Building a Bulletproof Email Gateway: Postfix Configuration on Ubuntu 10.04 LTS

There is nothing—and I mean nothing—more infuriating for a sysadmin than waking up to a support ticket that says: "Our emails are bouncing."

You check the logs. You see the dreaded error code:

If you are running your business email on cheap shared hosting, your deliverability is held hostage by the worst user on that server. One compromised WordPress installation in a neighboring account can get the entire IP subnet blacklisted, dragging your legitimate business correspondence into the abyss with it. In the Nordic market, where reliability is paramount and the Datatilsynet (Data Inspectorate) keeps a close watch on data handling under the Personal Data Act, you cannot afford to be negligent.

The solution is not another shared hosting plan. The solution is owning your infrastructure. Today, we are going to deploy a Postfix MTA (Mail Transfer Agent) on a CoolVDS Virtual Private Server running Ubuntu 10.04 LTS (Lucid Lynx). We will harden it against open relay abuse, secure it with TLS, and ensure your PTR records are spotless.

Step 0: The Foundation (DNS and Hostname)

Before touching a single config file, you must ensure your identity is verifiable. Spam filters operate on a premise of "guilty until proven innocent." If your forward DNS (A record) matches your IP, but your IP doesn't resolve back to your hostname (PTR/Reverse DNS), you look like a botnet.

Pro Tip: Many budget VPS providers make you file a ticket to change your PTR record, which can take 24 hours. At CoolVDS, we give you full control over your Reverse DNS directly in the control panel. Changes propagate instantly across our Nordic network backbone. Don't deploy a mail server without this.

First, set your hostname properly:

Ensure your /etc/hosts file links your IP to this FQDN. This is critical for Postfix to identify itself correctly during the SMTP handshake.

Step 1: Installation and Basic Config

We stick to the repositories. Compiling from source is fun for Gentoo users, but in production, we want security patches managed by apt.

During the ncurses setup, select "Internet Site". Once installed, we move to /etc/postfix/main.cf. This is the brain of your mail server.

The Essential main.cf Configuration

Open the file and verify these parameters. We need to ensure we aren't an open relay (a server that allows anyone to send email to anyone), which is the fastest way to get your IP burned.

# /etc/postfix/main.cf

# Network Identity
myhostname = mail.yourdomain.no
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# Network Settings
inet_interfaces = all
inet_protocols = ipv4

# RELAY CONTROL - CRITICAL
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

Step 2: Authenticated SMTP with SASL & Dovecot

By default, Postfix doesn't handle authentication well on its own. We pair it with Dovecot to handle the SASL (Simple Authentication and Security Layer). This allows your remote users to log in securely to send mail.

Edit /etc/dovecot/dovecot.conf to enable the socket for Postfix:

auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

Now, tell Postfix to use this socket in main.cf:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

Step 3: Fighting Spam with Restrictions

This is where the "Battle-Hardened" part comes in. We want to reject bad mail during the SMTP conversation, before it hits our disk I/O. Using Real-time Blackhole Lists (RBLs) is highly effective.

Add this block to your main.cf. Order matters here!

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    permit

This configuration rejects connection attempts from IPs listed on Spamhaus, drops connections from misconfigured servers (no FQDN), and ensures that only your authenticated users can relay mail.

Step 4: Performance Tuning for High I/O

Email involves thousands of tiny files. On traditional spinning rust (HDDs), the "seek time" kills performance. If you have a mailing list of 50,000 users, a standard SATA drive will choke, causing the mail queue to back up.

This is why hardware matters. At CoolVDS, we utilize Enterprise SSD RAID-10 arrays. While standard SSDs are becoming common in consumer laptops, enterprise-grade flash storage in a server environment drastically reduces the I/O wait time for the Postfix queue manager.

If you anticipate high loads, tune the process limit in /etc/postfix/main.cf:

Step 5: The "Trust" Factor (SPF)

Technical configuration is only half the battle. You must tell the world that your server is authorized to send email for your domain. This is done via a Sender Policy Framework (SPF) TXT record in your DNS.

Add this to your domain's DNS zone:

Replace 192.0.2.10 with your CoolVDS static IP. This record tells receiving servers (like Gmail or Yahoo) that only this IP is allowed to send mail for your domain. Everything else should be discarded (-all).

Conclusion

Restart your services to apply the changes:

You now have a mail server that is secure, compliant with standard authentication protocols, and running on infrastructure capable of handling bursts of traffic without I/O bottlenecks. In an era where latency to NIX (Norwegian Internet Exchange) can dictate the responsiveness of your applications, hosting your mail server locally in Norway on robust VPS infrastructure is not just a technical preference—it's a competitive advantage.

Don't let a shared hosting neighbor ruin your reputation. Deploy a high-performance CoolVDS instance today and take back control of your inbox.