fix(mailserver): Enable submission/smtps/pop3s ports

- Add fix-ports command to enable ports 587, 465, 995
- Install dovecot-pop3d package for POP3S support
- Add submission/smtps services to Postfix master.cf
- Uncomment pop3s/imaps SSL listeners in Dovecot
- Add Fix Ports button to LuCI Quick Actions
- Include dovecot-pop3d in initial container setup

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.claude/HISTORY.md

@@ -639,3 +639,27 @@ _Last updated: 2026-02-07_
     - **RPCD methods**: status, results, score, compliance, check, pending, history, suggest, remediate, remediate_safe, set_config
     - **UCI configuration**: main (enabled, check_interval, auto_remediate), compliance (framework, strict_mode), scoring (passing_score, weights), categories (enable/disable), localai (url, model)
     - Part of v1.0.0 certification roadmap (ANSSI CSPN compliance tooling).
+
+43. **Mail Server Port Fixes & Password Reset (2026-02-07)**
+    - Fixed mail ports 587 (Submission), 465 (SMTPS), and 995 (POP3S) not listening.
+    - **Root causes identified**:
+      - Postfix master.cf missing submission and smtps service entries
+      - Dovecot 10-master.conf had pop3s listener commented out
+      - `dovecot-pop3d` package not installed in Alpine LXC container
+    - **mailctl fix-ports command**:
+      - Adds submission (587) service to Postfix master.cf with SASL auth
+      - Adds smtps (465) service with TLS wrapper mode
+      - Installs `dovecot-pop3d` if missing
+      - Uncomments pop3/pop3s listeners in Dovecot 10-master.conf
+      - Enables SSL on pop3s (995) and imaps (993) listeners
+      - Restarts Postfix and Dovecot to apply changes
+    - **LuCI password reset feature**:
+      - Added "Reset Password" button in mail users table
+      - Modal dialog with password and confirmation fields
+      - RPCD `user_passwd` method with stdin JSON fallback
+      - `callUserPasswd` RPC declaration in overview.js
+    - **LuCI Fix Ports button**:
+      - Added to Quick Actions section
+      - RPCD `fix_ports` method wrapping CLI command
+      - Visual feedback with modal spinner
+    - Updated container.sh to include `dovecot-pop3d` in initial package list.

.claude/WIP.md

@@ -102,6 +102,13 @@ _Last updated: 2026-02-07_
   - This blocked Thunderbird from connecting to external mail (ssl0.ovh.net)
   - Fix: Added `-i $WAN_IF` to only redirect inbound WAN traffic
 
+- **Mail Ports 587/465/995 Not Listening** — RESOLVED (2026-02-07)
+  - Root cause: Postfix master.cf missing submission/smtps entries
+  - Dovecot 10-master.conf had pop3s commented out
+  - `dovecot-pop3d` package not installed in container
+  - Fix: Added `mailctl fix-ports` command to enable all mail ports
+  - Also added password reset for mail users in LuCI dashboard
+
 ### Just Completed
 
 - **Unified Backup Manager** — DONE (2026-02-05)

package/secubox/luci-app-mailserver/htdocs/luci-static/resources/view/mailserver/overview.js

@@ -99,6 +99,12 @@ var callMeshBackup = rpc.declare({
 	expect: {}
 });
 
+var callFixPorts = rpc.declare({
+	object: 'luci.mailserver',
+	method: 'fix_ports',
+	expect: {}
+});
+
 return view.extend({
 	load: function() {
 		return Promise.all([
@@ -188,7 +194,11 @@ return view.extend({
 					E('button', {
 						'class': 'btn cbi-button-neutral',
 						'click': ui.createHandlerFn(this, this.doMeshBackup)
-					}, 'Mesh Backup')
+					}, 'Mesh Backup'),
+					E('button', {
+						'class': 'btn cbi-button-neutral',
+						'click': ui.createHandlerFn(this, this.doFixPorts)
+					}, 'Fix Ports')
 				])
 			]),
 
@@ -544,6 +554,21 @@ return view.extend({
 		});
 	},
 
+	doFixPorts: function() {
+		ui.showModal('Fixing Ports', [
+			E('p', { 'class': 'spinning' }, 'Enabling submission (587), smtps (465), and POP3S (995) ports...')
+		]);
+		return callFixPorts().then(function(res) {
+			ui.hideModal();
+			if (res.code === 0) {
+				ui.addNotification(null, E('p', 'Ports enabled successfully'), 'success');
+			} else {
+				ui.addNotification(null, E('p', res.output || 'Some ports may still not be listening'), 'warning');
+			}
+			window.location.reload();
+		});
+	},
+
 	handleSaveApply: null,
 	handleSave: null,
 	handleReset: null

package/secubox/luci-app-mailserver/root/usr/libexec/rpcd/luci.mailserver

@@ -27,7 +27,8 @@ case "$1" in
 			"ssl_setup": {},
 			"webmail_configure": {},
 			"mesh_backup": {},
-			"mesh_sync": { "mode": "string" }
+			"mesh_sync": { "mode": "string" },
+			"fix_ports": {}
 		}
 		EOF
 		;;
@@ -333,6 +334,14 @@ case "$1" in
 				json_add_string "output" "$output"
 				json_dump
 				;;
+
+			fix_ports)
+				json_init
+				output=$($MAILCTL fix-ports 2>&1)
+				json_add_int "code" "$?"
+				json_add_string "output" "$output"
+				json_dump
+				;;
 		esac
 		;;
 esac

package/secubox/secubox-app-mailserver/files/usr/lib/mailserver/container.sh

@@ -71,7 +71,7 @@ EOF
 	cat > "$rootfs/root/setup.sh" << 'SETUP'
 #!/bin/sh
 apk update
-apk add postfix postfix-pcre dovecot dovecot-lmtpd dovecot-pigeonhole-plugin rspamd opendkim
+apk add postfix postfix-pcre dovecot dovecot-lmtpd dovecot-pop3d dovecot-pigeonhole-plugin rspamd opendkim
 # Configure Dovecot for local plaintext auth (needed for Docker webmail containers)
 echo "disable_plaintext_auth = no" >> /etc/dovecot/dovecot.conf
 # Configure postfix

package/secubox/secubox-app-mailserver/files/usr/sbin/mailctl

@@ -324,6 +324,95 @@ cmd_fix_postfix() {
 	log "If you still see errors, restart the container: mailctl restart"
 }
 
+cmd_fix_ports() {
+	local container=$(uci_get main.container)
+	container="${container:-mailserver}"
+
+	log "Enabling submission (587), smtps (465), and POP3S (995) ports..."
+
+	lxc-attach -n "$container" -- sh -c '
+		# Enable submission port (587) in master.cf
+		if ! grep -q "^submission " /etc/postfix/master.cf; then
+			echo "submission inet n       -       n       -       -       smtpd" >> /etc/postfix/master.cf
+			echo "  -o syslog_name=postfix/submission" >> /etc/postfix/master.cf
+			echo "  -o smtpd_tls_security_level=encrypt" >> /etc/postfix/master.cf
+			echo "  -o smtpd_sasl_auth_enable=yes" >> /etc/postfix/master.cf
+			echo "  -o smtpd_tls_auth_only=yes" >> /etc/postfix/master.cf
+			echo "  -o smtpd_reject_unlisted_recipient=no" >> /etc/postfix/master.cf
+			echo "  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject" >> /etc/postfix/master.cf
+			echo "  -o milter_macro_daemon_name=ORIGINATING" >> /etc/postfix/master.cf
+		fi
+
+		# Enable smtps port (465) in master.cf
+		if ! grep -q "^smtps " /etc/postfix/master.cf; then
+			echo "smtps     inet  n       -       n       -       -       smtpd" >> /etc/postfix/master.cf
+			echo "  -o syslog_name=postfix/smtps" >> /etc/postfix/master.cf
+			echo "  -o smtpd_tls_wrappermode=yes" >> /etc/postfix/master.cf
+			echo "  -o smtpd_sasl_auth_enable=yes" >> /etc/postfix/master.cf
+			echo "  -o smtpd_reject_unlisted_recipient=no" >> /etc/postfix/master.cf
+			echo "  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject" >> /etc/postfix/master.cf
+			echo "  -o milter_macro_daemon_name=ORIGINATING" >> /etc/postfix/master.cf
+		fi
+
+		# Restart Postfix to apply master.cf changes
+		postfix stop 2>/dev/null
+		postfix start
+
+		# Install dovecot-pop3d if missing
+		if [ ! -f /usr/libexec/dovecot/pop3 ]; then
+			apk add dovecot-pop3d 2>/dev/null
+		fi
+
+		# Configure Dovecot for POP3S (995)
+		if [ -f /etc/dovecot/dovecot.conf ]; then
+			# Enable POP3 protocol
+			if ! grep -q "protocols.*pop3" /etc/dovecot/dovecot.conf; then
+				sed -i "s/^protocols = .*/& pop3/" /etc/dovecot/dovecot.conf
+			fi
+			# If no protocols line exists, add one
+			grep -q "^protocols" /etc/dovecot/dovecot.conf || \
+				echo "protocols = imap pop3 lmtp" >> /etc/dovecot/dovecot.conf
+
+			# Configure POP3S listener - uncomment ports in 10-master.conf
+			if [ -f /etc/dovecot/conf.d/10-master.conf ]; then
+				# Uncomment and enable pop3s with SSL
+				sed -i "/service pop3-login/,/^}/ {
+					s/#port = 110/port = 110/
+					s/#port = 995/port = 995/
+					s/#ssl = yes/ssl = yes/
+				}" /etc/dovecot/conf.d/10-master.conf
+
+				# Also ensure IMAPS is properly enabled
+				sed -i "/service imap-login/,/^}/ {
+					s/#port = 143/port = 143/
+					s/#port = 993/port = 993/
+					s/#ssl = yes/ssl = yes/
+				}" /etc/dovecot/conf.d/10-master.conf
+			fi
+		fi
+
+		# Restart Dovecot to apply changes
+		rc-service dovecot restart 2>/dev/null || {
+			killall dovecot 2>/dev/null
+			sleep 1
+			dovecot
+		}
+	'
+
+	log "Ports enabled. Checking status..."
+	sleep 2
+
+	# Verify ports
+	local ports_status=$(lxc-attach -n "$container" -- netstat -tln 2>/dev/null)
+	for port in 587 465 995; do
+		if echo "$ports_status" | grep -q ":$port "; then
+			log "Port $port: listening"
+		else
+			warn "Port $port: still not listening"
+		fi
+	done
+}
+
 # ============================================================================
 # Logs & Diagnostics
 # ============================================================================
@@ -550,6 +639,7 @@ Diagnostics:
   test <email>         Send test email
   ssl-status           Show SSL cert info
   fix-postfix          Fix LMDB maps and DNS resolution
+  fix-ports            Enable submission/smtps/pop3s ports
 
 Examples:
   mailctl install
@@ -582,6 +672,7 @@ case "${1:-}" in
 	test)        shift; cmd_test "$@" ;;
 	report)      shift; cmd_report "$@" ;;
 	fix-postfix) shift; cmd_fix_postfix "$@" ;;
+	fix-ports)   shift; cmd_fix_ports "$@" ;;
 	help|--help|-h|'') show_help ;;
 	*)           error "Unknown command: $1"; show_help >&2; exit 1 ;;
 esac