The Ironclad Postfix Guide: Building a Bulletproof Mail Server on CentOS 6
I have lost count of the number of times I've watched a legitimate business grind to a halt because their shared hosting provider got blacklisted. One compromised WordPress site on a shared IP, and suddenly your CEO's emails to Oslo are bouncing back with a 554 Service Unavailable. It is amateur hour.
If you are serious about infrastructure, you handle your own transport. But be warned: running a mail server in 2012 is not for the faint of heart. It is a war against spammers, open relays, and the ever-watchful eye of Spamhaus. This guide is not a "Quick Start." This is how we build mail servers that actually deliver, compliant with the rigorous standards of the Norwegian Data Inspectorate (Datatilsynet) and robust enough to handle the load.
The Prerequisite: A Clean Reputation
Before you even touch the terminal, you need infrastructure. You cannot run a mail server on a residential line or a budget VPS where the neighbors are running botnets. You need a static IP with a pristine reputation.
Pro Tip: The number one reason for email delivery failure isn't configuration—it's Reverse DNS (rDNS). If your Forward DNS (A Record) points to your IP, but your IP doesn't point back to your hostname, GMail and Hotmail will drop your packets into the void. At CoolVDS, our KVM instances come with full control over PTR records, ensuring your handshake is valid from day one. Do not skip this.
Step 1: The Foundation (CentOS 6)
We are using CentOS 6.2 for this. It is stable, it is boring, and it works. First, strip the default Sendmail installation. It is a relic and we don't want it fighting for port 25.
yum remove sendmail
yum install postfix cyrus-sasl cyrus-sasl-plain mailx
Once installed, we need to configure the alternatives system to ensure the OS knows Postfix is the boss.
alternatives --set mta /usr/sbin/sendmail.postfix
Step 2: Configuring main.cf
The /etc/postfix/main.cf file is where the magic happens. Do not simply copy-paste generic configs from a forum. You need to understand the parameters. Here is a battle-hardened configuration block for a standard setup:
# /etc/postfix/main.cf
# Identity
myhostname = mail.yourdomain.no
mydomain = yourdomain.no
myorigin = $mydomain
# Network
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8
# Mailbox
home_mailbox = Maildir/
# Performance & Limits
message_size_limit = 20480000
mailbox_size_limit = 2048000000
Pay attention to inet_protocols = ipv4. While IPv6 is the future, in 2012, many blacklists (RBLs) behave erratically with IPv6 addresses. Unless you have a specific need and a rock-solid IPv6 strategy, stick to IPv4 for mail to ensure maximum compatibility with legacy receivers.
Step 3: Securing the Perimeter (SASL & TLS)
Sending cleartext passwords over the wire is negligence. If you are operating under Norwegian jurisdiction, you have a responsibility under the Personopplysningsloven to safeguard data. We will use Cyrus SASL for authentication and TLS for encryption.
Enable SASL in Postfix:
# Append to /etc/postfix/main.cf
# SASL Auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
# TLS Encryption
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
You can generate a self-signed certificate for testing, but for production, purchase a valid certificate from a trusted CA like Verisign or Thawte. A mismatch warning in a client's Outlook 2010 is a sure way to lose trust.
Step 4: The Kill List (Anti-Spam Restrictions)
This is the most critical section. We are going to instruct Postfix to reject connections from known bad actors before they even transfer a single byte of data. This saves CPU cycles and disk I/O.
# /etc/postfix/main.cf
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net
The reject_rbl_client directives query real-time blacklists. Zen.spamhaus.org is the gold standard. If an incoming connection is on that list, Postfix drops it immediately. This effectively filters about 90% of junk traffic without you lifting a finger.
Step 5: Testing and Reliability
Restart the service to apply changes:
service postfix restart
chkconfig postfix on
Now, check your logs. Tail /var/log/maillog while sending a test email. You want to see status=sent. If you see status=bounced, read the code. 5xx errors are permanent, 4xx are temporary.
The Storage Bottle-neck
Mail servers are I/O intensive. Every incoming mail requires writing to logs, updating the queue manager, writing the file to the Maildir, and updating indexes. On a traditional mechanical hard drive (HDD), a spam wave can cause your I/O wait to skyrocket, making the server sluggish for everyone.
This is where hardware choice matters. We see many admins trying to save money on budget VPS providers who oversell their storage arrays. The result? Mail queues that take hours to flush. At CoolVDS, we utilize high-performance SSD RAID arrays and low-latency SAS storage tiers. The difference in queue processing speed is not just noticeable; it is measurable.
Conclusion
Building a mail server on CentOS 6 gives you total control over your data, which is crucial for compliance and privacy in Europe. However, software is only half the battle. Without a clean network reputation and fast I/O, your perfect config is useless.
Don't let a noisy neighbor on a shared host destroy your email deliverability. Deploy a clean KVM instance on CoolVDS today, set up your rDNS in our panel, and start delivering to the Inbox, not the Spam folder.