The terrified silence of a frozen mail queue.
If you have been in this game long enough, you know the feeling. It's 3:00 AM. Your pager goes off. Your client in Oslo can't send invoices because their IP just landed on the Spamhaus Block List (SBL). Why? Because a hastily configured Postfix installation is about as secure as a screen door on a submarine.
I've seen seasoned sysadmins weep over /var/log/mail.log. Running your own mail server in 2011 is not for the faint of heart. Between Microsoft's aggressive filtering and the constant pounding from botnets looking for open relays, you need a configuration that is ironclad.
This isn't a "Hello World" tutorial. This is how we configure Postfix for production environments at CoolVDS, ensuring high deliverability and compliance with the Norwegian Personal Data Act.
1. The Foundation: OS and Connectivity
Whether you are running Debian 6 (Squeeze) or CentOS 5.6, the principles remain the same. Before touching a config file, check your environment.
Pro Tip: Mail servers live and die by their IP reputation. Most budget VPS providers recycle dirty IPs that have been abused by spammers for years. At CoolVDS, we scrub our IP ranges aggressively. Do not start a mail server project on an IP with a bad history. Check it against MXToolbox first.
You also need a valid PTR record (reverse DNS), and it has to agree with your forward DNS: the PTR for your IP should return your mail hostname, that hostname's A record should return the same IP, and myhostname (which Postfix announces in HELO) should be that hostname. The big receivers check this forward-confirmed reverse DNS before they even look at your content, and Gmail and Hotmail will reject or junk mail from an IP whose reverse DNS is missing or generic. If your provider tells you to open a support ticket to change your PTR, find a new provider. In the CoolVDS panel, you can update your reverse DNS instantly to match your hostname.
2. Postfix Configuration: The Meat
Let's assume you've run apt-get install postfix (or yum install postfix on CentOS). Out of the box Postfix is not an open relay, but it is more trusting than a VPS can afford: if main.cf does not set mynetworks, Postfix falls back to mynetworks_style = subnet, which trusts every address on the same subnet as your interface, and on a VPS that subnet is full of strangers. Debian's "Internet Site" preset writes a loopback-only mynetworks for you; the CentOS packaged main.cf leaves it commented out. Open /etc/postfix/main.cf. We need to lock this down.
Hostname and Identity
Your server needs to know who it is, and everywhere it announces itself (PTR, HELO, Received headers) should agree. Consistency is key here.
# The FQDN announced in HELO and Received headers; must match the PTR for your IP
myhostname = mail.yourdomain.no
# Debian convention: the domain appended to unqualified local addresses lives in /etc/mailname
myorigin = /etc/mailname
# Domains this host accepts as final destination ($mydomain is derived from $myhostname)
mydestination = $myhostname, localhost.$mydomain, localhost
The Kill Switch: Preventing Open Relays
This is the single most common way admins get burned. mynetworks is the list of client addresses Postfix trusts to relay anywhere without authenticating, and smtpd_recipient_restrictions is evaluated top to bottom, so the first permit_ or reject_ that matches a client wins. Get either wrong (a broad mynetworks, or a bare permit before reject_unauth_destination) and you are an open relay. Botnets find open relays within hours, and once that happens, your IP is burned.
# STRICT configuration. Only trust localhost (this is exactly what Debian's "Internet Site" preset writes).
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# Do not let the world send through you. Order matters: trusted and authenticated
# clients are permitted first; everyone else may only deliver to domains we host.
# Continuation lines must start with whitespace, or Postfix reads them as new parameters.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
3. Fighting the Botnets: RBLs and Delay
Spam is a volume game. You want to reject bad connections at RCPT time, before the DATA phase, so they never cost you CPU cycles, disk I/O or a queue file. We use DNS-based blocklists (RBLs, Real-time Blackhole Lists) directly in the Postfix restrictions: for each client, Postfix looks up the reversed IP under the list's DNS zone, and a hit returns a 554 before the sender can transmit a body.
Replace the smtpd_recipient_restrictions block in main.cf with this superset of it:
# Relay policy first, then HELO sanity checks, then the DNS blocklists last
# (each reject_rbl_client costs a DNS lookup, so only unauthenticated strangers reach them).
# Since Postfix 2.3 the preferred names for the HELO checks are reject_invalid_helo_hostname
# and reject_non_fqdn_helo_hostname; the old names below still work.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
Warning: RBLs are aggressive. Spamhaus ZEN includes the PBL, which lists consumer dynamic ranges wholesale, so a customer sending from a home DSL line in Norway will be rejected on port 25 no matter how legitimate the mail is. The order above is what saves them: permit_sasl_authenticated runs before any reject_rbl_client, so a client that authenticates via SASL skips the blocklists entirely. Give those clients the submission service on port 587 (enable it in master.cf with smtpd_sasl_auth_enable=yes and require TLS) and tell them never to use port 25. Two more caveats: every reject_rbl_client line is a DNS lookup, so run a local caching resolver rather than a public one (Spamhaus's free-use terms exclude queries sent through public resolvers), and expect the occasional false positive per list, so read mail.log for rejected senders you recognise before adding more lists.
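Before you reload, it pays to audit main.cf for the two mistakes sections 2 and 3 warn about: a mynetworks that trusts more than loopback, and a restriction list that either never reaches reject_unauth_destination or puts permit_sasl_authenticated behind an RBL check. The following is an added example, not code from the original post or from CoolVDS. The two main.cf fragments in it are constructed for the demo, and the parse_main_cf(), restrictions(), is_loopback_only() and audit() names are this example's own; point audit() at the contents of your real /etc/postfix/main.cf to use it.

```python
import re
from ipaddress import ip_network

# Constructed main.cf fragments (not from a real server). The first is the kind of
# "just make it work" edit that turns a box into an open relay; the second is the
# strict configuration from sections 2 and 3 of the text.
OPEN_RELAY_CF = """\
myhostname = mail.yourdomain.no
# someone "fixed" a relaying complaint by trusting the whole internet
mynetworks = 127.0.0.0/8 0.0.0.0/0
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_rbl_client zen.spamhaus.org,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

HARDENED_CF = """\
myhostname = mail.yourdomain.no
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
"""

LOOPBACK = (ip_network("127.0.0.0/8"), ip_network("::1/128"))
# Words that begin a restriction; any other word is an argument of the previous one
RESTRICTION_PREFIXES = ("permit", "reject", "defer", "check_", "warn_if_reject", "sleep")
NO_RELAY_GUARD = "smtpd_recipient_restrictions never rejects unauthorized relaying"


def parse_main_cf(text):
    """main.cf -> {parameter: value}. A line starting with whitespace continues the
    previous parameter (Postfix syntax); lines starting with '#' are comments."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if key:
                params[key] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            key = name.strip()
            params[key] = value.strip()
    return params


def restrictions(value):
    """'permit_mynetworks, reject_rbl_client zen.spamhaus.org' -> one string per restriction."""
    out = []
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok:
            continue
        if tok.startswith(RESTRICTION_PREFIXES) or not out:
            out.append(tok)
        else:
            out[-1] += " " + tok
    return out


def is_loopback_only(entry):
    """True if a mynetworks entry covers nothing but loopback addresses."""
    net = ip_network(entry.replace("[", "").replace("]", ""), strict=False)
    mapped = net.network_address.ipv4_mapped if net.version == 6 else None
    if mapped is not None:
        # [::ffff:127.0.0.0]/104 is IPv4-mapped 127.0.0.0/8
        net = ip_network(f"{mapped}/{max(net.prefixlen - 96, 0)}", strict=False)
    return any(net.version == lb.version and net.subnet_of(lb) for lb in LOOPBACK)


def audit(text):
    """Return [(severity, message)] for the ways the text says admins become relays."""
    cf = parse_main_cf(text)
    findings = []
    for entry in cf.get("mynetworks", "").split():
        if re.match(r"^[a-z]+:", entry):  # hash:/cidr: lookup table, cannot inspect here
            findings.append(("warn", f"mynetworks uses a lookup table ({entry}); audit it by hand"))
        elif not is_loopback_only(entry):
            broad = entry.endswith("/0")
            findings.append(("critical" if broad else "warn",
                             f"mynetworks trusts {entry} to relay without authentication"))
    names = [r.split()[0] for r in restrictions(cf.get("smtpd_recipient_restrictions", ""))]
    guards = [i for i, n in enumerate(names) if n in ("reject_unauth_destination", "defer_unauth_destination")]
    if not guards:
        findings.append(("critical", NO_RELAY_GUARD))
        return findings
    if "permit" in names[:guards[0]]:
        findings.append(("critical", "a blanket 'permit' precedes reject_unauth_destination"))
    rbl = [i for i, n in enumerate(names) if n == "reject_rbl_client"]
    if rbl and "permit_sasl_authenticated" in names[rbl[0]:]:
        findings.append(("warn", "permit_sasl_authenticated comes after an RBL check: "
                                 "authenticated users on dynamic IPs will be rejected"))
    return findings


if __name__ == "__main__":
    for label, cf in (("open relay", OPEN_RELAY_CF), ("hardened", HARDENED_CF)):
        print(label, audit(cf) or "no findings")
```

The audit is deliberately narrow: it only knows the failure modes described above, and a mynetworks that points at a lookup table is reported rather than inspected. A clean result from audit() is not a substitute for the external relay test at the end of this article; it just catches the obvious before you reload.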
4. Storage Performance & Reliability
Email is I/O heavy: thousands of small files being written, fsync()ed, read and unlinked. Postfix will not answer 250 OK to a message until its queue file is safely on disk, so write latency, not just throughput, caps how fast you can accept mail. On a standard SATA drive, a busy queue sends iowait through the roof and the entire server stalls.
This is why the virtualization layer matters. We use KVM at CoolVDS. Unlike OpenVZ, where resources are often oversold and shared, KVM gives us strict isolation. We back this with high-performance RAID-10 arrays. When your queue depth hits 5,000 messages during a marketing blast, you will appreciate the raw I/O throughput. Do not skimp on storage speed for mail.
5. The Norwegian Context: Datatilsynet & Compliance
Hosting email for Norwegian businesses brings you under the jurisdiction of the Personal Data Act (Personopplysningsloven). The Data Protection Authority (Datatilsynet) is clear: you are responsible for the security of personal data.
If you host your mail server on a budget box in the US, you are navigating the complex "Safe Harbor" framework. It is cleaner, faster, and legally safer to keep the data within the EEA. Our datacenters offer low-latency connectivity to the NIX (Norwegian Internet Exchange), meaning your IMAP syncs feel instant, and your data jurisdiction is clear.
6. Wrapping Up
Once your config is saved, validate it and reload (a reload is enough for main.cf and master.cf changes; you do not need a full restart):
postfix check && /etc/init.d/postfix reload
Tail your logs immediately:
tail -f /var/log/mail.log
Rejections show up as "NOQUEUE: reject:" lines that name the client, the restriction that fired and the envelope sender and recipient; that is where you will spot both the botnets and the legitimate customer who is sending from a listed DSL range. Then prove the relay is closed from the outside: from a host that is not in mynetworks, telnet to port 25, send HELO, a MAIL FROM at one third-party domain and a RCPT TO at another, and you must get "554 5.7.1 ... Relay access denied". If you get 250, stop and fix mynetworks or the restriction order before you do anything else.
Building a mail server is a rite of passage. It demands respect for protocols and a paranoid eye for security. If you want to skip the hardware headaches and focus on the config, deploy a CoolVDS instance. We provide the clean IP reputation and the raw disk speed you need to keep that queue moving.
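Staring at tail -f gets old fast. The following is an added example, not code from the original post or from CoolVDS, that turns the NOQUEUE reject lines into a short report: rejections by category, hits per blocklist, which client IPs are probing for an open relay, and the case the RBL warning above is about, a sender in one of your own domains rejected by a blocklist (a real user on a listed dynamic IP who belongs on port 587, or a spammer forging your domain; either way worth a look). The log lines are constructed for the demo in Postfix's reject format, using documentation address ranges, and LOCAL_DOMAINS and the function names are this example's own; on a live box, pipe the log in with tail -n 10000 /var/log/mail.log | python3 reject_report.py.

```python
import re
import sys
from collections import Counter

# Domains this server hosts (assumption for the demo). A sender from one of these
# hitting an RBL on port 25 is almost always a real user on a dynamic IP.
LOCAL_DOMAINS = {"yourdomain.no"}

# Constructed mail.log lines in Postfix's NOQUEUE reject format (not from a real
# server; 192.0.2.x, 198.51.100.x and 203.0.113.x are documentation ranges).
SAMPLE_LOG = """\
May  3 03:12:45 mail postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=192.0.2.10; from=<bulk@example.com> to=<post@yourdomain.no> proto=ESMTP helo=<example.com>
May  3 03:12:47 mail postfix/smtpd[4121]: NOQUEUE: reject: RCPT from 203-0-113-55.dsl.example.net[203.0.113.55]: 554 5.7.1 Service unavailable; Client host [203.0.113.55] blocked using zen.spamhaus.org; from=<anne@yourdomain.no> to=<kunde@example.org> proto=ESMTP helo=<[192.168.1.20]>
May  3 03:12:50 mail postfix/smtpd[4122]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<x@example.net> to=<victim@example.org> proto=SMTP helo=<mx1.example.net>
May  3 03:12:52 mail postfix/smtpd[4122]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <bot>: Helo command rejected: need fully-qualified hostname; from=<x@example.net> to=<post@yourdomain.no> proto=SMTP helo=<bot>
May  3 03:12:55 mail postfix/smtpd[4123]: connect from mail.example.com[192.0.2.200]
May  3 03:12:56 mail postfix/smtpd[4123]: A1B2C3D4E5: client=mail.example.com[192.0.2.200]
"""

# One reject line: client host and IP, SMTP code, enhanced status, the reason text
# (which may itself contain semicolons), then the envelope sender and recipient.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def classify(reason):
    """Map the reject reason to (category, blocklist name or None)."""
    m = re.search(r"blocked using (\S+?)(?:;|$)", reason)
    if m:
        return "rbl", m.group(1)
    if "Relay access denied" in reason:
        return "relay", None
    if "Helo command rejected" in reason:
        return "helo", None
    return "other", None


def parse_rejects(log_text):
    """Return one dict per NOQUEUE reject line; other smtpd lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["category"], ev["rbl"] = classify(ev["reason"])
        ev["sender_domain"] = ev["sender"].rpartition("@")[2].lower()
        events.append(ev)
    return events


def summarize(events):
    return {
        "by_category": Counter(e["category"] for e in events),
        "by_rbl": Counter(e["rbl"] for e in events if e["category"] == "rbl"),
        # clients that tried to relay through us: watch these counts climb after a config change
        "relay_probes": Counter(e["ip"] for e in events if e["category"] == "relay"),
    }


def misfired_rbl_rejects(events, local_domains):
    """RBL rejects whose envelope sender is one of our own domains."""
    return [e for e in events if e["category"] == "rbl" and e["sender_domain"] in local_domains]


if __name__ == "__main__":
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    evs = parse_rejects(log)
    for name, counts in summarize(evs).items():
        print(name, dict(counts))
    for e in misfired_rbl_rejects(evs, LOCAL_DOMAINS):
        print(f"check {e['ip']} ({e['host']}): {e['sender']} rejected by {e['rbl']}; move them to port 587")
```

On the sample, the report shows two blocklist hits, one relay probe and one HELO reject, and flags 203.0.113.55 because anne@yourdomain.no was bounced by zen.spamhaus.org from a DSL hostname: exactly the customer the warning in section 3 is about.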