How to secure email clients? (e.g. Evolution/GNOME)

I am using Evolution on Linux Mint, and am realizing how my emails are an open book for anyone or anything which infiltrates my system. Why should I put so much effort into securing my passwords for all accounts, when perhaps the most sensitive info of all is not secure?

If I add my password to the keyring, then I am always logged in, without any need to insert a password beyond unlocking my device. And if I do not add my password to the keyring, I remain logged in until I end the session. Closing the application or inactivity does not log me out.

I suspect this is not normal behaviour, because according to GNOME, “the keyrings are locked and a master keyring password has to be provided in order to unlock each of them. A keyring can be configured to be locked automatically after a period of inactivity.”

But this is not the case by default for me, and I can find no way of changing it.

I wonder if other people’s email clients are always logged in as it is for me? How can I change it so my emails and ability to send emails require a password to unlock, and relock when closing the client or after inactivity?

(edit: link to GNOME quote)

This is by design - for convenience's sake.

I think the best way to access email is still through the service provider’s website with 2FA, preferably a hardware key (like Yubikey), through Mullvad Browser/Brave/Firefox with Arkenfox.

If your local machine is pwned, all bets are off. It may not be possible to trust a compromised computer afterwards. The key is to secure not just the email client but the entire OS.

You may have framed your computer security concern incorrectly.

I use Protonmail Bridge and Evolution. It is pretty much open to everyone if I step out, so I close the lid of my laptop/log out when it is not in view. My threat model does not really include APTs.

I think you can log out from the Protonmail Bridge, but that would also stop the IMAP sync so that future emails won't come through. The files stored locally would still be viewable though. You could probably have it set on a Veracrypt container, maybe. I haven't tried it like that though, especially not with a Protonmail Bridge.