diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index 7a7b67e89d..c9f08e2da2 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -67,5 +67,5 @@ primary_auth_source: ipa
 #
 # allow incoming openvpn and smtp
 #
-tcp_ports: [22, 25, 1194]
+tcp_ports: [22, 1194]
 udp_ports: [1194]
diff --git a/roles/base/templates/iptables/iptables.bastion b/roles/base/templates/iptables/iptables.bastion
index 6133eb17ee..05eb9720f0 100644
--- a/roles/base/templates/iptables/iptables.bastion
+++ b/roles/base/templates/iptables/iptables.bastion
@@ -77,6 +77,9 @@
 -A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
 -A INPUT -s 192.168.0.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
 -A INPUT -s 10.3.160.0/19 -m tcp -p tcp --dport 25 -j ACCEPT
+# redhat mxes
+-A INPUT -s 10.30.177.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 10.30.29.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
 # mimecast ips from
 # https://community.mimecast.com/s/article/email-security-cloud-gateway-data-centers-and-urls?r=297&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1
 -A INPUT -s 170.10.132.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
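Review bot: The comment block directly above `tcp_ports` still reads `# allow incoming openvpn and smtp`, but with 25 removed the variable no longer opens SMTP, so the header now misstates the bastion's exposure to anyone auditing this file. I would reword it along the lines of `# allow incoming ssh and openvpn; smtp (25) is allowed per source in roles/base/templates/iptables/iptables.bastion`. That keeps the pointer to where port 25 is actually controlled, which is otherwise not discoverable from the group vars.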
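Review bot: The added `# redhat mxes` comment gives no source or owner for the two /24s, unlike the mimecast block just below it, which cites where its ranges come from. That makes it hard to tell later whether these entries are still valid. Something like `# redhat MX relays (internal ranges), source: <ticket or doc reference>` would make the allowlist auditable. Because the same commit drops 25 from `tcp_ports`, these per-source rules presumably become the only way inbound SMTP is accepted. That depends on the chain's final reject/drop rule, which lies outside this hunk, so it is worth confirming that rule and checking recent mail logs for legitimate senders outside the listed ranges before rollout.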