diff --git a/src/config/acl.rs b/src/config/acl.rs
index 4b5aa24e..b4e0350b 100644
--- a/src/config/acl.rs
+++ b/src/config/acl.rs
@@ -3,9 +3,15 @@ use std::collections::HashSet;
 use url::Host;
 
 #[derive(Deserialize, Debug, Default, Clone)]
 pub struct AccessControlListConfig {
-    /// setting this explicitly enables allowlists
-    pub(crate) allow_list: Option>>,
+    #[serde(default = "default_as_false")]
+    pub allow_only_federation_from_allow_list: bool,
+    #[serde(default)]
+    pub(crate) allow_list: HashSet>,
     #[serde(default)]
     pub(crate) block_list: HashSet>,
 }
+
+fn default_as_false() -> bool {
+    false
+}
diff --git a/src/main.rs b/src/main.rs
index 27bd31f3..d7255a6f 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -90,6 +90,15 @@ async fn main() {
         }
     };
 
+    if !config.allow_federation && config.acl.allow_only_federation_from_allow_list {
+        warn!(
+            r#"
+Federation is disabled however acl.allow_only_federation_from_allow_list is enabled, this means that servers on the allow list won't be able to federate.
+Unlike in synapse an ACL is always applied first before checking if federation is enabled.
+    "#
+        );
+    }
+
     if config.allow_jaeger {
         opentelemetry::global::set_text_map_propagator(opentelemetry_jaeger::Propagator::new());
         let tracer = opentelemetry_jaeger::new_agent_pipeline()
diff --git a/src/service/acl/mod.rs b/src/service/acl/mod.rs
index e86cb476..a30dea4f 100644
--- a/src/service/acl/mod.rs
+++ b/src/service/acl/mod.rs
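Review bot: The new `allow_only_federation_from_allow_list` field in `AccessControlListConfig` has no doc comment, and the hunk also removes the only one the struct had (`/// setting this explicitly enables allowlists`), so an operator whose existing config populates `allow_list` is not told that the list is now ignored unless this flag is set (the `allow_list_enabled &&` guard in the src/service/acl/mod.rs hunk only consults `allow_list` when the flag is true). Add `/// When true, only servers on allow_list may federate with this server; when false, allow_list is ignored entirely (previously a present allow_list enabled the allowlist by itself).` above the field, and call the semantic change out in the upgrade notes, since a migrated config silently loosens from allowlist-only to blocklist-only. `default_as_false` is redundant: `bool::default()` is already `false`, so `#[serde(default)]` on the field gives the same result without the helper.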
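Review bot: The new startup warning in `main` covers the fail-closed misconfiguration (flag on, federation off) but not the fail-open one: a config that populates `acl.allow_list` while leaving `acl.allow_only_federation_from_allow_list` at its default of false now has its allow list silently skipped in the ACL check (see the `allow_list_enabled &&` guard in src/service/acl/mod.rs), whereas the old `Option` field enabled allowlisting by presence. Add the mirror check next to this one: `if !config.acl.allow_only_federation_from_allow_list && !config.acl.allow_list.is_empty() { warn!("acl.allow_list is set but acl.allow_only_federation_from_allow_list is false, so the allow list is ignored"); }`. The raw-string message also begins with a newline and ends with an indented `"#`, which puts a leading blank line and trailing spaces into the log record; a `concat!` of the two sentences or a plain string literal would keep the log line clean, and `synapse` should be capitalised as Synapse. The enclosing `main` body starts and ends outside the hunk.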
@@ -16,17 +16,12 @@ pub struct Service {
 impl Service {
     pub fn list_acls(&self, filter: Option) -> Vec {
         let mut set = self.db.get_all_acls();
-        self.acl_config
-            .allow_list
-            .clone()
-            .unwrap_or_default()
-            .iter()
-            .for_each(|it| {
-                set.insert(AclDatabaseEntry {
-                    mode: AclMode::Allow,
-                    hostname: it.to_owned(),
-                });
+        self.acl_config.allow_list.clone().iter().for_each(|it| {
+            set.insert(AclDatabaseEntry {
+                mode: AclMode::Allow,
+                hostname: it.to_owned(),
             });
+        });
         self.acl_config.block_list.clone().iter().for_each(|it| {
             set.insert(AclDatabaseEntry {
                 mode: AclMode::Block,
@@ -79,13 +74,10 @@ impl Service {
         if self.acl_config.block_list.contains(&server_host_name) {
             return false;
         }
-        let mut allow_list_enabled = false;
+        let allow_list_enabled = self.acl_config.allow_only_federation_from_allow_list;
         // check allowlist
-        if let Some(list) = &self.acl_config.allow_list {
-            if list.contains(&server_host_name) {
-                return true;
-            }
-            allow_list_enabled = true;
+        if allow_list_enabled && self.acl_config.allow_list.contains(&server_host_name) {
+            return true;
         }
         //check database
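Review bot: `list_acls` now reports every `allow_list` host as an `AclMode::Allow` entry regardless of `allow_only_federation_from_allow_list`, while the `allow_list_enabled &&` guard in the second hunk of this file only honours that list when the flag is set, so an admin listing ACLs can be shown Allow entries that are not enforced. Either gate the insertion on the flag (`if self.acl_config.allow_only_federation_from_allow_list { ... }`) or state in a doc comment on `list_acls` that config allow entries are listed even when the allowlist is inactive. Style: `self.acl_config.allow_list.clone().iter().for_each(...)` clones the whole set and then `to_owned()`s each element again; `set.extend(self.acl_config.allow_list.iter().map(|host| AclDatabaseEntry { mode: AclMode::Allow, hostname: host.clone() }));` does one clone per host with no intermediate set, and the same applies to the `block_list` line below it. The body of `list_acls` continues past the hunk.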