Improve get-token reliability
On modern systems, there are issues with get-token calling itself when
invoked as root. Update routers to normalize where get-token is called
so that it is always called after seteuid() in the delivery process.
This is still not ideal: exim has to run without a PAG, and there's no
guarantee the directory / environment options will be run after
changing to the delivery user in the future.
Add `check_owner = false' to appendfile routers. We have patched exim
to support delivery into afs because it is overly paranoid about
chown() failures. Patch uses check_owner flag to allow chown() failure
since exim will ignore the owner in other cases anyway when it is
enabled.
Move tokens stashes to /var/local/mail-tokens rather than storing in
/tmp.
Leave some extra debugging in get-token for now.