Ironclad Postfix Configuration: Stop Being Marked as Spam (2009 Edition)

There is nothing—and I mean nothing—more frustrating than configuring a mail server, hitting "send," and watching your critical business emails vanish into the void of a Hotmail or Yahoo junk folder. Or worse, waking up to find your IP address listed on Spamhaus because a PHP script on your server went rogue.

It’s 2009. Setting up an email server is still a rite of passage for any serious Linux administrator, but the rules of engagement have changed. Spammers are smarter, and major ISPs like Telenor are aggressively blocking port 25 on residential lines. You cannot host this from your basement in Oslo anymore.

If you are serious about deliverability, you need a dedicated IP, full reverse DNS (rDNS) control, and a Postfix configuration that treats every incoming connection with suspicion. This guide assumes you are running CentOS 5.3 or Debian 5 (Lenny).

The Prerequisites: Don't Start Without These

Before touching a config file, ensure your infrastructure isn't doomed from the start. Deliverability is 50% reputation and 50% configuration.

  • Clean Static IP: Dynamic IPs are instant spam flags.
  • Reverse DNS (PTR Record): This is non-negotiable. If your forward DNS (mail.example.com) points to 1.2.3.4, then 1.2.3.4 must resolve back to mail.example.com.
  • FQDN (Fully Qualified Domain Name): Your server needs a proper hostname, not just 'localhost'.

Pro Tip: Many budget VPS providers in Norway make you file a support ticket to change your PTR record, which can take 24 hours. At CoolVDS, we give you full control over rDNS in the control panel. You can fix a mismatch in seconds, not days.

Step 1: The Basics (main.cf)

Open your fortress gate. The main configuration file for Postfix is located at /etc/postfix/main.cf.

First, back up the original. Always.

cp /etc/postfix/main.cf /etc/postfix/main.cf.bak

Now, edit the file to establish your identity. Do not rely on auto-detection.

myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

Step 2: The "Paranoid" Restrictions

This is where most admins fail. By default, Postfix is relatively trusting. We want it to be skeptical. We need to reject bad actors during the handshake, before they waste our bandwidth or CPU cycles.

Add or modify these lines in main.cf:

smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    permit

Why these settings matter:

  • reject_non_fqdn_helo_hostname: If a bot connects and says "HELO friend" instead of a proper domain, we drop them.
  • reject_rbl_client zen.spamhaus.org: This queries Spamhaus in real-time. If the sender is a known spammer, we don't even let them send the email body. This saves massive I/O on your server.

Step 3: Storage Performance and Queue Management

Email is I/O intensive. When a spam wave hits, or when you are sending a newsletter to 50,000 users, Postfix is writing to the queue, reading from the queue, writing logs, and updating Dovecot indices simultaneously.

On standard shared hosting, this "I/O wait" is what kills your server. The load average spikes, and legitimate mail gets delayed. This is why we use hardware RAID-10 SAS arrays on all CoolVDS host nodes. We prioritize disk throughput so your mail queue never bottlenecks, even during peak traffic.

Step 4: Fighting the "Open Relay" Nightmare

In the early 2000s, open relays were the scourge of the internet. Today, they are a fast track to getting your server IP blacklisted globally. Ensure your mynetworks setting is strictly defined.

mynetworks = 127.0.0.0/8 [::1]/128

Do not add 0.0.0.0/0 here unless you want to become a spam hub for the entire planet.
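A quick audit of the settings from Steps 1, 2 and 4, as an added example that is not part of the original post: it reads a main.cf the way Postfix does (continuation lines indented with whitespace) and flags the mistakes the guide warns about, a recipient restriction list without reject_unauth_destination or a Spamhaus lookup, and a mynetworks that relays for everyone. The sample main.cf is constructed, and cf_get, has_item, cf_audit and cf_failures are names chosen here, not Postfix tools.

```shell
#!/bin/sh
# Added example, not from the original post: audit a main.cf for the settings Steps 1, 2 and 4
# insist on. Assumes Postfix syntax (key = value, continuation lines indented); sample is constructed.
SAMPLE_CF=$(mktemp)
trap 'rm -f "$SAMPLE_CF"' EXIT
cat > "$SAMPLE_CF" <<'EOF'
myhostname = mail.example.com
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    permit
mynetworks = 127.0.0.0/8 [::1]/128 0.0.0.0/0
EOF
# cf_get FILE KEY: print KEY's value, joining indented continuation lines as Postfix does (empty if unset).
cf_get() {
    awk -v key="$2" '
        /^[[:space:]]/ { if (found) { sub(/^[[:space:]]+/, " "); val = val $0 }; next }
        found { exit }
        $0 ~ "^" key "[[:space:]]*=" { found = 1; sub(/^[^=]*=[[:space:]]*/, ""); val = $0 }
        END { print val }
    ' "$1"
}
# has_item LIST ITEM: true if ITEM is a whole entry of a comma/space separated restriction list.
has_item() {
    case ",$(printf '%s' "$1" | tr -s ' ,' ',,')," in *",$2,"*) return 0 ;; esac
    return 1
}
# cf_audit FILE: print one OK/FAIL line per check; always exits 0.
cf_audit() {
    if [ "$(cf_get "$1" smtpd_helo_required)" = "yes" ]; then echo "OK   smtpd_helo_required = yes"
    else echo "FAIL smtpd_helo_required must be yes"; fi
    rr=$(cf_get "$1" smtpd_recipient_restrictions)
    for want in reject_unauth_destination reject_rbl_client; do
        if has_item "$rr" "$want"; then echo "OK   $want is in smtpd_recipient_restrictions"
        else echo "FAIL smtpd_recipient_restrictions lacks $want"; fi
    done
    mn=$(cf_get "$1" mynetworks)
    case ",$(printf '%s' "$mn" | tr -s ' ,' ',,')," in
        *",0.0.0.0/0,"*|*"/0,"*) echo "FAIL mynetworks relays for the whole planet: $mn" ;;
        *) echo "OK   mynetworks = $mn" ;;
    esac
}
# cf_failures FILE: print the number of FAIL lines (0 means the file passes the audit).
cf_failures() { cf_audit "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'; }
cf_audit "$SAMPLE_CF"
```

Point it at your real file with cf_audit /etc/postfix/main.cf once the functions are sourced; the constructed sample above fails three of the four checks.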

Local Compliance: Datatilsynet and Privacy

Operating in Norway or the EU implies strict adherence to privacy laws (Personopplysningsloven). While we aren't at the level of encrypting everything at rest just yet, you should ensure your logs are rotated strictly and access is limited. Hosting on a VPS within the EEA (like our Oslo or Amsterdam datacenters) ensures you aren't sending sensitive customer data across the Atlantic unnecessarily.

Conclusion: Test, Test, Test

Once configured, restart Postfix:

/etc/init.d/postfix restart

Don't just assume it works. Telnet to your server from an external machine:

telnet mail.yourdomain.com 25

If you get a connection refused, check your iptables firewall. If you get the 220 greeting banner, try sending a mail to an external domain. Watch /var/log/maillog like a hawk.
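To make "watching the maillog" concrete, here is an added example (not from the original post) that summarises the NOQUEUE reject lines Postfix writes when the Step 2 restrictions fire, once by restriction and once by client IP. The log lines are constructed in the stock Postfix 2.x syslog format, and reject_reasons and reject_clients are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: summarise smtpd rejections in a Postfix maillog
# so you can see which restriction fired and from which clients. Assumes the stock syslog
# line format of Postfix 2.x; the log lines below are constructed, not captured.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 09:12:01 mail postfix/smtpd[2211]: connect from unknown[192.0.2.10]
Mar 10 09:12:02 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<bulk@example.net> to=<sales@example.com> proto=ESMTP helo=<friend>
Mar 10 09:12:03 mail postfix/smtpd[2211]: disconnect from unknown[192.0.2.10]
Mar 10 09:15:44 mail postfix/smtpd[2230]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <friend>: Helo command rejected: need fully-qualified hostname; from=<a@example.org> to=<bob@example.com> proto=SMTP helo=<friend>
Mar 10 09:16:10 mail postfix/smtpd[2230]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.2 <bob@nxdomain.invalid>: Recipient address rejected: Domain not found; from=<a@example.org> to=<bob@nxdomain.invalid> proto=SMTP helo=<mx.example.org>
Mar 10 09:20:00 mail postfix/smtpd[2241]: 7F3A2C0A1: client=mx1.example.org[203.0.113.5]
EOF
# reject_reasons LOG: count rejections per normalised reason, most frequent first. Per-message
# parts (<address>, [ip], the trailing from=/to=) are stripped so one restriction gives one line.
# Note: with smtpd_delay_reject = yes, a bad HELO is logged at the RCPT stage, as in line 4 above.
reject_reasons() {
    awk '/postfix\/smtpd\[[0-9]+\]: NOQUEUE: reject:/ {
            r = $0
            sub(/^.*: [45][0-9][0-9] [45]\.[0-9]+\.[0-9]+ /, "", r)        # drop up to the status code
            sub(/; from=.*$/, "", r)                                       # drop envelope details
            sub(/^<[^>]*>: /, "", r)                                       # drop "<addr>: " / "<helo>: "
            sub(/^Service unavailable; /, "", r); sub(/ \[[^]]*\]/, "", r) # RBL lines: drop client IP
            n[r]++
        }
        END { for (r in n) print n[r] "\t" r }' "$1" | sort -rn
}
# reject_clients LOG: count rejections per client IP, most frequent first.
reject_clients() {
    awk '/NOQUEUE: reject:/ && match($0, /from [^[]*\[[^]]*\]/) {
            ip = substr($0, RSTART, RLENGTH); sub(/^.*\[/, "", ip); sub(/\]$/, "", ip); n[ip]++
        }
        END { for (ip in n) print n[ip] "\t" ip }' "$1" | sort -rn
}
echo "Rejections by reason:";  reject_reasons "$SAMPLE_LOG"
echo "Rejections by client:";  reject_clients "$SAMPLE_LOG"
```

On a live box, replace the sample with /var/log/maillog; a single client topping the second list is usually a bot worth a firewall rule, while a legitimate sender stuck on the first list tells you which restriction is too strict.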

Building a mail server is hard work, but the stability is worth it. If you are tired of fighting for resources on oversold shared hosting, it's time to move to a platform built for sysadmins. Deploy a CentOS CoolVDS instance today and get full root access in under 60 seconds.