
Final Network - Public Services

IP Configuration

Create and configure an additional dummy interface1 named dmz0 on the Pi. Create a .network configuration for this interface and use it to manage the IP addresses associated with your public-facing network services, which include:

  • the Authoritative name server for your public .pi domain
  • your SMTP mail server (used to send and receive email on your domain)
  • and a webmail server

Authoritative DNS

Your group should configure one public DNS zone per network based on the work you did in the original DNS planning exercise. Within your zone, you'll host records for each of your public services:

  • NS and A records for your authoritative name server
  • MX and A records for the postfix SMTP mail server
  • A records that will point to a rainloop Webmail server

This step should not require very many changes to your Checkpoint #5 configuration. However, you should review named.conf.options and your public zone file to ensure that Bind9 is listening on the authoritative server's address and that the address records reflect the final version of your address planning documentation.

Deploy Dockerized Email

Review the instructions at the docker-mail Github repo. You will need to refer back to these instructions to configure a full suite of email services for your public domain.

Install Docker

The easiest (though not the most secure) method of installing Docker on Raspberry Pi OS is to execute the scripted installer from the Docker website:

curl -sSL get.docker.com | sh # (1)
sudo usermod -aG docker pi # (2) 
  1. Download and run the docker installer, ensuring that it completes without error.
  2. Give the pi user permission to manage Docker. You must exit and log in again before this change will take effect.

Update nftables

In general, Docker does a pretty good job managing its own firewall rules on Linux; however, we will need to make an update so that our containers can reach the outside world. Add a new rule to the forward chain of your filter table, granting Docker access to send outbound packets.

This change is demonstrated in the following example, where we accept all packets originating from the built-in docker0 network along with the custom docker-mail network that we'll be defining shortly.

iifname { eth0, vlan2 } accept
+iifname { docker0, docker-mail } accept
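For context, here is a complete forward chain showing where that rule sits relative to a default-drop policy and connection tracking. This is an added example, not the course's or the docker-mail repository's own ruleset; the table name, the drop policy and the inbound port list are assumptions, so match the ports to the -p flags you actually publish.

```nft
# Added example (not from the course page). Assumes a table named "filter"
# with a forward chain that defaults to drop; eth0/vlan2/docker0/docker-mail
# are the interface names used on the page.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already permitted in either direction.
        ct state established,related accept
        ct state invalid drop

        # Internal networks are allowed to forward out.
        iifname { eth0, vlan2 } accept

        # Containers on the default docker0 bridge and the user-defined
        # docker-mail bridge may originate outbound traffic (the rule the
        # page adds).
        iifname { docker0, docker-mail } accept

        # Docker's own DNAT delivers published ports to the bridge, but with
        # a drop policy this chain must also accept the forwarded packet.
        # Ports below are assumed (SMTP, IMAP, webmail); adjust to what you
        # publish with docker run -p.
        oifname "docker-mail" ct state new tcp dport { 25, 143, 80 } accept

        # Anything else that tries to cross the Pi is dropped and logged.
        log prefix "fwd-drop: " drop
    }
}
```

After loading the file with sudo nft -f, confirm the chain with sudo nft list chain inet filter forward before restarting Docker, because Docker re-inserts its own rules on start-up.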

After loading these rules, you will need to restart the docker service using sudo systemctl restart docker.

Build the Containers

The docker-mail repository provides a basic mail environment based on postfix (SMTP), dovecot (IMAP), and rainloop (webmail) containers. Clone the repository to the Pi.

sudo apt install git
git clone https://github.com/i314-campbell-sp19/docker-mail.git

Navigate to the sub-directories for each service and build a tagged image.

  • In docker-mail/postfix, run docker build -t postfix .
  • In docker-mail/dovecot, run docker build -t dovecot .
  • In docker-mail/rainloop, run docker build -t rainloop .

Create a Custom Container Network

To enable internal communication between our containers, we will attach them to a user-defined docker network. The docker-mail network created here is a bridged network that provides the containers with basic services such as IP address configuration, routing, and DNS resolution of container names.

docker network create --driver bridge --opt com.docker.network.bridge.name=docker-mail docker-mail

If you didn't do it already, update nftables to ensure that outbound traffic from the docker-mail network interface can be forwarded.2

Launch and Configure the Containers

Follow along with the instructions in Github to launch the Postfix, Dovecot, and Rainloop containers. Make sure that you properly configure the correct domain name and SMTP hostname for your domain. Update all three containers to restart automatically when the Pi is rebooted.

Send Test Mail

Until you have completed the routing and .pi TLD configuration with your group, you won't be able to send inter-domain email. For now, verify that you can send an email from pi@ to pi@. Reach out for assistance if the message does not appear in the inbox after refreshing.

We may ask you to run the following commands to assist with debugging:

docker ps # (1)
docker logs postfix # (2)
docker exec -it postfix postqueue -p # (3)
  1. Shows all running containers. You should have three.
  2. Shows log output from postfix container.
  3. Check the mail queue for stuck mail.

  1. See Configuring Dummy Interfaces in systemd-networkd 

  2. Docker must be restarted after reapplying nftables rules. 
