feat: add Proton Mail Bridge

2026-02-25 23:12:05 -08:00
parent 168a82dbc3
commit 7ac2a1c3d6
3 changed files with 368 additions and 0 deletions
--- a/ct/protonmail-bridge.sh
+++ b/ct/protonmail-bridge.sh
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+COMMUNITY_SCRIPTS_URL="${COMMUNITY_SCRIPTS_URL:-https://git.community-scripts.org/community-scripts/ProxmoxVED/raw/branch/main}"
+source <(curl -fsSL "$COMMUNITY_SCRIPTS_URL/misc/build.func")
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Stephen Chin
+# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
+# Source: https://github.com/ProtonMail/proton-bridge
+# Description: Debian LXC that runs Proton Mail Bridge headless and exposes IMAP/SMTP to the LAN via systemd-socket-proxyd.
+
+APP="ProtonMail-Bridge"
+var_tags="${var_tags:-mail;proton}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-768}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -x /usr/bin/protonmail-bridge ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if ! check_for_gh_release "protonmail-bridge" "ProtonMail/proton-bridge"; then
+    msg_ok "No update available."
+    exit
+  fi
+
+
+  msg_info "Stopping Services"
+  systemctl stop protonmail-bridge-imap.socket protonmail-bridge-smtp.socket 2>/dev/null || true
+  systemctl stop protonmail-bridge-imap-proxy.service protonmail-bridge-smtp-proxy.service protonmail-bridge.service 2>/dev/null || true
+  msg_ok "Stopped Services"
+
+  msg_info "Updating ${APP}"
+  fetch_and_deploy_gh_release "protonmail-bridge" "ProtonMail/proton-bridge" "binary" "latest" "/tmp"
+  msg_ok "Updated ${APP}"
+
+  systemctl daemon-reload
+
+  if [[ -f /home/protonbridge/.protonmailbridge-initialized ]]; then
+    msg_info "Starting Services"
+    systemctl enable -q --now protonmail-bridge.service
+    systemctl enable -q --now protonmail-bridge-imap.socket protonmail-bridge-smtp.socket
+    systemctl start protonmail-bridge-imap-proxy.service protonmail-bridge-smtp-proxy.service
+    msg_ok "Started Services"
+  else
+    msg_ok "Initialization not completed. Services remain disabled."
+  fi
+
+  msg_ok "Updated successfully!"
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed successfully!"
+echo -e "${CREATING}${GN}${APP} has been successfully installed!${CL}"
+echo -e "${INFO}${YW}One-time initialization is required before Bridge services are enabled.${CL}"
+echo -e "${INFO}${YW}Initialize the account inside the container:${CL}"
+echo -e "${TAB}${YW}protonmailbridge-init${CL}"
+echo -e "${INFO}${YW}After initial configuration, use this to access the Bridge CLI:${CL}"
+echo -e "${TAB}${YW}protonmailbridge-configure${CL}"
+echo -e "${INFO}${YW}LAN-accessible forwarded ports (container IP ${IP}):${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}IMAP  ${IP}:143${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}SMTP  ${IP}:587${CL}"
+echo -e "${INFO}${YW}Forwarding targets inside the container (Bridge defaults):${CL}"
+echo -e "${TAB}${YW}IMAP 127.0.0.1:1143${CL}"
+echo -e "${TAB}${YW}SMTP 127.0.0.1:1025${CL}"
--- a/frontend/public/json/protonmail-bridge.json
+++ b/frontend/public/json/protonmail-bridge.json
@@ -0,0 +1,48 @@
+{
+  "name": "Proton Mail Bridge",
+  "slug": "protonmail-bridge",
+  "categories": [
+    18
+  ],
+  "date_created": "2026-02-22",
+  "type": "ct",
+  "updateable": true,
+  "privileged": false,
+  "interface_port": null,
+  "documentation": "https://proton.me/support/bridge-cli-guide",
+  "website": "https://proton.me/mail/bridge",
+  "logo": "https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/proton-mail.webp",
+  "config_path": "",
+  "description": "Proton Mail Bridge runs a local IMAP/SMTP service that lets traditional mail clients access a Proton mailbox. This LXC runs Bridge headless and forwards IMAP/SMTP to the LAN using systemd socket activation (systemd-socket-proxyd).",
+  "install_methods": [
+    {
+      "type": "default",
+      "script": "ct/protonmail-bridge.sh",
+      "resources": {
+        "cpu": 2,
+        "ram": 768,
+        "hdd": 8,
+        "os": "debian",
+        "version": "13"
+      }
+    }
+  ],
+  "default_credentials": {
+    "username": null,
+    "password": null
+  },
+  "notes": [
+    {
+      "text": "After install, run protonmailbridge-init inside the container to create a pass keychain and log in via the Bridge CLI.",
+      "type": "info"
+    },
+    {
+      "text": "LAN forwarding (container IP): IMAP 143 -> 127.0.0.1:1143, SMTP 587 -> 127.0.0.1:1025.",
+      "type": "info"
+    },
+    {
+      "text": "Use protonmailbridge-configure to temporarily stop the service and enter the Bridge CLI without running a second instance.",
+      "type": "info"
+    }
+  ]
+}
--- a/install/protonmail-bridge-install.sh
+++ b/install/protonmail-bridge-install.sh
@@ -0,0 +1,239 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Stephen Chin
+# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
+# Source: https://github.com/ProtonMail/proton-bridge
+# Description: Installs Proton Mail Bridge, creates systemd services, and exposes IMAP/SMTP via systemd-socket-proxyd.
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+# =============================================================================
+# DEPENDENCIES (app-specific only)
+# =============================================================================
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  pass
+msg_ok "Installed Dependencies"
+
+# =============================================================================
+# SERVICE USER
+# =============================================================================
+msg_info "Creating Service User"
+if ! id -u protonbridge >/dev/null 2>&1; then
+  useradd -r -m -d /home/protonbridge -s /usr/sbin/nologin protonbridge
+fi
+install -d -m 0750 -o protonbridge -g protonbridge /home/protonbridge
+msg_ok "Created Service User"
+
+# =============================================================================
+# INSTALL PROTON MAIL BRIDGE (.deb from GitHub Releases)
+# =============================================================================
+msg_info "Installing Proton Mail Bridge"
+fetch_and_deploy_gh_release "protonmail-bridge" "ProtonMail/proton-bridge" "binary" "latest" "/tmp"
+msg_ok "Installed Proton Mail Bridge"
+
+# =============================================================================
+# SYSTEMD UNITS
+# =============================================================================
+msg_info "Creating Services"
+
+cat > /etc/systemd/system/protonmail-bridge.service <<'EOF'
+[Unit]
+Description=Proton Mail Bridge (noninteractive)
+After=network-online.target
+Wants=network-online.target
+
+ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized
+
+[Service]
+Type=simple
+User=protonbridge
+Group=protonbridge
+WorkingDirectory=/home/protonbridge
+Environment=HOME=/home/protonbridge
+
+ExecStart=/usr/bin/protonmail-bridge --noninteractive
+
+Restart=always
+RestartSec=3
+
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=full
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# IMAP socket (LAN 143)
+cat > /etc/systemd/system/protonmail-bridge-imap.socket <<'EOF'
+[Unit]
+Description=Proton Mail Bridge IMAP Socket (143)
+ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized
+
+[Socket]
+ListenStream=143
+Accept=no
+
+[Install]
+WantedBy=sockets.target
+EOF
+
+# IMAP proxy service (143 -> 127.0.0.1:1143)
+cat > /etc/systemd/system/protonmail-bridge-imap-proxy.service <<'EOF'
+[Unit]
+Description=Proton Mail Bridge IMAP Proxy (143 -> 127.0.0.1:1143)
+After=protonmail-bridge.service
+Requires=protonmail-bridge.service
+ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized
+
+[Service]
+Type=simple
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:1143
+EOF
+
+# SMTP socket (LAN 587)
+cat > /etc/systemd/system/protonmail-bridge-smtp.socket <<'EOF'
+[Unit]
+Description=Proton Mail Bridge SMTP Socket (587)
+ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized
+
+[Socket]
+ListenStream=587
+Accept=no
+
+[Install]
+WantedBy=sockets.target
+EOF
+
+# SMTP proxy service (587 -> 127.0.0.1:1025)
+cat > /etc/systemd/system/protonmail-bridge-smtp-proxy.service <<'EOF'
+[Unit]
+Description=Proton Mail Bridge SMTP Proxy (587 -> 127.0.0.1:1025)
+After=protonmail-bridge.service
+Requires=protonmail-bridge.service
+ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized
+
+[Service]
+Type=simple
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:1025
+EOF
+
+systemctl daemon-reload
+msg_ok "Created Services"
+
+# =============================================================================
+# INIT + CONFIGURE HELPERS
+# =============================================================================
+msg_info "Creating Helper Commands"
+
+cat > /usr/local/bin/protonmailbridge-init <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+
+BRIDGE_USER="protonbridge"
+BRIDGE_HOME="/home/${BRIDGE_USER}"
+MARKER="${BRIDGE_HOME}/.protonmailbridge-initialized"
+
+if [[ -f "$MARKER" ]]; then
+  echo "Already initialized."
+  echo "To start services:"
+  echo "  systemctl enable --now protonmail-bridge.service"
+  echo "  systemctl enable --now protonmail-bridge-imap.socket protonmail-bridge-smtp.socket"
+  exit 0
+fi
+
+# Stop sockets/proxies/bridge daemon if they were manually started
+systemctl stop protonmail-bridge-imap.socket protonmail-bridge-smtp.socket 2>/dev/null || true
+systemctl stop protonmail-bridge-imap-proxy.service protonmail-bridge-smtp-proxy.service protonmail-bridge.service 2>/dev/null || true
+
+echo "Initializing pass keychain for ${BRIDGE_USER} (required by Proton Mail Bridge on Linux)."
+
+install -d -m 0700 -o "${BRIDGE_USER}" -g "${BRIDGE_USER}" "${BRIDGE_HOME}/.gnupg"
+
+FPR="$(runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${BRIDGE_HOME}/.gnupg" \
+  gpg --list-secret-keys --with-colons 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')"
+
+if [[ -z "${FPR}" ]]; then
+  runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${BRIDGE_HOME}/.gnupg" \
+    gpg --batch --pinentry-mode loopback --passphrase '' \
+    --quick-gen-key 'ProtonMail Bridge' default default never
+
+  FPR="$(runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${BRIDGE_HOME}/.gnupg" \
+    gpg --list-secret-keys --with-colons 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')"
+fi
+
+if [[ -z "${FPR}" ]]; then
+  echo "Failed to detect a GPG key fingerprint for ${BRIDGE_USER}." >&2
+  exit 1
+fi
+
+runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${BRIDGE_HOME}/.gnupg" \
+  pass init "${FPR}"
+
+echo
+echo "Starting Proton Mail Bridge CLI for one-time login."
+echo "Run: login"
+echo "Run: info"
+echo "Run: exit"
+echo
+
+runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" \
+  protonmail-bridge -c
+
+touch "${MARKER}"
+chown "${BRIDGE_USER}:${BRIDGE_USER}" "${MARKER}"
+chmod 0644 "${MARKER}"
+
+systemctl daemon-reload
+systemctl enable -q --now protonmail-bridge.service
+systemctl enable -q --now protonmail-bridge-imap.socket protonmail-bridge-smtp.socket
+
+echo "Initialization complete. Services enabled and started."
+EOF
+chmod +x /usr/local/bin/protonmailbridge-init
+ln -sf /usr/local/bin/protonmailbridge-init /usr/bin/protonmailbridge-init
+
+cat > /usr/local/bin/protonmailbridge-configure <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+
+BRIDGE_USER="protonbridge"
+BRIDGE_HOME="/home/${BRIDGE_USER}"
+MARKER="${BRIDGE_HOME}/.protonmailbridge-initialized"
+
+if [[ ! -f "${MARKER}" ]]; then
+  echo "Not initialized yet. Run:"
+  echo "  protonmailbridge-init"
+  exit 1
+fi
+
+systemctl stop protonmail-bridge-imap.socket protonmail-bridge-smtp.socket 2>/dev/null || true
+systemctl stop protonmail-bridge-imap-proxy.service protonmail-bridge-smtp-proxy.service protonmail-bridge.service 2>/dev/null || true
+
+runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" \
+  protonmail-bridge -c
+
+systemctl daemon-reload
+systemctl enable -q --now protonmail-bridge.service
+systemctl enable -q --now protonmail-bridge-imap.socket protonmail-bridge-smtp.socket
+EOF
+chmod +x /usr/local/bin/protonmailbridge-configure
+ln -sf /usr/local/bin/protonmailbridge-configure /usr/bin/protonmailbridge-configure
+
+msg_ok "Created Helper Commands"
+
+motd_ssh
+customize
+cleanup_lxc
+