diff --git a/app/models/user.rb b/app/models/user.rb index 679cbdd1..3ad99d4c 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -39,6 +39,7 @@ class User < ApplicationRecord format: { without: %r{https?://}i } validates :provider, presence: true validate :check_if_email_can_be_blank + validate :check_domain, if: :greenlight_account?, on: :create validates :email, length: { maximum: 256 }, allow_blank: true, uniqueness: { case_sensitive: false, scope: :provider }, format: { with: /\A[\w+\-'.]+@[a-z\d\-.]+\.[a-z]+\z/i } @@ -234,6 +235,13 @@ class User < ApplicationRecord Role.create_default_roles(role_provider) if Role.where(provider: role_provider).count.zero? end + def check_domain + if Rails.configuration.require_email_domain.any? && !email.end_with?(*Rails.configuration.require_email_domain) + errors.add(:email, I18n.t("errors.messages.domain", + email_domain: Rails.configuration.require_email_domain.join('" ' + I18n.t("modal.login.or") + ' "'))) + end + end + def check_if_email_can_be_blank if email.blank? if Rails.configuration.loadbalanced_configuration && greenlight_account? diff --git a/config/application.rb b/config/application.rb index 3670e7c6..18704274 100644 --- a/config/application.rb +++ b/config/application.rb @@ -94,6 +94,9 @@ module Greenlight # Determine if GreenLight should enable email verification config.enable_email_verification = parse_bool(ENV['ALLOW_MAIL_NOTIFICATIONS']) + # Determine if GreenLight should require a certain mail-domain + config.require_email_domain = ENV["GREENLIGHT_ACCOUNT_HD"].to_s.split(",") + # Determine if GreenLight should allow non-omniauth signup/login. config.allow_user_signup = parse_bool(ENV['ALLOW_GREENLIGHT_ACCOUNTS']) diff --git a/config/locales/en.yml b/config/locales/en.yml index ebe18d12..04e14a1b 100755 --- a/config/locales/en.yml +++ b/config/locales/en.yml 
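Review bot: The `on: :create` on the new `validate :check_domain` line in app/models/user.rb means the domain restriction is enforced only at signup. If a Greenlight account can later edit its email (the update path is not visible in this hunk), the address can be changed to any domain without the check running. If the restriction is meant to hold for the life of the account, run it whenever the email changes, e.g. `validate :check_domain, if: -> { greenlight_account? && will_save_change_to_email? }`. When `enable_email_verification` is off, the check constrains only the string entered, not ownership of the address, which is worth stating in the setting's documentation.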
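Review bot: `email.end_with?(*Rails.configuration.require_email_domain)` in `check_domain` is a bare suffix match, so an entry without a leading `@` such as `domain.com` is satisfied by a constructed `user@otherdomain.com` as well as by `user@mail.domain.com`; the sample.env comment added in this commit documents only the subdomain case and should say so or the code should enforce a boundary. The comparison is also case-sensitive while the email format validator uses `/i`, so an allowed address typed with an upper-case domain is rejected unless it is downcased earlier (not visible here). If `email` can be nil at this point, `end_with?` raises instead of adding a validation error. The rewrite below compares the host part and requires equality or a `.` boundary for bare-domain entries, keeping the existing error message.

```ruby
def check_domain
  allowed = Rails.configuration.require_email_domain
  return if allowed.empty?

  address = email.to_s.downcase
  host = address.rpartition("@").last
  permitted = allowed.any? do |entry|
    entry = entry.downcase
    if entry.start_with?("@")
      # "@domain.com" must match the whole host, never a subdomain
      address.end_with?(entry)
    else
      # "domain.com" matches itself and real subdomains only
      host == entry || host.end_with?(".#{entry}")
    end
  end
  return if permitted

  # … unchanged: errors.add(:email, I18n.t("errors.messages.domain", …)) …
end
```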
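Review bot: `ENV["GREENLIGHT_ACCOUNT_HD"].to_s.split(",")` in config/application.rb keeps empty and whitespace-padded entries, and an empty entry (from a leading or doubled comma, e.g. a constructed `,domain.com`) makes `end_with?("")` true for every address, silently switching the restriction off. Normalise the list at load time: `config.require_email_domain = ENV["GREENLIGHT_ACCOUNT_HD"].to_s.split(",").map(&:strip).reject(&:empty?)`. A padded entry such as ` domain.com` currently fails closed because nothing matches it, which is safe but will look like a broken signup form to operators.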
@@ -269,6 +269,7 @@ en: accepted: must be accepted confirmation: doesn't match %{attribute} inclusion: is not included in the list + domain: must end with "%{email_domain}" no_provider: message: The site you are trying to access is not enabled help: Please contact your system administrator to setup Greenlight diff --git a/sample.env b/sample.env index 5cebc7fb..ad93036f 100644 --- a/sample.env +++ b/sample.env @@ -105,6 +105,12 @@ LDAP_ATTRIBUTE_MAPPING= # ALLOW_GREENLIGHT_ACCOUNTS=true +# "hosted domain" part of the Email-Address required for signup for a greenlight account +# domain.com matches also mail.domain.com +# @domain.com does NOT match @mail.domain.com +# multiple domains can be separated by comma (with no whitespace!) +#GREENLIGHT_ACCOUNT_HD=@domain.com,subdomain-allowed.net + # To enable reCaptcha on the user sign up, define these 2 keys # You can obtain these keys by registering your domain using the following url: #