Preventing Spam Relays while maintaining PHP mail functionality.
An unsecured mail server (MTA) is one of the most common ways a VPS gets blacklisted. Spammers scan for "Open Relays"—servers that allow anyone to send mail through them. On CentOS, we must ensure Postfix only listens to our local PHP scripts.
Run the following command to see if Postfix is exposed to the public internet:
netstat -tunlp | grep :25
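If you see 0.0.0.0:25, Postfix is listening on every interface and your server is open to everyone. You want to see 127.0.0.1:25. (The IPv6 equivalents are :::25 for every interface and ::1:25 for loopback.)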
Edit /etc/postfix/main.cf to lock Postfix down to the local loopback address:
# Change 'all' to 'localhost'
inet_interfaces = localhost
# 'all' enables both IPv4 and IPv6, so Postfix binds 127.0.0.1 and ::1; set 'ipv4' for the IPv4 loopback only
inet_protocols = all
Even if Postfix is restricted, it's best practice to ensure the SMTP port is blocked at the firewall level:
firewall-cmd --permanent --remove-service=smtp
firewall-cmd --reload
Setting inet_interfaces to localhost means your PHP mail() function will still work (since it's on the same machine), but outsiders cannot use your 32GB VPS to send spam.
Test that your contact form can still send mail by running a quick PHP CLI test:
php81 -r "mail('your@email.com', 'Security Test', 'Postfix is secure.');"
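The listener check from the first step, as an added example (not part of the original article): a POSIX shell function that reads netstat or ss output and reports any port-25 listener not bound to loopback, including the IPv6 forms. The sample listener tables are constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify port-25 listeners from `netstat -tunlp` or `ss -tln` output.

# Constructed sample: Postfix bound to every interface (the state to fix).
SAMPLE_BEFORE='tcp        0      0 0.0.0.0:25      0.0.0.0:*      LISTEN      1201/master
tcp        0      0 0.0.0.0:22      0.0.0.0:*      LISTEN      988/sshd
tcp6       0      0 :::25           :::*           LISTEN      1201/master'

# Constructed sample: after inet_interfaces = localhost and a Postfix restart.
SAMPLE_AFTER='tcp        0      0 127.0.0.1:25    0.0.0.0:*      LISTEN      1201/master
tcp6       0      0 ::1:25          :::*           LISTEN      1201/master'

# Print every non-loopback address with a listener on port 25 (stdin = listener table).
exposed_smtp_listeners() {
    awk '/LISTEN/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:25$/) {            # first field ending in :25 is the local address
                addr = $i
                sub(/:25$/, "", addr)      # drop the port
                gsub(/\[|\]/, "", addr)    # ss prints IPv6 as [::1]:25
                if (addr !~ /^127\./ && addr != "::1") print addr
                break
            }
        }
    }'
}

# Exit status 0 when port 25 is loopback-only, 1 (with a report on stderr) otherwise.
smtp_loopback_only() {
    exposed=$(exposed_smtp_listeners)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/EXPOSED: port 25 bound to /' >&2
        return 1
    fi
    return 0
}

# Demo on the constructed samples; on a live host use: ss -tln | smtp_loopback_only
printf '%s\n' "$SAMPLE_BEFORE" | smtp_loopback_only || echo "before: reachable from other hosts"
printf '%s\n' "$SAMPLE_AFTER" | smtp_loopback_only && echo "after: loopback only"
```

A change to inet_interfaces takes effect only after Postfix is stopped and started, so rerun the check after a restart rather than after a reload.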