Bypass auth.email-domains

Email addresses are stored as `VARCHAR(128)`. However, Phabricator does not verify the length of an email address upon registration. This allows attackers to bypass the allowed email-domains defined in `auth.email-domains`. Exploiting this is rather straightforward: get an email address of 128 characters long ([This StackOverflow answer](http://stackoverflow.com/a/574698/2425609) indicates that the maximum length of an email address is 254 characters). Now register with your 128 character email address with `@allowed-domain.com` appended to it. The `@allowed-domain.com` part will be truncated because MySQL can’t store it, and you will receive a verification email on your 128 character email address. This is especially easy if you’re using a Gmail address: if you own `[email protected]`, you’ll also receive any mails sent to `attacker+aaaaaaaaaaa…[email protected]`.