fix: require TLS for IMAP auth, close port 143 (CERT-Bund compliance)

- Remove port 143 from mailserver (only expose 993/IMAPS)
- Enable SSL_TYPE=manual with Let's Encrypt certs
- Set DOVECOT_DISABLE_PLAINTEXT_AUTH=yes
- Add pentest_imap_tls config field (defaults to true)

Fixes CERT-Bund report: IMAP PLAIN/LOGIN without TLS on 46.225.100.82:143

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

compliance-agent/src/config.rs

@@ -54,6 +54,9 @@ pub fn load_config() -> Result<AgentConfig, AgentError> {
         pentest_verification_email: env_var_opt("PENTEST_VERIFICATION_EMAIL"),
         pentest_imap_host: env_var_opt("PENTEST_IMAP_HOST"),
         pentest_imap_port: env_var_opt("PENTEST_IMAP_PORT").and_then(|p| p.parse().ok()),
+        pentest_imap_tls: env_var_opt("PENTEST_IMAP_TLS")
+            .map(|v| v == "1" || v.eq_ignore_ascii_case("true"))
+            .unwrap_or(true),
         pentest_imap_username: env_var_opt("PENTEST_IMAP_USERNAME"),
         pentest_imap_password: env_secret_opt("PENTEST_IMAP_PASSWORD"),
     })

compliance-agent/src/pentest/cleanup.rs

@@ -336,6 +336,7 @@ mod tests {
             pentest_verification_email: None,
             pentest_imap_host: None,
             pentest_imap_port: None,
+            pentest_imap_tls: true,
             pentest_imap_username: None,
             pentest_imap_password: None,
         }