fix(security): Kritische Sicherheitslücken beheben (SEC-01/02/03/05/08/17/22/26/28)

- SEC-01: Privilege Escalation verhindert — Rollenhierarchie in Create/Update/DeleteUser
- SEC-02: Tenant-Isolation in Update/DeleteUser — domain_admin nur eigene Nutzer
- SEC-03: IMAP/POP3 Owner-Check via auth.HasRole statt direktem String-Vergleich
- SEC-05: Export PDF/ZIP prüft Tenant-Zugehörigkeit vor Dateiausgabe
- SEC-08: HKDF-SHA256 trennt JWT-Secret von AES-Key (archivmail-jwt-v1 / archivmail-aes-v1)
- SEC-17: handleSecurityFix erfordert requireRole(superadmin)
- SEC-22: Mail-ID Regex [0-9a-f]{64} in allen Handlern (Path-Traversal-Schutz)
- SEC-26: SMTP Fail-Closed — leere AllowedIPs blockiert alles statt zu erlauben
- SEC-28: handleGetRaw — Parse-Fehler bricht ab statt Fallthrough zu Dateizugriff

BREAKING: IMAP/POP3/LDAP-Passwörter müssen nach Deploy einmalig neu eingegeben
werden (neuer AES-Key). JWT-Sessions laufen ab (einmaliges Re-Login nötig).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/smtpd/smtpd.go

@@ -310,11 +310,12 @@ func (s *session) Logout() error {
 
 // ── Helpers ───────────────────────────────────────────────────────────────
 
-// isAllowed returns true if the IP is in the allowlist, or if the allowlist
-// is empty (allow-all mode for development).
+// isAllowed returns true if the IP is in the allowlist.
+// SEC-26: Fail-closed — empty allowlist means NO IP is allowed (was fail-open before).
+// To allow all IPs, set allowed_ips: ["0.0.0.0/0", "::/0"] explicitly in config.
 func (d *Daemon) isAllowed(ip string) bool {
 	if len(d.cfg.AllowedIPs) == 0 {
-		return true // no restriction configured
+		return false // fail-closed: no IPs configured = block everything
 	}
 	for _, allowed := range d.cfg.AllowedIPs {
 		// Support CIDR notation (e.g. 192.168.1.0/24)