From e51740b8dbba05674d56757f07f627e99d6083ff Mon Sep 17 00:00:00 2001
From: Lyra Thorpe <iam@emmathe.dev>
Date: Wed, 17 Jun 2026 17:33:51 +0100
Subject: [PATCH] Document unauthenticated listener exposure (#13)

Adds a Security section: the front-end POP3/SMTP listeners are unauthenticated and must be bound to a trusted internal network only. Closes #9

Reviewed-on: https://code.emmathe.dev/lyrathorpe/legacy-email-proxy/pulls/13
Co-authored-by: Lyra Thorpe <iam@emmathe.dev>
Co-committed-by: Lyra Thorpe <iam@emmathe.dev>
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md
index 4ad7a25..b1f6eb5 100644
--- a/README.md
+++ b/README.md
@@ -63,3 +63,11 @@ pytest -q
 ## Notes
 
 This implementation begins the proxy with a minimal POP3 command set and SMTP delivery path. It is designed to start development on the required application architecture.
+
+## Security
+
+By design, the front-end POP3 (port 110) and SMTP (port 25) listeners are **unencrypted** and **unauthenticated**. Anyone who can reach port 110 obtains full mailbox access, and anyone who can reach port 25 can relay mail through the configured backend SMTP credentials, which is an open relay from the network's perspective.
+
+Because of this, the listeners **must** be bound to a trusted internal network only, such as a private Docker bridge, a VPN interface, or localhost, and **must not** be exposed to untrusted networks or the public internet.
+
+Operators who need to restrict the bind address can set `POP3_BIND_ADDR` / `SMTP_BIND_ADDR` to a specific internal interface instead of `0.0.0.0`.