Final Network - Public Services
IP Configuration
Create and configure an additional dummy interface¹ named dmz0 on the Pi. Create a .network configuration for this interface and use it to manage the IP addresses associated with your public-facing network services, which include:
- the authoritative name server for your public .pi domain
- your SMTP mail server (used to send and receive email on your domain)
- and a webmail server
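The following script is an added example (not part of the course materials) showing what the dummy interface and its .network unit look like when written for systemd-networkd. The interface name dmz0 comes from the text; the unit file prefix 10-, the function names and the 192.0.2.x addresses are assumptions and placeholders, to be replaced with the values in your group's address plan.

```shell
#!/bin/sh
# Added example; not part of the course materials. Writes the two
# systemd-networkd units that define a dummy interface and pin the
# public-service addresses to it. Unit prefix and the 192.0.2.x
# addresses below are assumptions/placeholders: take the real values
# from your group's address plan.

# Constructed placeholder addresses (TEST-NET-1), one per public service.
DNS_ADDR="${DNS_ADDR:-192.0.2.10/32}"
MX_ADDR="${MX_ADDR:-192.0.2.11/32}"
WEB_ADDR="${WEB_ADDR:-192.0.2.12/32}"

# write_dummy_units DIR IFNAME ADDR... : create DIR/10-IFNAME.netdev (the
# dummy device itself) and DIR/10-IFNAME.network (one Address= per service).
write_dummy_units() {
    dir="$1"; ifname="$2"; shift 2
    mkdir -p "$dir"
    printf '[NetDev]\nName=%s\nKind=dummy\n' "$ifname" > "$dir/10-$ifname.netdev"
    {
        printf '[Match]\nName=%s\n\n[Network]\n' "$ifname"
        for addr in "$@"; do
            printf 'Address=%s\n' "$addr"
        done
    } > "$dir/10-$ifname.network"
}

# count_addresses DIR IFNAME : number of Address= lines in the .network unit,
# a quick check that every service received an address.
count_addresses() {
    grep -c '^Address=' "$1/10-$2.network"
}

# Run as "sh dmz0.sh install" on the Pi; with no argument it only defines
# the functions, so it can be sourced or tested without touching /etc.
case "${1:-}" in
    install)
        write_dummy_units /etc/systemd/network dmz0 "$DNS_ADDR" "$MX_ADDR" "$WEB_ADDR"
        networkctl reload
        networkctl status dmz0
        ;;
esac
```

The addresses are written with a /32 prefix on purpose: the dummy interface only needs to own the host addresses, while reachability of the public block is handled by the routing your group sets up, so no subnet route is attached to dmz0 that could conflict with that routing.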
Authoritative DNS
Your group should configure one public DNS zone per network based on the work you did in the original DNS planning exercise. Within your zone, you'll host records for each of your public services:
- NS and A records for your authoritative name server
- MX and A records for the Postfix SMTP mail server
- A records that will point to a Rainloop webmail server
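As an added example (not from the course materials), the script below emits a minimal zone with exactly the record types listed above and then checks a property that is easy to get wrong when addresses change: every in-zone NS and MX target must have an A record. The domain example.pi, the serial and the 192.0.2.x addresses are constructed placeholders; the function names are assumptions.

```shell
#!/bin/sh
# Added example; not from the course materials. Emits a minimal public zone
# for the three services above and checks that every NS and MX target that
# lives inside the zone has an A record (an MX pointing at an undefined name
# is a common reason mail for the domain silently goes nowhere).
# The domain, addresses and serial are constructed placeholders.

ZONE="${ZONE:-example.pi}"           # assumed: your group's public domain
NS_ADDR="${NS_ADDR:-192.0.2.10}"     # constructed TEST-NET-1 addresses
MX_ADDR="${MX_ADDR:-192.0.2.11}"
WEB_ADDR="${WEB_ADDR:-192.0.2.12}"

# print_zone : write the zone file to stdout.
print_zone() {
    cat <<EOF
\$TTL 3600
@       IN SOA  ns1.$ZONE. hostmaster.$ZONE. (
                2024010101 ; serial (constructed)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
@       IN NS   ns1.$ZONE.
@       IN MX   10 mail.$ZONE.
ns1     IN A    $NS_ADDR
mail    IN A    $MX_ADDR
webmail IN A    $WEB_ADDR
EOF
}

# check_zone FILE : exit 0 when every in-zone NS/MX target has an A record,
# 1 otherwise (the missing names are printed). Fully qualified targets with
# a different suffix are skipped; they belong to someone else's zone.
check_zone() {
    awk -v zone="$ZONE" '
        BEGIN { suffix = "\\." zone "\\.$" }
        $3 == "A"  { have[$1] = 1 }
        $3 == "NS" { want[$4] = 1 }
        $3 == "MX" { want[$5] = 1 }
        END {
            bad = 0
            for (t in want) {
                name = t
                if (t ~ /\.$/) {                 # fully qualified name
                    if (t !~ suffix) continue    # outside our zone
                    sub(suffix, "", name)        # strip ".zone." -> relative label
                }
                if (!(name in have)) { print "missing A record for " t; bad = 1 }
            }
            exit bad
        }' "$1"
}

# Run as "sh zone.sh write" on the Pi; named-checkzone (from bind9-utils)
# catches syntax errors, check_zone catches dangling NS/MX targets.
case "${1:-}" in
    write)
        print_zone > "/etc/bind/db.$ZONE"
        named-checkzone "$ZONE" "/etc/bind/db.$ZONE"
        check_zone "/etc/bind/db.$ZONE"
        ;;
esac
```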
This step should not require very many changes to your Checkpoint #5 configuration. However, you should review named.conf.options and your public zone file to ensure that Bind9 is listening on the authoritative server's address and that the address records reflect the final version of your address planning documentation.
Deploy Dockerized Email
Review the instructions at the docker-mail Github repo. You will need to refer back to these instructions to configure a full suite of email services for your public domain.
Install Docker
The easiest (though not the most secure, since it runs a script fetched from the internet with root privileges) method of installing Docker on Raspberry Pi OS is to execute the scripted installer from the Docker website:
- Download and run the Docker installer, ensuring that it completes without error.
- Give the pi user permission to manage Docker by adding it to the docker group. You must exit and log in again before this change will take effect. Keep in mind that membership in the docker group is effectively root access on the Pi, since the daemon runs as root.
Update nftables
In general, Docker does a pretty good job managing its own firewall rules on Linux; however, we will need to make an update so that our containers can reach the outside world. Add a new rule to the forward chain of your filter table, granting Docker access to send outbound packets.
This change is demonstrated in the following example, where we accept all packets originating from the built-in docker0 network along with the custom docker-mail network that we'll be defining shortly.
After loading these rules, you will need to restart the docker service using sudo systemctl restart docker.
Build the Containers
The docker-mail repository provides a basic mail environment based on postfix (SMTP), dovecot (IMAP), and rainloop (webmail) containers. Clone the repository to the Pi.
Navigate to the sub-directories for each service and build a tagged image:
- In docker-mail/postfix run docker build -t postfix .
- In docker-mail/dovecot run docker build -t dovecot .
- In docker-mail/rainloop run docker build -t rainloop .
Create a Custom Container Network
To enable internal communication between our containers, we will attach them to a user-defined docker network. The docker-mail network created here is a bridged network that provides the containers with basic services such as IP address configuration, routing, and DNS resolution of container names.
If you didn't do it already, update nftables to ensure that outbound traffic from the docker-mail network interface can be forwarded.²
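The script below is an added example (not from the course repository or from Docker) that ties the two previous steps together: it creates the docker-mail network and adds the forward rule accepting packets from docker0 and docker-mail, as described in the nftables section above. It assumes your ruleset uses a table named inet filter with a chain named forward, and it pins the bridge interface name with the com.docker.network.bridge.name option; without that option Docker names the bridge br-<id>, which a static iifname match cannot predict. The function names are assumptions.

```shell
#!/bin/sh
# Added example; not from the course repository or Docker's own tooling.
# Creates the docker-mail network with a fixed bridge name and adds the
# forward rule that lets packets from the Docker bridges leave the Pi.
# Assumptions: the nftables table is "inet filter" with a chain named
# "forward" (adjust to your ruleset); the bridge option below makes the
# interface name predictable instead of Docker's default br-<id>.

NET_NAME="docker-mail"
BRIDGE_NAME="docker-mail"   # the name iifname will see on the host

# create_network : idempotent creation of the user-defined bridge network.
create_network() {
    docker network inspect "$NET_NAME" >/dev/null 2>&1 && return 0
    docker network create --driver bridge \
        -o "com.docker.network.bridge.name=$BRIDGE_NAME" "$NET_NAME"
}

# forward_rule : the nft statement accepting packets entering from either bridge.
forward_rule() {
    printf 'add rule inet filter forward iifname { "docker0", "%s" } accept\n' "$BRIDGE_NAME"
}

# rule_present RULESET_TEXT : 0 if the forward chain already carries an accept
# rule mentioning BRIDGE_NAME, so re-running the script does not stack duplicates.
rule_present() {
    printf '%s\n' "$1" | awk -v br="$BRIDGE_NAME" '
        /chain forward/ { inchain = 1 }
        inchain && /^[ \t]*}/ { inchain = 0 }
        inchain && /iifname/ && /accept/ && index($0, "\"" br "\"") { found = 1 }
        END { exit !found }'
}

# apply_rule : add the rule to the live ruleset only if it is not there yet.
apply_rule() {
    current=$(nft list ruleset)
    if rule_present "$current"; then
        echo "forward rule already present"
    else
        forward_rule | nft -f -
    fi
    # Docker must be restarted after the nftables rules change (see the note above).
    systemctl restart docker
}

# Run as "sh docker-net.sh apply" on the Pi; no argument only defines functions.
case "${1:-}" in
    apply) create_network && apply_rule ;;
esac
```

Note that this rule only matches packets entering from the container bridges, i.e. the outbound direction; replies coming back to the containers rely on the established/related rule your forward chain should already carry. Remember to persist the same rule in your nftables configuration file, otherwise it disappears at the next reload.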
Launch and Configure the Containers
Follow along with the instructions in Github to launch the Postfix, Dovecot, and Rainloop containers. Make sure that you properly configure the correct domain name and SMTP hostname for your domain. Update all three containers to restart automatically when the Pi is rebooted.
Send Test Mail
Until you have completed the routing and .pi TLD configuration with your group, you won't be able to send inter-domain email. For now, verify that you can send an email from pi@
We may ask you to run the following commands to assist with debugging:
- Shows all running containers. You should have three.
- Shows log output from postfix container.
- Check the mail queue for stuck mail.
-
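As an added example (not part of the course repository), the script below wraps the three checks listed above in one place: that all three containers are running, a look at the postfix container's log, and whether anything is stuck in the mail queue. It assumes the containers are named postfix, dovecot and rainloop, matching the image tags built earlier; the function names and the sample queue listing used in comments are constructed.

```shell
#!/bin/sh
# Added example; not part of the course repo. Wraps the checks listed above
# (containers up, postfix logs, stuck mail) in one script. Container names
# are assumed to match the image tags postfix/dovecot/rainloop; adjust if
# you launched them under other names.

EXPECTED="postfix dovecot rainloop"

# running_names : one running container name per line.
running_names() { docker ps --format '{{.Names}}'; }

# missing_containers NAMES_TEXT : print each expected name absent from NAMES_TEXT.
missing_containers() {
    for c in $EXPECTED; do
        printf '%s\n' "$1" | grep -qx "$c" || echo "$c"
    done
}

# queued_count POSTQUEUE_OUTPUT : number of queued messages, parsed from the
# "-- N Kbytes in M Requests." summary line; "Mail queue is empty" gives 0.
queued_count() {
    printf '%s\n' "$1" | awk '
        /^Mail queue is empty/ { print 0; done = 1; exit }
        /^-- .* in / { for (i = 1; i <= NF; i++) if ($i == "in") { print $(i + 1); done = 1; exit } }
        END { if (!done) print 0 }'
}

# check_all : run the three checks against the live containers; non-zero
# exit if a container is down or mail is waiting in the queue.
check_all() {
    missing=$(missing_containers "$(running_names)")
    if [ -n "$missing" ]; then
        echo "not running:"; echo "$missing"; return 1
    fi
    docker logs --tail 50 postfix
    q=$(queued_count "$(docker exec postfix postqueue -p)")
    echo "messages waiting in the postfix queue: $q"
    [ "$q" -eq 0 ]
}

# Run as "sh mailcheck.sh check" on the Pi; no argument only defines functions.
case "${1:-}" in
    check) check_all ;;
esac
```

A non-empty queue right after a test send usually means the destination domain could not be resolved or reached, which is expected until the group-wide routing and .pi TLD work is finished; the log tail shows which of the two it is.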
² Docker must be restarted after reapplying nftables rules.