Configuring a Bulletproof Postfix Mail Server on CentOS 5
There is nothing—absolutely nothing—more soul-crushing than seeing your primary IP address listed on Spamhaus. One minute your marketing team is happy; the next, you are bouncing emails to Gmail and Hotmail, and your CTO is standing at your desk demanding answers.
I learned this the hard way back in '07. We were running a shared hosting cluster where one compromised WordPress 2.0 install started spewing Viagra ads. The entire /24 subnet got burned. It took us three weeks to de-list.
If you are serious about mail delivery in 2009, you stop relying on shared hosting or ISP relays. You build your own dedicated MTA (Mail Transfer Agent). This guide cuts through the noise and shows you how to deploy a Postfix server that is secure, compliant with Norwegian standards, and fast.
The Prerequisite: Reverse DNS (PTR)
Before you even yum install anything, check your infrastructure. Most email providers (especially AOL and Yahoo!) will drop your connection immediately if your Forward DNS (A Record) does not match your Reverse DNS (PTR Record).
Pro Tip: Many budget VPS providers in Europe lock the PTR record to their own domain (e.g. static-88.provider.net). This is a deliverability killer.
At CoolVDS, we give you full control over your PTR records directly in the control panel. If your server is mail.yourcompany.no, your IP must resolve back to mail.yourcompany.no. Don't skip this.
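The forward/reverse agreement described above can be checked from the shell before the server ever goes live. The script below is an added example, not part of the original guide or of any CoolVDS tooling: it looks up the PTR for the IP, then confirms that the name it gets back resolves to the same IP (the sample zone data and the 203.0.113.x addresses are constructed so the check can be run offline; the default resolvers use the system DNS).

```python
import socket

def system_ptr(ip):
    """PTR lookup via the system resolver; raises OSError (socket.herror) when absent."""
    return socket.gethostbyaddr(ip)[0]

def system_a(name):
    """A lookup via the system resolver; returns the list of addresses for name."""
    return socket.gethostbyname_ex(name)[2]

# Constructed sample zone data so the check can be exercised offline:
# .7 is set up correctly, .8 still carries the VPS provider's generic PTR.
SAMPLE_PTR = {"203.0.113.7": "mail.yourcompany.no",
              "203.0.113.8": "static-8.provider.net"}
SAMPLE_A = {"mail.yourcompany.no": ["203.0.113.7"],
            "static-8.provider.net": ["203.0.113.8"]}

def sample_ptr(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR record")
    return SAMPLE_PTR[ip]

def sample_a(name):
    if name not in SAMPLE_A:
        raise OSError("no A record")
    return SAMPLE_A[name]

def forward_confirmed_rdns(ip, hostname, resolve_ptr=system_ptr, resolve_a=system_a):
    """Return (ok, detail): ok only when PTR(ip) == hostname and hostname resolves to ip."""
    want = hostname.rstrip(".").lower()
    try:
        ptr_name = resolve_ptr(ip).rstrip(".").lower()
    except OSError:
        return False, "no PTR record for %s" % ip
    if ptr_name != want:
        return False, "PTR for %s is %s, expected %s" % (ip, ptr_name, want)
    try:
        addrs = resolve_a(ptr_name)
    except OSError:
        return False, "%s has no A record" % ptr_name
    if ip not in addrs:
        return False, "%s resolves to %s, not %s" % (ptr_name, ", ".join(addrs), ip)
    return True, "forward-confirmed: %s <-> %s" % (ip, want)

if __name__ == "__main__":
    # Offline demo against the sample data; pass real values with the default resolvers.
    for ip in SAMPLE_PTR:
        print(ip, forward_confirmed_rdns(ip, "mail.yourcompany.no", sample_ptr, sample_a)[1])
```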
Step 1: Installation and Base Config
We are using CentOS 5.3 for this setup. It’s stable, boring, and enterprise-ready. Sendmail is installed by default, so let's purge it and grab Postfix.
yum remove sendmail
yum install postfix system-switch-mail
system-switch-mail
# Select Postfix
Now, open /etc/postfix/main.cf. This is where the magic happens. Do not just copy-paste configs you found on a forum. Understand what you are typing.
vi /etc/postfix/main.cf
Set your identity:
myhostname = mail.yourdomain.no
mydomain = yourdomain.no
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
Step 2: The "No Open Relay" Rule
An open relay is a server that allows anyone on the internet to send mail through it. If you misconfigure this, spammers will find you in under 6 hours. I've timed it.
Restrict trusted networks strictly to your local machine (and your VPN IP if necessary):
mynetworks = 127.0.0.0/8
Step 3: Hardening Against Spammers (HELO Checks)
Spambots are lazy. They rarely configure a proper HELO handshake. We can block 80% of junk just by enforcing strict syntax rules. Add these lines to main.cf (the continuation lines must begin with whitespace so Postfix reads them as part of the same parameter):
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
This forces the connecting server to identify itself with a valid Fully Qualified Domain Name (FQDN). If a bot connects and just says "HELO friend", Postfix drops the connection. Saves CPU, saves bandwidth.
Step 4: Real-time Blackhole Lists (RBLs)
Why filter spam yourself when others do it better? Configuring RBLs allows Postfix to check the connecting client's IP against known spam databases before accepting the body of the email. Keep reject_unauth_destination ahead of the RBL checks; it is the rule that actually closes the relay, and the order below is evaluated top to bottom:
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
Warning: Ensure your DNS resolver is fast. If your DNS lookups are slow, your email delivery will crawl. This is where network quality matters.
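To make the ordering in Steps 2 to 4 concrete, here is an added example (not from the original guide and not Postfix code) that models how smtpd evaluates the HELO and recipient restrictions above for a single session: a local client is permitted to relay, an outside client is refused relay by reject_unauth_destination, a bare "HELO friend" fails the FQDN test, and a listed client is refused by the RBL rule. The client IPs and the RBL_LISTED table are constructed stand-ins for the real DNSBL answers.

```python
import ipaddress
import re

# Values from this guide's main.cf; RBL_LISTED is a constructed stand-in for the
# DNSBL answers reject_rbl_client would get from zen.spamhaus.org / bl.spamcop.net.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MYDESTINATION = {"mail.yourdomain.no", "localhost.yourdomain.no", "localhost", "yourdomain.no"}
RBL_LISTED = {"192.0.2.10"}
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
LITERAL_RE = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")   # IPv4 address literal only

def in_mynetworks(ip):
    return any(ipaddress.ip_address(ip) in net for net in MYNETWORKS)

def helo_syntax_ok(helo):
    """reject_invalid_helo_hostname: well-formed DNS labels, or an address literal."""
    if LITERAL_RE.match(helo):
        return True
    return bool(helo) and all(LABEL_RE.match(l) for l in helo.rstrip(".").split("."))

def helo_is_fqdn(helo):
    """reject_non_fqdn_helo_hostname: address literal, or a valid name containing a dot."""
    return bool(LITERAL_RE.match(helo)) or (helo_syntax_ok(helo) and "." in helo.rstrip("."))

def check_helo(client_ip, helo):
    """smtpd_helo_restrictions, in the order the guide lists them."""
    if in_mynetworks(client_ip):
        return "permit"                                      # permit_mynetworks
    if not helo_is_fqdn(helo):
        return "reject: need fully-qualified hostname"       # reject_non_fqdn_helo_hostname
    if not helo_syntax_ok(helo):
        return "reject: invalid HELO hostname"               # reject_invalid_helo_hostname
    return "permit"                                          # permit

def check_recipient(client_ip, rcpt):
    """smtpd_recipient_restrictions: relay is closed before any RBL is consulted."""
    if in_mynetworks(client_ip):
        return "permit"                                      # permit_mynetworks
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain not in MYDESTINATION:
        return "reject: relay access denied"                 # reject_unauth_destination
    if client_ip in RBL_LISTED:
        return "reject: client blocked by RBL"               # reject_rbl_client
    return "permit"

def evaluate(client_ip, helo, rcpt):
    """With the default smtpd_delay_reject, HELO rules are applied before recipient rules at RCPT TO."""
    result = check_helo(client_ip, helo)
    return result if result != "permit" else check_recipient(client_ip, rcpt)
```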
Performance vs. Latency
Email is I/O intensive. Every incoming message hits the disk (logs, queues, virus scanning). On a typical "oversold" VPS using OpenVZ, you are sharing disk I/O with hundreds of other users. If neighbor A is compiling a kernel, your email queue locks up.
This is why we architect CoolVDS on Xen virtualization with high-performance RAID-10 SAS arrays. We guarantee dedicated resources. In Norway, where internet speeds are high, the bottleneck is almost always disk I/O, not bandwidth. Don't let a slow disk queue cause timeouts.
Step 5: Compliance and Logging (Datatilsynet)
In Norway, under the Personal Data Act (Personopplysningsloven), you have responsibilities regarding logs. You need logs to debug security issues, but you shouldn't hoard data forever.
Configure logrotate to keep mail logs manageable. Verify your config:
vi /etc/logrotate.d/syslog
Ensure you are rotating weekly and keeping only 4 weeks of backlogs unless you have a specific legal requirement to keep more. This keeps your /var partition from filling up and crashing the server—a rookie mistake I see too often.
Finalizing the Deployment
Once your config is saved, rebuild the alias map and restart the service.
newaliases
service postfix restart
chkconfig postfix on
Test it immediately using telnet from a remote machine:
telnet mail.yourdomain.no 25
If you see a 220 banner, you are live. If the connection hangs, check your iptables firewall. Ensure port 25 is open.
Why Infrastructure Matters
You can have the perfect config, but if your host has a "dirty" IP range, you are doomed. Large providers often recycle IPs too quickly, meaning you might inherit an IP that was spamming yesterday.
At CoolVDS, we aggressively monitor our IP reputation. We provide clean IPs, low latency to the NIX (Norwegian Internet Exchange), and the dedicated I/O throughput required for serious mail processing. When you are managing critical infrastructure, "good enough" isn't.
Ready to deploy? Spin up a CentOS 5 Xen instance on CoolVDS today and get your mail flowing properly.