diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf
index 44c5750..c0bbb90 100644
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@@ -6,7 +6,7 @@ compatibility_level = 2
 myhostname = ${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}
 myorigin = /etc/mailname
 mydestination = $myhostname, localhost
-mynetworks = ${' '.join(sorted(node.metadata.get('postfix/mynetworks')))}
+mynetworks = 127.0.0.0/8 [::1]/128 [::ffff:127.0.0.0]/104 ${' '.join(sorted(node.metadata.get('postfix/mynetworks', set())))}
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_protocols = all
diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py
index 19fd1a7..be2bd24 100644
--- a/bundles/postfix/metadata.py
+++ b/bundles/postfix/metadata.py
@@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
 'apt': {
 'packages': {
@@ -16,13 +18,6 @@ defaults = {
 },
 },
 },
- 'postfix': {
- 'mynetworks': {
- '127.0.0.0/8',
- '[::ffff:127.0.0.0]/104',
- '[::1]/128',
- },
- },
 }
 
 if node.has_bundle('postfixadmin'):
@@ -72,3 +67,27 @@ def letsencrypt(metadata):
 return {
 'letsencrypt': result,
 }
+
+
+@metadata_reactor.provides(
+ 'iptables/port_rules/25',
+ 'iptables/port_rules/587',
+)
+def iptables(metadata):
+ if node.has_bundle('postfixadmin'):
+ default = set('*')
+ else:
+ default = metadata.get('postfix/mynetworks', set())
+
+ rules = {
+ '25': atomic(metadata.get('postfix/restrict-to', default)),
+ }
+
+ if node.has_bundle('postfixadmin'):
+ rules['587'] = atomic(metadata.get('postfix/restrict-to', default))
+
+ return {
+ 'iptables': {
+ 'port_rules': rules,
+ },
+ }
diff --git a/nodes/home/router.py b/nodes/home/router.py
index 7d2fd03..f8cad90 100644
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
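Review bot: The new `mynetworks` line hardcodes the three loopback ranges but says nothing about what `postfix/mynetworks` contributes, and with the matching entries removed from `defaults` in metadata.py the two halves of that list now live in different files. Under Postfix's default `smtpd_relay_restrictions` every network listed in `mynetworks` is permitted to relay, so an address added to `postfix/mynetworks` on a node is a relay grant rather than a harmless address-book entry. A one-line comment above the setting would make that visible to whoever next edits node metadata: `# loopback is always trusted; postfix/mynetworks adds further relay-trusted client networks`. With an empty metadata set the rendered value ends in a trailing space, which Postfix tolerates but which is worth knowing when diffing generated files.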
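Review bot: `default = set('*')` in the new `iptables` reactor only yields `{'*'}` because the string happens to be a single character; `set()` over a string splits it into characters, so a later edit such as `set('0.0.0.0/0')` would silently become a set of single characters. Write the literal `default = {'*'}` instead. The `node.has_bundle('postfixadmin')` test and the `metadata.get('postfix/restrict-to', default)` lookup are each evaluated twice; binding both once before building `rules` keeps the 25 and 587 entries from drifting apart. A short comment on the reactor should also state that on a postfixadmin node with no `postfix/restrict-to` both ports fall back to `'*'`, which presumably means reachable from any source in the iptables bundle, while other nodes fall back to `postfix/mynetworks`, which after this commit no longer includes the loopback ranges removed from `defaults` above — fine if the iptables bundle accepts loopback unconditionally, but worth confirming.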
@@ -91,9 +91,6 @@ nodes['home.router'] = { 'iptables -t nat -A PREROUTING -p tcp --dport 2022 -j DNAT --to 172.19.138.20:22', 'iptables -A FORWARD -p tcp -d 172.19.138.20 --dport 22 -j ACCEPT', - # Allow mail from internal network - 'iptables_both -A INPUT -s 172.19.138.0/24 -p tcp --dport 25 -j ACCEPT', - # use MASQUERADE for tun0 (c3voc) 'iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE',