Protect against symlink attacks on MBX lockfile in /tmp as best we can:

 * if system supports O_NOFOLLOW, use it, protection complete
 * else detect the attack "too late" and abort, where at worst an empty file
   has been created as the attacked user
Our hands are tied by not changing the locking algorithm.

fixes: bug #989