diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf
index b405ed0..d273f2b 100644
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@@ -23,9 +23,8 @@ inet_protocols = all
 virtual_mailbox_domains = pgsql:/etc/postfix/virtual_mailbox_domains.cf
 virtual_mailbox_maps = pgsql:/etc/postfix/virtual_mailbox_maps.cf
-virtual_alias_maps = pgsql:/etc/postfix/virtual_alias_maps.cf
 virtual_alias_maps = pgsql:/etc/postfix/virtual_alias_maps.cf,pgsql:/etc/postfix/virtual_mailbox_maps.cf
-smtpd_sender_login_maps = pgsql:/etc/postfix/email2email.cf
+smtpd_sender_login_maps = pgsql:/etc/postfix/virtual_alias_maps.cf
 virtual_transport = lmtp:unix:private/dovecot-lmtp
 smtpd_sasl_type = dovecot
@@ -37,3 +36,8 @@ smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /var/lib/dehydrated/certs/${node.metadata.get('mailserver/hostname')}/fullchain.pem
 smtpd_tls_key_file = /var/lib/dehydrated/certs/${node.metadata.get('mailserver/hostname')}/privkey.pem
 smtp_tls_security_level = may
+
+smtpd_restriction_classes = mua_sender_restrictions, mua_client_restrictions, mua_helo_restrictions
+mua_client_restrictions = permit_sasl_authenticated, reject
+mua_sender_restrictions = permit_sasl_authenticated, reject
+mua_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py
index 48105e5..723bb37 100644
--- a/bundles/postfix/items.py
+++ b/bundles/postfix/items.py
@@ -40,6 +40,13 @@ svc_systemd['postfix'] = {
 ],
 }
+actions['test_postfix_config'] = {
+ 'command': 'false',
+ 'unless': "postconf check | grep -v 'symlink leaves directory' | wc -l | grep -q '^0$'",
+ 'needs': [
+ 'svc_systemd:postfix',
+ ],
+}
 actions['test_virtual_mailbox_domains'] = {
 'command': 'false',
 'unless': "postmap -q example.com pgsql:/etc/postfix/virtual_mailbox_domains.cf | grep -q '^example.com$'",
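Review bot: `smtpd_sender_login_maps` now reuses the virtual alias query, so the value Postfix compares against the SASL login name is an alias's delivery destination rather than a dedicated owner list. Every destination of an alias therefore becomes an allowed sender for it, including all recipients of a multi-recipient or catch-all alias if the table holds any. A mailbox address with no row in the alias table has no owner at all, which `reject_sender_login_mismatch` treats as a mismatch for logged-in clients. The query files and the Dovecot login format are outside this diff, so this needs confirming against them. If the reuse is intended, a comment such as `# sender ownership follows alias destinations; SASL login must equal the destination address` would record the assumption.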
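Review bot: `mua_sender_restrictions = permit_sasl_authenticated, reject` accepts any MAIL FROM address from an authenticated client, so this list never consults the `smtpd_sender_login_maps` table changed in the first hunk. Unless a login-mismatch check is configured somewhere outside this diff, an authenticated account can submit mail under another user's address. `mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject` would enforce ownership. The master.cf entries that would reference these `mua_*` names are not part of the diff, so it is worth confirming that the submission service actually passes them with `-o`.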
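Review bot: The `unless` pipeline in the added `actions['test_postfix_config']` counts only stdout, while Postfix's configuration warnings (including the filtered `symlink leaves directory` one) are, as far as I can tell, written to stderr. `wc -l` would then see zero lines, and the test would pass whatever the configuration looks like. That message comes from `postfix check`, whereas `postconf check` looks up a parameter named `check`, so the command itself looks like a typo. Something like `'unless': "postfix check 2>&1 | grep -v 'symlink leaves directory' | wc -l | grep -q '^0$'",` would make the check effective. Because the action `needs` `svc_systemd:postfix`, it runs only after the service item has been applied, so it reports a bad configuration rather than preventing one.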