diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 0a762d6d44ea916ea46f63f7852692248d1c0181..8c67b45c9ab022026ae3258242109320d224e757 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1366,6 +1366,7 @@ Distribution compatibility
 Role is compatible with the following distributions:
 
 - Debian 9 (Stretch)
+- Debian 10 (Buster)
 
 
 Examples
diff --git a/roles/mail_forwarder/meta/main.yml b/roles/mail_forwarder/meta/main.yml
index fb43bc4342d65a28ab7d56e75ce7073887060a3a..17602f8afe99297d9ed50058f4e7815008a4b0d1 100644
--- a/roles/mail_forwarder/meta/main.yml
+++ b/roles/mail_forwarder/meta/main.yml
@@ -11,5 +11,5 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
-        - 8
         - 9
+        - 10
diff --git a/roles/mail_forwarder/molecule/default/molecule.yml b/roles/mail_forwarder/molecule/default/molecule.yml
index 91356242535231784bf1fa084db5a62617293dc4..72c577cdf9789289167b778aee82e3355cbc116c 100644
--- a/roles/mail_forwarder/molecule/default/molecule.yml
+++ b/roles/mail_forwarder/molecule/default/molecule.yml
@@ -76,6 +76,42 @@ platforms:
         network_name: private_network
         type: static
 
+  - name: parameters-mandatory-buster64
+    groups:
+      - parameters-mandatory
+    box: debian/contrib-buster64
+    memory: 256
+    cpus: 1
+    interfaces:
+      - auto_config: true
+        ip: 10.31.127.20
+        network_name: private_network
+        type: static
+
+  - name: parameters-optional-buster64
+    groups:
+      - parameters-optional
+    box: debian/contrib-buster64
+    memory: 256
+    cpus: 1
+    interfaces:
+      - auto_config: true
+        ip: 10.31.127.21
+        network_name: private_network
+        type: static
+
+  - name: parameters-no-incoming-buster64
+    groups:
+      - parameters-no-incoming
+    box: debian/contrib-buster64
+    memory: 256
+    cpus: 1
+    interfaces:
+      - auto_config: true
+        ip: 10.31.127.22
+        network_name: private_network
+        type: static
+
 provisioner:
   name: ansible
   playbooks:
diff --git a/roles/mail_forwarder/molecule/default/prepare.yml b/roles/mail_forwarder/molecule/default/prepare.yml
index bd62782e5b6d830f8957d6cd601b039533b74e26..38d1ba12c87146f923dfb0eb824772b2e1692c99 100644
--- a/roles/mail_forwarder/molecule/default/prepare.yml
+++ b/roles/mail_forwarder/molecule/default/prepare.yml
@@ -69,6 +69,9 @@
         10.31.127.30: "parameters-mandatory-stretch64"
         10.31.127.31: "parameters-optional-stretch64"
         10.31.127.32: "parameters-no-incoming-stretch64"
+        10.31.127.20: "parameters-mandatory-buster64"
+        10.31.127.21: "parameters-optional-buster64"
+        10.31.127.22: "parameters-no-incoming-buster64"
 
     - name: Install tools for testing
       apt:
diff --git a/roles/mail_forwarder/templates/main.cf.j2 b/roles/mail_forwarder/templates/main.cf.j2
index 7decd6e798f338efc12b5839f872fbc2b50c5df4..e37f5ff3c05d4e939d1e4e3f3edc81ffe4b94afa 100644
--- a/roles/mail_forwarder/templates/main.cf.j2
+++ b/roles/mail_forwarder/templates/main.cf.j2
@@ -52,3 +52,7 @@ smtp_host_lookup = dns, native
 
 # Explicitly set maximum allowed mail size that should be accepted.
 message_size_limit = {{ mail_message_size_limit }}
+
+# Allow relaying only from trusted networks. Do not relay mails for
+# domains for which the mail server is not responsible.
+smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination