From 7ac2a1c3d6cb91eaf7b201982f22a919d3983286 Mon Sep 17 00:00:00 2001 From: Stephen Chin Date: Wed, 25 Feb 2026 23:12:05 -0800 Subject: [PATCH] feat: add Proton Mail Bridge --- ct/protonmail-bridge.sh | 81 +++++++ frontend/public/json/protonmail-bridge.json | 48 ++++ install/protonmail-bridge-install.sh | 239 ++++++++++++++++++++ 3 files changed, 368 insertions(+) create mode 100644 ct/protonmail-bridge.sh create mode 100644 frontend/public/json/protonmail-bridge.json create mode 100644 install/protonmail-bridge-install.sh diff --git a/ct/protonmail-bridge.sh b/ct/protonmail-bridge.sh new file mode 100644 index 00000000..a47ea3f8 --- /dev/null +++ b/ct/protonmail-bridge.sh @@ -0,0 +1,81 @@ +#!/usr/bin/env bash +COMMUNITY_SCRIPTS_URL="${COMMUNITY_SCRIPTS_URL:-https://git.community-scripts.org/community-scripts/ProxmoxVED/raw/branch/main}" +source <(curl -fsSL "$COMMUNITY_SCRIPTS_URL/misc/build.func") +# Copyright (c) 2021-2026 community-scripts ORG +# Author: Stephen Chin +# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE +# Source: https://github.com/ProtonMail/proton-bridge +# Description: Debian LXC that runs Proton Mail Bridge headless and exposes IMAP/SMTP to the LAN via systemd-socket-proxyd. + +APP="ProtonMail-Bridge" +var_tags="${var_tags:-mail;proton}" +var_cpu="${var_cpu:-2}" +var_ram="${var_ram:-768}" +var_disk="${var_disk:-8}" +var_os="${var_os:-debian}" +var_version="${var_version:-13}" +var_unprivileged="${var_unprivileged:-1}" + +header_info "$APP" +variables +color +catch_errors + +function update_script() { + header_info + check_container_storage + check_container_resources + + if [[ ! -x /usr/bin/protonmail-bridge ]]; then + msg_error "No ${APP} Installation Found!" + exit + fi + + if ! check_for_gh_release "protonmail-bridge" "ProtonMail/proton-bridge"; then + msg_ok "No update available." + exit + fi + + + msg_info "Stopping Services" + systemctl stop protonmail-bridge-imap.socket protonmail-bridge-smtp.socket 2>/dev/null || true + systemctl stop protonmail-bridge-imap-proxy.service protonmail-bridge-smtp-proxy.service protonmail-bridge.service 2>/dev/null || true + msg_ok "Stopped Services" + + msg_info "Updating ${APP}" + fetch_and_deploy_gh_release "protonmail-bridge" "ProtonMail/proton-bridge" "binary" "latest" "/tmp" + msg_ok "Updated ${APP}" + + systemctl daemon-reload + + if [[ -f /home/protonbridge/.protonmailbridge-initialized ]]; then + msg_info "Starting Services" + systemctl enable -q --now protonmail-bridge.service + systemctl enable -q --now protonmail-bridge-imap.socket protonmail-bridge-smtp.socket + systemctl start protonmail-bridge-imap-proxy.service protonmail-bridge-smtp-proxy.service + msg_ok "Started Services" + else + msg_ok "Initialization not completed. Services remain disabled." + fi + + msg_ok "Updated successfully!" + exit +} + +start +build_container +description + +msg_ok "Completed successfully!" +echo -e "${CREATING}${GN}${APP} has been successfully installed!${CL}" +echo -e "${INFO}${YW}One-time initialization is required before Bridge services are enabled.${CL}" +echo -e "${INFO}${YW}Initialize the account inside the container:${CL}" +echo -e "${TAB}${YW}protonmailbridge-init${CL}" +echo -e "${INFO}${YW}After initial configuration, use this to access the Bridge CLI:${CL}" +echo -e "${TAB}${YW}protonmailbridge-configure${CL}" +echo -e "${INFO}${YW}LAN-accessible forwarded ports (container IP ${IP}):${CL}" +echo -e "${TAB}${GATEWAY}${BGN}IMAP ${IP}:143${CL}" +echo -e "${TAB}${GATEWAY}${BGN}SMTP ${IP}:587${CL}" +echo -e "${INFO}${YW}Forwarding targets inside the container (Bridge defaults):${CL}" +echo -e "${TAB}${YW}IMAP 127.0.0.1:1143${CL}" +echo -e "${TAB}${YW}SMTP 127.0.0.1:1025${CL}" diff --git a/frontend/public/json/protonmail-bridge.json b/frontend/public/json/protonmail-bridge.json new file mode 100644 index 00000000..8cc3318c --- /dev/null +++ b/frontend/public/json/protonmail-bridge.json @@ -0,0 +1,48 @@ +{ + "name": "Proton Mail Bridge", + "slug": "protonmail-bridge", + "categories": [ + 18 + ], + "date_created": "2026-02-22", + "type": "ct", + "updateable": true, + "privileged": false, + "interface_port": null, + "documentation": "https://proton.me/support/bridge-cli-guide", + "website": "https://proton.me/mail/bridge", + "logo": "https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/proton-mail.webp", + "config_path": "", + "description": "Proton Mail Bridge runs a local IMAP/SMTP service that lets traditional mail clients access a Proton mailbox. This LXC runs Bridge headless and forwards IMAP/SMTP to the LAN using systemd socket activation (systemd-socket-proxyd).", + "install_methods": [ + { + "type": "default", + "script": "ct/protonmail-bridge.sh", + "resources": { + "cpu": 2, + "ram": 768, + "hdd": 8, + "os": "debian", + "version": "13" + } + } + ], + "default_credentials": { + "username": null, + "password": null + }, + "notes": [ + { + "text": "After install, run protonmailbridge-init inside the container to create a pass keychain and log in via the Bridge CLI.", + "type": "info" + }, + { + "text": "LAN forwarding (container IP): IMAP 143 -> 127.0.0.1:1143, SMTP 587 -> 127.0.0.1:1025.", + "type": "info" + }, + { + "text": "Use protonmailbridge-configure to temporarily stop the service and enter the Bridge CLI without running a second instance.", + "type": "info" + } + ] +} diff --git a/install/protonmail-bridge-install.sh b/install/protonmail-bridge-install.sh new file mode 100644 index 00000000..01d94b3a --- /dev/null +++ b/install/protonmail-bridge-install.sh @@ -0,0 +1,239 @@ +#!/usr/bin/env bash + +# Copyright (c) 2021-2026 community-scripts ORG +# Author: Stephen Chin +# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE +# Source: https://github.com/ProtonMail/proton-bridge +# Description: Installs Proton Mail Bridge, creates systemd services, and exposes IMAP/SMTP via systemd-socket-proxyd. + +source /dev/stdin <<<"$FUNCTIONS_FILE_PATH" +color +verb_ip6 +catch_errors +setting_up_container +network_check +update_os + +# ============================================================================= +# DEPENDENCIES (app-specific only) +# ============================================================================= +msg_info "Installing Dependencies" +$STD apt install -y \ + pass +msg_ok "Installed Dependencies" + +# ============================================================================= +# SERVICE USER +# ============================================================================= +msg_info "Creating Service User" +if ! id -u protonbridge >/dev/null 2>&1; then + useradd -r -m -d /home/protonbridge -s /usr/sbin/nologin protonbridge +fi +install -d -m 0750 -o protonbridge -g protonbridge /home/protonbridge +msg_ok "Created Service User" + +# ============================================================================= +# INSTALL PROTON MAIL BRIDGE (.deb from GitHub Releases) +# ============================================================================= +msg_info "Installing Proton Mail Bridge" +fetch_and_deploy_gh_release "protonmail-bridge" "ProtonMail/proton-bridge" "binary" "latest" "/tmp" +msg_ok "Installed Proton Mail Bridge" + +# ============================================================================= +# SYSTEMD UNITS +# ============================================================================= +msg_info "Creating Services" + +cat > /etc/systemd/system/protonmail-bridge.service <<'EOF' +[Unit] +Description=Proton Mail Bridge (noninteractive) +After=network-online.target +Wants=network-online.target + +ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized + +[Service] +Type=simple +User=protonbridge +Group=protonbridge +WorkingDirectory=/home/protonbridge +Environment=HOME=/home/protonbridge + +ExecStart=/usr/bin/protonmail-bridge --noninteractive + +Restart=always +RestartSec=3 + +NoNewPrivileges=yes +PrivateTmp=yes +ProtectSystem=full +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes + +[Install] +WantedBy=multi-user.target +EOF + +# IMAP socket (LAN 143) +cat > /etc/systemd/system/protonmail-bridge-imap.socket <<'EOF' +[Unit] +Description=Proton Mail Bridge IMAP Socket (143) +ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized + +[Socket] +ListenStream=143 +Accept=no + +[Install] +WantedBy=sockets.target +EOF + +# IMAP proxy service (143 -> 127.0.0.1:1143) +cat > /etc/systemd/system/protonmail-bridge-imap-proxy.service <<'EOF' +[Unit] +Description=Proton Mail Bridge IMAP Proxy (143 -> 127.0.0.1:1143) +After=protonmail-bridge.service +Requires=protonmail-bridge.service +ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized + +[Service] +Type=simple +ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:1143 +EOF + +# SMTP socket (LAN 587) +cat > /etc/systemd/system/protonmail-bridge-smtp.socket <<'EOF' +[Unit] +Description=Proton Mail Bridge SMTP Socket (587) +ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized + +[Socket] +ListenStream=587 +Accept=no + +[Install] +WantedBy=sockets.target +EOF + +# SMTP proxy service (587 -> 127.0.0.1:1025) +cat > /etc/systemd/system/protonmail-bridge-smtp-proxy.service <<'EOF' +[Unit] +Description=Proton Mail Bridge SMTP Proxy (587 -> 127.0.0.1:1025) +After=protonmail-bridge.service +Requires=protonmail-bridge.service +ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized + +[Service] +Type=simple +ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:1025 +EOF + +systemctl daemon-reload +msg_ok "Created Services" + +# ============================================================================= +# INIT + CONFIGURE HELPERS +# ============================================================================= +msg_info "Creating Helper Commands" + +cat > /usr/local/bin/protonmailbridge-init <<'EOF' +#!/usr/bin/env bash +set -euo pipefail + +BRIDGE_USER="protonbridge" +BRIDGE_HOME="/home/${BRIDGE_USER}" +MARKER="${BRIDGE_HOME}/.protonmailbridge-initialized" + +if [[ -f "$MARKER" ]]; then + echo "Already initialized." + echo "To start services:" + echo " systemctl enable --now protonmail-bridge.service" + echo " systemctl enable --now protonmail-bridge-imap.socket protonmail-bridge-smtp.socket" + exit 0 +fi + +# Stop sockets/proxies/bridge daemon if they were manually started +systemctl stop protonmail-bridge-imap.socket protonmail-bridge-smtp.socket 2>/dev/null || true +systemctl stop protonmail-bridge-imap-proxy.service protonmail-bridge-smtp-proxy.service protonmail-bridge.service 2>/dev/null || true + +echo "Initializing pass keychain for ${BRIDGE_USER} (required by Proton Mail Bridge on Linux)." + +install -d -m 0700 -o "${BRIDGE_USER}" -g "${BRIDGE_USER}" "${BRIDGE_HOME}/.gnupg" + +FPR="$(runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${BRIDGE_HOME}/.gnupg" \ + gpg --list-secret-keys --with-colons 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')" + +if [[ -z "${FPR}" ]]; then + runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${BRIDGE_HOME}/.gnupg" \ + gpg --batch --pinentry-mode loopback --passphrase '' \ + --quick-gen-key 'ProtonMail Bridge' default default never + + FPR="$(runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${BRIDGE_HOME}/.gnupg" \ + gpg --list-secret-keys --with-colons 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')" +fi + +if [[ -z "${FPR}" ]]; then + echo "Failed to detect a GPG key fingerprint for ${BRIDGE_USER}." >&2 + exit 1 +fi + +runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${BRIDGE_HOME}/.gnupg" \ + pass init "${FPR}" + +echo +echo "Starting Proton Mail Bridge CLI for one-time login." +echo "Run: login" +echo "Run: info" +echo "Run: exit" +echo + +runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" \ + protonmail-bridge -c + +touch "${MARKER}" +chown "${BRIDGE_USER}:${BRIDGE_USER}" "${MARKER}" +chmod 0644 "${MARKER}" + +systemctl daemon-reload +systemctl enable -q --now protonmail-bridge.service +systemctl enable -q --now protonmail-bridge-imap.socket protonmail-bridge-smtp.socket + +echo "Initialization complete. Services enabled and started." +EOF +chmod +x /usr/local/bin/protonmailbridge-init +ln -sf /usr/local/bin/protonmailbridge-init /usr/bin/protonmailbridge-init + +cat > /usr/local/bin/protonmailbridge-configure <<'EOF' +#!/usr/bin/env bash +set -euo pipefail + +BRIDGE_USER="protonbridge" +BRIDGE_HOME="/home/${BRIDGE_USER}" +MARKER="${BRIDGE_HOME}/.protonmailbridge-initialized" + +if [[ ! -f "${MARKER}" ]]; then + echo "Not initialized yet. Run:" + echo " protonmailbridge-init" + exit 1 +fi + +systemctl stop protonmail-bridge-imap.socket protonmail-bridge-smtp.socket 2>/dev/null || true +systemctl stop protonmail-bridge-imap-proxy.service protonmail-bridge-smtp-proxy.service protonmail-bridge.service 2>/dev/null || true + +runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" \ + protonmail-bridge -c + +systemctl daemon-reload +systemctl enable -q --now protonmail-bridge.service +systemctl enable -q --now protonmail-bridge-imap.socket protonmail-bridge-smtp.socket +EOF +chmod +x /usr/local/bin/protonmailbridge-configure +ln -sf /usr/local/bin/protonmailbridge-configure /usr/bin/protonmailbridge-configure + +msg_ok "Created Helper Commands" + +motd_ssh +customize +cleanup_lxc +