lyrathorpe/legacy-email-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9a4bab33e22fdd54a335a7ca4bf54d98d5c2dca8
legacy-email-proxy/README.md
T
lyrathorpe e51740b8db Document unauthenticated listener exposure (#13) 
Adds a Security section: the front-end POP3/SMTP listeners are unauthenticated and must be bound to a trusted internal network only. Closes #9

Reviewed-on: #13
Co-authored-by: Lyra Thorpe <iam@emmathe.dev>
Co-committed-by: Lyra Thorpe <iam@emmathe.dev>
2026-06-17 17:33:51 +01:00

2.6 KiB
Raw Blame History

Legacy Email Proxy

Proxy an unauthenticated, unencrypted POP3 / SMTP server to authenticated IMAPS and SMTPS backends.

Features

  • Exposes legacy POP3 on 0.0.0.0:110 and legacy SMTP on 0.0.0.0:25
  • Forwards POP3 mailbox access to an IMAP backend
  • Forwards SMTP submissions to an SMTPS backend
  • Backend host, ports, and credentials are configured via environment variables

Environment Variables

  • POP3_BIND_ADDR (default 0.0.0.0)

  • POP3_BIND_PORT (default 110)

  • SMTP_BIND_ADDR (default 0.0.0.0)

  • SMTP_BIND_PORT (default 25)

  • BACKEND_IMAP_HOST

  • BACKEND_IMAP_PORT (default 993)

  • BACKEND_IMAP_USER

  • BACKEND_IMAP_PASS

  • BACKEND_IMAP_USE_SSL (default true)

  • BACKEND_IMAP_USE_STARTTLS (default false)

  • BACKEND_SMTP_HOST

  • BACKEND_SMTP_PORT (default 465)

  • BACKEND_SMTP_USER

  • BACKEND_SMTP_PASS

  • BACKEND_SMTP_USE_SSL (default true)

  • BACKEND_SMTP_USE_TLS (default false)

Build and run

This project targets the latest Python LTS release. The included Dockerfile uses python:3.12-slim, which is compatible with Python 3.12 and later LTS releases.

docker build -t legacy-email-proxy .
docker run --rm -p 110:110 -p 25:25 \
  -e BACKEND_IMAP_HOST=imap.example.com \
  -e BACKEND_IMAP_PORT=993 \
  -e BACKEND_IMAP_USER=imap-user \
  -e BACKEND_IMAP_PASS=imap-pass \
  -e BACKEND_SMTP_HOST=smtp.example.com \
  -e BACKEND_SMTP_PORT=465 \
  -e BACKEND_SMTP_USER=smtp-user \
  -e BACKEND_SMTP_PASS=smtp-pass \
  legacy-email-proxy

Tests

Install development dependencies and run the test suite:

python -m venv .venv
source .venv/bin/activate
python -m pip install --upgrade pip
pip install -r requirements-dev.txt
pytest -q

Notes

This implementation begins the proxy with a minimal POP3 command set and SMTP delivery path. It is designed to start development on the required application architecture.

Security

By design, the front-end POP3 (port 110) and SMTP (port 25) listeners are unencrypted and unauthenticated. Anyone who can reach port 110 obtains full mailbox access, and anyone who can reach port 25 can relay mail through the configured backend SMTP credentials, which is an open relay from the network's perspective.

Because of this, the listeners must be bound to a trusted internal network only, such as a private Docker bridge, a VPN interface, or localhost, and must not be exposed to untrusted networks or the public internet.

Operators who need to restrict the bind address can set POP3_BIND_ADDR / SMTP_BIND_ADDR to a specific internal interface instead of 0.0.0.0.

Reference in New Issue View Git Blame Copy Permalink