You may read this title and think "That's oddly specific", which, to a degree, it is.

What am I doing here?

What I'm going to go through is setting up the ProtonMail Linux Bridge in CLI mode as a service that sits and listens on port 1025 for SMTP. I'm then going to use Postfix as a mail relay on port 25 (unencrypted) to move mail through the Bridge to my ProtonMail accounts.

I'm using port 25 because the relay is internal only: it's not public-facing, and the hop from my services to it doesn't need to be encrypted. I also can't spend hours working out certificates for the other ports.

Why am I doing this?

Up until last night I was hosting my own Axigen mail server for 3 domains in a cloud-hosted VM. If you're looking for a well-thought-out mail server that is free for up to 5 domains, I would strongly recommend Axigen.

I migrated to ProtonMail mainly through peer pressure; I had used it a while back, and I wanted to make things a little more secure.

However, the issue I have is a simple one. I run a lot of homelab-type services which send out emails as notifications, and they need something to send through. With the Axigen server gone and ProtonMail not offering an SMTP relay of its own, I needed some way of getting those notifications to the new ProtonMail addresses.

This is how I did that.

Server

Ubuntu 21.04, 20.04, 21.10

How did I do this?

Install Bridge

Install prerequisite software

sudo apt-get install debsig-verify debian-keyring gdebi-core pass

There is no point going to all the trouble of doing this securely with ProtonMail if we are just going to download a .deb file and trust it blindly.

Download the public key `bridge_pubkey.gpg`

Import the public key into the debsig keyring. The directory is named after the signing key's ID, which is what the policy file refers to:

gpg --dearmor --output debsig.gpg bridge_pubkey.gpg
sudo mkdir -p /usr/share/debsig/keyrings/E2C75D68E6234B07
sudo mv debsig.gpg /usr/share/debsig/keyrings/E2C75D68E6234B07

Download the policy file `bridge.pol`

Install the policy file into the matching directory:

sudo mkdir -p /etc/debsig/policies/E2C75D68E6234B07
sudo cp bridge.pol /etc/debsig/policies/E2C75D68E6234B07

Check `deb` file by running:

debsig-verify protonmail-bridge_1.2.6-1_amd64.deb

If the check passes, you should see this:

debsig: Verified package from 'Proton Technologies AG (ProtonMail Bridge developers) <bridge@protonmail.ch>' (Proton Technologies AG)

Install the package using your package manager:

sudo gdebi protonmail-bridge_*.deb

Setup Bridge via the GUI

Open the application in Ubuntu and log in with your ProtonMail login.

You can see your ProtonMail Bridge settings and credentials under Mailbox details. You will use these credentials to configure your postfix later.

Setup Bridge CLI

The Bridge keeps the account's credentials in a keychain; on a headless box that is pass, which in turn needs a GPG key. Create a passphrase-free GPG key non-interactively:

gpg --batch --passphrase '' --quick-gen-key 'ProtonMail Bridge' default default never

The above command creates a basic GPG key whose user ID is "ProtonMail Bridge". The key has no passphrase, so pass never has to prompt for one when it uses the key, which is what lets the Bridge run unattended.

The key does not expire.

Don't use this key for anything else (encryption, signing, identity, etc.): an unprotected key is not safe for that.

Next, create the password store (pass's name for its database) and encrypt it to the "ProtonMail Bridge" key so that key can open it:

pass init "ProtonMail Bridge"

If the server is multi-purpose, or even a machine for daily work, don't save other passwords or credentials in this store: because the key has no passphrase, anyone who can read that user's home directory can decrypt it.

With the password store in place the Bridge can keep the account's credentials without ever prompting. The steps below set the account up interactively once and then run the Bridge in the background as a systemd service.

Start ProtonMail Bridge in command-line & interactive mode and set it up

Running the Bridge with --noninteractive (as the service below does) gives you no way to talk to the daemon, so the account has to be added interactively first. Start the Bridge in command-line mode:

protonmail-bridge --cli

Start ProtonMail Bridge in command-line mode

Log in to your ProtonMail account with the login command, then note the username and password of the local SMTP server that the Bridge prints (the info command shows them again). They are needed for the Postfix configuration later.

Once the account is set up and you have the SMTP username and password, type exit to leave the interactive interface.

Create a service file

sudo vi /etc/systemd/system/protonmailbridge.service

Add the following

[Unit]
Description=Protonmail client bridge service
# The Bridge needs to reach Proton's API, so wait for the network to be up
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
StandardOutput=journal
ExecStart=/usr/bin/protonmail-bridge --noninteractive
# The account whose pass store and ~/.config/protonmail/bridge the Bridge was set up under
User=<name of ubuntu user you login with>
# Come back after a crash, but not after a clean exit
Restart=on-failure
# Basic hardening: no privilege escalation, private /tmp, read-only /usr and /etc
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full

[Install]
WantedBy=default.target

For example, with the placeholder replaced by the account I log in with, the User line becomes:

User=mightywomble

Start and enable the service

sudo systemctl enable protonmailbridge
sudo systemctl start protonmailbridge

It's worth noting here that if you are also running the GUI version of the Bridge, the service will exit straight away because an instance is already running, and systemctl status will show this:

○ protonmailbridge.service - Protonmail client bridge service
 Loaded: loaded (/etc/systemd/system/protonmailbridge.service; disabled; vendor preset: enabled)
 Active: inactive (dead)

Feb 21 11:11:57 david-desktop systemd[1]: Started Protonmail client bridge service.
Feb 21 11:11:58 david-desktop systemd[1]: protonmailbridge.service: Deactivated successfully.

That is fine as long as something is listening on 1025 when you run:

ss -plnt | grep 1025
LISTEN 0      4096                                   127.0.0.1:1025       0.0.0.0:*    users:(("proton-bridge",pid=2914797,fd=18)) 

What do we have?

  • ProtonMail Bridge installed
  • ProtonMail Bridge running as GUI or a Service
  • Port listening on 1025/TCP
  • User and Password for Postfix.

Install and Setup Postfix

Install Postfix. mailutils gives you the mail command for testing and pulls Postfix in as its MTA; naming postfix explicitly makes sure that is what you get:

sudo apt install postfix mailutils -y

Edit the postfix main.cf file

sudo nano /etc/postfix/main.cf

Search the file first to make sure none of these settings are already present further down: Postfix takes the last value when a parameter appears twice, so a stray duplicate would silently win.

relayhost is already in the Ubuntu default file (empty), so set it to:

relayhost = [127.0.0.1]:1025

Add the following at the end of the file

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
# Opportunistic STARTTLS towards the Bridge; replaces the obsolete smtp_use_tls = yes
smtp_tls_security_level = may
sender_canonical_maps = regexp:/etc/postfix/canonical

The canonical map rewrites the envelope sender and From: header of every message to your ProtonMail address, so notifications that services send from made-up local addresses go out as you:

sudo nano /etc/postfix/canonical

Add the following

/.*/ protonmail email here

Example

/.*/ dmf@protonmail.com

This can also be a custom domain if you are using them

Next, the SMTP account details the Bridge gave you (these are different from your ProtonMail login). The lookup key must match the relayhost value exactly, brackets and port included:

sudo nano /etc/postfix/sasl_passwd

Add the following

[127.0.0.1]:1025 dmf@protonmail.com:P@ssw0rdPr0videdByBridge

Don't just copy and paste this line, use the details from the ProtonMail bridge.

Secure this file; it holds the Bridge password in clear text:

sudo chmod 0600 /etc/postfix/sasl_passwd 
sudo chown root:root /etc/postfix/sasl_passwd

Run postmap (as root, since it writes into /etc/postfix) to generate the hashed .db file that Postfix actually reads. That copy carries the same secret, so check it is mode 0600 as well:

sudo postmap /etc/postfix/sasl_passwd

Postfix talks STARTTLS to the Bridge, which presents a self-signed certificate. With opportunistic TLS (smtp_use_tls = yes, or equivalently smtp_tls_security_level = may) Postfix does not require that certificate to verify: if it cannot, the session is logged as "Untrusted TLS connection established" and the mail is delivered anyway. The usual suggestion is to link the Bridge's certificate into the system CA directory:

sudo ln -s /home/<user under which bridge was setup>/.config/protonmail/bridge/cert.pem /etc/ssl/certs/protonmail-bridge.pem

example

sudo ln -s /home/dmf/.config/protonmail/bridge/cert.pem /etc/ssl/certs/protonmail-bridge.pem

Be aware that OpenSSL finds CApath entries by hashed filename, so a link by this name is not consulted on its own, and at the "may" level nothing fails if the certificate the Bridge presents changes. If you want Postfix to refuse anything other than the real Bridge certificate, pin its fingerprint (smtp_tls_security_level = fingerprint) rather than relying on the CA directory.
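Pinning by fingerprint is the clean way to enforce a self-signed certificate in Postfix: the fingerprint security level ignores CA trust entirely and compares the digest of the certificate the relayhost presents with smtp_tls_fingerprint_cert_match. The following is an added example, not code from the original post or from Proton, that reads a PEM file, computes the SHA-256 fingerprint in the colon-separated form Postfix expects, and prints the three main.cf settings. The embedded PEM is a constructed stand-in for cert.pem (a wrapper around the bytes "hello", not a real certificate), and the command-line path is an assumption.

```python
import base64
import hashlib

# Constructed stand-in for ~/.config/protonmail/bridge/cert.pem: a PEM wrapper
# around the bytes "hello", NOT a real certificate. The parser only needs the
# base64 body, so the digest below is simply SHA-256("hello").
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
"""


def first_cert_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    body, inside = [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside, body = True, []
        elif line == "-----END CERTIFICATE-----":
            if not inside:
                raise ValueError("END CERTIFICATE before BEGIN CERTIFICATE")
            return base64.b64decode("".join(body), validate=True)
        elif inside:
            body.append(line)
    raise ValueError("no CERTIFICATE block found")


def sha256_fingerprint(der):
    """SHA-256 of the DER certificate as colon-separated upper-case hex, the
    form Postfix's smtp_tls_fingerprint_cert_match expects."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def postfix_pinning(fingerprint):
    """main.cf settings that make Postfix drop the connection unless the
    relayhost presents exactly this certificate (CA trust is not consulted)."""
    return (
        "smtp_tls_security_level = fingerprint\n"
        "smtp_tls_fingerprint_digest = sha256\n"
        f"smtp_tls_fingerprint_cert_match = {fingerprint}\n"
    )


if __name__ == "__main__":
    import sys

    # The path argument is an assumption for illustration; pass your own cert.pem.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(postfix_pinning(sha256_fingerprint(first_cert_der(pem))), end="")
```

Run it against the Bridge's cert.pem (the path above is an assumption) and paste the three lines into main.cf in place of the opportunistic setting, then restart Postfix. You can cross-check the digest with openssl x509 -in cert.pem -noout -fingerprint -sha256. The trade-off is that if the Bridge ever regenerates its certificate, delivery is deferred in mail.log until you re-pin, which is exactly the failure you want rather than a silent downgrade.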

Restart

At this point your Postfix config is complete and Postfix needs a restart:

sudo systemctl restart postfix

Check the service has started and the logs if you have issues

sudo systemctl status postfix

sudo tail /var/log/mail.err

sudo tail /var/log/mail.log

It's also worth noting that if the services using this relay run on other hosts, their networks must be listed in mynetworks in /etc/postfix/main.cf, otherwise Postfix refuses them with "Relay access denied" (Postfix must also be listening on a non-loopback interface, inet_interfaces in the same file, for them to reach it at all). Keep the list as tight as you can: every address in it can send through your Proton account without authenticating.

Edit the line

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

Add extra networks as needed

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 10.10.0.0/16

Restart postfix for this to take effect.

What have we done

  • Installed Postfix
  • Setup the main.cf to use SASL
  • Setup the postfix server as a relay server
  • Provided credentials for postfix to connect to the ProtonMail relay server.

Test

Head over to an internal service and point it at the IP or DNS name of your relay server on port 25.

As an example, here is the SABnzbd Email Notifications section.

Use this command to watch what is going on and catch any errors:

sudo tail -f /var/log/mail.log 
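Reading mail.log by eye is fine for one message, but with this setup the same handful of Postfix lines come back again and again: the delivery status line from the smtp client for each message, a "Relay access denied" rejection from smtpd whenever a host outside mynetworks connects, and the TLS trust line for each connection to the Bridge. The following is an added example, not code from the original post, that turns a mail.log excerpt into a summary with a hint per failure pointing back at the relevant step above (sasl_passwd, mynetworks, the Bridge listener, certificate pinning). The sample lines are constructed in Postfix's log format, not captured output, and the hint wording is ours.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix's syslog format; not captured from a real relay.
SAMPLE_LOG = """\
Feb 21 11:20:01 relay postfix/smtp[2341]: Untrusted TLS connection established to 127.0.0.1[127.0.0.1]:1025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Feb 21 11:20:01 relay postfix/smtp[2341]: 4F3A2B1C0D: to=<dmf@protonmail.com>, relay=127.0.0.1[127.0.0.1]:1025, delay=0.52, delays=0.01/0.02/0.3/0.19, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 21 11:22:14 relay postfix/smtp[2355]: 5A6B7C8D9E: to=<dmf@protonmail.com>, relay=127.0.0.1[127.0.0.1]:1025, delay=0.31, delays=0.01/0.02/0.2/0.08, dsn=4.7.0, status=deferred (SASL authentication failed; server 127.0.0.1[127.0.0.1] said: 535 5.7.8 Error: authentication failed)
Feb 21 11:25:00 relay postfix/smtpd[2400]: NOQUEUE: reject: RCPT from unknown[192.168.5.20]: 454 4.7.1 <dmf@protonmail.com>: Relay access denied; from=<sabnzbd@lab.local> to=<dmf@protonmail.com> proto=ESMTP helo=<nas>
Feb 21 11:30:42 relay postfix/smtp[2410]: 6B7C8D9EAF: to=<dmf@protonmail.com>, relay=none, delay=0.02, delays=0.02/0/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:1025: Connection refused)
"""

# One delivery attempt per line, logged by the smtp client process.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]{8,}): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>sent|deferred|bounced) \((?P<reason>.*)\)$"
)
# Inbound mail refused before queueing, e.g. a client outside mynetworks.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) [\d.]+ <[^>]*>: (?P<reason>[^;]+);"
)
# TLS handshake outcome towards the relayhost.
TLS_RE = re.compile(
    r"(?P<trust>Untrusted|Trusted|Verified|Anonymous) TLS connection established to (?P<peer>\S+):"
)

# Substrings are Postfix's own log text; the hint wording is ours (an assumption,
# matched to the configuration steps in this post).
HINTS = {
    "SASL authentication failed": "Bridge rejected the login: check /etc/postfix/sasl_passwd holds the Bridge SMTP password (not the Proton account password) and rerun postmap.",
    "Relay access denied": "client is outside mynetworks in /etc/postfix/main.cf; add its network and restart postfix.",
    "Connection refused": "nothing listening on the relayhost port; check the Bridge service with ss -plnt | grep 1025.",
}


def _hints_for(subject, reason):
    return [f"{subject}: {text}" for key, text in HINTS.items() if key in reason]


def triage(log_text):
    """Summarise delivery outcomes, rejections and TLS trust for a mail.log excerpt."""
    summary = {"status": Counter(), "tls": Counter(), "rejected": [], "hints": []}
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if m:
            summary["status"][m["status"]] += 1
            if m["status"] != "sent":
                summary["hints"].extend(_hints_for(m["qid"], m["reason"]))
            continue
        m = REJECT_RE.search(line)
        if m:
            summary["rejected"].append((m["client"], m["reason"].strip()))
            summary["hints"].extend(_hints_for(m["client"], m["reason"]))
            continue
        m = TLS_RE.search(line)
        if m:
            summary["tls"][m["trust"]] += 1
            if m["trust"] == "Untrusted":
                summary["hints"].append(
                    f"{m['peer']}: TLS is opportunistic and the Bridge certificate was not "
                    "verified; mail still flows, pin the certificate fingerprint to enforce it."
                )
    return summary


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    print("status:", dict(result["status"]), "tls:", dict(result["tls"]))
    for hint in result["hints"]:
        print("-", hint)
```

Point it at /var/log/mail.log (or a slice of it) after a test send; a clean run is one "sent" per message and a Trusted or Verified TLS line per connection, and anything else comes with the step to revisit.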

Thoughts

This is a lot simpler internally than running a mail server, and it adds a degree of security for mail leaving the LAN.

While I'd probably like this to all be done over secure ports and not 25, it's behind closed doors so I'm not overly worried.

Works on the Tailscale network too.

References

How to install ProtonMail Bridge for Linux using a DEB file - ProtonMail Support: how to verify and install the DEB package on your Linux device.
How to install ProtonMail Bridge - ProtonMail Support: setup guide for configuring ProtonMail Bridge on Windows, macOS, and Linux.
Update on using ProtonMail Bridge on headless WordPress/Linux servers - import pyChao: "Ever since I posted these two posts of using ProtonMail Bridge on a headless WordPress/Linux server, ProtonMail Bridge has somehow changed…"
Running a headless ProtonMail Bridge with a SMTP Relay for homelab use: running an SMTP mail relay to ProtonMail Bridge in homelab applications.