add config options to disable a domain and to disable logins for an account

to facilitate migrations from/to other mail setups.

a domain can be added in "disabled" mode (or can be disabled/enabled later on).
you can configure a disabled domain, but incoming/outgoing messages involving
the domain are rejected with temporary error codes (as this may occur during a
migration, remote servers will try again, hopefully to the correct machine or
after this machine has been configured correctly). also, no acme tls certs will
be requested for disabled domains (the autoconfig/mta-sts dns records may still
point to the current/previous machine). accounts with addresses at disabled
domains can still login, unless logins are disabled for their accounts.

an account now has an option to disable logins. you can specify an error
message to show. this will be shown in smtp, imap and the web interfaces. it
could contain a message about migrations, and possibly a URL to a page with
information about how to migrate. incoming/outgoing email involving accounts
with login disabled are still accepted/delivered as normal (unless the domain
involved in the messages is disabled too). account operations by the admin,
such as importing/exporting messages still works.

in the admin web interface, listings of domains/accounts show if they are disabled.
domains & accounts can be enabled/disabled through the config file, cli
commands and admin web interface.

for issue #175 by RobSlgm

mox-/config.go

@@ -214,6 +214,18 @@ func (c *Config) Accounts() (l []string) {
 	return
 }
 
+func (c *Config) AccountsDisabled() (all, disabled []string) {
+	c.withDynamicLock(func() {
+		for name, conf := range c.Dynamic.Accounts {
+			all = append(all, name)
+			if conf.LoginDisabled != "" {
+				disabled = append(disabled, name)
+			}
+		}
+	})
+	return
+}
+
 // DomainLocalparts returns a mapping of encoded localparts to account names for a
 // domain, and encoded localparts to aliases. An empty localpart is a catchall
 // destination for a domain.
@@ -247,6 +259,16 @@ func (c *Config) Domain(d dns.Domain) (dom config.Domain, ok bool) {
 	return
 }
 
+func (c *Config) DomainConfigs() (doms []config.Domain) {
+	c.withDynamicLock(func() {
+		doms = make([]config.Domain, 0, len(c.Dynamic.Domains))
+		for _, d := range c.Dynamic.Domains {
+			doms = append(doms, d)
+		}
+	})
+	return
+}
+
 func (c *Config) Account(name string) (acc config.Account, ok bool) {
 	c.withDynamicLock(func() {
 		acc, ok = c.Dynamic.Accounts[name]
@@ -309,6 +331,12 @@ func (c *Config) allowACMEHosts(log mlog.Log, checkACMEHosts bool) {
 				continue
 			}
 
+			// Do not fetch TLS certs for disabled domains. The A/AAAA records may not be
+			// configured or still point to a previous machine before a migration.
+			if dom.Disabled {
+				continue
+			}
+
 			if l.AutoconfigHTTPS.Enabled && !l.AutoconfigHTTPS.NonTLS {
 				if d, err := dns.ParseDomain("autoconfig." + dom.Domain.ASCII); err != nil {
 					log.Errorx("parsing autoconfig domain", err, slog.Any("domain", dom.Domain))
@@ -1340,6 +1368,16 @@ func prepareDynamicConfig(ctx context.Context, log mlog.Log, dynamicPath string,
 		}
 		checkMailboxNormf(acc.RejectsMailbox, "rejects mailbox", addErrorf)
 
+		if len(acc.LoginDisabled) > 256 {
+			addAccountErrorf("message for disabled login must be <256 characters")
+		}
+		for _, c := range acc.LoginDisabled {
+			// For IMAP and SMTP. IMAP only allows UTF8 after "ENABLE IMAPrev2".
+			if c < ' ' || c >= 0x7f {
+				addAccountErrorf("message cannot contain control characters including newlines, and must be ascii-only")
+			}
+		}
+
 		if acc.AutomaticJunkFlags.JunkMailboxRegexp != "" {
 			r, err := regexp.Compile(acc.AutomaticJunkFlags.JunkMailboxRegexp)
 			if err != nil {