Fix four crash and memory-safety bugs: NULL deref in fetch_ruf, assert in config_free, strncpy misuse, header buffer overflow #297

@thegushi

This issue tracks fixes for four distinct bugs identified in issues #18, #140, #152, and #256.

#256 — NULL dereference in opendmarc_policy_fetch_ruf()

The guard condition used || instead of &&, causing memset(NULL, '\0', size) when called with list_buf=NULL, size_of_buf>0. Unreachable in the current codebase (always called with both NULL and 0) but a real library API hazard. The identical guard in opendmarc_policy_fetch_rua() already used && correctly.

#18 — SIGABRT from assert(conf->conf_refcnt == 0) in dmarcf_config_free()

Multiple shutdown and config-reload call sites invoke dmarcf_config_free() without checking the refcount first, so the assert can fire on normal teardown, aborting the daemon.

#140 — strncpy without null-termination guarantee in mlfi_envfrom()

strncpy(mctx_envdomain, p+1, BUFRSZ) does not null-terminate if the source fills the buffer. Replaced with strlcpy(..., sizeof mctx_envdomain).

#152 — MAXHEADER too small for Authentication-Results headers

Two snprintf() calls building the Authentication-Results header can produce ~2080 bytes; the 1025-byte buffer caused silent truncation of outgoing headers. Bumped MAXHEADER from 1024 → 4096. Also fixed an off-by-one in opendmarc-ar.c (MAXHEADER+2 → MAXHEADER+1).

Closes #18, #140, #152, #256.
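
The strncpy() hazard described under #140, as an added example that is not part of the issue or the OpenDMARC source: it shows the buffer left unterminated when the source fills it, next to a bounded copy that always terminates and reports truncation. `DEMO_BUFSZ`, `bounded_copy()` and `extract_domain()` are hypothetical names, the sample addresses are constructed, and it is an assumption that `p` in the original call points at the `@` of the envelope sender.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEMO_BUFSZ 16   /* constructed size; stands in for the page's BUFRSZ */

/* Pattern from #140: strncpy() bounded by the full buffer size.
 * Returns 1 if dst ends up NUL-terminated, 0 if it does not. */
static int copy_with_strncpy(char dst[DEMO_BUFSZ], const char *src)
{
    memset(dst, 'X', DEMO_BUFSZ);   /* simulate stale, non-zero contents */
    strncpy(dst, src, DEMO_BUFSZ);  /* writes no NUL if strlen(src) >= DEMO_BUFSZ */
    return memchr(dst, '\0', DEMO_BUFSZ) != NULL;
}

/* Hypothetical helper with strlcpy()-style semantics: always terminates
 * (when size > 0) and returns strlen(src) so the caller can see truncation. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Copy the domain after '@' (assumed meaning of p+1 in the issue).
 * Returns 0 on success, -1 if there is no '@' or the domain was truncated. */
static int extract_domain(char *dst, size_t size, const char *envfrom)
{
    const char *p = strchr(envfrom, '@');
    if (p == NULL)
        return -1;
    return bounded_copy(dst, p + 1, size) >= size ? -1 : 0;
}

int main(void)
{
    char buf[DEMO_BUFSZ];
    /* constructed sender whose domain is longer than the buffer */
    int rc = extract_domain(buf, sizeof buf, "user@a-very-long-domain-name.example");
    printf("rc=%d domain=%s terminated=%d\n", rc, buf,
           copy_with_strncpy(buf, "a-very-long-domain-name.example"));
    return 0;
}
```

Rejecting an over-long domain, rather than continuing with the truncated value, is a choice made in this example; the issue only states that the copy was switched to strlcpy().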

Labels: needs-testing (Item in a testing branch, feedback required to merge)
