✨(client-bridge) add new IMAP/SMTP proxy for legacy clients (!)

Author: sylvinus

Makefile

@@ -61,6 +61,7 @@ create-env-files: \
 	env.d/development/frontend.local \
 	env.d/development/mta-in.local \
 	env.d/development/mta-out.local \
+	env.d/development/client-bridge.local \
 	env.d/development/socks-proxy.local
 .PHONY: create-env-files
 
@@ -178,7 +179,8 @@ lint: \
   lint-front \
   typecheck-front \
   lint-mta-in \
-  lint-mta-out
+  lint-mta-out \
+  lint-client-bridge
 .PHONY: lint
 
 lint-check:  ## run all linters in check mode (no auto-fix)
@@ -231,6 +233,10 @@ lint-mta-out: ## lint mta-out python sources
 	$(COMPOSE_RUN) --rm -e EXEC_CMD_ONLY=true mta-out-test ruff format .
 .PHONY: lint-mta-out
 
+lint-client-bridge: ## lint client-bridge python sources
+	$(COMPOSE_RUN) --rm -e EXEC_CMD_ONLY=true client-bridge-test ruff format .
+.PHONY: lint-client-bridge
+
 # -- Tests
 
 test: ## run all tests
@@ -239,6 +245,7 @@ test: \
   test-front \
   test-mta-in \
   test-mta-out \
+  test-client-bridge \
   test-mpa \
   test-socks-proxy
 .PHONY: test
@@ -280,6 +287,10 @@ test-mta-out: ## run the mta-out tests
 	@$(COMPOSE) run --build --rm mta-out-test
 .PHONY: test-mta-out
 
+test-client-bridge: ## run the client-bridge tests
+	@$(COMPOSE) run --build --rm client-bridge-test
+.PHONY: test-client-bridge
+
 test-mpa: ## run the mpa tests
 	@$(COMPOSE) run --build --rm mpa-test
 .PHONY: test-mpa
@@ -578,3 +589,7 @@ deps-lock-mta-in: ## lock the dependencies
 deps-lock-mta-out: ## lock the dependencies
 	@$(COMPOSE) run --rm --build mta-out-uv uv lock
 .PHONY: deps-lock-mta-out
+
+deps-lock-client-bridge: ## lock the dependencies
+	@$(COMPOSE) run --rm --build client-bridge-uv uv lock
+.PHONY: deps-lock-client-bridge

README.md

@@ -58,10 +58,11 @@ It features a [MTA](https://en.wikipedia.org/wiki/Message_transfer_agent) based
 * (soon) 👉 Assign threads to specific users
 
 ### Based on standards
-* 🔑 OpenID Connect for all user accounts. Plug any identity provider, including Keycloak.
-* 📬 SMTP in and out.
-* ❌ No POP3 or IMAP client support, by design. We're building for the future, not the (unsecure) past!
-* ✅ JMAP-inspired data model. Full support could be added.
+* 🔑 OpenID Connect for all user accounts as the primary authentication method. Plug any identity provider, including Keycloak.
+* 📬 SMTP in and out (server-to-server).
+* ✅ JMAP-inspired data model. JMAP-compilant endpoint [in progress](https://github.com/suitenumerique/messages/pull/479).
+* 📮 Optional IMAP and SMTP client access via the [client bridge](/src/client-bridge/), for users who prefer traditional email clients like Thunderbird or mobile phones. Uses app-specific passwords with configurable roles.
+
 
 ### Self-host
 * 🚀 Messages is designed to be installed on the cloud or on your own servers.
@@ -146,6 +147,8 @@ When running the project, the following services are available:
 | **SOCKS Proxy** | 8916 | SOCKS5 proxy | `user1` / `pwd1` |
 | **Mailcatcher (SMTP)** | 8917 | SMTP server | No auth required |
 | **MPA (Rspamd)** | 8918 | Spam filtering service | `password` |
+| **Client Bridge (IMAP)** | 8919 | IMAP server for email clients | App-specific password |
+| **Client Bridge (SMTP)** | 8920 | SMTP submission for email clients | App-specific password |
 
 
 ### OpenAPI client

compose.yaml

@@ -268,6 +268,49 @@ services:
       target: uv
     pull_policy: build
 
+  client-bridge:
+    build:
+      context: src/client-bridge
+      target: runtime-prod
+    env_file:
+      - env.d/development/client-bridge.defaults
+      - env.d/development/client-bridge.local
+    ports:
+      - "8919:143"
+      - "8920:587"
+    depends_on:
+      - backend-dev
+
+  client-bridge-test:
+    profiles:
+      - tools
+    build:
+      context: src/client-bridge
+      target: runtime-dev
+    env_file:
+      - env.d/development/client-bridge.defaults
+      - env.d/development/client-bridge.local
+    environment:
+      - EXEC_CMD=true
+      - IMAP_HOST=localhost
+      - IMAP_PORT=1143
+      - SMTP_HOST=localhost
+      - SMTP_PORT=1587
+      - MOCK_API_PORT=8765
+    command: pytest -vvs tests/
+    volumes:
+      - ./src/client-bridge:/app
+
+  client-bridge-uv:
+    profiles:
+      - tools
+    volumes:
+      - ./src/client-bridge:/app
+    build:
+      context: src/client-bridge
+      target: uv
+    pull_policy: build
+
   mta-out:
     build:
       context: src/mta-out

env.d/development/backend.defaults

@@ -100,6 +100,9 @@ AI_MODEL=
 FEATURE_AI_SUMMARY=False
 FEATURE_AI_AUTOLABELS=False
 
+# Client bridge (IMAP/SMTP email client access)
+FEATURE_CLIENTBRIDGE=False
+
 # Third-party services
 # Drive - https://github.com/suitenumerique/drive
 DRIVE_BASE_URL=

env.d/development/client-bridge.defaults

@@ -0,0 +1,8 @@
+MESSAGES_API_BASE_URL=http://backend-dev:8000/api/v1.0/
+CLIENTBRIDGE_API_SECRET=my-shared-secret-clientbridge-at-least-32-bytes
+ENABLE_IMAP=true
+IMAP_HOST=0.0.0.0
+IMAP_PORT=143
+ENABLE_SMTP=true
+SMTP_HOST=0.0.0.0
+SMTP_PORT=587

src/backend/.pylintrc

@@ -23,7 +23,7 @@ jobs=0
 
 # List of plugins (as comma separated values of python modules names) to load,
 # usually to register additional checkers.
-load-plugins=pylint_django
+load-plugins=pylint_django,pylint_custom
 
 # Pickle collected data for later comparisons.
 persistent=yes

src/backend/README.md

@@ -124,6 +124,34 @@
                 }
             }
         },
+        "/api/v1.0/client-bridge/auth/": {
+            "post": {
+                "operationId": "client_bridge_auth_create",
+                "description": "Authenticate a client-bridge channel by email username and app-specific password.\n\nPOST /api/v1.0/client-bridge/auth/\nInput: {\"username\": \"<mailbox email>\", \"password\": \"...\"}\nReturns: {\"token\": \"<JWT>\", \"channel_id\", \"mailbox_id\", \"mailbox_email\", \"role\",\n          \"expires_at\": \"<ISO 8601>\"}\n\nThe request must carry ``X-Service-Auth: Bearer <CLIENTBRIDGE_API_SECRET>``\nto prove it comes from the client-bridge service.\n\nThe JWT is signed with CLIENTBRIDGE_API_SECRET and contains the channel_id,\nmailbox_id, role, and expiration. The client-bridge passes it as\nX-Channel-Token on all subsequent requests.",
+                "tags": [
+                    "client-bridge"
+                ],
+                "responses": {
+                    "200": {
+                        "description": "No response body"
+                    }
+                }
+            }
+        },
+        "/api/v1.0/client-bridge/submit/": {
+            "post": {
+                "operationId": "client_bridge_submit_create",
+                "description": "Submit an outbound message via the client-bridge.\n\nPOST /api/v1.0/client-bridge/submit/\nContent-Type: message/rfc822 (raw email)\nHeaders: X-Channel-Token (JWT), X-Mail-From, X-Rcpt-To\nReturns: {\"message_id\": \"...\", \"status\": \"accepted\"}\n\nUses ClientBridgeChannelAuthentication: the channel is resolved from\nthe JWT and available as request.auth.",
+                "tags": [
+                    "client-bridge"
+                ],
+                "responses": {
+                    "200": {
+                        "description": "No response body"
+                    }
+                }
+            }
+        },
         "/api/v1.0/config/": {
             "get": {
                 "operationId": "config_retrieve",
@@ -2818,6 +2846,50 @@
                 }
             }
         },
+        "/api/v1.0/mailboxes/{mailbox_id}/channels/{id}/rotate-password/": {
+            "post": {
+                "operationId": "mailboxes_channels_rotate_password_create",
+                "description": "Manage integration channels for a mailbox",
+                "parameters": [
+                    {
+                        "in": "path",
+                        "name": "id",
+                        "schema": {
+                            "type": "string"
+                        },
+                        "required": true
+                    },
+                    {
+                        "in": "path",
+                        "name": "mailbox_id",
+                        "schema": {
+                            "type": "string",
+                            "format": "uuid"
+                        },
+                        "required": true
+                    }
+                ],
+                "tags": [
+                    "channels"
+                ],
+                "security": [
+                    {
+                        "cookieAuth": []
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "New password generated"
+                    },
+                    "403": {
+                        "description": "Permission denied"
+                    },
+                    "404": {
+                        "description": "Channel not found"
+                    }
+                }
+            }
+        },
         "/api/v1.0/mailboxes/{mailbox_id}/image-proxy/": {
             "get": {
                 "operationId": "mailboxes_image_proxy_list",

src/backend/core/api/openapi.json

@@ -3,6 +3,7 @@
 
 import hashlib
 import json
+import secrets
 import uuid
 
 from django.conf import settings
@@ -16,6 +17,14 @@
 from core import enums, models
 from core.mda.rfc5322 import extract_base64_images_from_html
 
+# Base58 alphabet — no ambiguous characters (0, O, I, l)
+BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
+
+
+def generate_base58_password(length=16):
+    """Generate a password using base58 alphabet. 16 chars ≈ 94 bits of entropy."""
+    return "".join(secrets.choice(BASE58_ALPHABET) for _ in range(length))
+
 
 class CreateOnlyFieldsMixin:
     """Mixin that makes specified fields read-only on update (when instance exists).
@@ -1175,9 +1184,7 @@ def validate(self, attrs):
 
         if metadata.get("type") == "personal":
             local_part = attrs.get("local_part", "")
-            denylist = getattr(
-                settings, "MESSAGES_MAILBOX_LOCALPART_DENYLIST_PERSONAL", []
-            )
+            denylist = settings.MESSAGES_MAILBOX_LOCALPART_DENYLIST_PERSONAL
             lower_value = local_part.lower()
             if any(lower_value == prefix.lower() for prefix in denylist):
                 raise serializers.ValidationError(
@@ -1491,6 +1498,83 @@ class Meta:
         ]
         read_only_fields = ["id", "mailbox", "maildomain", "created_at", "updated_at"]
 
+    # Keys in settings that should be moved to encrypted_settings, per channel type.
+    ENCRYPTED_SETTINGS_KEYS = {
+        "client-bridge": ["password"],
+    }
+
+    def _move_sensitive_settings(self, validated_data):
+        """Move sensitive keys from settings to encrypted_settings."""
+        channel_type = validated_data.get("type") or (
+            self.instance.type if self.instance else None
+        )
+        keys_to_encrypt = self.ENCRYPTED_SETTINGS_KEYS.get(channel_type, [])
+        if not keys_to_encrypt:
+            return validated_data
+
+        settings_data = validated_data.get("settings")
+        if not settings_data:
+            return validated_data
+
+        extracted = {
+            key: settings_data.pop(key)
+            for key in keys_to_encrypt
+            if key in settings_data
+        }
+        if extracted:
+            existing = (self.instance.encrypted_settings or {}) if self.instance else {}
+            validated_data["encrypted_settings"] = {**existing, **extracted}
+
+        return validated_data
+
+    def create(self, validated_data):
+        validated_data = self._move_sensitive_settings(validated_data)
+        if validated_data.get("type") == "client-bridge":
+            password = generate_base58_password()
+            validated_data.setdefault("encrypted_settings", {})
+            validated_data["encrypted_settings"]["password"] = password
+            # Remove any user-supplied password from settings
+            if "settings" in validated_data and "password" in (
+                validated_data["settings"] or {}
+            ):
+                validated_data["settings"].pop("password")
+            # Set default role if not provided
+            validated_data.setdefault("settings", {})
+            validated_data["settings"].setdefault("role", "sender")
+            # Validate role
+            role = validated_data["settings"]["role"]
+            if role not in enums.CLIENT_BRIDGE_ROLES:
+                raise serializers.ValidationError(
+                    {
+                        "settings": {
+                            "role": f"Invalid role. Must be one of: {', '.join(enums.CLIENT_BRIDGE_ROLES)}"
+                        }
+                    }
+                )
+            instance = super().create(validated_data)
+            # Stash password so the view can return it once
+            instance._generated_password = password  # noqa: SLF001  # pylint: disable=protected-access
+            return instance
+        return super().create(validated_data)
+
+    def update(self, instance, validated_data):
+        validated_data = self._move_sensitive_settings(validated_data)
+        channel_type = validated_data.get("type") or (
+            instance.type if instance else None
+        )
+        if channel_type == "client-bridge":
+            settings_data = validated_data.get("settings") or {}
+            if "role" in settings_data:
+                if settings_data["role"] not in enums.CLIENT_BRIDGE_ROLES:
+                    raise serializers.ValidationError(
+                        {
+                            "settings": {
+                                "role": f"Invalid role. Must be one of: {', '.join(enums.CLIENT_BRIDGE_ROLES)}"
+                            }
+                        }
+                    )
+        return super().update(instance, validated_data)
+
     def validate_settings(self, value):
         """Validate settings, including tags if present."""
         if not value:
@@ -1550,14 +1634,21 @@ def validate(self, attrs):
         if self.context.get("mailbox"):
             channel_type = attrs.get("type")
             if channel_type:
-                allowed_types = settings.FEATURE_MAILBOX_ADMIN_CHANNELS
+                allowed_types = list(settings.FEATURE_MAILBOX_ADMIN_CHANNELS)
                 if channel_type not in allowed_types:
                     raise serializers.ValidationError(
                         {
                             "type": f"Channel type '{channel_type}' is not authorized. "
                             f"Allowed types: {', '.join(allowed_types)}"
                         }
                     )
+                if (
+                    channel_type == "client-bridge"
+                    and not settings.FEATURE_CLIENTBRIDGE
+                ):
+                    raise serializers.ValidationError(
+                        {"type": "Client bridge feature is not enabled."}
+                    )
             return attrs
 
         mailbox = attrs.get("mailbox")