Pages

Friday 3 October 2014

Serving Pi mail on a DSL

The cryptic title of this blog reflects the difficulty of the exercise. I wanted to use a Raspberry Pi as a mail server and DNS server, accessing the internet via a DSL line. It wasn't easy.

First, why a Raspberry Pi? Because it takes up very little space, and uses very little electricity. I'm trying to keep costs down.

Second, why do it at all? Well, I recently had an outage of more than 24 hours on my leased-line. That meant that, for example, any email that anyone was trying to send to me, was bouncing. If I can set up a server on the DSL, then after trying and failing on the leased line, a mailer should try the DSL, and at least the mail will get through.

My first problem was that the five SD cards that I had in stock, wouldn't boot up the Pi. The problem turned out to be that the Linux image on the cards was duff. I don't know how that happened, but the fix was to recopy the image. Then I was able to boot up.

For my first effort, I tried to use a DSL that I have with five static IP addresses. I'm not going to relate the full humiliating story of what I did; suffice it to say that despite many different attempts, and with tech support from the DSL vendor, I failed. That will be cancelled soon.

Far far better to relate the success, because that could provide guidance for others.

I'm using a DSL line that I originally got 15 years ago from Nildram. Nildram was bought by Opal, Opal was folded into TalkTalk, and there might have been other moves along the way.
The router I'm using is suitably ancient - I got it from Noah in exchange for three shekels and a goat. It's a Conexant. The nice thing about it, is that I've got half a dozen of them, so if one goes sput I can swap it out. And they are really flexible and easy to set up.

The DSL comes with a static IP address (that's vital for this purpose); let's call it 81.81.81.81.
All my internal servers have IP addresses that start with 10 (such as, 10.0.2.50), because servers that start with 10 can't be seen from the internet, which also means that anyone can use those addresses internally. I can have 16 million computers with IP addresses that start with 10. Actually, I have only a few hundred. For the leased line, my firewall translates the IP addresses that I publish to the outside world, to the internal IP addresses that I use, for those servers that need to be accessed from outside.

The first task of the router, is that although it presents the address of 81.81.81.81 to the outside world, it talks to my internal network with the address 10.something - in this case, 10.12.12.12. That means that all my servers can see it as an internal device, not something on the outside world. And the router seamlessly translates packets coming in on 81.81.81.81 to packets going to my network via 10.12.12.12. And anything coming from the inside, is ejected outwardly to the internet outside. This is called "NAT, Network Address Translation", and it's the trick that stops the internet from collapsing owing to lack of IP addresses. Actually, it's NAPT (network address and port translation).

So the first thing I did, was to tell the router that anything coming in on ports 22, 25 or 53, needed to be passed over to my Raspberry Pi, on 10.1.0.43. This is done using a thing called "Virtual Server" - at least, that's what Conexant calls it. Other routers probably have the same capability, but might call it something else. Port 22 is ssh, the thing you use to log in remotely to a server. 25 is the port used by email, and 53 is the DNS port. Then I went to an outside computer, and checked that it worked, and it did!

Then I set up the Pi. As well as all the usual stuff, I installed Sendmail so that it could send and receive mail, and Dovecot so that the computer that I use to read my mail, could pick up the mail from this server. Then I installed bind, the DNS server. Then I put it in a little plastic box, powered it with a few volts from the power supply that powers a dozen other Pis, and it is now humming away.

It's doing nothing, of course, and I really hope it continues doing nothing. Um ... not quite nothing. It's a spam trap. here's how that works. When you want to send email to someone, your mailer asks "Which server should I send it to?" In my case, there were three, called (imaginatively) mail1, mail2 and mail3. They had priority 100, 200 and 300. So you should send email to mail1 because it has the highest priority, but if you can't access that, then send it to mail 2, and if that's also down, try mail3. I would expect that any decent mail system would honour that. But when you do a "dig mx" to get the names of the mail servers, they get shown to you in random order, and the nice mailer has to sort them. But spammers don't bother, they just send it to the name at the top of the list, which could be any of them. So by adding a new mail server to the list, it will get a quarter of the spam that's sent to me.

But next time my leased line fails, emails should be routed to that server via the DSL (which is unlikely to fail at the same time, unless someone commits extensive sabotage to BT, in which case we have bigger problems than my email not working). If the outage lasts for more than a day (unlikely) then the DNS service that it provides will allow people to continue to find my servers.

In the longer run, the 2mbit leased line will be replaced by a 100 mbit ethernet, which (I hope) will be faster, more reliable and cheaper than my current arrangement.

In the very long run (maybe 3 or 5 years), I'm hoping that we can get fibre broadband, and then I'll move to that.

 ... update ...

I forgot to mention - you also have to change the gateway for the Pi to 10.12.12.12, the LAN address of the router. you can do that by changing the gateway in  /etc/network/interfaces to

gateway 10.12.12.12


or with

route del -net 0/0 gw [old gateway address] eth0
route add -net 0/0 gw 10.12.12.12 eth0


2 comments:

  1. I think my head may be about to explode, but well done you - hope it works! Hope your leg is better too. Btw I came this way via Angie :0)

    ReplyDelete
  2. Yes, my leg is looking good thank you, I just have a small plaster on it.

    ReplyDelete