fix(encryptid): use port 25 without auth for internal Mailcow SMTP

SMTP auth (port 587) credentials are stale, causing 535 auth failures
on startup. Detect internal mailcow/postfix hosts and connect on port
25 without auth, matching the pattern already used in server/spaces.ts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/encryptid/server.ts

@@ -213,17 +213,17 @@ const CONFIG = {
 
 let smtpTransport: Transporter | null = null;
 
-if (CONFIG.smtp.pass) {
+const isInternalSmtp = CONFIG.smtp.host.includes('mailcow') || CONFIG.smtp.host.includes('postfix');
+if (CONFIG.smtp.pass || isInternalSmtp) {
   smtpTransport = createTransport({
     host: CONFIG.smtp.host,
-    port: CONFIG.smtp.port,
+    port: isInternalSmtp ? 25 : CONFIG.smtp.port,
-    secure: CONFIG.smtp.port === 465,
+    secure: !isInternalSmtp && CONFIG.smtp.port === 465,
-    auth: {
+    ...(isInternalSmtp ? {} : {
-      user: CONFIG.smtp.user,
+      auth: { user: CONFIG.smtp.user, pass: CONFIG.smtp.pass },
-      pass: CONFIG.smtp.pass,
+    }),
-    },
     tls: {
-      rejectUnauthorized: false,  // Internal Mailcow uses self-signed cert
+      rejectUnauthorized: false,
     },
   });
 
@@ -232,11 +232,11 @@ if (CONFIG.smtp.pass) {
     console.log('EncryptID: SMTP connected to', CONFIG.smtp.host);
   }).catch((err) => {
     console.error('EncryptID: SMTP connection failed —', err.message);
-    console.error('EncryptID: Email recovery will not work until SMTP is configured');
+    console.error('EncryptID: Email delivery will not work until SMTP is configured');
     smtpTransport = null;
   });
 } else {
-  console.warn('EncryptID: SMTP_PASS not set — email recovery disabled (tokens logged to console)');
+  console.warn('EncryptID: SMTP not configured — email delivery disabled');
 }
 
 async function sendRecoveryEmail(to: string, token: string, username: string): Promise<boolean> {