tag/v0.3.0/README.md

# Legacy Email Proxy

Proxy an unauthenticated, unencrypted POP3 / SMTP server to authenticated IMAPS and SMTPS backends.

## Features

- Exposes legacy `POP3` on `0.0.0.0:110` and legacy `SMTP` on `0.0.0.0:25`
- Forwards POP3 mailbox access to an IMAP backend
- Forwards SMTP submissions to an SMTPS backend
- Backend host, ports, and credentials are configured via environment variables

## Environment Variables

- `POP3_BIND_ADDR` (default `0.0.0.0`)
- `POP3_BIND_PORT` (default `110`)
- `SMTP_BIND_ADDR` (default `0.0.0.0`)
- `SMTP_BIND_PORT` (default `25`)

- `BACKEND_IMAP_HOST`
- `BACKEND_IMAP_PORT` (default `993`)
- `BACKEND_IMAP_USER`
- `BACKEND_IMAP_PASS`
- `BACKEND_IMAP_USE_SSL` (default `true`)
- `BACKEND_IMAP_USE_STARTTLS` (default `false`)

- `BACKEND_SMTP_HOST`
- `BACKEND_SMTP_PORT` (default `465`)
- `BACKEND_SMTP_USER`
- `BACKEND_SMTP_PASS`
- `BACKEND_SMTP_USE_SSL` (default `true`)
- `BACKEND_SMTP_USE_TLS` (default `false`)

- `BACKEND_MUTATE` (default `false`) - when `true`, POP3 deletions are propagated to the
  backend IMAP server (STORE +FLAGS / EXPUNGE). Default behaviour is to never mutate
  the backend mailbox on POP client deletions; the proxy only hides messages for the
  duration of the client session.

## Build and run

This project targets the latest Python LTS release. The included `Dockerfile` uses `python:3.12-slim`, which is compatible with Python 3.12 and later LTS releases.

```bash
docker build -t legacy-email-proxy .
docker run --rm -p 110:110 -p 25:25 \
  -e BACKEND_IMAP_HOST=imap.example.com \
  -e BACKEND_IMAP_PORT=993 \
  -e BACKEND_IMAP_USER=imap-user \
  -e BACKEND_IMAP_PASS=imap-pass \
  -e BACKEND_SMTP_HOST=smtp.example.com \
  -e BACKEND_SMTP_PORT=465 \
  -e BACKEND_SMTP_USER=smtp-user \
  -e BACKEND_SMTP_PASS=smtp-pass \
  legacy-email-proxy
```

## Tests

Install development dependencies and run the test suite:

```bash
python -m venv .venv
source .venv/bin/activate
python -m pip install --upgrade pip
pip install -r requirements-dev.txt
pytest -q
```

## Notes

This implementation begins the proxy with a minimal POP3 command set and SMTP delivery path. It is designed to start development on the required application architecture.

## Security

By design, the front-end POP3 (port 110) and SMTP (port 25) listeners are **unencrypted** and **unauthenticated**. Anyone who can reach port 110 obtains full mailbox access, and anyone who can reach port 25 can relay mail through the configured backend SMTP credentials, which is an open relay from the network's perspective.

Because of this, the listeners **must** be bound to a trusted internal network only, such as a private Docker bridge, a VPN interface, or localhost, and **must not** be exposed to untrusted networks or the public internet.

Operators who need to restrict the bind address can set `POP3_BIND_ADDR` / `SMTP_BIND_ADDR` to a specific internal interface instead of `0.0.0.0`.
chore: add documented POP3/SMTP proxy scaffold and Renovate config 2026-06-17 16:08:06 +01:00			`# Legacy Email Proxy`

			`Proxy an unauthenticated, unencrypted POP3 / SMTP server to authenticated IMAPS and SMTPS backends.`

			`## Features`

			- Exposes legacy `POP3` on `0.0.0.0:110` and legacy `SMTP` on `0.0.0.0:25`
			`- Forwards POP3 mailbox access to an IMAP backend`
			`- Forwards SMTP submissions to an SMTPS backend`
			`- Backend host, ports, and credentials are configured via environment variables`

			`## Environment Variables`

			- `POP3_BIND_ADDR` (default `0.0.0.0`)
			- `POP3_BIND_PORT` (default `110`)
			- `SMTP_BIND_ADDR` (default `0.0.0.0`)
			- `SMTP_BIND_PORT` (default `25`)

			- `BACKEND_IMAP_HOST`
			- `BACKEND_IMAP_PORT` (default `993`)
			- `BACKEND_IMAP_USER`
			- `BACKEND_IMAP_PASS`
			- `BACKEND_IMAP_USE_SSL` (default `true`)
			- `BACKEND_IMAP_USE_STARTTLS` (default `false`)

			- `BACKEND_SMTP_HOST`
			- `BACKEND_SMTP_PORT` (default `465`)
			- `BACKEND_SMTP_USER`
			- `BACKEND_SMTP_PASS`
			- `BACKEND_SMTP_USE_SSL` (default `true`)
			- `BACKEND_SMTP_USE_TLS` (default `false`)

feat: respect BACKEND_MUTATE to avoid mutating backend mailboxes by default; add tests and docs 2026-06-17 18:43:22 +01:00			- `BACKEND_MUTATE` (default `false`) - when `true`, POP3 deletions are propagated to the
			`backend IMAP server (STORE +FLAGS / EXPUNGE). Default behaviour is to never mutate`
			`the backend mailbox on POP client deletions; the proxy only hides messages for the`
			`duration of the client session.`

chore: add documented POP3/SMTP proxy scaffold and Renovate config 2026-06-17 16:08:06 +01:00			`## Build and run`

			This project targets the latest Python LTS release. The included `Dockerfile` uses `python:3.12-slim`, which is compatible with Python 3.12 and later LTS releases.

			```bash
			`docker build -t legacy-email-proxy .`
			`docker run --rm -p 110:110 -p 25:25 \`
			`-e BACKEND_IMAP_HOST=imap.example.com \`
			`-e BACKEND_IMAP_PORT=993 \`
			`-e BACKEND_IMAP_USER=imap-user \`
			`-e BACKEND_IMAP_PASS=imap-pass \`
			`-e BACKEND_SMTP_HOST=smtp.example.com \`
			`-e BACKEND_SMTP_PORT=465 \`
			`-e BACKEND_SMTP_USER=smtp-user \`
			`-e BACKEND_SMTP_PASS=smtp-pass \`
			`legacy-email-proxy`
			```

test: add pytest coverage and run tests in CI 2026-06-17 16:14:22 +01:00			`## Tests`

chore: separate runtime and dev dependencies, add pytest config and CI cache 2026-06-17 16:40:39 +01:00			`Install development dependencies and run the test suite:`
test: add pytest coverage and run tests in CI 2026-06-17 16:14:22 +01:00
			```bash
chore: separate runtime and dev dependencies, add pytest config and CI cache 2026-06-17 16:40:39 +01:00			`python -m venv .venv`
			`source .venv/bin/activate`
test: add pytest coverage and run tests in CI 2026-06-17 16:14:22 +01:00			`python -m pip install --upgrade pip`
chore: separate runtime and dev dependencies, add pytest config and CI cache 2026-06-17 16:40:39 +01:00			`pip install -r requirements-dev.txt`
test: add pytest coverage and run tests in CI 2026-06-17 16:14:22 +01:00			`pytest -q`
			```

chore: add documented POP3/SMTP proxy scaffold and Renovate config 2026-06-17 16:08:06 +01:00			`## Notes`

			`This implementation begins the proxy with a minimal POP3 command set and SMTP delivery path. It is designed to start development on the required application architecture.`
Document unauthenticated listener exposure (#13 ) 2026-06-17 17:33:51 +01:00
			`## Security`

			`By design, the front-end POP3 (port 110) and SMTP (port 25) listeners are unencrypted and unauthenticated. Anyone who can reach port 110 obtains full mailbox access, and anyone who can reach port 25 can relay mail through the configured backend SMTP credentials, which is an open relay from the network's perspective.`

			`Because of this, the listeners must be bound to a trusted internal network only, such as a private Docker bridge, a VPN interface, or localhost, and must not be exposed to untrusted networks or the public internet.`

			Operators who need to restrict the bind address can set `POP3_BIND_ADDR` / `SMTP_BIND_ADDR` to a specific internal interface instead of `0.0.0.0`.