feat(M42): Postfix/Dovecot mail server target connector

Dual-mode TLS connector for mail servers — single package with mode
field selecting Postfix or Dovecot defaults. File-based cert/key
deployment with correct permissions (cert 0644, key 0600), optional
chain append, shell injection prevention, and configurable
reload/validate commands. 18 tests covering config validation,
deployment, and security. GUI wizard fields and OpenAPI enum updated.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/connector/target/postfix/postfix.go

@@ -0,0 +1,310 @@
+package postfix
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/connector/target"
+	"github.com/shankar0123/certctl/internal/validation"
+)
+
+// Config represents the Postfix/Dovecot deployment target configuration.
+// This connector supports dual-mode operation: "postfix" for Postfix MTA
+// and "dovecot" for Dovecot IMAP/POP3. The mode determines default file
+// paths and reload commands. Both modes write cert/key/chain files and
+// reload the mail service.
+type Config struct {
+	Mode            string `json:"mode"`              // "postfix" (default) or "dovecot"
+	CertPath        string `json:"cert_path"`         // Path where cert will be written
+	KeyPath         string `json:"key_path"`           // Path where private key will be written
+	ChainPath       string `json:"chain_path"`         // Path where CA chain will be written (optional — if empty, chain appended to cert)
+	ReloadCommand   string `json:"reload_command"`     // Command to reload service
+	ValidateCommand string `json:"validate_command"`   // Optional command to validate config before reload
+}
+
+// Connector implements the target.Connector interface for Postfix and Dovecot
+// mail servers. This connector runs on the AGENT side and handles local
+// certificate deployment for mail server TLS (STARTTLS, SMTPS, IMAPS, POP3S).
+type Connector struct {
+	config *Config
+	logger *slog.Logger
+}
+
+// New creates a new Postfix/Dovecot target connector with the given configuration and logger.
+func New(config *Config, logger *slog.Logger) *Connector {
+	return &Connector{
+		config: config,
+		logger: logger,
+	}
+}
+
+// applyDefaults sets mode-specific default values for any unconfigured fields.
+func applyDefaults(cfg *Config) {
+	if cfg.Mode == "" {
+		cfg.Mode = "postfix"
+	}
+
+	switch cfg.Mode {
+	case "dovecot":
+		if cfg.CertPath == "" {
+			cfg.CertPath = "/etc/dovecot/certs/cert.pem"
+		}
+		if cfg.KeyPath == "" {
+			cfg.KeyPath = "/etc/dovecot/certs/key.pem"
+		}
+		if cfg.ReloadCommand == "" {
+			cfg.ReloadCommand = "doveadm reload"
+		}
+		if cfg.ValidateCommand == "" {
+			cfg.ValidateCommand = "doveconf -n"
+		}
+	default: // "postfix"
+		if cfg.CertPath == "" {
+			cfg.CertPath = "/etc/postfix/certs/cert.pem"
+		}
+		if cfg.KeyPath == "" {
+			cfg.KeyPath = "/etc/postfix/certs/key.pem"
+		}
+		if cfg.ReloadCommand == "" {
+			cfg.ReloadCommand = "postfix reload"
+		}
+		if cfg.ValidateCommand == "" {
+			cfg.ValidateCommand = "postfix check"
+		}
+	}
+}
+
+// ValidateConfig checks that the configuration is valid for the selected mode.
+// It applies mode-specific defaults, validates shell commands against injection,
+// and verifies the certificate directory exists.
+func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessage) error {
+	var cfg Config
+	if err := json.Unmarshal(rawConfig, &cfg); err != nil {
+		return fmt.Errorf("invalid mail server config: %w", err)
+	}
+
+	// Validate mode
+	if cfg.Mode != "" && cfg.Mode != "postfix" && cfg.Mode != "dovecot" {
+		return fmt.Errorf("invalid mode %q: must be \"postfix\" or \"dovecot\"", cfg.Mode)
+	}
+
+	// Apply mode-specific defaults
+	applyDefaults(&cfg)
+
+	// Validate commands to prevent injection attacks
+	if err := validation.ValidateShellCommand(cfg.ReloadCommand); err != nil {
+		return fmt.Errorf("invalid reload_command: %w", err)
+	}
+	if cfg.ValidateCommand != "" {
+		if err := validation.ValidateShellCommand(cfg.ValidateCommand); err != nil {
+			return fmt.Errorf("invalid validate_command: %w", err)
+		}
+	}
+
+	c.logger.Info("validating mail server configuration",
+		"mode", cfg.Mode,
+		"cert_path", cfg.CertPath,
+		"key_path", cfg.KeyPath,
+		"chain_path", cfg.ChainPath)
+
+	// Verify certificate directory exists
+	certDir := filepath.Dir(cfg.CertPath)
+	if _, err := os.Stat(certDir); os.IsNotExist(err) {
+		return fmt.Errorf("%s cert directory does not exist: %s", cfg.Mode, certDir)
+	}
+
+	// Verify validate command works (best-effort — service might not be installed yet)
+	if cfg.ValidateCommand != "" {
+		cmd := exec.CommandContext(ctx, "sh", "-c", cfg.ValidateCommand)
+		if err := cmd.Run(); err != nil {
+			c.logger.Warn("config validation command failed during config check",
+				"error", err,
+				"mode", cfg.Mode,
+				"validate_command", cfg.ValidateCommand)
+		}
+	}
+
+	c.config = &cfg
+	c.logger.Info("mail server configuration validated", "mode", cfg.Mode)
+	return nil
+}
+
+// DeployCertificate writes the certificate, key, and chain to the configured paths
+// and reloads the mail service to pick up the new certificates.
+//
+// Steps:
+// 1. Write certificate to cert_path with mode 0644 (if chain_path empty, append chain)
+// 2. Write private key to key_path with mode 0600
+// 3. If chain_path is set, write chain separately with mode 0644
+// 4. Validate configuration (if validate_command is set)
+// 5. Reload service
+func (c *Connector) DeployCertificate(ctx context.Context, request target.DeploymentRequest) (*target.DeploymentResult, error) {
+	c.logger.Info("deploying certificate to mail server",
+		"mode", c.config.Mode,
+		"cert_path", c.config.CertPath,
+		"key_path", c.config.KeyPath)
+
+	startTime := time.Now()
+
+	// Build certificate data: if chain_path is set, write chain separately;
+	// otherwise append chain to cert file (fullchain behavior)
+	certData := request.CertPEM
+	if request.ChainPEM != "" && c.config.ChainPath == "" {
+		certData += "\n" + request.ChainPEM
+	}
+
+	// Write certificate with mode 0644 (rw-r--r--)
+	if err := os.WriteFile(c.config.CertPath, []byte(certData), 0644); err != nil {
+		errMsg := fmt.Sprintf("failed to write certificate: %v", err)
+		c.logger.Error("certificate deployment failed", "error", err)
+		return &target.DeploymentResult{
+			Success:       false,
+			TargetAddress: c.config.CertPath,
+			Message:       errMsg,
+			DeployedAt:    time.Now(),
+		}, fmt.Errorf("%s", errMsg)
+	}
+
+	// Write private key with secure permissions (0600: rw-------)
+	if c.config.KeyPath != "" && request.KeyPEM != "" {
+		if err := os.WriteFile(c.config.KeyPath, []byte(request.KeyPEM), 0600); err != nil {
+			errMsg := fmt.Sprintf("failed to write private key: %v", err)
+			c.logger.Error("key deployment failed", "error", err)
+			return &target.DeploymentResult{
+				Success:       false,
+				TargetAddress: c.config.KeyPath,
+				Message:       errMsg,
+				DeployedAt:    time.Now(),
+			}, fmt.Errorf("%s", errMsg)
+		}
+		c.logger.Info("private key written", "key_path", c.config.KeyPath)
+	}
+
+	// Write chain separately if chain_path is configured
+	if c.config.ChainPath != "" && request.ChainPEM != "" {
+		if err := os.WriteFile(c.config.ChainPath, []byte(request.ChainPEM), 0644); err != nil {
+			errMsg := fmt.Sprintf("failed to write chain: %v", err)
+			c.logger.Error("chain deployment failed", "error", err)
+			return &target.DeploymentResult{
+				Success:       false,
+				TargetAddress: c.config.ChainPath,
+				Message:       errMsg,
+				DeployedAt:    time.Now(),
+			}, fmt.Errorf("%s", errMsg)
+		}
+	}
+
+	// Validate configuration before reload
+	if c.config.ValidateCommand != "" {
+		c.logger.Debug("validating configuration", "validate_command", c.config.ValidateCommand)
+		validateCmd := exec.CommandContext(ctx, "sh", "-c", c.config.ValidateCommand)
+		if output, err := validateCmd.CombinedOutput(); err != nil {
+			errMsg := fmt.Sprintf("%s config validation failed: %v (output: %s)", c.config.Mode, err, string(output))
+			c.logger.Error("config validation failed", "error", err, "output", string(output))
+			return &target.DeploymentResult{
+				Success:       false,
+				TargetAddress: c.config.CertPath,
+				Message:       errMsg,
+				DeployedAt:    time.Now(),
+			}, fmt.Errorf("%s", errMsg)
+		}
+	}
+
+	// Reload service
+	c.logger.Debug("reloading service", "reload_command", c.config.ReloadCommand)
+	reloadCmd := exec.CommandContext(ctx, "sh", "-c", c.config.ReloadCommand)
+	if output, err := reloadCmd.CombinedOutput(); err != nil {
+		errMsg := fmt.Sprintf("%s reload failed: %v (output: %s)", c.config.Mode, err, string(output))
+		c.logger.Error("service reload failed", "error", err, "output", string(output))
+		return &target.DeploymentResult{
+			Success:       false,
+			TargetAddress: c.config.CertPath,
+			Message:       errMsg,
+			DeployedAt:    time.Now(),
+		}, fmt.Errorf("%s", errMsg)
+	}
+
+	deploymentDuration := time.Since(startTime)
+	c.logger.Info("certificate deployed to mail server successfully",
+		"mode", c.config.Mode,
+		"duration", deploymentDuration.String(),
+		"cert_path", c.config.CertPath)
+
+	return &target.DeploymentResult{
+		Success:       true,
+		TargetAddress: c.config.CertPath,
+		DeploymentID:  fmt.Sprintf("%s-%d", c.config.Mode, time.Now().Unix()),
+		Message:       fmt.Sprintf("Certificate deployed and %s reloaded successfully", c.config.Mode),
+		DeployedAt:    time.Now(),
+		Metadata: map[string]string{
+			"cert_path":   c.config.CertPath,
+			"key_path":    c.config.KeyPath,
+			"mode":        c.config.Mode,
+			"duration_ms": fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
+		},
+	}, nil
+}
+
+// ValidateDeployment verifies that the deployed certificate is valid and accessible.
+// It runs the validate command (if configured) and checks that the cert file exists.
+func (c *Connector) ValidateDeployment(ctx context.Context, request target.ValidationRequest) (*target.ValidationResult, error) {
+	c.logger.Info("validating mail server deployment",
+		"mode", c.config.Mode,
+		"certificate_id", request.CertificateID,
+		"serial", request.Serial)
+
+	startTime := time.Now()
+
+	// Validate configuration if validate command is set
+	if c.config.ValidateCommand != "" {
+		validateCmd := exec.CommandContext(ctx, "sh", "-c", c.config.ValidateCommand)
+		if output, err := validateCmd.CombinedOutput(); err != nil {
+			errMsg := fmt.Sprintf("%s config validation failed: %v (output: %s)", c.config.Mode, err, string(output))
+			c.logger.Error("validation failed", "error", err)
+			return &target.ValidationResult{
+				Valid:         false,
+				Serial:        request.Serial,
+				TargetAddress: c.config.CertPath,
+				Message:       errMsg,
+				ValidatedAt:   time.Now(),
+			}, fmt.Errorf("%s", errMsg)
+		}
+	}
+
+	// Verify certificate file exists and is readable
+	if _, err := os.Stat(c.config.CertPath); os.IsNotExist(err) {
+		errMsg := fmt.Sprintf("certificate file not found: %s", c.config.CertPath)
+		c.logger.Error("validation failed", "error", err)
+		return &target.ValidationResult{
+			Valid:         false,
+			Serial:        request.Serial,
+			TargetAddress: c.config.CertPath,
+			Message:       errMsg,
+			ValidatedAt:   time.Now(),
+		}, fmt.Errorf("%s", errMsg)
+	}
+
+	validationDuration := time.Since(startTime)
+	c.logger.Info("mail server deployment validated successfully",
+		"mode", c.config.Mode,
+		"duration", validationDuration.String())
+
+	return &target.ValidationResult{
+		Valid:         true,
+		Serial:        request.Serial,
+		TargetAddress: c.config.CertPath,
+		Message:       fmt.Sprintf("%s configuration valid and certificate accessible", c.config.Mode),
+		ValidatedAt:   time.Now(),
+		Metadata: map[string]string{
+			"mode":             c.config.Mode,
+			"validate_command": c.config.ValidateCommand,
+			"duration_ms":      fmt.Sprintf("%d", validationDuration.Milliseconds()),
+		},
+	}, nil
+}

internal/connector/target/postfix/postfix_test.go

@@ -0,0 +1,530 @@
+package postfix_test
+
+import (
+	"context"
+	"encoding/json"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/connector/target"
+	"github.com/shankar0123/certctl/internal/connector/target/postfix"
+)
+
+// --- Config Validation Tests ---
+
+func TestPostfixConnector_ValidateConfig_Success(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := postfix.Config{
+		Mode:            "postfix",
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		KeyPath:         filepath.Join(tmpDir, "key.pem"),
+		ChainPath:       filepath.Join(tmpDir, "chain.pem"),
+		ReloadCommand:   "true",
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err != nil {
+		t.Fatalf("ValidateConfig failed: %v", err)
+	}
+}
+
+func TestPostfixConnector_ValidateConfig_DovecotMode(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := postfix.Config{
+		Mode:            "dovecot",
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		KeyPath:         filepath.Join(tmpDir, "key.pem"),
+		ReloadCommand:   "true",
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err != nil {
+		t.Fatalf("ValidateConfig for dovecot mode failed: %v", err)
+	}
+}
+
+func TestPostfixConnector_ValidateConfig_InvalidJSON(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	connector := postfix.New(&postfix.Config{}, logger)
+	err := connector.ValidateConfig(ctx, json.RawMessage(`{invalid}`))
+	if err == nil {
+		t.Fatal("expected error for invalid JSON")
+	}
+}
+
+func TestPostfixConnector_ValidateConfig_InvalidMode(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	cfg := postfix.Config{
+		Mode:          "nginx",
+		CertPath:      "/tmp/cert.pem",
+		ReloadCommand: "true",
+	}
+
+	connector := postfix.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err == nil {
+		t.Fatal("expected error for invalid mode")
+	}
+	if !strings.Contains(err.Error(), "invalid mode") {
+		t.Fatalf("expected 'invalid mode' error, got: %v", err)
+	}
+}
+
+func TestPostfixConnector_ValidateConfig_DirectoryNotExists(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	cfg := postfix.Config{
+		Mode:            "postfix",
+		CertPath:        "/nonexistent/directory/cert.pem",
+		KeyPath:         "/nonexistent/directory/key.pem",
+		ReloadCommand:   "true",
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err == nil {
+		t.Fatal("expected error for non-existent cert directory")
+	}
+}
+
+func TestPostfixConnector_ValidateConfig_MissingCertPath(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	// An empty config with mode=postfix will get defaults applied.
+	// The defaults point to /etc/postfix/certs/ which won't exist in test,
+	// so this will fail at directory check — which is fine; it validates that
+	// defaults are applied and path validation catches missing dirs.
+	cfg := postfix.Config{
+		Mode:            "postfix",
+		ReloadCommand:   "true",
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err == nil {
+		t.Fatal("expected error when default cert directory doesn't exist")
+	}
+}
+
+func TestPostfixConnector_ValidateConfig_DefaultsApplied(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	// Create a directory matching the postfix default path structure
+	tmpDir := t.TempDir()
+	certDir := filepath.Join(tmpDir, "postfix", "certs")
+	os.MkdirAll(certDir, 0755)
+
+	cfg := postfix.Config{
+		Mode:     "postfix",
+		CertPath: filepath.Join(certDir, "cert.pem"),
+		KeyPath:  filepath.Join(certDir, "key.pem"),
+		// Leave ReloadCommand and ValidateCommand empty to get defaults
+	}
+
+	connector := postfix.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+
+	// Defaults will be applied for reload/validate commands.
+	// The validate command will be "postfix check" which won't exist in test env
+	// but ValidateConfig only warns on validate command failure (doesn't error).
+	// The reload command "postfix reload" will be validated by ValidateShellCommand.
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err != nil {
+		t.Fatalf("ValidateConfig with defaults failed: %v", err)
+	}
+}
+
+// --- Deployment Tests ---
+
+func TestPostfixConnector_DeployCertificate_Success(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := &postfix.Config{
+		Mode:            "postfix",
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		KeyPath:         filepath.Join(tmpDir, "key.pem"),
+		ChainPath:       filepath.Join(tmpDir, "chain.pem"),
+		ReloadCommand:   "true",
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(cfg, logger)
+
+	req := target.DeploymentRequest{
+		CertPEM:  "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----",
+		KeyPEM:   "-----BEGIN PRIVATE KEY-----\nkey\n-----END PRIVATE KEY-----",
+		ChainPEM: "-----BEGIN CERTIFICATE-----\nchain\n-----END CERTIFICATE-----",
+	}
+
+	result, err := connector.DeployCertificate(ctx, req)
+	if err != nil {
+		t.Fatalf("DeployCertificate failed: %v", err)
+	}
+	if !result.Success {
+		t.Fatalf("expected success, got: %s", result.Message)
+	}
+
+	// Verify cert file was written (just cert, not chain — since chain_path is set)
+	certData, err := os.ReadFile(cfg.CertPath)
+	if err != nil {
+		t.Fatalf("failed to read cert file: %v", err)
+	}
+	if string(certData) != req.CertPEM {
+		t.Errorf("cert content mismatch: got %q", string(certData))
+	}
+
+	// Verify key file was written
+	keyData, err := os.ReadFile(cfg.KeyPath)
+	if err != nil {
+		t.Fatalf("failed to read key file: %v", err)
+	}
+	if string(keyData) != req.KeyPEM {
+		t.Errorf("key content mismatch")
+	}
+
+	// Verify chain file was written
+	chainData, err := os.ReadFile(cfg.ChainPath)
+	if err != nil {
+		t.Fatalf("failed to read chain file: %v", err)
+	}
+	if string(chainData) != req.ChainPEM {
+		t.Errorf("chain content mismatch")
+	}
+
+	// Verify cert has correct permissions (0644)
+	info, err := os.Stat(cfg.CertPath)
+	if err != nil {
+		t.Fatalf("failed to stat cert file: %v", err)
+	}
+	if info.Mode().Perm() != 0644 {
+		t.Errorf("expected cert permissions 0644, got %v", info.Mode().Perm())
+	}
+
+	// Verify key has correct permissions (0600)
+	info, err = os.Stat(cfg.KeyPath)
+	if err != nil {
+		t.Fatalf("failed to stat key file: %v", err)
+	}
+	if info.Mode().Perm() != 0600 {
+		t.Errorf("expected key permissions 0600, got %v", info.Mode().Perm())
+	}
+
+	// Verify metadata
+	if result.Metadata == nil {
+		t.Fatal("expected metadata in result")
+	}
+	if result.Metadata["cert_path"] != cfg.CertPath {
+		t.Errorf("expected cert_path in metadata")
+	}
+	if result.Metadata["mode"] != "postfix" {
+		t.Errorf("expected mode=postfix in metadata, got %s", result.Metadata["mode"])
+	}
+	if _, ok := result.Metadata["duration_ms"]; !ok {
+		t.Errorf("expected duration_ms in metadata")
+	}
+}
+
+func TestPostfixConnector_DeployCertificate_ChainAppendedToCert(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := &postfix.Config{
+		Mode:            "postfix",
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		KeyPath:         filepath.Join(tmpDir, "key.pem"),
+		ChainPath:       "", // No chain_path — chain should be appended to cert
+		ReloadCommand:   "true",
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(cfg, logger)
+
+	certPEM := "-----BEGIN CERTIFICATE-----\ncert\n-----END CERTIFICATE-----"
+	chainPEM := "-----BEGIN CERTIFICATE-----\nchain\n-----END CERTIFICATE-----"
+
+	req := target.DeploymentRequest{
+		CertPEM:  certPEM,
+		KeyPEM:   "-----BEGIN PRIVATE KEY-----\nkey\n-----END PRIVATE KEY-----",
+		ChainPEM: chainPEM,
+	}
+
+	result, err := connector.DeployCertificate(ctx, req)
+	if err != nil {
+		t.Fatalf("DeployCertificate failed: %v", err)
+	}
+	if !result.Success {
+		t.Fatalf("expected success, got: %s", result.Message)
+	}
+
+	// Verify cert file contains both cert and chain (fullchain)
+	certData, err := os.ReadFile(cfg.CertPath)
+	if err != nil {
+		t.Fatalf("failed to read cert file: %v", err)
+	}
+	expected := certPEM + "\n" + chainPEM
+	if string(certData) != expected {
+		t.Errorf("expected fullchain content, got: %q", string(certData))
+	}
+}
+
+func TestPostfixConnector_DeployCertificate_CertWriteFail(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	cfg := &postfix.Config{
+		Mode:            "postfix",
+		CertPath:        "/nonexistent/directory/cert.pem",
+		KeyPath:         "/nonexistent/directory/key.pem",
+		ReloadCommand:   "true",
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(cfg, logger)
+
+	req := target.DeploymentRequest{
+		CertPEM:  "cert",
+		ChainPEM: "chain",
+	}
+
+	result, err := connector.DeployCertificate(ctx, req)
+	if err == nil {
+		t.Fatal("expected error when cert write fails")
+	}
+	if result.Success {
+		t.Fatal("expected failure result")
+	}
+}
+
+func TestPostfixConnector_DeployCertificate_ValidateCommandFails(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := &postfix.Config{
+		Mode:            "postfix",
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		KeyPath:         filepath.Join(tmpDir, "key.pem"),
+		ReloadCommand:   "true",
+		ValidateCommand: "false", // Exits with code 1
+	}
+
+	connector := postfix.New(cfg, logger)
+
+	req := target.DeploymentRequest{
+		CertPEM:  "cert",
+		ChainPEM: "chain",
+	}
+
+	result, err := connector.DeployCertificate(ctx, req)
+	if err == nil {
+		t.Fatal("expected error when validate command fails")
+	}
+	if result.Success {
+		t.Fatal("expected failure result")
+	}
+}
+
+func TestPostfixConnector_DeployCertificate_ReloadCommandFails(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := &postfix.Config{
+		Mode:            "postfix",
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		KeyPath:         filepath.Join(tmpDir, "key.pem"),
+		ReloadCommand:   "false", // Exits with code 1
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(cfg, logger)
+
+	req := target.DeploymentRequest{
+		CertPEM:  "cert",
+		ChainPEM: "chain",
+	}
+
+	result, err := connector.DeployCertificate(ctx, req)
+	if err == nil {
+		t.Fatal("expected error when reload command fails")
+	}
+	if result.Success {
+		t.Fatal("expected failure result")
+	}
+}
+
+// --- Validation Tests ---
+
+func TestPostfixConnector_ValidateDeployment_Success(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	certPath := filepath.Join(tmpDir, "cert.pem")
+	os.WriteFile(certPath, []byte("cert"), 0644)
+
+	cfg := &postfix.Config{
+		Mode:            "postfix",
+		CertPath:        certPath,
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(cfg, logger)
+
+	result, err := connector.ValidateDeployment(ctx, target.ValidationRequest{
+		CertificateID: "mc-test",
+		Serial:        "123",
+	})
+	if err != nil {
+		t.Fatalf("ValidateDeployment failed: %v", err)
+	}
+	if !result.Valid {
+		t.Fatal("expected valid deployment")
+	}
+	if result.Metadata == nil {
+		t.Fatal("expected metadata in result")
+	}
+	if result.Metadata["mode"] != "postfix" {
+		t.Errorf("expected mode=postfix in metadata")
+	}
+}
+
+func TestPostfixConnector_ValidateDeployment_CertNotFound(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	cfg := &postfix.Config{
+		Mode:            "postfix",
+		CertPath:        "/nonexistent/cert.pem",
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(cfg, logger)
+
+	result, err := connector.ValidateDeployment(ctx, target.ValidationRequest{
+		CertificateID: "mc-test",
+		Serial:        "123",
+	})
+	if err == nil {
+		t.Fatal("expected error for missing cert file")
+	}
+	if result.Valid {
+		t.Fatal("expected invalid result")
+	}
+}
+
+// --- Security Tests (Command Injection Prevention) ---
+
+func TestPostfixConnector_ValidateConfig_RejectCommandInjectionSemicolon(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := postfix.Config{
+		Mode:            "postfix",
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		KeyPath:         filepath.Join(tmpDir, "key.pem"),
+		ReloadCommand:   "postfix reload; rm -rf /",
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err == nil {
+		t.Fatal("expected error for command injection in reload_command")
+	}
+}
+
+func TestPostfixConnector_ValidateConfig_RejectCommandInjectionPipe(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := postfix.Config{
+		Mode:            "postfix",
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		KeyPath:         filepath.Join(tmpDir, "key.pem"),
+		ReloadCommand:   "true",
+		ValidateCommand: "postfix check | cat /etc/passwd",
+	}
+
+	connector := postfix.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err == nil {
+		t.Fatal("expected error for command injection in validate_command")
+	}
+}
+
+func TestPostfixConnector_ValidateConfig_RejectCommandSubstitution(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := postfix.Config{
+		Mode:            "postfix",
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		KeyPath:         filepath.Join(tmpDir, "key.pem"),
+		ReloadCommand:   "echo $(whoami)",
+		ValidateCommand: "true",
+	}
+
+	connector := postfix.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err == nil {
+		t.Fatal("expected error for command substitution in reload_command")
+	}
+}
+
+func TestPostfixConnector_ValidateConfig_RejectBackticks(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := postfix.Config{
+		Mode:            "postfix",
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		KeyPath:         filepath.Join(tmpDir, "key.pem"),
+		ReloadCommand:   "true",
+		ValidateCommand: "postfix check `whoami`",
+	}
+
+	connector := postfix.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err == nil {
+		t.Fatal("expected error for backtick injection in validate_command")
+	}
+}

internal/domain/connector.go

@@ -85,4 +85,6 @@ const (
 	TargetTypeTraefik  TargetType = "Traefik"
 	TargetTypeCaddy    TargetType = "Caddy"
 	TargetTypeEnvoy    TargetType = "Envoy"
+	TargetTypePostfix  TargetType = "Postfix"
+	TargetTypeDovecot  TargetType = "Dovecot"
 )