diff --git a/postfix.nix b/postfix.nix
index c9654b1..e7a1f5c 100644
--- a/postfix.nix
+++ b/postfix.nix
@@ -1,6 +1,12 @@
 { pkgs, config, ... }: {
+ networking.firewall.extraCommands = let user = config.services.postfix.user;
+ in ''
+ iptables -I OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited
+ ip6tables -I OUTPUT -m owner ! --uid-owner ${user} -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited
+ '';
+
 services.postfix = { enable = true; enableSubmission = true;
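Review bot: The two `-I OUTPUT` rules in `extraCommands` go straight into the built-in OUTPUT chain with no matching removal, so as far as I can tell every firewall reload or restart inserts another copy, and the rules stay loaded after this configuration is rolled back. Either delete before inserting (the same rule with `-D OUTPUT ... 2>/dev/null || true` ahead of each `-I`) or add the `-D` forms to `networking.firewall.extraStopCommands`. The rules also carry no interface match, so a local service that speaks SMTP to 127.0.0.1:25 as any uid other than `${user}` is rejected too; if only off-host delivery is meant to be restricted, add `! -o lo` to both rules. A one-line comment above the block, such as `# Egress filter: only the postfix user may open outbound SMTP (tcp/25) connections`, would record the intent for whoever next edits the firewall.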