diff --git a/docs/examples/blacklist_helo.master b/docs/examples/blacklist_helo.master
new file mode 100644
index 0000000000000000000000000000000000000000..5d696d44b8747a9bddafa454c11ef8a464fa9809
--- /dev/null
+++ b/docs/examples/blacklist_helo.master
@@ -0,0 +1,74 @@
+# blacklist_helo - after permit_sasl, used to stop common spammers/misconfigurations
+#
+# This file can be used to block hostnames used in smtp HELO command which are known bad.
+# Occasionally you will run into legitimate mail servers which are misconfigured and end
+# up blocked here, so this is not enabled by default, but it is useful if you are prepared
+# to address those cases.  .local is particularly problematic, and commented out by default.
+#
+# Note that any server hitting this check is misconfigured, all of the names below are bogus
+# and not allowed per RFC 2821.
+#
+# If your own users are blocked by this, they are not authenticating to your server when
+# sending (this check is after permit_sasl, which permits authenticated senders).
+#
+# Instructions:
+#
+# Copy this file to /usr/local/ispconfig/server/conf-custom/install/blacklist_helo.master,
+# as well as /etc/postfix/blacklist_helo, so your changes are not overwritten with ispconfig
+# updates.
+
+# probably just put REJECT lines in here,
+# as OK lines will bypass a lot of other checks you may want done
+# (use DUNNO instead of OK)
+#
+
+# common for spammers (check https://data.iana.org/TLD/tlds-alpha-by-domain.txt and remove valid tld's occasionally)
+/.*\.administrator$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.admin$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.adsl$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.arpa$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.bac$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.coma$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.dhcp$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.dlink$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.dns$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.domain$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.dynamic$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.dyndns\.org$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.dyn$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.firewall$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.gateway$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.home$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.internal$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.intern$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.janak$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.kornet$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.lab$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.lan$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.localdomain$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.localhost$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+
+# .local is used by spammers a lot, but too many otherwise legit servers hit it
+# (instead of REJECT, should send to greylisting)
+#/.*\.local$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+
+/.*\.loc$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.lokal$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.mail$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.nat$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.netzwerk$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.pc$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.privat$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.private$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.router$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.setup$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+
+/.*\.119$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.beeline$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.cici$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.gt_3g$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.gt-3g$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.hananet$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.skbroadband$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+/.*\.tbroad$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+
diff --git a/install/tpl/blacklist_helo.master b/install/tpl/blacklist_helo.master
index a519548aab7dfbe563df08c7c07951d81e75f2a8..f8d9ee27c53c939612b326549b05b9156d94bc9c 100644
--- a/install/tpl/blacklist_helo.master
+++ b/install/tpl/blacklist_helo.master
@@ -1,57 +1,22 @@
 # blacklist_helo - after permit_sasl, used to stop common spammers/misconfigurations
 #
-# probably just put REJECT lines in here,
-# as OK lines will bypass a lot of other checks you may want done
-# (use DUNNO instead of OK)
+# This file can be used to block hostnames used in smtp HELO command which are known bad.
+# Occasionally you will run into legitimate mail servers which are misconfigured and end
+# up blocked here, so this is not enabled by default, but it is useful if you are prepared
+# to address those cases.
 #
+# See docs/extras/blacklist_helo.master from ispconfig source for a more complete example list.
+#
+# If you make changes here, also copy them to /usr/local/ispconfig/server/conf-custom/install/blacklist_helo.master,
+# so your changes are not overwritten with ispconfig updates.
 
-# common for spammers (check https://data.iana.org/TLD/tlds-alpha-by-domain.txt and remove valid tld's occasionally)
-/.*\.administrator$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.admin$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.adsl$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.arpa$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.bac$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.coma$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.dhcp$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.dlink$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.dns$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.domain$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.dynamic$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.dyndns\.org$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.dyn$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.firewall$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.gateway$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.home$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.internal$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.intern$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.janak$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.kornet$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.lab$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.lan$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.localdomain$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.localhost$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-
-# .local is used by spammers a lot, but too many otherwise legit servers hit it
-# (instead of REJECT, should send to greylisting)
-#/.*\.local$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-
-/.*\.loc$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.lokal$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.mail$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.nat$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.netzwerk$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.pc$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.privat$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.private$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.router$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.setup$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
 
-/.*\.119$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.beeline$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.cici$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.gt_3g$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.gt-3g$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.hananet$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.skbroadband$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
-/.*\.tbroad$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+#/.*\.administrator$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+#/.*\.admin$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+#/.*\.adsl$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+#/.*\.arpa$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+#/.*\.dhcp$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+#/.*\.dns$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+#/.*\.domain$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
+#/.*\.dynamic$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.