The 2012 Guide to Bulletproof Postfix Configuration on CentOS 6
Let’s be honest: configuring a mail server in 2012 is a nightmare. Between aggressive RBLs (Real-time Blackhole Lists), the Sender Policy Framework (SPF) that the big receivers now actually check, and the constant threat of becoming a spam relay, most sysadmins would rather manage a broken printer fleet. But if you care about data privacy and don't want your corporate communications scanned by US-based giants, you need to host your own.
I've spent the last week cleaning up a client's mess after they deployed a default Postfix install on a cheap shared host. The result? Their IP was blacklisted by Spamhaus within four hours. Don't be that guy.
This guide covers a production-ready Postfix deployment on CentOS 6.3. We will focus on security, deliverability, and compliance with the Norwegian Personal Data Act (Personopplysningsloven), because if you are hosting here in Norway or serving EU clients, Datatilsynet does not joke around with log retention.
1. The Foundation: DNS and PTR Records
Before you even touch yum, check your DNS. The number one reason mail fails isn't your config; it's your reputation. Every receiving MTA looks up the PTR record of your sending IP, and most of them resolve that name forward again (forward-confirmed reverse DNS). If the PTR is missing, is the provider's generic name, or does not resolve back to your IP, you look like a botnet member and end up in the junk folder or rejected outright.
You need a hosting provider that allows full control over PTR records. This is why I use CoolVDS for my mail relays. Unlike budget providers where you have to open a support ticket and wait 24 hours for a DNS update, CoolVDS lets you set the PTR record instantly in the control panel. In a disaster recovery scenario, that speed saves your reputation.
Pro Tip: Set your hostname to a fully qualified domain name (FQDN) like mail.example.no, not just example.no. On CentOS 6 that means HOSTNAME=mail.example.no in /etc/sysconfig/network, the same name in myhostname, and the same name in the PTR record.
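Added example (my code, not part of the original guide): a small Python version of the forward-confirmed reverse DNS check a receiving MTA performs, so you can verify the PTR before sending a single message. The resolver functions are parameters, so the same logic also runs offline against the constructed sample data in the block; the addresses and names are the guide's example values.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a mail relay.

Added example, not part of the original guide. A receiving MTA looks up the
PTR record of the connecting IP and resolves that name forward again; the
check passes only if the forward lookup leads back to the same IP.
"""
import socket
import sys


def ptr_lookup(ip):
    """PTR name for ip via the system resolver, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def a_lookup(name):
    """Set of IPv4 addresses name resolves to, via the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def fcrdns(ip, expected_hostname, ptr=ptr_lookup, forward=a_lookup):
    """Evaluate FCrDNS for ip and return (ok, reason).

    ok is True only when the PTR name equals expected_hostname (the value of
    myhostname) and that name resolves back to ip. ptr and forward are
    injectable so the logic can be exercised offline against constructed data.
    """
    name = ptr(ip)
    if name is None:
        return False, "no PTR record for %s" % ip
    name = name.rstrip(".").lower()
    if name != expected_hostname.rstrip(".").lower():
        # Typical failure: the hosting provider's generic name is still in place.
        return False, "PTR is %s, expected %s" % (name, expected_hostname)
    addrs = forward(name)
    if ip not in addrs:
        return False, "%s resolves to %s, not back to %s" % (name, sorted(addrs) or "nothing", ip)
    return True, "%s <-> %s confirmed" % (ip, name)


# Constructed sample zone data for offline demonstration (not real DNS).
SAMPLE_PTR = {"192.0.2.10": "mail.example.no.", "198.51.100.7": "vps-7.hoster.example"}
SAMPLE_A = {"mail.example.no": {"192.0.2.10"}, "vps-7.hoster.example": {"198.51.100.7"}}


def fcrdns_offline(ip, expected_hostname):
    """Same check, answered from the constructed sample data above."""
    return fcrdns(ip, expected_hostname, ptr=SAMPLE_PTR.get,
                  forward=lambda n: SAMPLE_A.get(n, set()))


if __name__ == "__main__":
    # Usage: python fcrdns.py 192.0.2.10 mail.example.no  (uses the real resolver)
    ok, why = fcrdns(sys.argv[1], sys.argv[2])
    print("OK" if ok else "FAIL", why)
    sys.exit(0 if ok else 1)
```

Run it against your own relay from any machine with a working resolver; a non-zero exit means fix the PTR (or the forward record) before you go further. The second sample entry is the case the guide warns about: the provider's generic name is a valid PTR, but it is not your hostname.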
2. Installation and Basic Setup
CentOS 6 ships Postfix 2.6 (2.6.6 in the base repository), and that is what this guide uses. 2.9 is current upstream if you build from source, but the stock package is stable, battle-tested and receives security fixes through yum, so stay with it unless you need a newer feature.
[root@mail ~]# yum remove sendmail
[root@mail ~]# yum install postfix
[root@mail ~]# alternatives --set mta /usr/sbin/sendmail.postfix
[root@mail ~]# chkconfig postfix on
Now, let’s strip the configuration down to the essentials. Open /etc/postfix/main.cf. I’ve seen too many configs bloated with copy-pasted garbage from 2005.
# /etc/postfix/main.cf basics
myhostname = mail.example.no
mydomain = example.no
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# NETWORK CONTROL
mynetworks = 127.0.0.0/8, [::1]/128
home_mailbox = Maildir/
3. Securing the Relay (The Most Critical Step)
If you mess this up, spammers will hijack your server to sell Viagra, and your clean CoolVDS IP will be burned. We need strict smtpd_recipient_restrictions. In Postfix 2.6 this single list decides both whether a client may relay through you and whether inbound mail for your own domains is accepted: it is evaluated at RCPT TO, top to bottom, and the first restriction that permits or rejects wins.
The logic is simple: Allow your networks. Allow authenticated users (SASL). Reject everything else that tries to relay.
# /etc/postfix/main.cf security settings
# Disable VRFY to prevent username harvesting
disable_vrfy_command = yes
# Require HELO handshake
smtpd_helo_required = yes
# The Gatekeeper
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_rbl_client zen.spamhaus.org
Notice the reject_rbl_client at the end? For every client that survives the earlier checks, Postfix asks zen.spamhaus.org in real time whether the connecting IP is listed, and that alone stops the bulk of incoming junk before it touches your disk. Keep it last so you only pay the DNS lookup for clients that passed the cheap checks. That lookup is a network round trip, not a disk operation, so what matters here is your resolver, not your I/O: if the DNSBL query times out, Postfix treats the client as not listed and the spam gets in, while a failed lookup for reject_unknown_sender_domain yields a 450 and legitimate mail is deferred. Run a local caching resolver (on CentOS 6 the bind package's default named.conf is a caching-only configuration) and point /etc/resolv.conf at it; from a well-connected European VPS such as CoolVDS the remaining latency to the Spamhaus mirrors is a few milliseconds.
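Added example (not Postfix code; a model I wrote for this section): how the restriction list above is walked, using the guide's own mynetworks and mydestination values, a constructed DNSBL answer and constructed client sessions. It shows the first-match rule, that permit_mynetworks and permit_sasl_authenticated short-circuit every later check, and what an outsider gets when reject_unauth_destination is missing.

```python
"""Model of how Postfix walks smtpd_recipient_restrictions.

Added example, not Postfix source. Postfix evaluates the list top to bottom
at RCPT TO; the first restriction that yields PERMIT or REJECT decides, a
restriction that does not apply yields DUNNO and evaluation continues, and
falling off the end means permit. The settings below mirror the guide's
main.cf; the DNSBL answer and the client sessions are constructed.
"""
import ipaddress
import re

MYNETWORKS = ["127.0.0.0/8"]
MYDESTINATION = {"mail.example.no", "localhost.example.no", "localhost", "example.no"}
DNSBL_LISTED = {"203.0.113.7"}          # stands in for a zen.spamhaus.org answer

FQDN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)   # at least one dot


def _domain(address):
    return address.rpartition("@")[2].lower()


def permit_mynetworks(c):
    ip = ipaddress.ip_address(c["ip"])
    return "PERMIT" if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(c):
    return "PERMIT" if c.get("sasl") else "DUNNO"


def reject_unauth_destination(c):
    # Real Postfix also lets $relay_domains through here; this model has none.
    return "DUNNO" if _domain(c["rcpt"]) in MYDESTINATION else "REJECT 554 Relay access denied"


def reject_non_fqdn_helo_hostname(c):
    return "DUNNO" if FQDN.match(c["helo"]) else "REJECT 504 need fully-qualified HELO hostname"


def reject_non_fqdn_sender(c):
    if c["sender"] == "" or FQDN.match(_domain(c["sender"])):   # null sender (bounces) is fine
        return "DUNNO"
    return "REJECT 504 need fully-qualified sender address"


def reject_rbl_client(c):
    return "REJECT 554 client blocked using zen.spamhaus.org" if c["ip"] in DNSBL_LISTED else "DUNNO"


RESTRICTIONS = [
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,       # the relay check; everything below is inbound-only
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_rbl_client,               # last: DNS lookup only for clients that got this far
]


def evaluate(client, restrictions=RESTRICTIONS):
    """Return (verdict, name of the restriction that produced it)."""
    for restriction in restrictions:
        verdict = restriction(client)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "PERMIT", "end of list"


def session(ip, helo, sender, rcpt, sasl=False):
    """Build one constructed client session for evaluate()."""
    return {"ip": ip, "helo": helo, "sender": sender, "rcpt": rcpt, "sasl": sasl}


if __name__ == "__main__":
    cases = [
        session("198.51.100.20", "test.com", "a@test.com", "b@gmail.com"),      # relay attempt
        session("198.51.100.20", "test.com", "a@test.com", "post@example.no"),  # inbound, clean
        session("198.51.100.20", "laptop", "a@test.com", "post@example.no"),    # bad HELO
        session("127.0.0.1", "laptop", "root", "b@gmail.com"),                  # local client
        session("198.51.100.20", "laptop", "a@test.com", "b@gmail.com", sasl=True),
        session("203.0.113.7", "spam.test.com", "x@test.com", "post@example.no"),
    ]
    for c in cases:
        print("%-15s helo=%-14s rcpt=%-16s -> %s %s" % (c["ip"], c["helo"], c["rcpt"], *evaluate(c)))
```

Two things the model makes visible. First, the local client with HELO "laptop" is permitted: permit_mynetworks fires before any HELO check, which is exactly why mynetworks must be no wider than your own hosts. Second, drop reject_unauth_destination from the list and the outsider sending to gmail.com falls off the end with PERMIT, i.e. an open relay; Postfix 2.6 in fact refuses to start when smtpd_recipient_restrictions contains no reject_unauth_destination or other unconditional reject, but a permit placed above it is not caught.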
4. Implementing SPF (Sender Policy Framework)
In 2012, SPF is no longer optional if you want to hit the Gmail or Hotmail inbox. You need to tell the world which IPs are allowed to send mail for your domain.
Create a TXT record in your DNS zone. mx and a cover the addresses of your MX hosts and of example.no itself, ip4 names the relay explicitly, and -all tells receivers to reject everything else. Publish ~all (softfail) until you are sure every legitimate sender, including any web host or hosted service that sends as your domain, is listed, then switch to -all:
example.no. IN TXT "v=spf1 mx a ip4:192.0.2.10 -all"
Then install the Perl-based SPF policy daemon to check incoming mail. It rejects a message when the envelope sender's domain publishes an SPF record that does not authorise the connecting IP, which stops crude forgery of your own and other SPF-protected domains (phishing from look-alike domains is a different problem). perl-Mail-SPF is not in the base CentOS repositories; enable EPEL first. Postfix on CentOS keeps its daemons in /usr/libexec/postfix (see postconf daemon_directory), not /usr/lib/postfix:
[root@mail ~]# yum install perl-Mail-SPF
[root@mail ~]# wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.010.tar.gz
[root@mail ~]# tar xvf postfix-policyd-spf-perl-2.010.tar.gz
[root@mail ~]# cp postfix-policyd-spf-perl-2.010/postfix-policyd-spf-perl /usr/libexec/postfix/policyd-spf-perl
[root@mail ~]# chmod 755 /usr/libexec/postfix/policyd-spf-perl
Postfix will not talk to the script until a service for it exists. Add this to /etc/postfix/master.cf (the second line must start with whitespace):
# /etc/postfix/master.cf: policy service spawned on demand
policy  unix  -       n       n       -       0       spawn
  user=nobody argv=/usr/libexec/postfix/policyd-spf-perl
Then wire it into the smtpd_recipient_restrictions list from section 3 rather than adding a second copy of the parameter (if main.cf sets a parameter twice, the last definition wins). It goes directly after reject_unauth_destination: a policy service that can answer OK before the relay check would turn you into an open relay, and running it earlier wastes SPF lookups on relay attempts that will be refused anyway. policy_time_limit is the spawn(8) time limit for the policy service:
# /etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policy,
    ...
policy_time_limit = 3600
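Added example (mine, not the Perl daemon or Mail::SPF): a minimal evaluator for the SPF record above, run against constructed zone data for example.no, plus the action a Postfix policy service would hand back for each result. It goes beyond the page's record in supporting ip6 and the softfail qualifier; the zone data, addresses and the second and third sample domains are assumptions.

```python
"""Minimal SPF (RFC 4408) evaluator covering the record in this guide.

Added example, not the Perl policy daemon or Mail::SPF. It handles the
ip4, ip6, a, mx and all mechanisms with the four qualifiers, which is all
that "v=spf1 mx a ip4:192.0.2.10 -all" needs; include, redirect, exists,
ptr, macros and the DNS-lookup limit are left to a real library. DNS is an
injected object so the code runs offline against constructed zone data.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SampleZone:
    """Constructed stand-in for the resolver; not real DNS data."""
    TXT = {"example.no": ["v=spf1 mx a ip4:192.0.2.10 -all"],
           "soft.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
           "broken.example": ["v=spf1 -all", "v=spf1 +all"]}   # two records: permerror
    A = {"example.no": ["192.0.2.20"],
         "mail.example.no": ["192.0.2.10"],
         "backup-mx.example.no": ["198.51.100.30"]}
    MX = {"example.no": ["mail.example.no", "backup-mx.example.no"]}

    def txt(self, name):
        return self.TXT.get(name, [])

    def a(self, name):
        return self.A.get(name, [])

    def mx(self, name):
        return self.MX.get(name, [])


def _in(ip, spec):
    # ipaddress answers False when the address and network families differ
    return ip in ipaddress.ip_network(spec, strict=False)


def check_spf(ip, domain, dns):
    """Return the SPF result for mail claiming `domain` from client `ip`."""
    ip = ipaddress.ip_address(ip)
    records = [t for t in dns.txt(domain)
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"              # RFC 4408 4.5: more than one record
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            hit = _in(ip, arg)
        elif mech == "a":
            hit = any(_in(ip, a) for a in dns.a(arg or domain))
        elif mech == "mx":
            hit = any(_in(ip, a) for host in dns.mx(arg or domain) for a in dns.a(host))
        else:
            return "permerror"          # include, exists, ptr, ... not implemented here
        if hit:
            return QUALIFIERS[qualifier]
    return "neutral"                    # RFC 4408 4.7: nothing matched and no "all"


def policy_action(result, ip, domain):
    """What a check_policy_service helper would answer Postfix.

    Only a hard fail is rejected; every other result is recorded in a header
    and left to the remaining restrictions (PREPEND is a Postfix policy action).
    """
    if result == "fail":
        return "550 5.7.1 SPF fail: %s is not authorised to send for %s" % (ip, domain)
    return "PREPEND Received-SPF: %s (%s: client %s)" % (result, domain, ip)


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "198.51.100.30", "203.0.113.9", "2001:db8::1"):
        result = check_spf(client, "example.no", SampleZone())
        print("%-14s %-8s %s" % (client, result, policy_action(result, client, "example.no")))
```

The IPv6 client is the case worth noticing: the record lists only IPv4 addresses, so once your relay also speaks IPv6 (inet_protocols = all) you must add an ip6 term or your own mail fails SPF.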
5. Performance Tuning for the Norwegian Context
Mail queues are I/O intensive. When a newsletter goes out, or a spam wave hits, your disk creates thousands of small files in /var/spool/postfix. On a standard mechanical HDD, your iowait will skyrocket, causing the server to stall. I’ve seen mail queues back up for hours on budget hosts.
While enterprise SSDs are still a luxury in the dedicated server market, CoolVDS utilizes high-performance storage arrays that handle random write operations significantly better than standard SATA drives. For a mail server, this I/O throughput is the difference between instant delivery and a 30-minute lag.
Logging and Compliance
Under the EU Data Protection Directive and Norwegian law, you must be careful about what you log. Postfix records every transaction (client IP, envelope sender and recipient, message ID) through syslog, which on CentOS 6 means rsyslog writing /var/log/maillog; that is personal data, so decide on a retention period you can justify and enforce it with logrotate. Make sure rotation is configured so the disk does not fill up, but also check how long the rotated copies are kept.
# /etc/logrotate.d/maillog: give maillog its own stanza so its retention can
# differ from the rest of syslog, and remove /var/log/maillog from the shared
# stanza in /etc/logrotate.d/syslog (logrotate errors out on a duplicate log entry)
[root@mail ~]# cat /etc/logrotate.d/maillog
/var/log/maillog {
    weekly
    rotate 4
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
weekly with rotate 4 keeps roughly one month on disk. delaycompress leaves the newest rotated file uncompressed until the next run, so nothing rsyslog writes between the rename and the HUP is lost inside a gzip stream.
Don't keep logs longer than necessary. If Datatilsynet comes knocking for an audit, you want a clean, compliant retention policy, not three years of user metadata sitting on a forgotten partition.
6. Testing
Once you restart Postfix (service postfix restart), do not just assume it works. From a machine outside mynetworks (your laptop on another network; testing from the server itself only proves that 127.0.0.1 is trusted), telnet to port 25 and try to relay to a domain you do not host.
[user@laptop ~]$ telnet mail.example.no 25
Trying 192.0.2.10...
Connected to mail.example.no.
Escape character is '^]'.
220 mail.example.no ESMTP Postfix
EHLO test.com
250-mail.example.no
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
554 5.7.1 : Relay access denied
If you see Relay access denied, the relay check is doing its job. If instead you see 250 2.1.5 Ok for a recipient in a domain you do not host, shut it down immediately and find the hole: a mynetworks wider than your own hosts (a whole provider subnet, or the range behind a NAT gateway), a permit placed before reject_unauth_destination, or a policy service that answers OK. Then repeat the test with RCPT TO a real address at example.no; that one must get a 250, otherwise the restrictions are too tight and you are rejecting legitimate inbound mail.
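Added example (mine, not from the guide): the manual telnet session above as a script, so the relay test can run from a cron job or a deploy pipeline and fail loudly. The hostnames and addresses are placeholders, and the ScriptedServer class is a constructed stand-in so the classification logic can be exercised without a live server; against a real server the script uses smtplib.

```python
"""Scripted version of the manual telnet relay test.

Added example, not from the original guide. It drives an SMTP session to
the RCPT TO stage with a recipient in a domain the server does not host
and classifies the reply. The connection object is a parameter so the
same logic runs against smtplib.SMTP or the constructed ScriptedServer
below; the hostnames and addresses are placeholders.
"""
import smtplib
import sys


def _text(msg):
    return msg.decode("ascii", "replace") if isinstance(msg, bytes) else str(msg)


def probe_relay(conn, helo="probe.example.org", sender="probe@example.org",
                rcpt="victim@example.com"):
    """Return (verdict, reply); verdict is 'closed', 'OPEN RELAY' or 'unclear'.

    rcpt must be in a domain that is in neither mydestination nor
    relay_domains: for a local recipient 250 is the correct answer and
    proves nothing about relaying.
    """
    code, msg = conn.docmd("EHLO", helo)
    if code != 250:                       # no ESMTP: fall back to HELO
        code, msg = conn.docmd("HELO", helo)
        if code != 250:
            return "unclear", "HELO rejected: %d %s" % (code, _text(msg))
    code, msg = conn.docmd("MAIL", "FROM:<%s>" % sender)
    if code != 250:
        return "unclear", "MAIL FROM rejected: %d %s" % (code, _text(msg))
    code, msg = conn.docmd("RCPT", "TO:<%s>" % rcpt)
    reply = "%d %s" % (code, _text(msg))
    if code == 250:
        return "OPEN RELAY", reply        # accepted mail for someone else's domain
    if code in (550, 554) or (code == 450 and "relay" in reply.lower()):
        return "closed", reply            # reject_unauth_destination (450: defer_unauth_destination)
    return "unclear", reply               # greylisting, rate limiting, ...: re-test later


class ScriptedServer:
    """Constructed stand-in that answers 250 to everything except RCPT TO."""

    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
        self.transcript = []

    def docmd(self, cmd, args=""):
        self.transcript.append("%s %s" % (cmd, args))
        return self.rcpt_reply if cmd == "RCPT" else (250, b"OK")


if __name__ == "__main__":
    # Usage: python probe_relay.py mail.example.no   (run from OUTSIDE mynetworks)
    with smtplib.SMTP(sys.argv[1], 25, timeout=20) as smtp:
        verdict, reply = probe_relay(smtp)
    print(verdict, "-", reply)
    sys.exit(1 if verdict == "OPEN RELAY" else 0)
```

smtplib's docmd sends one command and returns the numeric code and text, which is exactly the manual session reduced to a function call; the context manager sends QUIT for you. Leave the default recipient as a domain you genuinely do not serve, and run the probe from a host that is not in mynetworks and does not authenticate, otherwise every run reports an open relay that is not one.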
Summary
Running a mail server in 2012 requires vigilance. The spammers are getting smarter, and the blocklists are getting stricter. By using a solid configuration on CentOS 6 and hosting on infrastructure with clean IP reputation and high I/O performance like CoolVDS, you ensure your emails actually land where they belong: the inbox.
Ready to deploy? Stop fighting with slow legacy hardware. Spin up a CoolVDS instance in Oslo today and give your Postfix queue the throughput it deserves.