
Allows the bridge to be in a separate server not just localhost #519

Open: gastonmorixe wants to merge 1 commit into ProtonMail:master from gastonmorixe:local-3

gastonmorixe commented Aug 13, 2025

Caution

This is not a recommended change nor use

For very few cases and advanced users or devs, this changes the hard-coded 127.0.0.1 IP from multiple parts exposing the bridge to the whole network allowing connections from anywhere by changing the hard-coded IP to 0.0.0.0.

Do not use. Do not merge. It's just a reference for anyone who may need it for advanced or special cases.

Then build it with:

$ make build-nogui

Copilot AI left a comment

Pull request overview

This PR aims to allow the Bridge (and related helper tools) to be accessible beyond localhost by replacing multiple hard-coded 127.0.0.1 values with 0.0.0.0 across Go and C++ components.

Changes:

  • Replaces loopback addresses with 0.0.0.0 in several server listeners and client connection targets.
  • Updates GUI/Focus/gRPC components to use 0.0.0.0 for hostnames and URLs.
  • Expands .gitignore entries (coverage output, local certs/scripts, research artifacts).

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 14 comments.

| File | Description |
| --- | --- |
| utils/smtp-send/main.go | Changes default SMTP client server address to 0.0.0.0. |
| utils/port-blocker/port-blocker.go | Binds port-blocker listeners to all interfaces (0.0.0.0). |
| internal/frontend/grpc/service.go | Binds gRPC listener to all interfaces (0.0.0.0:0). |
| internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/GRPCClient.cpp | Changes GUI gRPC client target/override host to 0.0.0.0. |
| internal/frontend/bridge-gui/bridgepp/bridgepp/FocusGRPC/FocusGRPCClient.cpp | Changes focus client hostname to 0.0.0.0. |
| internal/frontend/bridge-gui/bridge-gui/main.cpp | Changes default API URL host to 0.0.0.0. |
| internal/frontend/bridge-gui/bridge-gui-tester/GRPCServerWorker.cpp | Binds test gRPC server to all interfaces (0.0.0.0:0). |
| internal/focus/service.go | Changes focus service bind host constant to 0.0.0.0. |
| internal/constants/constants.go | Changes shared Host constant to 0.0.0.0. |
| internal/clientconfig/applemail_test.go | Updates disabled Apple Mail config test to use 0.0.0.0. |
| internal/certs/tls.go | Changes generated TLS cert CN/SAN and tls.Config ServerName to 0.0.0.0. |
| internal/bridge/debug.go | Changes diagnostic IMAP client dial address to 0.0.0.0. |
| .gitignore | Adds ignores for coverage dir, certs/pems, scripts, research, and /bridge. |

Comment thread utils/port-blocker/port-blocker.go
Comment thread internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/GRPCClient.cpp
Comment on lines 157 to 159
url.setScheme("http");
url.setHost("127.0.0.1");
url.setHost("0.0.0.0");
url.setPort(1042);
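
Review bot: `url.setScheme("http")` on the first line keeps this URL plaintext while the host below it stops being loopback-only. If the aim is to reach a bridge on another machine, traffic to port 1042 would cross the network unencrypted; keep `127.0.0.1` as the default and take any remote host from an explicit setting, ideally together with an `https` scheme.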

Copilot AI Feb 10, 2026

Defaulting the API base URL host to 0.0.0.0 will break requests because 0.0.0.0 is not a valid destination address. Keep the default as 127.0.0.1/localhost, and if you need to support a remote bridge, extend the prefs override to include a host (not just a port).

Copilot uses AI. Check for mistakes.
Comment on lines +36 to 37
(&AppleMail{}).Configure(`0.0.0.0`, 1143, 1025, true, false, `user&>>`, `<<abc&&'"def>>`, `user&a`, []byte(`ir8R9vhdNXyB7isWzhyEkQ`)),
)

Copilot AI Feb 10, 2026

This (disabled) Apple Mail configuration test now uses 0.0.0.0 as the hostname, but mail clients cannot connect to 0.0.0.0. Keep 127.0.0.1/localhost here, and if testing remote host behavior is desired, pass an explicit concrete IP/hostname.

Comment thread internal/focus/service.go
Comment thread internal/certs/tls.go
Comment on lines +58 to 59
IPAddresses: []net.IP{net.ParseIP("0.0.0.0")},
NotBefore: time.Now(),
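
Review bot: `NotBefore: time.Now()` on the second line makes the certificate valid only from the instant it is generated. Once the clients are other machines, as this PR intends, a client whose clock runs slightly behind the bridge host will reject the certificate as not yet valid; consider backdating `NotBefore` by a small margin.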

Copilot AI Feb 10, 2026

Including 0.0.0.0 in the certificate IP SANs is not appropriate (it’s an unspecified/wildcard address, not a host clients connect to). Add SAN entries for real connect addresses (typically 127.0.0.1 and/or a configured external IP/hostname) instead of 0.0.0.0.

Comment thread utils/smtp-send/main.go
Comment thread internal/constants/constants.go
Comment thread internal/certs/tls.go
Comment on lines 111 to 114
return &tls.Config{
Certificates: []tls.Certificate{c},
ServerName: "127.0.0.1",
ServerName: "0.0.0.0",
ClientAuth: tls.VerifyClientCertIfGiven,
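
Review bot: `ClientAuth: tls.VerifyClientCertIfGiven` on the last line checks a client certificate only when one is presented and does not require one. If this config serves the listeners that the PR moves off loopback, the TLS layer by itself places no restriction on which network peers can complete a handshake, so the description should state what else limits access (a specific bind address, a firewall rule), or this should become `tls.RequireAndVerifyClientCert` where the clients can support it.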

Copilot AI Feb 10, 2026

Setting tls.Config.ServerName to 0.0.0.0 will cause hostname verification issues because clients won’t connect using 0.0.0.0, and the SNI/verification name should match a real hostname/IP present in the certificate SANs. Prefer using localhost/127.0.0.1 (or a configured advertised host) consistently between cert SANs, ServerName, and the client dial target.

ilmc888 commented Feb 22, 2026

Might be nice to make this configurable? Can be hidden away as an advanced option to avoid accidents, but would be more convenient than compiling and keeping the patch up to date.

I have been playing with a systemd socket to forward requests, so my paperless container can connect to it, but stranded at a mismatch of the hostname in the certificate (127.0.0.1 vs host.containers.internal).

waTeim commented Feb 24, 2026

Yea, just add --bind <ip>; it's for containers, Kubernetes, agents. Very soon the majority will not care about the UI.

Allow Proton Bridge to be accessed from remote machines on the network
by changing all 127.0.0.1 bindings to 0.0.0.0. This affects IMAP/SMTP
listeners, gRPC services, TLS certificate generation, the Focus service,
and the GUI frontend connections.

Also update .gitignore to exclude local TLS certificates, build
artifacts, service scripts, and research docs.

pkolbus commented Jun 23, 2026

FWIW, I've solved this by setting up a couple of socat units as described here: https://vimoire.com/blog/2025/setting_up_protonmail_bridge_on_lan_server -- this also allows using the standard port numbers (e.g. 993 for IMAPS). No patching of proton-bridge needed.

An SSL cert of your choice can be installed with protonmail-bridge --cli commands -- I'm using a LetsEncrypt wildcard cert to avoid iOS trust issues, but a self-signed cert (for whatever name the server goes by) should also work if your client allows.
