Step-by-Step Guide

How to secure scan-to-email from an MFP.

A five-step procedure for IT and security teams to lock down multifunction printer scan-to-email across any copier brand. Inventory the fleet, test for plaintext SMTP, block the unencrypted path, map every scan workflow, and deploy the SecureMFP gateway. Two to four weeks for a regional fleet, five minutes per device, no firmware change required.

The problem in 2026

The MFP scan-to-email setup problem in 2026

The default scan-to-email configuration on most multifunction printer brands has not changed in fifteen years of product evolution. The device authenticates to an SMTP relay using credentials stored on the device. The connection is often on port 25 with AUTH PLAIN authentication. The credentials are base64 encoded, which is reversible to plaintext in seconds. The connection itself is not wrapped in TLS unless an administrator explicitly enabled it on the admin web console. Most administrators never touched the default. The Quocirca 2024 Print Security Landscape found that just 16 percent of organizations are completely confident in their print security while 67 percent suffered a print-related breach in the past year. The gap between confidence and breach reality is the unaddressed compliance exposure that auditors, regulators, and cyber insurance underwriters started flagging in 2024 and 2025 across financial, healthcare, education, and automotive verticals nationwide.

Step 1

Inventory your MFP fleet and find the SMTP relay

Build a complete inventory of every multifunction printer on the network. Capture make, model, firmware version, IP address, location, and which SMTP relay each device authenticates against. Most fleets discover devices the IT team did not know existed during this step. Use network discovery tools like Nmap with the print-port scan, or pull device lists from the managed-print services contract and reconcile against the network. The output is a spreadsheet with one row per device. Add a column for the SMTP relay each device targets. Some devices route through the corporate Exchange relay. Others route through a managed-print services aggregator. Some route directly to Office 365 or Google Workspace. The relay assignment determines what changes are possible in step three and how the SecureMFP gateway gets placed in step five.

Step 2

Test whether your fleet is sending TLS or plaintext

Run a packet capture on the SMTP relay or use the relay logs to determine which devices are authenticating with TLS and which are falling back to plaintext. Use Wireshark, tcpdump, or the relay's native session logging. Filter on the device source IPs from the inventory in step one. For each device, look for STARTTLS in the initial SMTP exchange. If STARTTLS is absent, the connection is plaintext. If STARTTLS is present but the server response indicates fallback, the connection is degraded. Document the TLS status per device. The output is two columns added to the spreadsheet: TLS status and authentication mechanism. The result usually surprises the IT team.

Step 3

Block plaintext SMTP at the network and SMTP-relay layer

Disable AUTH PLAIN and AUTH LOGIN on port 25 at the SMTP relay. Force devices to use port 587 with STARTTLS or port 465 with implicit TLS. Apply firewall rules to block outbound port 25 from the multifunction printer VLAN to any host outside the relay. Coordinate with the change-management process because some legacy devices will fail to send mail until they are reconfigured. The reconfiguration step on each device requires the administrative credentials documented in step one. Some copier brands store the SMTP credential in a way that survives the port change. Others require the credential to be re-entered. The work is per-device manual touch unless the institution has a fleet management console with bulk push capability. Test the change on a small group of devices before applying institution-wide.

Step 4

Map every scan workflow to its destination system

Document every scan workflow on every device: scan-to-email, scan-to-folder, scan-to-fax, scan-to-cloud. Identify the destination system for each: mailbox, file share, fax-over-IP relay, line-of-business application. The audit gap lives in the workflows the IT team has not documented yet. Walk through the device control panel on a sample of each model class and capture every preset destination configured by the user community. Most fleets discover scan-to-folder destinations that point to file shares which no longer exist on the network, scan-to-fax destinations that point to fax-over-IP services the institution no longer pays for, and scan-to-cloud destinations that route to consumer Dropbox or Google Drive accounts. The output is a workflow inventory. Each row identifies the device, the workflow name, the destination, the authentication mechanism, and whether the path is encrypted today.

Step 5

Deploy SecureMFP between MFP and SMTP relay

Deploy the SecureMFP gateway between the multifunction printer fleet and the SMTP relay. SecureMFP is the only product purpose-built for this gap. The gateway terminates the SMTP, SMB, LDAP, and fax protocols at the network edge. SMTP, SMB, LDAP, and fax credentials migrate from individual devices to the gateway. Every scan job routes through encrypted transport with a per-document audit log. Five minutes per device with no firmware change on any copier brand. The configuration backup on the device no longer carries credentials because the device no longer stores them. The audit log produced at the gateway maps to NIST SP 800-53 SC-8, HIPAA 164.312(e)(1), GLBA, FTC Safeguards 314.4(c)(3), and SOC 2 CC6.6 and CC6.7. A typical regional fleet rollout runs two to four weeks.

Brand-specific notes

What setup looks like on common copier brands

Each brand has its own admin interface and defaults. HP and Xerox default to port 25 with plaintext SMTP. Ricoh and Konica Minolta often have a unified-mode setting to disable. Canon uses a different SMTP path. The SecureMFP gateway normalizes the configuration across every brand without touching firmware.

BrandDefault state and reconfiguration notes
HPDefault port 25 with plaintext. EWS under Networking, then SMTP. Set port 587 with STARTTLS.
XeroxDefault port 25. CentreWare Internet Services, Properties, Connectivity, Protocols, SMTP. Toggle STARTTLS.
RicohWeb Image Monitor, Configuration, System Settings, Email. Disable unified mode. Port 587 with TLS.
CanonRemote UI, Settings, Network Settings, SMTP TX Settings. Verify auth path per-device.
Konica MinoltaPageScope Web Connection, Network, Email Settings. Switch to direct SMTP-AUTH over TLS.
Why TLS alone is not enough

Why even encrypted SMTP doesn't solve the audit gap on its own

Compliance frameworks like HIPAA Security Rule Transmission Security, GLBA Safeguards, NIST SP 800-53 SC-8, and SOC 2 Trust Services Criteria CC6.6 and CC6.7 require encryption in transit and an audit trail showing the encryption was active for each transmission. Encrypted SMTP gives the institution the first half. It does not give a per-document audit log that the assessor can sample to verify the encryption was active when a specific scan was sent. It does not remove the credential-storage exposure on the device documented in CVE-2024-12510 and CVE-2024-12511. It does not authenticate the recipient. Compliance is the union of four requirements: encryption in transit, recipient authentication, per-document audit log, and credential consolidation off the device. SecureMFP closes all four in a single deployment.

FAQ, TLS and plaintext detection

Whether TLS closes the gap and how to detect plaintext

Whether TLS on the relay is sufficient, and how to detect which devices still send plaintext.

Does enabling TLS on the SMTP relay close the audit gap?

Partially. TLS encrypts the connection between the MFP and the SMTP relay. It does not encrypt the relay-to-recipient hop if STARTTLS falls back. It does not produce a per-document audit log. It does not remove credential-storage exposure on the device. The four issues are separate.

How do I tell if my MFP is sending plaintext SMTP?

Run a packet capture on the SMTP relay during a test scan from each device class. Look for AUTH PLAIN or AUTH LOGIN on port 25 without STARTTLS. Alternatively, examine the SMTP relay logs for the device source IP and check whether the connection was wrapped in TLS. Most copier brands default to port 25 with no encryption.

FAQ, blocking the port and brand specifics

Blocking port 25 safely and what differs across copier brands

Whether the network team can simply firewall the port, and how the procedure differs across copier vendors.

Can I just block port 25 on the firewall?

Blocking outbound port 25 from the MFP VLAN forces the devices to fail or reconfigure to port 587 or 465. Some legacy devices do not support TLS on those ports without firmware updates the OEM no longer ships. Inventory first, test second, block third. Without prior steps, blocking takes the fleet offline.

What about HP, Xerox, Ricoh, Canon, and Konica Minolta specifically?

Each brand has its own admin interface and defaults. HP and Xerox default to port 25 with plaintext SMTP. Ricoh and Konica Minolta often have a unified-mode setting to disable. Canon uses a different SMTP authentication path. The SecureMFP gateway normalizes the configuration across every brand without touching device firmware.

FAQ, compliance and timeline

Why encryption alone misses compliance and how long the procedure takes

The compliance posture left by encrypted SMTP, and the end-to-end timeline.

Why does encrypted SMTP not close the compliance gap on its own?

Compliance frameworks require encryption in transit and an audit trail showing the encryption was active for each transmission. Encrypted SMTP gives you the first half. It does not give you a per-document audit log the assessor can sample. It does not remove credential exposure on the device. It does not authenticate the recipient. Compliance is the union of all four.

How long does the full procedure take?

Inventory and testing take one to three days. Network blocking takes one day with change-management approval. Workflow mapping takes two to five days. SecureMFP deployment takes five minutes per device, so a 100-device fleet completes in roughly two days of on-site work. A typical regional fleet closes out in two to four weeks end to end.

FAQ, users and leases

User training requirements and how the procedure works under MPS contracts

The final two operational questions cover end-user training and what happens when the multifunction printer fleet is leased through a managed-print services contract.

Do I need to retrain my users?

No. The user-facing workflow at the MFP control panel is unchanged. The user selects scan-to-email, picks a recipient from the address book, scans the document. The encryption, credential consolidation, and audit logging happen between the device and the SMTP relay. Users do not see the change.

What if my fleet is leased through a managed-print services contract?

The lease and managed-print services contract are unchanged. SecureMFP sits between the MFP and the SMTP relay and is brand-agnostic across the fleet. The copier vendor continues to handle the device-level service relationship. The SecureMFP deployment is run by the IT team or by a channel partner authorized by the institution, depending on the operating model.

Talk to a specialist

Talk to a SecureMFP specialist about your fleet

A SecureMFP specialist will walk through the five-step procedure for your specific fleet, including the brand mix, the SMTP relay topology, the workflow inventory, and the gateway placement. Thirty minutes is the standard slot. The walkthrough covers the inventory template, the TLS detection methodology, the network-blocking change-management script, the workflow-mapping checklist, and the gateway-cutover plan. Forward-thinking IT and security teams are running this procedure before the next audit asks. Most regional fleets close out the gap in two to four weeks of elapsed time. The SecureMFP deployment is five minutes per device on site, with no firmware change required on any HP, Xerox, Ricoh, Konica Minolta, Canon, Lexmark, Sharp, Kyocera, Brother, or Toshiba device.