Use Protonmail Bridge with Discourse

Community wiki Sysadmins
1

Problem: a) Protonmail Bridge cannot listen to IP other than 127.0.0.1, and b) Discourse in a Docker container cannot send SMTP requests to 127.0.0.1 of the host machine.

Solution: We configure it to send to 172.17.0.1 (the Docker’s bridge IP on the host machine), and then redirect to 127.0.0.1, on which the Protonmail Bridge is listening.

We do it with using Socat.

How To

Start by installing Socat:
apt install socat

We will run Socat as a service. Create service file:
nano /etc/systemd/system/protonsocat.service

… and put the following content in it:

[Unit]
Description=Socat Bridge ProtonMail/Discourse
After=protonbridge.service,docker.service
ReloadPropagatedFrom=docker.service

[Service]
ExecStart=socat -d -d -lm TCP4-LISTEN:1026,fork,reuseaddr,so-bindtodevice=docker0,range=172.17.0.0/24 TCP4:127.0.0.1:1025
Restart=always
RestartSec=2

[Install]
WantedBy=multi-user.target

Notes:

  • We configured Socat to listen to all IPs 172.17.0.0/24, port 1026, and redirect the traffic to 127.0.0.1:1025, where Protonmail Bridge is listening

  • Example from Socat documentation: <strong>socat</strong>

  • -d -d will print the fatal, error, warning, and notice messages; you may not want that much detail logged

Next, start the service:
systemctl start protonsocat

Check that it is running:
systemctl status protonsocat

And automatically get it to start on boot:
systemctl enable protonsocat

Done! Now, configure Discourse app.yml and rebuild:

  DISCOURSE_SMTP_ADDRESS: 172.17.0.1
  DISCOURSE_SMTP_PORT: 1026
  DISCOURSE_SMTP_USER_NAME: <SMTP username supplied by the Proton Bridge command-line application>
  DISCOURSE_SMTP_PASSWORD: "<SMTP password - put in quotes>"
  DISCOURSE_SMTP_ENABLE_START_TLS: true
  DISCOURSE_SMTP_DOMAIN: <the domain name>
  DISCOURSE_NOTIFICATION_EMAIL: <here, put the address form which Discourse will send transactional emails>
2 Likes
2

Hi @meglio
I cannot find protonbridge.service so I replaced it with protonmail.service
But seems there’s issue with the format After=protonbridge.service,docker.service

4

Hi @meglio This seems to be giving me an error

After the initial sysctl commands

root@ip-172-31-0-166:/var/discourse# systemctl status protonsocat.service
● protonsocat.service - Socat Bridge ProtonMail/Discourse
     Loaded: loaded (/etc/systemd/system/protonsocat.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-12-18 20:58:18 UTC; 25s ago
   Main PID: 2020962 (socat)
      Tasks: 1 (limit: 1143)
     Memory: 2.0M
        CPU: 4ms
     CGroup: /system.slice/protonsocat.service
             └─2020962 socat -d -d -lm TCP4-LISTEN:1026,fork,reuseaddr,so-bindtodevice=docker0,range=172.17.0.0/24 TCP4:127.0.0.1:1025

Dec 18 20:58:18 ip-172-31-0-166 systemd[1]: Started Socat Bridge ProtonMail/Discourse.
Dec 18 20:58:18 ip-172-31-0-166 socat[2020962]: 2022/12/18 20:58:18 socat[2020962] W ioctl(5, IOCTL_VM_SOCKETS_GET_LOCAL_CID, ...): Inappropriate ioctl for device
Dec 18 20:58:18 ip-172-31-0-166 socat[2020962]: N listening on AF=2 0.0.0.0:1026
**Dec 18 20:58:42 ip-172-31-0-166 systemd[1]: /etc/systemd/system/protonsocat.service:3: Failed to add dependency on protonbridge.service,docker.service, ignoring: Invalid argument**

Also when running the ./discourse-doctor I am getting error as


==================== MAIL TEST ====================
For a robust test, get an address from http://www.mail-tester.com/
Or just send a test message to yourself.
Email address for mail test? ('n' to skip) [[REDACTED]@proton.me]: 
Sending mail to [REDACTED]@proton.me. . . 
SAM: sudo docker exec -w /var/www/discourse -i app rake emails:test[[REDACTED]@proton.me]
Testing sending to [REDACTED]@proton.me using 172.17.0.1:1026, username:[REDACTED]@proton.me with plain auth.
======================================== ERROR ========================================
                                    UNEXPECTED ERROR

**end of file reached**

====================================== SOLUTION =======================================
This is not a common error. No recommended solution exists!

Please report the exact error message above to https://meta.discourse.org/
(And a solution, if you find one!)

Any pointers would be appreciated and would be helpful!
Thank you.

5

Have you guys managed to solve those issues since then?

6

I have actually a worse problem, my socat is running fine, but I am unable to telnet 172.17.0.1 1026 or 172.17.0.2 1026 either. Also tried 127.0.0.1 1026 and 1025, all failed from within the docker container with Discourse.

I can connect with telnet just fine on the host machine with 127.0.0.1 1025 did Discourse change something?

root@raspberry:/var/discourse# sudo systemctl status protonsocat.service 
● protonsocat.service - Socat Bridge ProtonMail/Discourse
     Loaded: loaded (/etc/systemd/system/protonsocat.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2023-02-25 20:37:34 CET; 4min 37s ago
   Main PID: 1530542 (socat)
      Tasks: 1 (limit: 9236)
     Memory: 816.0K
        CPU: 10ms
     CGroup: /system.slice/protonsocat.service
             └─1530542 socat -d -d -lm TCP4-LISTEN:1026,fork,reuseaddr,so-bindtodevice=docker0,range=172.17.0.0/24 TCP4:127.0.0.1:1025

Feb 25 20:37:34 raspberry.local systemd[1]: Started Socat Bridge ProtonMail/Discourse.
Feb 25 20:37:34 raspberry.local socat[1530542]: 2023/02/25 20:37:34 socat[1530542] W ioctl(5, IOCTL_VM_SOCKETS_GET_LOCAL_CID, ...): Inappropriate ioctl for device
Feb 25 20:37:34 raspberry.local socat[1530542]: N listening on AF=2 0.0.0.0:1026

Host machine:

root@raspberry:/var/discourse# telnet 127.0.0.1 1025
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 127.0.0.1 ESMTP Service Ready

root@raspberry:/var/discourse# nmap 127.0.0.1 1025
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-25 21:03 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000045s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
1025/tcp open  NFS-or-IIS
3306/tcp open  mysql
5432/tcp open  postgresql
8080/tcp open  http-proxy
8088/tcp open  radan-http

Nmap done: 2 IP addresses (1 host up) scanned in 3.36 seconds

My interfaces on host:

root@raspberry:/var/discourse# ifconfig
br-eb8fd6a0d930: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        inet6 fe80::42:bdff:fe5c:8dbf  prefixlen 64  scopeid 0x20<link>
        ether 02:42:bd:5c:8d:bf  txqueuelen 0  (Ethernet)
        RX packets 1336  bytes 94913 (94.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2254  bytes 3098019 (3.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:60ff:feaf:784c  prefixlen 64  scopeid 0x20<link>
        ether 02:42:60:af:78:4c  txqueuelen 0  (Ethernet)
        RX packets 295920  bytes 21547471 (21.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1049936  bytes 1487623390 (1.4 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether dc:a6:32:c2:70:f8  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 97179  bytes 22606251 (22.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 97179  bytes 22606251 (22.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth5a26573: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::428:bfff:febf:cf5c  prefixlen 64  scopeid 0x20<link>
        ether 06:28:bf:bf:cf:5c  txqueuelen 0  (Ethernet)
        RX packets 1336  bytes 113617 (113.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2279  bytes 3099825 (3.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethe0f8588: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a04d:adff:feb1:351a  prefixlen 64  scopeid 0x20<link>
        ether a2:4d:ad:b1:35:1a  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32  bytes 2488 (2.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethfe706a1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::74b3:3aff:feea:89ec  prefixlen 64  scopeid 0x20<link>
        ether 76:b3:3a:ea:89:ec  txqueuelen 0  (Ethernet)
        RX packets 4459  bytes 287499 (287.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5221  bytes 7330834 (7.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.4  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::dea6:32ff:fec2:70f9  prefixlen 64  scopeid 0x20<link>
        ether dc:a6:32:c2:70:f9  txqueuelen 1000  (Ethernet)
        RX packets 2789702  bytes 3447696344 (3.4 GB)
        RX errors 0  dropped 7  overruns 0  frame 0
        TX packets 1082661  bytes 213831559 (213.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Docker

root@raspberry-app:/var/www/discourse# telnet 172.17.0.1 1026
Trying 172.17.0.1...
telnet: Unable to connect to remote host: Connection refused