diff --git a/manifests/init.pp b/manifests/init.pp
index 0f2ae34..76ae6ab 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,125 +1,139 @@ # == Class: postfix # # Manage postfix configuration with Debian preseeding # # === Parameters # # [*relayhost*] # Set the relayhost for the machine # # [*root_address*] # Set the forward address for mail sent to root. # Default: '' (keeping the current root alias) # # [*mailname*] # The default domain for outgoing mail # Default: $::fqdn # # [*destinations*] # Array of domains for whose the mail is locally delivered # Default: [$::fqdn] # # [*mynetworks*] # Array of networks from which to accept mail # Default: ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128'] (only accept local mail) # # [*relay_destinations*] # Hash of destinations for relayed mail # Default: {} (no relayed mail) # Example: { # 'forge.softwareheritage.org' => 'smtp:[tate.internal.softwareheritage.org]' # } # # [*virtual_aliases*] # Hash of virtual aliases # Default: {} (no virtual aliases) # Example: { # '@forge.softwareheritage.org' => 'forge-virtual-user' # } # === Examples # # class { 'postfix': # relayhost => '[smtp.example.com]', # } # # === Authors # # Nicolas Dandrimont # # === Copyright # # Copyright 2015 Nicolas Dandrimont # class postfix ( $relayhost = undef, $root_address = '', $mailname = $::fqdn, $mydestination = [$::fqdn], $mynetworks = ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128'], $relay_destinations = {}, $virtual_aliases = {}, ){ validate_string($relayhost) validate_string($root_address) validate_string($mailname) assert_type(Array[String], $mydestination) assert_type(Array[String], $mynetworks) assert_type(Hash[String, String], $relay_destinations) assert_type(Hash[String, String], $virtual_aliases) package {'postfix': ensure => present, } service {'postfix': ensure => running, enable => true, require => [ File['/etc/postfix/main.cf'], File['/etc/postfix/master.cf'], File['/etc/postfix/transport'], File['/etc/postfix/virtual'], ], } file {'/etc/postfix/main.cf': ensure => present, content => template('postfix/main.cf.erb'), notify => 
Service['postfix'], require => Package['postfix'], } file {'/etc/postfix/master.cf': ensure => present, content => template('postfix/master.cf.erb'), notify => Service['postfix'], require => Package['postfix'], } file {'/etc/postfix/transport': ensure => present, content => template('postfix/transport.erb'), notify => Exec['update transport'], require => Package['postfix'], } file {'/etc/postfix/virtual': ensure => present, content => template('postfix/virtual.erb'), notify => Exec['update virtual'], require => Package['postfix'], } exec {'update transport': path => ['/usr/bin', '/usr/sbin'], command => 'postmap /etc/postfix/transport', refreshonly => true, } exec {'update virtual': path => ['/usr/bin', '/usr/sbin'], command => 'postmap /etc/postfix/virtual', refreshonly => true, } + + file {'/etc/postfix/client_checks': + ensure => present, + content => template('postfix/client_checks.erb'), + notify => Exec['update client_checks'], + require => Package['postfix'], + } + + exec {'update client_checks': + path => ['/usr/bin', '/usr/sbin'], + command => 'postmap /etc/postfix/client_checks', + refreshonly => true, + } + } diff --git a/templates/client_checks.erb b/templates/client_checks.erb new file mode 100644 index 0000000..49211ea --- /dev/null +++ b/templates/client_checks.erb @@ -0,0 +1,2 @@ +# Postfix client_checks +# This file managed by puppet, manual changes will be erased diff --git a/templates/main.cf.erb b/templates/main.cf.erb index 5b6c23d..9654131 100644 --- a/templates/main.cf.erb +++ b/templates/main.cf.erb 
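Review bot: The new `exec {'update client_checks'}` runs `postmap` on a table that main.cf (the templates/main.cf.erb hunk of this same commit) opens as `cidr:/etc/postfix/client_checks`; if I read cidr_table(5) correctly a cidr table is a plain text file that Postfix reads directly, so the generated `client_checks.db` is never consulted and an edit to the table only reaches newly spawned smtpd processes, never the running ones. Replacing `notify => Exec['update client_checks'],` with `notify => Service['postfix'],` on the file resource and dropping the exec gives the intended behaviour. `Service['postfix']` also still lists only the four original files in its `require` array; `File['/etc/postfix/client_checks']` belongs there too, so smtpd is never started against a main.cf that names a table which does not exist yet. Finally the class gains no parameter for the table contents — `client_checks.erb` holds only the two comment lines — so the restriction is a no-op until a `$client_checks` hash (checked with `assert_type(Hash[String, String], $client_checks)` like the other hashes at the top of this hunk) is threaded into the template.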
@@ -1,42 +1,44 @@ # Postfix main configuration file # # Managed by puppet - module swh-puppet # # Changes will be overwritten! smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = no # TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +smtpd_recipient_restrictions = check_client_access cidr:/etc/postfix/client_checks + myhostname = <%= @mailname %> alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = <%= @mailname %> mydestination = <%= @mydestination.join(", ") %> relayhost = <%= @relayhost %> mynetworks = <%= @mynetworks.join(" ") %> mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all relay_domains = <%= @relay_destinations.keys.join(", ") %> transport_maps = hash:/etc/postfix/transport virtual_alias_domains = <%= @virtual_aliases.keys.map { |a| a.split('@').at(-1) }.uniq.join(", ") %> virtual_alias_maps = hash:/etc/postfix/virtual
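Review bot: The new `smtpd_recipient_restrictions` line deserves a comment on what the client_checks table can and cannot do, because a reader will otherwise take it for the relay policy: as I read SMTPD_ACCESS_README the `smtpd_relay_restrictions` line just above it is evaluated first, so an `OK` entry in client_checks cannot grant relaying, whereas a `REJECT` entry applies to `$mynetworks` clients as well, since `permit_mynetworks` only ends the relay list. Suggested comment above the line: `# Client allow/deny list; evaluated after smtpd_relay_restrictions, so OK here never permits relaying and REJECT here also hits mynetworks clients`. If local submission must never be blocked by an entry in the table, prepend `permit_mynetworks` to the list. The table is currently empty (templates/client_checks.erb carries only its header), so the setting is inert until init.pp exposes a parameter that fills it.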