diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst
index 937f89b7a8480ca631e6de0ad5b4dce47585ba5e..1cfa02cfcfdb7baeba3bc2de4384cad4bc55cf00 100644
--- a/docs/releasenotes.rst
+++ b/docs/releasenotes.rst
@@ -56,6 +56,12 @@ New features/improvements:
 * Tests have been updated to work with latest Molecule/Testinfra as part of the Ansible upgrade process.
 
+* ``mail_server`` role
+
+  * The role now supports specifying the maximum mail message size
+    limit for the SMTP server to accept via
+    ``mail_message_size_limit`` role parameter.
+
 Deprecations:
 
 * ``backup_server`` and ``backup_client`` role
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 195eeb0cf59128a3889d887ca2da0a858254adf3..20f2be3a761b9902019f4e22dbf798ee4d5ebddb 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1113,6 +1113,13 @@ Parameters
 **mail_ldap_dovecot_password** (string, mandatory)
   Password for authenticating the Dovecot LDAP user.
 
+**mail_message_size_limit** (integer, optional, ``10240000``)
+  Maximum size of message in bytes that the SMTP server should accept
+  for incoming mails. If the mail message size exceeds the listed
+  value, it will be rejected by the server. The size is also
+  advertised as part of SMTP server capabilities (in response to the
+  ``ehlo`` SMTP command).
+
 **mail_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``)
   List of TLS protocols the mail server should support. Each value specified should be compatible with Postfix configuration option
diff --git a/roles/mail_server/defaults/main.yml b/roles/mail_server/defaults/main.yml
index cb0eacf4ae162afdad64467c802383994e6ec3da..06eef0d80344e5ec3f2bbbf5a6b9f1648d473757 100644
--- a/roles/mail_server/defaults/main.yml
+++ b/roles/mail_server/defaults/main.yml
@@ -18,3 +18,4 @@ mail_server_tls_protocols:
 mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
   DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
   ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT"
+mail_message_size_limit: 10240000
diff --git a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
index 5adfec2ca8fe74686c034776f6b638495a7d8551..b8cd407acf19330f09793f7fd28dfa6433b63849 100644
--- a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
@@ -29,6 +29,7 @@ smtp_rbl:
 mail_postmaster: "webmaster@parameters-optional"
 smtp_allow_relay_from:
   - "10.31.127.22"
+mail_message_size_limit: 20480001
 
 # common
 ca_certificates:
diff --git a/roles/mail_server/molecule/default/tests/test_mandatory.py b/roles/mail_server/molecule/default/tests/test_mandatory.py
index 6feec89f0aa58111c94f6565cd7e699f3f4f1335..f1997002a7036bd1f93a41df09db4a5b3bf59468 100644
--- a/roles/mail_server/molecule/default/tests/test_mandatory.py
+++ b/roles/mail_server/molecule/default/tests/test_mandatory.py
@@ -268,3 +268,17 @@ def test_sieve_tls_configuration(host):
     # @TODO: Currently not possible to test since openssl s_client does not
     # support STARTTLS for Sieve.
     pass
+
+
+def test_mail_message_size_limit(host):
+    """
+    Tests if the mail message size limit advertised by the SMTP server
+    is correct.
+    """
+
+    capabilities = host.run("(echo 'ehlo localhost' && sleep 2) | telnet localhost 25")
+    begin = capabilities.stdout.find("250-SIZE")
+    end = capabilities.stdout.find("\n", begin)
+    mail_message_size_limit = capabilities.stdout[begin:end]
+
+    assert mail_message_size_limit == "250-SIZE 10240000"
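Review bot: In `test_mail_message_size_limit`, `capabilities.stdout.find("250-SIZE")` returns -1 when no such line was received (telnet not installed, non-zero `rc`, the two-second `sleep` too short), so the slice then yields a fragment of the last output line and the assertion fails with a misleading value instead of the real cause. Add `assert capabilities.rc == 0, capabilities.stderr` after the `host.run` call and `assert begin != -1, capabilities.stdout` after the `find`. If Postfix's CRLF line endings reach stdout unchanged, the slice also keeps a trailing `\r`; applying `.rstrip()` to the extracted line makes the comparison robust either way. The test only checks the advertised value, not that an over-limit message is actually rejected, which is the property the parameter documentation promises; the docstring should say so. The same function is duplicated in `test_optional.py` in this diff and has the same gaps.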
diff --git a/roles/mail_server/molecule/default/tests/test_optional.py b/roles/mail_server/molecule/default/tests/test_optional.py
index c8079027080cd50e5b6c11e5f44a1836093679b8..f5d26e81446d139876be7bfd73c488811c561164 100644
--- a/roles/mail_server/molecule/default/tests/test_optional.py
+++ b/roles/mail_server/molecule/default/tests/test_optional.py
@@ -301,3 +301,17 @@ def test_sieve_tls_configuration(host):
     # @TODO: Currently not possible to test since openssl s_client does not
     # support STARTTLS for Sieve.
     pass
+
+
+def test_mail_message_size_limit(host):
+    """
+    Tests if the mail message size limit advertised by the SMTP server
+    is correct.
+    """
+
+    capabilities = host.run("(echo 'ehlo localhost' && sleep 2) | telnet localhost 25")
+    begin = capabilities.stdout.find("250-SIZE")
+    end = capabilities.stdout.find("\n", begin)
+    mail_message_size_limit = capabilities.stdout[begin:end]
+
+    assert mail_message_size_limit == "250-SIZE 20480001"
diff --git a/roles/mail_server/templates/main.cf.j2 b/roles/mail_server/templates/main.cf.j2
index b3ab8923ce9e29cd6743e52ae5d5a328290233ca..015c86190e3fcf9c3e840599683b2d8d5812086f 100644
--- a/roles/mail_server/templates/main.cf.j2
+++ b/roles/mail_server/templates/main.cf.j2
@@ -77,3 +77,6 @@ notify_classes = resource, software, 2bounce
 # Fall-back to using native lookups (/etc/hosts etc) if DNS lookup fails. Useful
 # for local overrides of mail servers.
 smtp_host_lookup = dns, native
+
+# Explicitly set maximum allowed mail size that should be accepted.
+message_size_limit = {{ mail_message_size_limit }}
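Review bot: The new `message_size_limit = {{ mail_message_size_limit }}` line renders the variable unquoted and unvalidated, so a non-integer or empty value produces a `main.cf` that Postfix rejects at reload time rather than at the point where the role could report it. A validation task in the role (e.g. `ansible.builtin.assert` with `that: mail_message_size_limit | int > 0`) fails the play with a clear message; applying `| int` in the template alone is not enough, because a malformed value then silently becomes `0`, which is not the limit the operator intended. Postfix also requires `mailbox_size_limit` (default `51200000`) to be no smaller than `message_size_limit` and `local(8)` refuses to deliver otherwise; if this role delivers mail through `local(8)`, raising the limit past that value breaks delivery, so the parameter documentation should mention the constraint. The template comment could also name the unit, e.g. `# Explicitly set maximum allowed mail size (in bytes) that should be accepted.`.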