When you install the Proton Mail Bridge profile on macOS, you may see a warning that the certificate used to secure the communication channel between Proton Mail Bridge and your email client is not signed by a trusted third party.
Apple Mail, Thunderbird, and other email clients running on macOS require a secure connection to IMAP and SMTP servers. This connection is secured using HTTPS, which encrypts your data in transit and verifies that the email client is connecting to who it thinks it is connecting to.
Verification is achieved using SSL/TLS certificates(new window) issued and digitally signed by certification authorities (CA) such as Let’s Encrypt.
Servers that are accessible to the public request a certificate from a CA, which then issues a digitally signed certificate for that domain.
However, Proton Mail Bridge operates locally (on localhost or 127.0.0.1), so its IMAP and SMTP servers aren’t accessible outside your computer, not even by computers on the same local network. This means Bridge can’t obtain a signed certificate from a CA.
Our solution is to use a self-signed certificate, which provides the same level of encryption for data in transit. Self-signed certificates are not trusted by default since they aren’t signed by a CA. As a result, most email clients will display a warning and ask if you trust the certificate, as the client can’t verify it (and therefore, can’t verify the connection to the server).
With Proton Mail Bridge, you can safely ignore this warning and approve the certificate and connection between the email client (for example, Apple Mail) and Proton Mail Bridge. The connection is local and doesn’t leave your device.
On the other hand, the connection between Proton Mail Bridge and Proton servers is always encrypted with TLS using the HTTPS protocol. Bridge also employs additional verification measures to ensure the identity of the server it’s connecting to.