An Ansible role to configure ProtonMail-Bridge (headless) with Postfix

3/14/2021

Recently I became a paid ProtonMail member and am very happy with the service. So happy, in fact, that I wanted to configure Postfix to use it as a relay. This was a little more challenging than expected, however, because of the encryption angle. To help with this, there's the official Protonmail-Bridge utility package for paid users on Windows, Mac, and several flavors of Linux. This handles all the encryption complexity but it runs interactively or in a GUI, which makes it difficult to configure on a headless machine.

Enter protonmail-bridge-headless, an Ansible role I wrote to handle all the details. The role will work on RHEL, Debian, and Arch Linux flavors.

To review the code and try it out, just follow the instructions in the git repository or check it out on Ansible Galaxy.

But the TL;DR version is that you just include the role and add your configuration overrides. For example, here's a sample playbook:

- name: "install and configure protonmail-bridge as a headless service"
  become: "yes"
  hosts: "all"
  vars:
    protonmail_username: "your_username"
    protonmail_password: "your_password"
    protonmail_custom_domain: "your_domain"
  roles:
    - "moismailzai.protonmail_bridge_headless"

Then just run the playbook:

sudo ansible-playbook -c local -i localhost, main.yml

The role will take care of everything you need to get the bridge working with Postfix — it will:

  • download the latest version of the bridge
  • ensure the package is correctly signed before installing it
  • configure the bridge with your user information
  • create a service to keep the bridge running in the background
  • create a locked user to run the service as
  • configure postfix for use with the bridge (SASL)
  • on RHEL systems (or optionally on other distributions), configure SELinux contexts
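To make the "configure postfix for use with the bridge (SASL)" step concrete, here is an added example of the Postfix relay settings involved. It is illustrative code written for this post, not the role's own tasks or templates. It assumes the bridge's documented defaults (SMTP on 127.0.0.1 port 1025 with STARTTLS) and that the credential used is the per-account password the bridge generates, not the ProtonMail account password; the `BRIDGE_HOST`/`BRIDGE_PORT` variables and function names are inventions of this example.

```shell
#!/bin/sh
# Added example: render the Postfix settings for relaying outbound mail
# through a locally running ProtonMail Bridge using SMTP AUTH (SASL).
# Assumed bridge defaults: 127.0.0.1:1025 with STARTTLS (override via env).
BRIDGE_HOST="${BRIDGE_HOST:-127.0.0.1}"
BRIDGE_PORT="${BRIDGE_PORT:-1025}"

# Print the main.cf directives for an authenticated, STARTTLS-required relay.
# The relayhost value (brackets included) must match the key in sasl_passwd.
render_main_cf() {
    cat <<EOF
relayhost = [${BRIDGE_HOST}]:${BRIDGE_PORT}
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
EOF
}

# Write the SASL credential map as a root-only file and build the hash
# database Postfix reads. $1 = target directory, $2 = bridge username,
# $3 = bridge-generated password (constructed values in the test below).
write_sasl_passwd() {
    dir="$1"; user="$2"; pass="$3"
    # Create the file with 0600 from the start so the secret is never
    # world-readable, even briefly; the subshell keeps umask local.
    ( umask 077
      printf '[%s]:%s %s:%s\n' "$BRIDGE_HOST" "$BRIDGE_PORT" "$user" "$pass" \
          > "$dir/sasl_passwd" )
    chmod 0600 "$dir/sasl_passwd"
    # postmap produces sasl_passwd.db; skip when Postfix is not installed here.
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$dir/sasl_passwd"
    fi
}

# Return success only if the credential file is readable by its owner alone.
sasl_passwd_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}
```

Two points worth noting when adapting this: `smtp_tls_security_level = encrypt` forces STARTTLS on the loopback hop but does not verify the bridge's self-signed certificate, so trust the bridge's certificate explicitly (for example via `smtp_tls_CAfile`) if loopback-only exposure is not enough for your threat model, and keep `sasl_passwd` plus its `.db` owned by root with mode 0600, since anyone who can read them can send mail as you.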

Note that the default settings generate a new unprotected key to use exclusively for the bridge. You'll likely want to modify this behavior by adding a key password, which you can do by overriding the default role variables. Oh, and if you've been thinking about diversifying away from an entirely-Google digital life, check out ProtonMail!