diff --git a/NEWS b/NEWS
index 42bcf6c02d7b37ef31f4fdd03651242a0407dd10..757f708be6f0256c609cbd214560ad547f927e10 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,11 @@ unreleased (2017-??-??)
     [ssh] Add $extra_gssapi_only_users parameter listing any extra
     accounts that should skip Duo (i.e., service accounts). [adamhl]
 
+    [postfix] Remove the transport lines which allowed stanford.edu mail
+    to route via published MX records, because that is moving entirely
+    off-campus Instead, just have everything go through smtp.stanford.edu
+    (which still has an on-campus presence). [akkornel]
+
 release/005.009 (2017-07-07)
 
     [ntp] Push "tinker-panic 0" to the top of the ntp.conf file to help
diff --git a/files/postfix/etc/postfix/transport b/files/postfix/etc/postfix/transport
index 40990ce5cb0955e2672a58f1fc1e74737d603184..9b786f3d58d615e979cae88523239161fa6dde38 100644
--- a/files/postfix/etc/postfix/transport
+++ b/files/postfix/etc/postfix/transport
@@ -1,11 +1,27 @@
 # Postfix transport definitions.  -*- conf -*-
 #
-# Off-campus mail has to go through smtp.stanford.edu.  Currently we
-# manually list the stanford.edu hosts that have off-campus MX records.
-
-stanford.edu		:
-.stanford.edu		:
-alumni.stanford.edu	smtp:smtp.stanford.edu
-law.stanford.edu	smtp:smtp.stanford.edu
-sls.stanford.edu	smtp:smtp.stanford.edu
-*			smtp:smtp.stanford.edu
+# This file is maintained by Puppet, as part of base::postfix.
+# You can override it in your code, if you like!  Just be sure to use the
+# base::postfix::map type, to ensure that `postmap` is run when this file
+# changes.
+
+# By default, relay all email through the campus mail gateway.
+# This is basically the same as using the relayhost option in main.cf,
+# but using the transport map gives us more flexibility!
+*           smtp:smtp.stanford.edu
+
+# The only time you should remove the above line is (a) you are using this code
+# to push to a cloud (or other non-on-Stanford-network system), or (b) your
+# system has an exemption to send mail directly to the outside world.
+# (Or, you might be like SoM, and have your own mail gateways!)
+
+# If you have a host or domain where you want to use the MX records returned by
+# DNS, then use lines like the following:
+#stanford.edu		:
+#.stanford.edu		:
+
+# ... but!  If you use lines like the above, then you'd have to put in
+# additional lines for any sub-domains where you want to use the mail gateway.
+#alumni.stanford.edu	smtp:smtp.stanford.edu
+#law.stanford.edu	smtp:smtp.stanford.edu
+#sls.stanford.edu	smtp:smtp.stanford.edu
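Review bot: The new comment above the `*` entry calls the wildcard "basically the same as using the relayhost option in main.cf", but per transport(5) transport map entries take precedence over the domains in mydestination, so the wildcard also covers locally addressed mail, whereas relayhost only affects non-local delivery. Whether that matters here depends on main.cf, which is not part of this diff, so the comment should state the difference rather than imply equivalence, e.g. `# Unlike relayhost, this wildcard also applies to mydestination domains; add explicit entries for any domain that must be delivered locally.` The paragraph about removing the wildcard could also name the consequence: the host then delivers straight to each recipient's MX and bypasses whatever outbound filtering and logging the gateway provides. Separately, `smtp:smtp.stanford.edu` without brackets makes Postfix do an MX lookup on the gateway name; `smtp:[smtp.stanford.edu]` would pin delivery to that host's address records, if that is the intent.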