The Art of the SMTP Relay: Configuring Postfix on CentOS 6
If you are still running Sendmail in 2012, stop. Just stop. It is a monolithic beast that has caused more sleepless nights for sysadmins than faulty RAID controllers. The modern standard is Postfix: modular, secure by design, and fast enough to handle high-volume queues without choking your CPU.
I recently inherited a mess of a project where a client was hosting their newsletter infrastructure on a cheap, oversold VPS in Texas. Their emails were landing straight in the junk folder. Why? Because the provider's IP range was dirtier than a subway floor. They had zero control over Reverse DNS (PTR), and the latency to their Norwegian customer base was pushing 180ms.
We migrated them to a CoolVDS instance in Oslo. We fixed the PTR, configured Postfix properly, and inbox rates hit 99% overnight. Here is exactly how we did it.
The Pre-Flight Check: IP Reputation & Latency
Before you even type yum install, you need to understand the environment. Email is not just about software; it is about reputation.
- Clean IP Address: You need a dedicated IP. Shared IPs are a death sentence for deliverability because one neighbor sending spam blacklists everyone. At CoolVDS, we monitor our IP ranges aggressively. If someone spams, they are gone. This keeps the neighborhood clean for you.
- Reverse DNS (PTR): Forward DNS (domain to IP) isn't enough. Major ISPs (Hotmail, Gmail, Yahoo) require the IP to resolve back to the domain.
- Data Sovereignty: With the Datatilsynet (Norwegian Data Protection Authority) tightening its grip on privacy, and the US Patriot Act scaring European businesses, hosting your mail data on Norwegian soil is not just a technical preference—it's becoming a legal necessity.
Step 1: Installation and Housekeeping
We are using CentOS 6.2 for this guide. It’s stable, and the RPMs are solid.
yum remove sendmail
yum install postfix
Once installed, set it as the default MTA (Mail Transfer Agent):
alternatives --set mta /usr/sbin/sendmail.postfix
Step 2: The main.cf Configuration
The default config is too permissive. Open /etc/postfix/main.cf. We are going to lock this down.
First, set your identity. This must match your PTR record.
myhostname = mail.yourdomain.no
mydomain = yourdomain.no
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
Pro Tip: I explicitly set inet_protocols = ipv4. While IPv6 is the future, in 2012 it is still a configuration headache for many spam filters. Unless you have a specific need and a perfectly configured IPv6 stack, stick to IPv4 to avoid delivery timeouts.
The Critical Security Restrictions
This is where most people fail. You need to tell Postfix exactly who is allowed to talk to it. If you get this wrong, you become an Open Relay, and you will be blacklisted by Spamhaus within hours.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
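This configuration lets only your trusted networks and authenticated users relay mail to outside domains; everyone else can only deliver to domains this server is responsible for. Postfix evaluates the list from top to bottom and stops at the first restriction that matches, so the order matters. Mail that gets past reject_unauth_destination is then checked against the Spamhaus and SpamCop real-time blacklists, saving your server from processing junk.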
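To check a restriction list before it goes live, here is an added example (not from the original article and not Postfix's own code) that walks the list the way described above, first match wins, and reports whether an outside host could relay. The mynetworks and mydestination values, the client address 198.51.100.7 and all function names are assumptions; only mydestination is consulted to decide which domains are "ours", which is a simplification.

```python
import ipaddress
import re

# Constructed sample: the article's restriction list plus assumed mynetworks/mydestination.
PAGE_CONF = """\
mydestination = yourdomain.no
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
"""

def split(value):
    return [t for t in re.split(r"[,\s]+", value) if t]

def parse_main_cf(text):
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:  # an indented line continues the previous one
            params[last] += " " + line.strip()
        else:
            last, _, value = (part.strip() for part in line.partition("="))
            params[last] = value
    return params

def decide(params, client_ip, rcpt_domain, authenticated=False, rbl_hits=()):
    """Simplified first-match walk; reaching the end of the list permits."""
    ip = ipaddress.ip_address(client_ip)
    trusted = any(ip in ipaddress.ip_network(n) for n in split(params["mynetworks"]))
    ours = rcpt_domain in split(params["mydestination"])
    tokens = iter(split(params["smtpd_recipient_restrictions"]))
    for name in tokens:
        if name == "permit_mynetworks" and trusted:
            return "permit"
        if name == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if name == "reject_unauth_destination" and not ours:
            return "reject"
        if name == "reject_rbl_client" and next(tokens) in rbl_hits:
            return "reject"
    return "permit"

def relays_for_strangers(conf_text):
    # True if an unauthenticated outside host may send to a foreign domain.
    return decide(parse_main_cf(conf_text), "198.51.100.7", "example.org") == "permit"
```

Replacing 127.0.0.0/8 with 0.0.0.0/0 in the sample makes relays_for_strangers return True, because permit_mynetworks matches before reject_unauth_destination is ever reached. On the real server, postconf mynetworks shows the value actually in effect.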
Step 3: Storage Performance Matters
People forget that email is I/O intensive. A mail queue is essentially thousands of tiny files being written, read, and deleted constantly. On a standard SATA drive, high IOPS (Input/Output Operations Per Second) will cause iowait to spike, making your server sluggish.
This is why we build CoolVDS nodes with enterprise-grade RAID-10 arrays. We stripe the data across multiple disks for speed and mirror it for redundancy. When your marketing team blasts out 50,000 emails, you don't want the disk queue to lock up your web server.
Step 4: SPF Records (The ID Card)
Sender Policy Framework (SPF) is not optional anymore. It is a DNS TXT record that tells the world which IPs are allowed to send email for your domain.
Add this to your DNS zone file:
yourdomain.no. IN TXT "v=spf1 mx a ip4:123.123.123.123 -all"
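This says: "Only my MX records, my A record IP, and this specific IP are valid. Fail everything else." Receiving servers that check SPF can then reject mail sent in your domain's name from any other IP, which stops spammers from spoofing your domain.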
Step 5: Restart and Test
service postfix restart
chkconfig postfix on
Tail your logs immediately. I live inside /var/log/maillog. If you see errors, fix them before you try to send a single mail.
Conclusion
Running a mail server in 2012 requires diligence. You are fighting a war against spammers on one side and aggressive spam filters on the other. You need a clean network, fast storage for queue processing, and a rock-solid configuration.
Don't gamble your business communications on budget hosting with dirty IP neighborhoods. Deploy a CoolVDS instance in Oslo today. We handle the infrastructure stability and network purity so you can focus on the config.