sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

fix: require TLS for IMAP auth, close port 143 (CERT-Bund compliance)
All checks were successful
CI / Check (push) Has been skipped
Details
CI / Detect Changes (push) Successful in 7s
Details
CI / Deploy Agent (push) Successful in 2s
Details
CI / Deploy Dashboard (push) Successful in 1s
Details
CI / Deploy Docs (push) Has been skipped
Details
CI / Deploy MCP (push) Successful in 2s
Details

Browse Source 
- Remove port 143 from mailserver (only expose 993/IMAPS)
- Enable SSL_TYPE=manual with Let's Encrypt certs
- Set DOVECOT_DISABLE_PLAINTEXT_AUTH=yes
- Add pentest_imap_tls config field (defaults to true)

Fixes CERT-Bund report: IMAP PLAIN/LOGIN without TLS on 46.225.100.82:143

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sharang Parnerkar
2026-03-18 09:29:34 +01:00
parent c461faa2fb
commit a509bdcb2e
4 changed files with 17 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
compliance-agent/src/config.rs
View File

@@ -54,6 +54,9 @@ pub fn load_config() -> Result<AgentConfig, AgentError> {
pentest_verification_email: env_var_opt("PENTEST_VERIFICATION_EMAIL"),
pentest_imap_host: env_var_opt("PENTEST_IMAP_HOST"),
pentest_imap_port: env_var_opt("PENTEST_IMAP_PORT").and_then(|p| p.parse().ok()),
pentest_imap_tls: env_var_opt("PENTEST_IMAP_TLS")
.map(|v| v == "1" || v.eq_ignore_ascii_case("true"))
.unwrap_or(true),
pentest_imap_username: env_var_opt("PENTEST_IMAP_USERNAME"),
pentest_imap_password: env_secret_opt("PENTEST_IMAP_PASSWORD"),
})

1
compliance-agent/src/pentest/cleanup.rs
View File

@@ -336,6 +336,7 @@ mod tests {
pentest_verification_email: None,
pentest_imap_host: None,
pentest_imap_port: None,
pentest_imap_tls: true,
pentest_imap_username: None,
pentest_imap_password: None,
}

2
compliance-core/src/config.rs
View File

@@ -33,6 +33,8 @@ pub struct AgentConfig {
pub pentest_verification_email: Option<String>,
pub pentest_imap_host: Option<String>,
pub pentest_imap_port: Option<u16>,
/// Use implicit TLS (IMAPS, port 993) instead of plain IMAP.
pub pentest_imap_tls: bool,
pub pentest_imap_username: Option<String>,
pub pentest_imap_password: Option<SecretString>,
}

16
deploy/docker-compose.mailserver.yml
View File

@@ -8,14 +8,14 @@ services:
container_name: mailserver
ports:
- "25:25" # SMTP (inbound mail)
- "143:143" # IMAP (orchestrator reads mail)
- "993:993" # IMAPS (TLS)
- "587:587" # Submission (outbound, if needed)
- "993:993" # IMAPS (TLS-only)
- "587:587" # Submission (STARTTLS)
volumes:
- maildata:/var/mail
- mailstate:/var/mail-state
- maillogs:/var/log/mail
- /etc/localtime:/etc/localtime:ro
- /etc/letsencrypt:/etc/letsencrypt:ro
environment:
# Hostname
- OVERRIDE_HOSTNAME=mail.scanner.meghsakha.com
@@ -34,8 +34,14 @@ services:
# Plus-addressing (critical for pentest)
- POSTFIX_RECIPIENT_DELIMITER=+
# SSL (start with no TLS, add Let's Encrypt later)
- SSL_TYPE=
# TLS — use Let's Encrypt certs mounted from Coolify/Caddy
- SSL_TYPE=manual
- SSL_CERT_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/fullchain.pem
- SSL_KEY_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/privkey.pem
# Require TLS before accepting PLAIN/LOGIN auth (CERT-Bund compliance)
# Disable plaintext auth on unencrypted connections
- DOVECOT_DISABLE_PLAINTEXT_AUTH=yes
# Accept mail for our domain
- PERMIT_DOCKER=none