -11,6 +11,7 @@ mail_db_users_username_field: 'email'
 mail_db_users_alias_field: 'alias'
 mail_db_users_quota_field: 'quota'
 dns_resolver: 1.1.1.1
+postfix_blacklist: []
 mail_domains:
 - example.org
 - example.net
@@ -62,7 +63,7 @@ postfix_config:
 smtpd_data_restrictions: reject_unauth_pipelining
 # Don't talk to mail systems that don't know their own hostname.
 smtpd_helo_restrictions: permit_mynetworks reject_unknown_helo_hostname
- smtpd_recipient_restrictions: permit_mynetworks, permit_sasl_authenticated, permit_auth_destination, reject_unauth_destination, check_policy_service unix:private/policy-spf
+ smtpd_recipient_restrictions: permit_mynetworks, permit_sasl_authenticated, permit_auth_destination, reject_unauth_destination, check_policy_service unix:private/policy-spf, check_client_access cidr:/etc/postfix/blacklist
 smtpd_relay_restrictions: permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 smtpd_sasl_auth_enable: 'yes'
 smtpd_sasl_authenticated_header: 'yes'
diff --git a/tasks/configure.yml b/tasks/configure.yml
index 93d166b..c61f208 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -251,3 +251,15 @@
 name: postfix
 enabled: true
 state: started
+
+- name: Ensure blacklist is present
+ file_line:
+ path: /etc/postfix/blacklist
+ line: "{{ item }} REJECT Blacklisted"
+ match: "^{{ item }} "
+ backup: true
+ create: true
+ loop: "{{ postfix_blacklist }}"
+
+- name: Postmap blacklist
+ shell: /usr/sbin/postmap /etc/postfix/blacklist
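Review bot: The new `check_client_access cidr:/etc/postfix/blacklist` in `smtpd_recipient_restrictions` sits after `permit_auth_destination`, so for mail addressed to any domain this server accepts the permit matches first and the blacklist is never consulted; only relay attempts, which `reject_unauth_destination` already refuses, would get that far. Place the check before the permit it must override, e.g. `smtpd_recipient_restrictions: permit_mynetworks, permit_sasl_authenticated, check_client_access cidr:/etc/postfix/blacklist, permit_auth_destination, reject_unauth_destination, check_policy_service unix:private/policy-spf`. The `cidr:` table type is read by Postfix directly from the text file and is not an indexed map, while tasks/configure.yml runs `postmap` on the same path, which would build a `.db` that nothing references; keep `cidr:` and drop the postmap step, or switch to `hash:` and keep it. With the default `postfix_blacklist: []` the file is never created by the loop in tasks/configure.yml, so Postfix would be pointed at a missing table; an empty file should be written unconditionally.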
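Review bot: The `Ensure blacklist is present` task uses `file_line` with `match:`, which is not a core Ansible module (the stock one is `lineinfile` with `regexp:`), so unless this role ships a custom module of that name the play fails before reaching Postfix; note also that `{{ item }}` is used unescaped in a regex, so `.` in an address matches any character. With the default `postfix_blacklist: []` the loop runs zero times and `/etc/postfix/blacklist` is never created, yet the unconditional `shell: /usr/sbin/postmap` still runs and fails on the missing file, so the role does not converge with its own defaults. Entries removed from `postfix_blacklist` are also never removed from the file, and the `shell` step reports changed on every run. Rendering the whole file from the list and running postmap only when that file changed (only needed if the map stays `hash:`, not `cidr:`) addresses all three:

```yaml
- name: Render Postfix client blacklist
  copy:
    dest: /etc/postfix/blacklist
    # one "<entry> REJECT Blacklisted" line per list item; empty list gives an empty file
    content: "{{ postfix_blacklist | map('regex_replace', '$', ' REJECT Blacklisted') | join('\n') }}\n"
    owner: root
    group: root
    mode: "0644"
  register: postfix_blacklist_file

- name: Postmap blacklist
  command: /usr/sbin/postmap /etc/postfix/blacklist
  when: postfix_blacklist_file is changed
```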