Run a mail server on a Raspberry Pi

Have you ever wanted to run your own mail server?

But the Postfix configuration made you suspect that the NSA made it hard on purpose :-DDD

Most probably that's not the case, but nowadays, with some quick Docker cyber, we can have our own mail server in a snap.

First thing, you'll need a Raspberry Pi. Then you'll want to check out the docker mail project. I've created a fork that works on the Raspberry Pi.

Then you get certificates from Let's Encrypt. And then, if your provider blocks port 25, you rent a small server and forward its ports, port 25 for example, to your local Pi.
How to forward (a reverse tunnel; binding the remote's public address like this needs GatewayPorts enabled in the remote's sshd_config):
ssh -R your_remote_server:25:ip_of_docker_container_running_on_pi:25 root@your_remote_ip

Oh, and pick Hypriot as your OS, since it runs Docker out of the box.

For outgoing traffic to port 25 you can route everything through Tor, so that it looks like you are communicating through Tor and the receiving mail servers see the traffic arriving from a Tor exit. Caveat: the default Tor exit policy rejects port 25, so only the few exits that explicitly allow SMTP will carry it.

For that, check out https://blog.jessfraz.com/post/routing-traffic-through-tor-docker-container/

An alternative to the Tor variant is an SSH tunnel that routes the traffic back and forth through your remote host.

Add this to the remote's sshd_config (the -w tunnel below also needs root on both ends, since creating tun devices requires it):
PermitTunnel yes

Then you open two tunnel interfaces to connect your remote to the local Pi (tun0 on the Pi, tun1 on the remote):

ssh -f -w 0:1 root@yourremote true

Then give an IP to your local end:
ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252

and to the tunnel interface on your remote computer:
ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252

Forward traffic from the remote tunnel to the remote's public interface eth0:
iptables -I FORWARD -i tun1 -o eth0 -j ACCEPT
Then do address translation on that public interface, so that the outside world sees your remote computer's IP (the packets leave on eth0, so that is the interface the SNAT has to match):
iptables -A POSTROUTING -t nat -o eth0 -p tcp --dport 25 -j SNAT --to yourremoteip
Turn on forwarding:
sysctl -w net.ipv4.conf.all.forwarding=1
Check that this route exists in the remote routing table (the kernel adds it itself when the tunnel address is assigned, hence proto kernel):
10.1.1.0/30 dev tun1 proto kernel scope link src 10.1.1.1

On the local Pi, create a new routing table by adding this line
200 mail-route
to
/etc/iproute2/rt_tables
then set the default gateway of that routing table to the remote end of the local tunnel interface:
ip route add default via 10.1.1.2 dev tun0 table mail-route

Now mark all traffic to port 25 with mark 1:
iptables -A OUTPUT -t mangle -o tun0 -p tcp --dport 25 -j MARK --set-mark 1

Now everything carrying mark 1 will use our new routing table and will all go through the tunnel:
ip rule add fwmark 0x1 table mail-route

So, I'm not sure if I wrote down all the steps, but the idea is:

you create an SSH tunnel, give IPs to those devices and then create the SNAT on the exit. Now you need to redirect traffic from Docker to the local tunnel interface.

This is the nat table on the local Pi that enables connecting to SMTP port 25 over the remote computer when outbound 25 is blocked by the provider:

Chain PREROUTING (policy ACCEPT 28 packets, 1802 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 120 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        9   540 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       29  1862 SNAT       all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            to:172.17.0.2
2        1    60 SNAT       all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            to:10.1.1.2
3       23  1652 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
4        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:993
5        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:587
6        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:143
7        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:25

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.17.0.2:993
2        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.17.0.2:587
3        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.17.0.2:143
4        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.17.0.2:25

For this to work you need
iptables -I POSTROUTING -t nat -o tun0 -j SNAT --to 10.1.1.2
This still does not make Docker work. To make it work for Docker, more routes need to be added in the mail-route table. They are for the traffic coming back to the internal tun interface, so that once it comes back the host knows where Docker is and can send it to the container:

ip route add 172.17.0.0/16 via 172.17.0.1 dev docker0 table mail-route
ip route add 192.168.1.0/24 via 192.168.1.35 dev eth0 table mail-route
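The steps above collected into one repeatable script, an added example rather than the post's own code: it keeps the addressing of the ifconfig step (local tun0 10.1.1.1, remote tun1 10.1.1.2, whereas the post's later SNAT uses 10.1.1.2 on the local side), attaches the remote's exit SNAT to eth0 where the packets actually leave, and adds a PREROUTING mark for container traffic, because packets forwarded from docker0 never pass the host's OUTPUT chain. The remote public IP 203.0.113.10, docker0 at 172.17.0.1/16 and the Pi's LAN address 192.168.1.35 are placeholders/assumptions.

```shell
#!/bin/sh
# Added example (not the post's script): the tunnel, NAT and policy-routing
# steps above, parameterised and made safe to re-run. Assumed: tun0/tun1 are
# up (ssh -w 0:1), docker0 is 172.17.0.1/16, the Pi's LAN address is 192.168.1.35.
set -eu

REMOTE_IP="${REMOTE_IP:-203.0.113.10}"  # public IP of the rented box (placeholder)
REMOTE_TUN_IP=10.1.1.2                  # tun1 on the remote, as in the ifconfig step
LOCAL_TUN_IP=10.1.1.1                   # tun0 on the Pi
DOCKER_NET=172.17.0.0/16; DOCKER_IP=172.17.0.1
LAN_NET=192.168.1.0/24;   LAN_IP=192.168.1.35
TABLE=mail-route; TABLE_ID=200

# DRY_RUN=1 prints every command instead of executing it (execution needs root).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Append a rule only if -C says it is missing, so re-running the script does not
# pile up duplicates like the repeated MARK rules in the dump below.
ipt() { t=$1; shift; run sh -c "iptables -t $t -C $* 2>/dev/null || iptables -t $t -A $*"; }

remote_side() {
  run ifconfig tun1 "$REMOTE_TUN_IP" pointopoint "$LOCAL_TUN_IP" netmask 255.255.255.252
  run sysctl -w net.ipv4.conf.all.forwarding=1
  ipt filter FORWARD -i tun1 -o eth0 -j ACCEPT
  # packets leave toward the internet on eth0, so the exit SNAT belongs there, not on tun1
  ipt nat POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to-source "$REMOTE_IP"
}

local_side() {
  run ifconfig tun0 "$LOCAL_TUN_IP" pointopoint "$REMOTE_TUN_IP" netmask 255.255.255.252
  run sh -c "grep -q '^$TABLE_ID $TABLE' /etc/iproute2/rt_tables || echo '$TABLE_ID $TABLE' >> /etc/iproute2/rt_tables"
  run ip route replace default via "$REMOTE_TUN_IP" dev tun0 table "$TABLE"
  # the extra table also needs the container and LAN routes, or marked packets never reach them
  run ip route replace "$DOCKER_NET" dev docker0 src "$DOCKER_IP" table "$TABLE"
  run ip route replace "$LAN_NET" dev eth0 src "$LAN_IP" table "$TABLE"
  # mail sent by the Pi itself is marked in OUTPUT; mail from the container is forwarded
  # traffic and is only seen in PREROUTING (this rule is an addition to the post)
  ipt mangle OUTPUT -p tcp --dport 25 -j MARK --set-mark 1
  ipt mangle PREROUTING -i docker0 -p tcp --dport 25 -j MARK --set-mark 1
  run sh -c "ip rule show | grep -q 'fwmark 0x1 lookup $TABLE' || ip rule add fwmark 0x1 table $TABLE"
  # give the container's packets the tunnel address the remote knows how to route back to
  ipt nat POSTROUTING -o tun0 -p tcp --dport 25 -j SNAT --to-source "$LOCAL_TUN_IP"
}

case "${1:-}" in
  remote) remote_side ;;
  local)  local_side ;;
  *) echo "usage: DRY_RUN=1 $0 remote|local" >&2 ;;
esac
```

Run it with DRY_RUN=1 first and compare the printed commands against iptables-save and ip route show table mail-route before letting it touch a live box.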

So here is the complete system config dump.

The file that says which routing tables we have:

$ cat /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
200 mail-route
#
# local
#
#1      inr.ruhep

iptables on local:

$ cat local.fw
# Generated by iptables-save v1.4.21 on Mon Dec 28 23:59:44 2015
*mangle
:PREROUTING ACCEPT [19476:1370924]
:INPUT ACCEPT [16670:1217347]
:FORWARD ACCEPT [1412:95083]
:OUTPUT ACCEPT [18094:8090507]
:POSTROUTING ACCEPT [19723:8192534]
-A OUTPUT -o docker0 -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -o tun0 -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -o docker0 -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -o docker0 -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x1/0xffffffff
-A POSTROUTING -o docker0 -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Mon Dec 28 23:59:44 2015
# Generated by iptables-save v1.4.21 on Mon Dec 28 23:59:44 2015
*nat
:PREROUTING ACCEPT [2186:141299]
:INPUT ACCEPT [462:63786]
:OUTPUT ACCEPT [887:62538]
:POSTROUTING ACCEPT [892:62838]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -o tun0 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.1.1.2
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 993 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 587 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 143 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 25 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 993 -j DNAT --to-destination 172.17.0.2:993
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.17.0.2:587
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 172.17.0.2:143
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.17.0.2:25
COMMIT
# Completed on Mon Dec 28 23:59:44 2015
# Generated by iptables-save v1.4.21 on Mon Dec 28 23:59:44 2015
*filter
:INPUT ACCEPT [16389:1201691]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17774:7850871]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 993 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 143 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
# Completed on Mon Dec 28 23:59:44 2015

And the corresponding rules on the remote side (tun1 and the remote's public IP):
-A FORWARD -i tun1 -o eth0 -j ACCEPT
-A POSTROUTING -o tun1 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.1.1.1
-A POSTROUTING -o tun1 -p tcp -m tcp --dport 25 -j SNAT --to-source 46.4.83.143

Don't forget to turn on forwarding with the sysctl command.
Also run tcpdump for debugging etc.:
tcpdump -vvv -i tun0
tcpdump -vvvv -i tun1
tcpdump -vvvv -i eth0 dst host 10.1.1.1


                    +-------------+                                                  raspb pi
                    |             |
                    |             |                                             +--------------------+
                    |             |        port going to 25   over tunnel       |                    |
                    | +---------+ |                                             | +---------+        |
                    | |snat tun1| |    <----------------------------------+     | |  tun0   |        |
 contact servers    | |         | |                                             | |         |        |
 over remote        | +---------+ |    +---------------------------------->     | +---------+        |
                    |     |   ^   |                                             |                    |
  +------------->   | +---v-----+ |                                             | +----------------+ |
                    | |snat eth0| |     all things going over eth0 for port 25  | |  container     | |
   <--------------+ | |         | |     go into tun0 instead     +------>       | |  mail          | |
                    | +---------+ |                                             | |                | |
                    |             |                                             | |                | |
                    |             |                                             | +----------------+ |
                    |             |                                             |                    |
                    |             |                                             |    ^   +  ^   +    |
                    |             |                                             |    |   |  |   |    |
                    |   +-----+   |  <-----------------25------------------->   |    |   |  |   |    |
         port forw. |    |-----+  |  <-----------------143|----------------->   |    |   |  |   |    |
                    |    |-----+  |  <----------------993------------------->   |    |   |  |   |    |
                    |   +-----+   |  <---------------587-------------------->   |    +   v  +   v    |
                    |             |                                             |                    |
                    +-------------+                                             +--------------------+