Cloudron Forum
SMTP External Relay w/ ProtonMail Bridge

12 Posts 4 Posters 2.8k Views 4 Watching
    • YoMaCloud

      Hi big fan of Cloudron, enough to have an annual subscription!
      I use ProtonMail for all of my email needs, they have a Bridge that allows the use of SMTP and IMAP thru ProtonMail.

      I have the relay configured using this Ansible script (same results with manual config): https://github.com/moismailzai/ansible-role-protonmail-bridge-headless

      Connecting the ProtonMail Bridge directly as an SMTP Relay does not work. PMB uses a self-signed certificate and initializes the TLS handshake using it, which may cause an issue. The message shows up in the mail queue but never gets sent.

      I have postfix set up for use with the PMB. Using postfix I am able to successfully send emails using the PMB.

      Is there a way to set up the external SMTP relay to ignore STARTTLS?

      Since I have postfix set up and working can I use Postfix to relay emails from Cloudron and then Postfix sends it to the PMB? (I tried this but I get the too many received headers error)

      If none of the above are an option can I use the wildcard LetsEncrypt certificate for PMB?

      I've been at this for a few days and am almost ready to give up on having any email working in Cloudron.

      Thank you, any guidance would be much appreciated!

      girish
      Staff
      wrote on last edited by
      #3

      @YoMaCloud Before this, does ProtonMail even support relaying email at the domain level? Note that just the SMTP service is not enough to relay email.

      There are two types of relaying: single email address and domain level. In the former case, this is no different from an email client sending email with a specific email address. In the latter case, you need the ability to send email as anything@domain.com. Does ProtonMail support the latter? Cloudron needs the latter since each app has its own email address.

      • subven

        You should not install or upgrade packages on a Cloudron server by yourself so I hope you installed the bridge on another server.

        @YoMaCloud said in SMTP External Relay w/ ProtonMail Bridge:

        Is there a way to set up the external SMTP relay to ignore STARTTLS?

        Cloudron uses Haraka as mail server. You can authenticate by different methods but I think transport encryption (STARTTLS) is mandatory.

        @YoMaCloud said in SMTP External Relay w/ ProtonMail Bridge:

        can I use the wildcard LetsEncrypt certificate for PMB?

        You could use Cloudron's new app proxy feature maybe 🙂

        Without digging further into the topic, I can't give a qualified answer or solution right now.

        girish
        Staff
        wrote on last edited by
        #4

        @subven said in SMTP External Relay w/ ProtonMail Bridge:

        @YoMaCloud said in SMTP External Relay w/ ProtonMail Bridge:

        can I use the wildcard LetsEncrypt certificate for PMB?

        You could use Cloudron's new app proxy feature maybe

        My understanding is that @YoMaCloud wants to use a LE cert for the SMTP mail server because @YoMaCloud suspects that using a self-signed cert makes Cloudron mail server/Haraka not relay mail. So, it's not for a web app.

          timconsidine
          App Dev
          wrote on last edited by
          #5

          @girish my understanding (which might be wrong) is that because Proton is encrypted mail, it does not support relaying.

          The client would need to have the ability to encrypt when sending through proton.
          So you have to use their client or the Bridge, which acts as middleman to access proton servers, interfacing with your chosen local mail client.

          And I have only tried installing the Bridge on a local device.
          I don't know whether you can install the Bridge on a server (suspect not, at least you could not in the past).

            YoMaCloud
            wrote on last edited by
            #6

            @girish Yes it does, I can send emails at the domain level. I've successfully sent emails from postfix as no-reply and the others that Cloudron uses.

            My issue is that the bridge won't connect with Haraka directly. Which seems to stem from its self-signed certificate when used for STARTTLS.

            Since Cloudron already generates a wildcard cert I was hoping as a work-around I could possibly use those or change the Haraka config to allow my connection from the bridge.

              YoMaCloud
              wrote on last edited by
              #7

              @subven Hi, installing this on a separate server would defeat its purpose. It shouldn't be public facing. The bridge itself works and I moved it to a Docker container to separate even more from the Cloudron host. The issue is getting it to play nice with Haraka.

              The only ideas I have as a workaround are:
              - Altering Haraka's config to allow the connection
              - Replacing the Bridge's certificates with Cloudron's wildcard certs
              - Using postfix as a relay to the relay

              Your app proxy link requires a login but I will see what info I can find online.

              @timconsidine Hi Tim, this information is no longer correct. The ProtonMail Bridge has had a CLI mode for headless servers for a long while now. There are many users that run this off of headless Linux servers to serve the needs of their domain versus installing the bridge client on every instance that needs to send and/or receive email.

                girish
                Staff
                wrote on last edited by girish
                #8

                As pointed out earlier, we don't support installing external software. When all these containers mix, Cloudron might delete containers when updating the infrastructure, change Docker configuration, etc.

                Note that there are other ways to keep things private. Just install it in a private network, for example. Like if you use a VPS provider, you can set up the equivalent of a VPC and the bridge is on a separate server. Cloudron and the bridge communicate with the private IP.

                /end of warning 🙂

                @YoMaCloud said in SMTP External Relay w/ ProtonMail Bridge:

                - Altering Haraka's config to allow the connection
                - Replacing the Bridge's certificates with Cloudron's wildcard certs
                - Using postfix as a relay to the relay

                I guess the bridge is IP address based, is it not? The certificates will not help in that case, no?

                I quickly checked the Haraka code (https://github.com/haraka/Haraka/blob/master/plugins/queue/smtp_forward.js) and it doesn't have an option to accept self-signed certificates for the relay.

                  girish
                  Staff
                  wrote on last edited by
                  #9

                  mm, under External SMTP server relay option, there is an Accept Self-signed certificate check box. Unfortunately, this is not passed on to Haraka. Investigating.

                    subven
                    wrote on last edited by
                    #10

                    @YoMaCloud It wasn't about being public facing but about separating it from an infrastructure (server) that is controlled by Cloudron. As mentioned, you should host services like this on another server and use either VPC (Tunnel + VLAN on hoster level) or VPN to connect to your non-public services internally.

                    Without the possibility of Haraka accepting SSCs, I don't think it will work.

                      YoMaCloud
                      wrote on last edited by
                      #11

                      @girish I suppose I could run a VPC but the idea behind using Cloudron was to have everything under one compute instance. It may not fully resolve the certificate issue. I may be able to use certbot on that separate instance but I need everything under the same domain. Can two servers be served the same wildcard cert?
                      Someone has already documented this solution: https://lder.dev/posts/Fixing-ProtonMail-Bridge-SSL-errors-with-Lets-Encrypt/
                      But I already have Cloudron grabbing certs for the domain.

                      For Haraka, is Outbound treated differently than relay? Because I see here I can specify ciphers and even disable TLS:
                      https://haraka.github.io/core/Outbound/

                      @subven Yes, I understand what you were saying; it is the best practice, which I will gladly implement if I can resolve the cert issue.

                        timconsidine
                        App Dev
                        wrote on last edited by
                        #12

                        @YoMaCloud thank you for the correction / update, useful to know.

                        1 Reply Last reply
                        0
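
Added example, not part of the original thread and not Cloudron, Haraka or ProtonMail Bridge code: the certificate question discussed above, reproduced offline with the `openssl` CLI. It shows that a verifying client rejects a self-signed certificate against the system trust store, accepts it once that exact certificate is pinned as the trust anchor, and still rejects a different self-signed certificate. The file names and `.invalid` CNs are constructed, and `probe_relay` (host, port and pin file are yours to supply) runs the same check against a live STARTTLS relay.

```shell
#!/bin/sh
# Constructed demo: how a verifying TLS client judges a self-signed relay
# certificate, and what pinning that one certificate changes.

# Create a throwaway self-signed cert DIR/NAME.pem (stand-in for a bridge's cert).
make_selfsigned() {  # usage: make_selfsigned DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.invalid" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Verify CERT against the system trust store, or against PINNED_CA when given.
# Prints "trusted" or "untrusted".
cert_status() {  # usage: cert_status CERT [PINNED_CA]
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    else
        openssl verify "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    fi
}

# Run the three cases and print their results on one line.
selfsigned_trust_demo() {
    d=$(mktemp -d) || return 1
    if ! { make_selfsigned "$d" bridge && make_selfsigned "$d" other; }; then
        rm -rf "$d"; return 1
    fi
    r1=$(cert_status "$d/bridge.pem")                  # system store only
    r2=$(cert_status "$d/bridge.pem" "$d/bridge.pem")  # that exact cert pinned
    r3=$(cert_status "$d/other.pem" "$d/bridge.pem")   # different cert, same pin
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

# Live variant (not run by the demo): show how verification of a relay's
# STARTTLS certificate ends, optionally with a pinned trust anchor.
probe_relay() {  # usage: probe_relay HOST PORT [PINNED_CA]
    openssl s_client -starttls smtp -connect "$1:$2" -verify_return_error \
        ${3:+-CAfile "$3"} </dev/null 2>&1 | grep -i 'verif'
}

selfsigned_trust_demo
```

Pinning keeps STARTTLS and certificate verification in place for one known certificate, which is a narrower change than accepting any self-signed certificate or disabling TLS on the relay hop.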