Building a Bridge-Free ProtonMail MCP Server
The Problem
Every existing ProtonMail MCP server requires Proton Bridge, a desktop app that Proton only offers on paid plans. Free ProtonMail users have no way to integrate their email with AI assistants.
I found 11 existing ProtonMail MCP projects on GitHub. All of them require Bridge.
The Solution
I built protonmail-mcp — a Go MCP server that talks directly to Proton’s API using only their official open-source libraries:
- go-proton-api — The same library used by Proton Bridge itself
- go-srp — SRP authentication
- gopenpgp — PGP encryption/decryption
No third-party API wrappers, so no unknown package ever sits in the path that handles your password or private keys.
Features
- Login — SRP authentication with 2FA (TOTP) support
- Read — Decrypt and read PGP-encrypted emails
- Search — Filter by sender, subject, keyword
- Send — Two-step Draft → Confirm flow with a server-side token, so text inside an email cannot trigger a send on its own (mitigates prompt injection)
Security: 8 Rounds of Adversarial Review
The code went through 8 rounds of adversarial security review using a Writer/Reviewer separation (Claude writes, Codex reviews):
| Round | CRITICAL | HIGH | MEDIUM | Fixed |
|---|---|---|---|---|
| 1 | 3 | 4 | 5 | 3 |
| 2 | 0 | 2 | 4 | 7 |
| 3 | 0 | 5 | 0 | 5 |
| 4 | 0 | 2 | 0 | 2 |
| 5 | 0 | 0 | 4 | 4 |
| 6 | 0 | 0 | 2 | 2 |
| 7 | 0 | 0 | 1 | 1 |
| 8 | 0 | 0 | 0 | 0 |
24 issues were fixed over the eight rounds. Key findings included:
- Prompt injection bypass — A malicious email could instruct the AI to send emails. Fixed with server-side confirmation tokens.
- PGP key material in memory — Salted key passphrase wasn’t zeroed after use. Fixed with immediate zero-fill (best effort in a garbage-collected runtime, which may already have copied the bytes; the zeroing shortens the exposure window rather than guaranteeing it is gone).
- 2FA session leak — Partially authenticated sessions weren’t cleaned up on failure.
- Header injection — An address containing CR/LF could inject extra headers into an outgoing message. Fixed with strict address validation.
Final state: gosec, govulncheck, and staticcheck all clean.
How It Works
1. SRP Authentication (go-srp)
2. Key Unlock (salted passphrase → PGP keyring)
3. Fetch Messages (encrypted from API)
4. Decrypt Locally (gopenpgp)
5. Send via Draft → Confirm flow (token-based)
All encryption and decryption happens locally. The server itself never writes credentials to disk; it only reads them from the environment it is launched with.
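Step 5 and the two injection findings above are easiest to see in code. The following is an added example written for this post, not code from protonmail-mcp: a stand-alone, stdlib-only Go sketch of the Draft → Confirm control (random single-use token with a TTL) together with the address and subject validation that blocks header injection. The `Outbox`, `Stage`, `Confirm` and `ValidateAddress` names are assumptions for illustration; nothing here talks to Proton's API.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/mail"
	"strings"
	"sync"
	"time"
)

// Draft is a message the server holds until a human confirms it.
type Draft struct {
	To      string // validated bare address, display name stripped
	Subject string
	Body    string
	created time.Time
}

// Outbox stores pending drafts keyed by a random confirmation token.
// Tokens are single-use and expire after ttl.
type Outbox struct {
	mu     sync.Mutex
	ttl    time.Duration
	drafts map[string]Draft
	Now    func() time.Time // overridable clock so expiry can be exercised offline
}

func NewOutbox(ttl time.Duration) *Outbox {
	return &Outbox{ttl: ttl, drafts: make(map[string]Draft), Now: time.Now}
}

// ValidateAddress returns the bare address or an error. Control characters are
// rejected before parsing, so an address can never smuggle an extra header line.
func ValidateAddress(raw string) (string, error) {
	if strings.ContainsAny(raw, "\r\n\x00") {
		return "", errors.New("address contains control characters")
	}
	addr, err := mail.ParseAddress(raw)
	if err != nil {
		return "", fmt.Errorf("invalid address: %w", err)
	}
	return addr.Address, nil
}

// validateHeaderValue rejects line breaks in single-line fields such as Subject.
func validateHeaderValue(name, v string) error {
	if strings.ContainsAny(v, "\r\n\x00") {
		return fmt.Errorf("%s contains line breaks", name)
	}
	return nil
}

// Stage validates the message, parks it, and returns the confirmation token.
func (o *Outbox) Stage(to, subject, body string) (string, error) {
	addr, err := ValidateAddress(to)
	if err != nil {
		return "", err
	}
	if err := validateHeaderValue("subject", subject); err != nil {
		return "", err
	}
	b := make([]byte, 16) // 128 bits from crypto/rand: unguessable by the model or an attacker
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	token := hex.EncodeToString(b)
	o.mu.Lock()
	defer o.mu.Unlock()
	o.gcLocked()
	o.drafts[token] = Draft{To: addr, Subject: subject, Body: body, created: o.Now()}
	return token, nil
}

// Confirm releases the draft matching token. The entry is deleted on success,
// so a token can only ever be used once; expired entries are swept first.
func (o *Outbox) Confirm(token string) (Draft, error) {
	o.mu.Lock()
	defer o.mu.Unlock()
	o.gcLocked()
	for k, d := range o.drafts {
		if subtle.ConstantTimeCompare([]byte(k), []byte(token)) == 1 {
			delete(o.drafts, k)
			return d, nil
		}
	}
	return Draft{}, errors.New("unknown, expired or already used confirmation token")
}

// gcLocked drops expired drafts; the caller holds o.mu.
func (o *Outbox) gcLocked() {
	now := o.Now()
	for k, d := range o.drafts {
		if now.Sub(d.created) > o.ttl {
			delete(o.drafts, k)
		}
	}
}

func main() {
	ob := NewOutbox(5 * time.Minute)
	// Constructed input: an address that tries to append a Bcc header.
	if _, err := ob.Stage("bob@example.com\r\nBcc: attacker@example.com", "hi", "body"); err != nil {
		fmt.Println("rejected:", err)
	}
	tok, _ := ob.Stage("Alice <alice@example.com>", "Quarterly report", "See attached.")
	fmt.Println("confirmation token (show it to the user, not only to the model):", tok)
	d, err := ob.Confirm(tok)
	fmt.Println("released:", d.To, err)
	_, err = ob.Confirm(tok)
	fmt.Println("second use:", err)
}
```

The token only buys anything if the second step needs something the model cannot produce by itself. If the host simply hands the token back to the model and lets it call the confirm tool, an injected email can chain both calls; the confirm step has to be gated on the human (the host prompting the user, or the user typing the token they were shown).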
Try It
```sh
go install github.com/ichiburn/protonmail-mcp@latest
```
Add to your Claude Code .mcp.json:

```json
{
  "mcpServers": {
    "protonmail": {
      "command": "protonmail-mcp",
      "env": {
        "PROTON_USER": "[email protected]",
        "PROTON_PASS": "your-password"
      }
    }
  }
}
```

Note that this puts your Proton password in plaintext in .mcp.json: the server never writes credentials to disk, but this file does. Keep it out of version control and restrict its permissions (for example `chmod 600 .mcp.json`).
