
Stop Landing in Spam: The Battle-Hardened Postfix Configuration Guide (2012 Edition)


Let’s be honest: running your own mail server in 2012 is a nightmare if you don't know exactly what you are doing. Between the aggressive filtering algorithms of Hotmail and Gmail, and the constant barrage of script-kiddies trying to turn your box into an open relay, it’s a minefield. Most sysadmins give up and rely on shared hosting for mail, which is a fatal mistake. Shared IPs are dirty IPs. If your neighbor on a cheap shared host sends spam, you get blacklisted.

I recently audited a setup for a client in Oslo who was losing 20% of their order confirmations. The culprit? A misconfigured Reverse DNS (rDNS) and a slow, overloaded drive array that timed out during queue processing. We moved them to a CoolVDS instance, fixed the headers, and their deliverability hit 99.9% overnight.

This guide isn't for hobbyists. This is for professionals who need a mail stack that works. We will build a Postfix server on Debian 6 (Squeeze) that adheres to the strictest standards required by Norwegian ISPs and international providers alike.

The Prerequisite: Infrastructure That Doesn't Lie

Before we touch a single config file, we need to talk about hardware. Email is I/O intensive. When you have thousands of messages in the queue, standard SATA drives choke. You see iowait spike, and Postfix starts deferring connections.

This is why we deploy on CoolVDS. Unlike budget providers overselling their SANs, CoolVDS offers genuine SSD-backed storage. In 2012, SSDs are a luxury for most, but for mail queues, they are mandatory. Furthermore, you need a provider that allows full control over PTR Records (rDNS). If your provider demands you open a support ticket to change your rDNS, leave. CoolVDS lets you manage this directly in the panel. Without a PTR record that matches your hostname (and resolves back to your IP), large ISPs such as Telenor and NextGenTel will reject your connections before you get to deliver a single message.

Step 1: The Foundation (Hostname & DNS)

First, verify your FQDN (Fully Qualified Domain Name). Your server hostname must match the A record and the PTR record.

# hostname -f
mail.yourdomain.no

If this returns localhost, fix your /etc/hosts and /etc/hostname immediately.

Pro Tip: Verify your rDNS lookup from an external source. Run dig -x [YOUR_IP] from your local machine. If the answer section doesn't return mail.yourdomain.no, stop here. No amount of Postfix config will save you if your identity is unverified. CoolVDS updates these records instantly across their Norwegian zones.
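The three lookups above (hostname, A record, PTR) have to agree with each other, and the PTR name must also resolve back to the address, which is what receivers call forward-confirmed reverse DNS. The script below is an added example, not part of the original guide: it runs the full consistency check over injectable resolver functions so it can be exercised against constructed answers offline, and against the live system resolver when run with a hostname and IP. The names and the 203.0.113.x addresses are constructed example data.

```python
import socket

# Constructed DNS answers standing in for a correctly configured host.
# These names and addresses are example data, not real records.
GOOD_A = {"mail.yourdomain.no": ["203.0.113.10"]}
GOOD_PTR = {"203.0.113.10": ["mail.yourdomain.no"]}
# A typical broken VPS: the PTR still carries the provider's default name.
BAD_PTR = {"203.0.113.10": ["vps-10.hosting.example"]}


def dict_lookup(table):
    """Build a resolver function over a constructed answer table."""
    return lambda name: table.get(name.rstrip(".").lower(), [])


def check_fcrdns(hostname, ip, a_lookup, ptr_lookup):
    """Return the list of mismatches between hostname, its A record and the PTR of ip.

    An empty list means forward-confirmed reverse DNS holds:
    hostname -> A -> ip, ip -> PTR -> hostname, and every PTR name
    resolves back to ip.
    """
    problems = []
    host = hostname.rstrip(".").lower()
    if "." not in host or host.startswith("localhost"):
        problems.append("hostname %r is not an FQDN; fix /etc/hostname and /etc/hosts" % hostname)
        return problems

    a_records = a_lookup(host)
    if ip not in a_records:
        problems.append("A record of %s is %s, expected %s" % (host, a_records or "missing", ip))

    ptr_names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not ptr_names:
        problems.append("no PTR record for %s" % ip)
    elif host not in ptr_names:
        problems.append("PTR of %s is %s, expected %s" % (ip, ptr_names, host))

    # The forward-confirmed part: each PTR name must resolve back to ip.
    for name in ptr_names:
        if ip not in a_lookup(name):
            problems.append("PTR name %s does not resolve back to %s" % (name, ip))
    return problems


def live_a(name):
    """Real IPv4 A lookup through the system resolver (needs network)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def live_ptr(ip):
    """Real PTR lookup through the system resolver (needs network)."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
        return [primary] + aliases
    except (socket.herror, socket.gaierror):
        return []


if __name__ == "__main__":
    import sys
    host, ip = sys.argv[1], sys.argv[2]   # e.g. mail.yourdomain.no 203.0.113.10
    for line in check_fcrdns(host, ip, live_a, live_ptr) or ["OK: FCrDNS consistent"]:
        print(line)
```

Run it from a machine outside the provider's network so you see the same answers a receiving MX sees; the system resolver of the VPS itself may still hold the old PTR in cache.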

Step 2: Installing the Stack

We are using Debian Squeeze because it is rock stable. We will install Postfix and Dovecot (for SASL authentication). Note that the dovecot-core package and the conf.d/ layout used below belong to Dovecot 2.x; a stock Squeeze system ships Dovecot 1.2 as dovecot-common, so either install a 2.x build (for example from backports) or translate the snippets into the single dovecot.conf that 1.2 uses.

apt-get update
apt-get install postfix dovecot-core dovecot-imapd

When prompted, select "Internet Site". This tells Postfix to send mail directly using SMTP rather than relaying through a smarthost.

Step 3: The main.cf Surgery

The default configuration is permissive: it accepts any HELO string and consults no blocklist. We need to enforce strict HELO checks to reject bots. Open /etc/postfix/main.cf and apply these changes. We reject HELO names that are not fully qualified or are syntactically invalid, which disposes of most bots before any message content is received and saves CPU cycles.

# /etc/postfix/main.cf

# Network Details
myhostname = mail.yourdomain.no
myorigin = /etc/mailname
mydestination = $myhostname, localhost, localhost.localdomain
# Trust only localhost to relay
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all

# AGGRESSIVE RESTRICTIONS
# This is where we filter 90% of spam before it hits the disk
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

# Recipient Restrictions
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_rbl_client zen.spamhaus.org,
    permit

# Performance Tuning for SSD (CoolVDS Optimized)
default_process_limit = 100
minimal_backoff_time = 300s
maximal_backoff_time = 4000s

Notice the reject_rbl_client zen.spamhaus.org. Spamhaus is the gold standard in 2012. Using this RBL (Real-time Blackhole List) offloads the burden of identifying known spammers from your server to their DNS lookup.

Step 4: SASL Authentication with Dovecot

You need to send emails from your iPhone or Outlook securely. We won't use the archaic Cyrus SASL; we'll use Dovecot, which communicates with Postfix via a UNIX socket. This reduces overhead and configuration complexity.

Edit /etc/dovecot/conf.d/10-master.conf (this is the Dovecot 2.x layout; on Squeeze's Dovecot 1.2 the same socket is declared as a client socket under auth default in /etc/dovecot/dovecot.conf):

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

The socket lives inside the Postfix queue directory (/var/spool/postfix), which is why Postfix refers to it by the relative path private/auth below. Outlook uses the LOGIN mechanism, which Dovecot does not enable by default, so also set auth_mechanisms = plain login in 10-auth.conf.

Then, tell Postfix to use this socket in main.cf:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may

Note that may only offers STARTTLS; it does not require it. With these four lines alone Postfix will accept AUTH PLAIN and AUTH LOGIN on an unencrypted port 25 session, which hands the password to anyone on the path. Add smtpd_tls_auth_only = yes so that AUTH is advertised only after STARTTLS, and let your own clients submit on port 587 by uncommenting the submission service in /etc/postfix/master.cf.
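The two mistakes that matter most in Steps 3 and 4 are a restriction list that reaches an unconditional permit before reject_unauth_destination (an open relay) and SASL enabled without forcing TLS (passwords in the clear). The linter below is an added example, not code from the original guide: it parses main.cf syntax, including continuation lines, and checks those conditions plus an over-broad mynetworks. The three embedded configurations are constructed; the weak one follows this guide literally, the hardened one adds smtpd_tls_auth_only, and the third is the classic open relay.

```python
import re

# Constructed main.cf excerpts (example data, not a real server's config).
# WEAK follows Step 3 and Step 4 literally: SASL on, TLS optional, so
# AUTH PLAIN/LOGIN is offered on cleartext port 25 sessions.
WEAK_MAIN_CF = """
myhostname = mail.yourdomain.no
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
"""

# HARDENED adds the one line that keeps passwords off the wire.
HARDENED_MAIN_CF = WEAK_MAIN_CF + "smtpd_tls_auth_only = yes\n"

# OPEN_RELAY is the classic mistake: 'permit' before reject_unauth_destination,
# plus a mynetworks that trusts the whole Internet.
OPEN_RELAY_MAIN_CF = """
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""


def parse_main_cf(text):
    """Parse Postfix main.cf syntax: 'name = value', '#' comment lines,
    and continuation lines that begin with whitespace."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def audit(params):
    """Return a list of findings; an empty list means none of these checks fired."""
    findings = []
    val = lambda k: params.get(k, "").strip().lower()
    tokens = lambda k: [t for t in re.split(r"[,\s]+", val(k)) if t]

    # 1. Relay control: an unauthenticated client must meet reject_unauth_destination
    #    before any unconditional 'permit' (Postfix appends an implicit permit).
    rr = tokens("smtpd_recipient_restrictions")
    guards = ("reject_unauth_destination", "defer_unauth_destination", "reject")
    seen_guard = False
    for t in rr:
        if t in guards:
            seen_guard = True
            break
        if t == "permit":
            break
    if rr and not seen_guard:
        findings.append("open relay: smtpd_recipient_restrictions reaches 'permit' "
                        "before reject_unauth_destination")

    # 2. mynetworks is an implicit relay permit; a /0 trusts every client.
    for net in tokens("mynetworks"):
        if net.endswith("/0"):
            findings.append("mynetworks contains %s: every client may relay" % net)

    # 3. SASL without TLS enforcement exposes AUTH PLAIN/LOGIN credentials.
    if val("smtpd_sasl_auth_enable") == "yes":
        if val("smtpd_tls_security_level") in ("", "none") and val("smtpd_use_tls") != "yes":
            findings.append("SASL enabled but TLS is not offered; set smtpd_tls_security_level = may")
        if val("smtpd_tls_auth_only") != "yes":
            findings.append("AUTH is advertised on cleartext sessions; set smtpd_tls_auth_only = yes")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF), ("relay", OPEN_RELAY_MAIN_CF)):
        print(label, audit(parse_main_cf(cfg)) or ["no findings"])
```

To run it against a live server, feed it the output of postconf -n rather than the raw file: postconf resolves defaults and the include order, so what you audit is what Postfix actually uses.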

Step 5: SPF and DKIM – The Passport of Email

In 2012, you cannot ignore SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). While DMARC is currently being drafted by industry leaders, SPF and DKIM are the current reality for proving you are not a spoofer.

SPF Record

Add this TXT record to your DNS zone immediately. It tells receivers that only the hosts it names may send mail for your domain: your MX hosts (mx), whatever the domain's own A record points at (a), and the listed address (ip4). The -all suffix asks receivers to reject everything else, so any third party that sends on your behalf (a newsletter service, a web form on another host) must be added to the record or its mail will fail SPF.

yourdomain.no. IN TXT "v=spf1 mx a ip4:YOUR.IP.ADDRESS.HERE -all"
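To see what a receiver does with that record, the evaluator below is an added example (not code from the guide) that implements exactly the mechanisms used here, mx, a, ip4/ip6 and all with the four qualifiers, over a constructed zone. It goes slightly beyond the record above by also showing a ~all record so the softfail result is visible. The zone data and all 203.0.113.x and 198.51.100.x addresses are constructed; include, exists and ptr are deliberately left out.

```python
import ipaddress

# Constructed zone data for the record in this section (example data, not real DNS).
DNS = {
    ("yourdomain.no", "TXT"): ["v=spf1 mx a ip4:203.0.113.10 -all"],
    ("yourdomain.no", "MX"): ["mail.yourdomain.no"],
    ("yourdomain.no", "A"): ["203.0.113.20"],        # web host on the apex A record
    ("mail.yourdomain.no", "A"): ["203.0.113.10"],   # the Postfix box
    ("other.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}


def lookup(name, rtype):
    return DNS.get((name.rstrip(".").lower(), rtype), [])


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def host_matches(ip, addrs, cidr):
    """True if ip falls inside any of addrs, each widened to /cidr when given."""
    prefix = int(cidr) if cidr else ip.max_prefixlen
    return any(ip in ipaddress.ip_network("%s/%d" % (a, prefix), strict=False) for a in addrs)


def check_spf(domain, client_ip, lookup=lookup):
    """Evaluate the SPF mechanisms this guide uses (ip4/ip6, a, mx, all).

    Mechanisms are tried left to right and the first match decides; a record
    with no matching mechanism and no 'all' term yields 'neutral'.
    """
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"       # more than one SPF record is an error per the RFC
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if "/" in mech:                      # "a/24" form: CIDR without explicit domain
            mech, _, slash = mech.partition("/")
            arg = "%s/%s" % (domain, slash)
        target, _, cidr = (arg or domain).partition("/")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_matches(ip, lookup(target, "A"), cidr)
        elif mech == "mx":
            matched = any(host_matches(ip, lookup(mx, "A"), cidr) for mx in lookup(target, "MX"))
        else:
            raise NotImplementedError("mechanism %r is not covered by this example" % mech)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.7"):
        print(ip, check_spf("yourdomain.no", ip))
```

Note that the a mechanism makes the web server on the apex record a permitted sender; if that box is compromised, its spam passes SPF for your domain, so drop a from the record unless the web host really sends mail.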

DKIM Configuration

DKIM signs your emails cryptographically. We use opendkim.

apt-get install opendkim opendkim-tools

Generate your keys. This is critical for passing Yahoo! and Gmail checks.

mkdir -p /etc/opendkim/keys/yourdomain.no
opendkim-genkey -s default -d yourdomain.no -D /etc/opendkim/keys/yourdomain.no
chown -R opendkim:opendkim /etc/opendkim/keys

Once generated, cat the default.txt file and publish its contents as a TXT record named default._domainkey.yourdomain.no. It is the public key receivers use to verify your signatures; if your DNS panel splits long values, make sure the p= value arrives in one piece. Generating the key does not sign anything by itself: point opendkim.conf at it (Domain, Selector, KeyFile and a Socket such as inet:8891@localhost), then tell Postfix to run mail through the milter with smtpd_milters = inet:localhost:8891 and non_smtpd_milters = $smtpd_milters, restart both services, and confirm that a sent message carries a DKIM-Signature header.
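What a DKIM signature actually protects is easiest to see from the bh= tag, the hash of the canonicalized body that opendkim computes before signing the headers. The code below is an added example and not part of the guide or of opendkim: it implements relaxed body canonicalization and the body hash, then checks the bh= tag of a constructed message. It verifies the body hash only; the b= tag (the RSA signature over the headers, which needs the public key from DNS) is out of scope, and build_message() is a stand-in for the signer that emits bh= but leaves b= empty. The addresses and message text are constructed.

```python
import base64
import hashlib
import re


def relaxed_body(body):
    """RFC 6376 relaxed body canonicalization: collapse runs of WSP to one space,
    strip trailing WSP on each line, drop trailing empty lines, end with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body):
    """The value that goes into the bh= tag (relaxed canonicalization, SHA-256)."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_tags(value):
    """Parse a 'k=v; k=v' tag list; folding whitespace inside values is ignored."""
    tags = {}
    for part in value.split(";"):
        k, sep, v = part.partition("=")
        if sep:
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def verify_body_hash(raw_message):
    """Check only the bh= tag of the first DKIM-Signature header: does the body
    still match what the signer hashed? Returns False if there is no signature."""
    head, _, body = raw_message.partition("\r\n\r\n")
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)      # join folded header lines
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "dkim-signature":
            continue
        tags = dkim_tags(value)
        body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
        if body_canon != "relaxed":
            raise NotImplementedError("this example covers relaxed body canonicalization only")
        return tags.get("bh") == body_hash(body)
    return False


# Constructed message (example data, not a real customer mail).
HEADERS = "From: shop@yourdomain.no\r\nTo: customer@example.com\r\nSubject: Order 1234\r\n"
BODY = "Your order has shipped.\r\n\r\nThanks for buying.   \r\n\r\n"


def build_message(body):
    """Stand-in for the signing step: emits the bh= tag, leaves b= empty."""
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.no; s=default;\r\n"
           "\th=from:to:subject; bh=%s;\r\n\tb=" % body_hash(body))
    return HEADERS + "DKIM-Signature: " + sig + "\r\n\r\n" + body


if __name__ == "__main__":
    msg = build_message(BODY)
    print("intact:", verify_body_hash(msg))
    print("tampered:", verify_body_hash(msg.replace("has shipped", "was cancelled")))
```

The relaxed algorithm is why a mailing list or gateway that reflows whitespace does not break the signature, while any change to the words does; if Gmail reports a dkim=fail on your mail, comparing the bh= you sent with the hash of the body as received tells you whether the body or the headers were altered in transit.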

Data Privacy and Reliability in Norway

Operating in Norway means adhering to the Personopplysningsloven. While we aren't lawyers, we know that data sovereignty matters. Hosting your mail server on a VPS physically located in Oslo (via NIX) ensures your data stays within Norwegian jurisdiction, satisfying strict compliance requirements for local businesses.

Furthermore, latency matters. If your web application connects to this mail server via localhost or a private LAN, the speed is instant. But if you are connecting from an office in Bergen to a server in Texas, the handshake lag is noticeable. CoolVDS peers directly at NIX, offering sub-10ms latency to most Norwegian ISPs.

Testing the Configuration

Never assume it works. Test it manually via Telnet to see the raw SMTP dialogue. This is how the battle-hardened debug.

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.yourdomain.no ESMTP Postfix (Debian/GNU)
EHLO test.com
250-mail.yourdomain.no
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test from CoolVDS

This is a test.
.
250 2.0.0 Ok: queued as 4324324

If you see 250 Ok, your basic transport is working. If you get Relay access denied, the client was neither in mynetworks nor authenticated and the recipient was not one of your domains; that is the correct answer for a stranger, so do not silence it by widening mynetworks. Your own clients should authenticate instead. Also look at the EHLO reply: if AUTH PLAIN LOGIN is advertised on this unencrypted session, as it is above, passwords can travel in the clear; set smtpd_tls_auth_only = yes so that AUTH is only offered after STARTTLS.

Conclusion

Email is the lifeblood of business. A dropped email is a lost contract. By building your stack on CoolVDS, you gain the I/O performance of SSDs to handle massive queues and the clean IP reputation necessary to keep the spam filters happy. Combine that with the configuration above, and you have a mail server that commands respect.

Don't risk your reputation on shared hosting blacklists. Deploy a clean, SSD-powered VPS with CoolVDS today and take full control of your inbox.