Configure the protonmail bridge linux client on Ubuntu 20.04 with Nextcloud

Protonmail.md

Protonmail on Ubuntu 20.04 server

#protonmail #ubuntu #linux

Before you start

Currently protonmail bridge for linux is distributed as part of an open beta program, but soon it will be made public (https://protonmail.com/bridge/install).

Consider that the bridge linux client requires a paid protonmail account to work.

Get the protonmail bridge linux installer

Download the latest package into your computer.

wget https://protonmail.com/download/bridge/protonmail-bridge_1.6.9-1_amd64.deb

The link above is working at the time of writing this article, but as the bridge team pointed out, they will expire all the previous links once they release a new version to encourage the installation of the latest version.

To get the latest version try replacing/increasing the version numbers on the link provided or write an email to [email protected] (https://protonmail.com/support/knowledge-base/bridge-for-linux/)

Install protonmail bridge

We will need root access for the setup

sudo -i

Install the protonmail bridge client

dpkg -i protonmail-bridge_1.6.9-1_amd64.deb

Install additional tools required for the setup

Install the "pass" password manager that protonmail bridge will use to store the passwords

apt install pass -y

Install the "screen" utility to daemonize the protonmail bridge client

apt install screen -y

Create a new user

We will create a new user mainly to isolate the access to the passwords of other users.

Notice that the new user will be locked to disable access to this user from outside.

useradd protonmail
usermod -L protonmail (locks the user)
mkdir -p /home/protonmail
chown -R protonmail:protonmail /home/protonmail 

Setup "pass" password manager

Login as the new isolated user

su protonmail
cd ~

Run a script session to avoid the PGP key passphrase prompt to fail (https://bugzilla.redhat.com/show_bug.cgi?id=659512).

This is required if we are not using a graphical interface due to the way our isolated user runs the shell commands

script /dev/null

Generate PGP key pair for the new user with an empty passphrase.

The empty passphrase is required to run the protonmail bridge on the background on system startup without being prompted for the password and hence causing the process to fail.

gpg --full-gen-key
>>>> Choose 1                (1) RSA and RSA (default)
>>>> Choose 4096             4096
>>>> Choose 0                0 = key does not expire
>>>> Type your name          e.g. Proty McProtonFace
>>>> Type your email         e.g. [email protected]
>>>> Leave empty comment
>>>> Leave empty passphrase

List the keys to ensure they were created correctly

gpg --list-keys

Init the password manager for the chosen email address in the PGP keys step

pass init [email protected]

Setup the protonmail bridge client

At this point we already set up the password manager that will allow the protonmail bridge to store the passwords so we will now setup your protonmail account.

protonmail-bridge --cli
>>>> add    (add your protonmail account to bridge)
>>>> (enter your protonmail account email address)
>>>> (enter your protonmail account password)
>>>> list   (list configured accounts)
>>>> info   (list SMTP credentials for configuring any local SMTP compatible service)
>>>> help   (get familiarized with the bridge options)
>>>> exit   (exit the bridge console which stops the local SMTP server created)

Exit the scripted mode of the isolated user if you previously ran "script /dev/null"

exit

Daemonize the protonmail bridge client

In order to start automatically the bridge client on system startup we will create a script to run it in the background.

Notice that we will use the "screen" utility since there is no way to run the protonmail linux client in the background currently without a graphical interface.

For this we will need root access again.

exit

Create a basic script that will be able to launch the protonmail bridge client in the background and kill it.

mkdir /var/lib/protonmail
nano /var/lib/protonmail/protonmail.sh
(copy the content of the file and save)
chmod +x /var/lib/protonmail/protonmail.sh

Create a systemd service

nano /etc/systemd/system/protonmail.service
(copy the content of the file and save)

Enable the script so that it can run on system startup

systemctl enable protonmail

Test the protonmail service

systemctl start protonmail
netstat -tulpn | grep 1025

Reboot you system and check if protonmail bridge is bound to the default ports

reboot
netstat -tulpn | grep 1025

Protonmail on Nextcloud

Configure the mail app with the info from the info command above. Also add this to your config.php in Nextcloud

'app.mail.verify-tls-peer' => false,

protonmail.service

[Unit]
Description=Service to run the Protonmail bridge client
After=network.target

[Service]
Type=oneshot
User=protonmail
ExecStart=/var/lib/protonmail/protonmail.sh start
ExecStop=/var/lib/protonmail/protonmail.sh stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

protonmail.sh

#!/bin/bash

case "$1" in
  start)
    # will create an screen in detached mode (background) with name "protonmail"
    screen -S protonmail -dm protonmail-bridge --cli
    echo "Service started."
    ;;
  status)
    # ignore this block unless you understand how screen works and that only lists the current user's screens
    result=$(screen -list | grep protonmail)
    if [ $? == 0 ]; then
      echo "Protonmail bridge service is ON."
    else
      echo "Protonmail bridge service is OFF."
    fi
    ;;
  stop)
    # Will quit a screen called "protonmail" and therefore terminate the running protonmail-bridge process
    screen -S protonmail -X quit
    echo "Service stopped."
    ;;
  *)
    echo "Unknown command: $1"
    exit 1
  ;;
esac

z_bridge_pubkey.gpg

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFo9OeEBEAC+fPrLcUBY+YUc5YiMrYJQ6ogrJWMGC00h9fAv3PsrHkBz0z7c
QFDyNdNatokFDtZDX115M0vzDwk5NkcjmO7CWbf6nCZcwYqOSrBoH8wNT9uTS/6p
R3AHk1r3C/36QG3iWx6Wg4ycRkXWYToT3/yh5waE5BbLi/9TSBAdfJzTyxt4IpZG
3OTMnOwuz6eNRWVHkA48CJydWS6M8z+jIsBwFq4nOIChvLjIF42PuAT1VaiCYSmy
4sU1YxxWof5z9HY0XghRpd7aUIgzAIsXUbaEXh/3iCZDUMN5LwkyAn+r5j3SMNzk
2htF8V7qWE8ldYNVrpeEwyor0x1wMzpbb/C4Y8wXe8rP01d0ApiHVRETzsQk2esf
XuSrBCtpyLc6ET1lluiL2sVUUelAPueUQlOyYXfL2X958i0TgBCi6QRPXxbPjCPs
d1UzLPCSUNUO+/7fslZCax26d1r1kbHzJLAN1Jer6rxoEDaEiVSCUTnHgykCq5rO
C3PScGEdOaIi4H5c6YFZrLmdz409YmJEWLKIPV/u5DpI+YGmAfAevrjkMBgQBOmZ
D8Gp19LnRtmqjVh2rVdr8yc5nAjoNOZwanMwD5vCWPUVELWXubNFBv8hqZMxHZqW
GrB8x8hkdgiNmuyqsxzBmOEJHWLlvbFhvHhIedT8paU/spL/qJmWp3EB4QARAQAB
tExQcm90b24gVGVjaG5vbG9naWVzIEFHIChQcm90b25NYWlsIEJyaWRnZSBkZXZl
bG9wZXJzKSA8YnJpZGdlQHByb3Rvbm1haWwuY2g+iQJUBBMBCAA+AhsDBQsJCAcC
BhUICQoLAgQWAgMBAh4BAheAFiEE1R5k0+Y+3D7veGTO4sddaOYjSwcFAlxR5QUF
CQP13qQACgkQ4sddaOYjSwdzsA//aM1bfO0dWxMBJBDDoy362q6SCXmETw1GN79g
yifUcvntDeFrDoAoSvXTOG6Fq5LTG6A1zDLuJ+XZRm5nLOXkfiTDnMEQQqjVo3MG
wVuxhOXCPnVzOyLiyLHuBWh3K8pcCdEbigmJuOms905DEkCLfhYobHnlExd5foD9
aYNFZd1R8dyojAkM4+yhoj3KKCaGntggJtPCizdS/Tl9SV/0aBCCce7ai+0I0olg
rJ6oLP+hgOwhBLWs37HnwDloTtWDwk2k+Liz2zWTcM6sPARFgYw+0QmoUrs7OyG+
nPFHuYDCvsl7CAckUXsFgJzHlO4RNoCtE8PbWWU4m7tF4uQY4aVai8+cqfm2YRKK
TraakUItGAlhq+QuaFFhW3g8EEy02zcyeB7aWDFZsKY1o38t4cX3GSSexvHdDGHu
hguJx30Lt87N9xnsP1W4d13UKwYVaG1N1Xm7glLzkKqE5NIFAaSUuyJYMZOtfQoL
5VhNXHT/IMJp7sQNGuXurmYyl2unwivJiBKoStc63+/VAF+Q9icAjlSqGY3T1d62
7KAIwm4jnov0du2OG0Qis/652SL2jh5nUuSfb/zzQF7KErSuSMislUN8MuOUmIRk
zgJ4Q71c87d9RQPQNG1fVZWAfZv4GVj0XADJ3xoMj62eG9V4DJtIJ3pNXOGHN/Jx
nTSvYba5Ag0EWj054QEQALdPQOlRT1omHljxnN64jFuDXXSIb6zqaBvUwdYoDpV2
dfRmzGklsCVA7WHXBmDWbUe9avgO3OO7ANw6/JzzYjP+jwImpJg7cSqTqW8A1U6T
YfGXVUV3a/obIEttl7bI9BsUNgmLsBYIwHov+gl/ajKQdALYHCmq3Bj6o7BBeWPp
Vpk9dzjcsLVbmNszNGP1Ik5dKE0jZUi6h+YoVuJE9o/+T+jxoqFRpXNsZqWOEKmC
HDz6TTs1iTp+CoZ/5g0eKph6XJ+TuNoqF9491IYEFn9oxzsoIBkewTY/fJWmXf++
cnpBODrZLF/GoRFc7MW9Kael9vmQ0J7mjM2bFs308lH0rRrfmdlLAU5iKgPv0akx
nnnUqvCcoekFMURDtP3z09KZXuOMnt834utd7WLe+LZD6dxs+rPhyDiW80E8Bdlz
1Jo+c2g6toIN+uD7/f5gwaZaXhJB0oO7fWSVVo+HJprWBnmf9frgKq1OcS0BNvA+
4Aip2hhFqWJAbUQXCyMaeU2WTWIzy0FQ6SEFFy/RM8O5O1HHsDYjtIic9QJ/PqSD
0qN7LMlkjR8AdWvAxm95i5GpxDZODldsOneeummvsn3I1jCoULTik7iJVdRuY1V3
vfsYAkefGN/n2ga3MvatCJipwoCGsMgUXGTdokXOqKBgMBuBLCkxj2wlol2R9p8R
ABEBAAGJAjwEGAEIACYCGwwWIQTVHmTT5j7cPu94ZM7ix11o5iNLBwUCXFHkuwUJ
A/XeWgAKCRDix11o5iNLB1+xD/9+KLTHUKVqRl/FyBcjZJuEEjYAvn6d4uaaoDuf
7RKPjqFqjR8VHJUpJVPcJ2zn4pFvKrxxueXP74lXuiaKra6g1vS5VvJ/4nItpamf
g+3wpMYhg/FqsrEJfWg6RTQU2yh4Cez8uti5U6xLoxEdEuk3zir9tJIzWgKraalY
bHncU9xbN8o3U2RAYU8AwJKOM0Vd2/OXuzuEn8KLaE11y6mfN4tje0sTPdYxMHYp
/W1Sgypw1zw1FiHxrgJe08HNXbPjazxgj9nIhEQ4hGJXr0bAVrN6KJ+wYVgby01H
bhn/6apKP826kvPX7ug3x57HSJmSkmXFbZGihWiXBH8cFztrOTp3MbDtb7D6X2DH
VY14uKJhrLOQAERjGCwKPaUVzH7pBO9DHL6xdNbJMR474YgKyNMjEpM5jhUFy1U0
dEyB8BCXTLKY+ObGyErYSxP0bnr5CFOHmXAZwUl10x9/bcCb/auFn7MjFk79zGts
rq1EX0PjgHjN1CE55qCaF7nKHjKvplez5D2Pa6G1ZojZHiDtcnjyqopNTrlyPmhS
2jOKtLpgz6u6ug03NwQ88/Hr900JrhttxXriYlIGpAs7BCBlHzxSDm7oKvGGlG29
zYtnL+g4BIob7Dn5FGwpvEcMzXCohIL/5bchHRizVZcN1nBDRj1Wn6RGuDRbMLW1
+Ovhdw==
=UEAd
-----END PGP PUBLIC KEY BLOCK-----