README.md

@@ -1,11 +1,26 @@
-# ProtonMail IMAP/SMTP Bridge Podman Container
+# ProtonMail IMAP/SMTP Bridge Docker Container
 
+![version badge](https://img.shields.io/docker/v/shenxn/protonmail-bridge)
+![image size badge](https://img.shields.io/docker/image-size/shenxn/protonmail-bridge/build)
+![docker pulls badge](https://img.shields.io/docker/pulls/shenxn/protonmail-bridge)
+![deb badge](https://github.com/shenxn/protonmail-bridge-docker/workflows/pack%20from%20deb/badge.svg)
+![build badge](https://github.com/shenxn/protonmail-bridge-docker/workflows/build%20from%20source/badge.svg)
 
 This is an unofficial Docker container of the [ProtonMail Bridge](https://protonmail.com/bridge/). Some of the scripts are based on [Hendrik Meyer's work](https://gitlab.com/T4cC0re/protonmail-bridge-docker).
 
-This nothing more than some small adjustments to the work shenxn did to make it easy to run with podman and adjusted for nextcloud mail.
+Docker Hub: [https://hub.docker.com/r/shenxn/protonmail-bridge](https://hub.docker.com/r/shenxn/protonmail-bridge)
+
 GitHub: [https://github.com/shenxn/protonmail-bridge-docker](https://github.com/shenxn/protonmail-bridge-docker)
 
+## ARM Support
+
+We now support ARM devices (`arm64` and `arm/v7`)! Use the images tagged with `build`. See next section for details.
+
+## Tags
+
+There are two types of images.
+ - `deb`: Images based on the official [.deb release](https://protonmail.com/bridge/install). It only supports the `amd64` architecture.
+ - `build`: Images based on the [source code](https://github.com/ProtonMail/proton-bridge). It supports `amd64`, `arm64`, `arm/v7` and `riscv64`. Supporting to more architectures is possible. PRs are welcome.
 
 tag | description
  -- | --
@@ -19,9 +34,14 @@ tag | description
 To initialize and add account to the bridge, run the following command.
 
 ```
-podman run --rm -it -v protonmail:/root shenxn/protonmail-bridge init
+docker run --rm -it -v protonmail:/root shenxn/protonmail-bridge init
 ```
 
+If you want to use Docker Compose instead, you can create a copy of the provided example [docker-compose.yml](docker-compose.yml) file, modify it to suit your needs, and then run the following command:
+
+```
+docker compose run protonmail-bridge init
+```
 
 Wait for the bridge to startup, then you will see a prompt appear for [Proton Mail Bridge interactive shell](https://proton.me/support/bridge-cli-guide). Use the `login` command and follow the instructions to add your account into the bridge. Then use `info` to see the configuration information (username and password). After that, use `exit` to exit the bridge. You may need `CTRL+C` to exit the docker entirely.
 
@@ -33,6 +53,11 @@ To run the container, use the following command.
 docker run -d --name=protonmail-bridge -v protonmail:/root -p 1025:25/tcp -p 1143:143/tcp --restart=unless-stopped shenxn/protonmail-bridge
 ```
 
+Or, if using Docker Compose, use the following command.
+
+```
+docker compose up -d
+```
 
 ## Kubernetes
 
@@ -42,7 +67,13 @@ If you don't want to use Helm, you can also reference to the guide ([#6](https:/
 
 ## Security
 
-Please be aware that running the command above will expose your bridge to the network. Remember to use firewall if you are going to run this in an untrusted network or on a machine that has public IP address.
+Please be aware that running the command above will expose your bridge to the network. Remember to use firewall if you are going to run this in an untrusted network or on a machine that has public IP address. You can also use the following command to publish the port to only localhost, which is the same behavior as the official bridge package.
+
+```
+docker run -d --name=protonmail-bridge -v protonmail:/root -p 127.0.0.1:1025:25/tcp -p 127.0.0.1:1143:143/tcp --restart=unless-stopped shenxn/protonmail-bridge
+```
+
+Besides, you can publish only port 25 (SMTP) if you don't need to receive any email (e.g. as a email notification service).
 
 ## Compatibility
 

SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Before reporting any vulnerability, make sure that it is caused by this project (i.e., this is not a vulnarability of the bridge itself). To report a vulnerabilitiy, you can send me an email (s@sxn.dev). My PGP public key is available [here](https://api.protonmail.ch/pks/lookup?op=get&search=s@sxn.dev).

build/Dockerfile

@@ -0,0 +1,33 @@
+# The build image could be golang, but it currently does not support riscv64. Only debian:sid does, at the time of writing.
+FROM debian:sid-slim AS build
+
+ARG version
+
+# Install dependencies
+RUN apt-get update && apt-get install -y golang build-essential libsecret-1-dev
+
+# Build
+ADD https://github.com/ProtonMail/proton-bridge.git#${version} /build/
+WORKDIR /build/
+RUN make build-nogui vault-editor
+
+FROM debian:sid-slim
+LABEL maintainer="Simon Felding <sife@adm.ku.dk>"
+
+EXPOSE 25/tcp
+EXPOSE 143/tcp
+
+# Install dependencies and protonmail bridge
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends socat pass libsecret-1-0 ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy bash scripts
+COPY gpgparams entrypoint.sh /protonmail/
+
+# Copy protonmail
+COPY --from=build /build/bridge /protonmail/
+COPY --from=build /build/proton-bridge /protonmail/
+COPY --from=build /build/vault-editor /protonmail/
+
+ENTRYPOINT ["bash", "/protonmail/entrypoint.sh"]

build/entrypoint.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -ex
+
+# Initialize
+if [[ $1 == init ]]; then
+
+    # Initialize pass
+    gpg --generate-key --batch /protonmail/gpgparams
+    pass init pass-key
+    
+    # Kill the other instance as only one can be running at a time.
+    # This allows users to run entrypoint init inside a running conainter
+    # which is useful in a k8s environment.
+    # || true to make sure this would not fail in case there is no running instance.
+    pkill protonmail-bridge || true
+
+    # Login
+    /protonmail/proton-bridge --cli $@
+
+else
+
+    # socat will make the conn appear to come from 127.0.0.1
+    # ProtonMail Bridge currently expects that.
+    # It also allows us to bind to the real ports :)
+    socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 &
+    socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 &
+
+    # Start protonmail
+    # Fake a terminal, so it does not quit because of EOF...
+    rm -f faketty
+    mkfifo faketty
+    cat faketty | /protonmail/proton-bridge --cli $@
+
+fi

build/gpgparams

@@ -0,0 +1,8 @@
+%no-protection
+%echo Generating a basic OpenPGP key
+Key-Type: RSA
+Key-Length: 2048
+Name-Real: pass-key
+Expire-Date: 0
+%commit
+%echo done

deb/Dockerfile

@@ -12,8 +12,8 @@ RUN bash /install.sh
 FROM debian:sid-slim
 LABEL maintainer="Simon Felding <sife@adm.ku.dk>"
 
-EXPOSE 12025/tcp
+EXPOSE 25/tcp
-EXPOSE 12143/tcp
+EXPOSE 143/tcp
 
 WORKDIR /protonmail
 

deb/entrypoint.sh

@@ -37,8 +37,8 @@ else
     # socat will make the conn appear to come from 127.0.0.1
     # ProtonMail Bridge currently expects that.
     # It also allows us to bind to the real ports :)
-    socat TCP-LISTEN:12025,fork TCP:127.0.0.1:1025 &
+    socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 &
-    socat TCP-LISTEN:12143,fork TCP:127.0.0.1:1143 &
+    socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 &
 
     # Start protonmail
     # Fake a terminal, so it does not quit because of EOF...

docker-compose.yml

@@ -0,0 +1,14 @@
+version: '2.1'
+
+services:
+  protonmail-bridge:
+    image: shenxn/protonmail-bridge
+    ports:
+      - 1025:25/tcp
+      - 1143:143/tcp
+    restart: unless-stopped
+    volumes:
+      - protonmail:/root
+volumes:
+  protonmail:
+    name: protonmail