diff --git a/hosts/mail/modules/dovecot.nix b/hosts/mail/modules/dovecot.nix
index 3c23a36..91939cf 100644
--- a/hosts/mail/modules/dovecot.nix
+++ b/hosts/mail/modules/dovecot.nix
@@ -14,7 +14,7 @@ let
 auth_bind = no
 ldap_version = 3
 base = ou=users,dc=%Dd
- user_filter = (&(objectClass=mailAccount)(mail=%u))
+ user_filter = (&(objectClass=mailAccount)(mail=%u)(!(mailSendOnly=TRUE)))
 user_attrs = \
 quota=quota_rule=*:bytes=%$, \
 =home=/var/vmail/%d/%n/, \
diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix
index 26bf1c5..bb76d7a 100644
--- a/hosts/mail/modules/openldap.nix
+++ b/hosts/mail/modules/openldap.nix
@@ -376,6 +376,12 @@ in
 SUBSTR caseIgnoreIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})
 ''
+ ''
+ (1.3.6.1.4.1.12461.1.1.9 NAME 'mailSendOnly'
+ DESC 'If TRUE, account can only send mail, not receive'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
+ ''
 ];
 olcObjectClasses = [
 ''
@@ -383,14 +389,14 @@ in
 SUP top AUXILIARY
 DESC 'Mail account objects'
 MUST ( mail $ userPassword )
- MAY ( cn $ description $ quota))
+ MAY ( cn $ description $ quota $ mailSendOnly))
 ''
 ''
 (1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
 SUP top STRUCTURAL
 DESC 'Mail aliasing/forwarding entry'
 MUST ( mail $ maildrop )
- MAY ( cn $ description ))
+ MAY ( cn $ description $ mailSendOnly ))
 ''
 ''
 (1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
diff --git a/hosts/mail/modules/postfix.nix b/hosts/mail/modules/postfix.nix
index 1b53a7b..30ee17c 100644
--- a/hosts/mail/modules/postfix.nix
+++ b/hosts/mail/modules/postfix.nix
@@ -31,7 +31,7 @@ let
 bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
 bind_pw = @ldap-password@
 scope = sub
- query_filter = (&(uid=%u)(objectClass=mailAccount))
+ query_filter = (&(uid=%u)(objectClass=mailAccount)(!(mailSendOnly=TRUE)))
 result_attribute = mail
 debuglevel = 0
 '';
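Review bot: The changed `user_filter` line in dovecot.nix needs a comment stating that only the userdb lookup is restricted, because the hunk gives no hint why the password side is left alone. `pass_filter` is not visible here, so presumably authentication for send-only accounts is meant to keep working while delivery and mailbox access fail; that should be confirmed against the passdb settings. I would add, just above the filter, `# mailSendOnly accounts are hidden from userdb only; pass_filter is unchanged so they can still authenticate to send`. The enclosing `let` binding starts and ends outside the hunk.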
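Review bot: In the first openldap.nix hunk the new `mailSendOnly` attribute is declared as an IA5 string, so the directory accepts any text. A value such as `yes` or `1` would not match `(mailSendOnly=TRUE)` in the Dovecot and Postfix filters, and the account would silently keep receiving mail. Declaring it as a Boolean makes the server reject anything but TRUE or FALSE: `EQUALITY booleanMatch` and `SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE)`. The DESC speaks only of an account, while the next hunk also allows the attribute on `mailAlias`; it should say what the flag means for an alias entry.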
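Review bot: Nothing in the three postfix.nix hunks (at -31, -59 and -73) shows which Postfix parameter consumes each map, so it cannot be checked that the added `(!(mailSendOnly=TRUE))` clause only affects the receiving side. If either of the `uid=%u` maps is also consulted for sender authorisation, for example through `smtpd_sender_login_maps`, a send-only account would lose the ability to send, which contradicts the attribute's DESC. A comment on each map definition naming its consumer, e.g. `# used for recipient lookup only; mailSendOnly entries must not resolve here`, would make this verifiable. The map bindings begin outside the hunks.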
@@ -59,7 +59,7 @@ let
 bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
 bind_pw = @ldap-password@
 scope = sub
- query_filter = (&(objectClass=mailAccount)(uid=%u))
+ query_filter = (&(objectClass=mailAccount)(uid=%u)(!(mailSendOnly=TRUE)))
 result_attribute = mail
 debuglevel = 0
 '';
@@ -73,7 +73,7 @@ let
 bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
 bind_pw = @ldap-password@
 scope = one
- query_filter = (&(objectClass=mailAlias)(mail=%s))
+ query_filter = (&(objectClass=mailAlias)(mail=%s)(!(mailSendOnly=TRUE)))
 result_attribute = maildrop
 debuglevel = 0
 '';