#333 Update gen-postfix-conf.sh and replace hardcoded Thunder credentials #334

Merged
Aravinda-HWK merged 5 commits into LSFLK:main from manupawickramasinghe:main
May 14, 2026
Conversation

@manupawickramasinghe
Contributor

📌 Description

The thunder_authenticate() function in scripts/utils/thunder-auth.sh sent hardcoded "username":"admin","password":"admin" in the authentication JSON payload to Thunder. This meant credentials were visible in source code and couldn't be customized per-deployment without modifying the script.


🔍 Changes Made

  • Replaced hardcoded "username":"admin","password":"admin" in scripts/utils/thunder-auth.sh:112 with ${THUNDER_ADMIN_USERNAME:-admin} and ${THUNDER_ADMIN_PASSWORD:-admin} shell parameter expansion
  • Environment variables THUNDER_ADMIN_USERNAME and THUNDER_ADMIN_PASSWORD are already defined in services/.env.example and services/.env
  • Backward compatible — falls back to admin/admin defaults if env vars are not set

✅ Checklist (Email System)

  • Core services tested (SMTP, IMAP, mail storage, end-to-end delivery)
  • Security & compliance verified (auth via Thunder IDP, TLS, DKIM/SPF/DMARC, spam/virus filtering)
  • Configuration & deployment checked (configs generated, Docker/Compose updated)
  • Reliability confirmed (error handling, logging, monitoring)
  • Documentation & usage notes updated (README, deployment, API)

🧪 Testing Instructions

  1. Checkout branch, run source scripts/utils/thunder-auth.sh and verify script syntax is valid
  2. Verify default behavior: run thunder_authenticate without env vars set — payload should contain "username":"admin","password":"admin"
  3. Verify custom behavior: run with THUNDER_ADMIN_USERNAME=customuser THUNDER_ADMIN_PASSWORD=securepass123 — payload should contain "username":"customuser","password":"securepass123"
  4. Verify partial override: run with only THUNDER_ADMIN_USERNAME set — password should fall back to admin

📷 Screenshots / Logs (if applicable)

Test results — env var substitution verified:

| Test Case | THUNDER_ADMIN_USERNAME | THUNDER_ADMIN_PASSWORD | Result |
|---|---|---|---|
| Default fallback | unset | unset | "username":"admin","password":"admin" |
| Custom env vars | customuser | securepass123 | "username":"customuser","password":"securepass123" |
| Partial (username only) | anotheruser | unset | "username":"anotheruser","password":"admin" |

All three cases produce valid JSON. Script syntax check: bash -n scripts/utils/thunder-auth.sh — OK.


⚠️ Notes for Reviewers

  • No schema or port changes
  • The .env.example already documents these variables — no doc update needed
  • Two consumer scripts source thunder-auth.sh: scripts/user/create_test_users.sh and scripts/user/remove_test_users.sh — they will automatically pick up the env vars
  • Deployments can set custom values in services/.env without touching any script files

manupawickramasinghe and others added 5 commits May 8, 2026 17:31
…and-EXPN-commands

Update gen-postfix-conf.sh
Changes the thunder-auth.sh authentication payload to read
THUNDER_ADMIN_USERNAME and THUNDER_ADMIN_PASSWORD from environment
variables, falling back to "admin" defaults if not set.
…under-credentials

fix: replace hardcoded Thunder admin credentials with env vars
Copilot AI review requested due to automatic review settings May 13, 2026 15:36
@manupawickramasinghe manupawickramasinghe changed the title Update gen-postfix-conf.sh and replace hardcoded Thunder credentials (#333) #333 Update gen-postfix-conf.sh and replace hardcoded Thunder credentials May 13, 2026
Contributor

Copilot AI left a comment

Pull request overview

This PR updates the Thunder authentication helper script to avoid hardcoded admin credentials by allowing deployments to supply THUNDER_ADMIN_USERNAME / THUNDER_ADMIN_PASSWORD via environment variables (with admin/admin as defaults for backward compatibility).

Changes:

  • Replaced hardcoded "username":"admin","password":"admin" in the Thunder /flow/execute authentication payload with ${THUNDER_ADMIN_USERNAME:-admin} and ${THUNDER_ADMIN_PASSWORD:-admin}.

Comment thread scripts/utils/thunder-auth.sh
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates the authentication script to use environment variables for admin credentials instead of hardcoded values. Feedback was provided to improve the robustness of the JSON payload by properly escaping special characters in the username and password to prevent potential malformed requests.

Comment thread scripts/utils/thunder-auth.sh
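
The escaping concern raised in the review above, as an added example (not code from this PR or from the LSFLK repository): the `${VAR:-admin}` interpolation described in the PR next to a variant that escapes each value before it enters the JSON. The function names and the surrounding JSON object are assumptions; only the `"username"`/`"password"` pair and the two variable names come from the page.

```sh
#!/bin/sh
# Added illustration; not taken from scripts/utils/thunder-auth.sh.
# The JSON object below is a constructed, simplified payload.

# Escape a value for use inside a JSON string literal.
# Control characters (0x00-0x1F) are rejected rather than encoded; this
# sketch treats them as a broken .env value. (Hypothetical helper.)
json_escape() {
  _clean=$(printf '%s' "$1" | LC_ALL=C tr -d '\000-\037')
  [ "$_clean" = "$1" ] || return 1
  # Backslash first, then double quote, so added backslashes are not re-escaped.
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Interpolation as described in the PR: values are pasted in verbatim.
payload_interpolated() {
  printf '{"username":"%s","password":"%s"}' \
    "${THUNDER_ADMIN_USERNAME:-admin}" "${THUNDER_ADMIN_PASSWORD:-admin}"
}

# Same defaults, but every value is escaped before it reaches the payload.
# Returns non-zero (and prints nothing) if a value cannot be represented.
payload_escaped() {
  _u=$(json_escape "${THUNDER_ADMIN_USERNAME:-admin}") || return 1
  _p=$(json_escape "${THUNDER_ADMIN_PASSWORD:-admin}") || return 1
  printf '{"username":"%s","password":"%s"}' "$_u" "$_p"
}

# Demo with a constructed password containing a quote and a backslash.
# The interpolated form is not valid JSON; the escaped form is.
(
  THUNDER_ADMIN_PASSWORD='p"ss\word'
  printf 'interpolated: %s\n' "$(payload_interpolated)"
  printf 'escaped:      %s\n' "$(payload_escaped)"
)
```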
@Aravinda-HWK Aravinda-HWK merged commit b017f2a into LSFLK:main May 14, 2026
9 of 10 checks passed
Development

Successfully merging this pull request may close these issues.

[TASK] Hardcoded authentication credentials in thunder-auth.sh
