improve http request handling for internal services and multiple domains

per listener, you could enable the admin/account/webmail/webapi handlers. but
that would serve those services on their configured paths (/admin/, /,
/webmail/, /webapi/) on all domains mox would be webserving, including any
non-mail domains. so your www.example/admin/ would be serving the admin web
interface, with no way to disabled that.

with this change, the admin interface is only served on requests to (based on
Host header):
- ip addresses
- the listener host name (explicitly configured in the listener, with fallback
  to global hostname)
- "localhost" (for ssh tunnel/forwarding scenario's)

the account/webmail/webapi interfaces are served on the same domains as the
admin interface, and additionally:
- the client settings domains, as optionally configured in each Domain in
  domains.conf. typically "mail.<yourdomain>".

this means the internal services are no longer served on other domains
configured in the webserver, e.g. www.example.org/admin/ will not be handled
specially.

the order of evaluation of routes/services is also changed:
before this change, the internal handlers would always be evaluated first.
with this change, only the system handlers for
MTA-STS/autoconfig/ACME-validation will be evaluated first. then the webserver
handlers. and finally the internal services (admin/account/webmail/webapi).
this allows an admin to configure overrides for some of the domains (per
hostname-matching rules explained above) that would normally serve these
services.

webserver handlers can now be configured that pass the request to an internal
service: in addition to the existing static/redirect/forward config options,
there is now an "internal" config option, naming the service
(admin/account/webmail/webapi) for handling the request. this allows enabling
the internal services on custom domains.

for issue #160 by TragicLifeHu, thanks for reporting!

config/doc.go

@@ -172,7 +172,10 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 			# NATed. Skips IP-related DNS self-checks. (optional)
 			IPsNATed: false
 
-			# If empty, the config global Hostname is used. (optional)
+			# If empty, the config global Hostname is used. The internal services webadmin,
+			# webaccount, webmail and webapi only match requests to IPs, this hostname,
+			# "localhost". All except webadmin also match for any client settings domain.
+			# (optional)
 			Hostname:
 
 			# For SMTP/IMAP STARTTLS, direct TLS and HTTPS connections. (optional)
@@ -303,7 +306,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 			AccountHTTP:
 				Enabled: false
 
-				# Default 80 for HTTP and 443 for HTTPS. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
 				# Path to serve requests on. (optional)
@@ -318,7 +322,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 			AccountHTTPS:
 				Enabled: false
 
-				# Default 80 for HTTP and 443 for HTTPS. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
 				# Path to serve requests on. (optional)
@@ -336,7 +341,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 			AdminHTTP:
 				Enabled: false
 
-				# Default 80 for HTTP and 443 for HTTPS. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
 				# Path to serve requests on. (optional)
@@ -351,7 +357,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 			AdminHTTPS:
 				Enabled: false
 
-				# Default 80 for HTTP and 443 for HTTPS. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
 				# Path to serve requests on. (optional)
@@ -365,7 +372,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 			WebmailHTTP:
 				Enabled: false
 
-				# Default 80 for HTTP and 443 for HTTPS. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
 				# Path to serve requests on. (optional)
@@ -380,7 +388,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 			WebmailHTTPS:
 				Enabled: false
 
-				# Default 80 for HTTP and 443 for HTTPS. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
 				# Path to serve requests on. (optional)
@@ -394,7 +403,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 			WebAPIHTTP:
 				Enabled: false
 
-				# Default 80 for HTTP and 443 for HTTPS. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
 				# Path to serve requests on. (optional)
@@ -409,7 +419,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 			WebAPIHTTPS:
 				Enabled: false
 
-				# Default 80 for HTTP and 443 for HTTPS. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
 				# Path to serve requests on. (optional)
@@ -1225,12 +1236,15 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 	WebDomainRedirects:
 		x:
 
-	# Handle webserver requests by serving static files, redirecting or
-	# reverse-proxying HTTP(s). The first matching WebHandler will handle the request.
-	# Built-in handlers, e.g. for account, admin, autoconfig and mta-sts always run
-	# first. If no handler matches, the response status code is file not found (404).
-	# If functionality you need is missng, simply forward the requests to an
-	# application that can provide the needed functionality. (optional)
+	# Handle webserver requests by serving static files, redirecting, reverse-proxying
+	# HTTP(s) or passing the request to an internal service. The first matching
+	# WebHandler will handle the request. Built-in system handlers, e.g. for ACME
+	# validation, autoconfig and mta-sts always run first. Built-in handlers for
+	# admin, account, webmail and webapi are evaluated after all handlers, including
+	# webhandlers (allowing for overrides of internal services for some domains). If
+	# no handler matches, the response status code is file not found (404). If
+	# webserver features are missing, forward the requests to an application that
+	# provides the needed functionality itself. (optional)
 	WebHandlers:
 		-
 
@@ -1238,7 +1252,7 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 			LogName:
 
 			# Both Domain and PathRegexp must match for this WebHandler to match a request.
-			# Exactly one of WebStatic, WebRedirect, WebForward must be set.
+			# Exactly one of WebStatic, WebRedirect, WebForward, WebInternal must be set.
 			Domain:
 
 			# Regular expression matched against request path, must always start with ^ to
@@ -1345,6 +1359,15 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 				ResponseHeaders:
 					x:
 
+			# Pass request to internal service, like webmail, webapi, etc. (optional)
+			WebInternal:
+
+				# Path to use as root of internal service, e.g. /webmail/.
+				BasePath:
+
+				# Name of the service, values: admin, account, webmail, webapi.
+				Service:
+
 	# Routes for delivering outgoing messages through the queue. Each delivery attempt
 	# evaluates account routes, domain routes and finally these global routes. The
 	# transport of the first matching route is used in the delivery attempt. If no