implement an email rate limiter (#21)

It's unclear to me whether the original Redis-based IP limiter worked, but we can't use our (known working) fail2ban-based IP limiter for email address, so we're forced to look into this.

This is a modified copy of the IpRateLimiter. I could have improved the IpRateLimiter to be more generic and check multiple components but that seemed like more trouble, after reviewing the way it works. We would have to copy the entire check() logic anyways, so it feels like it makes sense to just vendor that code completely for now, especially since we're in maintenance mode.

The IP rate limiter doesn't have unit tests so unfortunately we don't have any here. It would be difficult to implemetn this anyways without mocking Redis, but if we deploy this and it fails to do its job, it's the next step.