Add email password change feature and fix nginx config

- Add public page at /email/change-password for Poste.io mailbox password management
- Add API routes for SMTP credential verification and Poste.io password change
- Rewrite nginx config as HTTP-only (certbot --nginx will add SSL)
- Add Poste.io admin API env vars to docker-compose and env templates

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docker/.env.production

@@ -41,6 +41,14 @@ SMTP_USER=noreply@monaco-opc.com
 SMTP_PASS=CHANGE_ME
 EMAIL_FROM=MOPC Platform <noreply@monaco-opc.com>
 
+# =============================================================================
+# POSTE.IO ADMIN API (for email password management)
+# =============================================================================
+POSTE_API_URL=https://mail.monaco-opc.com
+POSTE_ADMIN_EMAIL=admin@monaco-opc.com
+POSTE_ADMIN_PASSWORD=CHANGE_ME
+POSTE_MAIL_DOMAIN=monaco-opc.com
+
 # =============================================================================
 # AI (OpenAI - optional)
 # =============================================================================

docker/docker-compose.yml

@@ -33,6 +33,10 @@ services:
       - SMTP_USER=${SMTP_USER}
       - SMTP_PASS=${SMTP_PASS}
       - EMAIL_FROM=${EMAIL_FROM}
+      - POSTE_API_URL=${POSTE_API_URL:-https://mail.monaco-opc.com}
+      - POSTE_ADMIN_EMAIL=${POSTE_ADMIN_EMAIL}
+      - POSTE_ADMIN_PASSWORD=${POSTE_ADMIN_PASSWORD}
+      - POSTE_MAIL_DOMAIN=${POSTE_MAIL_DOMAIN:-monaco-opc.com}
       - OPENAI_API_KEY=${OPENAI_API_KEY:-}
       - OPENAI_MODEL=${OPENAI_MODEL:-gpt-4o}
       - MAX_FILE_SIZE=${MAX_FILE_SIZE:-524288000}

docker/nginx/mopc-platform.conf

@@ -1,31 +1,26 @@
 # =============================================================================
 # MOPC Platform - Nginx Reverse Proxy Configuration
 # =============================================================================
-# Install: sudo ln -s /opt/mopc/docker/nginx/mopc-platform.conf /etc/nginx/sites-enabled/
-# Test:    sudo nginx -t
-# Reload:  sudo systemctl reload nginx
+# Setup steps:
+#   1. sudo ln -s /opt/mopc/docker/nginx/mopc-platform.conf /etc/nginx/sites-enabled/
+#   2. sudo nginx -t && sudo systemctl reload nginx
+#   3. sudo certbot --nginx -d portal.monaco-opc.com
+#
+# Certbot will automatically add SSL configuration to this file.
 
 # Rate limiting zone
 limit_req_zone $binary_remote_addr zone=mopc_limit:10m rate=10r/s;
 
-# MOPC Platform - HTTPS
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 80;
+    listen [::]:80;
     server_name portal.monaco-opc.com;
 
-    # SSL certificates (managed by Certbot)
-    ssl_certificate /etc/letsencrypt/live/portal.monaco-opc.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/portal.monaco-opc.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     # Security headers
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self';" always;
 
     # File upload size (500MB for videos)
     client_max_body_size 500M;
@@ -68,11 +63,3 @@ server {
         access_log off;
     }
 }
-
-# HTTP to HTTPS redirect
-server {
-    listen 80;
-    listen [::]:80;
-    server_name portal.monaco-opc.com;
-    return 301 https://$host$request_uri;
-}