edison23

Notes of a mad language editor

Proton Bridge on Android? No, but close enough

Here's how to use a 3rd-party e-mail client for Proton Mail on Android. Proton services like mail, calendar, or drive are generally respected for their privacy-first design. However, as far as mobile apps go, you're vendor-locked into their official apps unless you go through substantial additional work because, unlike on desktop, there's no Proton Bridge on Android/iOS. The Proton Mail app for Android isn't bad but it's also not good enough for me. If your reason for being here is similar, read on.

Date: 2025-01-03
Category: Guides EN
Tags: linux Proton Android

Foreword

Firstly, I assume you got here by searching how to use a client app of your choice when you have Proton as your e-mail services provider. I also assume you want this setup to be functional no matter whence you connect with your mobile device. This is what this guide covers. I showcase this on Android with FairEmail as the e-mail client, but it's likely OS- and client-agnostic.

Secondly, there's no way to use an app of choice for Proton Calendar or Drive. At least none that I know of.

What we do here is set up a desktop computer to act as a bridge. You can't install Proton Bridge on Android/iOS, but you can on a desktop, even if it's a headless server. Your mobile devices can then connect to this bridge computer.

Prerequisites

To achieve your goal, you need:

  • A computer that can run 24/7. It'll serve as the bridge. This can be anything that can run Proton Bridge - your regular laptop, home server, or, if you're comfortable with that, you can use some VPS service like DigitalOcean (it'd kinda beat the reason why people use Proton services, though).

  • Static public IP address you can access from anywhere. The above computer will sit on this address.

  • The ability to access and change settings on your router through which the above computer is connected to the Internet.

  • A Proton account with e-mails, of course ;)

  • Be comfortable with a little bit of work in Linux terminal. No need to be a guru. For your own good, though, research the commands I present here before running them :) (This is a universal truth)

    • In this guide, I run Linux (Ubuntu Server 24.04) on the bridge computer. You can likely achieve the same results with a computer running another operating system, I just don't know exactly how the setup would be done. But once you get the idea from this guide, you can likely figure it out.

Solution outline

  1. Install Proton Bridge on the bridge computer.

    • Proton Bridge tells you neatly how to set up your e-mail client, that's what the IP addresses and ports it shows are for. The catch is that Bridge is made to be accessed locally, within the machine it runs on. That's why the addresses are localhost 127.0.0.1.
  2. Under normal circumstances, localhost addresses can't be accessed from outside the physical machine. But we're going to expose those two ports. It is a security risk, of course, but nothing I found so far outweighs the benefits I get with this setup.

    • We'll use iptables for the port mapping.
  3. Once the ports are exposed to the LAN, you'll set up your router to expose the ports to the outside world. This is required if you want to use your setup from anywhere. If you want to just use multiple machines and one Proton Bridge, all within one LAN, you don't have to expose anything to the Internet and you're considerably safer.

  4. And finally, once the ports are exposed, you'll set up your mobile e-mail client to connect to Bridge on the computer for which you will have exposed the localhost ports.

Run Proton Bridge on the bridge computer

  • If you run it on a "normal" computer with HID (a screen, keyboard and mouse), proceed according to the official setup guidelines for Proton Bridge.
  • If you run it on a headless server, you'll need to run it in a CLI and deal with secrets management to log in.
    1. To run Proton Bridge in a command line interface, open your terminal and run protonmail-bridge -c.
    2. Log in using the login command.
    3. After this, Proton Bridge should stay logged in even after you exit it with exit and restart. It will, though, likely complain about it not being able to find a compatible keyring app and that it has to store the password in an insecure way. I haven't resolved that yet. I comfort myself with the fact that I'm the only one with (physical and logical) access to the server so unless I screw up some network setup real bad, it should be somewhat OK-ish.

A useful command is help as it lists all available commands.

With the Bridge running, run the info command to see the port numbers for IMAP and SMTP. You need to make these accessible outside localhost (the physical machine).

Make localhost ports accessible from outside

This is the step that's OS-dependent. On Linux, use iptables as I show here. For Windows, this sounds like a question that could lead you somewhere: firewall - Windows equivalent of iptables? - Server Fault. For macOS, it should be easier, maybe this question might prove useful: mac osx - iptables equivalent for mac os x - Server Fault. But Ubuntu Server is the only OS on which I've tried this.

  1. Allow routing to localhost:

sudo sysctl -w net.ipv4.conf.all.route_localnet=1

  2. Add the iptables rule for IMAP:

sudo iptables -t nat -I PREROUTING -p tcp --dport 44444 -j DNAT --to-destination 127.0.0.1:1143

… where 44444 is the port number under which the internal port is going to be accessible. Choose somewhere from the upper half of the port range (0-65535). And the 1143 port is what Proton Bridge told me to use for IMAP when setting up an e-mail client. That's why you need to run the info command—make sure you check you redirect the right ports.

  3. Add the iptables rule for SMTP:

sudo iptables -t nat -I PREROUTING -p tcp --dport 55555 -j DNAT --to-destination 127.0.0.1:1025

… same rule as for IMAP, just different port numbers.

Save these commands somewhere. iptables rules don't survive reboot. I suggest you put the commands into a script so that you can comfortably run them after each reboot (see the end of this article).

Use port forwarding to make your bridge computer accessible from WAN

After you finish the iptables setup, test your setup locally (i.e., on LAN). This is best done using the e-mail client you wish to use. For instance, FairEmail tests the server configuration before it saves the setup. That's the best way to confirm everything works.

Once you confirm it works on LAN, make your bridge computer accessible from anywhere.

  1. Go to your router settings interface. It's usually accessible at the 192.168.1.1 address, but it may differ based on your router settings. The ip r command tells you the IP after default via 192.168.….
  2. Find port forwarding settings.
  3. Add new forwarding rule.
    • Name it clearly.
    • Source IP address should be left as anything unless you know exactly from which single IP address you'll connect with your mobile device.
    • Target IP address is the IP address of your bridge computer. You can find out by running the ip r command on it—the part after dhcp src 192.168.… is what you want.
    • Source port is the port that you'll be connecting to from outside. I suggest using some random port number from the upper half of the port range, not the SMTP- or IMAP-reserved port numbers. #securityThroughObscurity
      • You can safely use the same random port numbers you used to expose the localhost ports to LAN above (44444 and 55555 in the examples here).
    • Target port is the port you exposed on the bridge computer. In the examples above, that's 44444 for IMAP and 55555 for SMTP.
  4. Save the settings in the router.

Various routers use different terminology for the above. This is an example of how Asus names things around port forwarding:

[Screenshot: Port forwarding settings for Proton Bridge SMTP in an Asus router]

Done. Connect with your e-mail client!

If everything went right and you set it all up correctly, you can now connect from your mobile device to the Proton Bridge using an e-mail client of choice. I wish you best of luck!

Contacts aren't synced so it's best to use a clever e-mail client that can pull them from your inbox. Calendar events aren't synced and you need to either accept events using the Proton Calendar app, or force Android to open the events in Proton Calendar when you click an RSVP link. I find the former easier.

I spent quite some time figuring this all out (especially the iptables stuff as I have zero experience with networking), I hope this guide saves you some time and makes your life a bit better.

Closing words

Firstly, if you're on Android, no matter what e-mail provider you use, I strongly suggest you check FairEmail out. It's great and by far the best e-mail client for Android I found so far. And trust me, I'm not easy to satisfy xD

Secondly, a piece of advice: Since iptables rules don't survive reboots, I found it best to create a script to be run after each reboot. I use it to create the routing rules and start Proton Bridge in screen:

echo "Allowing routing to localhost"
sudo sysctl -w net.ipv4.conf.all.route_localnet=1
echo "Adding an iptables rule for IMAP"
sudo iptables -t nat -I PREROUTING -p tcp --dport 44444 -j DNAT --to-destination 127.0.0.1:1143
sleep 1
echo "Adding an iptables rule for SMTP"
sudo iptables -t nat -I PREROUTING -p tcp --dport 55555 -j DNAT --to-destination 127.0.0.1:1025
sleep 1
echo "Starting Proton Bridge in a screen called 'proton'"
screen -S proton -d -m protonmail-bridge -c
echo "Proton magic done."
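
A more tightly scoped, re-runnable variant of the port-mapping part of the script above, as an added example that is not the author's script. It enables route_localnet on one interface only, limits the DNAT rules to one source range (the LAN-only or known-source case mentioned earlier), and checks with iptables -C so repeated runs don't stack duplicate rules. The interface name eth0, the range 192.168.1.0/24 and the DRY_RUN switch are assumptions; the ports are the article's examples.

```bash
#!/usr/bin/env bash
# Added example, not the author's script. IFACE, ALLOW_SRC and DRY_RUN are
# assumed names/values; the ports are the article's examples.
IFACE="${IFACE:-eth0}"                    # interface clients arrive on
ALLOW_SRC="${ALLOW_SRC:-192.168.1.0/24}"  # only this range may reach Bridge
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = apply

# Accept only numeric, unprivileged TCP ports.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the rule spec shared by the -C (check) and -I (insert) calls.
# $1 = port exposed on the LAN, $2 = Bridge port on 127.0.0.1
rule_spec() {
  valid_port "$1" && valid_port "$2" || return 1
  echo "PREROUTING -i $IFACE -s $ALLOW_SRC -p tcp --dport $1" \
       "-j DNAT --to-destination 127.0.0.1:$2"
}

# Insert the DNAT rule only if an identical one is not already present.
ensure_rule() {
  spec="$(rule_spec "$1" "$2")" || { echo "bad port: $1 -> $2" >&2; return 1; }
  if [ "$DRY_RUN" = 1 ]; then
    echo "iptables -t nat -I $spec"
    return 0
  fi
  # $spec is left unquoted on purpose so it splits into arguments.
  sudo iptables -t nat -C $spec 2>/dev/null || sudo iptables -t nat -I $spec
}

apply_all() {
  # Per-interface route_localnet instead of conf.all.
  if [ "$DRY_RUN" = 1 ]; then
    echo "sysctl -w net.ipv4.conf.$IFACE.route_localnet=1"
  else
    sudo sysctl -w "net.ipv4.conf.$IFACE.route_localnet=1" || return 1
  fi
  ensure_rule 44444 1143 || return 1   # IMAP
  ensure_rule 55555 1025               # SMTP
}

apply_all
```

Run as is, it only prints the commands it would execute; set DRY_RUN=0 to apply them.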