TLS is not properly enforced for IMAP connections

[mpurg]

In function get_imap_port(), if IO::Socket::SSL is not available TLS will be disabled with only a warning:

mail-dmarc/lib/Mail/DMARC/Report/Receive.pm

Line 191 in ac6d3ad

carp "no SSL, using insecure connection: $!\n";

Considering that in this case the credentials are sent in plain text, it might be better to change the default behavior to fail. The user could opt-in via a configuration option (e.g. allow_insecure_imap).

In the same function, the verification of server certificates is disabled if Mozilla::CA is not available. This largely defeats the purpose of using TLS, making it succeptible to MITM attacks. Please consider using the defaults provided by IO::Socket::SSL, as recommended here: https://metacpan.org/pod/IO::Socket::SSL#Common-Usage-Errors

[msimerson]

I'm thinking:

1. make port detection explicit and default to 993. The only way to get a port 143 connection is to ask for it.
2. add a SSL_verify_mode setting in the config, for users that need it.

[mpurg]

Sounds good, thanks for the prompt response!