Postfix Configuration Guide: Hardening Email for Norwegian Business
Let’s be honest: configuring a mail server is usually a nightmare. You spend hours tweaking main.cf, only to find your critical invoices landing in a client's Junk folder because some script kiddie on the same subnet decided to blast out Viagra ads. I've seen it happen too many times.
If you are serious about business communication in 2009, you cannot rely on shared hosting. You need your own dedicated IP, a robust MTA (Mail Transfer Agent), and a configuration that screams "legitimate" to every spam filter from Outlook to Gmail. We are going to set up Postfix—the reliable workhorse of the internet—on a standard Linux VPS.
The Prerequisite: A Clean Reputation
Before you even touch the terminal, you need to understand the infrastructure. The number one reason for delivery failure isn't a bad config; it's a dirty IP address. If you spin up a server on a bargain-bin provider, you inherit the reputation of the previous user.
Required Network Hygiene:
- Dedicated IP: Shared IPs are death for email deliverability.
- rDNS (PTR Record): This is non-negotiable. If a receiving server does a reverse lookup on your IP and it returns ip-123-123.generic-isp.net instead of mail.yourdomain.no, you look like a botnet.
- Low Latency: For local businesses, routing through NIX (Norwegian Internet Exchange) in Oslo ensures your SMTP handshake doesn't time out during high-load periods.
Pro Tip: At CoolVDS, we enforce strict anti-spam policies to keep our IP ranges clean. Plus, our control panel allows instant PTR record updates—something most providers still make you open a support ticket for. Email requires trust, and we provide the foundation.
Step 1: The Base Installation
I’m assuming you are running a stable distribution like CentOS 5 or Debian Lenny. Sendmail is archaic and Qmail is a pain to patch. Postfix is modular, secure by default, and fast.
On Debian/Ubuntu:
apt-get update
apt-get install postfix
On CentOS/RHEL:
yum install postfix
alternatives --set mta /usr/sbin/sendmail.postfix
Step 2: The main.cf Surgery
Open /etc/postfix/main.cf. This is the brain of your server. We need to set the identity and lock down the relay to prevent becoming a spam gateway ourselves.
# reliable identity
myhostname = mail.yourcompany.no
mydomain = yourcompany.no
myorigin = $mydomain
# strictly limit who can send mail through us
mynetworks = 127.0.0.0/8 [::1]/128
inet_interfaces = all
inet_protocols = all
# use Maildir format (it handles thousands of files better than mbox)
home_mailbox = Maildir/
The "War Story": Why mynetworks Matters
In a project last year for a retail client in Bergen, a junior admin accidentally added the VPS public subnet to mynetworks. Within 4 hours, the server was hijacked to relay 200,000 phishing emails. The IP got blacklisted by Spamhaus, and it took us two weeks to get delisted. Do not trust external networks. Only trust localhost.
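A check for the mistake in this war story, as an added example that is not part of the original article: it parses main.cf, joining continuation lines the way Postfix does, and reports every mynetworks entry that trusts more than loopback. The sample file, the 198.51.100.0/24 subnet and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the article's settings plus the war-story mistake.
# 198.51.100.0/24 is a documentation range standing in for the VPS subnet.
SAMPLE_MAIN_CF = """\
# reliable identity
myhostname = mail.yourcompany.no
mynetworks = 127.0.0.0/8 [::1]/128
    198.51.100.0/24
inet_interfaces = all
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines as Postfix does."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank and comment lines are skipped
        if raw[0] in " \t" and current:       # leading whitespace continues a value
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()       # a later setting replaces an earlier one
    return params

def risky_mynetworks(text):
    """List mynetworks entries that trust more than the loopback interface."""
    params = parse_main_cf(text)
    if "mynetworks" not in params:
        # Without an explicit list Postfix derives one from mynetworks_style.
        return ["(mynetworks unset: mynetworks_style applies)"]
    risky = []
    for entry in params["mynetworks"].replace(",", " ").split():
        try:
            # Postfix writes IPv6 networks as [addr]/len; drop the brackets.
            net = ipaddress.ip_network(entry.strip("[").replace("]", ""), strict=False)
        except ValueError:
            risky.append(entry)               # table or file reference: review by hand
            continue
        if not net.is_loopback:
            risky.append(entry)
    return risky

if __name__ == "__main__":
    print(risky_mynetworks(SAMPLE_MAIN_CF))
```

Run it against the real file by passing the contents of /etc/postfix/main.cf; an empty list means only localhost is trusted.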
Step 3: Fight Spam or Die Trying
You need to reject bad mail before it even hits your disk. This saves CPU cycles and I/O—crucial if you aren't running on high-end SAS RAID arrays (though our CoolVDS instances handle high I/O loads effortlessly).
Add these restrictions to main.cf to force other servers to play by the rules:
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
Using Real-time Blackhole Lists (RBLs) like Spamhaus is your first line of defense. It offloads the decision-making to the global community.
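What a reject_rbl_client lookup does on the wire, as an added example that is not part of the original article: the client IP is reversed, the list's zone is appended, and the A-record answer is classified. The resolver is a constructed in-memory table (203.0.113.7 and 198.51.100.20 are documentation addresses) and the function names are hypothetical.

```python
import ipaddress

# Constructed answers standing in for live DNS so the example runs offline.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],         # conventional DNSBL test entry
    "7.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # error code, not a listing
    "20.100.51.198.bl.spamcop.net": ["203.0.113.99"],     # wildcard answer from a dead zone
}

def fake_resolve(name):
    """Return the A records for name; an empty list models NXDOMAIN."""
    return FAKE_DNS.get(name, [])

def dnsbl_query_name(client_ip, zone):
    """Build the name looked up for client_ip in zone (IPv4 octets or IPv6 nibbles)."""
    ptr = ipaddress.ip_address(client_ip).reverse_pointer
    reversed_labels = ptr.rsplit(".", 2)[0]   # drop the in-addr.arpa / ip6.arpa suffix
    return f"{reversed_labels}.{zone}"

def dnsbl_verdict(client_ip, zone, resolve_a=fake_resolve):
    """Classify the DNSBL answer as not listed, listed, error or unexpected."""
    answers = [ipaddress.ip_address(a) for a in resolve_a(dnsbl_query_name(client_ip, zone))]
    if not answers:
        return "not listed"
    # Spamhaus answers 127.255.255.x when the query itself was refused
    # (for example, sent through a public resolver); that is not a listing.
    if any(a in ipaddress.ip_network("127.255.255.0/24") for a in answers):
        return "error"
    # Real listings are returned as addresses inside 127.0.0.0/8.
    if all(a in ipaddress.ip_network("127.0.0.0/8") for a in answers):
        return "listed"
    return "unexpected"

if __name__ == "__main__":
    for ip, zone in [("127.0.0.2", "zen.spamhaus.org"), ("203.0.113.7", "zen.spamhaus.org"),
                     ("198.51.100.20", "bl.spamcop.net"), ("192.0.2.10", "zen.spamhaus.org")]:
        print(ip, zone, dnsbl_verdict(ip, zone))
```

Plain `reject_rbl_client zone`, as configured above, rejects on any A record, so an error or wildcard answer is treated as a listing; Postfix also accepts `reject_rbl_client zone=d.d.d.d` to match one specific reply.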
Step 4: Compliance and Data Sovereignty
Operating in Norway means adhering to Personopplysningsloven (Personal Data Act). Email logs contain personally identifiable information (PII). When you host your mail server on a US-based cloud, you are entering a legal grey area regarding data export.
By hosting on CoolVDS servers located physically in Oslo, you simplify compliance with the Data Inspectorate (Datatilsynet). Your data stays on Norwegian soil, protected by Norwegian law, not subject to the Patriot Act.
Step 5: SPF Records (The ID Card)
Finally, tell the world which IPs are allowed to send email for your domain. This is done via a TXT record in your DNS.
yourcompany.no. IN TXT "v=spf1 mx a:mail.yourcompany.no ip4:89.x.x.x -all"
The -all at the end is a hard fail. It tells receivers: "If the mail didn't come from these IPs, delete it." It's aggressive, but it prevents spoofing.
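How a receiver evaluates that record, as an added example that is not part of the original article: terms are tested left to right and the first match decides the result. DNS is a constructed in-memory table, 192.0.2.26 stands in for the article's elided 89.x.x.x address, and only the mechanisms used in the record above (mx, a, ip4/ip6, all) are implemented.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline.
ZONE = {
    ("yourcompany.no", "TXT"): ["v=spf1 mx a:mail.yourcompany.no ip4:192.0.2.26 -all"],
    ("yourcompany.no", "MX"): ["mail.yourcompany.no"],
    ("mail.yourcompany.no", "A"): ["192.0.2.25"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Return the constructed records for (name, type); [] when there are none."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])

def mechanism_matches(mech, arg, domain, ip):
    """True when the connecting ip satisfies one SPF mechanism."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    # "a" tests the named host; "mx" tests every mail exchanger of the domain.
    hosts = [arg or domain] if mech == "a" else lookup(arg or domain, "MX")
    return any(ip == ipaddress.ip_address(a) for h in hosts for a in lookup(h, "A"))

def check_spf(sender_ip, domain):
    """Evaluate the domain's SPF record for sender_ip and return the result name."""
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"   # more than one record is an error
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"   # no qualifier means "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech not in ("all", "a", "mx", "ip4", "ip6"):
            raise ValueError(f"term not handled in this example: {term}")
        if mechanism_matches(mech, arg, domain, ip):
            return RESULTS[qualifier]
    return "neutral"   # nothing matched and the record has no "all"

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "198.51.100.9"):
        print(ip, check_spf(ip, "yourcompany.no"))
```

A `fail` result is what `-all` hands the receiver; whether the message is rejected, quarantined or only scored is the receiver's policy.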
Performance Note: Storage I/O
Email involves thousands of tiny writes to the disk. Standard SATA drives often choke when the mail queue fills up (the "iowait" bottleneck). While many hosts oversell their storage, CoolVDS uses high-performance RAID arrays designed to handle the random write patterns of a busy Maildir system.
Don't let a slow disk kill your response times. If your mail queue is growing faster than it drains, check your I/O stats with iostat -x 1.
Final Thoughts
Running your own mail server gives you total control over logs, privacy, and deliverability. It’s not for the faint of heart, but with a clean IP from CoolVDS and this configuration, you’re building on bedrock.