feat: ignore client-supplied POP3 credentials (#15 )

Accept any POP3 `USER`/`PASS` from the client and discard them. The proxy always authenticates to the IMAP backend with the configured `BACKEND_IMAP_USER` / `BACKEND_IMAP_PASS`. ## Changes - `handle_user` / `handle_pass`: accept client credentials unconditionally, no validation. - `authenticate`: always use backend credentials; remove the fallback that connected with client-supplied credentials when backend credentials were unset. Raise a clear configuration error when backend credentials are missing. - Tests: client credentials are ignored; missing backend credentials are reported. Closes #14 --------- Co-authored-by: Emma Thorpe <emma.thorpe@citrix.com> Reviewed-on: #15
Document unauthenticated listener exposure (#13 )
2026-06-17 18:16:37 +01:00 · 2026-06-17 17:33:51 +01:00 · 2026-06-17 17:33:37 +01:00 · 2026-06-17 17:33:23 +01:00 · 2026-06-17 17:33:09 +01:00
5 changed files with 79 additions and 22 deletions
@@ -45,16 +45,16 @@ jobs:
        with:
          python-version: 3.12

-      - name: Install test dependencies
-        run: python -m pip install --upgrade pip && pip install -r requirements-dev.txt
-
      - name: Cache pip dependencies
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
-          key: "$RUNNER_OS-pip-${{ hashFiles('requirements-dev.txt') }}"
+          key: "${{ runner.os }}-pip-${{ hashFiles('requirements-dev.txt') }}"
          restore-keys: |
-            $RUNNER_OS-pip-
+            ${{ runner.os }}-pip-
+
+      - name: Install test dependencies
+        run: python -m pip install --upgrade pip && pip install -r requirements-dev.txt

      - name: Run unit tests
        run: python -m pytest -q
@@ -3,11 +3,16 @@ FROM python:3.12-slim
 WORKDIR /app
 ENV PYTHONUNBUFFERED=1

+# Create a dedicated non-root user and group to run the proxy.
+RUN groupadd --system appuser && useradd --system --gid appuser appuser
+
 COPY requirements.txt ./
 RUN pip install --no-cache-dir -r requirements.txt

-COPY proxy_server.py ./
+COPY --chown=appuser:appuser proxy_server.py ./

 EXPOSE 110 25

+USER appuser
+
 CMD ["python", "proxy_server.py"]
@@ -63,3 +63,11 @@ pytest -q
 ## Notes

 This implementation begins the proxy with a minimal POP3 command set and SMTP delivery path. It is designed to start development on the required application architecture.
+
+## Security
+
+By design, the front-end POP3 (port 110) and SMTP (port 25) listeners are **unencrypted** and **unauthenticated**. Anyone who can reach port 110 obtains full mailbox access, and anyone who can reach port 25 can relay mail through the configured backend SMTP credentials, which is an open relay from the network's perspective.
+
+Because of this, the listeners **must** be bound to a trusted internal network only, such as a private Docker bridge, a VPN interface, or localhost, and **must not** be exposed to untrusted networks or the public internet.
+
+Operators who need to restrict the bind address can set `POP3_BIND_ADDR` / `SMTP_BIND_ADDR` to a specific internal interface instead of `0.0.0.0`.
@@ -253,30 +253,31 @@ class POP3Session:
        return await self.send_line("-ERR Unsupported command")

    async def handle_user(self, args):
-        if len(args) != 1:
-            return await self.send_line("-ERR USER requires username")
-        self.username = args[0]
+        # Accept any username. Client credentials are intentionally ignored;
+        # some legacy clients insist on supplying them, so they are accepted
+        # blindly. The backend is always reached with the proxy's own creds.
+        self.username = args[0] if args else None
        return await self.send_line("+OK")

    async def handle_pass(self, args):
-        if len(args) != 1:
-            return await self.send_line("-ERR PASS requires password")
-        self.password = args[0]
+        # Accept any password. See handle_user: client credentials are
+        # accepted but never used or validated.
+        self.password = args[0] if args else None
        await asyncio.to_thread(self.authenticate)
        return await self.send_line("+OK User authenticated")

    def authenticate(self):
-        """Authenticate to the IMAP backend using configured credentials."""
-        if Settings.BACKEND_IMAP_USER and Settings.BACKEND_IMAP_PASS:
-            username = Settings.BACKEND_IMAP_USER
-            password = Settings.BACKEND_IMAP_PASS
-        elif self.username and self.password:
-            username = self.username
-            password = self.password
-        else:
-            raise RuntimeError("No IMAP credentials available")
+        """Authenticate to the IMAP backend using the configured proxy credentials.

-        backend = IMAPBackend(username, password)
+        Client-supplied POP3 credentials are deliberately ignored: the proxy
+        always connects to the backend with ``BACKEND_IMAP_USER`` /
+        ``BACKEND_IMAP_PASS``. This is by design for legacy clients that require
+        credentials to be entered even though the proxy does not use them.
+        """
+        if not (Settings.BACKEND_IMAP_USER and Settings.BACKEND_IMAP_PASS):
+            raise RuntimeError("Backend IMAP credentials are not configured")
+
+        backend = IMAPBackend(Settings.BACKEND_IMAP_USER, Settings.BACKEND_IMAP_PASS)
        backend.login()
        self._imap = backend
        # Snapshot the maildrop once; it stays static for the session lifetime
@@ -227,6 +227,49 @@ def test_top_returns_headers_and_limited_body():
    assert output.endswith(b".\r\n")


+def test_authenticate_ignores_client_credentials(monkeypatch):
+    captured = {}
+
+    def fake_login(self):
+        captured["username"] = self.username
+        captured["password"] = self.password
+
+    monkeypatch.setattr(IMAPBackend, "login", fake_login)
+    monkeypatch.setattr(IMAPBackend, "list_uids", lambda self: [])
+    previous_user = Settings.BACKEND_IMAP_USER
+    previous_pass = Settings.BACKEND_IMAP_PASS
+    Settings.BACKEND_IMAP_USER = "backend-user"
+    Settings.BACKEND_IMAP_PASS = "backend-pass"
+
+    session = POP3Session(None, FakeWriter())
+    session.username = "client-user"
+    session.password = "client-pass"
+    session.authenticate()
+
+    # The proxy must connect with its own credentials, never the client's.
+    assert captured["username"] == "backend-user"
+    assert captured["password"] == "backend-pass"
+
+    Settings.BACKEND_IMAP_USER = previous_user
+    Settings.BACKEND_IMAP_PASS = previous_pass
+
+
+def test_authenticate_requires_backend_credentials(monkeypatch):
+    previous_user = Settings.BACKEND_IMAP_USER
+    previous_pass = Settings.BACKEND_IMAP_PASS
+    Settings.BACKEND_IMAP_USER = None
+    Settings.BACKEND_IMAP_PASS = None
+
+    session = POP3Session(None, FakeWriter())
+    session.username = "client-user"
+    session.password = "client-pass"
+    with pytest.raises(RuntimeError, match="Backend IMAP credentials are not configured"):
+        session.authenticate()
+
+    Settings.BACKEND_IMAP_USER = previous_user
+    Settings.BACKEND_IMAP_PASS = previous_pass
+
+
 def test_dele_survives_stat_list_uidl_until_quit():
    session = make_session([b"1", b"2", b"3"])
    asyncio.run(session.handle_dele(["2"]))
Author	SHA1	Message	Date
lyrathorpe	9a4bab33e2	feat: ignore client-supplied POP3 credentials (#15 ) Build and publish container / build (push) Successful in 12m15s Details Accept any POP3 `USER`/`PASS` from the client and discard them. The proxy always authenticates to the IMAP backend with the configured `BACKEND_IMAP_USER` / `BACKEND_IMAP_PASS`. ## Changes - `handle_user` / `handle_pass`: accept client credentials unconditionally, no validation. - `authenticate`: always use backend credentials; remove the fallback that connected with client-supplied credentials when backend credentials were unset. Raise a clear configuration error when backend credentials are missing. - Tests: client credentials are ignored; missing backend credentials are reported. Closes #14 --------- Co-authored-by: Emma Thorpe <emma.thorpe@citrix.com> Reviewed-on: #15	2026-06-17 18:16:37 +01:00
lyrathorpe	e51740b8db	Document unauthenticated listener exposure (#13 ) Adds a Security section: the front-end POP3/SMTP listeners are unauthenticated and must be bound to a trusted internal network only. Closes #9 Reviewed-on: #13 Co-authored-by: Lyra Thorpe <iam@emmathe.dev> Co-committed-by: Lyra Thorpe <iam@emmathe.dev>	2026-06-17 17:33:51 +01:00
lyrathorpe	4ab12f8ce6	Cache pip before install and fix cache key expansion (#12 ) Moves the actions/cache step ahead of the install step and uses the runner.os Actions expression in the cache key. Closes #8 Reviewed-on: #12 Co-authored-by: Lyra Thorpe <iam@emmathe.dev> Co-committed-by: Lyra Thorpe <iam@emmathe.dev>	2026-06-17 17:33:37 +01:00
lyrathorpe	7930235efd	Run container as non-root user (#11 ) Build and publish container / build (push) Successful in 5m59s Details Adds a dedicated non-root user and switches to it before CMD. Verified the container runs as a non-root uid. Closes #7 Reviewed-on: #11 Co-authored-by: Lyra Thorpe <iam@emmathe.dev> Co-committed-by: Lyra Thorpe <iam@emmathe.dev>	2026-06-17 17:33:23 +01:00
lyrathorpe	bde999185a	Fix POP3/SMTP correctness and IMAP robustness (#10 ) Build and publish container / build (push) Has been cancelled Details POP3/SMTP proxy correctness fixes. - RETR now returns the message body (reads the FETCH tuple). Closes #1 - Maildrop snapshotted once; DELE marks survive STAT/LIST/UIDL. Closes #2 - RETR/TOP dot-stuff and CRLF-terminate per RFC 1939. Closes #3 - SMTP relays raw bytes, no UTF-8 mangling. Closes #4 - Message sizes batched in one IMAP round-trip off the event loop; IMAP timeout added. Closes #5 - POP3 TOP implemented. Closes #6 pytest: 10 passed. Reviewed-on: #10 Co-authored-by: Lyra Thorpe <iam@emmathe.dev> Co-committed-by: Lyra Thorpe <iam@emmathe.dev>	2026-06-17 17:33:09 +01:00