feat: Don't send unencrypted Auto-Submitted header (#7938)

Cherry-picked 8c09ca3

Follow-up to https://github.com/chatmail/core/pull/7935

src/imap/session.rs

@@ -23,7 +23,6 @@ const PREFETCH_FLAGS: &str = "(UID INTERNALDATE RFC822.SIZE BODY.PEEK[HEADER.FIE
                               FROM \
                               CHAT-VERSION \
                               CHAT-IS-POST-MESSAGE \
-                              AUTO-SUBMITTED \
                               AUTOCRYPT-SETUP-MESSAGE\
                               )])";
 

src/mimefactory.rs

@@ -1553,13 +1553,10 @@ impl MimeFactory {
             | SystemMessage::MultiDeviceSync
             | SystemMessage::WebxdcStatusUpdate => {
                 // This should prevent automatic replies,
-                // such as non-delivery reports.
+                // such as non-delivery reports,
+                // if the message is unencrypted.
                 //
                 // See <https://tools.ietf.org/html/rfc3834>
-                //
-                // Adding this header without encryption leaks some
-                // information about the message contents, but it can
-                // already be easily guessed from message timing and size.
                 headers.push((
                     "Auto-Submitted",
                     mail_builder::headers::raw::Raw::new("auto-generated").into(),
@@ -2190,10 +2187,7 @@ fn group_headers_by_confidentiality(
                         mail_builder::headers::raw::Raw::new("[...]").into(),
                     ));
                 }
-                "auto-submitted"
-                | "chat-version"
-                | "autocrypt-setup-message"
-                | "chat-is-post-message" => {
+                "chat-version" | "autocrypt-setup-message" | "chat-is-post-message" => {
                     unprotected_headers.push(header.clone());
                 }
                 _ => {

src/securejoin/securejoin_tests.rs

@@ -138,14 +138,15 @@ async fn test_setup_contact_ex(case: SetupContactCase) {
     );
 
     let sent = alice.pop_sent_msg().await;
-    assert_eq!(
-        sent.payload.contains("Auto-Submitted: auto-generated"),
-        alice_auto_submitted_hdr
-    );
+    assert_eq!(sent.payload.contains("Auto-Submitted:"), false);
     assert!(!sent.payload.contains("Alice Exampleorg"));
     let msg = bob.parse_msg(&sent).await;
     assert!(msg.was_encrypted());
     assert_eq!(msg.get_header(HeaderDef::SecureJoin).unwrap(), "vc-pubkey");
+    assert_eq!(
+        msg.get_header(HeaderDef::AutoSubmitted),
+        alice_auto_submitted_hdr.then_some("auto-generated")
+    );
 
     let bob_chat = bob.get_chat(&alice).await;
     assert_eq!(bob_chat.can_send(&bob).await.unwrap(), true);
@@ -266,7 +267,7 @@ async fn test_setup_contact_ex(case: SetupContactCase) {
     let sent = alice.pop_sent_msg().await;
     assert_eq!(
         sent.payload.contains("Auto-Submitted: auto-generated"),
-        alice_auto_submitted_hdr
+        false
     );
     assert!(!sent.payload.contains("Alice Exampleorg"));
     let msg = bob.parse_msg(&sent).await;