Stop Letting Default Configs Ruin Your Reputation
Let’s be honest: Managing a mail server in 2012 is a thankless, miserable job. If you are reading this, you are either a masochist or you have a client who refuses to pay for Google Apps. I’ve been there. Last month, I spent 48 straight hours begging Spamhaus to de-list a client’s IP address not because we messed up, but because a "noisy neighbor" on a cheap, oversold OpenVZ container was blasting out pharmaceuticals from the same subnet.
That is the reality of email hosting. It is not just about apt-get install postfix; it is about reputation, latency, and raw I/O performance. If your disk queue is choked, your mail queue stalls. If your IP reputation is tarnished, your CEO’s email to an investor goes to the junk folder.
This guide isn't for hobbyists. It's for systems administrators who need to build a rock-solid MTA (Mail Transfer Agent) on CentOS 6 or Debian Squeeze, specifically tailored for the Nordic region where strict adherence to the Personal Data Act (Personopplysningsloven) is mandatory.
1. The Foundation: Infrastructure Matters
Before touching a single config file, look at your infrastructure. Postfix is I/O hungry. Every email creates disk writes: receiving, queueing, processing, logging, and delivering. On a traditional spinning HDD (even SAS 15k), a sudden influx of spam or a marketing blast can spike your Load Average to double digits.
We strictly deploy mail servers on CoolVDS instances because they utilize Enterprise SSD storage and true KVM virtualization. Unlike OpenVZ, KVM ensures your memory and I/O resources are yours alone. You don't want your mail queue waiting because another user is compiling a kernel on the same physical host.
Pro Tip: Always verify your Reverse DNS (PTR) record immediately after provisioning. If your PTR record is generic (e.g., 192-168-1-1.static.provider.net), you look like a botnet. Set it to mail.yourdomain.com immediately, and make sure the A record for that name resolves back to the same IP, since receiving servers check that the reverse and forward lookups agree.
2. Installation and Basic Hygiene
Let's assume you are running a clean minimal install of CentOS 6.3 or Debian 6. First, strip the bloat and install Postfix.
```shell
yum remove sendmail
yum install postfix policycoreutils-python cyrus-sasl-plain
```
On Debian/Ubuntu 12.04 LTS:
```shell
apt-get remove exim4
apt-get install postfix
```
During the interactive setup on Debian, select "Internet Site". But the real work happens in /etc/postfix/main.cf.
3. The main.cf: Security First
The default Postfix configuration is too permissive. We need to lock it down to prevent becoming an open relay—which is the fastest way to get blacklisted globally.
Open /etc/postfix/main.cf and apply these changes:
```
# /etc/postfix/main.cf
myhostname = mail.yourdomain.no
mydomain = yourdomain.no
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4

# DATA PRIVACY & ENCRYPTION (Essential for Norwegian Compliance)
# We use Opportunistic TLS. It's 2012; cleartext is unacceptable.
smtpd_tls_security_level = may
# CentOS paths; on Debian the equivalents live under /etc/ssl/certs and /etc/ssl/private
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_loglevel = 1

# RELAY CONTROL
# Strictly limit who can send mail through us
mynetworks = 127.0.0.0/8 [::1]/128
# smtpd_relay_restrictions is only understood by Postfix 2.10 and later. The
# 2.6/2.7 releases shipped with CentOS 6 and Debian 6 log it as an "unused
# parameter", so on those versions the reject_unauth_destination entry in
# smtpd_recipient_restrictions (next section) is what actually prevents relaying.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
```
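To see why the order of those three restrictions matters, here is an added example (not code from the post or from Postfix) that walks the relay restriction list the way smtpd does: first match wins. The configurations, the client IPs and the single "local" domain are constructed; in real Postfix, reject/defer_unauth_destination consults $mydestination, $virtual_*_domains and $relay_domains rather than the hard-coded LOCAL_DOMAINS list used here. The second configuration shows the classic mistake that turns the server into an open relay: putting the whole Internet in mynetworks.

```python
import ipaddress

# Constructed configurations. LOCKED_DOWN mirrors the RELAY CONTROL block above;
# OPEN_RELAY trusts every client and is exactly what gets an IP blacklisted.
LOCAL_DOMAINS = ["yourdomain.no"]   # stand-in for $mydestination & co.
LOCKED_DOWN = {"mynetworks": ["127.0.0.0/8", "::1/128"]}
OPEN_RELAY = {"mynetworks": ["0.0.0.0/0"]}


def in_mynetworks(client_ip, mynetworks):
    """True when the connecting client sits inside one of the trusted networks.
    A v6 address never matches a v4 network and vice versa."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in mynetworks)


def evaluate_relay(config, client_ip, sasl_authenticated, recipient):
    """Apply permit_mynetworks, permit_sasl_authenticated and
    defer_unauth_destination in that order and return the first decision."""
    if in_mynetworks(client_ip, config["mynetworks"]):
        return "permit: permit_mynetworks"
    if sasl_authenticated:
        return "permit: permit_sasl_authenticated"
    rcpt_domain = recipient.rpartition("@")[2].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return "permit: destination is one of ours"
    return "defer: defer_unauth_destination"


def is_open_relay(config):
    """Self-check: an unknown, unauthenticated client asking us to deliver to a
    domain we do not host must never be permitted."""
    verdict = evaluate_relay(config, "203.0.113.5", False, "victim@example.org")
    return verdict.startswith("permit")


if __name__ == "__main__":
    for name, cfg in (("LOCKED_DOWN", LOCKED_DOWN), ("OPEN_RELAY", OPEN_RELAY)):
        print(name, "open relay:", is_open_relay(cfg))
```

The is_open_relay probe is the question every RBL operator effectively asks of your server; running it against your own configuration model before you go live is cheaper than 48 hours of de-listing requests.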
The Critical RBL Defense
This next block is what separates a professional admin from an amateur. We will use Real-time Blackhole Lists (RBLs) to block known spammers at the connection level, saving your CPU cycles.
```
# Every continuation line of a multi-line value MUST start with whitespace,
# otherwise Postfix does not read it as part of the value.
# The heavy hitters are the two reject_rbl_client lookups at the end.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit
```
Warning: Be careful with RBLs. Spamhaus is reliable, but some aggressive lists can generate false positives. Monitor your /var/log/maillog closely during the first week.
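"Monitor your maillog closely" is easier with a little tooling. The following is an added example (not from the post) that pulls the RBL rejections out of Postfix smtpd log lines, counts them per list, and flags rejections from correspondents you know to be legitimate as false-positive candidates. The log lines are constructed to match the format smtpd writes for reject_rbl_client (documentation IP ranges, made-up hosts and addresses); the trusted-domain list is an assumption standing in for your own customer and partner domains.

```python
import re
from collections import Counter

# Constructed sample of /var/log/maillog lines in Postfix smtpd's reject format.
SAMPLE_MAILLOG = """\
Jun  4 09:12:01 mail postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<bulk@example.org> to=<ola@yourdomain.no> proto=ESMTP helo=<example.org>
Jun  4 09:12:07 mail postfix/smtpd[4021]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.20]: 554 5.7.1 Service unavailable; Client host [198.51.100.20] blocked using bl.spamcop.net; from=<kari@partner.example> to=<ola@yourdomain.no> proto=ESMTP helo=<mail.partner.example>
Jun  4 09:12:09 mail postfix/smtpd[4022]: connect from unknown[192.0.2.77]
Jun  4 09:12:10 mail postfix/smtpd[4022]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 450 4.1.8 <x@nxdomain.invalid>: Sender address rejected: Domain not found; from=<x@nxdomain.invalid> to=<ola@yourdomain.no> proto=SMTP helo=<x>
Jun  4 09:12:15 mail postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; from=<promo@example.org> to=<kari@yourdomain.no> proto=ESMTP helo=<example.org>
"""

# Only lines rejected by an RBL carry "blocked using <list>"; other rejects
# (unknown sender domain, non-FQDN HELO, ...) deliberately do not match.
RBL_REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) .*?blocked using (?P<rbl>[^;\s]+).*?"
    r"from=<(?P<sender>[^>]*)>"
)


def parse_rbl_rejects(log_text):
    """Return one dict per RBL rejection: host, ip, code, rbl, sender, sender_domain."""
    rejects = []
    for line in log_text.splitlines():
        m = RBL_REJECT.search(line)
        if m:
            rec = m.groupdict()
            rec["sender_domain"] = rec["sender"].rpartition("@")[2].lower()
            rejects.append(rec)
    return rejects


def rejects_per_rbl(rejects):
    """How many connections each list blocked; a list that suddenly dominates
    deserves a look."""
    return Counter(r["rbl"] for r in rejects)


def possible_false_positives(rejects, trusted_domains):
    """Rejections whose sender domain or client hostname belongs to a
    correspondent we know is legitimate. These are review candidates, not
    automatic allow-list entries."""
    trusted = {d.lower() for d in trusted_domains}
    hits = []
    for r in rejects:
        host = r["host"].lower()
        host_trusted = any(host == d or host.endswith("." + d) for d in trusted)
        if r["sender_domain"] in trusted or host_trusted:
            hits.append((r["ip"], r["rbl"], r["sender"]))
    return hits


if __name__ == "__main__":
    found = parse_rbl_rejects(SAMPLE_MAILLOG)
    print("rejections per RBL:", dict(rejects_per_rbl(found)))
    print("review these:", possible_false_positives(found, ["partner.example"]))
```

Run it over the real file with `parse_rbl_rejects(open("/var/log/maillog").read())` during the first week; a rejection from a domain on your trusted list is the signal to check whether that list has gone aggressive, not to drop RBL filtering altogether.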
4. Data Integrity and The "Datatilsynet" Factor
Operating in Norway means you answer to the Data Inspectorate (Datatilsynet). While the EU Data Protection Directive sets the baseline, Norwegian implementation is strict. You must ensure that logs containing personal identifiers (like email metadata) are secured.
At CoolVDS, our data centers in Oslo connect directly to NIX (Norwegian Internet Exchange). This keeps domestic traffic within Norway, reducing latency to under 5ms for local users and ensuring data sovereignty—a key selling point when pitching to Norwegian enterprise clients who are wary of the US Patriot Act.
5. Fighting Forgery: SPF and DKIM
In 2012, you cannot ignore SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). While DMARC is still a draft technology, SPF and DKIM are established standards.
Setting up SPF
Add a TXT record to your DNS zone. This tells the world which IPs are allowed to send mail for you.
```
yourdomain.no. IN TXT "v=spf1 mx a ip4:192.0.2.10 -all"
```
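To make it concrete what a receiving server does with that record, here is an added example (not from the post, and not a full RFC 4408 implementation) that evaluates the mx, a, ip4 and all mechanisms with their qualifiers against a sending IP. DNS is replaced by a constructed lookup table, so the A and MX values for yourdomain.no and the extra softfail.example zone are assumptions; include, redirect and exists are left out on purpose, so the point is the mechanism order and what -all versus ~all means for a message from an IP you never listed.

```python
import ipaddress

# Constructed stand-in for DNS; a real checker would query the resolver.
FAKE_DNS = {
    ("yourdomain.no", "TXT"): ["v=spf1 mx a ip4:192.0.2.10 -all"],
    ("yourdomain.no", "A"): ["192.0.2.20"],
    ("yourdomain.no", "MX"): ["mail.yourdomain.no"],
    ("mail.yourdomain.no", "A"): ["192.0.2.30"],
    ("softfail.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}

# Qualifier prefixes; a mechanism with no prefix counts as "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def mechanism_matches(mech, client_ip, domain):
    """Does one mechanism (all, ip4, ip6, a, mx) match the client IP?"""
    ip = ipaddress.ip_address(client_ip)
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        # A bare address becomes a /32 (or /128); version mismatch never matches.
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return str(ip) in lookup(arg or domain, "A")
    if name == "mx":
        return any(str(ip) in lookup(host, "A") for host in lookup(arg or domain, "MX"))
    raise ValueError("unsupported mechanism: " + mech)


def check_spf(domain, client_ip):
    """Return the SPF result for mail claiming to come from `domain`
    arriving from `client_ip`: pass, fail, softfail, neutral, none or permerror."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:          # two SPF records is a publishing error
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, client_ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"              # ran off the end without matching anything


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "203.0.113.5"):
        print(ip, "->", check_spf("yourdomain.no", ip))
```

Note that the first matching mechanism decides the result, so with this record an IP that appears in MX, A, or ip4 passes and everything else hits -all and fails. Publishing ~all instead only asks receivers to treat forgeries as suspicious rather than reject them, which is why the record above ends in -all.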
Configuring OpenDKIM
DKIM adds a cryptographic signature to your headers. Install it from the EPEL repository on CentOS:
```shell
yum install opendkim
```
Edit /etc/opendkim.conf (at minimum Domain, Selector and KeyFile), then generate a 1024-bit key, which is what opendkim-genkey produces by default (2048-bit is safer but can cause DNS packet size issues on older resolvers).
```shell
opendkim-genkey -s default -d yourdomain.no
```
This writes two files: default.private (the signing key that KeyFile in opendkim.conf must point at) and default.txt, which holds the TXT record to publish at default._domainkey.yourdomain.no. Add it to your DNS. If you skip this, Gmail and Yahoo might throttle your delivery rates.
6. Performance Tuning for High Load
If you are sending newsletters, the default concurrency limits in Postfix will bottleneck you. Increase the parallel delivery limit, but watch your I/O wait.
```
# /etc/postfix/main.cf
# These three values are the Postfix defaults, shown as the starting point;
# the table below lists what to raise them to on a host with the RAM and IOPS for it.
default_process_limit = 100
initial_destination_concurrency = 5
default_destination_concurrency_limit = 20
```
| Parameter | Default | High Load Recommendation |
|---|---|---|
| default_process_limit | 100 | 200 (Requires RAM) |
| queue_run_delay | 300s | 120s |
| minimal_backoff_time | 300s | 180s |
Note: Do not raise these blindly. If your underlying storage is slow (like standard SATA VPS hosting), increasing concurrency will just increase I/O contention and slow everything down. This is why we benchmark our CoolVDS SSD instances to handle high IOPS specifically for mail queues and database transactions.
Final Thoughts
Building a mail server is about layers of defense. You need a clean network (CoolVDS provides vetted IPs), strong authentication (SASL + TLS), and reputation management (SPF/DKIM/RBL). Don't cut corners.
When you are ready to deploy, don't risk your reputation on shared hosting where a neighbor's spam script can blacklist your IP. Get a dedicated environment that respects your need for raw performance and data privacy.
Ready to configure? Deploy a CentOS 6 instance on CoolVDS in 55 seconds and ping the NIX node to see the latency difference yourself.