diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index f0c2159c3..5feb4c74f 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME= postfix
-PLUGIN_VERSION= 1.23
-PLUGIN_REVISION= 4
+PLUGIN_VERSION= 1.24
 PLUGIN_COMMENT= SMTP mail relay
 PLUGIN_DEPENDS= postfix
 PLUGIN_MAINTAINER= m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index 6bce690ce..f9756bc69 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
 Plugin Changelog
 ================
+1.24
+
+* Disable broken, insecure, legacy NTLM authentication (contributed by Alfred Egger)
+
 1.23
 * Add support for Opportunistic DANE as SMTP client security level
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 2d462bb42..49419f5d1 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -157,7 +157,7 @@ relayhost = {{ OPNsense.postfix.general.relayhost }}
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/usr/local/etc/postfix/smtp_auth
 smtp_sasl_security_options =
-smtp_sasl_mechanism_filter = !gssapi, !external, static:all
+smtp_sasl_mechanism_filter = !gssapi, !ntlm, !external, static:all
 {% endif %}
 {% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}
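Review bot: In the main.cf hunk the mechanism filter is still a denylist ending in `static:all`, so every SASL mechanism other than gssapi, ntlm and external stays eligible. The context line `smtp_sasl_security_options =` is also left empty, which switches off Postfix's default `noplaintext, noanonymous` restrictions. Since the block configures `smtp_sasl_password_maps`, anonymous login is presumably never wanted, so `smtp_sasl_security_options = noanonymous` looks safe to set, and an allowlist such as `smtp_sasl_mechanism_filter = plain, login` would be easier to audit if it fits the relays this plugin supports. The enclosing `{% if %}` block starts outside the hunk and TLS enforcement for the relay session is not visible here, so confirm that plaintext mechanisms cannot be negotiated over an unencrypted connection. A one-line comment above the filter, e.g. `# ntlm excluded: legacy mechanism, see plugin changelog 1.24`, would keep the reason next to the setting.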