aiosmtpd

starttls: Clear unencrypted commands from buffer

Open Arusekk opened this issue 2 years ago • 0 comments

What do these changes do?

When a STARTTLS command is not the last one in a pipeline, extra unencrypted commands may be treated as part of the encrypted communication, effectively allowing a bypass of the ALLOWED_BEFORE_STARTTLS list used when require_starttls=True. This PR adds a buffer flush to ensure it does not happen.

Are there changes in behavior for the user?

No behaviour change. Documentation reflects the changes already.

Related issue number

None.

Checklist

  • [x] I think the code is well written
  • [ ] Unit tests for the changes exist
  • [ ] tox testenvs have been executed in the following environments:
    • [x] Linux (Ubuntu 18.04, Ubuntu 20.04, Arch): {py36,py37,py38,py39}-{nocov,cov,diffcov}, qa, docs
    • [ ] Windows (7, 10): {py36,py37,py38,py39}-{nocov,cov,diffcov}
    • [ ] WSL 1.0 (Ubuntu 18.04): {py36,py37,py38,py39}-{nocov,cov,diffcov}, pypy3-{nocov,cov}, qa, docs
    • [ ] FreeBSD (12.2, 12.1, 11.4): {py36,pypy3}-{nocov,cov,diffcov}, qa
    • [ ] Cygwin: py36-{nocov,cov,diffcov}, qa, docs
  • [x] Documentation reflects the changes
  • [x] Add a news fragment into the NEWS.rst file

Arusekk, Jul 09 '23 11:07
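
The buffer handling this PR describes, modelled as an added example for use as a regression check; it is not aiosmtpd's code and not part of the PR. The `CommandReader` class, `run` helper, allow-list contents and sample input are all constructed for illustration, and setting `tls_active` stands in for the real TLS upgrade.

```python
# Toy model of a line-based SMTP command reader (hypothetical names, not aiosmtpd code).
ALLOWED_BEFORE_STARTTLS = {"EHLO", "NOOP", "QUIT", "STARTTLS"}  # constructed for this model


class CommandReader:
    def __init__(self, flush_on_starttls):
        self.flush_on_starttls = flush_on_starttls
        self.buffer = bytearray()   # bytes received but not yet parsed
        self.tls_active = False
        self.discarded = b""        # plaintext dropped at the upgrade
        self.log = []               # (verb, handled_as_encrypted, outcome)

    def feed(self, data):
        """Append bytes from the current transport and handle complete lines."""
        self.buffer += data
        while b"\r\n" in self.buffer:
            line, _, rest = bytes(self.buffer).partition(b"\r\n")
            self.buffer = bytearray(rest)
            self._handle(line.decode("ascii"))

    def _handle(self, line):
        verb = line.split(" ", 1)[0].upper()
        if not self.tls_active and verb not in ALLOWED_BEFORE_STARTTLS:
            self.log.append((verb, False, "rejected"))
            return
        self.log.append((verb, self.tls_active, "accepted"))
        if verb == "STARTTLS" and not self.tls_active:
            if self.flush_on_starttls:
                # Anything still buffered arrived before the handshake: drop it.
                self.discarded = bytes(self.buffer)
                self.buffer.clear()
            self.tls_active = True  # stands in for the real TLS upgrade


def run(flush_on_starttls):
    reader = CommandReader(flush_on_starttls)
    # Constructed sample: one plaintext segment with a command after STARTTLS.
    reader.feed(b"EHLO client.example\r\nSTARTTLS\r\nMAIL FROM:<a@example.org>\r\n")
    return reader


if __name__ == "__main__":
    for flush in (False, True):
        r = run(flush)
        print("flush" if flush else "no flush", r.log, r.discarded)
```

Without the flush, the model records the trailing plaintext command as handled in the encrypted state; with it, the leftover bytes are dropped before the upgrade.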