add account config option to prevent the account for setting their own custom password, and enable by default for new accounts

accounts with this option enabled can only generate get a new randomly
generated password. this prevents password reuse across services and weak
passwords. existing accounts keep their current ability to set custom
passwords. only admins can change this setting for an account.

related to issue #286 by skyguy

quickstart.go

@@ -44,24 +44,6 @@ import (
 //go:embed mox.service
 var moxService string
 
-func pwgen() string {
-	chars := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_;:,<.>/"
-	s := ""
-	buf := make([]byte, 1)
-	for i := 0; i < 12; i++ {
-		for {
-			cryptorand.Read(buf)
-			i := int(buf[0])
-			if i+len(chars) > 255 {
-				continue // Prevent bias.
-			}
-			s += string(chars[i%len(chars)])
-			break
-		}
-	}
-	return s
-}
-
 func cmdQuickstart(c *cmd) {
 	c.params = "[-skipdial] [-existing-webserver] [-hostname host] user@domain [user | uid]"
 	c.help = `Quickstart generates configuration files and prints instructions to quickly set up a mox instance.
@@ -761,7 +743,7 @@ many authentication failures).
 
 	dataDir := "data" // ../data is relative to config/
 	os.MkdirAll(dataDir, 0770)
-	adminpw := pwgen()
+	adminpw := mox.GeneratePassword()
 	adminpwhash, err := bcrypt.GenerateFromPassword([]byte(adminpw), bcrypt.DefaultCost)
 	if err != nil {
 		fatalf("generating hash for generated admin password: %s", err)
@@ -1000,7 +982,7 @@ and check the admin page for the needed DNS records.`)
 	}
 	cleanupPaths = append(cleanupPaths, dataDir, filepath.Join(dataDir, "accounts"), filepath.Join(dataDir, "accounts", accountName), filepath.Join(dataDir, "accounts", accountName, "index.db"))
 
-	password := pwgen()
+	password := mox.GeneratePassword()
 
 	// Kludge to cause no logging to be printed about setting a new password.
 	loglevel := mox.Conf.Log[""]