Postfix Survival Guide: Hardening Email on CentOS 5 for High Deliverability
There are two types of sysadmins: those who have been blacklisted by Spamhaus, and those who are lying. Running your own mail server in 2009 is an act of defiance. It gives you control, privacy, and freedom from the arbitrary limits of ISPs. But if you configure it wrong, you’re just another open relay for pharmaceutical spam botnets.
I’ve spent the last week cleaning up a mess left by a developer who thought a default yum install postfix was enough. It wasn't. The server IP is burned, the client is furious, and mail delivery to Hotmail is non-existent. We’re fixing that today.
This guide isn't for hobbyists. It's for professionals running mission-critical mail on CoolVDS Xen instances who need rock-solid deliverability.
The Iron Laws of Postfix Configuration
Forget Sendmail. It’s a relic. Postfix is modular, secure by design, and fast. But out of the box, it's too trusting. We need to tighten the screws in /etc/postfix/main.cf.
1. The HELO Handshake
Spammers are lazy. They rarely configure their botnets to send a proper HELO hostname during the SMTP handshake. We can drop 40% of junk traffic just by enforcing strict syntax.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
2. The RBL Shield (Real-time Blackhole Lists)
You cannot fight spam alone. Use the community. Configuring smtpd_recipient_restrictions is the single most important part of your setup. This determines who gets to talk to your users.
Warning: Order matters here. Postfix evaluates the restrictions in the order listed and stops at the first one that matches. Put permit_mynetworks first, or you'll block your own web apps.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit
Pro Tip: zen.spamhaus.org is aggressive but highly accurate. If you are serving Norwegian business clients, false positives are rare. However, always monitor your /var/log/maillog during the first 24 hours of deployment.
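For that first-24-hours check, the following is an added example (not part of the original guide): it tallies smtpd rejects in maillog by cause (RBL zone or HELO check) and lists blocked clients that have a verified hostname, which are the ones most worth reviewing as possible false positives. The sample log lines, IP addresses and domains are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format Postfix smtpd writes to /var/log/maillog
# (documentation IP ranges and example domains, not real traffic).
SAMPLE_MAILLOG = """\
Mar  3 10:15:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 Service unavailable; Client host [203.0.113.45] blocked using zen.spamhaus.org; from=<promo@example.com> to=<ola@example.no> proto=ESMTP helo=<mx.example.com>
Mar  3 10:15:09 mail postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<a@example.org> to=<ola@example.no> proto=SMTP helo=<localhost>
Mar  3 10:16:30 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 Service unavailable; Client host [203.0.113.45] blocked using zen.spamhaus.org; from=<promo@example.com> to=<kari@example.no> proto=ESMTP helo=<mx.example.com>
Mar  3 10:17:02 mail postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mail.partner.example[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<faktura@partner.example> to=<kari@example.no> proto=ESMTP helo=<mail.partner.example>
Mar  3 10:17:40 mail postfix/smtpd[2104]: connect from unknown[203.0.113.99]
"""

# Matches "NOQUEUE: reject: <stage> from host[ip]: <code> ...; from=<sender>"
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) .*?; from=<(?P<sender>[^>]*)>"
)
RBL = re.compile(r"blocked using (?P<zone>[\w.-]+)")

def classify(line):
    """Return (reason, ip, host, sender) for a reject line, else None."""
    m = REJECT.search(line)
    if not m:
        return None
    rbl = RBL.search(line)
    if rbl:
        reason = "rbl:" + rbl.group("zone")
    else:
        reason = "helo" if "Helo command rejected" in line else "other"
    return reason, m.group("ip"), m.group("host"), m.group("sender")

def summarize(log_text):
    """Count rejects per reason and collect named hosts for manual review."""
    counts, review = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        reason, ip, host, sender = hit
        counts[reason] += 1
        # Postfix logs "unknown" when the client has no verified hostname.
        # Heuristic (assumption): a named host that got blocked deserves a look.
        if host != "unknown":
            review[reason].add((host, ip, sender))
    return counts, dict(review)

if __name__ == "__main__":
    totals, to_review = summarize(SAMPLE_MAILLOG)
    print(dict(totals), to_review)
```

To run it against live data, pass the contents of /var/log/maillog to summarize() instead of the sample string.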
Storage Latency: The Silent Killer
Most people think mail servers are CPU intensive. They aren't. They are I/O nightmares. When you have a queue of 50,000 messages, Postfix is hammering your disk, moving files between the incoming, active, and deferred directories.
If you host this on cheap shared hosting with standard SATA drives, your iowait will skyrocket. Your load average will hit 20.0, and delivery will stall. This is simple physics.
This is why we use CoolVDS. We don't mess around with consumer-grade hardware. Our nodes run on Enterprise 15k RPM SAS drives in RAID-10. The random write performance of 15k SAS is necessary when you are pushing volume. Don't let a $10/month saving on a slow VPS cost you hours of downtime.
Legal Compliance in Norway (Datatilsynet)
Hosting email for clients in Oslo or Bergen comes with responsibilities under the Personopplysningsloven (Personal Data Act). You are processing personal data.
Unlike US-based hosting, where the Patriot Act allows interference, hosting on Norwegian soil provides a layer of legal sovereignty. At CoolVDS, our datacenter is in Oslo. Your bits stay within the jurisdiction. For clients dealing with sensitive corporate communications, this isn't just a feature; it's a requirement.
Securing the Transport
Sending cleartext email is negligent. While certificates from VeriSign or Thawte are expensive, they are a cost of doing business. You must enable TLS to encrypt the connection between servers.
# /etc/postfix/main.cf
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.yourdomain.no.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.yourdomain.no.key
smtpd_tls_loglevel = 1
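Setting the level to may allows opportunistic encryption. If the other server supports it (like Gmail or huge enterprise Exchange servers), the session is encrypted. If not, it falls back to cleartext. Note that the smtpd_ parameters above cover mail arriving at your server; the matching client-side parameter for mail you send out is smtp_tls_security_level. It’s the pragmatic choice for 2009.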
The Verdict
Building a mail server is about layers. A clean network, fast SAS storage, and strict Postfix configurations. Do not rely on 'security through obscurity'.
If you are tired of fighting for I/O resources on oversold nodes, it’s time to move. Deploy a CoolVDS instance today. We give you the raw power of RAID-10 and the stability of Xen, so you can sleep at night knowing your mail queue is empty.