diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index cecd43ede..60dbea2dd 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.3
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix-sasl
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index d94958ff7..b7aecbb3c 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -117,6 +117,13 @@
         <type>password</type>
         <help>The password to use for SMTP authentication.</help>
     </field>
+    <field>
+        <id>general.enforce_recipient_check</id>
+        <label>Enforce Recipient Relay Check</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>If you enable this, every entry in Recipients will be checked against. When there is no match mail will be rejected. Be aware that it does not matter if the action is "OK" or "REJECT". This setup allows you to run postfix in front of an internal system and already rejecting unsolicited mail at the border.</help>
+    </field>
     <field>
         <id>general.reject_unauth_pipelining</id>
         <label>Reject Unauthenticated Pipelining</label>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
index ada619c2a..1a8a36f30 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/postfix/general</mount>
     <description>Postfix configuration</description>
-    <version>1.2.0</version>
+    <version>1.2.1</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -85,6 +85,10 @@
             <default></default>
             <Required>N</Required>
         </smtpauth_password>
+        <enforce_recipient_check type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enforce_recipient_check>
         <reject_unauth_pipelining type="BooleanField">
             <default>1</default>
             <Required>Y</Required>
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 035a07009..03f83f8d4 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -112,6 +112,10 @@ milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
 milter_default_action = accept
 {% endif %}
 
+{% if helpers.exists('OPNsense.postfix.general.enforce_recipient_check') and OPNsense.postfix.general.enforce_recipient_check == '1' %}
+relay_recipient_maps = hash:/usr/local/etc/postfix/recipient_access
+{% endif %}
+
 {# Sender Restrictions #}
 {% set smtpd_recipient_restrictions=[] %}
 {% if helpers.exists('OPNsense.postfix.recipient.recipients.recipient') %}