fix: require TLS for IMAP auth, close port 143 (CERT-Bund compliance)

- Remove port 143 from mailserver (only expose 993/IMAPS)
- Enable SSL_TYPE=manual with Let's Encrypt certs
- Set DOVECOT_DISABLE_PLAINTEXT_AUTH=yes
- Add pentest_imap_tls config field (defaults to true)

Fixes CERT-Bund report: IMAP PLAIN/LOGIN without TLS on 46.225.100.82:143

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/docker-compose.mailserver.yml

@@ -8,14 +8,14 @@ services:
     container_name: mailserver
     ports:
       - "25:25"      # SMTP (inbound mail)
-      - "143:143"    # IMAP (orchestrator reads mail)
-      - "993:993"    # IMAPS (TLS)
-      - "587:587"    # Submission (outbound, if needed)
+      - "993:993"    # IMAPS (TLS-only)
+      - "587:587"    # Submission (STARTTLS)
     volumes:
       - maildata:/var/mail
       - mailstate:/var/mail-state
       - maillogs:/var/log/mail
       - /etc/localtime:/etc/localtime:ro
+      - /etc/letsencrypt:/etc/letsencrypt:ro
     environment:
       # Hostname
       - OVERRIDE_HOSTNAME=mail.scanner.meghsakha.com
@@ -34,8 +34,14 @@ services:
       # Plus-addressing (critical for pentest)
       - POSTFIX_RECIPIENT_DELIMITER=+
 
-      # SSL (start with no TLS, add Let's Encrypt later)
-      - SSL_TYPE=
+      # TLS — use Let's Encrypt certs mounted from Coolify/Caddy
+      - SSL_TYPE=manual
+      - SSL_CERT_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/fullchain.pem
+      - SSL_KEY_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/privkey.pem
+
+      # Require TLS before accepting PLAIN/LOGIN auth (CERT-Bund compliance)
+      # Disable plaintext auth on unencrypted connections
+      - DOVECOT_DISABLE_PLAINTEXT_AUTH=yes
 
       # Accept mail for our domain
       - PERMIT_DOCKER=none