feat: enable draft-pqc feature on pgp crate

This is needed to have support of v6 PQC keys
by the time users start generating profiles
using such keys.

Test key was generated with rsop/v0.10.0-16-gd98265f
(commit d98265f821e7bb181d06da1d634c5c4668d89e83)
using the command
cargo run --features draft-pqc generate-key \
          --profile draft-ietf-openpgp-pqc-14-v6-ed25519-mlkem768x25519

Cargo.lock

@@ -2608,6 +2608,25 @@ dependencies = [
  "libm",
 ]
 
+[[package]]
+name = "hybrid-array"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2d35805454dc9f8662a98d6d61886ffe26bd465f5960e0e55345c70d5c0d2a9"
+dependencies = [
+ "typenum",
+]
+
+[[package]]
+name = "hybrid-array"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "891d15931895091dea5c47afa5b3c9a01ba634b311919fd4d41388fa0e3d76af"
+dependencies = [
+ "typenum",
+ "zeroize",
+]
+
 [[package]]
 name = "hyper"
 version = "1.9.0"
@@ -3257,6 +3276,16 @@ dependencies = [
  "cpufeatures 0.2.17",
 ]
 
+[[package]]
+name = "kem"
+version = "0.3.0-pre.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b8645470337db67b01a7f966decf7d0bafedbae74147d33e641c67a91df239f"
+dependencies = [
+ "rand_core 0.6.4",
+ "zeroize",
+]
+
 [[package]]
 name = "lazy_static"
 version = "1.5.0"
@@ -3470,6 +3499,35 @@ dependencies = [
  "windows-sys 0.61.1",
 ]
 
+[[package]]
+name = "ml-dsa"
+version = "0.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac4a46643af2001eafebcc37031fc459eb72d45057aac5d7a15b00046a2ad6db"
+dependencies = [
+ "const-oid",
+ "hybrid-array 0.3.1",
+ "num-traits",
+ "pkcs8",
+ "rand_core 0.6.4",
+ "sha3",
+ "signature",
+ "zeroize",
+]
+
+[[package]]
+name = "ml-kem"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8de49b3df74c35498c0232031bb7e85f9389f913e2796169c8ab47a53993a18f"
+dependencies = [
+ "hybrid-array 0.2.3",
+ "kem",
+ "rand_core 0.6.4",
+ "sha3",
+ "zeroize",
+]
+
 [[package]]
 name = "moka"
 version = "0.12.10"
@@ -3941,15 +3999,14 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 
 [[package]]
 name = "openssl"
-version = "0.10.78"
+version = "0.10.79"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f38c4372413cdaaf3cc79dd92d29d7d9f5ab09b51b10dded508fb90bb70b9222"
+checksum = "bf0b434746ee2832f4f0baf10137e1cabb18cbe6912c69e2e33263c45250f542"
 dependencies = [
  "bitflags 2.11.0",
  "cfg-if",
  "foreign-types",
  "libc",
- "once_cell",
  "openssl-macros",
  "openssl-sys",
 ]
@@ -3982,9 +4039,9 @@ dependencies = [
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.114"
+version = "0.9.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13ce1245cd07fcc4cfdb438f7507b0c7e4f3849a69fd84d52374c66d83741bb6"
+checksum = "158fe5b292746440aa6e7a7e690e55aeb72d41505e2804c23c6973ad0e9c9781"
 dependencies = [
  "cc",
  "libc",
@@ -4206,6 +4263,8 @@ dependencies = [
  "k256",
  "log",
  "md-5",
+ "ml-dsa",
+ "ml-kem",
  "nom 8.0.0",
  "num-bigint-dig",
  "num-traits",
@@ -4224,6 +4283,7 @@ dependencies = [
  "sha2",
  "sha3",
  "signature",
+ "slh-dsa",
  "smallvec",
  "snafu",
  "twofish",
@@ -5688,6 +5748,25 @@ dependencies = [
  "autocfg",
 ]
 
+[[package]]
+name = "slh-dsa"
+version = "0.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd2f20f4049197e03db1104a6452f4d9e96665d79f880198dce4a7026ba5f267"
+dependencies = [
+ "const-oid",
+ "digest",
+ "hmac",
+ "hybrid-array 0.3.1",
+ "pkcs8",
+ "rand_core 0.6.4",
+ "sha2",
+ "sha3",
+ "signature",
+ "typenum",
+ "zerocopy",
+]
+
 [[package]]
 name = "smallvec"
 version = "1.15.1"
@@ -7426,9 +7505,9 @@ checksum = "2164e798d9e3d84ee2c91139ace54638059a3b23e361f5c11781c2c6459bde0f"
 
 [[package]]
 name = "zerocopy"
-version = "0.7.32"
+version = "0.7.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "74d4d3961e53fa4c9a25a8637fc2bfaf2595b3d3ae34875568a5cf64787716be"
+checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0"
 dependencies = [
  "byteorder",
  "zerocopy-derive",
@@ -7436,9 +7515,9 @@ dependencies = [
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.7.32"
+version = "0.7.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ce1b18ccd8e73a9321186f97e46f9f04b778851177567b1975109d26a08d2a6"
+checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e"
 dependencies = [
  "proc-macro2",
  "quote",

Cargo.toml

@@ -78,7 +78,7 @@ num-derive = "0.4"
 num-traits = { workspace = true }
 parking_lot = "0.12.4"
 percent-encoding = "2.3"
-pgp = { version = "0.19.0", default-features = false }
+pgp = { version = "0.19.0", features = ["draft-pqc"], default-features = false }
 pin-project = "1"
 qrcodegen = "1.7.0"
 quick-xml = { version = "0.39", features = ["escape-html"] }

deltachat-ffi/deltachat.h

@@ -413,6 +413,11 @@ char*           dc_get_blobdir               (const dc_context_t* context);
  *                    Messages in the "saved messages" chat (see dc_chat_is_self_talk()) are skipped.
  *                    Messages are deleted whether they were seen or not, the UI should clearly point that out.
  *                    See also dc_estimate_deletion_cnt().
+ * - `delete_server_after` = 0=do not delete messages from server automatically (default),
+ *                    1=delete messages directly after receiving from server, mvbox is skipped.
+ *                    >1=seconds, after which messages are deleted automatically from the server, mvbox is used as defined.
+ *                    "Saved messages" are deleted from the server as well as emails, the UI should clearly point that out.
+ *                    See also dc_estimate_deletion_cnt().
  * - `media_quality` = DC_MEDIA_QUALITY_BALANCED (0) =
  *                    good outgoing images/videos/voice quality at reasonable sizes (default)
  *                    DC_MEDIA_QUALITY_WORSE (1)
@@ -1456,16 +1461,16 @@ dc_chatlist_t*     dc_get_similar_chatlist   (dc_context_t* context, uint32_t ch
 
 /**
  * Estimate the number of messages that will be deleted
- * by the dc_set_config()-option `delete_device_after`.
+ * by the dc_set_config()-options `delete_device_after` or `delete_server_after`.
  * This is typically used to show the estimated impact to the user
  * before actually enabling deletion of old messages.
  *
  * @memberof dc_context_t
  * @param context The context object as returned from dc_context_new().
- * @param from_server Deprecated, pass 0 here
+ * @param from_server 1=Estimate deletion count for server, 0=Estimate deletion count for device
  * @param seconds Count messages older than the given number of seconds.
  * @return Number of messages that are older than the given number of seconds.
- *     Messages in the "Saved Messages" chat are not counted as they will not be deleted automatically.
+ *     Messages in the "saved messages" folder are not counted as they will not be deleted automatically.
  */
 int             dc_estimate_deletion_cnt    (dc_context_t* context, int from_server, int64_t seconds);
 
@@ -3998,8 +4003,6 @@ int             dc_msg_get_viewtype           (const dc_msg_t* msg);
  *   Marked as read on IMAP and MDN may be sent. Use dc_markseen_msgs() to mark messages as being seen.
  *
  * Outgoing message states:
- * - @ref DC_STATE_OUT_PREPARING - For files which need time to be prepared before they can be sent,
- *   the message enters this state before @ref DC_STATE_OUT_PENDING. Deprecated.
  * - @ref DC_STATE_OUT_DRAFT - Message saved as draft using dc_set_draft()
  * - @ref DC_STATE_OUT_PENDING - The user has pressed the "send" button but the
  *   message is not yet sent and is pending in some way. Maybe we're offline (no checkmark).
@@ -5584,13 +5587,6 @@ int64_t         dc_lot_get_timestamp     (const dc_lot_t* lot);
  */
 #define         DC_STATE_IN_SEEN             16
 
-/**
- * Outgoing message being prepared. See dc_msg_get_state() for details.
- *
- * @deprecated 2024-12-07
- */
-#define         DC_STATE_OUT_PREPARING       18
-
 /**
  * Outgoing message drafted. See dc_msg_get_state() for details.
  */

deltachat-ffi/src/lot.rs

@@ -230,7 +230,6 @@ pub enum LotState {
     MsgInFresh = 10,
     MsgInNoticed = 13,
     MsgInSeen = 16,
-    MsgOutPreparing = 18,
     MsgOutDraft = 19,
     MsgOutPending = 20,
     MsgOutFailed = 24,
@@ -246,7 +245,6 @@ impl From<MessageState> for LotState {
             InFresh => LotState::MsgInFresh,
             InNoticed => LotState::MsgInNoticed,
             InSeen => LotState::MsgInSeen,
-            OutPreparing => LotState::MsgOutPreparing,
             OutDraft => LotState::MsgOutDraft,
             OutPending => LotState::MsgOutPending,
             OutFailed => LotState::MsgOutFailed,

deltachat-jsonrpc/src/api.rs

@@ -735,19 +735,10 @@ impl CommandApi {
         Ok(msg_ids)
     }
 
-    /// Estimates the number of messages that will be deleted
-    /// by the `set_config()`-option `delete_device_after`.
-    ///
+    /// Estimate the number of messages that will be deleted
+    /// by the set_config()-options `delete_device_after` or `delete_server_after`.
     /// This is typically used to show the estimated impact to the user
     /// before actually enabling deletion of old messages.
-    ///
-    /// Messages in the "Saved Messages" chat are not counted as they will not be deleted automatically.
-    ///
-    /// Parameters:
-    /// - `from_server`: Deprecated, pass `false` here
-    /// - `seconds`: Count messages older than the given number of seconds.
-    ///
-    /// Returns the number of messages that are older than the given number of seconds.
     async fn estimate_auto_deletion_count(
         &self,
         account_id: u32,

deltachat-rpc-client/src/deltachat_rpc_client/const.py

@@ -190,7 +190,6 @@ class MessageState(IntEnum):
     IN_FRESH = 10
     IN_NOTICED = 13
     IN_SEEN = 16
-    OUT_PREPARING = 18
     OUT_DRAFT = 19
     OUT_PENDING = 20
     OUT_FAILED = 24

deltachat-rpc-client/tests/test_folders.py

@@ -14,13 +14,10 @@ def test_moved_markseen(acfactory, direct_imap, log):
     ac2.add_or_update_transport({"addr": addr, "password": password})
     ac2.bring_online()
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac1.set_config("bcc_self", "1")
-    ac2.set_config("bcc_self", "1")
-
     log.section("ac2: creating DeltaChat folder")
     ac2_direct_imap = direct_imap(ac2)
     ac2_direct_imap.create_folder("DeltaChat")
+    ac2.set_config("delete_server_after", "0")
     ac2.set_config("sync_msgs", "0")  # Do not send a sync message when accepting a contact request.
 
     ac2.add_or_update_transport({"addr": addr, "password": password, "imapFolder": "DeltaChat"})
@@ -60,9 +57,11 @@ def test_moved_markseen(acfactory, direct_imap, log):
 def test_markseen_message_and_mdn(acfactory, direct_imap):
     ac1, ac2 = acfactory.get_online_accounts(2)
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac1.set_config("bcc_self", "1")
-    ac2.set_config("bcc_self", "1")
+    for ac in ac1, ac2:
+        ac.set_config("delete_server_after", "0")
+
+    # Do not send BCC to self, we only want to test MDN on ac1.
+    ac1.set_config("bcc_self", "0")
 
     acfactory.get_accepted_chat(ac1, ac2).send_text("hi")
     msg = ac2.wait_for_incoming_msg()
@@ -82,18 +81,17 @@ def test_markseen_message_and_mdn(acfactory, direct_imap):
     ac1_direct_imap.select_folder("INBOX")
     ac2_direct_imap.select_folder("INBOX")
 
-    # Check that the mdn and original message is marked as seen
-    assert len(list(ac1_direct_imap.conn.fetch(AND(seen=True), mark_seen=False))) == 2
-    assert len(list(ac2_direct_imap.conn.fetch(AND(seen=True), mark_seen=False))) == 2
+    # Check that the mdn is marked as seen
+    assert len(list(ac1_direct_imap.conn.fetch(AND(seen=True), mark_seen=False))) == 1
+    # Check original message is marked as seen
+    assert len(list(ac2_direct_imap.conn.fetch(AND(seen=True), mark_seen=False))) == 1
 
 
 def test_trash_multiple_messages(acfactory, direct_imap, log):
     ac1, ac2 = acfactory.get_online_accounts(2)
     ac2.stop_io()
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac2.set_config("bcc_self", "1")
-
+    ac2.set_config("delete_server_after", "0")
     ac2.set_config("sync_msgs", "0")
 
     ac2.start_io()

deltachat-rpc-client/tests/test_multidevice.py

@@ -4,29 +4,39 @@ from deltachat_rpc_client import EventType
 from deltachat_rpc_client.const import MessageState
 
 
-def test_bcc_self_is_enabled_when_setting_up_second_device(acfactory):
+def test_bcc_self_delete_server_after_defaults(acfactory):
+    """Test default values for bcc_self and delete_server_after."""
     ac = acfactory.get_online_account()
 
     # Initially after getting online
     # the setting bcc_self is set to 0 because there is only one device
+    # and delete_server_after is "1", meaning immediate deletion.
     assert ac.get_config("bcc_self") == "0"
+    assert ac.get_config("delete_server_after") == "1"
 
     # Setup a second device.
     ac_clone = ac.clone()
     ac_clone.bring_online()
 
-    # Second device setup enables bcc_self.
+    # Second device setup
+    # enables bcc_self and changes default delete_server_after.
     assert ac.get_config("bcc_self") == "1"
-    assert ac_clone.get_config("bcc_self") == "1"
+    assert ac.get_config("delete_server_after") == "0"
 
-    # Test manually disabling bcc_self
+    assert ac_clone.get_config("bcc_self") == "1"
+    assert ac_clone.get_config("delete_server_after") == "0"
+
+    # Manually disabling bcc_self
+    # also restores the default for delete_server_after.
     ac.set_config("bcc_self", "0")
     assert ac.get_config("bcc_self") == "0"
+    assert ac.get_config("delete_server_after") == "1"
 
-    # Cloning the account again enables bcc_self again
+    # Cloning the account again enables bcc_self
     # even though it was manually disabled.
     ac_clone = ac.clone()
     assert ac.get_config("bcc_self") == "1"
+    assert ac.get_config("delete_server_after") == "0"
 
 
 def test_one_account_send_bcc_setting(acfactory, log, direct_imap):

deltachat-rpc-client/tests/test_something.py

@@ -1232,12 +1232,11 @@ def test_leave_and_delete_group(acfactory, log):
 
 
 def test_immediate_autodelete(acfactory, direct_imap, log):
-    """
-    `bcc_self` is off by default,
-    so that messages are supposed to be immediately autodeleted
-    """
     ac1, ac2 = acfactory.get_online_accounts(2)
 
+    # "1" means delete immediately, while "0" means do not delete
+    ac2.set_config("delete_server_after", "1")
+
     log.section("ac1: create chat with ac2")
     chat1 = ac1.create_chat(ac2)
     ac2.create_chat(ac1)

deny.toml

@@ -43,7 +43,12 @@ ignore = [
     # hickory-proto 0.25.2 quadratic complexity issue.
     # Dependency of iroh 0.35.0, cannot be updated as of 2026-05-02.
     # <https://rustsec.org/advisories/RUSTSEC-2026-0119>
-    "RUSTSEC-2026-0119"
+    "RUSTSEC-2026-0119",
+
+    # Timing side channel in ml-dsa dependency of rPGP.
+    # We enable PQC for encryption rather than signatures.
+    # <https://rustsec.org/advisories/RUSTSEC-2025-0144>
+    "RUSTSEC-2025-0144",
 ]
 
 [bans]
@@ -62,6 +67,7 @@ skip = [
      { name = "getrandom", version = "0.2.12" },
      { name = "heck", version = "0.4.1" },
      { name = "http", version = "0.2.12" },
+     { name = "hybrid-array", version = "0.2.3" },
      { name = "linux-raw-sys", version = "0.4.14" },
      { name = "lru", version = "0.12.5" },
      { name = "netlink-packet-route", version = "0.17.1" },

python/src/deltachat/chat.py

@@ -271,15 +271,6 @@ class Chat:
            sent out.  This is the same object as was passed in, which
            has been modified with the new state of the core.
         """
-        if msg.is_out_preparing():
-            assert msg.id != 0
-            # get a fresh copy of dc_msg, the core needs it
-            maybe_msg = Message.from_db(self.account, msg.id)
-            if maybe_msg is not None:
-                msg = maybe_msg
-            else:
-                raise ValueError("message does not exist")
-
         sent_id = lib.dc_send_msg(self.account._dc_context, self.id, msg._dc_msg)
         if sent_id == 0:
             raise ValueError("message could not be sent")
@@ -333,26 +324,6 @@ class Chat:
             raise ValueError("message could not be sent")
         return Message.from_db(self.account, sent_id)
 
-    def send_prepared(self, message):
-        """send a previously prepared message.
-
-        :param message: a :class:`Message` instance previously returned by
-                        :meth:`prepare_file`.
-        :raises ValueError: if message can not be sent.
-        :returns: a :class:`deltachat.message.Message` instance as sent out.
-        """
-        assert message.id != 0 and message.is_out_preparing()
-        # get a fresh copy of dc_msg, the core needs it
-        msg = Message.from_db(self.account, message.id)
-
-        # pass 0 as chat-id because core-docs say it's ok when out-preparing
-        sent_id = lib.dc_send_msg(self.account._dc_context, 0, msg._dc_msg)
-        if sent_id == 0:
-            raise ValueError("message could not be sent")
-        assert sent_id == msg.id
-        # modify message in place to avoid bad state for the caller
-        msg._dc_msg = Message.from_db(self.account, sent_id)._dc_msg
-
     def set_draft(self, message):
         """set message as draft.
 

python/src/deltachat/message.py

@@ -351,17 +351,12 @@ class Message:
     def is_outgoing(self):
         """Return True if Message is outgoing."""
         return lib.dc_msg_get_state(self._dc_msg) in (
-            const.DC_STATE_OUT_PREPARING,
             const.DC_STATE_OUT_PENDING,
             const.DC_STATE_OUT_FAILED,
             const.DC_STATE_OUT_MDN_RCVD,
             const.DC_STATE_OUT_DELIVERED,
         )
 
-    def is_out_preparing(self):
-        """Return True if Message is outgoing, but its file is being prepared."""
-        return self._msgstate == const.DC_STATE_OUT_PREPARING
-
     def is_out_pending(self):
         """Return True if Message is outgoing, but is pending (no single checkmark)."""
         return self._msgstate == const.DC_STATE_OUT_PENDING

python/src/deltachat/testplugin.py

@@ -521,6 +521,7 @@ class ACFactory:
         assert "addr" in configdict and "mail_pw" in configdict, configdict
         configdict.setdefault("bcc_self", False)
         configdict.setdefault("sync_msgs", False)
+        configdict.setdefault("delete_server_after", 0)
         ac.update_config(configdict)
         self._acsetup._account2config[ac] = configdict
         self._preconfigure_key(ac)

python/tests/test_0_complex_or_slow.py

@@ -298,6 +298,73 @@ def test_use_new_verified_group_after_going_online(acfactory, data, tmp_path, lp
     assert msg_in.text == msg_out.text
 
 
+def test_verified_group_vs_delete_server_after(acfactory, tmp_path, lp):
+    """Test for the issue #4346:
+    - User is added to a verified group.
+    - First device of the user downloads "member added" from the group.
+    - First device removes "member added" from the server.
+    - Some new messages are sent to the group.
+    - Second device comes online, receives these new messages.
+      The result is an unverified group with unverified members.
+    - First device re-gossips Autocrypt keys to the group.
+    - Now the second device has all members and group verified.
+    """
+    ac1, ac2 = acfactory.get_online_accounts(2)
+    acfactory.remove_preconfigured_keys()
+    ac2_offl = acfactory.new_online_configuring_account(cloned_from=ac2)
+    for ac in [ac2, ac2_offl]:
+        ac.set_config("bcc_self", "1")
+    ac2.set_config("delete_server_after", "1")
+    ac2.set_config("gossip_period", "0")  # Re-gossip in every message
+    acfactory.bring_accounts_online()
+    dir = tmp_path / "exportdir"
+    dir.mkdir()
+    ac2.export_self_keys(str(dir))
+    ac2_offl.import_self_keys(str(dir))
+    ac2_offl.stop_io()
+
+    lp.sec("ac1: create verified-group QR, ac2 scans and joins")
+    chat1 = ac1.create_group_chat("hello")
+    qr = chat1.get_join_qr()
+    lp.sec("ac2: start QR-code based join-group protocol")
+    chat2 = ac2.qr_join_chat(qr)
+    ac1._evtracker.wait_securejoin_inviter_progress(1000)
+    # Wait for "Member Me (<addr>) added by <addr>." message.
+    msg_in = ac2._evtracker.wait_next_incoming_message()
+    assert msg_in.is_system_message()
+
+    lp.sec("ac2: waiting for 'member added' to be deleted on the server")
+    ac2._evtracker.get_matching("DC_EVENT_IMAP_MESSAGE_DELETED")
+
+    lp.sec("ac1: sending 'hi' to the group")
+    ac2.set_config("delete_server_after", "0")
+    chat1.send_text("hi")
+
+    lp.sec("ac2_offl: going online, checking the 'hi' message")
+    ac2_offl.start_io()
+    msg_in = ac2_offl._evtracker.wait_next_incoming_message()
+    assert not msg_in.is_system_message()
+    assert msg_in.text == "hi"
+    ac2_offl_ac1_contact = msg_in.get_sender_contact()
+    assert ac2_offl_ac1_contact.addr == ac1.get_config("addr")
+    assert not ac2_offl_ac1_contact.is_verified()
+    chat2_offl = msg_in.chat
+
+    lp.sec("ac2: sending message re-gossiping Autocrypt keys")
+    chat2.send_text("hi2")
+
+    lp.sec("ac2_offl: receiving message")
+    ev = ac2_offl._evtracker.get_matching("DC_EVENT_INCOMING_MSG|DC_EVENT_MSGS_CHANGED")
+    msg_in = ac2_offl.get_message_by_id(ev.data2)
+    assert not msg_in.is_system_message()
+    assert msg_in.text == "hi2"
+    assert msg_in.chat == chat2_offl
+    assert msg_in.get_sender_contact().addr == ac2.get_config("addr")
+    # Until we reset verifications and then send the _verified header,
+    # verification is not gossiped here:
+    assert not ac2_offl_ac1_contact.is_verified()
+
+
 def test_deleted_msgs_dont_reappear(acfactory):
     ac1 = acfactory.new_online_configuring_account()
     acfactory.bring_accounts_online()

python/tests/test_1_online.py

@@ -15,9 +15,6 @@ def test_basic_imap_api(acfactory, tmp_path):
     ac1, ac2 = acfactory.get_online_accounts(2)
     chat12 = acfactory.get_accepted_chat(ac1, ac2)
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac2.set_config("bcc_self", "1")
-
     imap2 = ac2.direct_imap
 
     with imap2.idle() as idle2:
@@ -165,9 +162,6 @@ def test_webxdc_message(acfactory, data, lp):
     ac1, ac2 = acfactory.get_online_accounts(2)
     chat = acfactory.get_accepted_chat(ac1, ac2)
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac2.set_config("bcc_self", "1")
-
     lp.sec("ac1: prepare and send text message to ac2")
     msg1 = chat.send_text("message0")
     assert not msg1.is_webxdc()
@@ -368,10 +362,6 @@ def test_send_and_receive_message_markseen(acfactory, lp):
     # make DC's life harder wrt to encodings
     ac1.set_config("displayname", "ä name")
 
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac1.set_config("bcc_self", "1")
-    ac2.set_config("bcc_self", "1")
-
     # clear any fresh device messages
     ac1.get_device_chat().mark_noticed()
     ac2.get_device_chat().mark_noticed()
@@ -516,15 +506,9 @@ def test_mdn_asymmetric(acfactory, lp):
     ac1.set_config("mdns_enabled", "1")
     ac2.set_config("mdns_enabled", "1")
 
-    # Make sure that the mdn is not immediately auto-deleted on the server:
-    ac1.set_config("bcc_self", "1")
-
     lp.sec("sending text message from ac1 to ac2")
     msg_out = chat.send_text("message1")
 
-    # Wait for the message to be marked as seen on IMAP.
-    ac1._evtracker.get_info_contains("Marked messages [0-9]+ in folder INBOX as seen.")
-
     assert len(chat.get_messages()) == 1 + E2EE_INFO_MSGS
 
     lp.sec("disable ac1 MDNs")
@@ -541,7 +525,7 @@ def test_mdn_asymmetric(acfactory, lp):
     lp.sec("ac1: waiting for incoming activity")
     assert len(chat.get_messages()) == 1 + E2EE_INFO_MSGS
 
-    # Wait for the mdn to be marked as seen on IMAP.
+    # Wait for the message to be marked as seen on IMAP.
     ac1._evtracker.get_info_contains("Marked messages [0-9]+ in folder INBOX as seen.")
 
     # MDN is received even though MDNs are already disabled
@@ -1089,8 +1073,6 @@ def test_send_receive_locations(acfactory, lp):
 
 def test_delete_multiple_messages(acfactory, lp):
     ac1, ac2 = acfactory.get_online_accounts(2)
-    # Make sure that messages are not immediately auto-deleted on the server:
-    ac2.set_config("bcc_self", "1")
     chat12 = acfactory.get_accepted_chat(ac1, ac2)
 
     lp.sec("ac1: sending seven messages")

scripts/update-provider-database.sh

@@ -6,7 +6,7 @@ set -euo pipefail
 export TZ=UTC
 
 # Provider database revision.
-REV=2cba4b72f4c6e6417b83ba549aff7781be5f166c
+REV=ad097ee40579c884e7757de2d3bb0a51f481a32a
 
 CORE_ROOT="$PWD"
 TMP="$(mktemp -d)"

src/chat.rs

@@ -2613,7 +2613,7 @@ pub async fn send_msg(context: &Context, chat_id: ChatId, msg: &mut Message) ->
         "chat_id cannot be a special chat: {chat_id}"
     );
 
-    if msg.state != MessageState::Undefined && msg.state != MessageState::OutPreparing {
+    if msg.state != MessageState::Undefined {
         msg.param.remove(Param::GuaranteeE2ee);
         msg.param.remove(Param::ForcePlaintext);
         // create_send_msg_jobs() will update `param` in the db.
@@ -2721,10 +2721,7 @@ async fn prepare_send_msg(
         None
     };
 
-    if matches!(
-        msg.state,
-        MessageState::Undefined | MessageState::OutPreparing
-    )
+    if msg.state == MessageState::Undefined
         // Legacy SecureJoin "v*-request" messages are unencrypted.
         && msg.param.get_cmd() != SystemMessage::SecurejoinMessage
         && chat.is_encrypted(context).await?
@@ -2937,8 +2934,8 @@ pub(crate) async fn create_send_msg_jobs(context: &Context, msg: &mut Message) -
 UPDATE msgs SET
     timestamp=(
         SELECT MAX(timestamp) FROM msgs INDEXED BY msgs_index7 WHERE
-            -- From `InFresh` to `OutMdnRcvd` inclusive except `OutDraft`.
-            state IN(10,13,16,18,20,24,26,28) AND
+            -- From `InFresh` to `OutDelivered` inclusive, except `OutDraft`.
+            state IN(10,13,16,18,20,24,26) AND
             hidden IN(0,1) AND
             chat_id=? AND
             id<=?
@@ -4539,6 +4536,7 @@ pub async fn forward_msgs_2ctx(
 
         msg.state = MessageState::OutPending;
         msg.rfc724_mid = create_outgoing_rfc724_mid();
+        msg.pre_rfc724_mid.clear();
         msg.timestamp_sort = curr_timestamp;
         chat.prepare_msg_raw(ctx_dst, &mut msg, None).await?;
 

src/config.rs

@@ -194,6 +194,17 @@ pub enum Config {
     #[strum(props(default = "0"))] // also change MediaQuality.default() on changes
     MediaQuality,
 
+    /// Timer in seconds after which the message is deleted from the
+    /// server.
+    ///
+    /// 0 means messages are never deleted by Delta Chat.
+    ///
+    /// Value 1 is treated as "delete at once": messages are deleted
+    /// immediately, without moving to DeltaChat folder.
+    ///
+    /// Default is 1 for chatmail accounts without `BccSelf`, 0 otherwise.
+    DeleteServerAfter,
+
     /// Timer in seconds after which the message is deleted from the
     /// device.
     ///
@@ -543,6 +554,14 @@ impl Context {
         // Default values
         let val = match key {
             Config::ConfiguredInboxFolder => Some("INBOX".to_string()),
+            Config::DeleteServerAfter => {
+                match !Box::pin(self.get_config_bool(Config::BccSelf)).await?
+                    && Box::pin(self.is_chatmail()).await?
+                {
+                    true => Some("1".to_string()),
+                    false => Some("0".to_string()),
+                }
+            }
             Config::Addr => self.get_config_opt(Config::ConfiguredAddr).await?,
             _ => key.get_str("default").map(|s| s.to_string()),
         };
@@ -623,6 +642,23 @@ impl Context {
         self.get_config_bool(Config::MdnsEnabled).await
     }
 
+    /// Gets configured "delete_server_after" value.
+    ///
+    /// `None` means never delete the message, `Some(0)` means delete
+    /// at once, `Some(x)` means delete after `x` seconds.
+    pub async fn get_config_delete_server_after(&self) -> Result<Option<i64>> {
+        let val = match self
+            .get_config_parsed::<i64>(Config::DeleteServerAfter)
+            .await?
+            .unwrap_or(0)
+        {
+            0 => None,
+            1 => Some(0),
+            x => Some(x),
+        };
+        Ok(val)
+    }
+
     /// Gets the configured provider.
     ///
     /// The provider is determined by the current primary transport.

src/config/config_tests.rs

@@ -142,6 +142,28 @@ async fn test_mdns_default_behaviour() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_delete_server_after_default() -> Result<()> {
+    let t = &TestContext::new_alice().await;
+
+    // Check that the settings are displayed correctly.
+    assert_eq!(t.get_config(Config::BccSelf).await?, Some("1".to_string()));
+    assert_eq!(
+        t.get_config(Config::DeleteServerAfter).await?,
+        Some("0".to_string())
+    );
+
+    // Leaving emails on the server even w/o `BccSelf` is a good default at least because other
+    // MUAs do so even if the server doesn't save sent messages to some sentbox (like Gmail
+    // does).
+    t.set_config_bool(Config::BccSelf, false).await?;
+    assert_eq!(
+        t.get_config(Config::DeleteServerAfter).await?,
+        Some("0".to_string())
+    );
+    Ok(())
+}
+
 const SAVED_MESSAGES_DEDUPLICATED_FILE: &str = "969142cb84015bc135767bc2370934a.png";
 
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]

src/context.rs

@@ -973,6 +973,12 @@ impl Context {
                 .await?
                 .to_string(),
         );
+        res.insert(
+            "delete_server_after",
+            self.get_config_int(Config::DeleteServerAfter)
+                .await?
+                .to_string(),
+        );
         res.insert(
             "last_housekeeping",
             self.get_config_int(Config::LastHousekeeping)

src/download.rs

@@ -15,6 +15,12 @@ use crate::{EventType, chatlist_events};
 pub(crate) mod post_msg_metadata;
 pub(crate) use post_msg_metadata::PostMsgMetadata;
 
+/// If a message is downloaded only partially
+/// and `delete_server_after` is set to small timeouts (eg. "at once"),
+/// the user might have no chance to actually download that message.
+/// `MIN_DELETE_SERVER_AFTER` increases the timeout in this case.
+pub(crate) const MIN_DELETE_SERVER_AFTER: i64 = 48 * 60 * 60;
+
 /// From this point onward outgoing messages are considered large
 /// and get a Pre-Message, which announces the Post-Message.
 /// This is only about sending so we can modify it any time.

src/ephemeral.rs

@@ -23,15 +23,16 @@
 //! ## Device settings
 //!
 //! In addition to per-chat ephemeral message setting, each device has
-//! a global user-configured setting that complements per-chat
-//! settings, `delete_device_after`.
-//! This setting is not synchronized among devices and applies to all
+//! two global user-configured settings that complement per-chat
+//! settings: `delete_device_after` and `delete_server_after`. These
+//! settings are not synchronized among devices and apply to all
 //! messages known to the device, including messages sent or received
 //! before configuring the setting.
 //!
 //! `delete_device_after` configures the maximum time device is
-//! storing the messages locally,
-//! but does not delete messages from the server.
+//! storing the messages locally. `delete_server_after` configures the
+//! time after which device will delete the messages it knows about
+//! from the server.
 //!
 //! ## How messages are deleted
 //!
@@ -59,8 +60,9 @@
 //!
 //! Server deletion happens by updating the `imap` table based on
 //! the database entries which are expired either according to their
-//! ephemeral message timers.
+//! ephemeral message timers or global `delete_server_after` setting.
 
+use std::cmp::max;
 use std::collections::BTreeSet;
 use std::fmt;
 use std::num::ParseIntError;
@@ -76,6 +78,7 @@ use crate::chat::{ChatId, ChatIdBlocked, send_msg};
 use crate::constants::{DC_CHAT_ID_LAST_SPECIAL, DC_CHAT_ID_TRASH};
 use crate::contact::ContactId;
 use crate::context::Context;
+use crate::download::MIN_DELETE_SERVER_AFTER;
 use crate::events::EventType;
 use crate::log::{LogExt, warn};
 use crate::message::{Message, MessageState, MsgId, Viewtype};
@@ -648,8 +651,23 @@ pub(crate) async fn ephemeral_loop(context: &Context, interrupt_receiver: Receiv
 }
 
 /// Schedules expired IMAP messages for deletion.
+#[expect(clippy::arithmetic_side_effects)]
 pub(crate) async fn delete_expired_imap_messages(context: &Context) -> Result<()> {
     let now = time();
+
+    let (threshold_timestamp, threshold_timestamp_extended) =
+        match context.get_config_delete_server_after().await? {
+            None => (0, 0),
+            Some(delete_server_after) => (
+                match delete_server_after {
+                    // Guarantee immediate deletion.
+                    0 => i64::MAX,
+                    _ => now - delete_server_after,
+                },
+                now - max(delete_server_after, MIN_DELETE_SERVER_AFTER),
+            ),
+        };
+
     context
         .sql
         .execute(
@@ -657,9 +675,11 @@ pub(crate) async fn delete_expired_imap_messages(context: &Context) -> Result<()
              SET target=''
              WHERE rfc724_mid IN (
                SELECT rfc724_mid FROM msgs
-               WHERE ephemeral_timestamp != 0 AND ephemeral_timestamp <= ?
+               WHERE ((download_state = 0 AND timestamp < ?) OR
+                      (download_state != 0 AND timestamp < ?) OR
+                      (ephemeral_timestamp != 0 AND ephemeral_timestamp <= ?))
              )",
-            (now,),
+            (threshold_timestamp, threshold_timestamp_extended, now),
         )
         .await?;
 

src/ephemeral/ephemeral_tests.rs

@@ -455,6 +455,7 @@ async fn test_delete_expired_imap_messages() -> Result<()> {
     let uidvalidity = 12345;
     for (id, timestamp, ephemeral_timestamp) in &[
         (900, now - 2 * HOUR, 0),
+        (1000, now - 23 * HOUR - MIN_DELETE_SERVER_AFTER, 0),
         (1010, now - 23 * HOUR, 0),
         (1020, now - 21 * HOUR, 0),
         (1030, now - 19 * HOUR, 0),
@@ -511,6 +512,29 @@ async fn test_delete_expired_imap_messages() -> Result<()> {
         0
     );
 
+    t.set_config(Config::DeleteServerAfter, Some(&*(25 * HOUR).to_string()))
+        .await?;
+    delete_expired_imap_messages(&t).await?;
+    test_marked_for_deletion(&t, 1000).await?;
+
+    MsgId::new(1000)
+        .update_download_state(&t, DownloadState::Available)
+        .await?;
+    t.sql
+        .execute("UPDATE imap SET target=folder WHERE rfc724_mid='1000'", ())
+        .await?;
+    delete_expired_imap_messages(&t).await?;
+    test_marked_for_deletion(&t, 1000).await?; // Delete downloadable anyway.
+    remove_uid(&t, 1000).await?;
+
+    t.set_config(Config::DeleteServerAfter, Some(&*(22 * HOUR).to_string()))
+        .await?;
+    delete_expired_imap_messages(&t).await?;
+    test_marked_for_deletion(&t, 1010).await?;
+    t.sql
+        .execute("UPDATE imap SET target=folder WHERE rfc724_mid='1010'", ())
+        .await?;
+
     MsgId::new(1010)
         .update_download_state(&t, DownloadState::Available)
         .await?;
@@ -523,6 +547,10 @@ async fn test_delete_expired_imap_messages() -> Result<()> {
         0
     );
 
+    t.set_config(Config::DeleteServerAfter, Some("1")).await?;
+    delete_expired_imap_messages(&t).await?;
+    test_marked_for_deletion(&t, 3000).await?;
+
     Ok(())
 }
 

src/imap.rs

@@ -1284,7 +1284,6 @@ impl Session {
         if request_uids.is_empty() {
             return Ok(());
         }
-        let is_chatmail = self.is_chatmail();
 
         for (request_uids, set) in build_sequence_sets(&request_uids)? {
             info!(context, "Starting UID FETCH of message set \"{}\".", set);
@@ -1382,20 +1381,6 @@ impl Session {
                     "Passing message UID {} to receive_imf().", request_uid
                 );
                 let res = receive_imf_inner(context, rfc724_mid, body, is_seen).await;
-
-                // If the message is not needed anymore on the server, mark it for deletion:
-                if !context.get_config_bool(Config::BccSelf).await? && is_chatmail {
-                    context
-                        .sql
-                        .execute(
-                            "UPDATE imap SET target='' WHERE rfc724_mid=?",
-                            (rfc724_mid,),
-                        )
-                        .await?;
-                    context.scheduler.interrupt_inbox().await;
-                }
-
-                // If there was an error receiving the message, show a device message:
                 let received_msg = match res {
                     Err(err) => {
                         warn!(context, "receive_imf error: {err:#}.");

src/imex.rs

@@ -980,15 +980,20 @@ mod tests {
 
         // Check that the settings are displayed correctly.
         assert_eq!(
-            context1.get_config(Config::BccSelf).await?,
+            context1.get_config(Config::DeleteServerAfter).await?,
             Some("0".to_string())
         );
         context1.set_config_bool(Config::IsChatmail, true).await?;
+        assert_eq!(
+            context1.get_config(Config::BccSelf).await?,
+            Some("0".to_string())
+        );
+        assert_eq!(
+            context1.get_config(Config::DeleteServerAfter).await?,
+            Some("1".to_string())
+        );
 
-        assert_eq!(context1.get_config_bool(Config::IsMuted).await?, false);
-        context1.set_config_bool(Config::IsMuted, true).await?;
-        assert_eq!(context1.get_config_bool(Config::IsMuted).await?, true);
-
+        assert_eq!(context1.get_config_delete_server_after().await?, Some(0));
         imex(context1, ImexMode::ExportBackup, backup_dir.path(), None).await?;
         let _event = context1
             .evtracker
@@ -1005,9 +1010,15 @@ mod tests {
         assert!(context2.is_configured().await?);
         assert!(context2.is_chatmail().await?);
         for ctx in [context1, context2] {
-            // BccSelf should be enabled automatically when exporting a backup
-            assert_eq!(ctx.get_config_bool(Config::BccSelf).await?, true);
-            assert_eq!(ctx.get_config_bool(Config::IsMuted).await?, true);
+            assert_eq!(
+                ctx.get_config(Config::BccSelf).await?,
+                Some("1".to_string())
+            );
+            assert_eq!(
+                ctx.get_config(Config::DeleteServerAfter).await?,
+                Some("0".to_string())
+            );
+            assert_eq!(ctx.get_config_delete_server_after().await?, None);
         }
         Ok(())
     }

src/key.rs

@@ -570,9 +570,11 @@ pub async fn preconfigure_keypair(context: &Context, secret_data: &str) -> Resul
 pub struct Fingerprint(Vec<u8>);
 
 impl Fingerprint {
-    /// Creates new 160-bit (20 bytes) fingerprint.
+    /// Creates new fingerprint.
+    ///
+    /// It is 160-bit (20 bytes) for v4 keys and 32 bytes for v6 keys.
     pub fn new(v: Vec<u8>) -> Fingerprint {
-        debug_assert_eq!(v.len(), 20);
+        debug_assert!(v.len() == 20 || v.len() == 32);
         Fingerprint(v)
     }
 

src/message.rs

@@ -1381,13 +1381,8 @@ pub enum MessageState {
     /// IMAP and MDN may be sent.
     InSeen = 16,
 
-    /// For files which need time to be prepared before they can be
-    /// sent, the message enters this state before
-    /// OutPending.
-    ///
-    /// Deprecated 2024-12-07.
-    OutPreparing = 18,
-
+    // Deprecated 2024-12-07. Removed 2026-04.
+    // OutPreparing = 18,
     /// Message saved as draft.
     OutDraft = 19,
 
@@ -1420,7 +1415,6 @@ impl std::fmt::Display for MessageState {
                 Self::InFresh => "Fresh",
                 Self::InNoticed => "Noticed",
                 Self::InSeen => "Seen",
-                Self::OutPreparing => "Preparing",
                 Self::OutDraft => "Draft",
                 Self::OutPending => "Pending",
                 Self::OutFailed => "Failed",
@@ -1437,7 +1431,7 @@ impl MessageState {
         use MessageState::*;
         matches!(
             self,
-            OutPreparing | OutPending | OutDelivered | OutMdnRcvd // OutMdnRcvd can still fail because it could be a group message and only some recipients failed.
+            OutPending | OutDelivered | OutMdnRcvd // OutMdnRcvd can still fail because it could be a group message and only some recipients failed.
         )
     }
 
@@ -1446,7 +1440,7 @@ impl MessageState {
         use MessageState::*;
         matches!(
             self,
-            OutPreparing | OutDraft | OutPending | OutFailed | OutDelivered | OutMdnRcvd
+            OutDraft | OutPending | OutFailed | OutDelivered | OutMdnRcvd
         )
     }
 
@@ -2105,52 +2099,63 @@ pub async fn get_request_msg_cnt(context: &Context) -> usize {
 }
 
 /// Estimates the number of messages that will be deleted
-/// by the `set_config()`-option `delete_device_after`.
+/// by the options `delete_device_after` or `delete_server_after`.
 ///
 /// This is typically used to show the estimated impact to the user
 /// before actually enabling deletion of old messages.
 ///
-/// Messages in the "Saved Messages" chat are not counted as they will not be deleted automatically.
+/// If `from_server` is true,
+/// estimate deletion count for server,
+/// otherwise estimate deletion count for device.
 ///
-/// Parameters:
-/// - `from_server`: Deprecated, pass `false` here
-/// - `seconds`: Count messages older than the given number of seconds.
+/// Count messages older than the given number of `seconds`.
 ///
 /// Returns the number of messages that are older than the given number of seconds.
+/// Messages in the "saved messages" folder are not counted as they will not be deleted automatically.
 #[expect(clippy::arithmetic_side_effects)]
 pub async fn estimate_deletion_cnt(
     context: &Context,
     from_server: bool,
     seconds: i64,
 ) -> Result<usize> {
-    ensure!(
-        !from_server,
-        "The `delete_server_after` config option was removed. You need to pass `false` for `from_server`."
-    );
-
     let self_chat_id = ChatIdBlocked::lookup_by_contact(context, ContactId::SELF)
         .await?
         .map(|c| c.id)
         .unwrap_or_default();
     let threshold_timestamp = time() - seconds;
 
-    let cnt = context
-        .sql
-        .count(
-            "SELECT COUNT(*)
+    let cnt = if from_server {
+        context
+            .sql
+            .count(
+                "SELECT COUNT(*)
+             FROM msgs m
+             WHERE m.id > ?
+               AND timestamp < ?
+               AND chat_id != ?
+               AND EXISTS (SELECT * FROM imap WHERE rfc724_mid=m.rfc724_mid);",
+                (DC_MSG_ID_LAST_SPECIAL, threshold_timestamp, self_chat_id),
+            )
+            .await?
+    } else {
+        context
+            .sql
+            .count(
+                "SELECT COUNT(*)
              FROM msgs m
              WHERE m.id > ?
                AND timestamp < ?
                AND chat_id != ?
                AND chat_id != ? AND hidden = 0;",
-            (
-                DC_MSG_ID_LAST_SPECIAL,
-                threshold_timestamp,
-                self_chat_id,
-                DC_CHAT_ID_TRASH,
-            ),
-        )
-        .await?;
+                (
+                    DC_MSG_ID_LAST_SPECIAL,
+                    threshold_timestamp,
+                    self_chat_id,
+                    DC_CHAT_ID_TRASH,
+                ),
+            )
+            .await?
+    };
     Ok(cnt)
 }
 

src/mimeparser.rs

@@ -356,7 +356,7 @@ impl MimeMessage {
         let decrypted_msg; // Decrypted signed OpenPGP message.
         let expected_sender_fingerprint: Option<String>;
 
-        let (mail, is_encrypted) = match decrypt::decrypt(context, &mail).await {
+        let (mail, is_encrypted) = match Box::pin(decrypt::decrypt(context, &mail)).await {
             Ok(Some((mut msg, expected_sender_fp))) => {
                 mail_raw = msg.as_data_vec().unwrap_or_default();
 

src/pgp.rs

@@ -847,4 +847,21 @@ mod tests {
         assert!(merge_openpgp_certificates(alice.clone(), bob.clone()).is_err());
         assert!(merge_openpgp_certificates(bob.clone(), alice.clone()).is_err());
     }
+
+    /// Test PQC support.
+    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+    async fn test_pqc() -> Result<()> {
+        let mut tcm = TestContextManager::new();
+        let alice = &tcm.alice().await;
+        let pqc = &tcm.pqc().await;
+
+        let pqc_received_message = tcm.send_recv_accept(alice, pqc, "Hi!").await;
+        let pqc_chat_id = pqc_received_message.chat_id;
+        let pqc_sent = pqc.send_text(pqc_chat_id, "Hello back!").await;
+
+        let alice_rcvd = alice.recv_msg(&pqc_sent).await;
+        assert_eq!(alice_rcvd.text, "Hello back!");
+
+        Ok(())
+    }
 }

src/provider/data.rs

@@ -890,10 +890,16 @@ static P_NAUTA_CU: Provider = Provider {
         strict_tls: false,
         ..ProviderOptions::new()
     },
-    config_defaults: Some(&[ConfigDefault {
-        key: Config::MediaQuality,
-        value: "1",
-    }]),
+    config_defaults: Some(&[
+        ConfigDefault {
+            key: Config::DeleteServerAfter,
+            value: "1",
+        },
+        ConfigDefault {
+            key: Config::MediaQuality,
+            value: "1",
+        },
+    ]),
     oauth2_authorizer: None,
 };
 
@@ -2376,4 +2382,4 @@ pub(crate) static PROVIDER_IDS: LazyLock<HashMap<&'static str, &'static Provider
     });
 
 pub static _PROVIDER_UPDATED: LazyLock<chrono::NaiveDate> =
-    LazyLock::new(|| chrono::NaiveDate::from_ymd_opt(2026, 5, 6).unwrap());
+    LazyLock::new(|| chrono::NaiveDate::from_ymd_opt(2026, 4, 21).unwrap());

src/quota.rs

@@ -66,12 +66,6 @@ impl Context {
 
     /// Updates `quota.recent`, sets `quota.modified` to the current time
     /// and emits an event to let the UIs update connectivity view.
-    ///
-    /// Moreover, once each time quota gets larger than `QUOTA_WARN_THRESHOLD_PERCENTAGE`,
-    /// a device message is added.
-    /// As the message is added only once, the user is not spammed
-    /// in case for some providers the quota is always at ~100%
-    /// and new space is allocated as needed.
     pub(crate) async fn update_recent_quota(
         &self,
         session: &mut ImapSession,

src/receive_imf.rs

@@ -806,8 +806,6 @@ UPDATE config SET value=? WHERE keyname='configured_addr' AND value!=?1
                 if transport_changed {
                     info!(context, "Primary transport changed to {from_addr:?}.");
                     context.sql.uncache_raw_config("configured_addr").await;
-
-                    // Regenerate User ID in V4 keys.
                     context.self_public_key.lock().await.take();
 
                     context.emit_event(EventType::TransportsModified);
@@ -904,8 +902,10 @@ UPDATE config SET value=? WHERE keyname='configured_addr' AND value!=?1
     }
 
     // Get user-configured server deletion
+    let delete_server_after = context.get_config_delete_server_after().await?;
+
     if !received_msg.msg_ids.is_empty() {
-        let target = if received_msg.needs_delete_job {
+        let target = if received_msg.needs_delete_job || delete_server_after == Some(0) {
             Some("".to_string())
         } else {
             None

src/receive_imf/receive_imf_tests.rs

@@ -1978,10 +1978,15 @@ async fn test_no_smtp_job_for_self_chat() -> Result<()> {
     assert!(bob.pop_sent_msg_opt(Duration::ZERO).await.is_none());
 
     bob.set_config_bool(Config::BccSelf, true).await?;
+    bob.set_config(Config::DeleteServerAfter, Some("1")).await?;
+    let mut msg = Message::new_text("Happy birthday to me".to_string());
+    chat::send_msg(bob, chat_id, &mut msg).await?;
+    assert!(bob.pop_sent_msg_opt(Duration::ZERO).await.is_none());
+
+    bob.set_config(Config::DeleteServerAfter, None).await?;
     let mut msg = Message::new_text("Happy birthday to me".to_string());
     chat::send_msg(bob, chat_id, &mut msg).await?;
     assert!(bob.pop_sent_msg_opt(Duration::ZERO).await.is_some());
-
     Ok(())
 }
 

src/smtp.rs

@@ -699,22 +699,26 @@ pub(crate) async fn add_self_recipients(
     recipients: &mut Vec<String>,
     encrypted: bool,
 ) -> Result<()> {
-    // Avoid sending unencrypted messages to all transports, chatmail relays won't accept
-    // them. Normally the user should have a non-chatmail primary transport to send unencrypted
-    // messages.
-    if encrypted {
-        for addr in context.get_published_secondary_self_addrs().await? {
-            recipients.push(addr);
+    // Previous versions of Delta Chat did not send BCC self
+    // if DeleteServerAfter was set to immediately delete messages
+    // from the server. This is not the case anymore
+    // because BCC-self messages are also used to detect
+    // that message was sent if SMTP server is slow to respond
+    // and connection is frequently lost
+    // before receiving status line. NB: This is not a problem for chatmail servers, so `BccSelf`
+    // disabled by default is fine.
+    if context.get_config_delete_server_after().await? != Some(0) || !recipients.is_empty() {
+        // Avoid sending unencrypted messages to all transports, chatmail relays won't accept
+        // them. Normally the user should have a non-chatmail primary transport to send unencrypted
+        // messages.
+        if encrypted {
+            for addr in context.get_published_secondary_self_addrs().await? {
+                recipients.push(addr);
+            }
         }
+        // `from` must be the last addr, see `receive_imf_inner()` why.
+        let from = context.get_primary_self_addr().await?;
+        recipients.push(from);
     }
-    // `from` must be the last addr
-    // because `receive_imf_inner()` marks the message as 'delivered'
-    // if it arrives to the self-server via `bcc_self`.
-    // This helps with marking messages as delivered
-    // if the server is slow and we never get an `OK` response
-    // before the connection times out.
-    let from = context.get_primary_self_addr().await?;
-    recipients.push(from);
-
     Ok(())
 }

src/sql/migrations.rs

@@ -2373,6 +2373,18 @@ ALTER TABLE contacts ADD COLUMN name_normalized TEXT;
         .await?;
     }
 
+    inc_and_check(&mut migration_version, 152)?;
+    if dbversion < migration_version {
+        sql.execute_migration(
+            "
+UPDATE msgs SET state=26 WHERE state=28; -- Change OutMdnRcvd to OutDelivered.
+UPDATE msgs SET state=19 WHERE state=24; -- Change OutPreparing to OutFailed.
+            ",
+            migration_version,
+        )
+        .await?;
+    }
+
     let new_version = sql
         .get_raw_config_int(VERSION_CFG)
         .await?

src/test_utils.rs

@@ -137,6 +137,17 @@ impl TestContextManager {
             .await
     }
 
+    /// Returns a new "device" with a preconfigured v6 PQC key.
+    pub async fn pqc(&mut self) -> TestContext {
+        TestContext::builder()
+            .with_key_pair(pqc_keypair())
+            .with_address("pqc@example.org".to_string())
+            .with_id_offset(7000)
+            .with_log_sink(self.log_sink.clone())
+            .build(Some(&mut self.used_names))
+            .await
+    }
+
     /// Creates a new unconfigured test account.
     pub async fn unconfigured(&mut self) -> TestContext {
         TestContext::builder()
@@ -304,6 +315,9 @@ impl TestContextManager {
 pub struct TestContextBuilder {
     key_pair: Option<SignedSecretKey>,
 
+    /// Email address.
+    address: Option<String>,
+
     /// Log sink if set.
     ///
     /// If log sink is not set,
@@ -328,6 +342,7 @@ impl TestContextBuilder {
     /// This is a shortcut for `.with_key_pair(alice_keypair())`.
     pub fn configure_alice(self) -> Self {
         self.with_key_pair(alice_keypair())
+            .with_address("alice@example.org".to_string())
     }
 
     /// Configures as bob@example.net with fixed secret key.
@@ -335,6 +350,7 @@ impl TestContextBuilder {
     /// This is a shortcut for `.with_key_pair(bob_keypair())`.
     pub fn configure_bob(self) -> Self {
         self.with_key_pair(bob_keypair())
+            .with_address("bob@example.net".to_string())
     }
 
     /// Configures as charlie@example.net with fixed secret key.
@@ -342,6 +358,7 @@ impl TestContextBuilder {
     /// This is a shortcut for `.with_key_pair(charlie_keypair())`.
     pub fn configure_charlie(self) -> Self {
         self.with_key_pair(charlie_keypair())
+            .with_address("charlie@example.net".to_string())
     }
 
     /// Configures as dom@example.net with fixed secret key.
@@ -349,6 +366,7 @@ impl TestContextBuilder {
     /// This is a shortcut for `.with_key_pair(dom_keypair())`.
     pub fn configure_dom(self) -> Self {
         self.with_key_pair(dom_keypair())
+            .with_address("dom@example.net".to_string())
     }
 
     /// Configures as elena@example.net with fixed secret key.
@@ -356,6 +374,7 @@ impl TestContextBuilder {
     /// This is a shortcut for `.with_key_pair(elena_keypair())`.
     pub fn configure_elena(self) -> Self {
         self.with_key_pair(elena_keypair())
+            .with_address("elena@example.net".to_string())
     }
 
     /// Configures as fiona@example.net with fixed secret key.
@@ -363,6 +382,7 @@ impl TestContextBuilder {
     /// This is a shortcut for `.with_key_pair(fiona_keypair())`.
     pub fn configure_fiona(self) -> Self {
         self.with_key_pair(fiona_keypair())
+            .with_address("fiona@example.net".to_string())
     }
 
     /// Configures the new [`TestContext`] with the provided [`SignedSecretKey`].
@@ -374,6 +394,12 @@ impl TestContextBuilder {
         self
     }
 
+    /// Sets email address.
+    pub fn with_address(mut self, address: String) -> Self {
+        self.address = Some(address);
+        self
+    }
+
     /// Attaches a [`LogSink`] to this [`TestContext`].
     ///
     /// This is useful when using multiple [`TestContext`] instances in one test: it allows
@@ -396,16 +422,7 @@ impl TestContextBuilder {
     /// Builds the [`TestContext`].
     pub async fn build(self, used_names: Option<&mut BTreeSet<String>>) -> TestContext {
         if let Some(key_pair) = self.key_pair {
-            let userid = {
-                let public_key = key_pair.to_public_key();
-                let id_bstr = public_key.details.users.first().unwrap().id.id();
-                String::from_utf8(id_bstr.to_vec()).unwrap()
-            };
-            let addr = mailparse::addrparse(&userid)
-                .unwrap()
-                .extract_single_info()
-                .unwrap()
-                .addr;
+            let addr = self.address.expect("Address is not set").clone();
             let name = EmailAddress::new(&addr).unwrap().local;
 
             let mut unused_name = name.clone();
@@ -1420,6 +1437,13 @@ pub fn fiona_keypair() -> SignedSecretKey {
     key::SignedSecretKey::from_asc(include_str!("../test-data/key/fiona-secret.asc")).unwrap()
 }
 
+/// Loads a pre-generated v6 PQC keypair from disk.
+///
+/// Like [alice_keypair] but a different key and identity.
+pub fn pqc_keypair() -> SignedSecretKey {
+    key::SignedSecretKey::from_asc(include_str!("../test-data/key/pqc-secret.asc")).unwrap()
+}
+
 /// Utility to help wait for and retrieve events.
 ///
 /// This buffers the events in order they are emitted.  This allows consuming events in

src/tests/pre_messages/forward_and_save.rs

@@ -1,4 +1,6 @@
 //! Tests about forwarding and saving Pre-Messages
+use std::time::Duration;
+
 use anyhow::Result;
 use pretty_assertions::assert_eq;
 
@@ -8,6 +10,7 @@ use crate::chatlist::get_last_message_for_chat;
 use crate::download::{DownloadState, PRE_MSG_ATTACHMENT_SIZE_THRESHOLD};
 use crate::message::{Message, Viewtype};
 use crate::test_utils::TestContextManager;
+use crate::tests::pre_messages::util::send_large_file_message;
 
 /// Test that forwarding Pre-Message should forward additional text to not be empty
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
@@ -86,6 +89,43 @@ async fn test_forwarding_pre_message_empty_text() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_receive_both() -> Result<()> {
+    let mut tcm = TestContextManager::new();
+    let alice = &tcm.alice().await;
+    let bob = &tcm.bob().await;
+    let alice_chat_id = alice.create_group_with_members("", &[bob]).await;
+
+    let (pre_message, post_message, alice_msg_id) =
+        send_large_file_message(alice, alice_chat_id, Viewtype::File, &vec![0u8; 200_000]).await?;
+
+    let msg = bob.recv_msg(&pre_message).await;
+    let _ = bob.recv_msg_trash(&post_message).await;
+    let msg = Message::load_from_db(bob, msg.id).await?;
+    assert_eq!(msg.download_state(), DownloadState::Done);
+    assert_eq!(msg.text, "test".to_owned());
+
+    forward_msgs(alice, &[alice_msg_id], alice_chat_id).await?;
+    let rev_order = false;
+    let msg = bob
+        .recv_msg(
+            &alice
+                .pop_sent_msg_ex(rev_order, Duration::ZERO)
+                .await
+                .unwrap(),
+        )
+        .await;
+    assert_eq!(msg.download_state(), DownloadState::Available);
+    assert_eq!(msg.is_forwarded(), true);
+    assert_eq!(msg.text, "test".to_owned());
+    let _ = bob.recv_msg_trash(&alice.pop_sent_msg().await).await;
+    let msg = Message::load_from_db(bob, msg.id).await?;
+    assert_eq!(msg.download_state(), DownloadState::Done);
+    assert_eq!(msg.is_forwarded(), true);
+    assert_eq!(msg.text, "test".to_owned());
+    Ok(())
+}
+
 /// Test that forwarding Pre-Message should forward additional text to not be empty
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn test_saving_pre_message_empty_text() -> Result<()> {

src/transport.rs

@@ -791,7 +791,18 @@ pub(crate) async fn sync_transports(
     context
         .sql
         .transaction(|transaction| {
+            let configured_addr = transaction.query_row(
+                "SELECT value FROM config WHERE keyname='configured_addr'",
+                (),
+                |row| {
+                    let addr: String = row.get(0)?;
+                    Ok(addr)
+                },
+            )?;
             for RemovedTransportData { addr, timestamp } in removed_transports {
+                if *addr == configured_addr {
+                    continue;
+                }
                 modified |= transaction.execute(
                     "DELETE FROM transports
                      WHERE addr=? AND add_timestamp<=?",

src/webxdc.rs

@@ -550,7 +550,7 @@ impl Context {
 
         let send_now = !matches!(
             instance.state,
-            MessageState::Undefined | MessageState::OutPreparing | MessageState::OutDraft
+            MessageState::Undefined | MessageState::OutDraft
         );
 
         status_update.uid = Some(create_id());

test-data/key/pqc-secret.asc

@@ -0,0 +1,39 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+xUsGaf8NSRsAAAAgYy+GaofURMeV0+bcZZGY2ZdAamU+LG69ONjd3haVU3cAhm6G
+IT/UEgFgVdPEhiXER9cfPLiCgkiw/L5mrAZfuLfCqgYfGwgAAABLBQJp/w1JIiEG
+hys0q6D+DFWPnwQoWtuX0mL6ovH2kCjWmDufAFmB0+QCGwMCHgkECwkIBwYVCg4J
+CAwBFg0nCQIIAgcCCQEIAQcBAAAAAEGQEO9Py9Q7njj1WXhtn1wMJSLBdHBE+qQu
+RaCaiWkY5l4EWLlVRPAjX2bBSGq6n3+M+H6oFpOHETAX8IcFSxc260UD+PM0jQpV
+H6ReNy7PBCQKx8RrBmn/DUkjAAAEwPmkVcPy1ye0/7D9nDQCkENUGry97iLkpcw/
+tLJfzL5gJAdzrPkDkyukHxrO7kiUx+mzpiGZRZeyRgBd5YQ+mTgGrptxXLFHcKFR
+79Fjg1UjgHEFjxCkCHUfnNcGZVM3p5skESnNgzsgFGiODfKhM4ew3AFgkUc5LNZj
+Zgpgt4ETIhylbLUY89ccfNpKnQeJl3cv8lvA/yqhoUutJXwZQ/qYKFnEIGEBTFto
+hLZn0KauF9KYOYvOV4yjeZQBlxSPNAWj9SqSNcalpTUFzwoQVSsqWwiys1PEzGAu
+twQVKsZ3e/hlZAyR4eGMiYEmCEy7qjuaOJsqHQuW7hdOHWdVRUpRHOtfj3QAzdc0
+CehVbyCRJVwnTSKiT3AYsdACH8U7mhI5/VxeSHNRIDN1Y6g6N5sx6Wur/HuKGFwx
+L4urdPdpJJgyLXR8GUkL/yeqUhogu4mbVAmULbq2BCIKFNpMyGdhnDugN6Sp5MWc
+GOxCW7CASuBYPHW/rto0C4M/3gCtN2sPtRAhOsXNBBhMqLlzzCgawulCiGtNjHUK
+HsVhghgYwKRBT7vLSKDNsCVizzoZxNQq8yUEXpFIRsTGt3wYoigZn4wOSpmQbxGe
+P3Uc2GWuuukCBNEP5oW4+TCFaNw5mvZgZwl5n4K34poxVgpqBIM2m2fEu8oyLPJZ
+bBxnbty3MUAdLpxv+0otGSHJF4xa3lsEyUdr6+JZZXohNXKoyjeJMGo6qPkvCADI
+upMnDSYZeLU5bVstHWS6otuRMEcjdLBkYfqfzBhkzbptscaUXzsaK4cd/iQzAA1r
+A0ygvcA78Vo363cElNAJh3lntrZZGpBYnzcU/zLACKAVJCYPy3Cj8Al8x+gHP0Yr
+ZSOYdZA1q9s2Kuqk7upCpcYDZ+uXGZs3ubA0TYCcO3FKhAwLhzJad5WApBFETYt2
+3KJEwgEjQaCs7sNNiwaKxhLC2VJhUckgluGs5iUu9ck5jdU+N9MqTmloF/u2Gok8
+QEqF9+DBhPg/fJoI9sN8sIyLrksEUQsm59mvJbVWOpxtbwpWZ+J4cat4azHE0khy
+rolL6lZqDJYW4xVeoAVl5iccicjE6mJLemoxf6iJdohi5cN5JXyZtgtdsbIesJib
+BLPJVahmv5W1Q4RmrwEp5Ua4xra5Mcac4PeINTOkGMErIhdvnuxEH/Cxd8VKhNlU
+vdty4MOyUOkRRPhOMNKUyTkwS9yjprK3QbhEJgrJygHCGpQ0jwp9PrtKqNnOONSX
+t4ZORuiAYHDFz3DPlJhLLzNoAJse0RAyolkPThoMl2JlY5ci8pVHb+Ed/kaeFxnE
+UJJIOZvDFfNCFCM5CCXG/2pi/icA7nHPDFVBeYPMz1B5vrgmdDNMMFVQNMBtrroT
+4pi1N5U4+EAv1vah40akQ/iFcfZjt4sE/jG0M0NCWqHBDPO7e0ae+2IqnIJmsHjL
+N1ak3egY00CnRHdrPCkOkhooFIHA1hYxIwyP07qfkhUBNwSqZ4AfF8UW/nuLjeaj
+ajEWz3zGLvQpfHSobEGPQKk+eIA1fOVeAuJAUAmJz5YO1Dk4OfczeQqQiOhtv+qe
+PYaZQfBFJVamGocDHomPQkP/IvAJhuO9xWPapqbdRwGfVRJZgGsAy89mT1w0PU1C
+u6VpIoyZB2J9LZkw9qb9sRRJAr2gpWGBD4CCmPZ8d17ZGDcIr8o+eI+bo5eKf+1j
+6NhsjM7AmIccStNxZYWE4ZucvYYbPvT3ns/TNa7BH2DBqfGK84PawosGGBsIAAAA
+LAUCaf8NSQIbDCIhBocrNKug/gxVj58EKFrbl9Ji+qLx9pAo1pg7nwBZgdPkAAAA
+ADrcEIqnwTwJoiZAxzK+w7uQFHzsYMWIj8x+DKsn7D1silKINHDnFSrlSKRtbAW6
+x9+HrN/nvR7bOnXZvZhz7lQ3Lp3YUdzEcqRMj8BWW8IXdm0C
+-----END PGP PRIVATE KEY BLOCK-----