That's a very valid concern, but the larger one for me is that it implies that their IMAP servers are sitting right on the internet (no firewall/load-balancer/reverse proxy/whatever), or that they've automated their infrastructure so much that network-level security controls are essentially bypassed because any services in the Ansible definition are assumed to be authorized/intentional, or that someone intentionally added this one as a ham-fisted backdoor into customer email.
It also needs to be part of any regression testing against new releases. Doing it once against current code does nothing other than say "right now we're okay". I know. I've personally been burned by assumption that what was tested previously is assumed to still be good now.