Configure the protonmail bridge linux client on CentOS server and Fedora

Protonmail.md

Protonmail on CentOS server

#protonmail #centos #fedora #linux

Before you start

Currently protonmail bridge for linux is distributed as part of an open beta program, but soon it will be made public (https://protonmail.com/bridge/install).

Consider that the bridge linux client requires a paid protonmail account to work.

Get the protonmail bridge linux installer

Download the latest package into your computer.

wget https://protonmail.com/download/beta/protonmail-bridge-1.1.3-1.x86_64.rpm

The link above is working at the time of writing this article, but as the bridge team pointed out, they will expire all the previous links once they release a new version to encourage the installation of the latest version.

To get the latest version try replacing/increasing the version numbers on the link provided or write an email to [email protected] (https://protonmail.com/support/knowledge-base/bridge-for-linux/)

Install protonmail bridge

We will need root access for the setup

su root

Import the protonmail bridge public key

nano bridge_pubkey.gpg
(copy the content of the file and save)
rpm --import bridge_pubkey.gpg

Check the rpm package is correctly signed

rpm --checksig protonmail-bridge-1.1.1-1.x86_64.rpm

Install the protonmail bridge client

yum install protonmail-bridge-1.1.1-1.x86_64.rpm

Install additional tools required for the setup

Install the "pass" password manager that protonmail bridge will use to store the passwords

yum install pass

Install the "screen" utility to daemonize the protonmail bridge client

yum install screen

Create a new user

We will create a new user mainly to isolate the access to the passwords of other users.

Notice that the new user will be locked to disable access to this user from outside.

useradd protonmail
usermod -L protonmail

Setup "pass" password manager

Login as the new isolated user

su protonmail
cd ~

Run a script session to avoid the PGP key passphrase prompt to fail (https://bugzilla.redhat.com/show_bug.cgi?id=659512).

This is required if we are not using a graphical interface due to the way our isolated user runs the shell commands

script /dev/null

Generate PGP key pair for the new user with an empty passphrase.

The empty passphrase is required to run the protonmail bridge on the background on system startup without being prompted for the password and hence causing the process to fail.

gpg --gen-key
>>>> Choose 1                (1) RSA and RSA (default)
>>>> Choose 2048             (default)
>>>> Choose 0                0 = key does not expire
>>>> Type your name          e.g. Proty McProtonFace
>>>> Type your email         e.g. [email protected]
>>>> Leave empty comment
>>>> Leave empty passphrase

List the keys to ensure they were created correctly

gpg --list-keys

Init the password manager for the chosen email address in the PGP keys step

pass init [email protected]

Setup the protonmail bridge client

At this point we already set up the password manager that will allow the protonmail bridge to store the passwords so we will now setup your protonmail account.

protonmail-bridge --cli
>>>> add    (add your protonmail account to bridge)
>>>> (enter your protonmail account email address)
>>>> (enter your protonmail account password)
>>>> list   (list configured accounts)
>>>> info   (list SMTP credentials for configuring any local SMTP compatible service)
>>>> help   (get familiarized with the bridge options)
>>>> exit   (exit the bridge console which stops the local SMTP server created)

Exit the scripted mode of the isolated user if you previously ran "script /dev/null"

exit

Daemonize the protonmail bridge client

In order to start automatically the bridge client on system startup we will create a script to run it in the background.

Notice that we will use the "screen" utility since there is no way to run the protonmail linux client in the background currently without a graphical interface.

For this we will need root access again.

exit

Create a basic script that will be able to launch the protonmail bridge client in the background and kill it.

mkdir /var/lib/protonmail
nano /var/lib/protonmail/protonmail.sh
(copy the content of the file and save)
chmod +x /var/lib/protonmail/protonmail.sh

Create a systemd service

nano /etc/systemd/system/protonmail.service
(copy the content of the file and save)

Enable the script so that it can run on system startup

systemctl enable protonmail

Test the protonmail service

systemctl start protonmail
netstat -tulpn | grep 1025

Reboot you system and check if protonmail bridge is bound to the default ports

reboot
netstat -tulpn | grep 1025

Protonmail on Fedora

All the instructions above should work in Fedora. You can replace "yum" commands with "dnf"

Configure SMTP services

Now that you have the protonmail bridge running in the background you can configure SMTP emails on local instances of Jenkins, Jira, Bitbucket, Thunderbird or any service of your choice.

Remember that required credentials and configuration details can be found by executing:

protonmail-bridge --cli
>>>> info
>>>> exit

protonmail.service

[Unit]
Description=Service to run the Protonmail bridge client
After=network.target

[Service]
Type=oneshot
User=protonmail
ExecStart=/var/lib/protonmail/protonmail.sh start
ExecStop=/var/lib/protonmail/protonmail.sh stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

protonmail.sh

#!/bin/bash

case "$1" in
  start)
    # will create an screen in detached mode (background) with name "protonmail"
    screen -S protonmail -dm protonmail-bridge --cli
    echo "Service started."
    ;;
  status)
    # ignore this block unless you understand how screen works and that only lists the current user's screens
    result=$(screen -list | grep protonmail)
    if [ $? == 0 ]; then
      echo "Protonmail bridge service is ON."
    else
      echo "Protonmail bridge service is OFF."
    fi
    ;;
  stop)
    # Will quit a screen called "protonmail" and therefore terminate the running protonmail-bridge process
    screen -S protonmail -X quit
    echo "Service stopped."
    ;;
  *)
    echo "Unknown command: $1"
    exit 1
  ;;
esac

z_bridge_pubkey.gpg

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFo9OeEBEAC+fPrLcUBY+YUc5YiMrYJQ6ogrJWMGC00h9fAv3PsrHkBz0z7c
QFDyNdNatokFDtZDX115M0vzDwk5NkcjmO7CWbf6nCZcwYqOSrBoH8wNT9uTS/6p
R3AHk1r3C/36QG3iWx6Wg4ycRkXWYToT3/yh5waE5BbLi/9TSBAdfJzTyxt4IpZG
3OTMnOwuz6eNRWVHkA48CJydWS6M8z+jIsBwFq4nOIChvLjIF42PuAT1VaiCYSmy
4sU1YxxWof5z9HY0XghRpd7aUIgzAIsXUbaEXh/3iCZDUMN5LwkyAn+r5j3SMNzk
2htF8V7qWE8ldYNVrpeEwyor0x1wMzpbb/C4Y8wXe8rP01d0ApiHVRETzsQk2esf
XuSrBCtpyLc6ET1lluiL2sVUUelAPueUQlOyYXfL2X958i0TgBCi6QRPXxbPjCPs
d1UzLPCSUNUO+/7fslZCax26d1r1kbHzJLAN1Jer6rxoEDaEiVSCUTnHgykCq5rO
C3PScGEdOaIi4H5c6YFZrLmdz409YmJEWLKIPV/u5DpI+YGmAfAevrjkMBgQBOmZ
D8Gp19LnRtmqjVh2rVdr8yc5nAjoNOZwanMwD5vCWPUVELWXubNFBv8hqZMxHZqW
GrB8x8hkdgiNmuyqsxzBmOEJHWLlvbFhvHhIedT8paU/spL/qJmWp3EB4QARAQAB
tExQcm90b24gVGVjaG5vbG9naWVzIEFHIChQcm90b25NYWlsIEJyaWRnZSBkZXZl
bG9wZXJzKSA8YnJpZGdlQHByb3Rvbm1haWwuY2g+iQJUBBMBCAA+AhsDBQsJCAcC
BhUICQoLAgQWAgMBAh4BAheAFiEE1R5k0+Y+3D7veGTO4sddaOYjSwcFAlxR5QUF
CQP13qQACgkQ4sddaOYjSwdzsA//aM1bfO0dWxMBJBDDoy362q6SCXmETw1GN79g
yifUcvntDeFrDoAoSvXTOG6Fq5LTG6A1zDLuJ+XZRm5nLOXkfiTDnMEQQqjVo3MG
wVuxhOXCPnVzOyLiyLHuBWh3K8pcCdEbigmJuOms905DEkCLfhYobHnlExd5foD9
aYNFZd1R8dyojAkM4+yhoj3KKCaGntggJtPCizdS/Tl9SV/0aBCCce7ai+0I0olg
rJ6oLP+hgOwhBLWs37HnwDloTtWDwk2k+Liz2zWTcM6sPARFgYw+0QmoUrs7OyG+
nPFHuYDCvsl7CAckUXsFgJzHlO4RNoCtE8PbWWU4m7tF4uQY4aVai8+cqfm2YRKK
TraakUItGAlhq+QuaFFhW3g8EEy02zcyeB7aWDFZsKY1o38t4cX3GSSexvHdDGHu
hguJx30Lt87N9xnsP1W4d13UKwYVaG1N1Xm7glLzkKqE5NIFAaSUuyJYMZOtfQoL
5VhNXHT/IMJp7sQNGuXurmYyl2unwivJiBKoStc63+/VAF+Q9icAjlSqGY3T1d62
7KAIwm4jnov0du2OG0Qis/652SL2jh5nUuSfb/zzQF7KErSuSMislUN8MuOUmIRk
zgJ4Q71c87d9RQPQNG1fVZWAfZv4GVj0XADJ3xoMj62eG9V4DJtIJ3pNXOGHN/Jx
nTSvYba5Ag0EWj054QEQALdPQOlRT1omHljxnN64jFuDXXSIb6zqaBvUwdYoDpV2
dfRmzGklsCVA7WHXBmDWbUe9avgO3OO7ANw6/JzzYjP+jwImpJg7cSqTqW8A1U6T
YfGXVUV3a/obIEttl7bI9BsUNgmLsBYIwHov+gl/ajKQdALYHCmq3Bj6o7BBeWPp
Vpk9dzjcsLVbmNszNGP1Ik5dKE0jZUi6h+YoVuJE9o/+T+jxoqFRpXNsZqWOEKmC
HDz6TTs1iTp+CoZ/5g0eKph6XJ+TuNoqF9491IYEFn9oxzsoIBkewTY/fJWmXf++
cnpBODrZLF/GoRFc7MW9Kael9vmQ0J7mjM2bFs308lH0rRrfmdlLAU5iKgPv0akx
nnnUqvCcoekFMURDtP3z09KZXuOMnt834utd7WLe+LZD6dxs+rPhyDiW80E8Bdlz
1Jo+c2g6toIN+uD7/f5gwaZaXhJB0oO7fWSVVo+HJprWBnmf9frgKq1OcS0BNvA+
4Aip2hhFqWJAbUQXCyMaeU2WTWIzy0FQ6SEFFy/RM8O5O1HHsDYjtIic9QJ/PqSD
0qN7LMlkjR8AdWvAxm95i5GpxDZODldsOneeummvsn3I1jCoULTik7iJVdRuY1V3
vfsYAkefGN/n2ga3MvatCJipwoCGsMgUXGTdokXOqKBgMBuBLCkxj2wlol2R9p8R
ABEBAAGJAjwEGAEIACYCGwwWIQTVHmTT5j7cPu94ZM7ix11o5iNLBwUCXFHkuwUJ
A/XeWgAKCRDix11o5iNLB1+xD/9+KLTHUKVqRl/FyBcjZJuEEjYAvn6d4uaaoDuf
7RKPjqFqjR8VHJUpJVPcJ2zn4pFvKrxxueXP74lXuiaKra6g1vS5VvJ/4nItpamf
g+3wpMYhg/FqsrEJfWg6RTQU2yh4Cez8uti5U6xLoxEdEuk3zir9tJIzWgKraalY
bHncU9xbN8o3U2RAYU8AwJKOM0Vd2/OXuzuEn8KLaE11y6mfN4tje0sTPdYxMHYp
/W1Sgypw1zw1FiHxrgJe08HNXbPjazxgj9nIhEQ4hGJXr0bAVrN6KJ+wYVgby01H
bhn/6apKP826kvPX7ug3x57HSJmSkmXFbZGihWiXBH8cFztrOTp3MbDtb7D6X2DH
VY14uKJhrLOQAERjGCwKPaUVzH7pBO9DHL6xdNbJMR474YgKyNMjEpM5jhUFy1U0
dEyB8BCXTLKY+ObGyErYSxP0bnr5CFOHmXAZwUl10x9/bcCb/auFn7MjFk79zGts
rq1EX0PjgHjN1CE55qCaF7nKHjKvplez5D2Pa6G1ZojZHiDtcnjyqopNTrlyPmhS
2jOKtLpgz6u6ug03NwQ88/Hr900JrhttxXriYlIGpAs7BCBlHzxSDm7oKvGGlG29
zYtnL+g4BIob7Dn5FGwpvEcMzXCohIL/5bchHRizVZcN1nBDRj1Wn6RGuDRbMLW1
+Ovhdw==
=UEAd
-----END PGP PUBLIC KEY BLOCK-----

Hello there, im currently having an issue upon starting the cli.

sorry if this wasnt the proper place to place this problem but i couldnt find anywhere else

I'm trying to run this on a CentOS environment.

Hello there, im currently having an issue upon starting the cli.

sorry if this wasnt the proper place to place this problem but i couldnt find anywhere else

I'm trying to run this on a CentOS environment.

If you are not connected to the CentOS instance using a graphical interface you will need to use "pass" as your password manager. Check the error message printed. If you follow the instructions above you will see a command "pass init ..."

I followed the whole guide. and I got pass installed

got this when enabling logging

I believe I fixed it. I think I entered a password in the user I created in the setup pass steps. I created a new user with no password and it went trough.

Awesome write-up, seems to be working great so far. Somehow it stops working here after X minutes or hours. All I can assume is that the protonmail.service gets suspended. Is there any way to prevent this? Restart is not compatible with oneshot.

Thanks!

I just finished the configuration on Debian (10) (64BITS) with protonmail-bridge_1.2.6-1_amd64.deb, it works perfectly. Thanks for the tutorial, good job 👍👏.

I've attempted to install pass but it's not available, even with epel repository.
I'm using CentOS Linux release 7.8.2003 (Core)

Thank you for this!

Hi there - I installed protonmail-bridge_1.8.7-1_amd64.deb on ubuntu 20.04 server. But I note an error when adding an account:

add
Username: <account>
Password:
Authenticating ...
Two factor code: <digits>
Adding account ...
ERRO[Jun 26 13:45:16.907] Could not unmarshal secret                    error="backend/credentials: malformed secret: malformed credentials" pkg=credentials user="<hidden>"
Account <account> was added successfully.

I can see that my outbound mail is sent without error but fetching mail via IMAP is failing both with freescout and fetchmail.

On the client side I tried the follow options: no encryption/SSL/TLS, SSL, or TLS. Also I turn on and turn off "Validate Certificate" for each of the aformentioned encryption options.

Here is the error from the bridge when IMAP fails

imap_open(): Couldn't open stream {127.0.0.1:1143/imap/novalidate-cert}. TLS/SSL failure for 127.0.0.1: SSL negotiation failed

The bridge logs show:

ERRO[Jun 26 21:06:56.006] cannot read command: read tcp 127.0.0.1:1143->127.0.0.1:38408: read: connection reset by peer  protocol=IMAP
ERRO[Jun 26 21:06:56.007] cannot upgrade connection: EOF                protocol=IMAP
ERRO[Jun 26 21:07:06.487] cannot read command: read tcp 127.0.0.1:1143->127.0.0.1:38420: read: connection reset by peer  protocol=IMAP
ERRO[Jun 26 21:07:06.488] cannot upgrade connection: EOF                protocol=IMAP
ERRO[Jun 26 21:07:06.561] cannot upgrade connection: EOF                protocol=IMAP
ERRO[Jun 26 21:07:12.455] cannot read command: read tcp 127.0.0.1:1143->127.0.0.1:38426: read: connection reset by peer  protocol=IMAP
ERRO[Jun 26 21:07:12.457] cannot upgrade connection: EOF                protocol=IMAP

Not sure what else to try.

Cheers

Same issue than ipflowss for me with 1.8.7.1 (the error="backend/credentials: malformed secret: malformed credentials" message) . No issue with my older CentOS server that is still running with 1.6.9 though.

Here the solution: https://gist.github.com/githubcom13/2f30f46cd5273db2453a6e7fdb3c422b

Working with CentOS 7 and I am not passing through "yum install pass".
Since "pass" isn't available what is the alternative?

Working with CentOS 7 and I am not passing through "yum install pass". Since "pass" isn't available what is the alternative?

I managed to get around this issue by tracking down the rpm that was originally in the epel7 release. It was removed due to an incompatibility issue (https://bugzilla.redhat.com/show_bug.cgi?id=1639806). However, I installed pass1.5 and this seems to work for me.

Link: http://rpm.pbone.net/info_idpl_40942004_distro_redhat_el_7_com_pass-1.5-2.el7.noarch.rpm.html (pass-1.5-2.el7.noarch.rpm)

Download the rpm, then run yum install pass-1.5-2.el7.noarch.rpm -y.

Hope this helps somebody out!