Prevent `AUTHENTICATE` without matching `AUTH=#{mechanism}` capability

[nevans]

e.g. most servers disallow AUTH=PLAIN unless TLS is established. See also #32 for LOGINDISABLED.

We can provide an opt-out via kwarg to authenticate.

Depends on:

• cache capabilities and add capability?(name) #31
• error reporting and backward compatibility from Honoring server-reported and client-enabled capabilities #49

[nevans]

While working on SASL-IR, I looked more closely at the RFCs. And the specs do not treat AUTH={mechanism} as identical to LOGINDISABLED:

• LOGINDISABLED is a negative requirement on the client (MUST NOT login)
• AUTH={mechanism} is a positive suggestion to the server (SHOULD advertise allowed mechanisms).

SASL has an important benefit over login: we can ask server if it's okay to proceed prior to sending any sensitive data. As such, I made the decision in #90 to still support calling authenticate with any mechanism without any warnings, however this has the important caveat that the initial response is only sent when the mechanism is advertised.

• See ✨🔒 Add SASL-IR support #90
  

  net-imap/lib/net/imap.rb

  Lines 1077 to 1078 in aa0229a

  	if sasl_ir && capable?("SASL-IR") && auth_capable?(mechanism) &&
  	SASL.initial_response?(authenticator)