Hello all. The goal of this guide is to provide you with a split-protonmail setup made of a minimal mail template and three AppVMs: protonmail-bridge, mail-receive, and mail-send.
This will allow you to effectively separate incoming and outgoing mail, and your protonmail credentials.
This guide was inspired by a Reddit post to which I made with some modifications, since the original post didn't quite work for me.
I hope this guide can help some of you.
Note: I'm not an expert, so I'm sharing what worked for me. If you have suggestions or modification proposals, feel free to post them. Also, feel free to let me know if I've made any mistake so I can update this post accordingly.
Note 1: if you don't want to create a dedicated template, just make sure that the required software is installed in your template of choice. Personally, I prefer to create a template for each purpose.
Note 2: you can take this a step further by creating a template for Protonmail bridge, and another one for Thunderbird. In this example, I use only one template for both purposes.
Note 3: I'm using a debian-11-minimal template, I haven't tested Fedora.
dom0 $ qvm-clone debian-11-minimal debian-11-protonmail
dom0 $ qvm-run -u root --pass-io debian-11-protonmail "apt update && apt full-upgrade -y"
packages.txt file, type them by hand or use whatever method you prefer to install the following packages:[details="packages.txt"]
fonts-dejavu
gnome-keyring
libblockdev-crypto2
libgpgme11
libpulse-mainloop-glib0
libqt5core5a
libqt5gui5
libqt5network5
libqt5qml5
libqt5svg5
libqt5widgets5
qubes-core-agent-networking
qubes-thunderbird
thunderbird
wget
debian-11-mail # apt install -y --no-install-recommends $(cat packages.txt)
apt-cacher-ng qube might need to change the protonmail url from https://protonmail.com to http://HTTPS///protonmail.com
Note 2: if you're using Fedora, you will need to check the Protonmail website for the appropriate package.
debian-11-mail # https_proxy=http://127.0.0.1:8082/ http_proxy=http://127.0.0.1:8082/ wget https://protonmail.com/download/bridge/protonmail-bridge_2.1.1-1_amd64.deb
debian-11-mail # dpkg -i install protonmail-bridge_*_amd64.deb && shutdown
This qube will only run protonmail bridge and will be the only one with a netvm assigned. This example uses sys-whonix, feel free to pick your netvm of choice.
Note 1: Keep in mind that if you pick a different name than protonmail-bridge you will have to adjust some parameters in the following steps.
Note 2: I included a maxmem value that works for me. Keep in mind you can always adjust as needed. 1. Create the qube:
dom0 $ qvm-create --class=AppVM --template=debian-11-protonmail protonmail-bridge
dom0 $ qvm-prefs protonmail-bridge maxmem 900
dom0 $ qvm-prefs protonmail-bridge netvm sys-whonix
protonmail-bridge # mkdir -p /rw/usrlocal/etc/qubes-rpc
protonmail-bridge # echo 'socat STDIO TCP:localhost:1143' > /rw/usrlocal/etc/qubes-rpc/user.protonmail-imap
protonmail-bridge # echo 'socat STDIO TCP:localhost:1025' > /rw/usrlocal/etc/qubes-rpc/user.protonmail-smtp
dom0 $ qvm-shutdown --wait protonmail-bridge
dom0 $ qvm-features protonmail-bridge menu-items protonmail-bridge.desktop
This qube will only be able to receive mail and will not be connected to a netvm. 1. Create the qube:
dom0 $ qvm-create --class=AppVM --template=debian-11-protonmail mail-receive
dom0 $ qvm-prefs protonmail-receive maxmem 900
dom0 $ qvm-prefs protonmail-receive netvm ''
mail-receive # echo 'qvm-connect-tcp ::1143' >> /rw/config/rc.local && shutdown
dom0 $ qvm-features mail-receive menu-items thunderbird.desktop
This qube will only be able to send mail and will not be connected to a netvm. 1. Create the qube:
dom0 $ qvm-create --class=AppVM --template=debian-11-protonmail mail-send
dom0 $ qvm-prefs protonmail-send maxmem 900
dom0 $ qvm-prefs protonmail-send netvm ''
mail-send # echo 'qvm-connect-tcp ::1025' >> /rw/config/rc.local && shutdown
dom0 $ qvm-features mail-send menu-items thunderbird.desktop
These policies allow communications between the relevant qubes: specifically, the mail-receive qube will be able to fetch email automatically, while the mail-send qube will require an extra user prompt. This set up may or may not be desirable for you, so feel free to experiment.
dom0 # echo "mail-receive protonmail-bridge allow,target=protonmail-bridge" >> /etc/qubes-rpc/policy/user.protonmail-imap
dom0 # echo "mail-send protonmail-bridge ask,default_target=protonmail-bridge" >> /etc/qubes-rpc/policy/user.protonmail-smtp
dom0 # echo "mail-receive protonmail-bridge allow,target=protonmail-bridge" >> /etc/qubes-rpc/policy/qubes.ConnectTCP
dom0 # echo "mail-send protonmail-bridge ask,default_target=protonmail-bridge" >> /etc/qubes-rpc/policy/qubes.ConnectTCP
Start protonmail-bridge, login with your PM credentials and make sure that the bridge is set to run on startup (there's an option in the app settings).
Start mail-receive, add an account on thunderbird with the credentials provided by pm bridge. For IMAP use server 127.0.0.1, port 1143. For SMTP use 0.0.0.0. Then click advanced to save, and fetch mail.
Start mail-send, add an account on thunderbird with the credentials provided by pm bridge. For IMAP use server 0.0.0.0. For SMTP use server 127.0.0.1, port 1025. Then click advanced to save.
mail-send requires that you approve the pm certificate: you'll receive a prompt the first time you attempt to send an email.