diff --git a/grsecurity/grsec_sock.c b/grsecurity/grsec_sock.c
index a523bd2..f13f360 100644
--- a/grsecurity/grsec_sock.c
+++ b/grsecurity/grsec_sock.c
@@ -199,14 +199,42 @@ gr_handle_sock_all(const int family, const int type, const int protocol)
 	return 0;
 }
 
+static int is_safe_server(void)
+{
+	struct task_struct *t = current;
+	struct task_struct *p;
+	const struct cred *pcred;
+	int ret = 0;
+
+	rcu_read_lock();
+	read_lock(&tasklist_lock);
+	read_lock(&grsec_exec_file_lock);
+	p = t->real_parent;
+	if (p == NULL)
+		goto exit;
+	pcred = __task_cred(p);
+	if (!strcmp(gr_task_fullpath(t), "/usr/sbin/sendmail.postfix"))
+		ret = 1;
+	else if (gr_is_same_file(t->exec_file, p->exec_file) &&
+	    !pcred->uid && strcmp(p->comm, "httpd")) {
+		ret = 1;
+	}
+exit:
+	read_unlock(&grsec_exec_file_lock);
+	read_unlock(&tasklist_lock);
+	rcu_read_unlock();
+	return ret;
+}
+
 int
 gr_handle_sock_server(const struct sockaddr *sck)
 {
 #ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
 	if (grsec_enable_socket_server &&
-	    in_group_p(grsec_socket_server_gid) &&
+	    !in_group_p(grsec_socket_server_gid) &&
+	    current_uid() && cap_isclear(current_cap()) &&
 	    sck && (sck->sa_family != AF_UNIX) &&
-	    (sck->sa_family != AF_LOCAL)) {
+	    (sck->sa_family != AF_LOCAL) && !is_safe_server()) {
 		gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
 		return -EACCES;
 	}
@@ -219,9 +247,10 @@ gr_handle_sock_server_other(const struct sock *sck)
 {
 #ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
 	if (grsec_enable_socket_server &&
-	    in_group_p(grsec_socket_server_gid) &&
+	    !in_group_p(grsec_socket_server_gid) &&
+	    current_uid() && cap_isclear(current_cap()) &&
 	    sck && (sck->sk_family != AF_UNIX) &&
-	    (sck->sk_family != AF_LOCAL)) {
+	    (sck->sk_family != AF_LOCAL) && !is_safe_server()) {
 		gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
 		return -EACCES;
 	}
