From 4a4136e4a61c23d74ce8d46c2c0e3b829c1c658c Mon Sep 17 00:00:00 2001
From: sysops <sysops@LenovoT14Gen5>
Date: Fri, 20 Mar 2026 00:32:25 +0100
Subject: [PATCH] feat: FQDN-Support, IMAP-TLS und SMTP-TLS via Master-Cert
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- config: IMAPServerConfig um TLSCert/TLSKey erweitert
- imapserver: TLS-Support (tls.Listen) mit automatischem Port 993-Default
- Server-Konfiguration: FQDN archivmail.scahome.local
  - nginx server_name auf archivmail.scahome.local gesetzt
  - SMTP domain auf archivmail.scahome.local
  - SMTP TLS aktiviert (/etc/ssl/archivmail/archivmail.crt)
  - IMAP-Server TLS auf Port 993 aktiviert
  - secure_cookies: true (HTTPS)
  - Firewall: Port 993 geöffnet
  - Zertifikat neu ausgestellt (SAN: archivmail.scahome.local + archivmail + 192.168.1.131)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 config/config.go              |  4 +++-
 internal/imapserver/server.go | 31 +++++++++++++++++++++++++++----
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/config/config.go b/config/config.go
index 0b3d887..7657e04 100644
--- a/config/config.go
+++ b/config/config.go
@@ -35,7 +35,9 @@ type Config struct {
 // IMAPServerConfig holds settings for the embedded read-only IMAP archive server.
 type IMAPServerConfig struct {
 	Enabled bool   `yaml:"enabled"`
-	Bind    string `yaml:"bind"` // default: "127.0.0.1:1143"
+	Bind    string `yaml:"bind"`    // plain: ":1143", TLS: ":993"
+	TLSCert string `yaml:"tls_cert"` // path to PEM certificate; if set, TLS is enabled
+	TLSKey  string `yaml:"tls_key"`  // path to PEM private key
 }
 
 // ServerConfig holds port settings for the main services.
diff --git a/internal/imapserver/server.go b/internal/imapserver/server.go
index 7b880c6..f77817a 100644
--- a/internal/imapserver/server.go
+++ b/internal/imapserver/server.go
@@ -9,6 +9,7 @@ package imapserver
 import (
 	"bufio"
 	"context"
+	"crypto/tls"
 	"fmt"
 	"log/slog"
 	"net"
@@ -81,12 +82,34 @@ func New(
 func (s *Server) Start() error {
 	bind := s.cfg.Bind
 	if bind == "" {
-		bind = "127.0.0.1:1143"
+		if s.cfg.TLSCert != "" {
+			bind = ":993"
+		} else {
+			bind = "127.0.0.1:1143"
+		}
 	}
 
-	ln, err := net.Listen("tcp", bind)
-	if err != nil {
-		return fmt.Errorf("imapserver: listen %s: %w", bind, err)
+	var ln net.Listener
+	var err error
+	if s.cfg.TLSCert != "" && s.cfg.TLSKey != "" {
+		cert, err := tls.LoadX509KeyPair(s.cfg.TLSCert, s.cfg.TLSKey)
+		if err != nil {
+			return fmt.Errorf("imapserver: load TLS cert: %w", err)
+		}
+		tlsCfg := &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			MinVersion:   tls.VersionTLS12,
+		}
+		ln, err = tls.Listen("tcp", bind, tlsCfg)
+		if err != nil {
+			return fmt.Errorf("imapserver: tls listen %s: %w", bind, err)
+		}
+		s.logger.Info("IMAP archive server TLS enabled", "addr", bind)
+	} else {
+		ln, err = net.Listen("tcp", bind)
+		if err != nil {
+			return fmt.Errorf("imapserver: listen %s: %w", bind, err)
+		}
 	}
 
 	s.mu.Lock()