diff --git a/defaults/main.yml b/defaults/main.yml
index 5e5ddf3f..057fc730 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -564,6 +564,8 @@ security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210
 security_rhel7_session_timeout: 600 # RHEL-07-040160
 # Enable chrony for NTP time synchronization.
 security_rhel7_enable_chrony: yes # RHEL-07-040210
+# Restrict mail relaying.
+security_rhel7_restrict_mail_relaying: yes # RHEL-07-040480
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
diff --git a/doc/metadata/rhel7/RHEL-07-040480.rst b/doc/metadata/rhel7/RHEL-07-040480.rst
index a36dd8f4..395610ce 100644
--- a/doc/metadata/rhel7/RHEL-07-040480.rst
+++ b/doc/metadata/rhel7/RHEL-07-040480.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040480
-status: not implemented
+status: implemented
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The ``smtpd_client_restrictions`` configuration in postfix is set to
+``permit_mynetworks, reject`` to meet the STIG's requirements.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_rhel7_restrict_mail_relaying: no
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index b6f3747e..b5d17b48 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -265,3 +265,23 @@
     - medium
     - misc
     - RHEL-07-040470
+
+- name: Check for postfix configuration file
+  stat:
+    path: /etc/postfix/main.cf
+  register: postfix_conf_check
+  tags:
+    - always
+
+- name: RHEL-07-040480 - Prevent unrestricted mail relaying
+  lineinfile:
+    dest: /etc/postfix/main.cf
+    regexp: '^smtpd_client_restrictions'
+    line: 'smtpd_client_restrictions = permit_mynetworks, reject'
+  when:
+    - postfix_conf_check.stat.exists
+    - security_rhel7_restrict_mail_relaying | bool
+  tags:
+    - medium
+    - misc
+    - RHEL-07-040480
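Review bot: The comment `# Restrict mail relaying.` above the new `security_rhel7_restrict_mail_relaying` variable does not tell a deployer what is actually changed or when, unlike the neighbouring entries that name the affected service. The task behind it edits postfix's `smtpd_client_restrictions` and is skipped when `/etc/postfix/main.cf` is absent, and a deployer reading defaults/main.yml alone cannot see either fact. Suggest `# Restrict postfix mail relaying (smtpd_client_restrictions = permit_mynetworks, reject); only applied when /etc/postfix/main.cf exists.`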
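Review bot: The `lineinfile` task rewrites `/etc/postfix/main.cf` but nothing reloads postfix afterwards, so a running daemon keeps the previous `smtpd_client_restrictions` in effect until its next restart and the control is not actually enforced when the play finishes. Add a `notify:` to a postfix reload/restart handler (placeholder name, define it in the role's handlers if none exists) and let the handler check that the service is active before reloading, since the `stat` check only proves the config file is present. The `regexp: '^smtpd_client_restrictions'` is looser than it needs to be; `'^smtpd_client_restrictions\s*='` avoids matching any longer key that happens to share the prefix. I would also note in the task or in the RHEL-07-040480.rst text that the restriction still permits every host in postfix's `mynetworks`, so deployers with a broad `mynetworks` have not restricted relaying from those hosts.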