Ref T13053. See PHI291. For particularly sensitive objects (like security issues), installs may reasonably wish to prevent details from being sent in plaintext over email.
This adds a "Must Encrypt" mail behavior, which discards mail content and all identifying details, replacing it with a link to the /mail/ application. Users can follow the link to view the message over HTTPS.
The flag discards body content, attachments, and headers which imply things about the content of the object. It retains threading headers and headers which may uniquely identify the object as long as they don't disclose anything about the content.
The bin/mail list-outbound command now flags these messages with a # mark.
The bin/mail show-outbound command now shows sent/suppressed headers and the body content as delivered (if it differs from the original body content).
The /mail/ web UI now shows a tag for messages marked with this flag.
For now, there is no way to actually set this flag on mail.
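The behavior described in this commit message, sketched as an added example that is not part of the commit or of Phabricator's code: an allowlist keeps only routing and threading headers, everything else is reported as suppressed, and the body is rebuilt around an HTTPS link. The header allowlist, the generic sender and subject, the `/mail/detail/<id>/` path and the sample message are all assumptions made for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Assumed allowlist: routing and threading headers only. Illustrative, not
# the list Phabricator uses. Anything not named here is suppressed.
RETAINED = {"to", "date", "message-id", "in-reply-to", "references"}
GENERIC_FROM = "noreply@phabricator.example.com"   # constructed
GENERIC_SUBJECT = "Secure message"                  # constructed

def redact_for_delivery(raw, mail_id, base_uri):
    """Return (delivered message, sent header names, suppressed header names)."""
    original = message_from_string(raw)
    delivered = EmailMessage()
    sent, suppressed = [], []
    for name, value in original.items():
        if name.lower() in RETAINED:
            # Collapse folded whitespace so no CR/LF reaches the new header.
            delivered[name] = " ".join(value.split())
            sent.append(name)
        else:
            suppressed.append(name)
    delivered["From"] = GENERIC_FROM
    delivered["Subject"] = GENERIC_SUBJECT
    # The body is built from scratch, so original text and attachments are
    # dropped by construction. The link path is a hypothetical layout.
    delivered.set_content(
        "This message can only be viewed over HTTPS:\n"
        f"{base_uri}/mail/detail/{mail_id}/\n"
    )
    return delivered, sent, suppressed

# Constructed sample of an outbound notification about a security issue.
SAMPLE = """\
From: alice@phabricator.example.com
To: bob@phabricator.example.com
Date: Tue, 02 Jan 2018 10:00:00 +0000
Subject: [Maniphest] T123: Heap overflow in image parser
Message-ID: <mail-2@phabricator.example.com>
In-Reply-To: <thread-1@phabricator.example.com>
References: <thread-1@phabricator.example.com>
X-Example-Projects: #security

alice added a comment: the overflow is reachable without authentication.
"""

if __name__ == "__main__":
    msg, sent, suppressed = redact_for_delivery(
        SAMPLE, 123, "https://phabricator.example.com")
    print("sent:", sent)
    print("suppressed:", suppressed)
    print(msg.get_content())
```

An allowlist fails closed: a content-bearing header introduced later is suppressed unless someone deliberately adds it to the retained set.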