lyrathorpe/legacy-email-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

POP3 proxy should ignore client-supplied credentials #14

New Issue
Closed
opened 2026-06-17 18:09:39 +01:00 by lyrathorpe · 0 comments
lyrathorpe commented 2026-06-17 18:09:39 +01:00
Owner
Copy Link
Copy Source

Summary

Some legacy POP3 clients require the user to enter a username and password and will not connect without them. The proxy does not need or use these per-client credentials: it always authenticates to the IMAP backend with its own configured account (BACKEND_IMAP_USER / BACKEND_IMAP_PASS).

Desired behaviour

  • USER and PASS from the client are accepted unconditionally (always +OK).
  • Client-supplied credentials are never validated or used for the backend connection.
  • The proxy always connects to the backend with the configured credentials.
  • If backend credentials are not configured, authentication fails with a clear configuration error rather than silently falling back to client credentials.

Note

This intentionally accepts any credentials at the POP3 listener. The listener is already documented as unauthenticated and is expected to run only on a trusted network. This is by design.

## Summary Some legacy POP3 clients require the user to enter a username and password and will not connect without them. The proxy does not need or use these per-client credentials: it always authenticates to the IMAP backend with its own configured account (`BACKEND_IMAP_USER` / `BACKEND_IMAP_PASS`). ## Desired behaviour - `USER` and `PASS` from the client are accepted unconditionally (always `+OK`). - Client-supplied credentials are never validated or used for the backend connection. - The proxy always connects to the backend with the configured credentials. - If backend credentials are not configured, authentication fails with a clear configuration error rather than silently falling back to client credentials. ## Note This intentionally accepts any credentials at the POP3 listener. The listener is already documented as unauthenticated and is expected to run only on a trusted network. This is by design.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Defect / incorrect behaviour
 ci
CI / build pipeline
 docs
Documentation
 enhancement
Improvement to existing behaviour
 security
Security hardening
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
lyrathorpe
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: lyrathorpe/legacy-email-proxy#14
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?