Mastering Postfix: A Battle-Hardened Guide to Email Delivery on CentOS 6

Mastering Postfix: Building a Bulletproof Mail Server on CentOS 6

Let’s be honest: running your own mail server is a nightmare. I’ve seen seasoned sysadmins cry because Hotmail blacklisted their IP range for no apparent reason, or because a single compromised WordPress plugin turned their server into a spam cannon. But if you care about data privacy here in Norway and don't want your corporate communications scanned by US giants, you have to do it yourself.

Most VPS providers will hand you a dirty IP address and wish you luck. That’s a recipe for the junk folder. Today, we are going to configure Postfix on CentOS 6.3 the right way. We will cover strict HELO checks, SPF records, and the new standard everyone is talking about: DKIM.

The Prerequisite: A Clean Foundation

Before you even touch yum, check your infrastructure. If your hosting provider oversubscribes their network, the latency jitter will cause timeouts during the SMTP handshake. I’ve moved critical infrastructure to CoolVDS specifically because they enforce strict isolation. Their connectivity to the NIX (Norwegian Internet Exchange) in Oslo ensures your handshake completes before the remote server gets bored and hangs up.

1. Reverse DNS (PTR) is Mandatory

If you don't have a PTR record pointing your IP back to your hostname, you are already spam. Log in to your CoolVDS control panel and set the Reverse DNS for your IP to match your server's FQDN (e.g., mail.example.no).

Step 1: Installation and Basic Configuration

We are sticking to the stock repositories for stability. Stability beats bleeding-edge features when it comes to email.

[root@mail ~]# yum install postfix policycoreutils-python
[root@mail ~]# chkconfig postfix on
[root@mail ~]# service sendmail stop
[root@mail ~]# chkconfig sendmail off

Now, let’s crack open /etc/postfix/main.cf. This file controls the brain of your mail server. Do not rely on the defaults.

# /etc/postfix/main.cf

# Identity
myhostname = mail.example.no
mydomain = example.no
myorigin = $mydomain

# Network
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8

# The most important setting for preventing open relays. Postfix 2.10+ reads
# smtpd_relay_restrictions; the stock CentOS 6 package is Postfix 2.6.6, which
# logs it as an unused parameter and ignores it, so set the same list in
# smtpd_recipient_restrictions as well.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Step 2: Hardening Against Spam

This is where the "Battle-Hardened" part comes in. We need to tell Postfix to be skeptical of incoming connections. Spammers often use botnets with poorly configured network settings. We can exploit that.

Add these lines to your main.cf to force RFC compliance on incoming connections:

# HELO Restrictions
smtpd_helo_required = yes
smtpd_helo_restrictions = 
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

# Sender Restrictions
smtpd_sender_restrictions = 
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

Pro Tip: Be careful with reject_unknown_client_hostname. While it blocks a ton of spam, it also blocks legitimate mail servers with lazy admins who forgot their PTR records. On a business-critical CoolVDS instance, I usually comment this out to avoid false positives, unless I'm under active attack.
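To see what the restriction lists above actually decide, here is an added worked model (my example, not part of the original article and not Postfix's code) that walks a restriction list left to right the way smtpd does and returns the first verdict. It models only the restrictions used in this guide: permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unauth_destination and the trailing permit. The hostname syntax check is a simplification of Postfix's valid_hostname(), and the client IPs and HELO strings are constructed sample values.

```python
import ipaddress
import re

# Constructed sample values mirroring the main.cf in this guide.
MYNETWORKS = ["127.0.0.0/8"]
MYDESTINATION = {"mail.example.no", "localhost.example.no", "localhost", "example.no"}

# Restriction lists as configured above.
HELO_RESTRICTIONS = ["permit_mynetworks", "reject_non_fqdn_helo_hostname",
                     "reject_invalid_helo_hostname", "permit"]
RELAY_RESTRICTIONS = ["permit_mynetworks", "reject_unauth_destination"]

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name):
    """Simplified stand-in for Postfix's valid_hostname(): dot-separated
    well-formed labels, no empty labels, at most 255 characters."""
    if not name or len(name) > 255:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def is_address_literal(name):
    """HELO [192.0.2.1] is an address literal, which the RFC permits."""
    if not (name.startswith("[") and name.endswith("]")):
        return False
    try:
        ipaddress.ip_address(name[1:-1])
        return True
    except ValueError:
        return False


def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in MYNETWORKS)


def evaluate(restrictions, client_ip, helo, rcpt_domain=None):
    """Return the first decision reached: 'permit' or 'reject: <reason>'.
    Like smtpd, stop at the first restriction that permits or rejects."""
    for r in restrictions:
        if r == "permit":
            return "permit"
        if r == "permit_mynetworks":
            if in_mynetworks(client_ip):
                return "permit"
        elif r == "reject_non_fqdn_helo_hostname":
            # Must be an address literal or a syntactically valid name with a domain part.
            if not is_address_literal(helo) and (
                    not is_valid_hostname(helo) or "." not in helo):
                return "reject: need fully-qualified hostname"
        elif r == "reject_invalid_helo_hostname":
            if not is_address_literal(helo) and not is_valid_hostname(helo):
                return "reject: invalid HELO hostname"
        elif r == "reject_unauth_destination":
            # Relay only to domains we are the destination for.
            if rcpt_domain not in MYDESTINATION:
                return "reject: relay access denied"
        else:
            raise ValueError("restriction not modelled here: " + r)
    return "permit"  # implicit default when the list runs out


if __name__ == "__main__":
    for ip, helo in [("198.51.100.7", "PC-123"), ("198.51.100.7", "mx1.example.org"),
                     ("198.51.100.7", "[198.51.100.7]"), ("127.0.0.1", "localhost")]:
        print(ip, helo, "->", evaluate(HELO_RESTRICTIONS, ip, helo))
    print("relay to other.example.com from outside ->",
          evaluate(RELAY_RESTRICTIONS, "198.51.100.7", "mx1.example.org", "other.example.com"))
```

Note the ordering effect: because permit_mynetworks comes first, a local process saying HELO localhost is never subjected to the FQDN check, while an outside client announcing itself as PC-123 is rejected before the trailing permit is reached.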

Step 3: Implementing DKIM with OpenDKIM

Sender Policy Framework (SPF) is standard, but DomainKeys Identified Mail (DKIM) is what separates the professionals from the amateurs in 2012. It cryptographically signs your emails so the receiver knows they weren't tampered with.

First, install the EPEL repository to get OpenDKIM, as it's not in the base CentOS repo:

[root@mail ~]# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
[root@mail ~]# yum install opendkim

Configure /etc/opendkim.conf:

Mode    sv
Socket  inet:8891@localhost
Domain  example.no
KeyFile /etc/opendkim/keys/default.private
Selector default
AutoRestart Yes

Generate your keys:

[root@mail ~]# mkdir /etc/opendkim/keys
[root@mail ~]# opendkim-genkey -D /etc/opendkim/keys/ -d example.no -s default
[root@mail ~]# chown -R opendkim:opendkim /etc/opendkim/keys

Finally, tell Postfix about this milter (mail filter) in main.cf:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
milter_default_action = accept
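The point of the milter is that the receiver can recompute the body hash (the bh= tag of the DKIM-Signature header) and check it against what was signed. Here is an added example (mine, not code from the article or from OpenDKIM) that implements the two body canonicalizations from RFC 6376 section 3.4 and the body hash with the Python standard library only; OpenDKIM's default is the simple canonicalization. The sample bodies are constructed, and the first one is the RFC's own canonicalization example. Remember to also publish the TXT record that opendkim-genkey writes to default.txt at default._domainkey.example.no, or receivers have no public key to verify against.

```python
import base64
import hashlib
import re


def canonicalize_body(body, algorithm="simple"):
    """Return the body bytes that DKIM actually hashes (RFC 6376, 3.4.3/3.4.4).
    simple:  trailing empty lines are reduced to a single CRLF; an empty body
             canonicalizes to exactly CRLF.
    relaxed: additionally strip trailing whitespace on every line, collapse
             runs of spaces/tabs to one space, and drop trailing empty lines."""
    lines = body.split(b"\r\n")
    if algorithm == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    elif algorithm != "simple":
        raise ValueError("unknown canonicalization: " + algorithm)
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n" if algorithm == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, algorithm="simple"):
    """bh= value: base64(SHA-256(canonicalized body)), as in a=rsa-sha256."""
    digest = hashlib.sha256(canonicalize_body(body, algorithm)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(body, claimed_bh, algorithm="simple"):
    """What a receiver does first: recompute bh= from the body it received
    and compare with the signer's value. Any edit to the body fails this."""
    return body_hash(body, algorithm) == claimed_bh


if __name__ == "__main__":
    rfc_example = b" C \r\nD \t E\r\n\r\n\r\n"          # constructed: RFC 6376 example body
    print("simple :", canonicalize_body(rfc_example, "simple"))
    print("relaxed:", canonicalize_body(rfc_example, "relaxed"))
    original = b"Invoice attached.\r\n"                   # constructed sample body
    bh = body_hash(original)
    print("bh=", bh)
    tampered = b"Invoice attached. Pay to the new account.\r\n"
    print("original verifies:", verify_body_hash(original, bh))
    print("tampered verifies:", verify_body_hash(tampered, bh))
```

The header hash and RSA signature over it (the b= tag) are what OpenDKIM adds on top of this; the body hash alone already shows why a relay that appends a footer or rewraps lines breaks DKIM under simple canonicalization, and why relaxed tolerates whitespace changes but nothing else.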

The Storage Bottleneck

Here is a scenario I faced last month: A client's marketing campaign triggered 50,000 emails in an hour. On a standard VPS with spinning rust (HDD), the I/O wait spiked, the mail queue backed up, and Postfix started dropping connections. It was a disaster.

Disk I/O is the silent killer of mail servers. Postfix writes to the queue directory extensively. If your disk latency is high, your delivery speed tanks. This is why I deploy on CoolVDS. Their storage backend uses high-performance RAID arrays that handle random writes significantly better than standard budget VPS hosts. You get near-bare-metal performance without the dedicated server price tag.

Legal Compliance: Datatilsynet is Watching

Operating in Norway means adhering to the Personopplysningsloven (Personal Data Act). If you host email for clients, you are processing personal data. By hosting on a Norwegian VPS like CoolVDS, you ensure data residency remains within the Kingdom, simplifying your compliance with local regulations compared to hosting in a US-based cloud.

Final Verification

Restart everything and tail the logs. If you don't watch the logs, you're flying blind.

[root@mail ~]# service opendkim start
[root@mail ~]# service postfix restart
[root@mail ~]# tail -f /var/log/maillog
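Watching the log is only useful if you know what to look for. As an added example (mine, not from the article), the script below summarizes /var/log/maillog lines from the restrictions and milter configured above: it counts smtpd rejections by reason and by client, records which queue IDs OpenDKIM signed, and flags delivered messages that never got a DKIM-Signature, which is what you see when the milter is down and milter_default_action = accept lets mail out unsigned. The log lines are constructed samples in the standard Postfix and OpenDKIM formats; the IPs, hostnames and queue IDs are made up.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt (not from a real server).
MAILLOG = """\
Nov 12 10:00:01 mail postfix/smtpd[2101]: connect from unknown[198.51.100.7]
Nov 12 10:00:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <PC-123>: Helo command rejected: need fully-qualified hostname; from=<promo@example.org> to=<bob@example.no> proto=ESMTP helo=<PC-123>
Nov 12 10:00:02 mail postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mx1.example.org[203.0.113.5]: 554 5.7.1 <alice@other.example.com>: Relay access denied; from=<x@example.org> to=<alice@other.example.com> proto=ESMTP helo=<mx1.example.org>
Nov 12 10:00:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 4.1.8 <news@nonexistent.invalid>: Sender address rejected: Domain not found; from=<news@nonexistent.invalid> to=<bob@example.no> proto=ESMTP helo=<mail.example.org>
Nov 12 10:00:04 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <WORKSTATION>: Helo command rejected: need fully-qualified hostname; from=<promo@example.org> to=<carol@example.no> proto=ESMTP helo=<WORKSTATION>
Nov 12 10:00:05 mail postfix/pickup[1990]: 7A1B2C3D4E: uid=500 from=<bob>
Nov 12 10:00:05 mail opendkim[1875]: 7A1B2C3D4E: DKIM-Signature field added (s=default, d=example.no)
Nov 12 10:00:06 mail postfix/smtp[2110]: 7A1B2C3D4E: to=<someone@gmail.com>, relay=mx.example.net[203.0.113.27]:25, delay=1.2, delays=0.1/0.02/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov 12 10:02:10 mail postfix/pickup[1990]: 8B2C3D4E5F: uid=500 from=<bob>
Nov 12 10:02:11 mail postfix/smtp[2110]: 8B2C3D4E5F: to=<someone@gmail.com>, relay=mx.example.net[203.0.113.27]:25, delay=0.9, delays=0.1/0.01/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) \S+ <[^>]*>: (?P<reason>[^;]+);.*helo=<(?P<helo>[^>]*)>")
DKIM_RE = re.compile(
    r"opendkim\[\d+\]: (?P<qid>[0-9A-F]+): DKIM-Signature field added "
    r"\(s=(?P<sel>[^,]+), d=(?P<dom>[^)]+)\)")
SENT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>,.*status=(?P<status>\w+)")


def summarize(log_text):
    """Parse maillog text and return rejection counts, signed queue IDs,
    delivered messages, and delivered messages that were never signed."""
    rejects_by_reason = Counter()
    reject_clients = Counter()
    signed = {}
    sent = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects_by_reason[m.group("reason")] += 1
            reject_clients[m.group("client")] += 1
            continue
        m = DKIM_RE.search(line)
        if m:
            signed[m.group("qid")] = (m.group("sel"), m.group("dom"))
            continue
        m = SENT_RE.search(line)
        if m and m.group("status") == "sent":
            sent.append((m.group("qid"), m.group("rcpt")))
    return {
        "rejects_by_reason": dict(rejects_by_reason),
        "top_reject_clients": reject_clients.most_common(),
        "signed": signed,
        "sent": sent,
        # Outbound mail that left without a DKIM signature: the milter was not running.
        "sent_unsigned": [qid for qid, _ in sent if qid not in signed],
    }


if __name__ == "__main__":
    s = summarize(MAILLOG)
    for reason, n in s["rejects_by_reason"].items():
        print("%3d  %s" % (n, reason))
    print("noisiest clients:", s["top_reject_clients"][:3])
    print("signed:", sorted(s["signed"]))
    print("delivered without DKIM signature:", s["sent_unsigned"])
```

Run it against a real log with `summarize(open("/var/log/maillog").read())`; a non-empty sent_unsigned list after a restart is the first thing to check, since it means OpenDKIM was not listening on port 8891 when Postfix wanted to sign.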

Send an email to a Gmail account and check the headers (