SMTP250.org TECHNICAL WHITEPAPER
Version: 1.0 (November 2025)
Status: Production
Author: ADHOCON GmbH, Development Team
This document outlines the technical architecture, security measures, and forensic validity of the SMTP250.org proof-of-delivery service.
1. ARCHITECTURE OVERVIEW
SMTP250 operates as a Transactional Man-in-the-Middle (TMitM) Proxy specifically designed for legal logging.
[CLIENT] ---> [SMTP250 INGRESS] ---> [PROCESSOR] ---> [EGRESS RELAY] ---> [RECIPIENT]
(SMTP)        (Python aiosmtpd)      (Hash/Sign)      (Postfix)           (MX Record)
1.1 Ingress (The Listener)
We utilize a custom Python-based SMTP handler binding to Port 25. It enforces Opportunistic TLS (STARTTLS). This ensures that the connection between the sender and our server is encrypted if the client supports it.
1.2 The Processor (Forensic Engine)
Upon receipt, the email is not stored in a persistent database. Instead:
- The raw byte-stream is isolated in volatile memory (RAM).
- A SHA-256 Hash is calculated over the entire raw content (Headers + Body + Attachments).
- This ensures mathematical integrity: Changing a single bit in the original email would result in a completely different hash.
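Because the hash covers the raw byte-stream, a saved copy only verifies if it is byte-identical to what was received. The following is an added example, not SMTP250's own code: it recomputes the digest and reports whether a mismatch comes only from line-ending or trailing-newline changes in the saved copy. The sample message, the function names, and the assumption that a receipt carries the hash as a hex string are illustrative.

```python
import hashlib
import hmac

# Constructed sample message (not real traffic); SMTP transmits lines with CRLF.
SAMPLE_RAW = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Notice of termination\r\n"
    b"\r\n"
    b"Please find the notice attached.\r\n"
)

def raw_digest(raw: bytes) -> str:
    """SHA-256 over the exact received bytes (headers + body + attachments)."""
    return hashlib.sha256(raw).hexdigest()

def matches(raw: bytes, expected_hex: str) -> bool:
    """Constant-time comparison against the digest taken from a receipt."""
    return hmac.compare_digest(raw_digest(raw), expected_hex.strip().lower())

# (what happened to the saved copy, transform that undoes it)
REPAIRS = [
    ("copy was saved with LF line endings instead of CRLF",
     lambda b: b.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")),
    ("copy was saved with CRLF line endings instead of LF",
     lambda b: b.replace(b"\r\n", b"\n")),
    ("copy differs only in trailing newlines",
     lambda b: b.rstrip(b"\r\n") + b"\r\n"),
    ("copy differs only in trailing newlines",
     lambda b: b.rstrip(b"\r\n")),
]

def diagnose(raw: bytes, expected_hex: str) -> str:
    """Report a match, a byte-level export artifact, or a real content change."""
    if matches(raw, expected_hex):
        return "match"
    for reason, undo in REPAIRS:
        if matches(undo(raw), expected_hex):
            return "mismatch: " + reason
    return "mismatch: content differs from the hashed message"

if __name__ == "__main__":
    receipt_hash = raw_digest(SAMPLE_RAW)  # stands in for the value on a receipt
    print(diagnose(SAMPLE_RAW, receipt_hash))
    print(diagnose(SAMPLE_RAW.replace(b"\r\n", b"\n"), receipt_hash))
    print(diagnose(b"G" + SAMPLE_RAW[1:], receipt_hash))
```

A "content differs" result means the copy is not the message that was hashed; the other mismatch results point to how the copy was exported rather than to a change in its content.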
2. CRYPTOGRAPHY & SIGNING
The core value proposition is the cryptographically signed PDF ("The Receipt").
2.1 Key Management
- Algorithm: RSA-2048 with SHA-256 digest.
- Padding: PSS (Probabilistic Signature Scheme) for maximum security against collision attacks.
- Key Storage: The private key is stored on a hardened server partition with restricted root-only access.
2.2 Public Key for Verification
To verify the signature on any generated PDF, you can use our Public Key:
3. EMAIL DELIVERABILITY & COMPLIANCE
3.1 SPF / DKIM / DMARC
To ensure high deliverability, SMTP250.org implements full sender authentication:
- SPF: Strict allow-listing of our outbound IPs.
- DKIM: Every outgoing email (receipts and relays) is signed with rsa-sha256 using OpenDKIM.
- DMARC: Policy set to quarantine to prevent spoofing.
3.2 The Forwarding Challenge (SRS)
When relaying emails (e.g., from GMX to Gmail), standard forwarding breaks SPF alignment. SMTP250 solves this by rewriting the Envelope Sender to noreply@mail.smtp250.org while keeping the Header From intact. This ensures that technical bounces return to us for analysis, while the recipient still sees the original sender in their email client.
4. PRIVACY & GDPR (DSGVO)
We adhere to a strictly minimal data retention policy ("Privacy by Design").
- No Database: Email bodies are processed in RAM and temporary files only.
- Immediate Deletion: Once the transaction (payment & delivery) is complete, the temporary file is wiped from the disk.
- Server Location: All processing occurs in Falkenstein/Nuremberg, Germany (Hetzner Online GmbH), fully under German jurisdiction.
© 2025 ADHOCON GmbH.