Relays with self-signed certificates (madmail, chatmail/relay#919) currently use `dclogin` scheme to disable TLS checks permanently. The result of this is that:

- Proxy cannot be used, using proxy enables strict TLS checks because proxies are not trusted. It could work by remembering SPKI hash since "feat: allow TLS connections with invalid certificate if the key is unchanged" (#8086), but we don't remember SPKI hash in the first place because OpenSSL is used and the code for saving it is for Rustls.
- … `dclogin` multiple times: "feat: support setup with only an IPv4 address, but no domain" relay#919 (comment)
- `dclogin` allows to only configure one port for IMAP and one port for SMTP
- In most cases `dclogin` does not specify `is` and `ss` parameters for IMAP and SMTP security, this results in trying both implicit TLS and STARTTLS on the same port (core/src/configure/server_params.rs, lines 108 to 120 in 6e04993). Because in STARTTLS server talks (sends a banner) first and in implicit TLS client talks (sends TLS ClientHello), when STARTTLS is tried against implicit TLS port, connection times out after 1 minute. This is the problem in "feat: support setup with only an IPv4 address, but no domain" relay#919 at the moment, madmail 0.47.0 even explicitly generates `is=default` and `ss=default` for implicit TLS ports.

With #8086 key hash is remembered when TLS certificate is valid, the only problem is getting SPKI hash into storage for new domains and IP addresses. Can either extend `dcaccount` if it can be made compatible (probably not) or introduce another scheme with a place to put SPKI hash. It should then either be stored or passed around during the configuration, so autoconfig XML can be fetched (which is needed to configure multiple ports).
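
A simplified model of the pinning decision discussed above, as an added example that is not part of the original issue or the project's code. `PinStore`, `provision` and `check` are hypothetical names, the SPKI hash is assumed to be computed elsewhere, and the address and hashes are constructed sample values.

```rust
use std::collections::HashMap;

/// SHA-256 of the certificate's SubjectPublicKeyInfo (assumed computed elsewhere).
type SpkiHash = [u8; 32];

#[derive(Debug, PartialEq)]
enum Decision {
    /// Chain validated normally; the key hash is remembered for later.
    AcceptValid,
    /// Chain did not validate, but the key equals the remembered one.
    AcceptPinned,
    /// Chain did not validate and no matching key is remembered.
    Reject,
}

/// Hypothetical in-memory pin store keyed by host name or IP address.
#[derive(Default)]
struct PinStore {
    pins: HashMap<String, SpkiHash>,
}

impl PinStore {
    /// Assumed out-of-band provisioning, e.g. from a setup code carrying the hash.
    fn provision(&mut self, host: &str, hash: SpkiHash) {
        self.pins.insert(host.to_string(), hash);
    }

    /// Decide whether the TLS connection to `host` may proceed.
    fn check(&mut self, host: &str, chain_valid: bool, presented: SpkiHash) -> Decision {
        if chain_valid {
            // Valid certificate: remember the key so a later invalid chain can match it.
            self.pins.insert(host.to_string(), presented);
            return Decision::AcceptValid;
        }
        match self.pins.get(host) {
            Some(stored) if *stored == presented => Decision::AcceptPinned,
            _ => Decision::Reject,
        }
    }
}

fn main() {
    let mut store = PinStore::default();
    let relay_key = [0x11; 32]; // constructed sample hash
    // Self-signed relay on first contact: nothing is stored, so it is rejected.
    println!("{:?}", store.check("203.0.113.5", false, relay_key));
    store.provision("203.0.113.5", relay_key);
    println!("{:?}", store.check("203.0.113.5", false, relay_key));
    println!("{:?}", store.check("203.0.113.5", false, [0x22; 32]));
}
```

The first call shows the bootstrap gap for new domains and IP addresses: a relay whose certificate never validates has no stored hash until one is provisioned.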