I have been looking into improving my server notifications solution (I wrote about it in this post). While having the ProtonMail third-party relay worked, it couldn’t handle attachments. Additionally, TLS between client and server wasn’t supported. While this isn’t the end of the world as messages would only be reaching the relay from my internal network, it irked me a little bit so I set about considering a solution.
That solution really sent me down a bit of a rabbit hole which led to me completely replacing the MTA (SSMTP) on the server as I discovered it was no longer maintained. I eventually settled on MSMTP and Mutt (which I used previously). This was all well and good, but I still couldn’t send messages through ProtonMail’s servers with attachments. I definitely did not want to use Google, but couldn’t find any services that could support encryption like ProtonMail. I hit upon the idea of using GPG keys (natively supported by ProtonMail), but this still meant I had to find an SMTP server to deliver my messages.
I settled on using Sendgrid, although there are quite a few options out there. I’m not really Sendgrid’s target market, but the restrictions on the free tier of their service won’t affect me given I will only be using it for notifications from my servers.
I might look into trying to configure my own relay again one day…but this was not that day. So my “stack” for notifications effectively looks like MSMTP/Mutt + GPG keys + Sendgrid.
GPG Keys
This was fairly straightforward in that I could just export the public key of the ProtonMail address I want to receive notifications at. This can be found in the Settings menu or ProtonMail’s page.
Once I had this key, it was a case of running the following (fair warning, this works on an Ubuntu install, but not necessarily everything else - make sure you read what you are doing!).
Update/upgrade/install gnupg;
$ sudo apt update && sudo apt upgrade -y
$ sudo apt install gnupg
Now you have to import the public key of the address you want to send to. In our case, this is the one we grabbed from the ProtonMail page.
$ gpg --import /path/to/downloaded/public/key
If you want this to be scriptable you have to trust the key. For this it’s a case of running;
$ gpg --list-keys
This will list your keys, imported or otherwise.
$ gpg --edit-key <name/email address of the public key>
This will bring up a gpg command prompt. Enter trust and select the level of trust you wish to give the key. I went with 5 = I trust ultimately as it was my key. Then exit with Ctrl+c.
You should be all set to encrypt your messages now. Remember though that this is currently one-way communication as you have not generated a key-pair for the sending account to receive messages from. This isn’t an issue if you are only using this to send messages from your server and don’t want to receive anything. I used some GPG cheatsheets, which you can find here, here and here.
Logwatch
One of the issues with this software choice is getting some of the software on the server to send out encrypted messages. It’s less of an issue with the scripts for backup as I wrote them myself and it was somewhat trivial to add in a couple of lines to encrypt a message before it was sent. However, with logwatch a few options need to be set and the cron entry logwatch relies on has to be edited a little.
I actually followed this really helpful guide in getting logwatch set up, although I made some modifications to the cron script. I also set the output in /etc/logwatch/conf/logwatch.conf to file instead of mail, and text instead of html.
My entry in /etc/cron.weekly/00logwatch became;
#!/bin/bash
# Check if removed-but-not-purged
test -x /usr/share/logwatch/scripts/logwatch.pl || exit 0
# Execute logwatch, writing the report to a file instead of mailing it
/usr/sbin/logwatch --output file --Filename /path/to/where/the/log/will/output.html
# Encrypt the file to the imported key, email the armored result and clean up
gpg -e --armor -r <email address of imported key> /path/to/where/the/log/will/output.html
cat /path/to/where/the/log/will/output.html.asc | mutt -s "Logwatch has been run" <email address of imported key>
rm /path/to/where/the/log/will/output.html
rm /path/to/where/the/log/will/output.html.asc
This works particularly well with ProtonMail as it has GPG key decryption baked into the product, but there are plugins out there for different email clients, so it can be used with other email providers too.
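The cron entry above does the job, but under cron nothing is watching: if the public key was never imported, or gpg fails for any reason, the `rm` lines still run and the report is silently lost, while an existing `.asc` file would make gpg prompt for an overwrite that a cron job can never answer. The following helper is an added example, not code from the original post, wrapping the same encrypt-then-mutt step with the checks a scheduled job wants. It assumes the recipient's public key has already been imported and trusted as described in the GPG Keys section and that mutt/msmtp are configured; the function name, the recipient address and the report path are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): an encrypt-and-mail helper for
# scheduled reports such as the logwatch output. Assumes the recipient's public
# key is already imported and trusted, and that mutt/msmtp are configured.

set -u

# Encrypt a plaintext report to RECIPIENT and hand the armored result to mutt.
# Arguments: recipient address, path to the plaintext report, mail subject.
# Sends nothing and returns non-zero if the report is missing, the key is not
# in the keyring, or encryption fails; the plaintext is removed in every case
# so an unencrypted copy is never left behind.
send_encrypted_report() {
    recipient="$1"
    report="$2"
    subject="$3"
    armored="${report}.asc"

    # An empty or missing report would become an empty mail: fail loudly instead.
    if [ ! -s "$report" ]; then
        echo "send_encrypted_report: $report missing or empty" >&2
        return 2
    fi

    # Check the keyring before encrypting so a missing import is a clear error
    # in the cron mail / syslog rather than a vanished report.
    if ! gpg --batch --list-keys "$recipient" >/dev/null 2>&1; then
        echo "send_encrypted_report: no public key for $recipient" >&2
        rm -f "$report"
        return 3
    fi

    # --batch/--yes keep gpg non-interactive under cron (no overwrite prompt);
    # --armor produces ASCII output that survives being the body of a mail.
    if ! gpg --batch --yes --armor --encrypt --recipient "$recipient" \
            --output "$armored" "$report"; then
        echo "send_encrypted_report: encryption of $report failed" >&2
        rm -f "$report" "$armored"
        return 4
    fi

    # Only the ciphertext is ever handed to the MTA.
    if mutt -s "$subject" "$recipient" < "$armored"; then
        status=0
    else
        status=$?
        echo "send_encrypted_report: mutt exited with $status" >&2
    fi

    # Drop both copies whatever mutt did; the source logs are still on the box.
    rm -f "$report" "$armored"
    return "$status"
}

# Run directly as: ./send-report.sh you@protonmail.com /tmp/logwatch.txt "Logwatch has been run"
# (the recipient and path are placeholders). In the cron entry this replaces the
# gpg / cat | mutt / rm lines after logwatch has written its report.
if [ "$#" -eq 3 ]; then
    send_encrypted_report "$1" "$2" "$3"
fi
```

If you would rather not mark the imported key as ultimately trusted, gpg's `--trust-model always` option on the encrypt call skips the trust check in scripts; the helper keeps the trust step from the GPG Keys section instead so the keyring, not the script, decides which keys may be encrypted to.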
MSMTP
Honestly, setting up MTAs in Linux is an utter nightmare for me. It’s a bit beyond the scope of this article to get MSMTP set up, but there are a few guides I used. Remember that other MTAs can be used if you’re more comfortable with those too. Ultimately I grabbed an API key from Sendgrid and used that as my credentials as I just couldn’t get unlocking of the password file with a GPG key-pair working. I am aware of the irony of this!
- Here is the Debian guide
- Here is the Arch Wiki
- Here is some of the Sendgrid documentation for using their SMTP service
Overall I think this is a more workable solution for notifications than the slightly kludge-y third-party ProtonMail relay. I think if ProtonMail ever get to a point where they open-source their Bridge application it might open the door to a relay for encrypted messaging and notifications on a network level. Until that point, this will be fine. I still need to work out how I’m going to script some of the other services I run so that they output to a file that can be encrypted by my GPG key, but that’s a problem for another time and another post.