diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
index b3335745e47311c0dab474c832214f690f2e15d6..90a34dbc66de29ff10338ee34ce9ca4c4196bda5 100644
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -109,6 +109,21 @@
     - smtp
     - smtp-submission
     - smtps
-  when: postfix_smtpd_public and configure_firewall
+  when: postfix_smtpd_public and configure_firewall and inventory_hostname != "apollo.archlinux.org"
+  tags:
+    - firewall
+
+
+- name: open ipv4 firewall holes on apollo
+  ansible.posix.firewalld: permanent=true state=enabled immediate=yes
+    rich_rule="rule family=ipv4 source address={{ hostvars['mail.archlinux.org']['ipv4_address'] }} port protocol=tcp port=25 accept"
+  when: postfix_smtpd_public and configure_firewall and inventory_hostname == "apollo.archlinux.org"
+  tags:
+    - firewall
+
+- name: open ipv6 firewall holes on apollo
+  ansible.posix.firewalld: permanent=true state=enabled immediate=yes
+    rich_rule="rule family=ipv6 source address={{ hostvars['mail.archlinux.org']['ipv6_address'] }} port protocol=tcp port=25 accept"
+  when: postfix_smtpd_public and configure_firewall and inventory_hostname == "apollo.archlinux.org"
   tags:
     - firewall