diff --git a/templates/postfix/main.cf.j2 b/templates/postfix/main.cf.j2
index b3bac26..15c3f32 100644
--- a/templates/postfix/main.cf.j2
+++ b/templates/postfix/main.cf.j2
@@ -165,13 +165,22 @@ delay_warning_time=3h
 maximal_queue_lifetime=2d
 bounce_queue_lifetime=1d
 
+# submission sender restrictions
+smtpd_sender_restrictions = reject_sender_login_mismatch,
+    permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
+    reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
+    reject_unauth_pipelining,
+    reject
+
 {% if mailserver_behind_proxy %}
 # We're behind a forwaring proxy that does antispam. Mails therefore do not get delivered to us
 # from their original sender, therefore, we can't do DNS checks!
 # smtpd sender restrictions
-smtpd_sender_restrictions = reject_sender_login_mismatch,
-    permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
+smtpd_sender_restrictions_25 = permit_mynetworks,
+{% if mailserver_config_method == "ldap" %}    check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,
+{% endif %}
+    reject_unauth_destination,
     reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
     reject_unauth_pipelining, check_client_access hash:/etc/postfix/allowed_proxies,
     reject
 
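Review bot: In the `{% if mailserver_behind_proxy %}` branch, `smtpd_sender_restrictions_25` keeps the unchanged tail `reject_unauth_pipelining, check_client_access hash:/etc/postfix/allowed_proxies, reject`, while the port-25 list it replaces in master.cf ended with `reject_unauth_pipelining,permit`; on port 25 behind the proxy, a client that is in neither mynetworks nor allowed_proxies is now rejected at the sender check instead of accepted. That is a tighter and sensible policy, but nothing in the hunk records that it is intentional, and the comment above the parameter still reads only `# smtpd sender restrictions`. Add a line directly above `smtpd_sender_restrictions_25 = permit_mynetworks,`, e.g. `# port 25 (proxy mode): only mynetworks and the proxies in allowed_proxies may deliver to us directly; everyone else is rejected here`, so the next maintainer does not "fix" the tail back to `permit`. The `{% else %}` variant in the next hunk still ends with `permit`, which does match its old master.cf list.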
@@ -179,14 +188,19 @@ smtpd_sender_restrictions = reject_sender_login_mismatch,
 # smtp destination restrictions
 # Either you're authenticated OR you are from 127.0.0.1 OR you satisfy a boatload of constraints
 # Also note that the same thing ist in master.cf without sasl restrictions
+smtpd_recipient_restrictions_25 = permit_mynetworks, reject_unknown_recipient_domain, reject_unauth_pipelining,
+    reject_unauth_destination, reject_multi_recipient_bounce, permit
+
 smtpd_recipient_restrictions = reject_sender_login_mismatch,
     permit_sasl_authenticated, permit_mynetworks, reject_unknown_recipient_domain, reject_unauth_pipelining,
     reject_unauth_destination, reject_multi_recipient_bounce, check_client_access hash:/etc/postfix/allowed_proxies,
     reject
 {% else %}
 # smtpd sender restrictions
-smtpd_sender_restrictions = reject_sender_login_mismatch,
-    permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
+smtpd_sender_restrictions_25 = permit_mynetworks,
+{% if mailserver_config_method == "ldap" %}    check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,
+{% endif %}
+    reject_unauth_destination,
     reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
     reject_unauth_pipelining, permit
 
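Review bot: The proxy-branch `smtpd_recipient_restrictions_25` ends with `reject_multi_recipient_bounce, permit` and carries no `check_client_access hash:/etc/postfix/allowed_proxies`, so on port 25 the proxy allowlist is enforced only through `smtpd_sender_restrictions_25`; a reject there does block the message, but the inbound policy now hinges on a single list. The sibling `smtpd_recipient_restrictions` directly below already shows the pattern, and mirroring it, `reject_unauth_destination, reject_multi_recipient_bounce, check_client_access hash:/etc/postfix/allowed_proxies, reject`, keeps the two port-25 lists in step and gives the proxy check a second anchor. The value is copied from the deleted master.cf line, so this is an inherited gap rather than one the hunk introduces, and the comment `# Also note that the same thing ist in master.cf without sasl restrictions` above it is now stale, since master.cf only references `$smtpd_recipient_restrictions_25`.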
@@ -194,6 +208,11 @@ smtpd_sender_restrictions = reject_sender_login_mismatch,
 # Either you're authenticated OR you are from 127.0.0.1 OR you satisfy a boatload of constraints
 # We need to find out in prod if this is too restrictive
 # Also note that the same thing ist in master.cf without sasl restrictions
+smtpd_recipient_restrictions_25 = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname,
+    reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain,
+    reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination,
+    reject_multi_recipient_bounce, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
+
 smtpd_recipient_restrictions = reject_sender_login_mismatch,
 {% if mailserver_config_method == "ldap" %}    check_sender_access ldap:/etc/postfix/ldap-external-send.cf,
 {% endif %}
diff --git a/templates/postfix/master.cf.j2 b/templates/postfix/master.cf.j2
index 634b8b4..4ddb72c 100644
--- a/templates/postfix/master.cf.j2
+++ b/templates/postfix/master.cf.j2
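Review bot: The non-proxy `smtpd_recipient_restrictions_25` lists both `reject_invalid_hostname` and `reject_invalid_helo_hostname`, and both `reject_non_fqdn_hostname` and `reject_non_fqdn_helo_hostname`; the first of each pair is the legacy backwards-compatibility name for the second, so each HELO check is evaluated twice and the list reads as if it did more than it does. The value is copied from the deleted master.cf line, so this is inherited, but moving it into main.cf is the natural moment to drop the aliases: `smtpd_recipient_restrictions_25 = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,` / `    reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain,` / `    reject_unauth_pipelining, reject_unauth_destination, reject_multi_recipient_bounce, permit`. Keeping the HELO checks in second and third position leaves the evaluation order of the remaining restrictions unchanged. The `smtpd_recipient_restrictions` value that starts at the end of this hunk continues past it.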
@@ -15,13 +15,8 @@
 # We list
 smtp inet n - y - - smtpd
   -o smtpd_sasl_auth_enable=no
-{% if not mailserver_behind_proxy %}
-  -o smtpd_recipient_restrictions=permit_mynetworks,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_recipient,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination,reject_multi_recipient_bounce,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,permit
-  -o smtpd_sender_restrictions=permit_mynetworks,{% if mailserver_config_method == "ldap" %}check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,{% endif %}reject_unauth_destination,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,permit
-{% else %}
-  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination,reject_multi_recipient_bounce,permit
-  -o smtpd_sender_restrictions=permit_mynetworks,{% if mailserver_config_method == "ldap" %}check_recipient_access ldap:/etc/postfix/ldap-external-receive.cf,{% endif %}reject_unauth_destination,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,permit
-{% endif %}
+  -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_25
+  -o smtpd_sender_restrictions=$smtpd_sender_restrictions_25
   -o header_checks=
 {% if ansible_local['mailserver_have_antispam']|default(False) %}
   -o smtpd_proxy_filter=127.0.0.1:10026
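Review bot: The port-25 entry now depends on main.cf.j2 defining `smtpd_recipient_restrictions_25` and `smtpd_sender_restrictions_25` in every `mailserver_behind_proxy` branch, and nothing in master.cf says so; if a later edit of the main.cf template drops one of them, Postfix (as far as I recall its `$name` handling) expands the undefined parameter to an empty value with only a warning, and the inbound policy on port 25 is silently weakened rather than failing loudly. Record the coupling above the `smtp inet` entry, e.g. `# Port-25 restrictions are defined in main.cf as smtpd_*_restrictions_25 (presumably because a bare -o value cannot contain whitespace); both parameters must be set in every branch of main.cf.j2`. If the role has a verification step, running `postconf -x` or `postfix check` there after templating would surface a missing definition before the service is reloaded.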