diff --git a/defaults/main.yml b/defaults/main.yml
index 4a90cd8a..fe4c8fdb 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -177,3 +177,14 @@ disable_usb_storage: no # sysctl_tunable: tcp_syncookies: 1 # V-38539
+
+## Postfix
+# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will
+# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when
+# Ansible installs packages). The default here is 'localhost' to meet the STIG
+# requirement, but some deployers may want this set to 'all' if their hosts
+# need to receive emails over the network (which isn't common).
+#
+# See the documentation for V-38622 for more details.
+#
+postfix_inet_interfaces: localhost # V-38622
diff --git a/doc/source/developer-notes/V-38622.rst b/doc/source/developer-notes/V-38622.rst
new file mode 100644
index 00000000..de2c6f4f
--- /dev/null
+++ b/doc/source/developer-notes/V-38622.rst
@@ -0,0 +1,19 @@
+The STIG requires that postfix only listens on the localhost so that it isn't
+abused as a mail relay. The Ansible task will adjust the ``inet_interfaces``
+line in the Postfix configuration and restart postfix if the line is changed.
+
+Although it's not common, some deployers may need to configure hosts so they
+can receive email over the network. In that case, deployers would need to set
+the following Ansible variable:
+
+.. code-block:: yaml
+
+ postfix_inet_interfaces: all
+
+Note that postfix can have ``inet_interfaces`` set to ``localhost`` and it can
+still send email on the network. The ``inet_interfaces`` directive only
+controls where postfix **listens** for incoming email.
+
+For more information, review the postfix documentation for `inet_interfaces`_.
+
+.. _inet_interfaces: http://www.postfix.org/postconf.5.html#inet_interfaces
diff --git a/handlers/main.yml b/handlers/main.yml
index afd1d6fb..e4e6554f 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
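Review bot: The comment block above `postfix_inet_interfaces` presents `all` as the setting for hosts that must receive mail over the network, but it does not say that with `all` the V-38622 check no longer passes and that preventing relay abuse then rests on other Postfix parameters (`mynetworks` and the smtpd relay/recipient restrictions) which this hunk does not manage. One added sentence would close that gap, e.g. `# Setting this to 'all' means V-38622 is no longer met; relay abuse must then be prevented through mynetworks and the smtpd relay/recipient restrictions.`. The same caveat belongs in the V-38622 developer note added by this commit, which currently only explains that inet_interfaces controls where postfix listens.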
@@ -24,6 +24,11 @@ name: chrony
 state: restarted
+- name: restart postfix
+ service:
+ name: postfix
+ state: restarted
+
 - name: restart ssh
 service:
 name: ssh
diff --git a/tasks/mail.yml b/tasks/mail.yml
index b8824be2..beb9e37b 100644
--- a/tasks/mail.yml
+++ b/tasks/mail.yml
@@ -46,3 +46,15 @@ - mail
 - cat2
 - V-38446
+
+- name: V-38622 - Mail relaying must be restricted
+ lineinfile:
+ dest: /etc/postfix/main.cf
+ regexp: "^(#)?inet_interfaces"
+ line: "inet_interfaces = {{ postfix_inet_interfaces }}"
+ notify:
+ - restart postfix
+ tags:
+ - mail
+ - cat2
+ - V-38622
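Review bot: The V-38622 task writes `postfix_inet_interfaces` into main.cf without any check, so a deployer who sets it to `all` (the opt-out the defaults comment describes) gets a silent deviation from the STIG with nothing in the play output recording it. A small `debug` task conditioned on the value not being `localhost`, placed before the lineinfile task and carrying the same tags, would make the exception visible in the run and fits the value being a deliberate deployer choice. Separately, `lineinfile` fails when `/etc/postfix/main.cf` is absent because `create` defaults to no; if the role does not guarantee postfix is installed before this point (the preceding V-38446 task is not visible in the hunk), a `when` on the package or file state is needed. The regexp `^(#)?inet_interfaces` replaces only the last matching line, which agrees with Postfix keeping the last definition of a parameter, so that part looks correct.

```yaml
- name: V-38622 - Warn when postfix listens on more than localhost
  debug:
    msg: "postfix_inet_interfaces is '{{ postfix_inet_interfaces }}'; the STIG requires 'localhost'"
  when: postfix_inet_interfaces != 'localhost'
  tags:
    - mail
    - cat2
    - V-38622

# … unchanged: V-38622 lineinfile task and its notify/tags …
```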