Email Alerts: Using ProtonMail as the mail Transport


I’ve switched my email provider to ProtonMail. But can I use it for my server notifications?

I run a number of applications and servers that I’ve configured to send me email notifications if an event occurs. For example, if updates are available to install on one of my web servers, the server will send me an email to tell me.

Long gone* are the days when you used to be able to run your own email server and send email directly from your server to a recipient. A much easier method is to use a mailbox hosted by Microsoft or Gmail and the like, to send email on your server or application’s behalf. It’s called SMTP Relay and it works well, if properly set up.

And I’ve done that for years!

*I say long gone, but it isn't. It's still entirely possible of course, but a hell of a faff to set it up just for a few email alerts. But oooooh! You wait until later in this post!

How did that work?

With Amazon Web Services (AWS) there were no issues, as AWS has the Simple Email Service (SES) that can be configured to relay email for your AWS-based server. But of course, I am no longer using AWS.

For anything else (my other web server, or applications) I used to use an M365 account that I’d created for that very purpose: to relay alert emails. A while ago, however, Microsoft introduced some extra layers of security for SMTP relaying that made that particular scenario a bit more complicated to use.

So I switched to a Gmail account that allowed me to use an account I created (for the purpose) as an SMTP relay with an app password. Good to go.


Except…

I got to pondering yet again. The Gmail account sends the email over an encrypted link to either my outlook.com or ProtonMail mailbox. Although the link is encrypted and of course the ProtonMail mailbox is encrypted to my satisfaction, the Gmail account uses Google’s proprietary keys. Accessible by anyone with a will at Google. Same with the outlook.com mailbox. That’s encrypted using Microsoft’s proprietary keys.

What I really want to happen is a ProtonMail mailbox sending to a ProtonMail mailbox. That way, both the sending and receiving parties are using zero-access architecture. A bit overkill just for alerts? Maybe. Maybe not.

Yes I know these are just server alerts. Nobody cares about them. But it's the principle, right?

Solutions

A couple of solutions sprang to mind:

Use the Proton SMTP service to relay emails. This works in much the same way as Gmail and O365 do, except it’s more secure in that you generate the SMTP tokens yourself.

Now that’s OK, but it’s only included in the Proton for Business, Proton Family and Mail Essentials packages, none of which I have. I won’t be upgrading to them, due to the cost, either – they’re reasonably expensive for what I want to use it for.

The other solution is to use ProtonMail Bridge and another ProtonMail account to send the emails. I could, of course, use my own email account to send them to myself… but I’d rather keep them separate. It’s tidier and appeals to my OCD.

ProtonMail Bridge is included in a paid subscription only, so a new account was created and I paid for the Mail Plus subscription (which is still a lot less than the subscriptions required for SMTP relay service).


ProtonMail Bridge

Setting up the ProtonMail Bridge is easy enough on Windows; I’d already done it for my own mailbox account on a couple of devices. But what of Linux, specifically Ubuntu?

We live in the internet times, so some guidance wasn’t all that difficult to find. I used this guide to set up ProtonMail Bridge and pass on my Ubuntu 24.04.2 server.

Installing the Bridge on my Raspberry Pi, however, was a little different. ProtonMail Bridge doesn’t support the ARM64 architecture, so using the same instructions as above won’t work (it’s for x64 only). The internet came to the rescue, however (yet again): I used this guide to set up a release of ProtonMail Bridge on the RPi server – which works well.

There’s also a Linux desktop client that works with various flavours of Ubuntu, so I’m pretty much 98% of the way towards a totally ProtonMail alert system.

It only left the Synology NAS

I have a couple of Synology NAS boxes, both send me the occasional email alert. One in particular does every time it boots up, as it is the UPS master monitor for that segment of power network. It likes to let me know that it’s OK. The other NAS remains pretty much silent, apart from the odd burp when I clear a browser cache and it prompts for some MFA.

One NAS has an ARM64 processor, the other is aarch64 architecture. Native ProtonMail Bridge won’t install on either, however I have read somewhere on the internet that a docker image (or Container Manager, for Synology) can be used for the ARM64. I’m not overly experienced with Docker (or Container Manager) – it seems like a bit of a faff just to send the occasional email.

Ubuntu (server) to the rescue!

I’d completely forgotten – at least for a moment – that I now have an internal Ubuntu server that runs for most of the time. On that server is ProtonMail Bridge, but more importantly: a Postfix server.

If I lock down Postfix so that only my NAS boxes can connect to it to send email, put some strong authentication on it and speak to it nicely, that ought to do the trick.

Accounts were created, firewall rules were added and main.cf got told that only those two boxes over there (waggling finger at them) can send through Postfix, and from Postfix through ProtonMail Bridge and arrive at the final destination: my mailbox. And all of that encrypted (by me) along the way.
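
One way to check the lock-down described above, as an added example (not the author's configuration or tooling): a small Python audit of `main.cf` that confirms only the named clients may relay and that the next hop is the local Bridge. The sample file, the client addresses and the Bridge listener at 127.0.0.1:1025 are assumptions, and `mynetworks` is assumed to hold only IP/CIDR entries.

```python
import ipaddress

# Constructed main.cf excerpt, not the author's file. The client addresses are
# placeholders; 127.0.0.1:1025 is assumed to be where Bridge listens for SMTP.
SAMPLE_MAIN_CF = """\
relayhost = [127.0.0.1]:1025
mynetworks = 127.0.0.0/8, 192.168.1.20/32
    192.168.1.21/32
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; an indented line continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def audit_relay(text, allowed_clients):
    """Return findings; an empty list means relaying is scoped as intended."""
    p, findings = parse_main_cf(text), []
    allowed = {ipaddress.ip_address(a) for a in allowed_clients}
    for item in p.get("mynetworks", "").replace(",", " ").split():
        net = ipaddress.ip_network(item, strict=False)
        # Loopback is expected; anything else must be a single allowed host.
        if not net.is_loopback and (net.num_addresses != 1 or net.network_address not in allowed):
            findings.append(f"mynetworks entry {item} goes beyond the allowed clients")
    relay = p.get("smtpd_relay_restrictions", "").replace(",", " ").split()
    if "reject_unauth_destination" not in relay:
        findings.append("smtpd_relay_restrictions lacks reject_unauth_destination")
    host = p.get("relayhost", "").partition("]")[0].lstrip("[")
    try:
        if not ipaddress.ip_address(host).is_loopback:
            findings.append("relayhost is not a loopback address")
    except ValueError:
        findings.append("relayhost is missing or not a bracketed IP literal")
    if p.get("smtpd_sasl_auth_enable") == "yes" and p.get("smtpd_tls_auth_only") != "yes":
        findings.append("SASL is offered without requiring TLS (smtpd_tls_auth_only)")
    return findings
```

Calling `audit_relay(SAMPLE_MAIN_CF, ["192.168.1.20", "192.168.1.21"])` returns an empty list; widening a `mynetworks` entry to a whole subnet or pointing `relayhost` off-box produces a finding.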

Lovely. What’s more lovely is the fact that I am no longer tied to a Gmail account. So I’ll be waving goodbye to that, very shortly. 👋