lyrathorpe/legacy-email-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c580f494ea4a86b7fc76076ea43f8802357135d0
legacy-email-proxy/README.md
T
lyrathorpe c580f494ea
Build and publish container / build (pull_request) Successful in 8m58s
Details
docs: add Security section documenting unauthenticated listeners 
Document that the front-end POP3/SMTP listeners are unencrypted and
unauthenticated, warn that they must be bound to a trusted internal
network only, and note POP3_BIND_ADDR / SMTP_BIND_ADDR for restricting
the bind address.

Fixes #9

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 17:22:12 +01:00

74 lines
2.6 KiB
Markdown
Raw Blame History

# Legacy Email Proxy
Proxy an unauthenticated, unencrypted POP3 / SMTP server to authenticated IMAPS and SMTPS backends.
## Features
- Exposes legacy `POP3` on `0.0.0.0:110` and legacy `SMTP` on `0.0.0.0:25`
- Forwards POP3 mailbox access to an IMAP backend
- Forwards SMTP submissions to an SMTPS backend
- Backend host, ports, and credentials are configured via environment variables
## Environment Variables
- `POP3_BIND_ADDR` (default `0.0.0.0`)
- `POP3_BIND_PORT` (default `110`)
- `SMTP_BIND_ADDR` (default `0.0.0.0`)
- `SMTP_BIND_PORT` (default `25`)
- `BACKEND_IMAP_HOST`
- `BACKEND_IMAP_PORT` (default `993`)
- `BACKEND_IMAP_USER`
- `BACKEND_IMAP_PASS`
- `BACKEND_IMAP_USE_SSL` (default `true`)
- `BACKEND_IMAP_USE_STARTTLS` (default `false`)
- `BACKEND_SMTP_HOST`
- `BACKEND_SMTP_PORT` (default `465`)
- `BACKEND_SMTP_USER`
- `BACKEND_SMTP_PASS`
- `BACKEND_SMTP_USE_SSL` (default `true`)
- `BACKEND_SMTP_USE_TLS` (default `false`)
## Build and run
This project targets the latest Python LTS release. The included `Dockerfile` uses `python:3.12-slim`, which is compatible with Python 3.12 and later LTS releases.
```bash
docker build -t legacy-email-proxy .
docker run --rm -p 110:110 -p 25:25 \
-e BACKEND_IMAP_HOST=imap.example.com \
-e BACKEND_IMAP_PORT=993 \
-e BACKEND_IMAP_USER=imap-user \
-e BACKEND_IMAP_PASS=imap-pass \
-e BACKEND_SMTP_HOST=smtp.example.com \
-e BACKEND_SMTP_PORT=465 \
-e BACKEND_SMTP_USER=smtp-user \
-e BACKEND_SMTP_PASS=smtp-pass \
legacy-email-proxy
```
## Tests
Install development dependencies and run the test suite:
```bash
python -m venv .venv
source .venv/bin/activate
python -m pip install --upgrade pip
pip install -r requirements-dev.txt
pytest -q
```
## Notes
This implementation begins the proxy with a minimal POP3 command set and SMTP delivery path. It is designed to start development on the required application architecture.
## Security
By design, the front-end POP3 (port 110) and SMTP (port 25) listeners are **unencrypted** and **unauthenticated**. Anyone who can reach port 110 obtains full mailbox access, and anyone who can reach port 25 can relay mail through the configured backend SMTP credentials, which is an open relay from the network's perspective.
Because of this, the listeners **must** be bound to a trusted internal network only, such as a private Docker bridge, a VPN interface, or localhost, and **must not** be exposed to untrusted networks or the public internet.
Operators who need to restrict the bind address can set `POP3_BIND_ADDR` / `SMTP_BIND_ADDR` to a specific internal interface instead of `0.0.0.0`.
Reference in New Issue View Git Blame Copy Permalink