Summary

  Subject:

Create a Postfix Proton Mail Relay

  Updated:

2023-09-02

  Author:

Tim Hammond ([email protected])

Derek Pasnick ([email protected])

  Operating Systems:

Rocky 8

  Background:

This guide describes how to build a Postfix mail server that acts as a relay into a Proton Mail account. The relay is intended for monitoring traffic: network, server and SNMP alerts and the like.

Proton Mail Bridge has to run under a user account with an active session, so a systemd service is created to start it as that user. Keep in mind that the VM template contains an autologout script; the script has an exception for a user called "protonmail" so that this session is not logged out.


VM Config

VM Specifications:

  • CPU: 1vCPU (2 cores)
  • RAM: 2 GB
  • HD: 100 GB

Change the hostname:

sudo hostnamectl set-hostname mail01.domain.local

Update the IP:

sudo sed -i 's/192.168.30.199/192.168.30.107/g' /etc/sysconfig/network-scripts/ifcfg-ens192
sudo cat /etc/sysconfig/network-scripts/ifcfg-ens192

Protonmail User Setup

Create the user "protonmail"

sudo adduser protonmail

Change the user password

sudo passwd protonmail

Add the user to the wheel group so it can use sudo for the installation steps below. The bridge itself does not need root, so the wheel membership can be removed once the installation is finished.

sudo usermod -aG wheel protonmail

Install

Log in as the newly created protonmail user.

su - protonmail

Install Prerequisites

sudo dnf -y install epel-release
sudo dnf -y install postfix cyrus-sasl cyrus-sasl-plain mailx pass pinentry

Postfix should also be set to start on boot:

sudo systemctl enable postfix

Postfix needs to be restarted after the cyrus-sasl packages are installed so that it picks up the SASL plugins:

sudo systemctl restart postfix

Setup the firewall

sudo firewall-cmd --permanent --add-service=smtp
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Some websites reference "Desktop-Bridge"; that is the older name of the package. The current package is called "protonmail-bridge."

Download the bits from: https://proton.me/mail/download

Download the pubkey from: https://protonmail.com/download/bridge_pubkey.gpg

Import the Proton signing key into the RPM keyring

sudo rpm --import bridge_pubkey.gpg

Run the following command to validate the package signature against the imported key

rpm --checksig protonmail-bridge-*.x86_64.rpm

Expected output from the above command

protonmail-bridge-*.x86_64.rpm: digests signatures OK

Install the bloody thing already

sudo dnf -y install protonmail-bridge-*.x86_64.rpm

Key Setup

Do not use sudo for any of the commands that generate the key or run/configure Proton Mail Bridge. They must be run as the account the bridge was installed under and will run as (protonmail).

The following command creates the key in a single line with all of the required switches. The bridge keeps the Proton credentials in a pass store encrypted to this GPG key, and because the bridge has to unlock that store unattended when it runs as a service, the key is created with an empty passphrase. That is a deliberate trade-off and a real security risk: anyone who can read the protonmail user's home directory (root, or anyone who compromises that account) can decrypt the stored Proton credentials. Research the implications and come to your own opinion on this before relying on it. Some documentation states that generating the key takes a long time; it did not.

gpg --batch --passphrase '' --quick-gen-key 'ProtonMail Bridge' default default never

While still logged in as the protonmail user, use the following command to list the keys in this user's keyring and confirm the new key is there.

gpg --list-keys

Initialize the pass store with that key, using the user ID (in quotes) given to the quick-gen-key command.

pass init "ProtonMail Bridge"

Add Protonmail Bridge Login

Use the following command to start the bridge client.

protonmail-bridge --cli

The application loads and shows an ASCII-art banner. Type the following command to be prompted for your Proton Mail username and password.

login

Log in to Proton Mail

Username: [email protected]
Password: keePass

To get the local SMTP credentials that Postfix will use to authenticate to the bridge, type the following command. Take note of the SMTP username, password and port; the Postfix config requires them later.

info

Do NOT type logout. That removes the account from the bridge, and it would no longer run in the background. Instead, use the following command to leave the CLI with the account still configured.

exit

Postfix Config - main.cf

Backup default config

sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.bak

Edit the config

sudo sed -i 's/#inet_interfaces = all/inet_interfaces = all/g' /etc/postfix/main.cf
sudo sed -i 's/inet_interfaces = localhost/#inet_interfaces = localhost/g' /etc/postfix/main.cf
sudo sed -i 's/inet_protocols = all/inet_protocols = ipv4/g' /etc/postfix/main.cf
sudo sed -i 's/debug_peer_level = 2/debug_peer_level = 3/g' /etc/postfix/main.cf
sudo sed -i 's/smtp_tls_security_level = may/#smtp_tls_security_level = may/g' /etc/postfix/main.cf

Verify the changes

sudo grep -i "inet_interfaces = " /etc/postfix/main.cf
sudo grep -i inet_protocols /etc/postfix/main.cf
sudo grep -i debug_peer_level /etc/postfix/main.cf
sudo grep -i smtp_tls_security_level /etc/postfix/main.cf

Append the following to the Postfix main config. mynetworks must list the loopback network as 127.0.0.0/8: a /32 on 127.0.0.0 matches only that single address, not 127.0.0.1, so SMTP submissions from localhost would be rejected as relaying. The mandatory TLS protocol list uses the exclusion form documented by Postfix, which leaves TLS 1.2 and 1.3 enabled. smtp_tls_security_level = encrypt forces TLS to the bridge but does not verify the bridge's certificate (see the certificate note further down).

sudo tee -a /etc/postfix/main.cf >/dev/null <<'EOF'
# Basic Config
mynetworks = 127.0.0.0/8, 192.168.10.0/28, 192.168.10.24/29, 192.168.20.0/24, 192.168.21.0/24, 192.168.30.0/24
myhostname = mail01.domain.local
relayhost = [127.0.0.1]:1025
# SASL Config
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# TLS Config
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_use_tls = yes
# Change the from and add the reply-to header
local_header_rewrite_clients = static:all
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
smtp_header_checks = regexp:/etc/postfix/header_checks
EOF
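The sed edits above depend on the exact default strings being present in main.cf and silently do nothing when they are not, and the grep step only shows the lines rather than checking them. The following shell functions are an added example, not from the original guide: they set each parameter idempotently in a main.cf-style file, read back the effective value the way Postfix resolves it (last active line wins), and fail if the values that matter for the relay are not in place. The demo file is a constructed stand-in for the Rocky 8 default main.cf containing only the lines this guide touches. On the relay itself, postconf -e and postconf -n do the same job; this version runs on any copy of the file without Postfix installed.

```shell
#!/bin/sh
# Idempotent key/value editing for a Postfix main.cf-style file.
# Added example for this guide; not from the original page or from Postfix.

# pf_set FILE KEY VALUE
# Replace the first active "KEY = ..." line with "KEY = VALUE", drop any later
# duplicates (Postfix would use the last one, which is confusing), and append
# the line if no active setting exists. Commented-out defaults are left alone.
pf_set() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
            if (!done) { print k " = " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# pf_get FILE KEY: print the effective value of KEY (last active line wins,
# as Postfix does); prints an empty line if the key is not set.
pf_get() {
    awk -v k="$2" '
        $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
            sub("^[^=]*=[[:space:]]*", ""); val = $0
        }
        END { print val }
    ' "$1"
}

# apply_relay_config FILE: the settings this guide puts into main.cf, applied
# through pf_set so the step can be rerun safely.
apply_relay_config() {
    f=$1
    pf_set "$f" inet_interfaces all
    pf_set "$f" inet_protocols ipv4
    pf_set "$f" debug_peer_level 3
    pf_set "$f" myhostname mail01.domain.local
    pf_set "$f" mynetworks "127.0.0.0/8, 192.168.10.0/28, 192.168.10.24/29, 192.168.20.0/24, 192.168.21.0/24, 192.168.30.0/24"
    pf_set "$f" relayhost "[127.0.0.1]:1025"
    pf_set "$f" smtp_sasl_auth_enable yes
    pf_set "$f" smtp_sasl_password_maps hash:/etc/postfix/sasl_passwd
    pf_set "$f" smtp_sasl_security_options noanonymous
    pf_set "$f" smtp_tls_security_level encrypt
    pf_set "$f" smtp_tls_mandatory_protocols "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
    pf_set "$f" local_header_rewrite_clients static:all
    pf_set "$f" sender_canonical_classes "envelope_sender, header_sender"
    pf_set "$f" sender_canonical_maps regexp:/etc/postfix/sender_canonical
    pf_set "$f" smtp_header_checks regexp:/etc/postfix/header_checks
}

# check_relay_config FILE: return 0 only if the values that matter for a safe
# relay are in place; print every mismatch.
check_relay_config() {
    f=$1 rc=0
    for pair in \
        "relayhost=[127.0.0.1]:1025" \
        "smtp_sasl_auth_enable=yes" \
        "smtp_tls_security_level=encrypt" \
        "inet_protocols=ipv4"
    do
        key=${pair%%=*} want=${pair#*=}
        got=$(pf_get "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got '$got', want '$want'"; rc=1
        fi
    done
    return $rc
}

# make_demo_maincf: write a CONSTRUCTED stand-in for the Rocky 8 default
# main.cf (only the lines this guide edits) and print its path.
make_demo_maincf() {
    d=$(mktemp -d)
    cat > "$d/main.cf" <<'EOF'
# constructed sample of the default main.cf lines this guide edits
#inet_interfaces = all
inet_interfaces = localhost
inet_protocols = all
debug_peer_level = 2
smtp_tls_security_level = may
EOF
    echo "$d/main.cf"
}

# Stand-alone demo: apply the relay settings to the constructed file and verify.
demo_main_cf=$(make_demo_maincf)
apply_relay_config "$demo_main_cf"
check_relay_config "$demo_main_cf" && echo "relay config OK in $demo_main_cf"
```

Running apply_relay_config twice leaves exactly one active line per key, which is what makes it safe to put in a provisioning script; the sed/tee -a sequence in the guide appends a second copy of every setting each time it is rerun.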

Postfix Config - force from/reply address

Proton Mail expects the From address to match the account; the bridge will not accept mail otherwise. The two regexp tables below rewrite the envelope sender and the From header of everything that passes through the relay.

echo "/.+/ [email protected]" | sudo tee -a /etc/postfix/sender_canonical
echo "/From:.*/ REPLACE From: [email protected]" | sudo tee -a /etc/postfix/header_checks

Commands to secure. Postfix reads regexp tables directly, so postmap is not needed for these two files (it would only create unused .db files).

sudo chmod 600 /etc/postfix/sender_canonical
sudo chown root /etc/postfix/sender_canonical
sudo chgrp postfix /etc/postfix/sender_canonical
sudo chmod 600 /etc/postfix/header_checks
sudo chown root /etc/postfix/header_checks
sudo chgrp postfix /etc/postfix/header_checks

Postfix Config - sasl_passwd

Create the login file

sudo vi /etc/postfix/sasl_passwd

Append the following line to the login file. Do not use the Proton account password: the bridge issues its own local SMTP username and password, shown by starting protonmail-bridge --cli and typing info. Use that SMTP user/pass. It only grants access to the bridge on loopback, but anyone who holds it can send mail as the account, so treat the file as a secret.

[127.0.0.1]:1025 [email protected]:noteAbove

Commands to secure

sudo postmap hash:/etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd*
sudo chown root /etc/postfix/sasl_passwd*
sudo chgrp postfix /etc/postfix/sasl_passwd*
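The regexp tables above and the sasl_passwd hash table can be exercised without sending a message: postmap -q performs the same lookup Postfix does at delivery time, so it shows exactly what the envelope sender and From header will be rewritten to and which credentials Postfix will present to the bridge. The script below is an added example, not part of the original guide. It writes the three tables to a temporary directory with constructed placeholder values (relay@example.com and bridge-smtp-password stand in for the real account and bridge password), runs the lookups when postmap is installed, and audits that the credential file is not a symlink and has the expected owner and 0600 mode. On the relay the owner to check is root; the demo checks against the current user because it is not run as root.

```shell
#!/bin/sh
# Added example: exercise the lookup tables this guide creates without
# sending mail, and audit the permissions on the one holding a secret.
# Not from the original page; placeholder addresses and the temporary
# directory are constructed here.

# write_tables DIR: create the three tables from this guide under DIR, with
# constructed placeholder values instead of the real account details.
write_tables() {
    d=$1
    printf '%s\n' '/.+/ relay@example.com' > "$d/sender_canonical"
    printf '%s\n' '/From:.*/ REPLACE From: relay@example.com' > "$d/header_checks"
    printf '%s\n' '[127.0.0.1]:1025 relay@example.com:bridge-smtp-password' > "$d/sasl_passwd"
    chmod 600 "$d/sasl_passwd"
}

# lookup TYPE FILE KEY: print what Postfix returns for KEY from the table,
# using postmap -q (the same lookup code Postfix runs at delivery time).
lookup() {
    postmap -q "$3" "$1:$2"
}

# audit_secret FILE OWNER: 0 if FILE is a regular file (not a symlink) owned
# by OWNER with mode 0600; otherwise say why and return 1.
audit_secret() {
    f=$1 owner=$2
    if [ -L "$f" ]; then echo "$f: is a symlink"; return 1; fi
    mode=$(stat -c '%a' "$f") user=$(stat -c '%U' "$f")
    if [ "$mode" != "600" ]; then echo "$f: mode $mode, want 600"; return 1; fi
    if [ "$user" != "$owner" ]; then echo "$f: owner $user, want $owner"; return 1; fi
    return 0
}

# Stand-alone demo on a constructed copy of the tables.
demo_dir=$(mktemp -d)
write_tables "$demo_dir"
if command -v postmap >/dev/null 2>&1; then
    postmap "hash:$demo_dir/sasl_passwd"        # builds sasl_passwd.db
    chmod 600 "$demo_dir/sasl_passwd.db"
    echo "envelope sender  -> $(lookup regexp "$demo_dir/sender_canonical" 'root@mail01.domain.local')"
    echo "From header      -> $(lookup regexp "$demo_dir/header_checks" 'From: Nagios <nagios@mail01.domain.local>')"
    echo "sasl credentials -> $(lookup hash "$demo_dir/sasl_passwd" '[127.0.0.1]:1025')"
else
    echo "postmap is not installed here; lookups skipped"
fi
audit_secret "$demo_dir/sasl_passwd" "$(id -un)" && echo "sasl_passwd permissions OK"
```

On the relay, point lookup at /etc/postfix and audit_secret at /etc/postfix/sasl_passwd and sasl_passwd.db with owner root: the .db file is the one Postfix actually reads, and postmap creates it with the default umask, which is why the guide applies chmod to sasl_passwd*.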

Postfix connects to the bridge with STARTTLS. With smtp_tls_security_level = encrypt the session is encrypted, but the bridge's self-signed certificate is not verified, and symlinking it into /etc/ssl/certs does not change that: Postfix only consults certificates named by its own smtp_tls_CAfile/smtp_tls_CApath settings. Because the connection never leaves the loopback interface, this is an accepted trade-off on this relay. The symlink is still a convenient reference path to the certificate the bridge generated at first run.

sudo ln -s /home/protonmail/.config/protonmail/bridge/cert.pem /etc/ssl/certs/protonmail-bridge.pem
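If the loopback trade-off is not acceptable, Postfix can pin a self-signed certificate by its SHA-256 fingerprint. That is the right fit here because the bridge's certificate has no issuing CA and no name Postfix could match against the [127.0.0.1] next hop. The script below is an added example, not from the original guide or from Proton: it derives the fingerprint from the bridge's cert.pem (the path the guide symlinks above; assumed to be where the certificate lives) and prints the main.cf lines for Postfix's fingerprint security level. When that file is not present, it generates a constructed throwaway self-signed certificate so the script can be exercised on any host with openssl.

```shell
#!/bin/sh
# Added example: pin the bridge's self-signed certificate in Postfix by
# SHA-256 fingerprint instead of relying on "encrypt", which never checks
# the certificate. Not from the original page or from Proton; the bridge
# certificate path is an assumption and the demo certificate is constructed.

BRIDGE_CERT=${BRIDGE_CERT:-/home/protonmail/.config/protonmail/bridge/cert.pem}

# cert_fingerprint PEMFILE: print the SHA-256 fingerprint in the
# colon-separated form Postfix expects (AB:CD:...). Empty output on error.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# pinning_config PEMFILE: print the three main.cf lines that make Postfix
# refuse to relay unless the bridge presents exactly this certificate.
pinning_config() {
    fp=$(cert_fingerprint "$1")
    [ -n "$fp" ] || return 1
    printf '%s\n' \
        "smtp_tls_security_level = fingerprint" \
        "smtp_tls_fingerprint_digest = sha256" \
        "smtp_tls_fingerprint_cert_match = $fp"
}

# fingerprint_looks_valid FP: 0 if FP is 32 colon-separated uppercase hex bytes.
fingerprint_looks_valid() {
    printf '%s' "$1" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$'
}

# make_demo_cert DIR: CONSTRUCTED self-signed certificate standing in for the
# bridge's cert.pem; prints its path.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=127.0.0.1' -keyout "$1/key.pem" -out "$1/cert.pem" \
        >/dev/null 2>&1 && echo "$1/cert.pem"
}

# Stand-alone demo: use the real bridge certificate if present, else a demo one.
if command -v openssl >/dev/null 2>&1; then
    if [ -r "$BRIDGE_CERT" ]; then cert=$BRIDGE_CERT
    else cert=$(make_demo_cert "$(mktemp -d)"); fi
    pinning_config "$cert"
else
    echo "openssl is not installed here; nothing to fingerprint"
fi
```

Apply the printed lines with postconf -e and reload Postfix. The caveat: if the bridge ever regenerates cert.pem, the fingerprint no longer matches and Postfix defers mail to the bridge rather than relaying over an unverified session, so rerun the script and update the value whenever the bridge is reinstalled or its configuration directory is recreated.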

Create protonmail-bridge as a service

multi-user.target is the system state in which all network services are started and the system accepts logins, but no local GUI is running. It is the default target on servers (typically rack-mounted headless systems in a remote server room), so the service is installed into it with WantedBy=multi-user.target. Do not also order the unit After=multi-user.target: a target is implicitly ordered after every unit it wants, so that creates an ordering cycle and systemd drops one of the jobs. The unit below orders itself after the network instead.

ExecStart is not run through a shell, so nohup, output redirection, a trailing & and disown have no meaning there; systemd keeps the process in the foreground itself, and its output goes to the journal (journalctl -u protonmail-bridge). The path to the binary must be absolute (/usr/bin/protonmail-bridge for the RPM install).

This file does not need to be executable.

Create the following file and insert the contents below (tee without -a, so rerunning the step replaces the file instead of appending a second copy).

sudo tee /etc/systemd/system/protonmail-bridge.service >/dev/null <<'EOF'
[Unit]
Description=Proton Mail Bridge Service
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=protonmail
WorkingDirectory=/home/protonmail
ExecStart=/usr/bin/protonmail-bridge --noninteractive
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

Reload systemd so it reads the new unit, enable it so it starts at boot and start it now, then confirm it is running

sudo systemctl daemon-reload
sudo systemctl enable --now protonmail-bridge.service
sudo systemctl status protonmail-bridge.service

Testing

Send a test message

echo "This is a test." | mail -s "Test Message" [email protected]

View the mail log

sudo tail /var/log/maillog

To test from another device over telnet. The device's address must fall within mynetworks; otherwise Postfix answers RCPT TO with 554 5.7.1 Relay access denied, which is the expected result for any host that is not supposed to use the relay.

[protonmail@tmp-rocky-8 ~]$ telnet mail01.domain.local 25
Trying 192.168.30.107...
Connected to mail01.domain.local.
Escape character is '^]'.
220 mail01.domain.local ESMTP Postfix
Helo mail01.domain.local
250 mail01.domain.local
MAIL FROM:<[email protected]>
250 2.1.0 Ok
RCPT TO:<[email protected]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: test from from
Reply-To: <[email protected]>

I hope this works...
.
250 2.0.0 Ok: queued as EC24AC5B99
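After a test like the one above, the relay's health is read from /var/log/maillog. The following shell functions are an added example, not from the original guide, of triaging those lines: counting deliveries by status, spotting deferrals caused by nothing listening on 127.0.0.1:1025 (the usual failure when protonmail-bridge.service is down), flagging bounces, and listing client addresses that were refused relaying because they are outside mynetworks. The embedded log excerpt is constructed in Postfix's log format for the demo (the bridge's exact reply text in the bounce line is made up); on the relay, feed the functions the output of tail on the real log.

```shell
#!/bin/sh
# Added example: triage relay health from /var/log/maillog lines.
# Not from the original page. The log lines below are CONSTRUCTED to look like
# Postfix output for the cases that matter on this relay.

# Constructed sample log (on the relay: LOG=$(sudo tail -n 500 /var/log/maillog)).
SAMPLE_LOG=$(cat <<'EOF'
Sep  2 10:01:02 mail01 postfix/smtp[2201]: 1A2B3C4D5E: to=<oncall@example.com>, relay=127.0.0.1[127.0.0.1]:1025, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Sep  2 10:05:17 mail01 postfix/smtp[2210]: 6F7A8B9C0D: to=<oncall@example.com>, relay=none, delay=0.1, delays=0.1/0/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:1025: Connection refused)
Sep  2 10:05:41 mail01 postfix/smtpd[2215]: NOQUEUE: reject: RCPT from unknown[192.168.40.5]: 554 5.7.1 <oncall@example.com>: Relay access denied; from=<x@y> to=<oncall@example.com> proto=ESMTP helo=<rogue>
Sep  2 10:06:03 mail01 postfix/smtp[2220]: 7E8F9A0B1C: to=<oncall@example.com>, relay=127.0.0.1[127.0.0.1]:1025, delay=0.3, delays=0.1/0/0.1/0.1, dsn=5.0.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 550 5.7.1 sender not permitted (in reply to MAIL FROM command))
Sep  2 10:07:00 mail01 postfix/smtp[2230]: 9C0D1E2F3A: to=<oncall@example.com>, relay=127.0.0.1[127.0.0.1]:1025, delay=0.5, delays=0.2/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
EOF
)

# count_status LOG STATUS: number of delivery attempts logged with status=STATUS.
count_status() {
    printf '%s\n' "$1" | grep -c "status=$2" || true
}

# relay_denials LOG: distinct client IPs that smtpd refused to relay for.
relay_denials() {
    printf '%s\n' "$1" \
        | sed -n 's/.*RCPT from [^[]*\[\([0-9.]*\)]: 554 5.7.1 .*Relay access denied.*/\1/p' \
        | sort -u
}

# bridge_down LOG: 0 if any deferral was caused by the bridge port refusing
# connections, i.e. the bridge service is not running.
bridge_down() {
    printf '%s\n' "$1" \
        | grep -q 'status=deferred (connect to 127.0.0.1\[127.0.0.1\]:1025: Connection refused)'
}

# triage LOG: one-line summary plus actions; exit 0 when healthy, 1 otherwise.
triage() {
    log=$1
    sent=$(count_status "$log" sent)
    deferred=$(count_status "$log" deferred)
    bounced=$(count_status "$log" bounced)
    denied=$(relay_denials "$log" | wc -l)
    echo "sent=$sent deferred=$deferred bounced=$bounced relay_denied_clients=$denied"
    rc=0
    if bridge_down "$log"; then
        echo "ACTION: port 1025 refused connections; check protonmail-bridge.service"; rc=1
    fi
    if [ "$bounced" -gt 0 ]; then
        echo "ACTION: $bounced message(s) bounced by the bridge; check the sender rewrite"; rc=1
    fi
    if [ "$denied" -gt 0 ]; then
        echo "REVIEW: relay denied for: $(relay_denials "$log" | tr '\n' ' ')"
    fi
    return $rc
}

# Stand-alone demo on the constructed excerpt (two actions expected).
triage "$SAMPLE_LOG" || echo "relay needs attention"
```

A relay-denied line is not an error on the relay itself, but a client address that keeps appearing there is either a monitoring host missing from mynetworks or something on the network probing for an open relay, which is worth knowing either way.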

Client Setup

Configure SMTP email clients (the monitoring systems) to send mail to:

Server: mail01.domain.local
Port: 25

The relay accepts mail on port 25 without authentication or TLS from any host whose address is in mynetworks, and everything it accepts goes out as the Proton account, so keep mynetworks limited to the monitoring subnets that actually need the relay.

References

Official Proton docs

Various sources

Info on nohup and disown

Info on creating a service

Info on forcing the from and the reply-to