Mail relay with ProtonMail
Environment used for this Guide
I set up my server with the latest stable Debian network-install minimal CD (currently bullseye) and added the meta package progress-linux, maintained by the Linux and Infrastructure Team of the Bern University of Applied Sciences - my first employer in Switzerland.
Download ProtonMail Bridge .deb
Get the .deb file
Currently: protonmail-bridge_2.3.0-1_amd64.deb
Install required packages
apt -y install pass libsasl2-2
Install the bridge and configure it
apt install ./protonmail-bridge_2.3.0-1_amd64.deb
This pulls in many additional packages, which are needed only because the bridge is mainly GUI-based software :(.
Create a passphrase-free GPG key non-interactively
gpg --batch --passphrase '' --quick-gen-key 'ProtonMail Bridge' default default never
The above command creates a basic GPG key, and its ID is ProtonMail Bridge.
This key does not have a passphrase, so pass does not need to ask users for a passphrase whenever it tries to use the key.
The key does not expire. Don’t use this key for other things (such as encryption, signing, identity, etc.). It is not safe.
This creates a new password database in pass (pass calls the database password store). And the GPG key ProtonMail Bridge can be used to open the database.
pass init "ProtonMail Bridge"
The planned way to run ProtonMail Bridge, in the background like the Postfix mail server, does not allow users to interact with the protonmail-bridge daemon.
We have to set up protonmail-bridge interactively in advance.
Start the bridge for the initial login and configuration
hostname#protonmail-bridge --cli
Welcome to Proton Mail Bridge interactive shell
>>>login
Username: [UsernameToLoginToProtonMail]
Password: [PasswordIsVerySecretAndComplex!1!Jaw0hl?]
After logging in with login and providing the 2nd factor you surely have enabled with Proton Mail, run info to get the SMTP/IMAP credentials required to use the ProtonMail Bridge on the device where you installed it.
>>> info
Configuration for YourDefaultEmailOnYourPaidAccount@proton.me
IMAP Settings
Address: 127.0.0.1
IMAP port: 1143
Username: [YourDefaultEmailOnYourPaidAccountproton.me]
Password: wzRrv5R6xOREfmcQ12837ASUDFiudfhsai
Security: STARTTLS
SMTP Settings
Address: 127.0.0.1
SMTP port: 1025
Username: [YourDefaultEmailOnYourPaidAccountproton.me]
Password: wzRrv5R6xOREfmcQ12837ASUDFiudfhsai
Security: STARTTLS
>>>
Set-up bridge as service
Setting up the ProtonBridge Client as a Linux service that will always run and be restarted after e.g. a reboot
vim /etc/systemd/system/protonmailbridge.service
Add this to the file
[Unit]
Description=Protonmail client bridge service
[Service]
Type=simple
StandardOutput=journal
ExecStart=/usr/bin/protonmail-bridge --noninteractive
User=<name of the login with which you login to your server>
[Install]
WantedBy=default.target
Now enable and start protonmailbridge as a service
systemctl enable protonmailbridge
systemctl start protonmailbridge
Maybe you need to use sudo if you are not working as root, which you are not, right?!
If there are any error messages, check whether the service is up and running; if it is, the errors can be ignored.
<user>@hostname:~# ss -plant | grep 1025
LISTEN 0 4096 127.0.0.1:1025 0.0.0.0:* users:(("proton-bridge",pid=859038,fd=11))
Recap
- Required packages are installed
- ProtonMail Bridge installed
- ProtonMail Bridge running as a service
- Port listening on 1025/TCP
- We know the required User and Password for Postfix
Install and configure Postfix
apt -y install mailutils postfix
Edit the postfix main.cf file
vim /etc/postfix/main.cf
In this file search for relayhost and edit the line to look like
relayhost = [127.0.0.1]:1025
To allow Postfix to use the ProtonMail Bridge with the required authentication and encryption settings, add the following to main.cf
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
smtp_use_tls = yes
sender_canonical_maps = regexp:/etc/postfix/canonical
The canonical file needs to be updated so we have a default
vim /etc/postfix/canonical
Add the following
/.*/ YourProtonEmailAddress here or your custom Emailaddress
Now save the account details you received from the ProtonMail Bridge in /etc/postfix/sasl_passwd; these are different from your login for the website at https://mail.proton.me/
[127.0.0.1]:1025 <login>@protonmail.com:P@ssw0rdPr0videdByBridge
Now protect this file from users that should not know these credentials
chmod 0600 /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd
Run Postmap to generate the DB file
postmap /etc/postfix/sasl_passwd
As Postfix will be connecting to the bridge with STARTTLS, it will need to validate the bridge certificate.
Symlinking the self-signed certificate will be necessary:
ln -s /user/.config/protonmail/bridge/cert.pem /etc/ssl/certs/protonmail-bridge.pem
Restart
At this point your Postfix configuration is complete and Postfix needs a restart
systemctl restart postfix
If the services using this relay are not on the server you configured Postfix and the ProtonMail Bridge on, but elsewhere in e.g. your home LAN or lab LAN, allow them to use Postfix as a relay by adding their networks to mynetworks in /etc/postfix/main.cf
Edit the line
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
Add extra networks as needed
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 10.10.0.0/16
Restart postfix for this to take effect.
systemctl restart postfix
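The following script is an added example, not part of the original guide. Because the canonical map rewrites every sender to your Proton address, any host covered by mynetworks can send mail as that account, so the script checks the three things this set-up relies on: the bridge listens on loopback only, the credential files are mode 0600, and mynetworks contains nothing beyond loopback and RFC 1918 private ranges. The function names and the sample input are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. On a live host, feed it real data:
#   ss -plant | loopback_only 1025
#   mode_0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
#   risky_networks "$(postconf -h mynetworks)"

# Succeeds only if `ss -plant` output on stdin shows PORT listening on loopback only.
loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")                 # last field of Local Address:Port
            if (a[n] != port) next
            found = 1
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr !~ /^127\./ && addr != "[::1]") bad = 1
        }
        END { exit !(found && !bad) }'
}

# Succeeds only if every named file exists with mode exactly 0600 (rw-------).
mode_0600() {
    for f in "$@"; do
        [ -f "$f" ] && [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ] || return 1
    done
}

# Prints each mynetworks entry that is not loopback or inside an RFC 1918 range.
risky_networks() {
    set -f                                        # [::1]/128 must not be globbed
    for net in $(printf '%s' "$1" | tr ',' ' '); do
        case "$net" in */*) p=${net##*/} ;; *) p=32 ;; esac
        case "$net" in
            "[::1]/128"|"[::ffff:127."*)           continue ;;
            127.*|10.*)                            min=8 ;;
            172.1[6-9].*|172.2[0-9].*|172.3[01].*) min=12 ;;
            192.168.*)                             min=16 ;;
            *)                                     min=129 ;;   # anything else: flag
        esac
        [ "$p" -ge "$min" ] 2>/dev/null || printf '%s\n' "$net"
    done
    set +f
}

# Constructed sample input: the listener line shown earlier and a widened mynetworks.
sample_ss='LISTEN 0 4096 127.0.0.1:1025 0.0.0.0:* users:(("proton-bridge",pid=859038,fd=11))'
sample_nets='127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 10.10.0.0/16 0.0.0.0/0'
if printf '%s\n' "$sample_ss" | loopback_only 1025; then echo "bridge: loopback only"; fi
echo "risky mynetworks entries: $(risky_networks "$sample_nets")"
```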
Now test the setup by feeding a simple Email to Postfix
user@server:~# echo "this is the body" | mail -r "MustBeAnExistingEmail@proton.me" -s "this is the subject " "RecepientOfThisTestMail@internet.invalid"
You can check that Postfix forwards the mail to the ProtonMail Bridge in the log
tail -f /var/log/mail.log
Any error messages should provide you with enough clues to find a solution via e.g. Google Foo or your preferred search engine.