refactor(ratelimit): Return Duration from Ratelimit functions

- `Ratelimit` is rather a low-level Rust tool, so it should only use `Duration` and `SystemTime`.
- Rename `Ratelimit::update_interval()` to `min_send_interval()`, the word "update" only occurs in
  `last_update`, but it's a private field.

deltachat-ffi/deltachat.h

@@ -413,6 +413,11 @@ char*           dc_get_blobdir               (const dc_context_t* context);
  *                    Messages in the "saved messages" chat (see dc_chat_is_self_talk()) are skipped.
  *                    Messages are deleted whether they were seen or not, the UI should clearly point that out.
  *                    See also dc_estimate_deletion_cnt().
+ * - `delete_server_after` = 0=do not delete messages from server automatically (default),
+ *                    1=delete messages directly after receiving from server, mvbox is skipped.
+ *                    >1=seconds, after which messages are deleted automatically from the server, mvbox is used as defined.
+ *                    "Saved messages" are deleted from the server as well as emails, the UI should clearly point that out.
+ *                    See also dc_estimate_deletion_cnt().
  * - `media_quality` = DC_MEDIA_QUALITY_BALANCED (0) =
  *                    good outgoing images/videos/voice quality at reasonable sizes (default)
  *                    DC_MEDIA_QUALITY_WORSE (1)
@@ -1456,16 +1461,16 @@ dc_chatlist_t*     dc_get_similar_chatlist   (dc_context_t* context, uint32_t ch
 
 /**
  * Estimate the number of messages that will be deleted
- * by the dc_set_config()-option `delete_device_after`.
+ * by the dc_set_config()-options `delete_device_after` or `delete_server_after`.
  * This is typically used to show the estimated impact to the user
  * before actually enabling deletion of old messages.
  *
  * @memberof dc_context_t
  * @param context The context object as returned from dc_context_new().
- * @param from_server Deprecated, pass 0 here
+ * @param from_server 1=Estimate deletion count for server, 0=Estimate deletion count for device
  * @param seconds Count messages older than the given number of seconds.
  * @return Number of messages that are older than the given number of seconds.
- *     Messages in the "Saved Messages" chat are not counted as they will not be deleted automatically.
+ *     Messages in the "saved messages" folder are not counted as they will not be deleted automatically.
  */
 int             dc_estimate_deletion_cnt    (dc_context_t* context, int from_server, int64_t seconds);
 

deltachat-jsonrpc/src/api.rs

@@ -735,19 +735,10 @@ impl CommandApi {
         Ok(msg_ids)
     }
 
-    /// Estimates the number of messages that will be deleted
-    /// by the `set_config()`-option `delete_device_after`.
-    ///
+    /// Estimate the number of messages that will be deleted
+    /// by the set_config()-options `delete_device_after` or `delete_server_after`.
     /// This is typically used to show the estimated impact to the user
     /// before actually enabling deletion of old messages.
-    ///
-    /// Messages in the "Saved Messages" chat are not counted as they will not be deleted automatically.
-    ///
-    /// Parameters:
-    /// - `from_server`: Deprecated, pass `false` here
-    /// - `seconds`: Count messages older than the given number of seconds.
-    ///
-    /// Returns the number of messages that are older than the given number of seconds.
     async fn estimate_auto_deletion_count(
         &self,
         account_id: u32,

deltachat-jsonrpc/src/api/types/webxdc.rs

@@ -66,7 +66,7 @@ impl WebxdcMessageInfo {
             self_addr,
             is_app_sender,
             is_broadcast,
-            send_update_interval,
+            send_update_interval_ms,
             send_update_max_size,
         } = message.get_webxdc_info(context).await?;
 
@@ -80,7 +80,7 @@ impl WebxdcMessageInfo {
             self_addr,
             is_app_sender,
             is_broadcast,
-            send_update_interval,
+            send_update_interval: send_update_interval_ms,
             send_update_max_size,
         })
     }

deltachat-ratelimit/src/lib.rs

@@ -91,9 +91,9 @@ impl Ratelimit {
         self.until_can_send_at(SystemTime::now())
     }
 
-    /// Returns minimum possible update interval in milliseconds.
-    pub fn update_interval(&self) -> usize {
-        (self.window.as_millis() as f64 / self.quota) as usize
+    /// Returns the minimum possible sending interval.
+    pub fn min_send_interval(&self) -> Duration {
+        self.window.div_f64(self.quota)
     }
 }
 
@@ -107,7 +107,7 @@ mod tests {
 
         let mut ratelimit = Ratelimit::new_at(Duration::new(60, 0), 3.0, now);
         assert!(ratelimit.can_send_at(now));
-        assert_eq!(ratelimit.update_interval(), 20_000);
+        assert_eq!(ratelimit.min_send_interval(), Duration::new(20, 0));
 
         // Send burst of 3 messages.
         ratelimit.send_at(now);

deltachat-rpc-client/tests/test_folders.py

@@ -14,13 +14,10 @@ def test_moved_markseen(acfactory, direct_imap, log):
     ac2.add_or_update_transport({"addr": addr, "password": password})
     ac2.bring_online()
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac1.set_config("bcc_self", "1")
-    ac2.set_config("bcc_self", "1")
-
     log.section("ac2: creating DeltaChat folder")
     ac2_direct_imap = direct_imap(ac2)
     ac2_direct_imap.create_folder("DeltaChat")
+    ac2.set_config("delete_server_after", "0")
     ac2.set_config("sync_msgs", "0")  # Do not send a sync message when accepting a contact request.
 
     ac2.add_or_update_transport({"addr": addr, "password": password, "imapFolder": "DeltaChat"})
@@ -60,9 +57,11 @@ def test_moved_markseen(acfactory, direct_imap, log):
 def test_markseen_message_and_mdn(acfactory, direct_imap):
     ac1, ac2 = acfactory.get_online_accounts(2)
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac1.set_config("bcc_self", "1")
-    ac2.set_config("bcc_self", "1")
+    for ac in ac1, ac2:
+        ac.set_config("delete_server_after", "0")
+
+    # Do not send BCC to self, we only want to test MDN on ac1.
+    ac1.set_config("bcc_self", "0")
 
     acfactory.get_accepted_chat(ac1, ac2).send_text("hi")
     msg = ac2.wait_for_incoming_msg()
@@ -82,18 +81,17 @@ def test_markseen_message_and_mdn(acfactory, direct_imap):
     ac1_direct_imap.select_folder("INBOX")
     ac2_direct_imap.select_folder("INBOX")
 
-    # Check that the mdn and original message is marked as seen
-    assert len(list(ac1_direct_imap.conn.fetch(AND(seen=True), mark_seen=False))) == 2
-    assert len(list(ac2_direct_imap.conn.fetch(AND(seen=True), mark_seen=False))) == 2
+    # Check that the mdn is marked as seen
+    assert len(list(ac1_direct_imap.conn.fetch(AND(seen=True), mark_seen=False))) == 1
+    # Check original message is marked as seen
+    assert len(list(ac2_direct_imap.conn.fetch(AND(seen=True), mark_seen=False))) == 1
 
 
 def test_trash_multiple_messages(acfactory, direct_imap, log):
     ac1, ac2 = acfactory.get_online_accounts(2)
     ac2.stop_io()
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac2.set_config("bcc_self", "1")
-
+    ac2.set_config("delete_server_after", "0")
     ac2.set_config("sync_msgs", "0")
 
     ac2.start_io()

deltachat-rpc-client/tests/test_multidevice.py

@@ -4,29 +4,39 @@ from deltachat_rpc_client import EventType
 from deltachat_rpc_client.const import MessageState
 
 
-def test_bcc_self_is_enabled_when_setting_up_second_device(acfactory):
+def test_bcc_self_delete_server_after_defaults(acfactory):
+    """Test default values for bcc_self and delete_server_after."""
     ac = acfactory.get_online_account()
 
     # Initially after getting online
     # the setting bcc_self is set to 0 because there is only one device
+    # and delete_server_after is "1", meaning immediate deletion.
     assert ac.get_config("bcc_self") == "0"
+    assert ac.get_config("delete_server_after") == "1"
 
     # Setup a second device.
     ac_clone = ac.clone()
     ac_clone.bring_online()
 
-    # Second device setup enables bcc_self.
+    # Second device setup
+    # enables bcc_self and changes default delete_server_after.
     assert ac.get_config("bcc_self") == "1"
-    assert ac_clone.get_config("bcc_self") == "1"
+    assert ac.get_config("delete_server_after") == "0"
 
-    # Test manually disabling bcc_self
+    assert ac_clone.get_config("bcc_self") == "1"
+    assert ac_clone.get_config("delete_server_after") == "0"
+
+    # Manually disabling bcc_self
+    # also restores the default for delete_server_after.
     ac.set_config("bcc_self", "0")
     assert ac.get_config("bcc_self") == "0"
+    assert ac.get_config("delete_server_after") == "1"
 
-    # Cloning the account again enables bcc_self again
+    # Cloning the account again enables bcc_self
     # even though it was manually disabled.
     ac_clone = ac.clone()
     assert ac.get_config("bcc_self") == "1"
+    assert ac.get_config("delete_server_after") == "0"
 
 
 def test_one_account_send_bcc_setting(acfactory, log, direct_imap):

deltachat-rpc-client/tests/test_something.py

@@ -1232,12 +1232,11 @@ def test_leave_and_delete_group(acfactory, log):
 
 
 def test_immediate_autodelete(acfactory, direct_imap, log):
-    """
-    `bcc_self` is off by default,
-    so that messages are supposed to be immediately autodeleted
-    """
     ac1, ac2 = acfactory.get_online_accounts(2)
 
+    # "1" means delete immediately, while "0" means do not delete
+    ac2.set_config("delete_server_after", "1")
+
     log.section("ac1: create chat with ac2")
     chat1 = ac1.create_chat(ac2)
     ac2.create_chat(ac1)

python/src/deltachat/testplugin.py

@@ -521,6 +521,7 @@ class ACFactory:
         assert "addr" in configdict and "mail_pw" in configdict, configdict
         configdict.setdefault("bcc_self", False)
         configdict.setdefault("sync_msgs", False)
+        configdict.setdefault("delete_server_after", 0)
         ac.update_config(configdict)
         self._acsetup._account2config[ac] = configdict
         self._preconfigure_key(ac)

python/tests/test_0_complex_or_slow.py

@@ -298,6 +298,73 @@ def test_use_new_verified_group_after_going_online(acfactory, data, tmp_path, lp
     assert msg_in.text == msg_out.text
 
 
+def test_verified_group_vs_delete_server_after(acfactory, tmp_path, lp):
+    """Test for the issue #4346:
+    - User is added to a verified group.
+    - First device of the user downloads "member added" from the group.
+    - First device removes "member added" from the server.
+    - Some new messages are sent to the group.
+    - Second device comes online, receives these new messages.
+      The result is an unverified group with unverified members.
+    - First device re-gossips Autocrypt keys to the group.
+    - Now the second device has all members and group verified.
+    """
+    ac1, ac2 = acfactory.get_online_accounts(2)
+    acfactory.remove_preconfigured_keys()
+    ac2_offl = acfactory.new_online_configuring_account(cloned_from=ac2)
+    for ac in [ac2, ac2_offl]:
+        ac.set_config("bcc_self", "1")
+    ac2.set_config("delete_server_after", "1")
+    ac2.set_config("gossip_period", "0")  # Re-gossip in every message
+    acfactory.bring_accounts_online()
+    dir = tmp_path / "exportdir"
+    dir.mkdir()
+    ac2.export_self_keys(str(dir))
+    ac2_offl.import_self_keys(str(dir))
+    ac2_offl.stop_io()
+
+    lp.sec("ac1: create verified-group QR, ac2 scans and joins")
+    chat1 = ac1.create_group_chat("hello")
+    qr = chat1.get_join_qr()
+    lp.sec("ac2: start QR-code based join-group protocol")
+    chat2 = ac2.qr_join_chat(qr)
+    ac1._evtracker.wait_securejoin_inviter_progress(1000)
+    # Wait for "Member Me (<addr>) added by <addr>." message.
+    msg_in = ac2._evtracker.wait_next_incoming_message()
+    assert msg_in.is_system_message()
+
+    lp.sec("ac2: waiting for 'member added' to be deleted on the server")
+    ac2._evtracker.get_matching("DC_EVENT_IMAP_MESSAGE_DELETED")
+
+    lp.sec("ac1: sending 'hi' to the group")
+    ac2.set_config("delete_server_after", "0")
+    chat1.send_text("hi")
+
+    lp.sec("ac2_offl: going online, checking the 'hi' message")
+    ac2_offl.start_io()
+    msg_in = ac2_offl._evtracker.wait_next_incoming_message()
+    assert not msg_in.is_system_message()
+    assert msg_in.text == "hi"
+    ac2_offl_ac1_contact = msg_in.get_sender_contact()
+    assert ac2_offl_ac1_contact.addr == ac1.get_config("addr")
+    assert not ac2_offl_ac1_contact.is_verified()
+    chat2_offl = msg_in.chat
+
+    lp.sec("ac2: sending message re-gossiping Autocrypt keys")
+    chat2.send_text("hi2")
+
+    lp.sec("ac2_offl: receiving message")
+    ev = ac2_offl._evtracker.get_matching("DC_EVENT_INCOMING_MSG|DC_EVENT_MSGS_CHANGED")
+    msg_in = ac2_offl.get_message_by_id(ev.data2)
+    assert not msg_in.is_system_message()
+    assert msg_in.text == "hi2"
+    assert msg_in.chat == chat2_offl
+    assert msg_in.get_sender_contact().addr == ac2.get_config("addr")
+    # Until we reset verifications and then send the _verified header,
+    # verification is not gossiped here:
+    assert not ac2_offl_ac1_contact.is_verified()
+
+
 def test_deleted_msgs_dont_reappear(acfactory):
     ac1 = acfactory.new_online_configuring_account()
     acfactory.bring_accounts_online()

python/tests/test_1_online.py

@@ -15,9 +15,6 @@ def test_basic_imap_api(acfactory, tmp_path):
     ac1, ac2 = acfactory.get_online_accounts(2)
     chat12 = acfactory.get_accepted_chat(ac1, ac2)
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac2.set_config("bcc_self", "1")
-
     imap2 = ac2.direct_imap
 
     with imap2.idle() as idle2:
@@ -165,9 +162,6 @@ def test_webxdc_message(acfactory, data, lp):
     ac1, ac2 = acfactory.get_online_accounts(2)
     chat = acfactory.get_accepted_chat(ac1, ac2)
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac2.set_config("bcc_self", "1")
-
     lp.sec("ac1: prepare and send text message to ac2")
     msg1 = chat.send_text("message0")
     assert not msg1.is_webxdc()
@@ -368,10 +362,6 @@ def test_send_and_receive_message_markseen(acfactory, lp):
     # make DC's life harder wrt to encodings
     ac1.set_config("displayname", "ä name")
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac1.set_config("bcc_self", "1")
-    ac2.set_config("bcc_self", "1")
-
     # clear any fresh device messages
     ac1.get_device_chat().mark_noticed()
     ac2.get_device_chat().mark_noticed()
@@ -516,15 +506,9 @@ def test_mdn_asymmetric(acfactory, lp):
     ac1.set_config("mdns_enabled", "1")
     ac2.set_config("mdns_enabled", "1")
 
-    # Make sure that the mdn is not immediately auto-deleted on the server:
-    ac1.set_config("bcc_self", "1")
-
     lp.sec("sending text message from ac1 to ac2")
     msg_out = chat.send_text("message1")
 
-    # Wait for the message to be marked as seen on IMAP.
-    ac1._evtracker.get_info_contains("Marked messages [0-9]+ in folder INBOX as seen.")
-
     assert len(chat.get_messages()) == 1 + E2EE_INFO_MSGS
 
     lp.sec("disable ac1 MDNs")
@@ -541,7 +525,7 @@ def test_mdn_asymmetric(acfactory, lp):
     lp.sec("ac1: waiting for incoming activity")
     assert len(chat.get_messages()) == 1 + E2EE_INFO_MSGS
 
-    # Wait for the mdn to be marked as seen on IMAP.
+    # Wait for the message to be marked as seen on IMAP.
     ac1._evtracker.get_info_contains("Marked messages [0-9]+ in folder INBOX as seen.")
 
     # MDN is received even though MDNs are already disabled
@@ -1089,8 +1073,6 @@ def test_send_receive_locations(acfactory, lp):
 
 def test_delete_multiple_messages(acfactory, lp):
     ac1, ac2 = acfactory.get_online_accounts(2)
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac2.set_config("bcc_self", "1")
     chat12 = acfactory.get_accepted_chat(ac1, ac2)
 
     lp.sec("ac1: sending seven messages")

scripts/update-provider-database.sh

@@ -6,7 +6,7 @@ set -euo pipefail
 export TZ=UTC
 
 # Provider database revision.
-REV=2cba4b72f4c6e6417b83ba549aff7781be5f166c
+REV=ad097ee40579c884e7757de2d3bb0a51f481a32a
 
 CORE_ROOT="$PWD"
 TMP="$(mktemp -d)"

src/config.rs

@@ -194,6 +194,17 @@ pub enum Config {
     #[strum(props(default = "0"))] // also change MediaQuality.default() on changes
     MediaQuality,
 
+    /// Timer in seconds after which the message is deleted from the
+    /// server.
+    ///
+    /// 0 means messages are never deleted by Delta Chat.
+    ///
+    /// Value 1 is treated as "delete at once": messages are deleted
+    /// immediately, without moving to DeltaChat folder.
+    ///
+    /// Default is 1 for chatmail accounts without `BccSelf`, 0 otherwise.
+    DeleteServerAfter,
+
     /// Timer in seconds after which the message is deleted from the
     /// device.
     ///
@@ -543,6 +554,14 @@ impl Context {
         // Default values
         let val = match key {
             Config::ConfiguredInboxFolder => Some("INBOX".to_string()),
+            Config::DeleteServerAfter => {
+                match !Box::pin(self.get_config_bool(Config::BccSelf)).await?
+                    && Box::pin(self.is_chatmail()).await?
+                {
+                    true => Some("1".to_string()),
+                    false => Some("0".to_string()),
+                }
+            }
             Config::Addr => self.get_config_opt(Config::ConfiguredAddr).await?,
             _ => key.get_str("default").map(|s| s.to_string()),
         };
@@ -623,6 +642,23 @@ impl Context {
         self.get_config_bool(Config::MdnsEnabled).await
     }
 
+    /// Gets configured "delete_server_after" value.
+    ///
+    /// `None` means never delete the message, `Some(0)` means delete
+    /// at once, `Some(x)` means delete after `x` seconds.
+    pub async fn get_config_delete_server_after(&self) -> Result<Option<i64>> {
+        let val = match self
+            .get_config_parsed::<i64>(Config::DeleteServerAfter)
+            .await?
+            .unwrap_or(0)
+        {
+            0 => None,
+            1 => Some(0),
+            x => Some(x),
+        };
+        Ok(val)
+    }
+
     /// Gets the configured provider.
     ///
     /// The provider is determined by the current primary transport.

src/config/config_tests.rs

@@ -142,6 +142,28 @@ async fn test_mdns_default_behaviour() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_delete_server_after_default() -> Result<()> {
+    let t = &TestContext::new_alice().await;
+
+    // Check that the settings are displayed correctly.
+    assert_eq!(t.get_config(Config::BccSelf).await?, Some("1".to_string()));
+    assert_eq!(
+        t.get_config(Config::DeleteServerAfter).await?,
+        Some("0".to_string())
+    );
+
+    // Leaving emails on the server even w/o `BccSelf` is a good default at least because other
+    // MUAs do so even if the server doesn't save sent messages to some sentbox (like Gmail
+    // does).
+    t.set_config_bool(Config::BccSelf, false).await?;
+    assert_eq!(
+        t.get_config(Config::DeleteServerAfter).await?,
+        Some("0".to_string())
+    );
+    Ok(())
+}
+
 const SAVED_MESSAGES_DEDUPLICATED_FILE: &str = "969142cb84015bc135767bc2370934a.png";
 
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]

src/context.rs

@@ -973,6 +973,12 @@ impl Context {
                 .await?
                 .to_string(),
         );
+        res.insert(
+            "delete_server_after",
+            self.get_config_int(Config::DeleteServerAfter)
+                .await?
+                .to_string(),
+        );
         res.insert(
             "last_housekeeping",
             self.get_config_int(Config::LastHousekeeping)

src/download.rs

@@ -15,6 +15,12 @@ use crate::{EventType, chatlist_events};
 pub(crate) mod post_msg_metadata;
 pub(crate) use post_msg_metadata::PostMsgMetadata;
 
+/// If a message is downloaded only partially
+/// and `delete_server_after` is set to small timeouts (eg. "at once"),
+/// the user might have no chance to actually download that message.
+/// `MIN_DELETE_SERVER_AFTER` increases the timeout in this case.
+pub(crate) const MIN_DELETE_SERVER_AFTER: i64 = 48 * 60 * 60;
+
 /// From this point onward outgoing messages are considered large
 /// and get a Pre-Message, which announces the Post-Message.
 /// This is only about sending so we can modify it any time.

src/ephemeral.rs

@@ -23,15 +23,16 @@
 //! ## Device settings
 //!
 //! In addition to per-chat ephemeral message setting, each device has
-//! a global user-configured setting that complements per-chat
-//! settings, `delete_device_after`.
-//! This setting is not synchronized among devices and applies to all
+//! two global user-configured settings that complement per-chat
+//! settings: `delete_device_after` and `delete_server_after`. These
+//! settings are not synchronized among devices and apply to all
 //! messages known to the device, including messages sent or received
 //! before configuring the setting.
 //!
 //! `delete_device_after` configures the maximum time device is
-//! storing the messages locally,
-//! but does not delete messages from the server.
+//! storing the messages locally. `delete_server_after` configures the
+//! time after which device will delete the messages it knows about
+//! from the server.
 //!
 //! ## How messages are deleted
 //!
@@ -59,8 +60,9 @@
 //!
 //! Server deletion happens by updating the `imap` table based on
 //! the database entries which are expired either according to their
-//! ephemeral message timers.
+//! ephemeral message timers or global `delete_server_after` setting.
 
+use std::cmp::max;
 use std::collections::BTreeSet;
 use std::fmt;
 use std::num::ParseIntError;
@@ -76,6 +78,7 @@ use crate::chat::{ChatId, ChatIdBlocked, send_msg};
 use crate::constants::{DC_CHAT_ID_LAST_SPECIAL, DC_CHAT_ID_TRASH};
 use crate::contact::ContactId;
 use crate::context::Context;
+use crate::download::MIN_DELETE_SERVER_AFTER;
 use crate::events::EventType;
 use crate::log::{LogExt, warn};
 use crate::message::{Message, MessageState, MsgId, Viewtype};
@@ -648,8 +651,23 @@ pub(crate) async fn ephemeral_loop(context: &Context, interrupt_receiver: Receiv
 }
 
 /// Schedules expired IMAP messages for deletion.
+#[expect(clippy::arithmetic_side_effects)]
 pub(crate) async fn delete_expired_imap_messages(context: &Context) -> Result<()> {
     let now = time();
+
+    let (threshold_timestamp, threshold_timestamp_extended) =
+        match context.get_config_delete_server_after().await? {
+            None => (0, 0),
+            Some(delete_server_after) => (
+                match delete_server_after {
+                    // Guarantee immediate deletion.
+                    0 => i64::MAX,
+                    _ => now - delete_server_after,
+                },
+                now - max(delete_server_after, MIN_DELETE_SERVER_AFTER),
+            ),
+        };
+
     context
         .sql
         .execute(
@@ -657,9 +675,11 @@ pub(crate) async fn delete_expired_imap_messages(context: &Context) -> Result<()
              SET target=''
              WHERE rfc724_mid IN (
                SELECT rfc724_mid FROM msgs
-               WHERE ephemeral_timestamp != 0 AND ephemeral_timestamp <= ?
+               WHERE ((download_state = 0 AND timestamp < ?) OR
+                      (download_state != 0 AND timestamp < ?) OR
+                      (ephemeral_timestamp != 0 AND ephemeral_timestamp <= ?))
              )",
-            (now,),
+            (threshold_timestamp, threshold_timestamp_extended, now),
         )
         .await?;
 

src/ephemeral/ephemeral_tests.rs

@@ -455,6 +455,7 @@ async fn test_delete_expired_imap_messages() -> Result<()> {
     let uidvalidity = 12345;
     for (id, timestamp, ephemeral_timestamp) in &[
         (900, now - 2 * HOUR, 0),
+        (1000, now - 23 * HOUR - MIN_DELETE_SERVER_AFTER, 0),
         (1010, now - 23 * HOUR, 0),
         (1020, now - 21 * HOUR, 0),
         (1030, now - 19 * HOUR, 0),
@@ -511,6 +512,29 @@ async fn test_delete_expired_imap_messages() -> Result<()> {
         0
     );
 
+    t.set_config(Config::DeleteServerAfter, Some(&*(25 * HOUR).to_string()))
+        .await?;
+    delete_expired_imap_messages(&t).await?;
+    test_marked_for_deletion(&t, 1000).await?;
+
+    MsgId::new(1000)
+        .update_download_state(&t, DownloadState::Available)
+        .await?;
+    t.sql
+        .execute("UPDATE imap SET target=folder WHERE rfc724_mid='1000'", ())
+        .await?;
+    delete_expired_imap_messages(&t).await?;
+    test_marked_for_deletion(&t, 1000).await?; // Delete downloadable anyway.
+    remove_uid(&t, 1000).await?;
+
+    t.set_config(Config::DeleteServerAfter, Some(&*(22 * HOUR).to_string()))
+        .await?;
+    delete_expired_imap_messages(&t).await?;
+    test_marked_for_deletion(&t, 1010).await?;
+    t.sql
+        .execute("UPDATE imap SET target=folder WHERE rfc724_mid='1010'", ())
+        .await?;
+
     MsgId::new(1010)
         .update_download_state(&t, DownloadState::Available)
         .await?;
@@ -523,6 +547,10 @@ async fn test_delete_expired_imap_messages() -> Result<()> {
         0
     );
 
+    t.set_config(Config::DeleteServerAfter, Some("1")).await?;
+    delete_expired_imap_messages(&t).await?;
+    test_marked_for_deletion(&t, 3000).await?;
+
     Ok(())
 }
 

src/imap.rs

@@ -1284,7 +1284,6 @@ impl Session {
         if request_uids.is_empty() {
             return Ok(());
         }
-        let is_chatmail = self.is_chatmail();
 
         for (request_uids, set) in build_sequence_sets(&request_uids)? {
             info!(context, "Starting UID FETCH of message set \"{}\".", set);
@@ -1382,20 +1381,6 @@ impl Session {
                     "Passing message UID {} to receive_imf().", request_uid
                 );
                 let res = receive_imf_inner(context, rfc724_mid, body, is_seen).await;
-
-                // If the message is not needed anymore on the server, mark it for deletion:
-                if !context.get_config_bool(Config::BccSelf).await? && is_chatmail {
-                    context
-                        .sql
-                        .execute(
-                            "UPDATE imap SET target='' WHERE rfc724_mid=?",
-                            (rfc724_mid,),
-                        )
-                        .await?;
-                    context.scheduler.interrupt_inbox().await;
-                }
-
-                // If there was an error receiving the message, show a device message:
                 let received_msg = match res {
                     Err(err) => {
                         warn!(context, "receive_imf error: {err:#}.");

src/imex.rs

@@ -980,15 +980,20 @@ mod tests {
 
         // Check that the settings are displayed correctly.
         assert_eq!(
-            context1.get_config(Config::BccSelf).await?,
+            context1.get_config(Config::DeleteServerAfter).await?,
             Some("0".to_string())
         );
         context1.set_config_bool(Config::IsChatmail, true).await?;
+        assert_eq!(
+            context1.get_config(Config::BccSelf).await?,
+            Some("0".to_string())
+        );
+        assert_eq!(
+            context1.get_config(Config::DeleteServerAfter).await?,
+            Some("1".to_string())
+        );
 
-        assert_eq!(context1.get_config_bool(Config::IsMuted).await?, false);
-        context1.set_config_bool(Config::IsMuted, true).await?;
-        assert_eq!(context1.get_config_bool(Config::IsMuted).await?, true);
-
+        assert_eq!(context1.get_config_delete_server_after().await?, Some(0));
         imex(context1, ImexMode::ExportBackup, backup_dir.path(), None).await?;
         let _event = context1
             .evtracker
@@ -1005,9 +1010,15 @@ mod tests {
         assert!(context2.is_configured().await?);
         assert!(context2.is_chatmail().await?);
         for ctx in [context1, context2] {
-            // BccSelf should be enabled automatically when exporting a backup
-            assert_eq!(ctx.get_config_bool(Config::BccSelf).await?, true);
-            assert_eq!(ctx.get_config_bool(Config::IsMuted).await?, true);
+            assert_eq!(
+                ctx.get_config(Config::BccSelf).await?,
+                Some("1".to_string())
+            );
+            assert_eq!(
+                ctx.get_config(Config::DeleteServerAfter).await?,
+                Some("0".to_string())
+            );
+            assert_eq!(ctx.get_config_delete_server_after().await?, None);
         }
         Ok(())
     }

src/message.rs

@@ -2105,52 +2105,63 @@ pub async fn get_request_msg_cnt(context: &Context) -> usize {
 }
 
 /// Estimates the number of messages that will be deleted
-/// by the `set_config()`-option `delete_device_after`.
+/// by the options `delete_device_after` or `delete_server_after`.
 ///
 /// This is typically used to show the estimated impact to the user
 /// before actually enabling deletion of old messages.
 ///
-/// Messages in the "Saved Messages" chat are not counted as they will not be deleted automatically.
+/// If `from_server` is true,
+/// estimate deletion count for server,
+/// otherwise estimate deletion count for device.
 ///
-/// Parameters:
-/// - `from_server`: Deprecated, pass `false` here
-/// - `seconds`: Count messages older than the given number of seconds.
+/// Count messages older than the given number of `seconds`.
 ///
 /// Returns the number of messages that are older than the given number of seconds.
+/// Messages in the "saved messages" folder are not counted as they will not be deleted automatically.
 #[expect(clippy::arithmetic_side_effects)]
 pub async fn estimate_deletion_cnt(
     context: &Context,
     from_server: bool,
     seconds: i64,
 ) -> Result<usize> {
-    ensure!(
-        !from_server,
-        "The `delete_server_after` config option was removed. You need to pass `false` for `from_server`."
-    );
-
     let self_chat_id = ChatIdBlocked::lookup_by_contact(context, ContactId::SELF)
         .await?
         .map(|c| c.id)
         .unwrap_or_default();
     let threshold_timestamp = time() - seconds;
 
-    let cnt = context
-        .sql
-        .count(
-            "SELECT COUNT(*)
+    let cnt = if from_server {
+        context
+            .sql
+            .count(
+                "SELECT COUNT(*)
+             FROM msgs m
+             WHERE m.id > ?
+               AND timestamp < ?
+               AND chat_id != ?
+               AND EXISTS (SELECT * FROM imap WHERE rfc724_mid=m.rfc724_mid);",
+                (DC_MSG_ID_LAST_SPECIAL, threshold_timestamp, self_chat_id),
+            )
+            .await?
+    } else {
+        context
+            .sql
+            .count(
+                "SELECT COUNT(*)
              FROM msgs m
              WHERE m.id > ?
                AND timestamp < ?
                AND chat_id != ?
                AND chat_id != ? AND hidden = 0;",
-            (
-                DC_MSG_ID_LAST_SPECIAL,
-                threshold_timestamp,
-                self_chat_id,
-                DC_CHAT_ID_TRASH,
-            ),
-        )
-        .await?;
+                (
+                    DC_MSG_ID_LAST_SPECIAL,
+                    threshold_timestamp,
+                    self_chat_id,
+                    DC_CHAT_ID_TRASH,
+                ),
+            )
+            .await?
+    };
     Ok(cnt)
 }
 

src/provider/data.rs

@@ -890,10 +890,16 @@ static P_NAUTA_CU: Provider = Provider {
         strict_tls: false,
         ..ProviderOptions::new()
     },
-    config_defaults: Some(&[ConfigDefault {
-        key: Config::MediaQuality,
-        value: "1",
-    }]),
+    config_defaults: Some(&[
+        ConfigDefault {
+            key: Config::DeleteServerAfter,
+            value: "1",
+        },
+        ConfigDefault {
+            key: Config::MediaQuality,
+            value: "1",
+        },
+    ]),
     oauth2_authorizer: None,
 };
 
@@ -2376,4 +2382,4 @@ pub(crate) static PROVIDER_IDS: LazyLock<HashMap<&'static str, &'static Provider
     });
 
 pub static _PROVIDER_UPDATED: LazyLock<chrono::NaiveDate> =
-    LazyLock::new(|| chrono::NaiveDate::from_ymd_opt(2026, 5, 6).unwrap());
+    LazyLock::new(|| chrono::NaiveDate::from_ymd_opt(2026, 4, 21).unwrap());

src/receive_imf.rs

@@ -904,8 +904,10 @@ UPDATE config SET value=? WHERE keyname='configured_addr' AND value!=?1
     }
 
     // Get user-configured server deletion
+    let delete_server_after = context.get_config_delete_server_after().await?;
+
     if !received_msg.msg_ids.is_empty() {
-        let target = if received_msg.needs_delete_job {
+        let target = if received_msg.needs_delete_job || delete_server_after == Some(0) {
             Some("".to_string())
         } else {
             None

src/receive_imf/receive_imf_tests.rs

@@ -1978,10 +1978,15 @@ async fn test_no_smtp_job_for_self_chat() -> Result<()> {
     assert!(bob.pop_sent_msg_opt(Duration::ZERO).await.is_none());
 
     bob.set_config_bool(Config::BccSelf, true).await?;
+    bob.set_config(Config::DeleteServerAfter, Some("1")).await?;
+    let mut msg = Message::new_text("Happy birthday to me".to_string());
+    chat::send_msg(bob, chat_id, &mut msg).await?;
+    assert!(bob.pop_sent_msg_opt(Duration::ZERO).await.is_none());
+
+    bob.set_config(Config::DeleteServerAfter, None).await?;
     let mut msg = Message::new_text("Happy birthday to me".to_string());
     chat::send_msg(bob, chat_id, &mut msg).await?;
     assert!(bob.pop_sent_msg_opt(Duration::ZERO).await.is_some());
-
     Ok(())
 }
 

src/smtp.rs

@@ -699,22 +699,26 @@ pub(crate) async fn add_self_recipients(
     recipients: &mut Vec<String>,
     encrypted: bool,
 ) -> Result<()> {
-    // Avoid sending unencrypted messages to all transports, chatmail relays won't accept
-    // them. Normally the user should have a non-chatmail primary transport to send unencrypted
-    // messages.
-    if encrypted {
-        for addr in context.get_published_secondary_self_addrs().await? {
-            recipients.push(addr);
+    // Previous versions of Delta Chat did not send BCC self
+    // if DeleteServerAfter was set to immediately delete messages
+    // from the server. This is not the case anymore
+    // because BCC-self messages are also used to detect
+    // that message was sent if SMTP server is slow to respond
+    // and connection is frequently lost
+    // before receiving status line. NB: This is not a problem for chatmail servers, so `BccSelf`
+    // disabled by default is fine.
+    if context.get_config_delete_server_after().await? != Some(0) || !recipients.is_empty() {
+        // Avoid sending unencrypted messages to all transports, chatmail relays won't accept
+        // them. Normally the user should have a non-chatmail primary transport to send unencrypted
+        // messages.
+        if encrypted {
+            for addr in context.get_published_secondary_self_addrs().await? {
+                recipients.push(addr);
+            }
         }
+        // `from` must be the last addr, see `receive_imf_inner()` why.
+        let from = context.get_primary_self_addr().await?;
+        recipients.push(from);
     }
-    // `from` must be the last addr
-    // because `receive_imf_inner()` marks the message as 'delivered'
-    // if it arrives to the self-server via `bcc_self`.
-    // This helps with marking messages as delivered
-    // if the server is slow and we never get an `OK` response
-    // before the connection times out.
-    let from = context.get_primary_self_addr().await?;
-    recipients.push(from);
-
     Ok(())
 }

src/webxdc.rs

@@ -21,6 +21,7 @@ mod maps_integration;
 use std::cmp::max;
 use std::collections::HashMap;
 use std::path::Path;
+use std::time::Duration;
 
 use anyhow::{Context as _, Result, anyhow, bail, ensure, format_err};
 
@@ -119,7 +120,7 @@ pub struct WebxdcInfo {
 
     /// Milliseconds to wait before calling `sendUpdate()` again since the last call.
     /// Should be exposed to `window.sendUpdateInterval` in JS land.
-    pub send_update_interval: usize,
+    pub send_update_interval_ms: usize,
 
     /// Maximum number of bytes accepted for a serialized update object.
     /// Should be exposed to `window.sendUpdateMaxSize` in JS land.
@@ -974,7 +975,16 @@ impl Message {
             self_addr,
             is_app_sender,
             is_broadcast,
-            send_update_interval: context.ratelimit.read().await.update_interval(),
+            send_update_interval_ms: context
+                .ratelimit
+                .read()
+                .await
+                .min_send_interval()
+                // Round the value up so that it's not 0 at least.
+                .checked_add(Duration::from_nanos(999_999))
+                .context("Overflow occurred")?
+                .as_millis()
+                .try_into()?,
             send_update_max_size: RECOMMENDED_FILE_SIZE as usize,
         })
     }

src/webxdc/webxdc_tests.rs

@@ -1226,7 +1226,7 @@ async fn test_get_webxdc_info() -> Result<()> {
     let info = instance.get_webxdc_info(&t).await?;
     assert_eq!(info.name, "minimal.xdc");
     assert_eq!(info.icon, WEBXDC_DEFAULT_ICON.to_string());
-    assert_eq!(info.send_update_interval, 1000);
+    assert_eq!(info.send_update_interval_ms, 1000);
     assert_eq!(info.send_update_max_size, RECOMMENDED_FILE_SIZE as usize);
 
     let mut instance = create_webxdc_instance(