From a509bdcb2e8c3999a1d64c5629a67b6648b821f4 Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar
Date: Wed, 18 Mar 2026 09:29:34 +0100
Subject: [PATCH] fix: require TLS for IMAP auth, close port 143 (CERT-Bund compliance)

- Remove port 143 from mailserver (only expose 993/IMAPS)
- Enable SSL_TYPE=manual with Let's Encrypt certs
- Set DOVECOT_DISABLE_PLAINTEXT_AUTH=yes
- Add pentest_imap_tls config field (defaults to true)

Fixes CERT-Bund report: IMAP PLAIN/LOGIN without TLS on 46.225.100.82:143

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 compliance-agent/src/config.rs | 3 +++
 compliance-agent/src/pentest/cleanup.rs | 1 +
 compliance-core/src/config.rs | 2 ++
 deploy/docker-compose.mailserver.yml | 16 +++++++++++-----
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/compliance-agent/src/config.rs b/compliance-agent/src/config.rs
index f534b01..3361ad8 100644
--- a/compliance-agent/src/config.rs
+++ b/compliance-agent/src/config.rs
@@ -54,6 +54,9 @@ pub fn load_config() -> Result {
 pentest_verification_email: env_var_opt("PENTEST_VERIFICATION_EMAIL"),
 pentest_imap_host: env_var_opt("PENTEST_IMAP_HOST"),
 pentest_imap_port: env_var_opt("PENTEST_IMAP_PORT").and_then(|p| p.parse().ok()),
+ pentest_imap_tls: env_var_opt("PENTEST_IMAP_TLS")
+ .map(|v| v == "1" || v.eq_ignore_ascii_case("true"))
+ .unwrap_or(true),
 pentest_imap_username: env_var_opt("PENTEST_IMAP_USERNAME"),
 pentest_imap_password: env_secret_opt("PENTEST_IMAP_PASSWORD"),
 })
diff --git a/compliance-agent/src/pentest/cleanup.rs b/compliance-agent/src/pentest/cleanup.rs
index d155978..b15f8bc 100644
--- a/compliance-agent/src/pentest/cleanup.rs
+++ b/compliance-agent/src/pentest/cleanup.rs
@@ -336,6 +336,7 @@ mod tests {
 pentest_verification_email: None,
 pentest_imap_host: None,
 pentest_imap_port: None,
+ pentest_imap_tls: true,
 pentest_imap_username: None,
 pentest_imap_password: None,
 }
diff --git a/compliance-core/src/config.rs b/compliance-core/src/config.rs
index d92ce32..9f29915 100644
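Review bot: The `PENTEST_IMAP_TLS` parser on the three added lines fails open: any value other than `1` or `true` (for example `yes`, `TRUE ` with a trailing space, or a typo) silently turns TLS off, which is the opposite direction from the default and from the server-side hardening this commit makes. Prefer inverting the test so only an explicit opt-out disables TLS, `.map(|v| !matches!(v.trim().to_ascii_lowercase().as_str(), "0" | "false" | "no"))`, or return an error through load_config's `Result` for any unrecognized value. Nothing in this patch ties the flag to `pentest_imap_port`, which is parsed independently on the line above, so `tls=true` with port 143 (now closed) or `tls=false` with 993 is still representable; a warning on that combination would help operators. I also do not see a hunk where the IMAP client reads `pentest_imap_tls`, so unless that wiring already exists, the agent's connection behaviour is unchanged by this commit. load_config starts outside the hunk.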
--- a/compliance-core/src/config.rs
+++ b/compliance-core/src/config.rs
@@ -33,6 +33,8 @@ pub struct AgentConfig {
 pub pentest_verification_email: Option,
 pub pentest_imap_host: Option,
 pub pentest_imap_port: Option,
+ /// Use implicit TLS (IMAPS, port 993) instead of plain IMAP.
+ pub pentest_imap_tls: bool,
 pub pentest_imap_username: Option,
 pub pentest_imap_password: Option,
 }
diff --git a/deploy/docker-compose.mailserver.yml b/deploy/docker-compose.mailserver.yml
index ab9bdf7..7bf3141 100644
--- a/deploy/docker-compose.mailserver.yml
+++ b/deploy/docker-compose.mailserver.yml
@@ -8,14 +8,14 @@ services:
 container_name: mailserver
 ports:
 - "25:25" # SMTP (inbound mail)
- - "143:143" # IMAP (orchestrator reads mail)
- - "993:993" # IMAPS (TLS)
- - "587:587" # Submission (outbound, if needed)
+ - "993:993" # IMAPS (TLS-only)
+ - "587:587" # Submission (STARTTLS)
 volumes:
 - maildata:/var/mail
 - mailstate:/var/mail-state
 - maillogs:/var/log/mail
 - /etc/localtime:/etc/localtime:ro
+ - /etc/letsencrypt:/etc/letsencrypt:ro
 environment:
 # Hostname
 - OVERRIDE_HOSTNAME=mail.scanner.meghsakha.com
@@ -34,8 +34,14 @@ services:
 # Plus-addressing (critical for pentest)
 - POSTFIX_RECIPIENT_DELIMITER=+
 
- # SSL (start with no TLS, add Let's Encrypt later)
- - SSL_TYPE=
+ # TLS — use Let's Encrypt certs mounted from Coolify/Caddy
+ - SSL_TYPE=manual
+ - SSL_CERT_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/fullchain.pem
+ - SSL_KEY_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/privkey.pem
+
+ # Require TLS before accepting PLAIN/LOGIN auth (CERT-Bund compliance)
+ # Disable plaintext auth on unencrypted connections
+ - DOVECOT_DISABLE_PLAINTEXT_AUTH=yes
 
 # Accept mail for our domain
 - PERMIT_DOCKER=none
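Review bot: The new doc comment on `pentest_imap_tls` says what the flag means but not where it comes from or how it relates to the port field next to it, which is what the next maintainer will ask. Suggest extending it to `/// Use implicit TLS (IMAPS, port 993) instead of plain IMAP. Read from PENTEST_IMAP_TLS; defaults to true. Independent of pentest_imap_port, which is not derived from this flag.` The struct definition starts outside the hunk.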
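Review bot: The relabelled `- "587:587" # Submission (STARTTLS)` line claims STARTTLS, but nothing in this diff enforces encryption before AUTH on 587: `DOVECOT_DISABLE_PLAINTEXT_AUTH` (set in the next hunk) governs Dovecot's IMAP/POP listeners, and whether the submission service refuses AUTH before STARTTLS is a Postfix setting (`smtpd_tls_auth_only` or the image's master.cf) that is decided elsewhere. Please confirm it on the deployed host, for instance that the EHLO response on 587 does not advertise AUTH until after STARTTLS, or the CERT-Bund finding simply moves from 143 to 587. If 587 is genuinely unused, as the old "if needed" comment suggested, dropping the mapping entirely is the smaller attack surface and the simpler fix.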
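Review bot: The two comment lines added above `DOVECOT_DISABLE_PLAINTEXT_AUTH=yes` say the same thing; collapse them to one, e.g. `# Reject PLAIN/LOGIN auth on unencrypted connections (CERT-Bund finding)`. Separately, `SSL_TYPE=manual` points at fixed files under `/etc/letsencrypt/live/...`; Let's Encrypt certificates are renewed roughly every 60 to 90 days and renewal rotates the targets of the `live/` symlinks, so unless the image's change detection reloads Dovecot and Postfix when those files change, the container keeps serving the old chain until it is restarted — worth a comment here or a certbot deploy hook that restarts the service. Mounting `/etc/letsencrypt` as a whole, as the previous hunk does, is the right call since the `live/` entries are symlinks into `archive/`.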