* Add email-based password reset
Fixes#734
* rename SETPASS to RESETPASS
* review fixes
* abuse mitigations
* SENDPASS and RESETPASS should both touch the client login throttle
* Produce a logline and a sno on SENDPASS (since it actually sends an email)
* don't re-retrieve the settings value
* add email confirmation for NS SET EMAIL
* smtp: if require-tls is disabled, don't validate server cert
* review fixes
* remove cooldown for NS SET EMAIL
If you accidentally set the wrong address, the cooldown would prevent you
from fixing your mistake. Since we touch the registration throttle anyway,
this shouldn't present more of an abuse concern than registration itself.
1. Fix auth bypass in the default configuration with the addition of
server.password (the REGISTER command was allowed before connection
registration, allowing unauthenticated users to REGISTER and then
take advantage of skip-server-password)
2. Caution operators against the use of require-sasl without disabling
user-initiated account registration. (Such a configuration is still valid
in the case of a public server that requires everyone to register.)
Two objectives:
1. Reduce thundering-herd effects on server restart (a cost of 4 should be
approximately 1 millisecond of CPU time per reconnecting client)
2. Speed up mobile reattach as much as possible (see also #1420)
Whenever CIDR is mentioned in the config, it's in combination with IP so
talking about addressese in these points gives wrong impression that a
domain name would be valid as those are often thought as addresses.
I think that 'moderator vs admin' is a pretty common set of priv levels,
whereas 'oper vs admin' is a little confusing, esp. to less irc-savvy
people.
/SAJOIN and /SAMODE are really common for joining channels to check out
what's going on and for e.g. opping someone when nobody in the channel
is opered, so it makes sense for mods to have those. I feel similarly
about vhosts, they're usually something that's delegated to less-prived
opers.
Changed the whois line from 'a server admin' to 'the server admin' to
make it a bit more clear that this is one single user, rather than a set
of privs to be shared. And it's a tiny thing, but removed the 'less
privileged' term from alice's oper block because it felt a bit dodgy.
