Postfix Survival Guide: Building a Bulletproof Mail Server in 2009
Let’s be honest: Managing an email server is usually a thankless nightmare. Between getting blacklisted because a neighbor on your shared subnet got infected with a botnet, and dealing with the cryptic configuration hell of Sendmail, most sysadmins would rather debug a kernel panic than touch port 25.
But here we are. You need transactional email that actually hits the inbox, or maybe you're hosting mail for a client who refuses to pay for Exchange. You need control, and you need it to work.
I’ve spent the last week migrating a client from a crashing qmail setup to a robust Postfix architecture. Why Postfix? Because it's secure by default, modular, and it doesn't make me want to pull my hair out. Here is the exact configuration I used to stabilize their infrastructure, tailored for a VPS hosted in Norway.
1. The Foundation: Clean IPs and OS Choice
Before we touch a config file, we need to talk about infrastructure. Deliverability is mostly a question of reputation, and the first reputation a receiver looks at is your IP's. If you spin up a server on a cheap, oversold provider, you inherit the IP reputation of the spammer who rented that address yesterday.
This is where CoolVDS differs from the bargain bin. We strictly police our IP ranges. When you provision a Virtual Dedicated Server with us, you get a clean IP. We also allow you to set your own reverse DNS (PTR record) instantly via our panel. Hotmail, Yahoo and most other large receivers will not accept mail from an address without one, and the record has to be consistent: the PTR should point at the hostname you configure as myhostname below, and that hostname should resolve back to the same IP.
For this guide, I’m using CentOS 5.3 (32-bit). It’s rock solid. If you are on Debian Lenny, the paths differ slightly, but the logic remains.
2. Installation and Basic Config
First, kill Sendmail if it's running. It’s 2009; let it die.
# service sendmail stop
# yum remove sendmail
# yum install postfix system-switch-mail
# system-switch-mail
# (Select Postfix)
Now, let’s edit /etc/postfix/main.cf. The defaults are written for a box that only handles its own local mail; a public-facing server needs its identity, interfaces and mailbox format set explicitly.
# /etc/postfix/main.cf
myhostname = mail.yourdomain.no
mydomain = yourdomain.no
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# CRITICAL: use Maildir format (one file per message).
# mbox needs a lock around every delivery to one spool file, and a single
# interrupted write can damage every message in it.
home_mailbox = Maildir/
Pro Tip: Always use Maildir/ format (trailing slash matters). On a VPS with high I/O, writing individual files is much safer than one giant mbox file. Our CoolVDS RAID-10 storage arrays handle small file writes exceptionally well, preventing the I/O wait that kills mail server performance.
3. Stopping the Spam (RBLs and Restrictions)
Postfix is not an open relay out of the box, but the one setting that keeps it that way is reject_unauth_destination. The moment a permit rule or an access map with OK entries lands ahead of it, or mynetworks is widened to the world, you are relaying for everyone, and within hours you will be blacklisted everywhere. So we configure smtpd_recipient_restrictions deliberately. For the client checks we use Spamhaus ZEN, currently the most reliable DNS-based blocklist (DNSBL), which is what Postfix's reject_rbl_client consults.
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org
This configuration rejects mail from known spam sources at RCPT TO, before the body is ever transferred, which saves bandwidth and CPU cycles. Keep reject_rbl_client last: it costs a DNS lookup per client, and it must stay behind permit_mynetworks and permit_sasl_authenticated, because ZEN includes the PBL (dynamic and residential ranges) and your own users on home ADSL would otherwise be refused before they could authenticate.
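To check whether a main.cf actually satisfies the rule above before you expose it, here is a small lint script written for this guide; it is not part of the original article or of Postfix itself. It joins Postfix's continuation lines, then checks that mynetworks does not trust the whole Internet and that nothing except permit_mynetworks and permit_sasl_authenticated appears before reject_unauth_destination. The two main.cf snippets it writes are constructed for the demo: one with the restriction order from this section, and one with a client access map placed ahead of reject_unauth_destination, which is a common way to open a relay without noticing.

```shell
#!/bin/sh
# Added example (not from the original article): lint relay-related settings
# in a Postfix main.cf.  The sample configs written below are constructed.

# Print one main.cf parameter with continuation lines joined (Postfix continues
# a value on any following line that begins with whitespace), commas removed.
pf_get() {  # pf_get <main.cf> <parameter>
    awk -v p="$2" '
        /^[ \t]/ { if (inval) { sub(/^[ \t]+/, ""); val = val " " $0 }; next }
        { inval = 0 }
        $0 ~ ("^" p "[ \t]*=") { inval = 1; val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
        END {
            gsub(/,/, " ", val); gsub(/[ \t]+/, " ", val)
            sub(/^ /, "", val); sub(/ $/, "", val); print val
        }' "$1"
}

# Print OK, or FAIL: <reason> and return 1, if main.cf could relay for strangers.
# Deliberately conservative: anything other than permit_mynetworks or
# permit_sasl_authenticated ahead of reject_unauth_destination is flagged
# (access maps with OK entries, permit_dnswl_client, a bare permit, ...).
check_relay() {  # check_relay <main.cf>
    nets=$(pf_get "$1" mynetworks)
    case " $nets " in
        *" 0.0.0.0/0 "*|*"/0 "*)
            echo "FAIL: mynetworks trusts the whole Internet ($nets)"; return 1 ;;
    esac
    restr=$(pf_get "$1" smtpd_recipient_restrictions)
    [ -n "$restr" ] || { echo "FAIL: smtpd_recipient_restrictions is empty"; return 1; }
    seen_dest=0; skipnext=0
    for r in $restr; do
        if [ "$skipnext" = 1 ]; then skipnext=0; continue; fi   # argument of previous rule
        case "$r" in
            reject_rbl_client|reject_rhsbl_*|check_*_access|check_policy_service) skipnext=1 ;;
        esac
        if [ "$seen_dest" = 1 ]; then continue; fi
        case "$r" in
            reject_unauth_destination|defer_unauth_destination) seen_dest=1 ;;
            permit_mynetworks|permit_sasl_authenticated) ;;   # relaying for these is intended
            reject*|defer*) ;;                                # rejecting early cannot open a relay
            *) echo "FAIL: '$r' precedes reject_unauth_destination and may permit relaying"; return 1 ;;
        esac
    done
    [ "$seen_dest" = 1 ] || { echo "FAIL: reject_unauth_destination is missing"; return 1; }
    echo OK
}

# Constructed sample 1: the restriction order from this section.
write_good_cf() {  # write_good_cf <path>
    cat > "$1" <<'EOF'
myhostname = mail.yourdomain.no
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org
EOF
}

# Constructed sample 2: an access map ahead of reject_unauth_destination, so any
# client with an OK entry in that map may relay to any destination.
write_bad_cf() {  # write_bad_cf <path>
    cat > "$1" <<'EOF'
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/client_access,
    reject_unauth_destination
EOF
}

tmp=$(mktemp -d)
write_good_cf "$tmp/good.cf"; write_bad_cf "$tmp/bad.cf"
for f in "$tmp/good.cf" "$tmp/bad.cf"; do
    printf '%s: %s\n' "$f" "$(check_relay "$f")"
done
rm -rf "$tmp"
# On the real box:  check_relay /etc/postfix/main.cf
```

The script reads the file rather than asking postconf, so it runs anywhere; on the server itself, postconf -n is the authoritative view of what Postfix actually loaded, and the linter's one rule is the same rule the Postfix documentation states: permit nothing before reject_unauth_destination that you would not want relaying through you.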
4. Authentication & Encryption (SASL + TLS)
Sending passwords in plain text is negligence, especially with the Norwegian Personal Data Act (Personopplysningsloven) requiring us to secure user data. We need to enable SASL for authentication and wrap it in TLS.
Install the necessary cyrus-sasl packages. Postfix does not check passwords itself: it hands them to saslauthd, which is configured through /usr/lib/sasl2/smtpd.conf on this 32-bit CentOS, so saslauthd must be running (and enabled at boot) before AUTH will work:
# yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5
Add this to main.cf:
# SASL Auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
# TLS Encryption
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
smtpd_tls_loglevel = 1
You can generate a self-signed cert with OpenSSL for testing, but for production buy a cheap cert; it stops your users from getting scary pop-ups in Outlook 2007. Either way, verify the result from another machine with openssl s_client -starttls smtp -connect mail.yourdomain.no:25: the handshake must complete, and because of smtpd_tls_auth_only the server must advertise AUTH only after STARTTLS, never on the plain-text connection. If your users sit behind ISPs that block outbound port 25, enable the submission service (port 587) in master.cf as well.
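A self-signed pair for the key and cert paths above, plus the two checks a practitioner runs before pointing Postfix at them; this is an added example, not part of the original article. The hostname mail.yourdomain.no and the temporary directory are assumptions, and starttls_probe only makes sense once the server is up.

```shell
#!/bin/sh
# Added example (not from the original article): create the self-signed key/cert
# for the smtpd_tls_* settings above and sanity-check the pair before installing.

# Self-signed RSA cert; -nodes leaves the key unencrypted because Postfix cannot
# prompt for a passphrase at startup.
make_selfsigned_cert() {  # make_selfsigned_cert <CN> <keyfile> <certfile> [days]
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "${4:-365}" \
        -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null || return 1
    # Postfix reads the key while it is still root, so root-only is the right mode.
    chmod 600 "$2"
}

# CN of a certificate, tolerant of old ("subject= /CN=x") and new ("CN = x") output.
cert_cn() {  # cert_cn <certfile>
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# A cert issued for a different key makes smtpd fail at the first STARTTLS;
# compare the RSA modulus of both files instead of finding out from the logs.
cert_matches_key() {  # cert_matches_key <certfile> <keyfile>
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
    if [ -n "$c" ] && [ "$c" = "$k" ]; then return 0; fi
    return 1
}

# Remote check once Postfix runs: the handshake must succeed and, with
# smtpd_tls_auth_only = yes, 250-AUTH must only ever appear after STARTTLS.
starttls_probe() {  # starttls_probe <host> [port]
    printf 'EHLO probe.example\r\nQUIT\r\n' |
        openssl s_client -starttls smtp -connect "$1:${2:-25}" 2>&1 |
        grep -E 'Verify return code|250-AUTH|250-STARTTLS'
}

tmp=$(mktemp -d)
if make_selfsigned_cert mail.yourdomain.no "$tmp/mail.key" "$tmp/mail.crt" 365 &&
   cert_matches_key "$tmp/mail.crt" "$tmp/mail.key"; then
    echo "OK: certificate for $(cert_cn "$tmp/mail.crt") matches its key"
    # Then, as root on the server:
    #   install -m 644 "$tmp/mail.crt" /etc/pki/tls/certs/mail.crt
    #   install -m 600 "$tmp/mail.key" /etc/pki/tls/private/mail.key
fi
rm -rf "$tmp"
```

With a self-signed cert, starttls_probe reports a non-zero verify code (self signed certificate); that is expected and is exactly the warning Outlook shows, which is why a bought cert is worth it for production.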
5. The Latency Factor
Why host mail in Norway? Latency and law. If your business is in Oslo, why route your internal emails through a server in Texas?
| Route | Ping (Avg) | Impact |
|---|---|---|
| Oslo -> US East Hosting | 110ms - 140ms | Sluggish IMAP syncing |
| Oslo -> CoolVDS (Oslo DC) | < 10ms | Instant header retrieval |
When you are checking email on a mobile device (like the new iPhone 3GS or a BlackBerry), that latency kills battery life and user experience. Keeping data within Norwegian borders also simplifies compliance with Datatilsynet regulations regarding data export.
6. Monitoring and Maintenance
Once you restart Postfix (service postfix restart), watch your logs like a hawk:
tail -f /var/log/maillog
Look for "Relay access denied" (good: someone tried to relay through you and was refused) and for repeated "SASL LOGIN authentication failed" or "SASL PLAIN authentication failed" warnings from the same client (someone is brute-forcing your users' passwords). Also run postfix check after every edit to main.cf; it catches typos before a restart does.
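As an added example (not from the original article), the two log signals above turned into awk functions you can run over /var/log/maillog. The log lines the script writes are constructed in the Postfix 2.3 format, and the threshold of five failures is an assumption to tune for your own traffic.

```shell
#!/bin/sh
# Added example (not from the original article): triage maillog for SASL
# brute force and for rejects by reason.  Sample log lines are constructed.

# Clients with at least <min> failed SASL logins (default 5), worst first.
sasl_bruteforce() {  # sasl_bruteforce <logfile> [min]
    awk -v min="${2:-5}" '
        /postfix\/smtpd\[[0-9]+\]: warning: .*: SASL [A-Z0-9-]+ authentication failed/ {
            # the client is logged as name[ip] right before ": SASL"
            if (match($0, /\[[0-9.]+\]: SASL/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 8)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1" | sort -rn
}

# NOQUEUE rejects grouped by reason, most frequent first.
reject_summary() {  # reject_summary <logfile>
    awk '
        /postfix\/smtpd\[[0-9]+\]: NOQUEUE: reject:/ {
            if      ($0 ~ /Relay access denied/)         r = "relay-denied"
            else if ($0 ~ /blocked using /)              r = "dnsbl"
            else if ($0 ~ /Helo command rejected/)       r = "bad-helo"
            else if ($0 ~ /Sender address rejected/)     r = "bad-sender"
            else if ($0 ~ /Recipient address rejected/)  r = "bad-recipient"
            else                                         r = "other"
            n[r]++
        }
        END { for (r in n) print n[r], r }' "$1" | sort -rn
}

# Constructed sample: one client hammering AUTH, one user typo, two relay
# attempts, one DNSBL hit and one bare HELO.
write_sample_log() {  # write_sample_log <path>
    cat > "$1" <<'EOF'
Jul 14 03:12:01 mail postfix/smtpd[2211]: connect from unknown[192.0.2.5]
Jul 14 03:12:02 mail postfix/smtpd[2211]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: authentication failure
Jul 14 03:12:04 mail postfix/smtpd[2211]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: authentication failure
Jul 14 03:12:06 mail postfix/smtpd[2211]: warning: unknown[192.0.2.5]: SASL PLAIN authentication failed: authentication failure
Jul 14 03:12:08 mail postfix/smtpd[2211]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: authentication failure
Jul 14 03:12:10 mail postfix/smtpd[2211]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: authentication failure
Jul 14 03:12:12 mail postfix/smtpd[2211]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: authentication failure
Jul 14 03:12:13 mail postfix/smtpd[2211]: disconnect from unknown[192.0.2.5]
Jul 14 03:14:30 mail postfix/smtpd[2213]: warning: cust-8.example.net[198.51.100.8]: SASL PLAIN authentication failed: authentication failure
Jul 14 03:14:45 mail postfix/smtpd[2213]: 7F1C3A0121: client=cust-8.example.net[198.51.100.8], sasl_method=PLAIN, sasl_username=anne
Jul 14 03:15:22 mail postfix/smtpd[2215]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <victim@example.com>: Relay access denied; from=<spam@example.net> to=<victim@example.com> proto=ESMTP helo=<foo>
Jul 14 03:15:23 mail postfix/smtpd[2215]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <other@example.com>: Relay access denied; from=<spam@example.net> to=<other@example.com> proto=ESMTP helo=<foo>
Jul 14 03:16:40 mail postfix/smtpd[2216]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; from=<x@example.net> to=<bob@yourdomain.no> proto=SMTP helo=<pc>
Jul 14 03:17:02 mail postfix/smtpd[2217]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 504 5.5.2 <pc>: Helo command rejected: need fully-qualified hostname; from=<a@example.net> to=<bob@yourdomain.no> proto=SMTP helo=<pc>
EOF
}

tmp=$(mktemp -d); write_sample_log "$tmp/maillog"
echo "== clients with 5 or more failed logins =="; sasl_bruteforce "$tmp/maillog" 5
echo "== rejects by reason ==";                    reject_summary "$tmp/maillog"
rm -rf "$tmp"
# On the server: sasl_bruteforce /var/log/maillog 20, then feed the IPs to your firewall.
```

One failed login from a known customer host is a typo; dozens from an unknown host inside a minute, cycling LOGIN and PLAIN, is a dictionary attack, and the per-IP count is what separates the two.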
Final Thoughts
Building a mail server isn't just about software; it's about the ecosystem. You need a clean IP, low latency for IMAP performance, and reliable storage that won't corrupt your Maildir index.
At CoolVDS, we don't oversell our nodes. We use enterprise-grade hardware that ensures your low latency requirements are met, and we protect our network aggressively against DDoS attacks so your mail keeps flowing even when the rest of the web is under fire.
Need a clean IP for your mail server? Deploy a CentOS VPS on CoolVDS today and get your Reverse DNS set up in minutes.