diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 53f26db315944fdae628b5eb4fe898cde4ab3c93..0310c555d38c0a5617daa0112b96f2c8d5169c1f 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -960,7 +960,8 @@ The role implements the following: * Sets-up the necessary directories and files under Postfix chroot. * Configures firewall to allow incoming connections to the mail server. This includes set-up of redirection from TCP port 26 to TCP port 587 (alternate - SMTP submission port to work around common network blocks). + submission port), as well as redirection from TCP port 27 to TCP port 25 + (alternate SMTP port), useful as workaround for ISP/hotel blocks. Deployed services are configured as follows:
diff --git a/docs/usage.rst b/docs/usage.rst
index fc973b77ce3d0e69c00c13fe4f77644e9769b5a5..3a432d064ad27e6912dfbd635d795174228b823e 100644
--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -828,9 +828,14 @@ role. Of course, free feel to also test out the mail server using any mail client of your choice. When doing so, use port 587 for SMTP. Port 25 is reserved for - unauthenticated server-to-server mail deliveries. TLS has also been hardened - on port 587 to allow only TLSv1.2 and PFS ciphers (you can override TLS - versions/ciphers via role configuration). + unauthenticated server-to-server mail deliveries. + + If you face issues with ISPs or hotels blocking the two ports listed above, + you can also use alternative ports 26 (redirected to port 587) and 27 + (redirected to port 25). + + TLS has also been hardened on port 587 to allow only TLSv1.2 and PFS ciphers + (you can override TLS versions/ciphers via role configuration). Setting-up mail relaying from web and backup servers
diff --git a/roles/mail_server/files/ferm_mail.conf b/roles/mail_server/files/ferm_mail.conf
index 3d95b6d19e1b1cc010ee92732188a26beb462d6b..0c2cc789c8a6ff35c1b3d0a996d34173b5f72dcb 100644
--- a/roles/mail_server/files/ferm_mail.conf
+++ b/roles/mail_server/files/ferm_mail.conf
@@ -16,9 +16,12 @@ domain (ip ip6) {
 table nat {
 chain PREROUTING {
- # Set-up redirection for alternate SMTP port (to avoid ISP/hotel blocks
- # etc).
+ # Set-up redirection for alternate SMTP submission port (to avoid
+ # ISP/hotel blocks etc).
 proto tcp dport 26 REDIRECT to-ports 587;
+
+ # Set-up redirection for alternate SMTP port (to avoid ISP blocks).
+ proto tcp dport 27 REDIRECT to-ports 25;
 }
 }
 }
\ No newline at end of file
diff --git a/roles/mail_server/tests/test_client2.py b/roles/mail_server/tests/test_client2.py
index 4b06697c6e15cc9333ecaa4fed7f18a9fafa3787..0fb423dcab42e40e8ef857985d8763bbcf8b6e7c 100644
--- a/roles/mail_server/tests/test_client2.py
+++ b/roles/mail_server/tests/test_client2.py
@@ -22,6 +22,14 @@ def test_open_relay(Command):
 assert send.rc == no_recipients_accepted
 assert "Relay access denied" in send.stdout
+ send = Command('swaks --port 27 --suppress-data --to root@client1 --server parameters-mandatory')
+ assert send.rc == no_recipients_accepted
+ assert "Relay access denied" in send.stdout
+
+ send = Command('swaks --port 27 --suppress-data --to root@client1 --server parameters-optional')
+ assert send.rc == no_recipients_accepted
+ assert "Relay access denied" in send.stdout
+
 def test_mail_delivery(Command):
 """
@@ -243,7 +251,7 @@ def test_connectivity(Command, Sudo):
 for server in ["parameters-mandatory", "parameters-optional"]:
- for port in [25, 26, 587, 143, 993, 4190]:
+ for port in [25, 26, 27, 587, 143, 993, 4190]:
 ping = Command('hping3 -S -p %d -c 1 %s' % (port, server))
 assert ping.rc == 0
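Review bot: The new `proto tcp dport 27 REDIRECT to-ports 25;` steers end-user traffic from hotel/ISP networks onto the port-25 listener, which docs/usage.rst in this same change describes as reserved for unauthenticated server-to-server delivery and which sits outside the TLSv1.2/PFS hardening that the docs say applies to 587. The existing 26→587 redirect already covers the blocked-client case, so the intended consumer of 27 should be stated, and the rule's comment should make clear it is not a submission path, e.g. `# Alternate MX port: inherits the port 25 policy (no client AUTH, relay denied) -- NOT a submission port.` Because REDIRECT in nat PREROUTING rewrites the destination port before the filter INPUT chain evaluates the packet, the INPUT rules (outside this hunk) must accept dport 25 rather than 27; worth confirming nobody "fixes" a failure by opening 27 there. The file still ends without a trailing newline (`\ No newline at end of file`), which is cheap to fix while touching it.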
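Review bot: The two new port-27 stanzas in test_open_relay only assert that an external recipient is refused without credentials; they do not pin that credentials cannot turn 27 into a second, less-hardened submission path. docs/usage.rst in this change says port 25 is unauthenticated, so one more case on port 27 with `--auth-user john.doe@domain1 --auth-password johnpassword --to root@client1` expecting `send.rc != 0` would lock that in — if the port-25 smtpd really offers no SASL, swaks fails before any relay decision. The stanzas are now four copies differing only in port and host; a loop over `("parameters-mandatory", "parameters-optional")` and the two ports (the existing ones above presumably target 25) would keep the next port from adding two more copies. test_open_relay starts before this hunk.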
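Review bot: Adding 27 to the port list in test_connectivity only shows hping3 got some reply, and as far as I recall hping3 exits 0 whenever a response arrives, including a RST from a closed port — so a missing or mistargeted REDIRECT would still pass here. Asserting on the reply flags makes the check meaningful for every port in the list: `assert "flags=SA" in ping.stdout` after the existing `assert ping.rc == 0`. The loop belongs to test_connectivity, whose definition starts before this hunk.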
@@ -251,9 +259,20 @@ def test_port_forwarding(Command, Sudo):
 """
- Tests if port forwarding is set-up correctly for submission port.
+ Tests if port forwarding is set-up correctly for additional SMTP and
+ submission ports.
 """
+ # Regular SMTP.
+ send = Command('swaks -tls --port 27 --to john.doe@domain1 --server parameters-mandatory')
+ assert send.rc == 0
+ assert "Ok: queued as" in send.stdout
+
+ send = Command('swaks -tls --port 27 --to john.doe@domain1 --server parameters-optional')
+ assert send.rc == 0
+ assert "Ok: queued as" in send.stdout
+
+ # Submission port.
 send = Command('swaks -tls --port 26 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-mandatory')
 assert send.rc == 0
 assert "Ok: queued as" in send.stdout
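Review bot: The new port-27 stanzas prove the redirected connection reaches an SMTP listener that queues mail for a local domain, but not that it is the port-25 listener rather than the submission one, which is the property this test exists to verify. If, as docs/usage.rst in this change states, port 25 is unauthenticated, `assert "250-AUTH" not in send.stdout` after each port-27 `Command` pins that (swaks echoes the EHLO response), and it will fail loudly should 27 ever be re-pointed at 587. The two stanzas differ only in the host name and could be one loop over the two servers, as test_connectivity already does. The `def test_port_forwarding` line appears only as the hunk hint, so the signature itself is outside the hunk.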