ScanTransit

ScanTransit – Technical details

Last updated: 8 July 2026

This page is for the person who has to actually approve, deploy or firewall this thing. It covers exactly how ScanTransit works, what it asks for, what it stores, and what leaves your network.

How it works

ScanTransit runs a background daemon (relayd) on a Mac on your local network. The daemon listens for inbound SMTP connections on ports 25, 465 and 587, accepting authentication the same way any legacy scanner, copier or MFD expects – a plain device username and password, no OAuth support required on the device side.

When a device sends a scan via SMTP, relayd re-sends that message outbound using OAuth 2.0 against the Google Workspace or Microsoft 365 mailbox you’ve authorised. The device’s connection to relayd and relayd’s connection to Google/Microsoft are entirely separate – the legacy device is never exposed to the internet, and it never needs to know OAuth exists.

Supported SMTP modes

  • Plain SMTP on TCP port 25
  • Implicit TLS (SMTPS) on TCP port 465
  • STARTTLS on TCP port 587

Configure whichever your device supports on ports 25, 465 or 587 – relayd matches accordingly.

OAuth scopes requested

ScanTransit requests the minimum scope needed to send mail, nothing else – it cannot read your mailbox, list contacts, or access anything beyond outbound send.

Microsoft 365 / Outlook

  • https://outlook.office.com/SMTP.Send – send mail via SMTP
  • offline_access – required to maintain a refresh token so you don’t have to re-authenticate manually

Google Workspace (Gmail)

  • https://www.googleapis.com/auth/gmail.send – send-only Gmail scope

System requirements

  • macOS Ventura (13.0) or later
  • Any Mac capable of running Ventura is sufficient for typical scan-to-email volumes – spooling and forwarding a scanned file is not resource-intensive. Even an older Intel-based Mac mini is more than capable for most sites. Higher-volume scanning environments will benefit from a faster machine, but there’s no specific minimum beyond running a supported macOS version.
  • ScanTransit will coexist with most other apps on the Mac. If you’re already running a Mac mini as a utility server, it should be able to handle the minimal additional load of relaying emails to Microsoft 365 or Google.
  • The Mac must remain powered on and network-connected to act as the relay – most sites dedicate a Mac mini to this role rather than using a workstation.

Signing and distribution

ScanTransit is signed with an Apple Developer ID and notarised by Apple. It is not distributed via the Mac App Store, because relayd runs as a privileged background daemon – a class of software the App Store sandbox does not permit.

Network requirements

  • Inbound: none required from outside your LAN. Devices connect to relayd on your local network only.
  • Outbound: SMTP/TLS to Google Workspace or Microsoft 365 (standard mail provider endpoints), plus HTTPS (443) to licensing.automatica.com.au for licence activation and periodic revalidation.
  • If your outbound traffic is filtered by hostname allowlist, licensing.automatica.com.au needs to be permitted alongside your normal mail provider endpoints. Licence revalidation tolerates temporary network interruption – a brief outage will not interrupt scanning.

Licensing

Licence keys are cryptographically signed using Ed25519, not encrypted. The signature proves the key was issued by Automatica and hasn’t been tampered with – it isn’t a container for hiding data. Note that the current licence key format does embed the purchaser’s email address at the time of activation (see Data handling, below); this is a known implementation detail we may revise, and is disclosed here rather than left implicit.

Security

  • ScanTransit never proxies or intercepts your mail. Everything runs on your own Mac; no Automatica server is ever in the path of a scan or an email.
  • Device-facing authentication (the username/password your scanner uses) is stored bcrypt-hashed on the local Mac – never in plaintext.
  • Mailbox access uses OAuth 2.0. ScanTransit never stores or transmits your mailbox password. OAuth tokens are stored in a root-only, encrypted location on the local Mac and are never sent across the network except to Google/Microsoft themselves.
  • ScanTransit is not an open relay. Outbound mail can only be sent as the single mailbox you’ve explicitly authenticated – it cannot be used to relay mail as any other account or through any other provider.

Data handling

We try to collect as little as possible, and we’d rather over-disclose than leave anything vague.

What ScanTransit sends to Automatica:

  • A daily licence “ping” (roughly every 24 hours, more frequently only while a trial or licence check is pending): a salted hash of your Mac’s hardware serial number (never the raw serial), the installed app version, and your current licence state (trial, licensed, expired, etc.). No hostname, username, scan volume, or message content is ever included.
  • At licence activation only: the signed licence key is sent to our server to validate it. That key currently has the purchaser’s email address embedded in it – this is the only point at which your email travels from the app to Automatica’s licensing server, and it’s stored against your licence record from then on.

What ScanTransit does not do:

  • No crash reporting or analytics of any kind – there is no such SDK anywhere in the app or daemon.
  • No document, scan, or email content is ever transmitted to Automatica, under any circumstances.
  • No recipient addresses, mailbox contents, or OAuth tokens ever leave your Mac.

What’s stored locally, and never transmitted:

relayd keeps a local log file (/Library/Application Support/ScanTransit/relayd.log) containing SMTP session details useful for troubleshooting: the sending device’s LAN IP address, the device username used to authenticate (not its password), the sender mailbox address, message size, and recipient counts (not recipient addresses). No document content, recipient email addresses, OAuth tokens, or licence keys ever appear in this log, and nothing in it is transmitted anywhere.

What Automatica retains server-side:

Licence and purchase records (including the email address associated with your licence) are retained for as long as your licence is valid, to support activation, revalidation and maintenance entitlement. Daily ping data is purged from our active database after 90 days; it may persist for longer in encrypted backups retained for business continuity and disaster recovery purposes.

If you have questions about data handling not covered here, contact [email protected].

← Back to overview    Setup guide →