in smtp banner and imap ID command response when unauthenticated, don't send the mox version number

Attackers scanning the internet can use it to easily create a database of
hosts, software and versions. Let's not make it too easy to find old versions
that may be vulnerable to potential bugs found in the future. We could try
hiding the name "mox" as well, but the banner will still be identifyable, so
there isn't much point, and the public knowing approximately which software is
running can be useful for debugging.

The ID command in IMAP is used by clients to announce their software and
version. We only respond with our version when the user is authenticated.

There are still ways to discover the version number. But they don't involve
standard banner scanning, so someone would have to specifically target mox. We
could tighten that in the future.

For issue #322, based on email. Thanks everyone for discussing.

imapserver/server.go

@@ -1837,8 +1837,12 @@ func (c *conn) cmdID(tag, cmd string, p *parser) {
 	c.log.Info("client id", slog.Any("params", params))
 
 	// Response syntax: ../rfc/2971:243
-	// We send our name and version. ../rfc/2971:193
-	c.bwritelinef(`* ID ("name" "mox" "version" %s)`, string0(moxvar.Version).pack(c))
+	// We send our name, and only the version for authenticated users. ../rfc/2971:193
+	if c.state == stateAuthenticated || c.state == stateSelected {
+		c.bwritelinef(`* ID ("name" "mox" "version" %s)`, string0(moxvar.Version).pack(c))
+	} else {
+		c.bwritelinef(`* ID ("name" "mox")`)
+	}
 	c.ok(tag, cmd)
 }