
Mutt/Protonmail via hydroxide: Auth, imap, and unusually long waiting time to update new incoming (received) emails #295

Open
curiousgg opened this issue Dec 31, 2024 · 5 comments

Comments

@curiousgg

Hi, I have a few clarification questions and an issue report.

Issue. It takes unusually long for incoming new emails to show up in the mutt client.

1.)
I have in my muttrc config the following additional settings, which seem useless:

set mail_check=5

Why can't I see incoming mail after 5 seconds? Sometimes I need to fetch the entire mailbox from scratch to get the incoming new email. This should not be. There is probably a default value set for hydroxide for fetching new emails ... I do see often that hydroxide notices new incoming emails via the logs served on

hydroxide serve

2024/12/31 17:05:15 Received create event for message ....

So this is received with a minute or two delay, but the email still does not appear in the mutt inbox ...

2.)
Also, how do I set up mutt so that I don't need to fetch all my old mail every time?

Fetching message headers... 0/9505 (0%)

takes long. Is there a better way?

3.)
I would like to understand exactly what is happening when I do

hydroxide auth [email protected] and then I am forced to enter my protonmail password.

Is the connection safe? Is the password sent out via encrypted means?

When I log into with correct password, Protonmail immediately sends me a warning message:

New Login to [email protected] on Unknown. If this wasn't you, please change your password immediately.

(a) Protonmail does not recognize what device is logged in? Why is it Unknown?

(b) Also, after correctly supplying my protonmail password in auth process, hydroxide then spits out another password, which it calls Bridge Password.

How is this Bridge Password generated? and how has hydroxide used my original Protonmail Password? Has that travelled over the net?
Finally

@ajkessel

I can clarify at least your last questions. Hydroxide, like the official Protonmail Bridge, authenticates to the Protonmail server with your real Protonmail username/password but then exposes an IMAP interface locally with an arbitrary password. So your local mail client (in your case, mutt) speaks IMAP to Hydroxide with whatever the local password is. That password only goes between your MUA and the bridge, not between the bridge and the Protonmail server.

In terms of not seeing new emails in mutt, does $ (refresh) get them to appear?

@curiousgg

curiousgg commented Jan 1, 2025

Thanks for the explanation.
I have not fully understood it. Does it mean that my Protonmail password is authenticated in plaintext? So is my Protonmail password sent over the internet in plaintext? If so, this is not good at all.
My mutt config is the one that was suggested:

set ssl_starttls=no
set ssl_force_tls=no
set send_charset="us-ascii:utf-8"

Kindly explain.

In terms of not seeing new emails, I never tried the $ suggestion, but I worked around it via a binding:

bind index G imap-fetch-mail

This worked but still had some delays.

@ajkessel

ajkessel commented Jan 1, 2025

Normally you would be running hydroxide and mutt on the same box and not exposing hydroxide to the internet. So your hydroxide password is just going locally from mutt to hydroxide, not over any network, and thus encryption is not essential. Your connection between hydroxide and the Protonmail server is of course encrypted since Protonmail requires it.
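As an added example, not code from hydroxide, mutt or either commenter: a small audit of the muttrc settings quoted above, applying the point that disabling TLS in mutt is only acceptable while the IMAP host is the loopback bridge. The sample muttrc is constructed, and the 127.0.0.1:1143 listener in it is an assumption about hydroxide's default.

```python
# Added example: audit a muttrc for plaintext IMAP that is not confined to
# loopback. Not hydroxide's or mutt's code; the sample config is constructed
# and 127.0.0.1:1143 is an assumed hydroxide default.
import ipaddress
import re
from urllib.parse import urlparse

SET_RE = re.compile(r"^set\s+(\w+)\s*=\s*(.+?)\s*$")

# Constructed muttrc mirroring the settings discussed in the thread.
SAMPLE_MUTTRC = """
set ssl_starttls=no
set ssl_force_tls=no
set send_charset="us-ascii:utf-8"
set mail_check=5
set folder="imap://user@127.0.0.1:1143/"   # hydroxide listener (assumed default)
set spoolfile=+INBOX
"""


def parse_muttrc(text):
    """Collect `set name=value` lines (comments stripped); later lines win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings


def is_loopback(host):
    """True for 'localhost' or any loopback IP (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_muttrc(text):
    """Return findings; empty means TLS-off IMAP only ever reaches loopback."""
    s = parse_muttrc(text)
    findings = []
    force_tls = s.get("ssl_force_tls", "no") == "yes"
    starttls = s.get("ssl_starttls", "yes") != "no"
    for key in ("folder", "spoolfile"):
        url = s.get(key, "")
        if not url.startswith("imap://"):      # imaps:// is TLS from the start
            continue
        host = urlparse(url).hostname or ""   # handles user@host and [::1]
        if not force_tls and not is_loopback(host):
            mode = "STARTTLS may silently fall back to plaintext" if starttls else "TLS disabled"
            findings.append(f"{key}: IMAP to non-loopback host {host!r}, {mode}")
    return findings


if __name__ == "__main__":
    print(audit_muttrc(SAMPLE_MUTTRC) or "ok: plaintext IMAP confined to loopback")
```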

@curiousgg

Yes, mutt and hydroxide are run on the same machine. But I am still a little dumbfounded trying to understand what exactly happens when I enter my password:

hydroxide auth [email protected]
Password:

What happens to the Password I actually enter? How is this used to log me into my protonmail; it seems unreasonable to assume that the bridge password is the one that actually logs me into my protonmail.
Or better let me frame it this way.

How is my password used to enable hydroxide to authenticate me and issue the bridge password? Should it not travel across the net? If it does indeed have to travel over the internet, how can I ensure that it is "of course encrypted" since Protonmail requires it?

As you can see I am a little bit concerned about potential attack vectors ...

@ajkessel

ajkessel commented Jan 2, 2025

Well, you should realize this software is alpha at best and may not be your best bet if you are looking for something rock solid. Is there a reason you aren't using the official bridge?

That said, it's open source, so you can look at all the code.

My understanding is what's happening is the hydroxide password you provide is just used locally between your MUA (mutt) and the bridge (hydroxide) to give your MUA access to the local IMAP interface. Meanwhile, the bridge is separately configured with your Protonmail password and uses that to authenticate securely to the Protonmail server. I haven't literally verified this myself, but from first principles it seems impossible that the Protonmail server would accept an insecure/plain-text connection.
