feat: add STARTTLS detection for FTP, LMTP, NNTP, Sieve; fix FTP hang on AUTH TLS rejection

- _fingerprint_banner now detects ftp/lmtp (via 220 banner content),
  nntp (200/201), and sieve ("IMPLEMENTATION"/"SIEVE" capability lines)
- _probe_ftp pre-checks AUTH TLS over raw socket before invoking openssl,
  preventing a hang when servers reply 500 instead of 234
- FTP greeting/response reads use loop accumulation (TCP segment safety)
- dataclasses.replace() used instead of post-construction mutation
- Empty AUTH TLS response reports "(no response)" in error message
- All docstrings updated (assessor, checker, cli, models, tls_utils)
- 230 tests, 100% coverage

Author: t0kubetsu

CHANGELOG.md

@@ -9,6 +9,34 @@ Version numbers follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html
 
 ## [Unreleased]
 
+### Changed
+- **`_probe_ftp` greeting/response reads are now loop-safe** — replaced single
+  `sock.recv(1024)` calls with chunk-accumulation loops that read until `\n` or
+  1024 bytes, guarding against TCP segmentation on slow links.
+- **`_probe_ftp` uses `dataclasses.replace()`** instead of post-construction
+  field mutation when stamping `detected_starttls="ftp"` onto the openssl result.
+- **Empty AUTH TLS response** now reports `"(no response)"` in the error message
+  instead of a trailing bare colon.
+- **`_fingerprint_banner` docstring** documents the FTP keyword-detection
+  limitation (FileZilla) and the NNTP `200`/`201` heuristic caveat.
+
+### Fixed
+- **FTP probe no longer hangs on servers that reject AUTH TLS** — `openssl
+  s_client -starttls ftp` does not exit cleanly when the server replies with
+  e.g. `500 AUTH not understood`; it hangs until the subprocess timeout fires.
+  A new `_probe_ftp` function now sends `AUTH TLS` over a raw socket first;
+  if the server responds with anything other than `234`, the error is returned
+  immediately without invoking `openssl`.
+
+### Added
+- **Extended STARTTLS protocol detection** — `_fingerprint_banner` now
+  auto-detects FTP (`220 … FTP …`), LMTP (`220 … LMTP …`), NNTP (`200 `/`201 `),
+  and ManageSieve (`"IMPLEMENTATION"` / `"SIEVE"` / `"STARTTLS"` capability
+  lines) from server banners, dispatching to the correct `openssl -starttls`
+  mode automatically. Protocols that send no opening banner (XMPP, LDAP,
+  MySQL, PostgreSQL) remain unsupported in auto-detect mode by design, keeping
+  the probe protocol-agnostic.
+
 ---
 
 ## [0.4.0] — 2026-04-29

README.md

@@ -2,16 +2,17 @@
 
 > Validate post-quantum cryptography readiness of internet-exposed TLS, STARTTLS, and SSH services — from the command line or as a Python library.
 
-**quantumvalidator** actively probes HTTPS, SMTP/STARTTLS, IMAP/STARTTLS, POP3/STARTTLS, and SSH
-endpoints to detect whether a PQC hybrid key exchange (ML-KEM) was negotiated, returning a binary
-**SAFE** / **UNSAFE** verdict aligned with NSA CNSA 2.0, BSI TR-02102-2 (TLS), and BSI TR-02102-4 (SSH).
+**quantumvalidator** actively probes HTTPS, SMTP/STARTTLS, IMAP/STARTTLS, POP3/STARTTLS,
+FTP/STARTTLS, LMTP/STARTTLS, NNTP/STARTTLS, ManageSieve/STARTTLS, and SSH endpoints to detect
+whether a PQC hybrid key exchange (ML-KEM) was negotiated, returning a binary **SAFE** / **UNSAFE**
+verdict aligned with NSA CNSA 2.0, BSI TR-02102-2 (TLS), and BSI TR-02102-4 (SSH).
 
 ```bash
 $ quantumvalidator check cloudflare.com
 ```
 
 ![Python](https://img.shields.io/badge/python-%3E%3D3.11-blue)
-![Tests](https://img.shields.io/badge/tests-206%20passing-brightgreen)
+![Tests](https://img.shields.io/badge/tests-230%20passing-brightgreen)
 ![Coverage](https://img.shields.io/badge/coverage-100%25-brightgreen)
 ![License](https://img.shields.io/badge/license-GPLv3-lightgrey)
 
@@ -126,16 +127,32 @@ quantumvalidator check example.com --output report.html
 
 ### STARTTLS probe (auto-detected)
 
+Banner fingerprinting selects the correct `-starttls` mode automatically.
+
 ```bash
-# SMTP/STARTTLS — detected automatically from server banner
+# SMTP/STARTTLS — detected from "220 … ESMTP …" banner
 quantumvalidator check smtp.gmail.com --port 587
 quantumvalidator check smtp.gmail.com -p 587        # short form
+quantumvalidator check mx1.example.com -p 25
 
-# IMAP/STARTTLS
+# IMAP/STARTTLS — detected from "* OK …" banner
 quantumvalidator check mail.example.com -p 143
 
-# SMTP on port 25
-quantumvalidator check mx1.example.com -p 25
+# POP3/STARTTLS — detected from "+OK …" banner
+quantumvalidator check mail.example.com -p 110
+
+# FTP/STARTTLS (AUTH TLS) — detected from "220 … FTP …" banner
+# Note: servers that do not support AUTH TLS return an immediate error.
+quantumvalidator check ftp.example.com -p 21
+
+# LMTP/STARTTLS — detected from "220 … LMTP …" banner
+quantumvalidator check lmtp.example.com -p 24
+
+# NNTP/STARTTLS — detected from "200 …" / "201 …" banner
+quantumvalidator check news.example.com -p 119
+
+# ManageSieve/STARTTLS — detected from '"IMPLEMENTATION" …' capability line
+quantumvalidator check sieve.example.com -p 4190
 ```
 
 ### SSH probe (auto-detected)
@@ -185,7 +202,7 @@ report = assess("cloudflare.com")
 print(report.verdict)           # Verdict.SAFE or Verdict.UNSAFE
 print(report.is_safe)           # True / False
 print(report.target)            # "cloudflare.com"
-print(report.detected_starttls) # None (raw TLS) | "smtp" | "imap" | "pop3"
+print(report.detected_starttls) # None (raw TLS) | "smtp" | "imap" | "pop3" | "ftp" | "lmtp" | "nntp" | "sieve" | "ssh"
 print(report.port)              # 443
 print(report.tls_version)       # "TLSv1.3" or None
 print(report.negotiated_group)  # "X25519MLKEM768" or None
@@ -244,7 +261,7 @@ quantumvalidator/
 │   ├── constants.py      PQC_GROUPS, SAFE_GROUPS, PROBE_GROUPS, check_openssl()
 │   ├── models.py         Verdict, Status, CheckResult, QuantumReport
 │   ├── reporter.py       print_report() — Rich terminal renderer
-│   ├── tls_utils.py      probe_tls() — subprocess openssl s_client wrapper
+│   ├── tls_utils.py      probe_tls() — banner-first probe; openssl s_client + SSH/FTP native handlers
 │   └── verdict.py        determine_verdict() / build_checks()
 ├── tests/
 │   ├── conftest.py
@@ -280,7 +297,7 @@ pytest tests/test_tls_utils.py
 pytest tests/test_assessor.py::TestAssessHttps -v
 ```
 
-The test suite has **206 tests** and maintains **100% statement coverage**.
+The test suite has **230 tests** and maintains **100% statement coverage**.
 
 All network I/O (`openssl s_client` subprocess) is mocked at the `probe_tls` boundary —
 no test touches a real server or the internet.

quantumvalidator/assessor.py

@@ -34,8 +34,8 @@ def assess(
 ) -> QuantumReport:
     """Probe *target* and assess its post-quantum TLS key exchange readiness.
 
-    The probe auto-detects STARTTLS mode (smtp/imap/pop3) via banner
-    fingerprinting if a raw TLS handshake fails.
+    The probe auto-detects STARTTLS mode (smtp/imap/pop3/ftp/lmtp/nntp/sieve)
+    via banner fingerprinting, and SSH via ``SSH-2.0-`` banner.
 
     :param target: Hostname or IP address to probe.
     :param port: TCP port override; defaults to 443.

quantumvalidator/checker.py

@@ -13,8 +13,9 @@
 def check_tls(host: str, port: int, timeout: int = 10) -> TLSProbeResult:
     """Probe *host*:*port* for PQC key exchange support.
 
-    The underlying probe auto-detects STARTTLS mode (smtp/imap/pop3) via
-    banner fingerprinting if a raw TLS handshake fails.
+    The underlying probe auto-detects STARTTLS mode (smtp/imap/pop3/ftp/lmtp/
+    nntp/sieve) via banner fingerprinting. Protocols that send no opening banner
+    (xmpp, ldap, mysql, postgres) cannot be auto-detected.
 
     :param host: Target hostname or IP.
     :param port: TCP port.

quantumvalidator/cli.py

@@ -25,9 +25,10 @@
     name="quantumvalidator",
     help=(
         "Validate post-quantum cryptography readiness of any TLS-bearing service. "
-        "Auto-detects STARTTLS protocols (SMTP, IMAP, POP3) via banner fingerprinting. "
+        "Auto-detects STARTTLS protocols (SMTP, IMAP, POP3, FTP, LMTP, NNTP, Sieve) "
+        "via banner fingerprinting, and SSH via SSH-2.0- banner. "
         "Checks whether the service negotiates a PQC hybrid key exchange group (ML-KEM) "
-        "as required by CNSA 2.0 and BSI TR-02102-2."
+        "as required by CNSA 2.0 and BSI TR-02102-2/TR-02102-4."
     ),
     add_completion=False,
 )
@@ -54,9 +55,10 @@ def check(
         help="Save report to file (.txt / .svg / .html).",
     ),
 ) -> None:
-    """Probe *TARGET* for post-quantum TLS key exchange support.
+    """Probe *TARGET* for post-quantum TLS/SSH key exchange support.
 
-    Auto-detects STARTTLS mode (SMTP, IMAP, POP3) if raw TLS fails.
+    Auto-detects STARTTLS protocols (SMTP, IMAP, POP3, FTP, LMTP, NNTP, Sieve)
+    from server banners, and SSH from the SSH-2.0- version string.
     """
     from quantumvalidator.assessor import assess
 

quantumvalidator/models.py

@@ -64,7 +64,7 @@ class QuantumReport:
     """Hostname or IP that was probed."""
 
     detected_starttls: Optional[str]
-    """STARTTLS mode auto-detected from server banner ('smtp'/'imap'/'pop3'), or None for raw TLS."""
+    """STARTTLS mode detected from server banner (e.g. ``'smtp'``/``'ftp'``/``'nntp'``/``'ssh'``), or ``None`` for raw TLS."""
 
     port: int
     """TCP port used for the probe."""

quantumvalidator/tls_utils.py

@@ -13,7 +13,7 @@
 import re
 import socket
 import subprocess
-from dataclasses import dataclass
+from dataclasses import dataclass, replace
 from typing import Optional
 
 from quantumvalidator.constants import (
@@ -66,7 +66,7 @@ class TLSProbeResult:
     error: Optional[str] = None
     """Error message if the probe failed, None on success."""
     detected_starttls: Optional[str] = None
-    """STARTTLS mode auto-detected from server banner ('smtp'/'imap'/'pop3'), or None."""
+    """STARTTLS mode detected from server banner (e.g. ``'smtp'``/``'ftp'``/``'nntp'``/``'ssh'``), or ``None``."""
 
     @property
     def ok(self) -> bool:
@@ -112,6 +112,9 @@ def probe_tls(
     if detected == "ssh":
         return _probe_ssh(host, port, timeout)
 
+    if detected == "ftp":
+        return _probe_ftp(host, port, timeout)
+
     if detected:
         logger.info(
             "Banner detected '%s' for %s:%d — probing with -starttls %s",
@@ -129,7 +132,7 @@ def _build_cmd(host: str, port: int, starttls: Optional[str]) -> list[str]:
 
     :param host: Target hostname or IP.
     :param port: TCP port.
-    :param starttls: STARTTLS mode (``'smtp'``/``'imap'``/``'pop3'``), or ``None`` for raw TLS.
+    :param starttls: openssl ``-starttls`` mode (e.g. ``'smtp'``/``'ftp'``/``'xmpp'``), or ``None`` for raw TLS.
     :returns: Command list for ``subprocess.run``.
     :rtype: list[str]
     """
@@ -161,7 +164,7 @@ def _run_openssl(
 
     :param host: Target hostname or IP.
     :param port: TCP port.
-    :param starttls: STARTTLS mode (``'smtp'``/``'imap'``/``'pop3'``), or ``None`` for raw TLS.
+    :param starttls: openssl ``-starttls`` mode (e.g. ``'smtp'``/``'ftp'``/``'xmpp'``), or ``None`` for raw TLS.
     :param timeout: Connection timeout in seconds.
     :returns: Probe result; ``raw_output`` always populated from subprocess output.
     :rtype: TLSProbeResult
@@ -362,26 +365,104 @@ def _probe_ssh(host: str, port: int, timeout: int) -> TLSProbeResult:
     )
 
 
-def _fingerprint_banner(output: str) -> Optional[str]:
-    """Detect STARTTLS mode from raw openssl output containing a server banner.
+def _probe_ftp(host: str, port: int, timeout: int) -> TLSProbeResult:
+    """Pre-check AUTH TLS support, then probe FTP STARTTLS for PQC key exchange.
+
+    ``openssl s_client -starttls ftp`` hangs when the server rejects ``AUTH TLS``
+    instead of responding with ``234 Proceed with negotiation``.  This function
+    issues ``AUTH TLS`` over a raw socket first; only if the server responds with
+    ``234`` does it dispatch to ``_run_openssl``.
+
+    :param host: Target hostname or IP.
+    :param port: TCP port (typically 21).
+    :param timeout: Connection and read timeout in seconds.
+    :returns: Probe result with ``detected_starttls="ftp"``.
+    :rtype: TLSProbeResult
+    """
+    try:
+        with socket.create_connection((host, port), timeout=timeout) as sock:
+            sock.settimeout(timeout)
+            # Consume the 220 greeting with a loop — a single recv() is not
+            # guaranteed to return the full line when TCP segments are small.
+            buf = b""
+            while b"\n" not in buf and len(buf) < 1024:
+                chunk = sock.recv(256)
+                if not chunk:
+                    break
+                buf += chunk
+            sock.sendall(b"AUTH TLS\r\n")
+            # Read the AUTH TLS response, also loop-safe.
+            resp = b""
+            while b"\n" not in resp and len(resp) < 1024:
+                chunk = sock.recv(256)
+                if not chunk:
+                    break
+                resp += chunk
+            raw = resp.decode("utf-8", errors="replace")
+    except (OSError, socket.timeout) as exc:
+        logger.warning("FTP AUTH TLS check failed for %s:%d: %s", host, port, exc)
+        return TLSProbeResult(
+            host=host, port=port,
+            tls_version=None, negotiated_group=None,
+            error=str(exc),
+            detected_starttls="ftp",
+        )
 
-    Scans all lines for known application-protocol banner prefixes that indicate
-    the server expects a STARTTLS upgrade rather than direct TLS.
+    first_line = (raw.strip().splitlines()[0] if raw.strip() else "(no response)").strip()
+    if not first_line.startswith("234"):
+        logger.info(
+            "FTP server %s:%d does not support AUTH TLS: %s", host, port, first_line
+        )
+        return TLSProbeResult(
+            host=host, port=port,
+            tls_version=None, negotiated_group=None,
+            error=f"FTP server does not support AUTH TLS: {first_line[:100]}",
+            detected_starttls="ftp",
+        )
 
-    :param output: Combined stdout+stderr from a failed raw TLS probe.
-    :returns: Detected STARTTLS mode (``'smtp'``/``'imap'``/``'pop3'``), or ``None``.
+    logger.info("FTP server %s:%d accepted AUTH TLS — probing TLS", host, port)
+    return replace(_run_openssl(host, port, starttls="ftp", timeout=timeout), detected_starttls="ftp")
+
+
+def _fingerprint_banner(output: str) -> Optional[str]:
+    """Detect STARTTLS mode from a server's opening banner.
+
+    Scans all lines for known application-protocol banner prefixes that
+    indicate the server expects a STARTTLS upgrade rather than direct TLS.
+
+    FTP and LMTP both open with ``"220 "`` like SMTP; they are distinguished
+    by banner content: LMTP servers include ``"LMTP"``, FTP servers include
+    ``"FTP"`` (without ``"ESMTP"``).  FTP servers that omit the word "FTP"
+    from their greeting (e.g. FileZilla) will fall back to ``"smtp"``.
+    NNTP is identified by ``"200 "``/``"201 "`` prefixes, which are uncommon
+    as opening banners outside NNTP but not unique — treat as a best-effort
+    heuristic.  Protocols that send no banner on connect (XMPP, LDAP, MySQL,
+    PostgreSQL) cannot be auto-detected here.
+
+    :param output: Server banner string (raw TCP read before TLS handshake).
+    :returns: openssl ``-starttls`` mode string, or ``None`` if unrecognised.
     :rtype: str | None
     """
     for line in output.splitlines():
         stripped = line.strip()
         if stripped.startswith("220 "):
+            lower = stripped.lower()
+            if "lmtp" in lower:
+                return "lmtp"
+            if "ftp" in lower and "esmtp" not in lower:
+                return "ftp"
             return "smtp"
         if stripped.startswith("* OK"):
             return "imap"
         if stripped.startswith("+OK"):
             return "pop3"
         if stripped.startswith("SSH-"):
             return "ssh"
+        if stripped.startswith(("200 ", "201 ")):
+            return "nntp"
+        # ManageSieve (RFC 5804): capability lines are double-quoted strings
+        if stripped.startswith(('"IMPLEMENTATION"', '"SIEVE"', '"STARTTLS"')):
+            return "sieve"
     return None