this post was submitted on 18 Jul 2023
76 points (87.3% liked)

Asklemmy

43945 readers
638 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] CumBroth@discuss.tchncs.de 3 points 1 year ago* (last edited 1 year ago) (1 children)

I would never expose it outside my network. The password used for authentication is too easy to brute force. If you really want to access it from anywhere, set it up for access within your network and then maybe use a VPN tunnel for devices outside the network. But anyway, setting up local access is problematic because it binds to localhost and gives you no option to change the binding address. There are several ways around this:

  • Set it up behind a reverse proxy (I didn't want to bother with this)
  • Build the bridge from source after changing the binding address in the source code see https://github.com/ProtonMail/proton-bridge/pull/270 (seemed like the best option, but then I decided option 3 was better)
  • Easiest option in my opinion: Set up local port forwarding with a redirection tool like rinetd, bind it to 0.0.0.0, only allow local IPs (you'd need port forwarding to access from outside anyway, but...), and redirect traffic from a particular port to the IMAP/SMTP server ports, for example: 0.0.0.0 1142 127.0.0.1 1143 (bindaddress bindport connectaddress connectport); last step was to set it up as a systemd service.

I went with the third option and it seemed like so much hassle for such a simple requirement, honestly. If you decide you want to do this, feel free to ask for my configuration files.

[–] paulchartres@beehaw.org 1 points 1 year ago

Yeah, the password is the one thing I was worried about. I already have a VPN set up so I might just go with that for external access.
Since I already have a reverse proxy I might go with option 1, seems like the easiest to set up! If it doesn’t work that well I’ll go with option 3! Thanks a lot!