On 1/12/25 9:34 AM, dep via tde-users wrote:
> I use ProtonMail. ProtonMail offers an application-filter thing called
> ProtonBridge; without it one is stuck with Proton's webmail, which is a
> pain for many reasons, not least that it's impossible to reply to a
> message at the bottom.
>
> ProtonBridge is a fairly large thing that does the encryption/decryption of
> outgoing/incoming messages respectively. Instead of having an actual
> address for the mail server, Bridge requires we use 127.0.0.1 and port
> 1143 for incoming and 1025 for outgoing. Fine so far.

Be very, very wary....
Protonmail is not accepted by my server and many others due to it routing mail
through APNIC servers in PRC. Starting several years ago, I have an engineering
company I host that found it could no longer receive mail from proton mail. A
quick investigation showed it could no longer receive mails due to the
protonmail server being blocked at the firewall. It was banned by fail2ban due
to repeated illegal intrusion attempts from that same IP. (dovecot:auth failures)
I know I'm not the only one that now blocks protonmail IPs at the firewall.
Just a guess, but given the distributed nature of the wonderful net, if kmail
receives header information from an open IP, but the remainder of the message
is blocked somewhere along the way at one of the hops close to your delivery
point - I could see kmail being quite confused. The same distributed nature of
the net should also provide an automatic re-route, but if it runs into another
block elsewhere I could see a problem like you describe. traceroute on the
sender/server IP may turn up something (low probability, but worth doing).
Like I said this is a GUESS, but I can see this becoming a bigger issue as
temporary bans come on/off IP addresses. I am seeing just over 1000 brute
force attempts per month (with hundreds of thousands of bad-actor IPs already
blocked by ipset).
It may also be that protonbridge causes the mail header to be seen by kmail
with some non-standard additions in it used by the web-mail UI that most
current mail packages accept. The old "Internet Explorer" type adherence to
standards applied to mail... It would be really interesting if you could pin
down an error message (hopefully with debug info) from kmail that shows where
kmail is unhappy. (and it may just be a corner-case issue that doesn't throw
an error or exception).
I'll keep following this thread. I'm interested in what turns up and if it
provides a way for me to loosen protonmail restrictions.
--
David C. Rankin, J.D.,P.E.