do not try to get a tls cert for autoconfig.<domain> at startup if there is no listener with autoconfig enabled

reduces needless logging in setups that don't use autoconfig.

http/web.go

@@ -821,14 +821,22 @@ func portServes(l config.Listener) map[int]*serve {
 	}
 
 	if l.TLS != nil && l.TLS.ACME != "" {
-		hosts := map[dns.Domain]struct{}{
+		m := mox.Conf.Static.ACME[l.TLS.ACME].Manager
-			mox.Conf.Static.HostnameDomain: {},
+		if ensureManagerHosts[m] == nil {
+			ensureManagerHosts[m] = map[dns.Domain]struct{}{}
 		}
+		hosts := ensureManagerHosts[m]
+		hosts[mox.Conf.Static.HostnameDomain] = struct{}{}
+
 		if l.HostnameDomain.ASCII != "" {
 			hosts[l.HostnameDomain] = struct{}{}
 		}
+
 		// All domains are served on all listeners. Gather autoconfig hostnames to ensure
-		// presence of TLS certificates for.
+		// presence of TLS certificates. Fetching a certificate on-demand may be too slow
+		// for the timeouts of clients doing autoconfig.
+
+		if l.AutoconfigHTTPS.Enabled && !l.AutoconfigHTTPS.NonTLS {
 			for _, name := range mox.Conf.Domains() {
 				if dom, err := dns.ParseDomain(name); err != nil {
 					pkglog.Errorx("parsing domain from config", err)
@@ -844,9 +852,7 @@ func portServes(l config.Listener) map[int]*serve {
 					hosts[autoconfdom] = struct{}{}
 				}
 			}
-
+		}
-		m := mox.Conf.Static.ACME[l.TLS.ACME].Manager
-		ensureManagerHosts[m] = hosts
 	}
 
 	for _, srv := range portServe {