3.1.7

Release 3.1.7 (#3572)

- feat(smtp_forward,smtp_proxy): honor `tls.ini` `[main]` and plugin
`[tls]`
  section for backend STARTTLS (matches docs). Behavior change: installs
that set `[main] rejectUnauthorized=true` in `tls.ini` will now see it
applied
to the forward/proxy paths. Untouched installs match the previous
behavior.
- fix(auth_proxy): try opportunistic STARTTLS w/o a key/cert,
#matchTheDocs
- feat(tls_socket): new `load_plugin_tls_options(plugin_tls_cfg)` helper
that
merges a plugin's `[tls]` section over `tls.ini` `[main]` for client
STARTTLS
- refactor: `outbound/tls.js#load_config()` delegates to
`load_plugin_tls_options()`
- change: update DSN.addr_bad_dest_system(...) to DSN.addr_null_mx(...)
- fix(tls): buffer discard on STARTTLS (RFC 3207 §4)
- fix(server): run the graceful restart/shutdown work queue
- fix(xclient): parse DESTPORT to int so the 587/465 auth check applies
- fix(smtp_client):
  - no_tls_hosts works correctly by referencing the correct path
  - unsupported AUTH no longer throws out of the event loop
- fix(smtputf8): all code paths use it, no more smtp_utf8
- fix(conn): reject control chars in HELO name (RFC 5321 §4.1.1.1)
- fix: sanitize AUTH usernames before storing
- fix: strip CR/LF from all strings passed into `auth_results()`
- fix(smtp_client,auth_proxy): redact AUTH credentials in protocol logs
- fix(prevent_credential_leaks): properly handle usernames w/o an `@`
- fix(queue/qmail-queue): size envelope dynamically; UTF-8 safe
- deps(some): bump patch versions to latest
- change: replace forEach with es6 style for...of #3569
- tests: add a few #3568
- doc(Plugins): add publish year to each plugin #3567
- deps(all): switch from ^ to ~ version ranges #3565