
Forged in Fire: The Bulletproof Postfix Configuration Guide for 2012


Let’s be honest: configuring a mail server is usually a nightmare. It’s the trench warfare of systems administration. One wrong line in your main.cf and you’re an open relay, spamming the world and getting your IP blacklisted by Spamhaus faster than you can say "delivery failure."

I've spent the last week migrating a client's legacy Sendmail setup to a modern Postfix cluster. They were suffering from deferred queues and terrible I/O wait times on their old rotational drives. In this guide, I’m going to walk you through a battle-tested Postfix setup on CentOS 6 that prioritizes security and speed.

The Hardware Reality: Why I/O Matters

Before we touch a single config file, we need to talk about where your mail lives. Email queues are I/O vampires. Every incoming message hits the disk multiple times—reception, queueing, filtering, and delivery. On standard SATA drives, a spike in traffic can skyrocket your load average, causing the dreaded "Connection timed out."

This is why we deploy our mail gateways on CoolVDS. They are one of the few providers in the Nordic region offering Pure SSD storage right now. In 2011, putting your /var/spool/postfix on SSD isn't a luxury; it's the only way to guarantee low latency when the marketing team decides to blast 50,000 newsletters at 9:00 AM.

Step 1: The Foundation & Reverse DNS

Deliverability starts before you install software. The receiving server looks at your IP address and asks, "Who are you?" If your Forward DNS (A record) doesn't match your Reverse DNS (PTR record), you look like a botnet.

Pro Tip: Most VPS providers hide the PTR setting deep in a support ticket system. CoolVDS lets you set your Reverse DNS instantly in the control panel. Do this first. If your hostname is mail.example.no, your PTR must return mail.example.no.

Step 2: Installation and Basic Hygiene

We are using CentOS 6.2 for this implementation. It’s rock solid.

yum install postfix cyrus-sasl cyrus-sasl-plain

First, kill Sendmail if it's lurking around:

service sendmail stop
chkconfig sendmail off
chkconfig postfix on

Step 3: The main.cf Configuration

Open /etc/postfix/main.cf. We are going to edit the critical parameters. Don't just copy-paste; understand what you are defining.

# IDENTITY
myhostname = mail.yourdomain.no
mydomain = yourdomain.no
myorigin = $mydomain

# NETWORK
inet_interfaces = all
inet_protocols = ipv4
# Be very careful here. Only trust your own IP and localhost.
mynetworks = 127.0.0.0/8, [::1]/128

# DATA DIRECTORIES
# Ensure this is on your high-speed storage volume
home_mailbox = Maildir/

# SECURITY & LIMITS
# Prevent the server from identifying too much info to scanners
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = yes
message_size_limit = 20480000

Step 4: Locking Down the Relay

The quickest way to get a call from the authorities (or just have your server suspended) is running an open relay. We need to implement SASL authentication so only your users can send mail.

Edit /etc/postfix/main.cf again to add TLS and SASL parameters:

# SASL AUTH
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

# TLS ENCRYPTION
# Self-signed certs are okay for testing, but buy a RapidSSL for production.
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_loglevel = 1
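SASL only tells Postfix who the client is; whether that client may relay is decided by smtpd_recipient_restrictions, which the fragments in Step 3 and Step 4 do not show. The following audit script is an added example (not from this guide or the Postfix project): it parses two constructed main.cf fragments, a weak one and a hardened one, and reports the relay-critical settings that would turn the box into an open relay. It does not expand $variables or read the live file; point parse_main_cf at /etc/postfix/main.cf contents yourself.

```python
import re

# Constructed main.cf fragments for this demo (not a real server's config).
WEAK_CF = """\
mynetworks = 0.0.0.0/0
smtpd_sasl_auth_enable = no
disable_vrfy_command = no
smtpd_recipient_restrictions = permit_mynetworks, permit
"""
HARDENED_CF = """\
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_sasl_auth_enable = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Parse main.cf text into a dict; indented lines continue the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:          # continuation line
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def audit_relay(params):
    """Return findings for the relay-critical settings; an empty list means they pass."""
    split = lambda v: [x for x in re.split(r"[,\s]+", v) if x]
    findings = []
    for net in split(params.get("mynetworks", "")):
        if net.endswith("/0"):               # 0.0.0.0/0 or ::/0 trusts everyone
            findings.append("mynetworks trusts the whole internet: " + net)
    rules = split(params.get("smtpd_recipient_restrictions", ""))
    # Postfix 2.6 on CentOS 6 has no smtpd_relay_restrictions safety net, so
    # reject_unauth_destination must be listed here, before any bare 'permit'.
    if "reject_unauth_destination" not in rules:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    elif "permit" in rules and rules.index("permit") < rules.index("reject_unauth_destination"):
        findings.append("a bare 'permit' precedes reject_unauth_destination")
    for name in ("smtpd_sasl_auth_enable", "disable_vrfy_command"):
        if params.get(name, "no").lower() != "yes":   # Postfix defaults both to 'no'
            findings.append(name + " is not 'yes'")
    return findings
```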

Step 5: Compliance and Privacy (The Norwegian Context)

Here in Norway, the Datatilsynet (Data Inspectorate) is strict about how personal data is handled. Email logs contain metadata which is considered PII under the Personal Data Act.

Hosting your mail server outside the EEA (European Economic Area) introduces legal headaches regarding the US Patriot Act. By hosting on a CoolVDS instance in Oslo, you ensure data residency. Your bits stay on Norwegian soil, protected by our privacy laws, not subject to foreign subpoenas. That’s a massive selling point if you are hosting mail for law firms or healthcare providers.

Step 6: SPF and DKIM

In late 2011, you cannot ignore SPF (Sender Policy Framework). It’s your first line of defense against spoofing.

Add a TXT record to your DNS zone:

v=spf1 mx a ip4:YOUR_SERVER_IP -all
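To see what that record does at the receiving end, here is an added example evaluator (not from this guide) that walks the mechanisms of the record left to right against a constructed DNS table, with the documentation address 203.0.113.10 standing in for YOUR_SERVER_IP. It models only mx, a, ip4, ip6 and all; a real receiver resolves these over DNS and also handles include, redirect and CIDR suffixes on a/mx.

```python
import ipaddress

# Constructed DNS data for the demo; nothing is looked up on the network.
DNS = {
    "A":  {"example.no": ["203.0.113.10"], "mail.example.no": ["203.0.113.20"]},
    "MX": {"example.no": ["mail.example.no"]},
}
RECORD = "v=spf1 mx a ip4:203.0.113.10 -all"   # the guide's record, with a sample IP

def _hosts_for(mechanism, domain):
    """Addresses matched by the 'a' and 'mx' mechanisms for the given domain."""
    if mechanism == "a":
        return DNS["A"].get(domain, [])
    return [ip for mx in DNS["MX"].get(domain, []) for ip in DNS["A"].get(mx, [])]

def spf_check(record, domain, client_ip):
    """Return pass/fail/softfail/neutral/none/permerror for the connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        # Optional qualifier prefix; '+' (pass) is the default.
        qualifier, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An IPv4 client never matches an IPv6 network, and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = any(ip == ipaddress.ip_address(h) for h in _hosts_for(name, arg or domain))
        else:
            return "permerror"          # include/exists/redirect are not modelled here
        if matched:                     # first matching mechanism decides
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"                    # nothing matched and no 'all' term present
```

With the record's trailing -all, any host not named by mx, a or ip4 gets a hard fail, which is exactly what makes spoofed mail from other addresses rejectable.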

For DKIM (DomainKeys Identified Mail), it's a bit more involved, requiring dkim-milter, but it signs every outgoing message cryptographically. If you are serious about hitting the Inbox, you need this.

Performance Tuning

If you see status=deferred frequently in /var/log/maillog, check your I/O wait. Postfix is incredibly efficient, but it can't defy physics. We switched a client from a generic budget VPS to a CoolVDS SSD plan last month. The "mail queue flush" time went from 45 minutes to 3 minutes. That is the difference between a happy CEO and a fired sysadmin.

Don't gamble with your infrastructure. Verify your config:

postfix check
service postfix restart

And watch the logs:

tail -f /var/log/maillog

Stay vigilant.
