diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 32996095..2c9f71f3 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -40,9 +40,6 @@ smtp_sasl_tls_security_options = noanonymous
 # Recipient delimiter for extended addresses
 recipient_delimiter = {{ RECIPIENT_DELIMITER }}
 
-# We need to allow everything to do xclient and rely on front to filter-out "bad" requests
-smtpd_authorized_xclient_hosts=0.0.0.0/0 [::0]/0
-
 ###############
 # TLS
 ###############
diff --git a/core/postfix/conf/master.cf b/core/postfix/conf/master.cf
index 86659460..21d42b1b 100644
--- a/core/postfix/conf/master.cf
+++ b/core/postfix/conf/master.cf
@@ -11,6 +11,7 @@ smtp      inet  n       -       n       -       1       smtpd
   -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
   -o smtpd_reject_unlisted_recipient={% if REJECT_UNLISTED_RECIPIENT %}{{ REJECT_UNLISTED_RECIPIENT }}{% else %}no{% endif %}
   -o cleanup_service_name=outclean
+  -o smtpd_authorized_xclient_hosts={{ SUBNET}},{{ SUBNET6 }}
 outclean  unix n       -       n       -       0       cleanup
   -o header_checks=pcre:/etc/postfix/outclean_header_filter.cf
   -o nested_header_checks=