You Can't Outrun a Bad IP Reputation
Let's be brutally honest: most of you shouldn't be running your own mail server. It's a thankless job filled with blacklist monitoring, log parsing, and fighting off script kiddies trying to turn your box into a spam cannon. But if you are reading this on New Year's Eve 2012, you probably have a requirement that GMail or Exchange just can't meet. Maybe it's data sovereignty under Norway's Personopplysningsloven, or maybe you just refuse to pay per-user licensing fees.
I've spent the last six months cleaning up a disaster left by a junior admin who configured a default Postfix install on a cheap, oversold VPS in Germany. The result? The IP was blacklisted by Spamhaus within 48 hours. If you are serious about delivery, you need clean infrastructure and a configuration that screams "I know what I'm doing" to receiving MTAs.
This guide isn't about setting up a webmail UI. This is about the engine. We are going to configure Postfix on CentOS 6.3 to be secure, fast, and compliant.
1. The Foundation: DNS and Hostname
Before you even install a package, look at your DNS. If your Forward DNS (A record) doesn't match your Reverse DNS (PTR), you are dead on arrival. Telenor and Altibox will drop your packets before they even scan them.
Pro Tip: Most budget providers lock your PTR record. You have to open a ticket and wait three days. On CoolVDS, we give you full control over your rDNS in the control panel. If you provision a KVM slice today, you can set the PTR in 30 seconds. Do not skip this.
Set your hostname properly. Do not use 'localhost' or just your domain name. Use a proper subdomain.
[root@mail ~]# hostname mail.yourdomain.no
[root@mail ~]# vi /etc/sysconfig/network
HOSTNAME=mail.yourdomain.no
2. Installing and Configuring Postfix
Remove Sendmail if it's lingering. It's 2012; we don't need that complexity anymore.
[root@mail ~]# yum remove sendmail
[root@mail ~]# yum install postfix
[root@mail ~]# alternatives --set mta /usr/sbin/sendmail.postfix
Now, let's open /etc/postfix/main.cf. This is where the magic happens. I'm going to give you the settings that actually matter for a dedicated mail server.
# /etc/postfix/main.cf
# IDENTITY
myhostname = mail.yourdomain.no
mydomain = yourdomain.no
myorigin = $mydomain
# NETWORK
inet_interfaces = all
inet_protocols = ipv4
# Be very careful here. Trust only localhost unless you know exactly what you are doing.
mynetworks = 127.0.0.0/8
# DELIVERY
home_mailbox = Maildir/
# RESTRICTIONS (The Security Layer)
smtpd_helo_required = yes
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
# Evaluated top to bottom; the first permit or reject that matches decides.
# Our own clients get through, then anything with a bogus HELO or an
# unresolvable recipient domain is rejected, and reject_unauth_destination
# stops us relaying for any domain we don't host.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    permit
The smtpd_recipient_restrictions block is your firewall against becoming an open relay. The order matters: we permit our own networks and authenticated users first, then we start rejecting garbage, and reject_unauth_destination is the line that actually refuses to relay, so the final permit is only ever reached by mail addressed to domains we host.
3. Fighting Spam: SPF and DKIM
In 2012, you cannot survive on IP reputation alone. You need Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). While DMARC is the new kid on the block, getting SPF and DKIM right is the current standard.
Setting up SPF
This is a DNS TXT record. It tells the world which IPs are allowed to send mail for you. If you are hosting on a CoolVDS instance, your record should look like this:
yourdomain.no. IN TXT "v=spf1 mx a ip4:192.0.2.10 -all"
The -all at the end is a hard fail. It tells receivers: "If the mail didn't come from one of these sources, reject it."
Setting up DKIM with OpenDKIM
DKIM adds a cryptographic signature over selected headers and the body of each message, verifiable against a public key you publish in DNS. A receiver that checks it knows the message was authorised by your domain and that the signed parts were not altered in transit.
[root@mail ~]# yum install opendkim
[root@mail ~]# vi /etc/opendkim.conf
# /etc/opendkim.conf
# sv = sign our outbound mail AND verify inbound. The packaged default of
# "Mode v" only verifies, so nothing you send would ever carry a signature.
Mode sv
Canonicalization relaxed/relaxed
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
Generate your keys:
[root@mail ~]# mkdir /etc/opendkim/keys/yourdomain.no
[root@mail ~]# opendkim-genkey -D /etc/opendkim/keys/yourdomain.no/ -d yourdomain.no -s default
[root@mail ~]# chown -R opendkim:opendkim /etc/opendkim/keys
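The opendkim.conf above points at three tables that still have to be filled in, and Postfix has to be told to hand mail to the milter. This is an added example, not code from the post: it assumes the key generated above, that opendkim.conf keeps the EPEL package's Socket inet:8891@localhost, and a ROOT staging prefix (an assumption of this script, empty for the live system).

```shell
# Added example (not from the post): populate the OpenDKIM tables and wire
# Postfix to the milter. ROOT is a staging prefix; "" means the live box.
ROOT=${ROOT:-}
DOMAIN=yourdomain.no
SELECTOR=default
MAILHOST=mail.yourdomain.no

write_dkim_tables() {
  d="$ROOT/etc/opendkim"
  mkdir -p "$d"
  # KeyTable: signing key name -> domain:selector:path of the private key
  echo "$SELECTOR._domainkey.$DOMAIN $DOMAIN:$SELECTOR:/etc/opendkim/keys/$DOMAIN/$SELECTOR.private" > "$d/KeyTable"
  # SigningTable (refile: = glob): every sender at our domain signs with that key
  echo "*@$DOMAIN $SELECTOR._domainkey.$DOMAIN" > "$d/SigningTable"
  # TrustedHosts: mail from these sources is signed (InternalHosts) and not
  # verified (ExternalIgnoreList). Never list anything you don't fully control.
  printf '127.0.0.1\nlocalhost\n%s\n' "$MAILHOST" > "$d/TrustedHosts"
}

wire_postfix_milter() {
  cf="$ROOT/etc/postfix/main.cf"
  mkdir -p "${cf%/*}"
  cat >> "$cf" <<'EOF'
# OpenDKIM: sign outbound, verify inbound, for smtpd and for local/pickup mail
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
# accept = mail still flows (unsigned) if opendkim is down; use tempfail
# if an unsigned outbound message is worse for you than a delayed one
milter_default_action = accept
EOF
}

# Apply on the live box: sh dkim-wire.sh --apply
if [ "${1:-}" = "--apply" ]; then
  write_dkim_tables && wire_postfix_milter
  chkconfig opendkim on && service opendkim start && postfix reload
fi
```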
opendkim-genkey writes two files into that directory: default.private, the signing key, which stays on the server, and default.txt, which holds the TXT record for default._domainkey.yourdomain.no. Publish that record in your DNS. This is non-negotiable for delivering to Yahoo or Hotmail.
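Before trusting any of the DNS work from sections 1 and 3, check it from the outside the way a receiving MTA would. This is an added example, not part of the original post; it assumes dig from bind-utils and the hostname, IP, domain and selector used above. The SPF check goes slightly beyond the text in also rejecting a domain that publishes more than one v=spf1 record, which receivers treat as a permanent error.

```shell
# Added example (not from the post): go-live DNS preflight; needs dig from bind-utils.

# 1. Forward-confirmed reverse DNS: A(host) -> ip and PTR(ip) -> host.
check_fcrdns() {
  host=$1; ip=$2
  fwd=$(dig +short A "$host" | head -n 1)
  rev=$(dig +short -x "$ip" | head -n 1 | sed 's/\.$//')
  [ "$fwd" = "$ip" ] || { echo "FAIL: A $host is '$fwd', expected $ip"; return 1; }
  [ "$rev" = "$host" ] || { echo "FAIL: PTR $ip is '$rev', expected $host"; return 1; }
  echo "OK: FCrDNS $host <-> $ip"
}

# 2. SPF: exactly one v=spf1 record, naming our IP and ending in a hard fail.
check_spf() {
  domain=$1; ip=$2
  spf=$(dig +short TXT "$domain" | tr -d '"' | grep '^v=spf1')
  n=$(printf '%s\n' "$spf" | grep -c '^v=spf1')
  [ "$n" -eq 1 ] || { echo "FAIL: $domain publishes $n SPF records, need 1"; return 1; }
  case " $spf " in
    *" ip4:$ip "*|*" ip4:$ip/"*) ;;
    *) echo "FAIL: SPF for $domain does not list ip4:$ip"; return 1 ;;
  esac
  case "$spf" in
    *" -all") echo "OK: SPF $domain: $spf" ;;
    *) echo "FAIL: SPF for $domain must end in -all, got: $spf"; return 1 ;;
  esac
}

# 3. DKIM: the selector record taken from default.txt must be published.
check_dkim() {
  domain=$1; selector=$2
  rec=$(dig +short TXT "$selector._domainkey.$domain" | tr -d '"')
  case "$rec" in
    *v=DKIM1*p=*) echo "OK: DKIM key published at $selector._domainkey.$domain" ;;
    *) echo "FAIL: no DKIM1 record at $selector._domainkey.$domain"; return 1 ;;
  esac
}

# Run all three; non-zero exit if anything failed.
preflight() {   # host ip domain selector
  rc=0
  check_fcrdns "$1" "$2" || rc=1
  check_spf "$3" "$2" || rc=1
  check_dkim "$3" "$4" || rc=1
  return $rc
}

# Usage: sh preflight.sh mail.yourdomain.no 192.0.2.10 yourdomain.no default
if [ $# -eq 4 ]; then preflight "$@"; fi
```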
4. Storage Performance and I/O Wait
Here is a technical reality check. Postfix is I/O intensive. Every email that comes in hits the disk multiple times: receiving, queueing, processing, and writing to the Maildir. If you are running this on a shared hosting plan with mechanical SATA drives and 50 other noisy neighbors, your mail queue will back up.
| Resource | Impact on Postfix | CoolVDS Advantage |
|---|---|---|
| RAM | Used for caching and SpamAssassin scoring. | Dedicated RAM allocation (no ballooning). |
| Disk I/O | Critical for queue speed and log writing. | Low-latency RAID-10 storage arrays. |
| CPU | Used for crypto (TLS/DKIM) and virus scanning. | Xeon processors with dedicated cores available. |
We see this constantly with customers migrating from budget US hosts. They have high "CPU Steal" time because the host node is overloaded. Postfix processes hang, timeouts occur, and sending servers retry later. This increases latency. On CoolVDS, we use KVM virtualization to ensure your disk I/O is yours. When you write a log entry, it writes.
5. The Norwegian Context: Privacy & Speed
Hosting email outside of Norway introduces legal complexity. The Datatilsynet (Data Protection Authority) is rigorous. If you are handling customer data, keep it within the borders. Furthermore, latency matters for IMAP connections. If your office is in Oslo, why route your Outlook connection through a datacenter in Amsterdam? A 5ms ping to your mail server makes listing a folder with 10,000 headers feel instantaneous.
Final Verification
Before you go live, telnet into your server from an external machine to test the banner and relay blocking.
$ telnet mail.yourdomain.no 25
Trying 192.0.2.10...
Connected to mail.yourdomain.no.
Escape character is '^]'.
220 mail.yourdomain.no ESMTP Postfix
HELO evil-spammer.com
250 mail.yourdomain.no
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
554 5.7.1 : Relay access denied
If you see "Relay access denied", congratulations. You aren't part of the problem.
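Once the box is live, the same "Relay access denied" line shows up in /var/log/maillog every time a script kiddie tries you, and the log is where you find out who keeps trying. This is an added example, not code from the post: it summarises Postfix's NOQUEUE reject lines by client and by reason, and the log lines used to try it are constructed in the standard smtpd reject format.

```shell
# Added example (not from the post): what to watch in the log after go-live.

# Rejected relay attempts per client IP and HELO name, most frequent first.
relay_denied_report() {   # $1 = path to maillog
  grep 'Relay access denied' "$1" |
    sed -n 's/.*RCPT from [^[]*\[\([0-9a-fA-F.:]*\)\].*helo=<\([^>]*\)>.*/\1 \2/p' |
    sort | uniq -c | sort -rn
}

# Clients with at least $2 rejected relay attempts: hand these to fail2ban or
# an iptables drop rule rather than letting smtpd keep answering them.
relay_abusers() {          # $1 = path to maillog, $2 = threshold
  relay_denied_report "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# How often each restriction in smtpd_recipient_restrictions actually fired:
# Postfix logs "NNN N.N.N <what>: reason; from=<...>" for every reject.
reject_reasons() {         # $1 = path to maillog
  grep 'NOQUEUE: reject:' "$1" |
    sed -n 's/.*: [45][0-9][0-9] [0-9.]* <[^>]*>: \([^;]*\);.*/\1/p' |
    sort | uniq -c | sort -rn
}

# Usage: relay_denied_report /var/log/maillog; relay_abusers /var/log/maillog 10
```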
Configuring a mail server is a rite of passage. It demands precision. If you are ready to build a reputation-based infrastructure on hardware that doesn't choke on I/O, spin up a CoolVDS instance. We provide the clean IP space; you provide the logic.