CVE-2026-4873: connection reuse ignores TLS requirement

Disclosed: 2026-04-29 06:47:32 By bonaire To curl
Low
Vulnerability Details
Libcurl connection reuse for cleartext-upgrade mail protocols does not include the later transfer's CURLOPT_USE_SSL. If a plaintext connection to one of these protocols is already open and reusable, a later transfer that explicitly requires STARTTLS can incorrectly reuse that plaintext connection. This affects smtp://, pop3://, and imap://

## Reproduction

Start the server:

```bash
python3 ./server.py --port 2525
```

Control:

```bash
curl -sv \
  -u alice:pw \
  --url 'imap://127.0.0.1:2525/Box/;MAILINDEX=1' \
  --ssl-reqd
```

Reuse:

```bash
curl -sv \
  -u alice:pw \
  --url 'imap://127.0.0.1:2525/' \
  -X NOOP \
  --next \
  -sv \
  -u alice:pw \
  --url 'imap://127.0.0.1:2525/Box/;MAILINDEX=1' \
  --ssl-reqd
```

## Impact

A later TLS-required mail transfer can be sent over a previously established plaintext connection, contrary to expectation.
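A simplified model of the reuse decision this report describes, added here as an illustration; it is not libcurl's source code, and every struct, enum and function name in it is hypothetical. It contrasts a match that ignores the transfer's TLS requirement with one that refuses a plaintext connection when TLS is required.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified model, not libcurl source. Levels mirror libcurl's CURLUSESSL_*. */
enum usessl { USESSL_NONE, USESSL_TRY, USESSL_CONTROL, USESSL_ALL };

struct conn {                 /* a cached, reusable connection */
    const char *scheme, *host;
    int port;
    bool tls_active;          /* true once STARTTLS completed on it */
};

struct transfer {             /* a new transfer looking for a connection */
    const char *scheme, *host;
    int port;
    enum usessl use_ssl;      /* --ssl-reqd corresponds to USESSL_ALL */
};

static bool same_endpoint(const struct conn *c, const struct transfer *t)
{
    return strcmp(c->scheme, t->scheme) == 0 &&
           strcmp(c->host, t->host) == 0 && c->port == t->port;
}

/* Behaviour described in the report: the TLS requirement is never consulted. */
bool can_reuse_flawed(const struct conn *c, const struct transfer *t)
{
    return same_endpoint(c, t);
}

/* Hardened: a transfer that requires TLS never reuses a plaintext connection. */
bool can_reuse_checked(const struct conn *c, const struct transfer *t)
{
    if (!same_endpoint(c, t))
        return false;
    /* Plaintext connection and TLS required: force a fresh connection. */
    return !(t->use_ssl >= USESSL_CONTROL && !c->tls_active);
}

/* Constructed scenario matching the "Reuse" command: NOOP first, then a fetch. */
static const struct conn noop_conn = { "imap", "127.0.0.1", 2525, false };
static const struct transfer fetch_reqd = { "imap", "127.0.0.1", 2525, USESSL_ALL };
static const struct transfer fetch_plain = { "imap", "127.0.0.1", 2525, USESSL_NONE };

int main(void)
{   /* exit status 0 when all three decisions come out as expected */
    return !(can_reuse_flawed(&noop_conn, &fetch_reqd) &&
             !can_reuse_checked(&noop_conn, &fetch_reqd) &&
             can_reuse_checked(&noop_conn, &fetch_plain));
}
```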
Report Stats
  • Report ID: 3621851
  • State: Closed
  • Substate: resolved