celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

[Issue] [Android 14/S23] Proton Mail won't push notifications #1187

Closed schbrns closed 8 months ago

schbrns commented 10 months ago

I recently upgraded from an S10 to an S23 and it seems the way the Rethink firewall blocks Play Services/Framework has changed.

I used to be able to follow your general setup advice of having Play Services/Framework set to Bypass, but it has absolutely stopped working.

I've tried both bypasses and isolate. Proton Mail will ONLY push notifications if Services/Framework is set to Exclude.

There is no other combination of settings that allows Proton Mail to push notifications.

retroluv commented 10 months ago

Hello, does the same behaviour happen with the older phone using the same Rethink version?

Otherwise this might be the version of Android used between S10 & S23. If I remember correctly, a communication app on my end only works correctly if I exclude it; on an older phone that wasn't the case. I'm not worried since the connections made are needed.

Regards!

ignoramous commented 10 months ago

See if disabling (turning OFF) Configure -> DNS -> Advanced DNS filtering works?

If so, we've fixed this particular issue (#1115) in the upcoming release, v054b.

BienGudBoy commented 10 months ago

Works on mine (with advanced DNS filtering as well). You have to whitelist some domains for Play Services/Framework for push notification to work.

After multiple trial and error (pain), android.apis.google.com android.googleapis.com mtalk.google.com are the domains you need. Also, make sure firebaseinstallations.googleapis.com is whitelisted on the app you need push notification with GMS.

I got Proton Mail and Signal push notification working with this. I did have to wipe app data to "reset" the Play Services status in Signal, so maybe you can give it a try (after whitelisting these domains)?

Edit: I do not have Android 14 yet to test with, these results are from my phone running Android 13.

ignoramous commented 10 months ago

Thanks.

> After multiple trial and error (pain), android.apis.google.com android.googleapis.com mtalk.google.com are the domains you need. Also, make sure firebaseinstallations.googleapis.com is whitelisted on the app you need push notification with GMS.

Also a good idea to avoid using the lists that block those domains: https://archive.is/CxEwr

luckygitt commented 10 months ago

I am still testing (mainly Whatsapp) and can't find the right combination of block/allow (trying to block all Google Play Services except those needed for notifications).

@BienGudBoy

  1. What is your Google Play Services setting (allow, block, bypass etc.)?
  2. Are you whitelisting the domains (android.apis.google.com android.googleapis.com mtalk.google.com) globally or just for Google Play Services (the latter doesn't seem to work for me)?

schbrns commented 10 months ago

> I am still testing (mainly Whatsapp) and can't find the right combination of block/allow (trying to block all Google Play Services except those needed for notifications).
>
> @BienGudBoy
>
>   1. What is your Google Play Services setting (allow, block, bypass etc.)?
>   2. Are you whitelisting the domains (android.apis.google.com android.googleapis.com mtalk.google.com) globally or just for Google Play Services (the latter doesn't seem to work for me)?

It doesn't. The testing was done on Android 13. None of the above comments are helpful and push notifications are most definitely not working properly outside of Exclude, even with advanced DNS filtering disabled.

schbrns commented 10 months ago

screenshots network and dns logs:

![Screenshot_20240119_072300_Rethink](https://github.com/celzero/rethink-app/assets/149918978/f2e53d8a-c698-4ec0-873f-cff533bef9c5) ![Screenshot_20240119_072319_Rethink](https://github.com/celzero/rethink-app/assets/149918978/e92f9957-a801-40a9-a6c6-4e2818c4bc13)

schbrns commented 10 months ago

The above screenshots produce no notifications until Services is set to Exclude or Rethink is disabled.

ignoramous commented 10 months ago

> The above screenshots produce no notifications until Services is set to Exclude or Rethink is disabled.

Can you tap on those 0b upload / download connections to mail-api.proton.me and check (at the bottom of the sheet that shows up) the final status of the connection?

Might also want to experiment with allowing / trusting app-measurement.com.

BienGudBoy commented 10 months ago

> I am still testing (mainly Whatsapp) and can't find the right combination of block/allow (trying to block all Google Play Services except those needed for notifications).
>
> @BienGudBoy
>
> 1. What is your Google Play Services setting (allow, block, bypass etc.)?
>
> 2. Are you whitelisting the domains (android.apis.google.com android.googleapis.com mtalk.google.com) globally or just for Google Play Services (the latter doesn't seem to work for me)?

@luckygitt

  1. I have GMS in isolate mode.

  2. Yes, and only for the GMS itself. Push notification works fine. Make sure to allow firebaseinstallations.googleapis.com on the app you want as well.

I would recommend wiping data of both GMS and the app you want to have push notification on (in your case, Whatsapp). This is also how I did the trial and error part.

You can also try Signal, it has a banner that notifies you if GMS isn't available (this seems to require an app data wipe to disappear - meaning only then GMS push notification actually works)

@bornasalman Can you try trusting the alt domains for mtalk.google.com as well and see? Also, here's mine with working push notification:

screenshots rethinkdns: ![60a64e22-41ed-46db-9427-a9f92d78e235](https://github.com/celzero/rethink-app/assets/96908843/6321437f-208e-43c7-90a1-d3a8ca4597c6)

The 3 domains are exactly what I did before.

BienGudBoy commented 10 months ago

> Might also want to experiment with allowing / trusting app-measurement.com.

@ignoramous app-measurement.com is a known tracking domain. Trusting it is useless.

schbrns commented 10 months ago

> @bornasalman Can you try trusting the alt domains for mtalk.google.com as well and see? Also, here's mine with working push notification:

No. As I mentioned in the previous comment, your Android 13 comments are bordering on off-topic. Plus, you can literally see that I have no blocked DNS requests in the screenshot.

@ignoramous I'll post the screenshots you wanted in a bit.

schbrns commented 10 months ago

> The above screenshots produce no notifications until Services is set to Exclude or Rethink is disabled.
>
> Can you tap on those 0b upload / download connections to mail-api.proton.me and check (at the bottom of the sheet that shows up) the final status of the connection?
>
> Might also want to experiment with allowing / trusting app-measurement.com.

mail-api.proton.me No errors

api.protonmail.ch on foreground refresh No errors

api.protonmail.ch on background Readform tcp 192.168.0.(let me know if you need all of it)-> read tcp: connection reset by peer;

Google Services Framework (both bypass universal and bypass DNS/universal) 0kb transaction with mtalk.google.com connect: connection timed out;

NextDNS logs: No blocked queries during the timeframe.

Also entertained the idea of isolating the 3 mentioned domains for GSF and the 2 domains for Proton Mail, like it makes a difference from bypassing it entirely. It didn't, obviously. Same errors.

schbrns commented 10 months ago

Occasionally getting the same TCP error on mail-api.proton.me background.

schbrns commented 9 months ago

@ignoramous Not sure if this helps, but Proton Mail doesn't seem to push notifications in the traditional sense.

I have battery set to Restricted, run in background set to Strict, background data set to disabled, and yet push notifications from Proton come through exactly on time.

ignoramous commented 9 months ago

> api.protonmail.ch on background Readform tcp 192.168.0.(let me know if you need all of it)-> read tcp: connection reset by peer;

I see these connections too that fail (as expected). Unsure what these are for. If you want to, you can let these connections go through unmeddled by enabling Configure -> Network -> Do not route Private IPs.

> Google Services Framework (both bypass universal and bypass DNS/universal) 0kb transaction with mtalk.google.com connect: connection timed out;

Are these hitting IPv6 by any chance? If so, switch Rethink to IPv4 (Configure -> Network -> Choose IP version), which is the default.

schbrns commented 9 months ago

> api.protonmail.ch on background Readform tcp 192.168.0.(let me know if you need all of it)-> read tcp: connection reset by peer;
>
> I see these connections too that fail (as expected). Unsure what these are for. If you want to, you can let these connections go through unmeddled by enabling Configure -> Network -> Do not route Private IPs.

It was already enabled.

> Google Services Framework (both bypass universal and bypass DNS/universal) 0kb transaction with mtalk.google.com connect: connection timed out;
>
> Are these hitting IPv6 by any chance? If so, switch Rethink to IPv4 (Configure -> Network -> Choose IP version), which is the default.

It's set to IPv4, I don't use IPv6.

schbrns commented 9 months ago

Played around with the settings a bunch. It's as somebody else mentioned, push notifications seem to work fine as long as all the necessary apps are awake and cached. When Play Services and Proton are cleared from memory, push notifications do not start back up.

lemefeaver commented 8 months ago

I had the same issue and tried every settings possible and one that finally works for me is changing resolver from Sky to Max. After I receive notifications instantly.

schbrns commented 8 months ago

I gave up already. Did a factory reset and reupdated Play Services, everything is working as intended now (without RDNS unfortunately).

luckygitt commented 8 months ago

I managed to fix all my notification issues, Signal, Whatsapp, banking etc. (although I do not have ProtonMail installed). My set-up: All Apps blocked from internet use, except the Apps that obviously need access (e.g. banking, Whatsapp etc.). Access for all (allowed) Apps goes through Wireguard. Google Play Services is set to "Isolated" with five Domain Rules - android.apis.google.com, mtalk.google.com, firebaseinstallations.googleapis.com, time.google.com, play.google.com. Note: I have GSF disabled on my phone but block it anyway (I do not use any Google Apps).

I believe only the first three relate to notifications - "play" is for Aurora Store (non-Google Playstore alternative) and "time" I saw no harm in allowing. You have to be careful with other settings such as Universal Rules > block when DNS bypassed and DNS > Prevent DNS Leaks, as I found both of these interfered with the notifications (notably from Signal), although I am still doing testing on these to confirm.

Lucky

BienGudBoy commented 8 months ago

> ... Google Play Services is set to "Isolated" with five Domain Rules - android.apis.google.com, mtalk.google.com, firebaseinstallations.googleapis.com, time.google.com, play.google.com.
>
> I believe only the first three relate to notifications - "play" is for Aurora Store (non-Google Playstore alternative) and "time" I saw no harm in allowing.

You are correct, as I've tested in https://github.com/celzero/rethink-app/issues/1187#issuecomment-1895105958, only the three domains are actually needed for push notification - android.apis.google.com, mtalk.google.com and firebaseinstallations.googleapis.com. Good to hear that your notification issues are fixed!

> You have to be careful with other settings such as Universal Rules > block when DNS bypassed and DNS > Prevent DNS Leaks, as I found both of these interfered with the notifications (notably from Signal), although I am still doing testing on these to confirm.

For me, I have both of these enabled and Signal notifications are still fine. I'll be switching to Molly (a fork without GMS) though, as I've fully disabled GMS on my phone.
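The thread converges on a small allowlist: three domains for the Play Services (GMS) app itself, plus firebaseinstallations.googleapis.com on each app that should receive pushes, with a mistyped entry (a comma in place of a dot) appearing along the way. The following Python is an added example, not part of Rethink or of anyone's post here: it audits a per-app rule set against that allowlist and flags malformed domain entries that a firewall would silently store but never match. The rule format (app -> {domain: action}), the 'allow'/'block' action vocabulary and the package names in the constructed sample are assumptions made for this example.

```python
"""Audit per-app domain rules against the GMS push-notification allowlist
discussed in celzero/rethink-app issue #1187. Example code added here; the
rule representation is an assumption, not Rethink's own storage format."""
import re

# Domains the thread found necessary for GMS push delivery.
GMS_PUSH_DOMAINS = frozenset({
    "android.apis.google.com",
    "mtalk.google.com",
    "firebaseinstallations.googleapis.com",
})

# The thread also says the receiving app itself needs this domain allowed.
APP_PUSH_DOMAINS = frozenset({"firebaseinstallations.googleapis.com"})

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(name: str) -> bool:
    """Syntactic hostname check. Catches entries such as
    'firebaseinstallations,googleapis.com' (comma instead of dot), which a
    firewall would keep as a rule that never matches a real lookup."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.lower().split("."))


def audit_push_rules(rules: dict, gms_app: str, client_app: str) -> dict:
    """Audit per-app domain rules.

    `rules` maps an app identifier to {domain: action}, where action is
    'allow' or 'block' (assumed, simplified vocabulary). Returns findings:
      malformed   - (app, domain) pairs that are not valid hostnames
      missing_gms - required push domains not allowed for the GMS app
      missing_app - required push domains not allowed for the client app
    """
    malformed = []
    for app, domains in rules.items():
        for domain in domains:
            if not is_valid_hostname(domain):
                malformed.append((app, domain))

    def allowed(app: str) -> set:
        # Only syntactically valid, explicitly allowed domains count.
        return {d.lower() for d, action in rules.get(app, {}).items()
                if action == "allow" and is_valid_hostname(d)}

    return {
        "malformed": sorted(malformed),
        "missing_gms": sorted(GMS_PUSH_DOMAINS - allowed(gms_app)),
        "missing_app": sorted(APP_PUSH_DOMAINS - allowed(client_app)),
    }


# Constructed sample (package names are placeholders for this example):
# the GMS entry carries the comma typo seen in the thread, and the mail
# client has no rule for firebaseinstallations.googleapis.com at all.
SAMPLE_RULES = {
    "com.google.android.gms": {
        "android.apis.google.com": "allow",
        "mtalk.google.com": "allow",
        "firebaseinstallations,googleapis.com": "allow",
        "time.google.com": "allow",
        "app-measurement.com": "block",
    },
    "ch.protonmail.android": {
        "mail-api.proton.me": "allow",
    },
}

if __name__ == "__main__":
    report = audit_push_rules(SAMPLE_RULES, "com.google.android.gms",
                              "ch.protonmail.android")
    for key, items in report.items():
        print(f"{key}: {items}")
```

Run as-is it reports the malformed GMS entry and the same domain as missing on both the GMS app and the client app; the per-app check matters because, as BienGudBoy notes above, allowing the domain only on GMS is not enough for the receiving app.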

ignoramous commented 8 months ago

Has v055c fixed notification issues with Proton after having turned OFF:

  1. Configure -> DNS -> Advanced -> Prevent DNS leaks
  2. Universal (global) firewall rule: Block when DNS is bypassed.

luckygitt commented 8 months ago

> Has v055c fixed notification issues with Proton after having turned OFF:
>
> 1. _Configure_ -> _DNS_ -> _Advanced_ -> `Prevent DNS leaks`
>
> 2. _Universal_ (global) firewall rule: `Block when DNS is bypassed`.

Regarding (1) and testing using Whatsapp/Signal (not Proton) I would say yes (probably). Regarding (2), notifications seem OK (as per above) but I cannot make calls on Whatsapp - appears to call out and person answers but then get an error, something like "connection failed" - log shows it as blocked due to DNS bypass. I did not test for Signal.

ignoramous commented 8 months ago

> Whatsapp - appears to call out and person answer but then get an error, something like "connection failed" - log shows it as blocked due to DNS bypass

You might want to turn OFF Block when DNS is bypassed Universal (global) firewall rule OR Bypass Universal WhatsApp.

Thanks for the confirmation. Closing this bug, feel free to re-open in case this issue re-appears despite (1) & (2) above.

mircealinux commented 2 months ago

I'm having issues with push notifications from proton app android since yesterday afternoon everything was working perfect