diff --git a/roles/mail/defaults/main.yml b/roles/mail/defaults/main.yml
index 1f526afd1eca98a2c2b630bb1b196c2f53ca893b..b9c2b496e952e66e892573df0ce96758e20420ba 100644
--- a/roles/mail/defaults/main.yml
+++ b/roles/mail/defaults/main.yml
@@ -54,6 +54,9 @@ mail_blacklist_senders: []
 # Recipients that will be blacklisted
 mail_blacklist_recipients: []
 
+# HELO hosts to be blocked
+mail_blacklist_helo: []
+
 # Clean up TxRep entries older than this
 txrep_cleanup_days: 30
 
diff --git a/roles/mail/templates/postfix-in/access-helo b/roles/mail/templates/postfix-in/access-helo
index 4487e9c89bc51867cfe82ada145b3cc19b8de185..84fcf9cb5857a196c1b2b88b102f09013f3dd4c5 100644
--- a/roles/mail/templates/postfix-in/access-helo
+++ b/roles/mail/templates/postfix-in/access-helo
@@ -1,2 +1,5 @@
 # Cutwail botnet
 ylmf-pc REJECT
+{% for helo in mail_blacklist_helo %}
+{{ helo }} REJECT
+{% endfor %}