prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization

an é (e with accent) can also be written as e+\u0301. the first form is NFC,
the second NFD. when logging in, we transform usernames (email addresses) to
NFC. so both forms will be accepted. if a client is using NFD, they can log
in too.

for passwords, we apply the PRECIS "opaquestring", which (despite the name)
transforms the value too: unicode spaces are replaced with ascii spaces. the
string is also normalized to NFC. PRECIS may reject confusing passwords when
you set a password.

store/account.go

@@ -45,6 +45,7 @@ import (
 	"time"
 
 	"golang.org/x/crypto/bcrypt"
+	"golang.org/x/text/secure/precis"
 	"golang.org/x/text/unicode/norm"
 
 	"github.com/mjl-/bstore"
@@ -1473,6 +1474,16 @@ func (a *Account) DeliverMessage(log mlog.Log, tx *bstore.Tx, m *Message, msgFil
 // SetPassword saves a new password for this account. This password is used for
 // IMAP, SMTP (submission) sessions and the HTTP account web page.
 func (a *Account) SetPassword(log mlog.Log, password string) error {
+	password, err := precis.OpaqueString.String(password)
+	if err != nil {
+		return fmt.Errorf(`password not allowed by "precis"`)
+	}
+
+	if len(password) < 8 {
+		// We actually check for bytes...
+		return fmt.Errorf("password must be at least 8 characters long")
+	}
+
 	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
 	if err != nil {
 		return fmt.Errorf("generating password hash: %w", err)
@@ -2080,6 +2091,11 @@ func manageAuthCache() {
 //
 // The email address may contain a catchall separator.
 func OpenEmailAuth(log mlog.Log, email string, password string) (acc *Account, rerr error) {
+	password, err := precis.OpaqueString.String(password)
+	if err != nil {
+		return nil, ErrUnknownCredentials
+	}
+
 	acc, _, rerr = OpenEmail(log, email)
 	if rerr != nil {
 		return