This patch adds checks that verify:
- The envelope from must match the authenticated user. This prevents
impersonation at the envelope level (while still allowing bounces, of
course).
- If the destination is remote, then the user must have completed
authentication. This prevents unauthorized relaying.
The patch ends up adjusting quite a few tests, as they were not written
considering these restrictions so they have to be changed accordingly.
This patch introduces an "envelope" package which, for now, provides simple
utilities for getting the user and domain of an address.
It also changes the couriers to use it (but other implementations remain, will
be moved over in subsequent patches).
