Emma Thorpe
78a3c21ac7
POP3 clients may be required to send USER/PASS, but the proxy never uses them. Accept any client credentials blindly and always authenticate to the IMAP backend with the configured BACKEND_IMAP_USER / BACKEND_IMAP_PASS. Remove the previous fallback that connected to the backend using client-supplied credentials when backend credentials were unset; the proxy now raises a clear configuration error in that case. Add tests covering that client credentials are ignored and that missing backend credentials are reported. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Legacy Email Proxy
Proxy an unauthenticated, unencrypted POP3 / SMTP server to authenticated IMAPS and SMTPS backends.
Features
- Exposes legacy
POP3on0.0.0.0:110and legacySMTPon0.0.0.0:25 - Forwards POP3 mailbox access to an IMAP backend
- Forwards SMTP submissions to an SMTPS backend
- Backend host, ports, and credentials are configured via environment variables
Environment Variables
-
POP3_BIND_ADDR(default0.0.0.0) -
POP3_BIND_PORT(default110) -
SMTP_BIND_ADDR(default0.0.0.0) -
SMTP_BIND_PORT(default25) -
BACKEND_IMAP_HOST -
BACKEND_IMAP_PORT(default993) -
BACKEND_IMAP_USER -
BACKEND_IMAP_PASS -
BACKEND_IMAP_USE_SSL(defaulttrue) -
BACKEND_IMAP_USE_STARTTLS(defaultfalse) -
BACKEND_SMTP_HOST -
BACKEND_SMTP_PORT(default465) -
BACKEND_SMTP_USER -
BACKEND_SMTP_PASS -
BACKEND_SMTP_USE_SSL(defaulttrue) -
BACKEND_SMTP_USE_TLS(defaultfalse)
Build and run
This project targets the latest Python LTS release. The included Dockerfile uses python:3.12-slim, which is compatible with Python 3.12 and later LTS releases.
docker build -t legacy-email-proxy .
docker run --rm -p 110:110 -p 25:25 \
-e BACKEND_IMAP_HOST=imap.example.com \
-e BACKEND_IMAP_PORT=993 \
-e BACKEND_IMAP_USER=imap-user \
-e BACKEND_IMAP_PASS=imap-pass \
-e BACKEND_SMTP_HOST=smtp.example.com \
-e BACKEND_SMTP_PORT=465 \
-e BACKEND_SMTP_USER=smtp-user \
-e BACKEND_SMTP_PASS=smtp-pass \
legacy-email-proxy
Tests
Install development dependencies and run the test suite:
python -m venv .venv
source .venv/bin/activate
python -m pip install --upgrade pip
pip install -r requirements-dev.txt
pytest -q
Notes
This implementation begins the proxy with a minimal POP3 command set and SMTP delivery path. It is designed to start development on the required application architecture.
Security
By design, the front-end POP3 (port 110) and SMTP (port 25) listeners are unencrypted and unauthenticated. Anyone who can reach port 110 obtains full mailbox access, and anyone who can reach port 25 can relay mail through the configured backend SMTP credentials, which is an open relay from the network's perspective.
Because of this, the listeners must be bound to a trusted internal network only, such as a private Docker bridge, a VPN interface, or localhost, and must not be exposed to untrusted networks or the public internet.
Operators who need to restrict the bind address can set POP3_BIND_ADDR / SMTP_BIND_ADDR to a specific internal interface instead of 0.0.0.0.