chore(release): prepare for 1.142.10

This fixes the bug that sometimes made QR scans fail.

The problem was:

When sorting headers into unprotected/hidden/protected, the From: header
was added twice for all messages: Once into unprotected_headers and once
into protected_headers. For messages that are `is_encrypted && verified
|| is_securejoin_message`, the display name is removed before pushing it
into unprotected_headers.

Later, duplicate headers are removed from unprotected_headers right
before prepending unprotected_headers to the message. But since the
unencrypted From: header got modified a bit when removing the display
name, it's not exactly the same anymore, so it's not removed from
unprotected_headers and consequently added again.

.github/dependabot.yml

@@ -7,3 +7,10 @@ updates:
     commit-message:
       prefix: "chore(cargo)"
     open-pull-requests-limit: 50
+
+  # Keep GitHub Actions up to date.
+  # <https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot>
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/ci.yml

@@ -24,7 +24,7 @@ jobs:
     name: Lint Rust
     runs-on: ubuntu-latest
     env:
-      RUSTUP_TOOLCHAIN: 1.80.0
+      RUSTUP_TOOLCHAIN: 1.80.1
     steps:
       - uses: actions/checkout@v4
         with:
@@ -59,7 +59,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
-      - uses: EmbarkStudios/cargo-deny-action@v1
+      - uses: EmbarkStudios/cargo-deny-action@v2
         with:
           arguments: --all-features --workspace
           command: check
@@ -95,11 +95,11 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            rust: 1.80.0
+            rust: 1.80.1
           - os: windows-latest
-            rust: 1.80.0
+            rust: 1.80.1
           - os: macos-latest
-            rust: 1.80.0
+            rust: 1.80.1
 
           # Minimum Supported Rust Version = 1.77.0
           - os: ubuntu-latest

.github/workflows/dependabot.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v1.1.1
+        uses: dependabot/fetch-metadata@v2.2.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
       - name: Approve a PR

.github/workflows/node-docs.yml

@@ -31,7 +31,7 @@ jobs:
           mv docs js
 
       - name: Upload
-        uses: horochx/deploy-via-scp@v1.0.1
+        uses: horochx/deploy-via-scp@1.1.0
         with:
           user: ${{ secrets.USERNAME }}
           key: ${{ secrets.KEY }}

.github/workflows/upload-docs.yml

@@ -74,7 +74,7 @@ jobs:
           show-progress: false
           fetch-depth: 0 # Fetch history to calculate VCS version number.
       - name: Use Node.js
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
           node-version: '18'
       - name: npm install

CHANGELOG.md

@@ -1,5 +1,157 @@
 # Changelog
 
+## [1.142.10] - 2024-08-26
+
+### Fixes
+
+- Only include one From: header in securejoin messages ([#5917](https://github.com/deltachat/deltachat-core-rust/pull/5917)).
+
+## [1.142.9] - 2024-08-24
+
+### Fixes
+
+- Fix reading of multiline SMTP greetings ([#5911](https://github.com/deltachat/deltachat-core-rust/pull/5911)).
+
+### Features / Changes
+
+- Update preloaded DNS cache.
+
+## [1.142.8] - 2024-08-21
+
+### Fixes
+
+- Do not panic on unknown CertificateChecks values.
+
+## [1.142.7] - 2024-08-17
+
+### Fixes
+
+- Do not save "Automatic" into configured_imap_certificate_checks. **This fixes regression introduced in core 1.142.4. Versions 1.142.4..1.142.6 should not be used in releases.**
+- Create a group unblocked for bot even if 1:1 chat is blocked ([#5514](https://github.com/deltachat/deltachat-core-rust/pull/5514)).
+- Update rpgp from 0.13.1 to 0.13.2 to fix "unable to decrypt" errors when sending messages to old Delta Chat clients and using Ed25519 keys to encrypt.
+- Do not request ALPN on standard ports and when using STARTTLS.
+
+### Features / Changes
+
+- jsonrpc: Add ContactObject::e2ee_avail.
+
+### Tests
+
+- Protected group for bot is auto-accepted.
+
+## [1.142.6] - 2024-08-15
+
+### Fixes
+
+- Default to strict TLS checks if not configured.
+
+### Miscellaneous Tasks
+
+- deltachat-rpc-client: Fix ruff 0.6.0 warnings.
+
+## [1.142.5] - 2024-08-14
+
+### Fixes
+
+- Still try to create "INBOX.DeltaChat" if couldn't create "DeltaChat" ([#5870](https://github.com/deltachat/deltachat-core-rust/pull/5870)).
+- `store_seen_flags_on_imap`: Skip to next messages if couldn't select folder ([#5870](https://github.com/deltachat/deltachat-core-rust/pull/5870)).
+- Increase timeout for QR generation to 60s ([#5882](https://github.com/deltachat/deltachat-core-rust/pull/5882)).
+
+### Documentation
+
+- Document new `mdns_enabled` behavior (bots do not send MDNs by default).
+
+### CI
+
+- Configure Dependabot to update GitHub Actions.
+
+### Miscellaneous Tasks
+
+- cargo: Bump regex from 1.10.5 to 1.10.6.
+- cargo: Bump serde from 1.0.204 to 1.0.205.
+- deps: Bump horochx/deploy-via-scp from 1.0.1 to 1.1.0.
+- deps: Bump dependabot/fetch-metadata from 1.1.1 to 2.2.0.
+- deps: Bump actions/setup-node from 2 to 4.
+- Update provider database.
+
+## [1.142.4] - 2024-08-09
+
+### Build system
+
+- Downgrade Tokio to 1.38 to fix Android compilation.
+- Use `--locked` with `cargo install`.
+
+### Features / Changes
+
+- Add Config::FixIsChatmail.
+- Always move outgoing auto-generated messages to the mvbox.
+- Disable requesting MDNs for bots by default.
+- Allow using OAuth 2 with SOCKS5.
+- Allow autoconfig when SOCKS5 is enabled.
+- Update provider database.
+- cargo: Update iroh from 0.21 to 0.22 ([#5860](https://github.com/deltachat/deltachat-core-rust/pull/5860)).
+
+### CI
+
+- Update Rust to 1.80.1.
+- Update EmbarkStudios/cargo-deny-action.
+
+### Documentation
+
+- Point to active Header Protection draft
+
+### Refactor
+
+- Derive `Default` for `CertificateChecks`.
+- Merge imap_certificate_checks and smtp_certificate_checks.
+- Remove param_addr_urlencoded argument from get_autoconfig().
+- Pass address to moz_autoconfigure() instead of LoginParam.
+
+## [1.142.3] - 2024-08-04
+
+### Build system
+
+- cargo: Update rusqlite and libsqlite3-sys.
+- Fix cargo warnings about default-features
+- Do not disable "vendored" feature in the workspace.
+- cargo: Bump quick-xml from 0.35.0 to 0.36.1.
+- cargo: Bump uuid from 1.9.1 to 1.10.0.
+- cargo: Bump tokio from 1.38.0 to 1.39.2.
+- cargo: Bump env_logger from 0.11.3 to 0.11.5.
+- Remove sha2 dependency.
+- Remove `backtrace` dependency.
+- Remove direct "quinn" dependency.
+
+## [1.142.2] - 2024-08-02
+
+### Features / Changes
+
+- Try only the full email address if username is unspecified.
+- Sort DNS results by successful connection timestamp ([#5818](https://github.com/deltachat/deltachat-core-rust/pull/5818)).
+
+### Fixes
+
+- Await the tasks after aborting them.
+- Do not reset is_chatmail config on failed reconfiguration.
+- Fix compilation on iOS.
+- Reset configured_provider on reconfiguration.
+
+### Refactor
+
+- Don't update message state to `OutMdnRcvd` anymore.
+
+### Build system
+
+- Use workspace dependencies to make cargo-deny 0.15.1 happy.
+- cargo: Update bytemuck from 0.14.3 to 0.16.3.
+- cargo: Bump toml from 0.8.14 to 0.8.15.
+- cargo: Bump serde_json from 1.0.120 to 1.0.122.
+- cargo: Bump human-panic from 2.0.0 to 2.0.1.
+- cargo: Bump thiserror from 1.0.61 to 1.0.63.
+- cargo: Bump syn from 2.0.68 to 2.0.72.
+- cargo: Bump quoted_printable from 0.5.0 to 0.5.1.
+- cargo: Bump serde from 1.0.203 to 1.0.204.
+
 ## [1.142.1] - 2024-07-30
 
 ### Features / Changes
@@ -4631,3 +4783,12 @@ https://github.com/deltachat/deltachat-core-rust/pulls?q=is%3Apr+is%3Aclosed
 [1.141.2]: https://github.com/deltachat/deltachat-core-rust/compare/v1.141.1...v1.141.2
 [1.142.0]: https://github.com/deltachat/deltachat-core-rust/compare/v1.141.2...v1.142.0
 [1.142.1]: https://github.com/deltachat/deltachat-core-rust/compare/v1.142.0...v1.142.1
+[1.142.2]: https://github.com/deltachat/deltachat-core-rust/compare/v1.142.1...v1.142.2
+[1.142.3]: https://github.com/deltachat/deltachat-core-rust/compare/v1.142.2...v1.142.3
+[1.142.4]: https://github.com/deltachat/deltachat-core-rust/compare/v1.142.3...v1.142.4
+[1.142.5]: https://github.com/deltachat/deltachat-core-rust/compare/v1.142.4...v1.142.5
+[1.142.6]: https://github.com/deltachat/deltachat-core-rust/compare/v1.142.5...v1.142.6
+[1.142.7]: https://github.com/deltachat/deltachat-core-rust/compare/v1.142.6...v1.142.7
+[1.142.8]: https://github.com/deltachat/deltachat-core-rust/compare/v1.142.7...v1.142.8
+[1.142.9]: https://github.com/deltachat/deltachat-core-rust/compare/v1.142.8...v1.142.9
+[1.142.10]: https://github.com/deltachat/deltachat-core-rust/compare/v1.142.9..v1.142.10

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "deltachat"
-version = "1.142.1"
+version = "1.142.10"
 edition = "2021"
 license = "MPL-2.0"
 rust-version = "1.77"
@@ -45,7 +45,6 @@ async-imap = { version = "0.9.7", default-features = false, features = ["runtime
 async-native-tls = { version = "0.5", default-features = false, features = ["runtime-tokio"] }
 async-smtp = { version = "0.9", default-features = false, features = ["runtime-tokio"] }
 async_zip = { version = "0.0.12", default-features = false, features = ["deflate", "fs"] }
-backtrace = "0.3"
 base64 = { workspace = true }
 brotli = { version = "6", default-features=false, features = ["std"] }
 chrono = { workspace = true, features = ["alloc", "clock", "std"] }
@@ -61,9 +60,8 @@ hickory-resolver = "0.24"
 humansize = "2"
 image = { version = "0.25.1", default-features=false, features = ["gif", "jpeg", "ico", "png", "pnm", "webp", "bmp"] }
 iroh_old = { version = "0.4.2", default-features = false, package = "iroh"}
-iroh-net = { version = "0.21.0", default-features = false }
-iroh-gossip = { version = "0.21.0", default-features = false, features = ["net"] }
-quinn = "0.10.0"
+iroh-net = { version = "0.22.0", default-features = false }
+iroh-gossip = { version = "0.22.0", default-features = false, features = ["net"] }
 kamadak-exif = "0.5.3"
 lettre_email = { git = "https://github.com/deltachat/lettre", branch = "master" }
 libc = { workspace = true }
@@ -75,9 +73,9 @@ num-traits = { workspace = true }
 once_cell = { workspace = true }
 percent-encoding = "2.3"
 parking_lot = "0.12"
-pgp = { version = "0.13", default-features = false }
+pgp = { version = "0.13.2", default-features = false }
 qrcodegen = "1.7.0"
-quick-xml = "0.35"
+quick-xml = "0.36"
 quoted_printable = "0.5"
 rand = { workspace = true }
 regex = { workspace = true }
@@ -88,7 +86,6 @@ sanitize-filename = { workspace = true }
 serde_json = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 sha-1 = "0.10"
-sha2 = "0.10"
 smallvec = "1.13.2"
 strum = "0.26"
 strum_macros = "0.26"
@@ -174,13 +171,20 @@ num-traits = "0.2"
 once_cell = "1.18.0"
 rand = "0.8"
 regex = "1.10"
-rusqlite = "0.31"
+rusqlite = "0.32"
 sanitize-filename = "0.5"
 serde_json = "1"
 serde = "1.0"
 tempfile = "3.10.1"
 thiserror = "1"
-tokio = "1.38.0"
+
+# 1.38 is the latest version before `mio` dependency update
+# that broke compilation with Android NDK r23c and r24.
+# Version 1.39.0 cannot be compiled using these NDKs,
+# see issue <https://github.com/tokio-rs/tokio/issues/6748>
+# for details.
+tokio = "~1.38.1"
+
 tokio-util = "0.7.11"
 tracing-subscriber = "0.3"
 yerpc = "0.6.2"

README.md

@@ -30,13 +30,13 @@ $ curl https://sh.rustup.rs -sSf | sh
 Compile and run Delta Chat Core command line utility, using `cargo`:
 
 ```
-$ cargo run -p deltachat-repl -- ~/deltachat-db
+$ cargo run --locked -p deltachat-repl -- ~/deltachat-db
 ```
 where ~/deltachat-db is the database file. Delta Chat will create it if it does not exist.
 
 Optionally, install `deltachat-repl` binary with
 ```
-$ cargo install --path deltachat-repl/
+$ cargo install --locked --path deltachat-repl/
 ```
 and run as
 ```

deltachat-ffi/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "deltachat_ffi"
-version = "1.142.1"
+version = "1.142.10"
 description = "Deltachat FFI"
 edition = "2018"
 readme = "README.md"
@@ -29,6 +29,6 @@ yerpc = { workspace = true, features = ["anyhow_expose"] }
 
 [features]
 default = ["vendored"]
-vendored = ["deltachat/vendored"]
+vendored = ["deltachat/vendored", "deltachat-jsonrpc/vendored"]
 jsonrpc = ["dep:deltachat-jsonrpc"]
 

deltachat-ffi/deltachat.h

@@ -409,7 +409,7 @@ char*           dc_get_blobdir               (const dc_context_t* context);
  * - `socks5_user` = SOCKS5 proxy username
  * - `socks5_password` = SOCKS5 proxy password
  * - `imap_certificate_checks` = how to check IMAP certificates, one of the @ref DC_CERTCK flags, defaults to #DC_CERTCK_AUTO (0)
- * - `smtp_certificate_checks` = how to check SMTP certificates, one of the @ref DC_CERTCK flags, defaults to #DC_CERTCK_AUTO (0)
+ * - `smtp_certificate_checks` = deprecated option, should be set to the same value as `imap_certificate_checks` but ignored by the new core
  * - `displayname`  = Own name to use when sending messages. MUAs are allowed to spread this way e.g. using CC, defaults to empty
  * - `selfstatus`   = Own status to display, e.g. in e-mail footers, defaults to empty
  * - `selfavatar`   = File containing avatar. Will immediately be copied to the 
@@ -420,7 +420,8 @@ char*           dc_get_blobdir               (const dc_context_t* context);
  *                    and also recoded to a reasonable size.
  * - `e2ee_enabled` = 0=no end-to-end-encryption, 1=prefer end-to-end-encryption (default)
  * - `mdns_enabled` = 0=do not send or request read receipts,
- *                    1=send and request read receipts (default)
+ *                    1=send and request read receipts
+ *                    default=send and request read receipts, only send but not reuqest if `bot` is set
  * - `bcc_self`     = 0=do not send a copy of outgoing messages to self (default),
  *                    1=send a copy of outgoing messages to self.
  *                    Sending messages to self is needed for a proper multi-account setup,

deltachat-jsonrpc/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "deltachat-jsonrpc"
-version = "1.142.1"
+version = "1.142.10"
 description = "DeltaChat JSON-RPC API"
 edition = "2021"
 default-run = "deltachat-jsonrpc-server"
@@ -33,7 +33,7 @@ base64 = { workspace = true }
 
 # optional dependencies
 axum = { version = "0.7", optional = true, features = ["ws"] }
-env_logger = { version = "0.11.3", optional = true }
+env_logger = { version = "0.11.5", optional = true }
 
 [dev-dependencies]
 tokio = { workspace = true, features = ["full", "rt-multi-thread"] }

deltachat-jsonrpc/src/api.rs

@@ -1672,10 +1672,10 @@ impl CommandApi {
     ///
     /// This call will block until the QR code is ready,
     /// even if there is no concurrent call to [`CommandApi::provide_backup`],
-    /// but will fail after 10 seconds to avoid deadlocks.
+    /// but will fail after 60 seconds to avoid deadlocks.
     async fn get_backup_qr(&self, account_id: u32) -> Result<String> {
         let qr = tokio::time::timeout(
-            Duration::from_secs(10),
+            Duration::from_secs(60),
             self.inner_get_backup_qr(account_id),
         )
         .await
@@ -1691,13 +1691,13 @@ impl CommandApi {
     ///
     /// This call will block until the QR code is ready,
     /// even if there is no concurrent call to [`CommandApi::provide_backup`],
-    /// but will fail after 10 seconds to avoid deadlocks.
+    /// but will fail after 60 seconds to avoid deadlocks.
     ///
     /// Returns the QR code rendered as an SVG image.
     async fn get_backup_qr_svg(&self, account_id: u32) -> Result<String> {
         let ctx = self.get_context(account_id).await?;
         let qr = tokio::time::timeout(
-            Duration::from_secs(10),
+            Duration::from_secs(60),
             self.inner_get_backup_qr(account_id),
         )
         .await

deltachat-jsonrpc/src/api/types/contact.rs

@@ -19,6 +19,7 @@ pub struct ContactObject {
     profile_image: Option<String>, // BLOBS
     name_and_addr: String,
     is_blocked: bool,
+    e2ee_avail: bool,
 
     /// True if the contact can be added to verified groups.
     ///
@@ -79,6 +80,7 @@ impl ContactObject {
             profile_image, //BLOBS
             name_and_addr: contact.get_name_n_addr(),
             is_blocked: contact.is_blocked(),
+            e2ee_avail: contact.e2ee_avail(context).await?,
             is_verified,
             is_profile_verified,
             verifier_id,

deltachat-jsonrpc/typescript/package.json

@@ -58,5 +58,5 @@
   },
   "type": "module",
   "types": "dist/deltachat.d.ts",
-  "version": "1.142.1"
+  "version": "1.142.10"
 }

deltachat-repl/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "deltachat-repl"
-version = "1.142.1"
+version = "1.142.10"
 license = "MPL-2.0"
 edition = "2021"
 repository = "https://github.com/deltachat/deltachat-core-rust"

deltachat-rpc-client/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "deltachat-rpc-client"
-version = "1.142.1"
+version = "1.142.10"
 description = "Python client for Delta Chat core JSON-RPC interface"
 classifiers = [
     "Development Status :: 5 - Production/Stable",

deltachat-rpc-client/src/deltachat_rpc_client/pytestplugin.py

@@ -114,13 +114,13 @@ class ACFactory:
         return to_client.run_until(lambda e: e.kind == EventType.INCOMING_MSG)
 
 
-@pytest.fixture()
+@pytest.fixture
 def rpc(tmp_path) -> AsyncGenerator:
     rpc_server = Rpc(accounts_dir=str(tmp_path / "accounts"))
     with rpc_server:
         yield rpc_server
 
 
-@pytest.fixture()
+@pytest.fixture
 def acfactory(rpc) -> AsyncGenerator:
     return ACFactory(DeltaChat(rpc))

deltachat-rpc-client/tests/test_iroh_webxdc.py

@@ -12,10 +12,11 @@ import threading
 import time
 
 import pytest
+
 from deltachat_rpc_client import EventType
 
 
-@pytest.fixture()
+@pytest.fixture
 def path_to_webxdc(request):
     p = request.path.parent.parent.parent.joinpath("test-data/webxdc/chess.xdc")
     assert p.exists()

deltachat-rpc-client/tests/test_securejoin.py

@@ -1,6 +1,7 @@
 import logging
 
 import pytest
+
 from deltachat_rpc_client import Chat, EventType, SpecialContactId
 
 

deltachat-rpc-client/tests/test_something.py

@@ -3,11 +3,13 @@ import concurrent.futures
 import json
 import logging
 import os
+import socket
 import subprocess
 import time
 from unittest.mock import MagicMock
 
 import pytest
+
 from deltachat_rpc_client import Contact, EventType, Message, events
 from deltachat_rpc_client.const import DownloadState, MessageState
 from deltachat_rpc_client.direct_imap import DirectImap
@@ -69,6 +71,18 @@ def test_configure_starttls(acfactory) -> None:
     assert account.is_configured()
 
 
+def test_configure_ip(acfactory) -> None:
+    account = acfactory.new_preconfigured_account()
+
+    domain = account.get_config("addr").rsplit("@")[-1]
+    ip_address = socket.gethostbyname(domain)
+
+    # This should fail TLS check.
+    account.set_config("mail_server", ip_address)
+    with pytest.raises(JsonRpcError):
+        account.configure()
+
+
 def test_account(acfactory) -> None:
     alice, bob = acfactory.get_online_accounts(2)
 
@@ -621,3 +635,24 @@ def test_get_http_response(acfactory):
     http_response = alice._rpc.get_http_response(alice.id, "https://example.org")
     assert http_response["mimetype"] == "text/html"
     assert b"<title>Example Domain</title>" in base64.b64decode((http_response["blob"] + "==").encode())
+
+
+def test_configured_imap_certificate_checks(acfactory):
+    alice = acfactory.new_configured_account()
+    configured_certificate_checks = alice.get_config("configured_imap_certificate_checks")
+
+    # Certificate checks should be configured (not None)
+    assert configured_certificate_checks
+
+    # 0 is the value old Delta Chat core versions used
+    # to mean user entered "imap_certificate_checks=0" (Automatic)
+    # and configuration failed to use strict TLS checks
+    # so it switched strict TLS checks off.
+    #
+    # New versions of Delta Chat are not disabling TLS checks
+    # unless users explicitly disables them
+    # or provider database says provider has invalid certificates.
+    #
+    # Core 1.142.4, 1.142.5 and 1.142.6 saved this value due to bug.
+    # This test is a regression test to prevent this happening again.
+    assert configured_certificate_checks != "0"

deltachat-rpc-server/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "deltachat-rpc-server"
-version = "1.142.1"
+version = "1.142.10"
 description = "DeltaChat JSON-RPC server"
 edition = "2021"
 readme = "README.md"
@@ -10,8 +10,8 @@ keywords = ["deltachat", "chat", "openpgp", "email", "encryption"]
 categories = ["cryptography", "std", "email"]
 
 [dependencies]
-deltachat-jsonrpc = { workspace = true, default-features = false }
-deltachat = { workspace = true, default-features = false }
+deltachat-jsonrpc = { workspace = true }
+deltachat = { workspace = true }
 
 anyhow = { workspace = true }
 futures-lite = { workspace = true }

deltachat-rpc-server/npm-package/package.json

@@ -15,5 +15,5 @@
   },
   "type": "module",
   "types": "index.d.ts",
-  "version": "1.142.1"
+  "version": "1.142.10"
 }

deny.toml

@@ -57,7 +57,6 @@ skip = [
      { name = "h2", version = "0.3.26" },
      { name = "http-body", version = "0.4.6" },
      { name = "http", version = "0.2.12" },
-     { name = "hyper-rustls", version = "0.24.2" },
      { name = "hyper", version = "0.14.28" },
      { name = "idna", version = "0.4.0" },
      { name = "netlink-packet-core", version = "0.5.0" },
@@ -75,7 +74,6 @@ skip = [
      { name = "redox_syscall", version = "0.3.5" },
      { name = "regex-automata", version = "0.1.10" },
      { name = "regex-syntax", version = "0.6.29" },
-     { name = "reqwest", version = "0.11.27" },
      { name = "ring", version = "0.16.20" },
      { name = "rustls-pemfile", version = "1.0.4" },
      { name = "rustls", version = "0.21.11" },

package.json

@@ -55,5 +55,5 @@
     "test:mocha": "mocha node/test/test.mjs --growl --reporter=spec --bail --exit"
   },
   "types": "node/dist/index.d.ts",
-  "version": "1.142.1"
+  "version": "1.142.10"
 }

python/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "deltachat"
-version = "1.142.1"
+version = "1.142.10"
 description = "Python bindings for the Delta Chat Core library using CFFI against the Rust-implemented libdeltachat"
 readme = "README.rst"
 requires-python = ">=3.7"

python/tests/test_1_online.py

@@ -484,6 +484,16 @@ def test_move_works_on_self_sent(acfactory):
     ac1._evtracker.get_matching("DC_EVENT_IMAP_MESSAGE_MOVED")
 
 
+def test_move_sync_msgs(acfactory):
+    ac1 = acfactory.new_online_configuring_account(bcc_self=True, sync_msgs=True, fix_is_chatmail=True)
+    acfactory.bring_accounts_online()
+
+    ac1.set_config("displayname", "Alice")
+    ac1._evtracker.get_matching("DC_EVENT_IMAP_MESSAGE_MOVED")
+    ac1.set_config("displayname", "Bob")
+    ac1._evtracker.get_matching("DC_EVENT_IMAP_MESSAGE_MOVED")
+
+
 def test_forward_messages(acfactory, lp):
     ac1, ac2 = acfactory.get_online_accounts(2)
     chat = ac1.create_chat(ac2)

release-date.in

@@ -1 +1 @@
-2024-07-30
+2024-08-26

scripts/coredeps/install-rust.sh

@@ -7,7 +7,7 @@ set -euo pipefail
 #
 # Avoid using rustup here as it depends on reading /proc/self/exe and
 # has problems running under QEMU.
-RUST_VERSION=1.80.0
+RUST_VERSION=1.80.1
 
 ARCH="$(uname -m)"
 test -f "/lib/libc.musl-$ARCH.so.1" && LIBC=musl || LIBC=gnu

scripts/make-rpc-testenv.sh

@@ -3,4 +3,4 @@ set -euo pipefail
 
 tox -c deltachat-rpc-client -e py --devenv venv
 venv/bin/pip install --upgrade pip
-cargo install --path deltachat-rpc-server/ --root "$PWD/venv" --debug
+cargo install --locked --path deltachat-rpc-server/ --root "$PWD/venv" --debug

scripts/run-rpc-test.sh

@@ -1,4 +1,4 @@
 #!/usr/bin/env bash
 set -euo pipefail
-cargo install --path deltachat-rpc-server/ --root "$PWD/venv" --debug
+cargo install --locked --path deltachat-rpc-server/ --root "$PWD/venv" --debug
 PATH="$PWD/venv/bin:$PATH" tox -c deltachat-rpc-client

scripts/update-provider-database.sh

@@ -6,7 +6,7 @@ set -euo pipefail
 export TZ=UTC
 
 # Provider database revision.
-REV=828e5ddc7e6609b582fbd7f063cc3f60b580ce96
+REV=05c1b2029da74718e4bdc3799a46e29c4f794dc7
 
 CORE_ROOT="$PWD"
 TMP="$(mktemp -d)"

src/config.rs

@@ -13,7 +13,7 @@ use strum_macros::{AsRefStr, Display, EnumIter, EnumString};
 use tokio::fs;
 
 use crate::blob::BlobObject;
-use crate::constants::{self, DC_VERSION_STR};
+use crate::constants;
 use crate::context::Context;
 use crate::events::EventType;
 use crate::log::LogExt;
@@ -59,7 +59,10 @@ pub enum Config {
     /// IMAP server security (e.g. TLS, STARTTLS).
     MailSecurity,
 
-    /// How to check IMAP server TLS certificates.
+    /// How to check TLS certificates.
+    ///
+    /// "IMAP" in the name is for compatibility,
+    /// this actually applies to both IMAP and SMTP connections.
     ImapCertificateChecks,
 
     /// SMTP server hostname.
@@ -77,7 +80,9 @@ pub enum Config {
     /// SMTP server security (e.g. TLS, STARTTLS).
     SendSecurity,
 
-    /// How to check SMTP server TLS certificates.
+    /// Deprecated option for backwards compatibilty.
+    ///
+    /// Certificate checks for SMTP are actually controlled by `imap_certificate_checks` config.
     SmtpCertificateChecks,
 
     /// Whether to use OAuth 2.
@@ -124,14 +129,14 @@ pub enum Config {
 
     /// True if Message Delivery Notifications (read receipts) should
     /// be sent and requested.
-    #[strum(props(default = "1"))]
     MdnsEnabled,
 
     /// True if "Sent" folder should be watched for changes.
     #[strum(props(default = "0"))]
     SentboxWatch,
 
-    /// True if chat messages should be moved to a separate folder.
+    /// True if chat messages should be moved to a separate folder. Auto-sent messages like sync
+    /// ones are moved there anyway.
     #[strum(props(default = "1"))]
     MvboxMove,
 
@@ -209,7 +214,12 @@ pub enum Config {
     /// Configured IMAP server security (e.g. TLS, STARTTLS).
     ConfiguredMailSecurity,
 
-    /// How to check IMAP server TLS certificates.
+    /// Configured TLS certificate checks.
+    /// This option is saved on successful configuration
+    /// and should not be modified manually.
+    ///
+    /// This actually applies to both IMAP and SMTP connections,
+    /// but has "IMAP" in the name for backwards compatibility.
     ConfiguredImapCertificateChecks,
 
     /// Configured SMTP server hostname.
@@ -224,7 +234,9 @@ pub enum Config {
     /// Configured SMTP server port.
     ConfiguredSendPort,
 
-    /// How to check SMTP server TLS certificates.
+    /// Deprecated, stored for backwards compatibility.
+    ///
+    /// ConfiguredImapCertificateChecks is actually used.
     ConfiguredSmtpCertificateChecks,
 
     /// Whether OAuth 2 is used with configured provider.
@@ -257,6 +269,9 @@ pub enum Config {
     /// True if account is a chatmail account.
     IsChatmail,
 
+    /// True if `IsChatmail` mustn't be autoconfigured. For tests.
+    FixIsChatmail,
+
     /// True if account is muted.
     IsMuted,
 
@@ -382,9 +397,6 @@ impl Config {
     /// multiple users are sharing an account. Another example is `Self::SyncMsgs` itself which
     /// mustn't be controlled by other devices.
     pub(crate) fn is_synced(&self) -> bool {
-        // NB: We don't restart IO from the synchronisation code, so `MvboxMove` isn't effective
-        // immediately if `ConfiguredMvboxFolder` is unset, but only after a reconnect (see
-        // `Imap::prepare()`).
         matches!(
             self,
             Self::Displayname
@@ -398,10 +410,7 @@ impl Config {
 
     /// Whether the config option needs an IO scheduler restart to take effect.
     pub(crate) fn needs_io_restart(&self) -> bool {
-        matches!(
-            self,
-            Config::MvboxMove | Config::OnlyFetchMvbox | Config::SentboxWatch
-        )
+        matches!(self, Config::OnlyFetchMvbox | Config::SentboxWatch)
     }
 }
 
@@ -427,7 +436,7 @@ impl Context {
                         .into_owned()
                 })
             }
-            Config::SysVersion => Some((*DC_VERSION_STR).clone()),
+            Config::SysVersion => Some((*constants::DC_VERSION_STR).clone()),
             Config::SysMsgsizeMaxRecommended => Some(format!("{RECOMMENDED_FILE_SIZE}")),
             Config::SysConfigKeys => Some(get_config_keys_string()),
             _ => self.sql.get_raw_config(key.as_ref()).await?,
@@ -485,7 +494,8 @@ impl Context {
     /// Returns true if movebox ("DeltaChat" folder) should be watched.
     pub(crate) async fn should_watch_mvbox(&self) -> Result<bool> {
         Ok(self.get_config_bool(Config::MvboxMove).await?
-            || self.get_config_bool(Config::OnlyFetchMvbox).await?)
+            || self.get_config_bool(Config::OnlyFetchMvbox).await?
+            || !self.get_config_bool(Config::IsChatmail).await?)
     }
 
     /// Returns true if sentbox ("Sent" folder) should be watched.
@@ -504,6 +514,22 @@ impl Context {
             && !self.get_config_bool(Config::Bot).await?)
     }
 
+    /// Returns whether MDNs should be requested.
+    pub(crate) async fn should_request_mdns(&self) -> Result<bool> {
+        match self.get_config_bool_opt(Config::MdnsEnabled).await? {
+            Some(val) => Ok(val),
+            None => Ok(!self.get_config_bool(Config::Bot).await?),
+        }
+    }
+
+    /// Returns whether MDNs should be sent.
+    pub(crate) async fn should_send_mdns(&self) -> Result<bool> {
+        Ok(self
+            .get_config_bool_opt(Config::MdnsEnabled)
+            .await?
+            .unwrap_or(true))
+    }
+
     /// Gets configured "delete_server_after" value.
     ///
     /// `None` means never delete the message, `Some(0)` means delete
@@ -953,6 +979,17 @@ mod tests {
         Ok(())
     }
 
+    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+    async fn test_mdns_default_behaviour() -> Result<()> {
+        let t = &TestContext::new_alice().await;
+        assert!(t.should_request_mdns().await?);
+        assert!(t.should_send_mdns().await?);
+        t.set_config_bool(Config::Bot, true).await?;
+        assert!(!t.should_request_mdns().await?);
+        assert!(t.should_send_mdns().await?);
+        Ok(())
+    }
+
     #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
     async fn test_sync() -> Result<()> {
         let alice0 = TestContext::new_alice().await;
@@ -979,7 +1016,6 @@ mod tests {
         // Reset to default. Test that it's not synced because defaults may differ across client
         // versions.
         alice0.set_config(Config::MdnsEnabled, None).await?;
-        assert_eq!(alice0.get_config_bool(Config::MdnsEnabled).await?, true);
         alice0.set_config_bool(Config::MdnsEnabled, false).await?;
         sync(&alice0, &alice1).await;
         assert_eq!(alice1.get_config_bool(Config::MdnsEnabled).await?, false);

src/configure.rs

@@ -189,10 +189,8 @@ async fn configure(ctx: &Context, param: &mut LoginParam) -> Result<()> {
 
     // Step 1: Load the parameters and check email-address and password
 
-    // Do oauth2 only if socks5 is disabled. As soon as we have a http library that can do
-    // socks5 requests, this can work with socks5 too.  OAuth is always set either for both
-    // IMAP and SMTP or not at all.
-    if param.imap.oauth2 && !socks5_enabled {
+    // OAuth is always set either for both IMAP and SMTP or not at all.
+    if param.imap.oauth2 {
         // the used oauth2 addr may differ, check this.
         // if get_oauth2_addr() is not available in the oauth2 implementation, just use the given one.
         progress!(ctx, 10);
@@ -212,7 +210,6 @@ async fn configure(ctx: &Context, param: &mut LoginParam) -> Result<()> {
 
     let parsed = EmailAddress::new(&param.addr).context("Bad email-address")?;
     let param_domain = parsed.domain;
-    let param_addr_urlencoded = utf8_percent_encode(&param.addr, NON_ALPHANUMERIC).to_string();
 
     // Step 2: Autoconfig
     progress!(ctx, 200);
@@ -263,7 +260,6 @@ async fn configure(ctx: &Context, param: &mut LoginParam) -> Result<()> {
                                         }
                                     }
                                 },
-                                strict_tls: Some(provider.opt.strict_tls),
                             })
                             .collect();
 
@@ -278,19 +274,28 @@ async fn configure(ctx: &Context, param: &mut LoginParam) -> Result<()> {
         } else {
             // Try receiving autoconfig
             info!(ctx, "no offline autoconfig found");
-            param_autoconfig = if socks5_enabled {
-                // Currently we can't do http requests through socks5, to not leak
-                // the ip, just don't do online autoconfig
-                info!(ctx, "socks5 enabled, skipping autoconfig");
-                None
-            } else {
-                get_autoconfig(ctx, param, &param_domain, &param_addr_urlencoded).await
-            }
+            param_autoconfig = get_autoconfig(ctx, param, &param_domain).await;
         }
     } else {
         param_autoconfig = None;
     }
 
+    let user_strict_tls = match param.certificate_checks {
+        CertificateChecks::Automatic => None,
+        CertificateChecks::Strict => Some(true),
+        CertificateChecks::AcceptInvalidCertificates
+        | CertificateChecks::AcceptInvalidCertificates2 => Some(false),
+    };
+    let provider_strict_tls = param.provider.map(|provider| provider.opt.strict_tls);
+    let strict_tls = user_strict_tls.or(provider_strict_tls).unwrap_or(true);
+
+    // Do not save `CertificateChecks::Automatic` into `configured_imap_certificate_checks`.
+    param.certificate_checks = if strict_tls {
+        CertificateChecks::Strict
+    } else {
+        CertificateChecks::AcceptInvalidCertificates
+    };
+
     progress!(ctx, 500);
 
     let mut servers = param_autoconfig.unwrap_or_default();
@@ -304,7 +309,6 @@ async fn configure(ctx: &Context, param: &mut LoginParam) -> Result<()> {
             port: param.imap.port,
             socket: param.imap.security,
             username: param.imap.user.clone(),
-            strict_tls: None,
         })
     }
     if !servers
@@ -317,24 +321,9 @@ async fn configure(ctx: &Context, param: &mut LoginParam) -> Result<()> {
             port: param.smtp.port,
             socket: param.smtp.security,
             username: param.smtp.user.clone(),
-            strict_tls: None,
         })
     }
 
-    // respect certificate setting from function parameters
-    for server in &mut servers {
-        let certificate_checks = match server.protocol {
-            Protocol::Imap => param.imap.certificate_checks,
-            Protocol::Smtp => param.smtp.certificate_checks,
-        };
-        server.strict_tls = match certificate_checks {
-            CertificateChecks::AcceptInvalidCertificates
-            | CertificateChecks::AcceptInvalidCertificates2 => Some(false),
-            CertificateChecks::Strict => Some(true),
-            CertificateChecks::Automatic => server.strict_tls,
-        };
-    }
-
     let servers = expand_param_vector(servers, &param.addr, &param_domain);
 
     progress!(ctx, 550);
@@ -350,9 +339,6 @@ async fn configure(ctx: &Context, param: &mut LoginParam) -> Result<()> {
         .filter(|params| params.protocol == Protocol::Smtp)
         .cloned()
         .collect();
-    let provider_strict_tls = param
-        .provider
-        .map_or(socks5_config.is_some(), |provider| provider.opt.strict_tls);
 
     let smtp_config_task = task::spawn(async move {
         let mut smtp_configured = false;
@@ -362,18 +348,13 @@ async fn configure(ctx: &Context, param: &mut LoginParam) -> Result<()> {
             smtp_param.server.clone_from(&smtp_server.hostname);
             smtp_param.port = smtp_server.port;
             smtp_param.security = smtp_server.socket;
-            smtp_param.certificate_checks = match smtp_server.strict_tls {
-                Some(true) => CertificateChecks::Strict,
-                Some(false) => CertificateChecks::AcceptInvalidCertificates,
-                None => CertificateChecks::Automatic,
-            };
 
             match try_smtp_one_param(
                 &context_smtp,
                 &smtp_param,
                 &socks5_config,
                 &smtp_addr,
-                provider_strict_tls,
+                strict_tls,
                 &mut smtp,
             )
             .await
@@ -409,18 +390,13 @@ async fn configure(ctx: &Context, param: &mut LoginParam) -> Result<()> {
         param.imap.server.clone_from(&imap_server.hostname);
         param.imap.port = imap_server.port;
         param.imap.security = imap_server.socket;
-        param.imap.certificate_checks = match imap_server.strict_tls {
-            Some(true) => CertificateChecks::Strict,
-            Some(false) => CertificateChecks::AcceptInvalidCertificates,
-            None => CertificateChecks::Automatic,
-        };
 
         match try_imap_one_param(
             ctx,
             &param.imap,
             &param.socks5_config,
             &param.addr,
-            provider_strict_tls,
+            strict_tls,
         )
         .await
         {
@@ -454,19 +430,30 @@ async fn configure(ctx: &Context, param: &mut LoginParam) -> Result<()> {
 
     progress!(ctx, 900);
 
-    if imap_session.is_chatmail() {
-        ctx.set_config(Config::IsChatmail, Some("1")).await?;
+    let is_chatmail = match ctx.get_config_bool(Config::FixIsChatmail).await? {
+        false => {
+            let is_chatmail = imap_session.is_chatmail();
+            ctx.set_config(
+                Config::IsChatmail,
+                Some(match is_chatmail {
+                    false => "0",
+                    true => "1",
+                }),
+            )
+            .await?;
+            is_chatmail
+        }
+        true => ctx.get_config_bool(Config::IsChatmail).await?,
+    };
+    if is_chatmail {
         ctx.set_config(Config::SentboxWatch, None).await?;
         ctx.set_config(Config::MvboxMove, Some("0")).await?;
         ctx.set_config(Config::OnlyFetchMvbox, None).await?;
         ctx.set_config(Config::ShowEmails, None).await?;
         ctx.set_config(Config::E2eeEnabled, Some("1")).await?;
-    } else {
-        ctx.set_config(Config::IsChatmail, Some("0")).await?;
     }
 
-    let create_mvbox = ctx.should_watch_mvbox().await?;
-
+    let create_mvbox = !is_chatmail;
     imap.configure_folders(ctx, &mut imap_session, create_mvbox)
         .await?;
 
@@ -517,14 +504,15 @@ async fn get_autoconfig(
     ctx: &Context,
     param: &LoginParam,
     param_domain: &str,
-    param_addr_urlencoded: &str,
 ) -> Option<Vec<ServerParams>> {
+    let param_addr_urlencoded = utf8_percent_encode(&param.addr, NON_ALPHANUMERIC).to_string();
+
     if let Ok(res) = moz_autoconfigure(
         ctx,
         &format!(
             "https://autoconfig.{param_domain}/mail/config-v1.1.xml?emailaddress={param_addr_urlencoded}"
         ),
-        param,
+        &param.addr,
     )
     .await
     {
@@ -539,7 +527,7 @@ async fn get_autoconfig(
             "https://{}/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress={}",
             &param_domain, &param_addr_urlencoded
         ),
-        param,
+        &param.addr,
     )
     .await
     {
@@ -575,7 +563,7 @@ async fn get_autoconfig(
     if let Ok(res) = moz_autoconfigure(
         ctx,
         &format!("https://autoconfig.thunderbird.net/v1.1/{}", &param_domain),
-        param,
+        &param.addr,
     )
     .await
     {
@@ -590,15 +578,15 @@ async fn try_imap_one_param(
     param: &ServerLoginParam,
     socks5_config: &Option<Socks5Config>,
     addr: &str,
-    provider_strict_tls: bool,
+    strict_tls: bool,
 ) -> Result<(Imap, ImapSession), ConfigurationError> {
     let inf = format!(
-        "imap: {}@{}:{} security={} certificate_checks={} oauth2={} socks5_config={}",
+        "imap: {}@{}:{} security={} strict_tls={} oauth2={} socks5_config={}",
         param.user,
         param.server,
         param.port,
         param.security,
-        param.certificate_checks,
+        strict_tls,
         param.oauth2,
         if let Some(socks5_config) = socks5_config {
             socks5_config.to_string()
@@ -610,7 +598,7 @@ async fn try_imap_one_param(
 
     let (_s, r) = async_channel::bounded(1);
 
-    let mut imap = match Imap::new(param, socks5_config.clone(), addr, provider_strict_tls, r) {
+    let mut imap = match Imap::new(param, socks5_config.clone(), addr, strict_tls, r) {
         Err(err) => {
             info!(context, "failure: {:#}", err);
             return Err(ConfigurationError {
@@ -641,16 +629,16 @@ async fn try_smtp_one_param(
     param: &ServerLoginParam,
     socks5_config: &Option<Socks5Config>,
     addr: &str,
-    provider_strict_tls: bool,
+    strict_tls: bool,
     smtp: &mut Smtp,
 ) -> Result<(), ConfigurationError> {
     let inf = format!(
-        "smtp: {}@{}:{} security={} certificate_checks={} oauth2={} socks5_config={}",
+        "smtp: {}@{}:{} security={} strict_tls={} oauth2={} socks5_config={}",
         param.user,
         param.server,
         param.port,
         param.security,
-        param.certificate_checks,
+        strict_tls,
         param.oauth2,
         if let Some(socks5_config) = socks5_config {
             socks5_config.to_string()
@@ -661,7 +649,7 @@ async fn try_smtp_one_param(
     info!(context, "Trying: {}", inf);
 
     if let Err(err) = smtp
-        .connect(context, param, socks5_config, addr, provider_strict_tls)
+        .connect(context, param, socks5_config, addr, strict_tls)
         .await
     {
         info!(context, "SMTP failure: {err:#}.");

src/configure/auto_mozilla.rs

@@ -9,7 +9,6 @@ use quick_xml::events::{BytesStart, Event};
 
 use super::{Error, ServerParams};
 use crate::context::Context;
-use crate::login_param::LoginParam;
 use crate::net::read_url;
 use crate::provider::{Protocol, Socket};
 
@@ -248,7 +247,6 @@ fn parse_serverparams(in_emailaddr: &str, xml_raw: &str) -> Result<Vec<ServerPar
                 hostname: server.hostname,
                 port: server.port,
                 username: server.username,
-                strict_tls: None,
             })
         })
         .collect();
@@ -258,11 +256,11 @@ fn parse_serverparams(in_emailaddr: &str, xml_raw: &str) -> Result<Vec<ServerPar
 pub(crate) async fn moz_autoconfigure(
     context: &Context,
     url: &str,
-    param_in: &LoginParam,
+    addr: &str,
 ) -> Result<Vec<ServerParams>, Error> {
     let xml_raw = read_url(context, url).await?;
 
-    let res = parse_serverparams(&param_in.addr, &xml_raw);
+    let res = parse_serverparams(addr, &xml_raw);
     if let Err(err) = &res {
         warn!(
             context,

src/configure/auto_outlook.rs

@@ -187,7 +187,6 @@ fn protocols_to_serverparams(protocols: Vec<ProtocolTag>) -> Vec<ServerParams> {
                 hostname: protocol.server,
                 port: protocol.port,
                 username: String::new(),
-                strict_tls: None,
             })
         })
         .collect()

src/configure/server_params.rs

@@ -22,9 +22,6 @@ pub(crate) struct ServerParams {
 
     /// Username, empty if unknown.
     pub username: String,
-
-    /// Whether TLS certificates should be strictly checked or not, `None` for automatic.
-    pub strict_tls: Option<bool>,
 }
 
 impl ServerParams {
@@ -125,14 +122,6 @@ impl ServerParams {
             vec![self]
         }
     }
-
-    fn expand_strict_tls(self) -> Vec<ServerParams> {
-        vec![Self {
-            // Strict if not set by the user or provider database.
-            strict_tls: Some(self.strict_tls.unwrap_or(true)),
-            ..self
-        }]
-    }
 }
 
 /// Expands vector of `ServerParams`, replacing placeholders with
@@ -146,7 +135,6 @@ pub(crate) fn expand_param_vector(
         // The order of expansion is important.
         //
         // Ports are expanded the last, so they are changed the first.
-        .flat_map(|params| params.expand_strict_tls().into_iter())
         .flat_map(|params| params.expand_usernames(addr).into_iter())
         .flat_map(|params| params.expand_hostnames(domain).into_iter())
         .flat_map(|params| params.expand_ports().into_iter())
@@ -166,7 +154,6 @@ mod tests {
                 port: 0,
                 socket: Socket::Ssl,
                 username: "foobar".to_string(),
-                strict_tls: Some(true),
             }],
             "foobar@example.net",
             "example.net",
@@ -180,7 +167,6 @@ mod tests {
                 port: 993,
                 socket: Socket::Ssl,
                 username: "foobar".to_string(),
-                strict_tls: Some(true)
             }],
         );
 
@@ -191,7 +177,6 @@ mod tests {
                 port: 123,
                 socket: Socket::Automatic,
                 username: "foobar".to_string(),
-                strict_tls: None,
             }],
             "foobar@example.net",
             "example.net",
@@ -206,7 +191,6 @@ mod tests {
                     port: 123,
                     socket: Socket::Ssl,
                     username: "foobar".to_string(),
-                    strict_tls: Some(true),
                 },
                 ServerParams {
                     protocol: Protocol::Smtp,
@@ -214,12 +198,10 @@ mod tests {
                     port: 123,
                     socket: Socket::Starttls,
                     username: "foobar".to_string(),
-                    strict_tls: Some(true)
                 },
             ],
         );
 
-        // Test that strict_tls is not expanded for plaintext connections.
         let v = expand_param_vector(
             vec![ServerParams {
                 protocol: Protocol::Smtp,
@@ -227,7 +209,6 @@ mod tests {
                 port: 123,
                 socket: Socket::Plain,
                 username: "foobar".to_string(),
-                strict_tls: Some(true),
             }],
             "foobar@example.net",
             "example.net",
@@ -240,7 +221,6 @@ mod tests {
                 port: 123,
                 socket: Socket::Plain,
                 username: "foobar".to_string(),
-                strict_tls: Some(true)
             }],
         );
 
@@ -252,7 +232,6 @@ mod tests {
                 port: 10480,
                 socket: Socket::Ssl,
                 username: "foobar".to_string(),
-                strict_tls: Some(true),
             }],
             "foobar@example.net",
             "example.net",
@@ -266,7 +245,6 @@ mod tests {
                     port: 10480,
                     socket: Socket::Ssl,
                     username: "foobar".to_string(),
-                    strict_tls: Some(true)
                 },
                 ServerParams {
                     protocol: Protocol::Imap,
@@ -274,7 +252,6 @@ mod tests {
                     port: 10480,
                     socket: Socket::Ssl,
                     username: "foobar".to_string(),
-                    strict_tls: Some(true)
                 },
                 ServerParams {
                     protocol: Protocol::Imap,
@@ -282,7 +259,6 @@ mod tests {
                     port: 10480,
                     socket: Socket::Ssl,
                     username: "foobar".to_string(),
-                    strict_tls: Some(true)
                 }
             ],
         );
@@ -296,7 +272,6 @@ mod tests {
                 port: 0,
                 socket: Socket::Automatic,
                 username: "foobar".to_string(),
-                strict_tls: Some(true),
             }],
             "foobar@example.net",
             "example.net",
@@ -310,7 +285,6 @@ mod tests {
                     port: 465,
                     socket: Socket::Ssl,
                     username: "foobar".to_string(),
-                    strict_tls: Some(true)
                 },
                 ServerParams {
                     protocol: Protocol::Smtp,
@@ -318,7 +292,6 @@ mod tests {
                     port: 587,
                     socket: Socket::Starttls,
                     username: "foobar".to_string(),
-                    strict_tls: Some(true)
                 },
             ],
         );
@@ -338,7 +311,6 @@ mod tests {
                 port: 0,
                 socket: Socket::Automatic,
                 username: "".to_string(),
-                strict_tls: Some(true),
             }],
             "foobar@example.net",
             "example.net",
@@ -352,7 +324,6 @@ mod tests {
                     port: 993,
                     socket: Socket::Ssl,
                     username: "foobar@example.net".to_string(),
-                    strict_tls: Some(true)
                 },
                 ServerParams {
                     protocol: Protocol::Imap,
@@ -360,7 +331,6 @@ mod tests {
                     port: 143,
                     socket: Socket::Starttls,
                     username: "foobar@example.net".to_string(),
-                    strict_tls: Some(true)
                 },
             ],
         );

src/constants.rs

@@ -209,7 +209,7 @@ pub const WORSE_IMAGE_SIZE: u32 = 640;
 // Key for the folder configuration version (see below).
 pub(crate) const DC_FOLDERS_CONFIGURED_KEY: &str = "folders_configured";
 // this value can be increased if the folder configuration is changed and must be redone on next program start
-pub(crate) const DC_FOLDERS_CONFIGURED_VERSION: i32 = 4;
+pub(crate) const DC_FOLDERS_CONFIGURED_VERSION: i32 = 5;
 
 // If more recipients are needed in SMTP's `RCPT TO:` header, the recipient list is split into
 // chunks. This does not affect MIME's `To:` header. Can be overwritten by setting

src/contact.rs

@@ -1402,6 +1402,17 @@ impl Contact {
         self.status.as_str()
     }
 
+    /// Returns whether end-to-end encryption to the contact is available.
+    pub async fn e2ee_avail(&self, context: &Context) -> Result<bool> {
+        if self.id == ContactId::SELF {
+            return Ok(true);
+        }
+        let Some(peerstate) = Peerstate::from_addr(context, &self.addr).await? else {
+            return Ok(false);
+        };
+        Ok(peerstate.peek_key(false).is_some())
+    }
+
     /// Returns true if the contact
     /// can be added to verified chats,
     /// i.e. has a verified key
@@ -2673,6 +2684,8 @@ mod tests {
 
         let encrinfo = Contact::get_encrinfo(&alice, contact_bob_id).await?;
         assert_eq!(encrinfo, "No encryption");
+        let contact = Contact::get_by_id(&alice, contact_bob_id).await?;
+        assert!(!contact.e2ee_avail(&alice).await?);
 
         let bob = TestContext::new_bob().await;
         let chat_alice = bob
@@ -2696,6 +2709,8 @@ bob@example.net:
 CCCB 5AA9 F6E1 141C 9431
 65F1 DB18 B18C BCF7 0487"
         );
+        let contact = Contact::get_by_id(&alice, contact_bob_id).await?;
+        assert!(contact.e2ee_avail(&alice).await?);
         Ok(())
     }
 

src/context.rs

@@ -814,6 +814,12 @@ impl Context {
         }
 
         res.insert("is_chatmail", self.is_chatmail().await?.to_string());
+        res.insert(
+            "fix_is_chatmail",
+            self.get_config_bool(Config::FixIsChatmail)
+                .await?
+                .to_string(),
+        );
         res.insert(
             "is_muted",
             self.get_config_bool(Config::IsMuted).await?.to_string(),

src/headerdef.rs

@@ -11,6 +11,7 @@ pub enum HeaderDef {
     Date,
     From_,
     To,
+    AutoSubmitted,
 
     /// Carbon copy.
     Cc,

src/imap.rs

@@ -32,7 +32,7 @@ use crate::contact::{Contact, ContactId, Modifier, Origin};
 use crate::context::Context;
 use crate::events::EventType;
 use crate::headerdef::{HeaderDef, HeaderDefMap};
-use crate::login_param::{CertificateChecks, LoginParam, ServerLoginParam};
+use crate::login_param::{LoginParam, ServerLoginParam};
 use crate::message::{self, Message, MessageState, MessengerMessage, MsgId, Viewtype};
 use crate::mimeparser;
 use crate::oauth2::get_oauth2_access_token;
@@ -231,20 +231,13 @@ impl Imap {
         lp: &ServerLoginParam,
         socks5_config: Option<Socks5Config>,
         addr: &str,
-        provider_strict_tls: bool,
+        strict_tls: bool,
         idle_interrupt_receiver: Receiver<()>,
     ) -> Result<Self> {
         if lp.server.is_empty() || lp.user.is_empty() || lp.password.is_empty() {
             bail!("Incomplete IMAP connection parameters");
         }
 
-        let strict_tls = match lp.certificate_checks {
-            CertificateChecks::Automatic => provider_strict_tls,
-            CertificateChecks::Strict => true,
-            CertificateChecks::AcceptInvalidCertificates
-            | CertificateChecks::AcceptInvalidCertificates2 => false,
-        };
-
         let imap = Imap {
             idle_interrupt_receiver,
             addr: addr.to_string(),
@@ -272,17 +265,11 @@ impl Imap {
         }
 
         let param = LoginParam::load_configured_params(context).await?;
-        // the trailing underscore is correct
-
         let imap = Self::new(
             &param.imap,
             param.socks5_config.clone(),
             &param.addr,
-            param
-                .provider
-                .map_or(param.socks5_config.is_some(), |provider| {
-                    provider.opt.strict_tls
-                }),
+            param.strict_tls(),
             idle_interrupt_receiver,
         )?;
         Ok(imap)
@@ -446,7 +433,11 @@ impl Imap {
             .get_raw_config_int(constants::DC_FOLDERS_CONFIGURED_KEY)
             .await?;
         if folders_configured.unwrap_or_default() < constants::DC_FOLDERS_CONFIGURED_VERSION {
-            let create_mvbox = true;
+            let is_chatmail = match context.get_config_bool(Config::FixIsChatmail).await? {
+                false => session.is_chatmail(),
+                true => context.get_config_bool(Config::IsChatmail).await?,
+            };
+            let create_mvbox = !is_chatmail || context.get_config_bool(Config::MvboxMove).await?;
             self.configure_folders(context, &mut session, create_mvbox)
                 .await?;
         }
@@ -1054,18 +1045,12 @@ impl Session {
             .await?;
 
         for (folder, rowid_set, uid_set) in UidGrouper::from(rows) {
-            self.select_with_uidvalidity(context, &folder)
-                .await
-                .context("failed to select folder")?;
-
-            if let Err(err) = self.add_flag_finalized_with_set(&uid_set, "\\Seen").await {
+            if let Err(err) = self.select_with_uidvalidity(context, &folder).await {
+                warn!(context, "store_seen_flags_on_imap: Failed to select {folder}, will retry later: {err:#}.");
+            } else if let Err(err) = self.add_flag_finalized_with_set(&uid_set, "\\Seen").await {
                 warn!(
                     context,
-                    "Cannot mark messages {} in folder {} as seen, will retry later: {}.",
-                    uid_set,
-                    folder,
-                    err
-                );
+                    "Cannot mark messages {uid_set} in {folder} as seen, will retry later: {err:#}.");
             } else {
                 info!(
                     context,
@@ -1489,7 +1474,7 @@ impl Session {
         } else if !context.push_subscriber.heartbeat_subscribed().await {
             let context = context.clone();
             // Subscribe for heartbeat notifications.
-            tokio::spawn(async move { context.push_subscriber.subscribe().await });
+            tokio::spawn(async move { context.push_subscriber.subscribe(&context).await });
         }
 
         Ok(())
@@ -1519,8 +1504,8 @@ impl Session {
 
     /// Attempts to configure mvbox.
     ///
-    /// Tries to find any folder in the given list of `folders`. If none is found, tries to create
-    /// `folders[0]`. This method does not use LIST command to ensure that
+    /// Tries to find any folder examining `folders` in the order they go. If none is found, tries
+    /// to create any folder in the same order. This method does not use LIST command to ensure that
     /// configuration works even if mailbox lookup is forbidden via Access Control List (see
     /// <https://datatracker.ietf.org/doc/html/rfc4314>).
     ///
@@ -1554,16 +1539,17 @@ impl Session {
         if !create_mvbox {
             return Ok(None);
         }
-        let Some(folder) = folders.first() else {
-            return Ok(None);
-        };
-        match self.select_with_uidvalidity(context, folder).await {
-            Ok(_) => {
-                info!(context, "MVBOX-folder {} created.", folder);
-                return Ok(Some(folder));
-            }
-            Err(err) => {
-                warn!(context, "Cannot create MVBOX-folder {:?}: {}", folder, err);
+        // Some servers require namespace-style folder names like "INBOX.DeltaChat", so we try all
+        // the variants here.
+        for folder in folders {
+            match self.select_with_uidvalidity(context, folder).await {
+                Ok(_) => {
+                    info!(context, "MVBOX-folder {} created.", folder);
+                    return Ok(Some(folder));
+                }
+                Err(err) => {
+                    warn!(context, "Cannot create MVBOX-folder {:?}: {}", folder, err);
+                }
             }
         }
         Ok(None)
@@ -1811,6 +1797,20 @@ async fn needs_move_to_mvbox(
     context: &Context,
     headers: &[mailparse::MailHeader<'_>],
 ) -> Result<bool> {
+    let has_chat_version = headers.get_header_value(HeaderDef::ChatVersion).is_some();
+    if !context.get_config_bool(Config::IsChatmail).await?
+        && has_chat_version
+        && headers
+            .get_header_value(HeaderDef::AutoSubmitted)
+            .filter(|val| val.to_ascii_lowercase() == "auto-generated")
+            .is_some()
+    {
+        if let Some(from) = mimeparser::get_from(headers) {
+            if context.is_self_addr(&from.addr).await? {
+                return Ok(true);
+            }
+        }
+    }
     if !context.get_config_bool(Config::MvboxMove).await? {
         return Ok(false);
     }
@@ -1824,7 +1824,7 @@ async fn needs_move_to_mvbox(
         return Ok(false);
     }
 
-    if headers.get_header_value(HeaderDef::ChatVersion).is_some() {
+    if has_chat_version {
         Ok(true)
     } else if let Some(parent) = get_prefetch_parent_message(context, headers).await? {
         match parent.is_dc_message {

src/imap/client.rs

@@ -4,6 +4,7 @@ use std::ops::{Deref, DerefMut};
 use anyhow::{bail, format_err, Context as _, Result};
 use async_imap::Client as ImapClient;
 use async_imap::Session as ImapSession;
+use fast_socks5::client::Socks5Stream;
 use tokio::io::BufWriter;
 
 use super::capabilities::Capabilities;
@@ -12,10 +13,11 @@ use crate::context::Context;
 use crate::net::dns::{lookup_host_with_cache, update_connect_timestamp};
 use crate::net::session::SessionStream;
 use crate::net::tls::wrap_tls;
+use crate::net::update_connection_history;
 use crate::net::{connect_tcp_inner, connect_tls_inner};
 use crate::provider::Socket;
 use crate::socks::Socks5Config;
-use fast_socks5::client::Socks5Stream;
+use crate::tools::time;
 
 #[derive(Debug)]
 pub(crate) struct Client {
@@ -36,6 +38,16 @@ impl DerefMut for Client {
     }
 }
 
+/// Converts port number to ALPN list.
+fn alpn(port: u16) -> &'static [&'static str] {
+    if port == 993 {
+        // Do not request ALPN on standard port.
+        &[]
+    } else {
+        &["imap"]
+    }
+}
+
 /// Determine server capabilities.
 ///
 /// If server supports ID capability, send our client ID.
@@ -123,7 +135,9 @@ impl Client {
             let mut first_error = None;
             let load_cache =
                 strict_tls && (security == Socket::Ssl || security == Socket::Starttls);
-            for resolved_addr in lookup_host_with_cache(context, host, port, load_cache).await? {
+            for resolved_addr in
+                lookup_host_with_cache(context, host, port, "imap", load_cache).await?
+            {
                 let res = match security {
                     Socket::Automatic => bail!("IMAP port security is not configured"),
                     Socket::Ssl => Client::connect_secure(resolved_addr, host, strict_tls).await,
@@ -138,6 +152,8 @@ impl Client {
                         if load_cache {
                             update_connect_timestamp(context, host, &ip_addr).await?;
                         }
+                        update_connection_history(context, "imap", host, port, &ip_addr, time())
+                            .await?;
                         return Ok(client);
                     }
                     Err(err) => {
@@ -151,7 +167,7 @@ impl Client {
     }
 
     async fn connect_secure(addr: SocketAddr, hostname: &str, strict_tls: bool) -> Result<Self> {
-        let tls_stream = connect_tls_inner(addr, hostname, strict_tls, "imap").await?;
+        let tls_stream = connect_tls_inner(addr, hostname, strict_tls, alpn(addr.port())).await?;
         let buffered_stream = BufWriter::new(tls_stream);
         let session_stream: Box<dyn SessionStream> = Box::new(buffered_stream);
         let mut client = Client::new(session_stream);
@@ -191,7 +207,7 @@ impl Client {
         let buffered_tcp_stream = client.into_inner();
         let tcp_stream = buffered_tcp_stream.into_inner();
 
-        let tls_stream = wrap_tls(strict_tls, host, "imap", tcp_stream)
+        let tls_stream = wrap_tls(strict_tls, host, &[], tcp_stream)
             .await
             .context("STARTTLS upgrade failed")?;
 
@@ -211,7 +227,7 @@ impl Client {
         let socks5_stream = socks5_config
             .connect(context, domain, port, strict_tls)
             .await?;
-        let tls_stream = wrap_tls(strict_tls, domain, "imap", socks5_stream).await?;
+        let tls_stream = wrap_tls(strict_tls, domain, alpn(port), socks5_stream).await?;
         let buffered_stream = BufWriter::new(tls_stream);
         let session_stream: Box<dyn SessionStream> = Box::new(buffered_stream);
         let mut client = Client::new(session_stream);
@@ -264,7 +280,7 @@ impl Client {
         let buffered_socks5_stream = client.into_inner();
         let socks5_stream: Socks5Stream<_> = buffered_socks5_stream.into_inner();
 
-        let tls_stream = wrap_tls(strict_tls, hostname, "imap", socks5_stream)
+        let tls_stream = wrap_tls(strict_tls, hostname, &[], socks5_stream)
             .await
             .context("STARTTLS upgrade failed")?;
         let buffered_stream = BufWriter::new(tls_stream);

src/imap/session.rs

@@ -24,6 +24,7 @@ const PREFETCH_FLAGS: &str = "(UID INTERNALDATE RFC822.SIZE BODY.PEEK[HEADER.FIE
                               FROM \
                               IN-REPLY-TO REFERENCES \
                               CHAT-VERSION \
+                              AUTO-SUBMITTED \
                               AUTOCRYPT-SETUP-MESSAGE\
                               )])";
 

src/login_param.rs

@@ -2,7 +2,7 @@
 
 use std::fmt;
 
-use anyhow::{ensure, Result};
+use anyhow::{ensure, Context as _, Result};
 
 use crate::constants::{DC_LP_AUTH_FLAGS, DC_LP_AUTH_NORMAL, DC_LP_AUTH_OAUTH2};
 use crate::context::Context;
@@ -10,7 +10,7 @@ use crate::provider::Socket;
 use crate::provider::{get_provider_by_id, Provider};
 use crate::socks::Socks5Config;
 
-#[derive(Copy, Clone, Debug, Display, FromPrimitive, ToPrimitive, PartialEq, Eq)]
+#[derive(Copy, Clone, Debug, Default, Display, FromPrimitive, ToPrimitive, PartialEq, Eq)]
 #[repr(u32)]
 #[strum(serialize_all = "snake_case")]
 pub enum CertificateChecks {
@@ -30,6 +30,7 @@ pub enum CertificateChecks {
     /// means that provider database setting should be taken.
     /// If there is no provider database setting for certificate checks,
     /// `Automatic` is the same as `Strict`.
+    #[default]
     Automatic = 0,
 
     Strict = 1,
@@ -41,12 +42,6 @@ pub enum CertificateChecks {
     AcceptInvalidCertificates = 3,
 }
 
-impl Default for CertificateChecks {
-    fn default() -> Self {
-        Self::Automatic
-    }
-}
-
 /// Login parameters for a single server, either IMAP or SMTP
 #[derive(Default, Debug, Clone, PartialEq, Eq)]
 pub struct ServerLoginParam {
@@ -56,10 +51,6 @@ pub struct ServerLoginParam {
     pub port: u16,
     pub security: Socket,
     pub oauth2: bool,
-
-    /// TLS options: whether to allow invalid certificates and/or
-    /// invalid hostnames
-    pub certificate_checks: CertificateChecks,
 }
 
 #[derive(Default, Debug, Clone, PartialEq, Eq)]
@@ -69,6 +60,10 @@ pub struct LoginParam {
     pub smtp: ServerLoginParam,
     pub provider: Option<&'static Provider>,
     pub socks5_config: Option<Socks5Config>,
+
+    /// TLS options: whether to allow invalid certificates and/or
+    /// invalid hostnames
+    pub certificate_checks: CertificateChecks,
 }
 
 impl LoginParam {
@@ -130,10 +125,15 @@ impl LoginParam {
             .and_then(num_traits::FromPrimitive::from_i32)
             .unwrap_or_default();
 
+        // The setting is named `imap_certificate_checks`
+        // for backwards compatibility,
+        // but now it is a global setting applied to all protocols,
+        // while `smtp_certificate_checks` is ignored.
         let key = &format!("{prefix}imap_certificate_checks");
-        let imap_certificate_checks =
+        let certificate_checks =
             if let Some(certificate_checks) = sql.get_raw_config_int(key).await? {
-                num_traits::FromPrimitive::from_i32(certificate_checks).unwrap()
+                num_traits::FromPrimitive::from_i32(certificate_checks)
+                    .with_context(|| format!("Invalid {key} value"))?
             } else {
                 Default::default()
             };
@@ -157,14 +157,6 @@ impl LoginParam {
             .and_then(num_traits::FromPrimitive::from_i32)
             .unwrap_or_default();
 
-        let key = &format!("{prefix}smtp_certificate_checks");
-        let smtp_certificate_checks =
-            if let Some(certificate_checks) = sql.get_raw_config_int(key).await? {
-                num_traits::FromPrimitive::from_i32(certificate_checks).unwrap_or_default()
-            } else {
-                Default::default()
-            };
-
         let key = &format!("{prefix}server_flags");
         let server_flags = sql.get_raw_config_int(key).await?.unwrap_or_default();
         let oauth2 = matches!(server_flags & DC_LP_AUTH_FLAGS, DC_LP_AUTH_OAUTH2);
@@ -186,7 +178,6 @@ impl LoginParam {
                 port: mail_port as u16,
                 security: mail_security,
                 oauth2,
-                certificate_checks: imap_certificate_checks,
             },
             smtp: ServerLoginParam {
                 server: send_server,
@@ -195,8 +186,8 @@ impl LoginParam {
                 port: send_port as u16,
                 security: send_security,
                 oauth2,
-                certificate_checks: smtp_certificate_checks,
             },
+            certificate_checks,
             provider,
             socks5_config,
         })
@@ -227,7 +218,7 @@ impl LoginParam {
             .await?;
 
         let key = &format!("{prefix}imap_certificate_checks");
-        sql.set_raw_config_int(key, self.imap.certificate_checks as i32)
+        sql.set_raw_config_int(key, self.certificate_checks as i32)
             .await?;
 
         let key = &format!("{prefix}send_server");
@@ -247,8 +238,9 @@ impl LoginParam {
         sql.set_raw_config_int(key, self.smtp.security as i32)
             .await?;
 
+        // This is only saved for compatibility reasons, but never loaded.
         let key = &format!("{prefix}smtp_certificate_checks");
-        sql.set_raw_config_int(key, self.smtp.certificate_checks as i32)
+        sql.set_raw_config_int(key, self.certificate_checks as i32)
             .await?;
 
         // The OAuth2 flag is either set for both IMAP and SMTP or not at all.
@@ -259,13 +251,25 @@ impl LoginParam {
         };
         sql.set_raw_config_int(key, server_flags).await?;
 
-        if let Some(provider) = self.provider {
-            let key = &format!("{prefix}provider");
-            sql.set_raw_config(key, Some(provider.id)).await?;
-        }
+        let key = &format!("{prefix}provider");
+        sql.set_raw_config(key, self.provider.map(|provider| provider.id))
+            .await?;
 
         Ok(())
     }
+
+    pub fn strict_tls(&self) -> bool {
+        let user_strict_tls = match self.certificate_checks {
+            CertificateChecks::Automatic => None,
+            CertificateChecks::Strict => Some(true),
+            CertificateChecks::AcceptInvalidCertificates
+            | CertificateChecks::AcceptInvalidCertificates2 => Some(false),
+        };
+        let provider_strict_tls = self.provider.map(|provider| provider.opt.strict_tls);
+        user_strict_tls
+            .or(provider_strict_tls)
+            .unwrap_or(self.socks5_config.is_some())
+    }
 }
 
 impl fmt::Display for LoginParam {
@@ -275,7 +279,7 @@ impl fmt::Display for LoginParam {
 
         write!(
             f,
-            "{} imap:{}:{}:{}:{}:{}:cert_{}:{} smtp:{}:{}:{}:{}:{}:cert_{}:{}",
+            "{} imap:{}:{}:{}:{}:{}:{} smtp:{}:{}:{}:{}:{}:{} cert_{}",
             unset_empty(&self.addr),
             unset_empty(&self.imap.user),
             if !self.imap.password.is_empty() {
@@ -286,7 +290,6 @@ impl fmt::Display for LoginParam {
             unset_empty(&self.imap.server),
             self.imap.port,
             self.imap.security,
-            self.imap.certificate_checks,
             if self.imap.oauth2 {
                 "OAUTH2"
             } else {
@@ -301,12 +304,12 @@ impl fmt::Display for LoginParam {
             unset_empty(&self.smtp.server),
             self.smtp.port,
             self.smtp.security,
-            self.smtp.certificate_checks,
             if self.smtp.oauth2 {
                 "OAUTH2"
             } else {
                 "AUTH_NORMAL"
             },
+            self.certificate_checks
         )
     }
 }
@@ -347,7 +350,6 @@ mod tests {
                 port: 123,
                 security: Socket::Starttls,
                 oauth2: false,
-                certificate_checks: CertificateChecks::Strict,
             },
             smtp: ServerLoginParam {
                 server: "smtp.example.com".to_string(),
@@ -356,16 +358,24 @@ mod tests {
                 port: 456,
                 security: Socket::Ssl,
                 oauth2: false,
-                certificate_checks: CertificateChecks::AcceptInvalidCertificates,
             },
             provider: get_provider_by_id("example.com"),
             // socks5_config is not saved by `save_to_database`, using default value
             socks5_config: None,
+            certificate_checks: CertificateChecks::Strict,
         };
 
         param.save_as_configured_params(&t).await?;
         let loaded = LoginParam::load_configured_params(&t).await?;
+        assert_eq!(param, loaded);
 
+        // Remove provider.
+        let param = LoginParam {
+            provider: None,
+            ..param
+        };
+        param.save_as_configured_params(&t).await?;
+        let loaded = LoginParam::load_configured_params(&t).await?;
         assert_eq!(param, loaded);
         Ok(())
     }

src/message.rs

@@ -1769,19 +1769,17 @@ pub async fn markseen_msgs(context: &Context, msg_ids: Vec<MsgId>) -> Result<()>
             if curr_blocked == Blocked::Not
                 && curr_param.get_bool(Param::WantsMdn).unwrap_or_default()
                 && curr_param.get_cmd() == SystemMessage::Unknown
+                && context.should_send_mdns().await?
             {
-                let mdns_enabled = context.get_config_bool(Config::MdnsEnabled).await?;
-                if mdns_enabled {
-                    context
-                        .sql
-                        .execute(
-                            "INSERT INTO smtp_mdns (msg_id, from_id, rfc724_mid) VALUES(?, ?, ?)",
-                            (id, curr_from_id, curr_rfc724_mid),
-                        )
-                        .await
-                        .context("failed to insert into smtp_mdns")?;
-                    context.scheduler.interrupt_smtp().await;
-                }
+                context
+                    .sql
+                    .execute(
+                        "INSERT INTO smtp_mdns (msg_id, from_id, rfc724_mid) VALUES(?, ?, ?)",
+                        (id, curr_from_id, curr_rfc724_mid),
+                    )
+                    .await
+                    .context("failed to insert into smtp_mdns")?;
+                context.scheduler.interrupt_smtp().await;
             }
             updated_chat_ids.insert(curr_chat_id);
         }

src/mimefactory.rs

@@ -186,7 +186,7 @@ impl MimeFactory {
 
             if !msg.is_system_message()
                 && msg.param.get_int(Param::Reaction).unwrap_or_default() == 0
-                && context.get_config_bool(Config::MdnsEnabled).await?
+                && context.should_request_mdns().await?
             {
                 req_mdn = true;
             }
@@ -726,18 +726,18 @@ impl MimeFactory {
             } else if header_name == "autocrypt" {
                 unprotected_headers.push(header.clone());
             } else if header_name == "from" {
-                protected_headers.push(header.clone());
-                if is_encrypted && verified || is_securejoin_message {
-                    unprotected_headers.push(
-                        Header::new_with_value(
-                            header.name,
-                            vec![Address::new_mailbox(self.from_addr.clone())],
-                        )
-                        .unwrap(),
-                    );
-                } else {
-                    unprotected_headers.push(header);
+                // Unencrypted securejoin messages should _not_ include the display name:
+                if is_encrypted || !is_securejoin_message {
+                    protected_headers.push(header.clone());
                 }
+
+                unprotected_headers.push(
+                    Header::new_with_value(
+                        header.name,
+                        vec![Address::new_mailbox(self.from_addr.clone())],
+                    )
+                    .unwrap(),
+                );
             } else if header_name == "to" {
                 protected_headers.push(header.clone());
                 if is_encrypted {
@@ -902,12 +902,11 @@ impl MimeFactory {
                 .fold(message, |message, header| message.header(header.clone()));
 
             if skip_autocrypt || !context.get_config_bool(Config::SignUnencrypted).await? {
-                let protected: HashSet<Header> = HashSet::from_iter(protected_headers.into_iter());
-                for h in unprotected_headers.split_off(0) {
-                    if !protected.contains(&h) {
-                        unprotected_headers.push(h);
-                    }
-                }
+                // Deduplicate unprotected headers that also are in the protected headers:
+                let protected: HashSet<&str> =
+                    HashSet::from_iter(protected_headers.iter().map(|h| h.name.as_str()));
+                unprotected_headers.retain(|h| !protected.contains(&h.name.as_str()));
+
                 message
             } else {
                 let message = message.header(get_content_type_directives_header());

src/net.rs

@@ -10,6 +10,7 @@ use tokio::time::timeout;
 use tokio_io_timeout::TimeoutStream;
 
 use crate::context::Context;
+use crate::tools::time;
 
 pub(crate) mod dns;
 pub(crate) mod http;
@@ -25,6 +26,65 @@ use tls::wrap_tls;
 /// This constant should be more than the largest expected RTT.
 pub(crate) const TIMEOUT: Duration = Duration::from_secs(60);
 
+/// TTL for caches in seconds.
+pub(crate) const CACHE_TTL: u64 = 30 * 24 * 60 * 60;
+
+/// Removes connection history entries after `CACHE_TTL`.
+pub(crate) async fn prune_connection_history(context: &Context) -> Result<()> {
+    let now = time();
+    context
+        .sql
+        .execute(
+            "DELETE FROM connection_history
+             WHERE ? > timestamp + ?",
+            (now, CACHE_TTL),
+        )
+        .await?;
+    Ok(())
+}
+
+pub(crate) async fn update_connection_history(
+    context: &Context,
+    alpn: &str,
+    host: &str,
+    port: u16,
+    addr: &str,
+    now: i64,
+) -> Result<()> {
+    context
+        .sql
+        .execute(
+            "INSERT INTO connection_history (host, port, alpn, addr, timestamp)
+             VALUES (?, ?, ?, ?, ?)
+             ON CONFLICT (host, port, alpn, addr)
+             DO UPDATE SET timestamp=excluded.timestamp",
+            (host, port, alpn, addr, now),
+        )
+        .await?;
+    Ok(())
+}
+
+pub(crate) async fn load_connection_timestamp(
+    context: &Context,
+    alpn: &str,
+    host: &str,
+    port: u16,
+    addr: &str,
+) -> Result<Option<i64>> {
+    let timestamp = context
+        .sql
+        .query_get_value(
+            "SELECT timestamp FROM connection_history
+             WHERE host = ?
+               AND port = ?
+               AND alpn = ?
+               AND addr = ?",
+            (host, port, alpn, addr),
+        )
+        .await?;
+    Ok(timestamp)
+}
+
 /// Returns a TCP connection stream with read/write timeouts set
 /// and Nagle's algorithm disabled with `TCP_NODELAY`.
 ///
@@ -54,7 +114,7 @@ pub(crate) async fn connect_tls_inner(
     addr: SocketAddr,
     host: &str,
     strict_tls: bool,
-    alpn: &str,
+    alpn: &[&str],
 ) -> Result<TlsStream<Pin<Box<TimeoutStream<TcpStream>>>>> {
     let tcp_stream = connect_tcp_inner(addr).await?;
     let tls_stream = wrap_tls(strict_tls, host, alpn, tcp_stream).await?;
@@ -75,7 +135,7 @@ pub(crate) async fn connect_tcp(
 ) -> Result<Pin<Box<TimeoutStream<TcpStream>>>> {
     let mut first_error = None;
 
-    for resolved_addr in lookup_host_with_cache(context, host, port, load_cache).await? {
+    for resolved_addr in lookup_host_with_cache(context, host, port, "", load_cache).await? {
         match connect_tcp_inner(resolved_addr).await {
             Ok(stream) => {
                 return Ok(stream);

src/net/dns.rs

@@ -1,20 +1,75 @@
 //! DNS resolution and cache.
 
 use anyhow::{Context as _, Result};
+use std::collections::HashMap;
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
 use std::str::FromStr;
 use tokio::net::lookup_host;
 use tokio::time::timeout;
 
+use super::load_connection_timestamp;
 use crate::context::Context;
 use crate::tools::time;
+use once_cell::sync::Lazy;
 
-async fn lookup_host_with_timeout(hostname: &str, port: u16) -> Result<Vec<SocketAddr>> {
-    let res = timeout(super::TIMEOUT, lookup_host((hostname, port)))
+/// Inserts entry into DNS cache
+/// or updates existing one with a new timestamp.
+async fn update_cache(context: &Context, host: &str, addr: &str, now: i64) -> Result<()> {
+    context
+        .sql
+        .execute(
+            "INSERT INTO dns_cache
+             (hostname, address, timestamp)
+             VALUES (?, ?, ?)
+             ON CONFLICT (hostname, address)
+             DO UPDATE SET timestamp=excluded.timestamp",
+            (host, addr, now),
+        )
+        .await?;
+    Ok(())
+}
+
+pub(crate) async fn prune_dns_cache(context: &Context) -> Result<()> {
+    let now = time();
+    context
+        .sql
+        .execute(
+            "DELETE FROM dns_cache
+             WHERE ? > timestamp + ?",
+            (now, super::CACHE_TTL),
+        )
+        .await?;
+    Ok(())
+}
+
+/// Looks up the hostname and updates DNS cache
+/// on success.
+async fn lookup_host_and_update_cache(
+    context: &Context,
+    hostname: &str,
+    port: u16,
+    now: i64,
+) -> Result<Vec<SocketAddr>> {
+    let res: Vec<SocketAddr> = timeout(super::TIMEOUT, lookup_host((hostname, port)))
         .await
         .context("DNS lookup timeout")?
-        .context("DNS lookup failure")?;
-    Ok(res.collect())
+        .context("DNS lookup failure")?
+        .collect();
+
+    for addr in &res {
+        let ip_string = addr.ip().to_string();
+        if ip_string == hostname {
+            // IP address resolved into itself, not interesting to cache.
+            continue;
+        }
+
+        info!(context, "Resolved {hostname}:{port} into {addr}.");
+
+        // Update the cache.
+        update_cache(context, hostname, &ip_string, now).await?;
+    }
+
+    Ok(res)
 }
 
 // Updates timestamp of the cached entry
@@ -53,18 +108,503 @@ pub(crate) async fn update_connect_timestamp(
     Ok(())
 }
 
+static DNS_PRELOAD: Lazy<HashMap<&'static str, Vec<IpAddr>>> = Lazy::new(|| {
+    HashMap::from([
+        (
+            "mail.sangham.net",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(159, 69, 186, 85)),
+                IpAddr::V6(Ipv6Addr::new(0x2a01, 0x4f8, 0xc17, 0x798c, 0, 0, 0, 1)),
+            ],
+        ),
+        (
+            "nine.testrun.org",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(116, 202, 233, 236)),
+                IpAddr::V4(Ipv4Addr::new(128, 140, 126, 197)),
+                IpAddr::V4(Ipv4Addr::new(49, 12, 116, 128)),
+                IpAddr::V6(Ipv6Addr::new(0x2a01, 0x4f8, 0x241, 0x4ce8, 0, 0, 0, 2)),
+            ],
+        ),
+        (
+            "disroot.org",
+            vec![IpAddr::V4(Ipv4Addr::new(178, 21, 23, 139))],
+        ),
+        (
+            "imap.gmail.com",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(142, 250, 110, 108)),
+                IpAddr::V4(Ipv4Addr::new(142, 250, 110, 109)),
+                IpAddr::V4(Ipv4Addr::new(66, 102, 1, 108)),
+                IpAddr::V4(Ipv4Addr::new(66, 102, 1, 109)),
+                IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x400c, 0xc1f, 0, 0, 0, 0x6c)),
+                IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x400c, 0xc1f, 0, 0, 0, 0x6d)),
+            ],
+        ),
+        (
+            "smtp.gmail.com",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(142, 250, 110, 109)),
+                IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x4013, 0xc04, 0, 0, 0, 0x6c)),
+            ],
+        ),
+        (
+            "mail.autistici.org",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(198, 167, 222, 108)),
+                IpAddr::V4(Ipv4Addr::new(82, 94, 249, 234)),
+                IpAddr::V4(Ipv4Addr::new(93, 190, 126, 19)),
+            ],
+        ),
+        (
+            "smtp.autistici.org",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(198, 167, 222, 108)),
+                IpAddr::V4(Ipv4Addr::new(82, 94, 249, 234)),
+                IpAddr::V4(Ipv4Addr::new(93, 190, 126, 19)),
+            ],
+        ),
+        (
+            "daleth.cafe",
+            vec![IpAddr::V4(Ipv4Addr::new(37, 27, 6, 204))],
+        ),
+        (
+            "imap.163.com",
+            vec![IpAddr::V4(Ipv4Addr::new(111, 124, 203, 45))],
+        ),
+        (
+            "smtp.163.com",
+            vec![IpAddr::V4(Ipv4Addr::new(103, 129, 252, 45))],
+        ),
+        (
+            "imap.aol.com",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(212, 82, 101, 33)),
+                IpAddr::V4(Ipv4Addr::new(87, 248, 98, 69)),
+            ],
+        ),
+        (
+            "smtp.aol.com",
+            vec![IpAddr::V4(Ipv4Addr::new(87, 248, 97, 31))],
+        ),
+        (
+            "mail.arcor.de",
+            vec![IpAddr::V4(Ipv4Addr::new(2, 207, 150, 234))],
+        ),
+        (
+            "imap.arcor.de",
+            vec![IpAddr::V4(Ipv4Addr::new(2, 207, 150, 230))],
+        ),
+        (
+            "imap.fastmail.com",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(103, 168, 172, 43)),
+                IpAddr::V4(Ipv4Addr::new(103, 168, 172, 58)),
+            ],
+        ),
+        (
+            "smtp.fastmail.com",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(103, 168, 172, 45)),
+                IpAddr::V4(Ipv4Addr::new(103, 168, 172, 60)),
+            ],
+        ),
+        (
+            "imap.gmx.net",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(212, 227, 17, 170)),
+                IpAddr::V4(Ipv4Addr::new(212, 227, 17, 186)),
+            ],
+        ),
+        (
+            "imap.mail.de",
+            vec![IpAddr::V4(Ipv4Addr::new(62, 201, 172, 16))],
+        ),
+        (
+            "smtp.mailbox.org",
+            vec![IpAddr::V4(Ipv4Addr::new(185, 97, 174, 196))],
+        ),
+        (
+            "imap.mailbox.org",
+            vec![IpAddr::V4(Ipv4Addr::new(185, 97, 174, 199))],
+        ),
+        (
+            "imap.naver.com",
+            vec![IpAddr::V4(Ipv4Addr::new(125, 209, 238, 153))],
+        ),
+        (
+            "imap.ouvaton.coop",
+            vec![IpAddr::V4(Ipv4Addr::new(194, 36, 166, 20))],
+        ),
+        (
+            "imap.purelymail.com",
+            vec![IpAddr::V4(Ipv4Addr::new(18, 204, 123, 63))],
+        ),
+        (
+            "imap.tiscali.it",
+            vec![IpAddr::V4(Ipv4Addr::new(213, 205, 33, 10))],
+        ),
+        (
+            "smtp.tiscali.it",
+            vec![IpAddr::V4(Ipv4Addr::new(213, 205, 33, 13))],
+        ),
+        (
+            "imap.web.de",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(212, 227, 17, 162)),
+                IpAddr::V4(Ipv4Addr::new(212, 227, 17, 178)),
+            ],
+        ),
+        (
+            "imap.ziggo.nl",
+            vec![IpAddr::V4(Ipv4Addr::new(84, 116, 6, 3))],
+        ),
+        (
+            "imap.zoho.eu",
+            vec![IpAddr::V4(Ipv4Addr::new(185, 230, 214, 25))],
+        ),
+        (
+            "imaps.bluewin.ch",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(16, 62, 253, 42)),
+                IpAddr::V4(Ipv4Addr::new(16, 63, 141, 244)),
+                IpAddr::V4(Ipv4Addr::new(16, 63, 146, 183)),
+            ],
+        ),
+        (
+            "mail.buzon.uy",
+            vec![IpAddr::V4(Ipv4Addr::new(185, 101, 93, 79))],
+        ),
+        (
+            "mail.ecloud.global",
+            vec![IpAddr::V4(Ipv4Addr::new(95, 217, 246, 96))],
+        ),
+        (
+            "mail.ende.in.net",
+            vec![IpAddr::V4(Ipv4Addr::new(95, 217, 5, 72))],
+        ),
+        (
+            "mail.gmx.net",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(212, 227, 17, 168)),
+                IpAddr::V4(Ipv4Addr::new(212, 227, 17, 190)),
+            ],
+        ),
+        (
+            "mail.infomaniak.com",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(83, 166, 143, 44)),
+                IpAddr::V4(Ipv4Addr::new(83, 166, 143, 45)),
+            ],
+        ),
+        (
+            "mail.mymagenta.at",
+            vec![IpAddr::V4(Ipv4Addr::new(80, 109, 253, 241))],
+        ),
+        (
+            "mail.nubo.coop",
+            vec![IpAddr::V4(Ipv4Addr::new(79, 99, 201, 10))],
+        ),
+        (
+            "mail.riseup.net",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(198, 252, 153, 70)),
+                IpAddr::V4(Ipv4Addr::new(198, 252, 153, 71)),
+            ],
+        ),
+        (
+            "mail.systemausfall.org",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(51, 75, 71, 249)),
+                IpAddr::V4(Ipv4Addr::new(80, 153, 252, 42)),
+            ],
+        ),
+        (
+            "mail.systemli.org",
+            vec![IpAddr::V4(Ipv4Addr::new(93, 190, 126, 36))],
+        ),
+        (
+            "mehl.cloud",
+            vec![IpAddr::V4(Ipv4Addr::new(95, 217, 223, 172))],
+        ),
+        (
+            "mx.freenet.de",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(195, 4, 92, 210)),
+                IpAddr::V4(Ipv4Addr::new(195, 4, 92, 211)),
+                IpAddr::V4(Ipv4Addr::new(195, 4, 92, 212)),
+                IpAddr::V4(Ipv4Addr::new(195, 4, 92, 213)),
+            ],
+        ),
+        (
+            "newyear.aktivix.org",
+            vec![IpAddr::V4(Ipv4Addr::new(162, 247, 75, 192))],
+        ),
+        (
+            "pimap.schulon.org",
+            vec![IpAddr::V4(Ipv4Addr::new(194, 77, 246, 20))],
+        ),
+        (
+            "posteo.de",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(185, 67, 36, 168)),
+                IpAddr::V4(Ipv4Addr::new(185, 67, 36, 169)),
+            ],
+        ),
+        (
+            "psmtp.schulon.org",
+            vec![IpAddr::V4(Ipv4Addr::new(194, 77, 246, 20))],
+        ),
+        (
+            "secureimap.t-online.de",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(194, 25, 134, 114)),
+                IpAddr::V4(Ipv4Addr::new(194, 25, 134, 115)),
+                IpAddr::V4(Ipv4Addr::new(194, 25, 134, 50)),
+                IpAddr::V4(Ipv4Addr::new(194, 25, 134, 51)),
+            ],
+        ),
+        (
+            "securesmtp.t-online.de",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(194, 25, 134, 110)),
+                IpAddr::V4(Ipv4Addr::new(194, 25, 134, 46)),
+            ],
+        ),
+        (
+            "smtp.aliyun.com",
+            vec![IpAddr::V4(Ipv4Addr::new(47, 246, 136, 232))],
+        ),
+        (
+            "smtp.mail.de",
+            vec![IpAddr::V4(Ipv4Addr::new(62, 201, 172, 21))],
+        ),
+        (
+            "smtp.mail.ru",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(217, 69, 139, 160)),
+                IpAddr::V4(Ipv4Addr::new(94, 100, 180, 160)),
+            ],
+        ),
+        (
+            "imap.mail.yahoo.com",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(87, 248, 103, 8)),
+                IpAddr::V4(Ipv4Addr::new(212, 82, 101, 24)),
+            ],
+        ),
+        (
+            "smtp.mail.yahoo.com",
+            vec![IpAddr::V4(Ipv4Addr::new(87, 248, 97, 36))],
+        ),
+        (
+            "imap.mailo.com",
+            vec![IpAddr::V4(Ipv4Addr::new(213, 182, 54, 20))],
+        ),
+        (
+            "smtp.mailo.com",
+            vec![IpAddr::V4(Ipv4Addr::new(213, 182, 54, 20))],
+        ),
+        (
+            "smtp.naver.com",
+            vec![IpAddr::V4(Ipv4Addr::new(125, 209, 238, 155))],
+        ),
+        (
+            "smtp.ouvaton.coop",
+            vec![IpAddr::V4(Ipv4Addr::new(194, 36, 166, 20))],
+        ),
+        (
+            "smtp.purelymail.com",
+            vec![IpAddr::V4(Ipv4Addr::new(18, 204, 123, 63))],
+        ),
+        (
+            "imap.qq.com",
+            vec![IpAddr::V4(Ipv4Addr::new(43, 129, 255, 54))],
+        ),
+        (
+            "smtp.qq.com",
+            vec![IpAddr::V4(Ipv4Addr::new(43, 129, 255, 54))],
+        ),
+        (
+            "imap.rambler.ru",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(81, 19, 77, 169)),
+                IpAddr::V4(Ipv4Addr::new(81, 19, 77, 171)),
+                IpAddr::V4(Ipv4Addr::new(81, 19, 77, 168)),
+                IpAddr::V4(Ipv4Addr::new(81, 19, 77, 170)),
+            ],
+        ),
+        (
+            "smtp.rambler.ru",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(81, 19, 77, 165)),
+                IpAddr::V4(Ipv4Addr::new(81, 19, 77, 167)),
+                IpAddr::V4(Ipv4Addr::new(81, 19, 77, 166)),
+                IpAddr::V4(Ipv4Addr::new(81, 19, 77, 164)),
+            ],
+        ),
+        (
+            "imap.vivaldi.net",
+            vec![IpAddr::V4(Ipv4Addr::new(31, 209, 137, 15))],
+        ),
+        (
+            "smtp.vivaldi.net",
+            vec![IpAddr::V4(Ipv4Addr::new(31, 209, 137, 12))],
+        ),
+        (
+            "imap.vodafonemail.de",
+            vec![IpAddr::V4(Ipv4Addr::new(2, 207, 150, 230))],
+        ),
+        (
+            "smtp.vodafonemail.de",
+            vec![IpAddr::V4(Ipv4Addr::new(2, 207, 150, 234))],
+        ),
+        (
+            "smtp.web.de",
+            vec![
+                IpAddr::V4(Ipv4Addr::new(213, 165, 67, 108)),
+                IpAddr::V4(Ipv4Addr::new(213, 165, 67, 124)),
+            ],
+        ),
+        (
+            "imap.yandex.com",
+            vec![IpAddr::V4(Ipv4Addr::new(77, 88, 21, 125))],
+        ),
+        (
+            "smtp.yandex.com",
+            vec![IpAddr::V4(Ipv4Addr::new(77, 88, 21, 158))],
+        ),
+        (
+            "smtp.ziggo.nl",
+            vec![IpAddr::V4(Ipv4Addr::new(84, 116, 6, 3))],
+        ),
+        (
+            "smtp.zoho.eu",
+            vec![IpAddr::V4(Ipv4Addr::new(185, 230, 212, 164))],
+        ),
+        (
+            "smtpauths.bluewin.ch",
+            vec![IpAddr::V4(Ipv4Addr::new(195, 186, 120, 54))],
+        ),
+        (
+            "stinpriza.net",
+            vec![IpAddr::V4(Ipv4Addr::new(5, 9, 122, 184))],
+        ),
+        (
+            "undernet.uy",
+            vec![IpAddr::V4(Ipv4Addr::new(167, 62, 254, 153))],
+        ),
+        (
+            "webbox222.server-home.org",
+            vec![IpAddr::V4(Ipv4Addr::new(91, 203, 111, 88))],
+        ),
+    ])
+});
+
+/// Load hardcoded cache if everything else fails.
+///
+/// See <https://support.delta.chat/t/no-dns-resolution-result/2778> and
+/// <https://github.com/deltachat/deltachat-core-rust/issues/4920> for reasons.
+///
+/// In the future we may pre-resolve all provider database addresses
+/// and build them in.
+fn load_hardcoded_cache(hostname: &str, port: u16) -> Vec<SocketAddr> {
+    if let Some(ips) = DNS_PRELOAD.get(hostname) {
+        ips.iter().map(|ip| SocketAddr::new(*ip, port)).collect()
+    } else {
+        Vec::new()
+    }
+}
+
+async fn lookup_cache(
+    context: &Context,
+    host: &str,
+    port: u16,
+    alpn: &str,
+    now: i64,
+) -> Result<Vec<SocketAddr>> {
+    let mut res = Vec::new();
+    for cached_address in context
+        .sql
+        .query_map(
+            "SELECT dns_cache.address
+             FROM dns_cache
+             LEFT JOIN connection_history
+               ON dns_cache.hostname = connection_history.host
+               AND dns_cache.address = connection_history.addr
+               AND connection_history.port = ?
+               AND connection_history.alpn = ?
+             WHERE dns_cache.hostname = ?
+             AND ? < dns_cache.timestamp + ?
+             ORDER BY IFNULL(connection_history.timestamp, dns_cache.timestamp) DESC
+             LIMIT 50",
+            (port, alpn, host, now, super::CACHE_TTL),
+            |row| {
+                let address: String = row.get(0)?;
+                Ok(address)
+            },
+            |rows| {
+                rows.collect::<std::result::Result<Vec<String>, _>>()
+                    .map_err(Into::into)
+            },
+        )
+        .await?
+    {
+        match IpAddr::from_str(&cached_address) {
+            Ok(ip_addr) => {
+                let addr = SocketAddr::new(ip_addr, port);
+                res.push(addr);
+            }
+            Err(err) => {
+                warn!(
+                    context,
+                    "Failed to parse cached address {:?}: {:#}.", cached_address, err
+                );
+            }
+        }
+    }
+    Ok(res)
+}
+
+/// Sorts DNS resolution results by connection timestamp in descending order
+/// so IP addresses that we recently connected to successfully are tried first.
+async fn sort_by_connection_timestamp(
+    context: &Context,
+    input: Vec<SocketAddr>,
+    alpn: &str,
+    host: &str,
+) -> Result<Vec<SocketAddr>> {
+    let mut res: Vec<(Option<i64>, SocketAddr)> = Vec::new();
+    for addr in input {
+        let timestamp =
+            load_connection_timestamp(context, alpn, host, addr.port(), &addr.ip().to_string())
+                .await?;
+        res.push((timestamp, addr));
+    }
+    res.sort_by_key(|(ts, _addr)| std::cmp::Reverse(*ts));
+    Ok(res.into_iter().map(|(_ts, addr)| addr).collect())
+}
+
 /// Looks up hostname and port using DNS and updates the address resolution cache.
 ///
+/// `alpn` is used to sort DNS results by the time we have successfully
+/// connected to the IP address using given `alpn`.
+/// If result sorting is not needed or `alpn` is unknown,
+/// pass empty string here, e.g. for HTTP requests
+/// or when resolving the IP address of SOCKS proxy.
+///
 /// If `load_cache` is true, appends cached results not older than 30 days to the end
 /// or entries from fallback cache if there are no cached addresses.
 pub(crate) async fn lookup_host_with_cache(
     context: &Context,
     hostname: &str,
     port: u16,
+    alpn: &str,
     load_cache: bool,
 ) -> Result<Vec<SocketAddr>> {
     let now = time();
-    let mut resolved_addrs = match lookup_host_with_timeout(hostname, port).await {
+    let mut resolved_addrs = match lookup_host_and_update_cache(context, hostname, port, now).await
+    {
         Ok(res) => res,
         Err(err) => {
             warn!(
@@ -74,144 +614,257 @@ pub(crate) async fn lookup_host_with_cache(
             Vec::new()
         }
     };
-
-    for addr in &resolved_addrs {
-        let ip_string = addr.ip().to_string();
-        if ip_string == hostname {
-            // IP address resolved into itself, not interesting to cache.
-            continue;
-        }
-
-        info!(context, "Resolved {}:{} into {}.", hostname, port, &addr);
-
-        // Update the cache.
-        context
-            .sql
-            .execute(
-                "INSERT INTO dns_cache
-                 (hostname, address, timestamp)
-                 VALUES (?, ?, ?)
-                 ON CONFLICT (hostname, address)
-                 DO UPDATE SET timestamp=excluded.timestamp",
-                (hostname, ip_string, now),
-            )
-            .await?;
+    if !alpn.is_empty() {
+        resolved_addrs =
+            sort_by_connection_timestamp(context, resolved_addrs, alpn, hostname).await?;
     }
 
     if load_cache {
-        for cached_address in context
-            .sql
-            .query_map(
-                "SELECT address
-                 FROM dns_cache
-                 WHERE hostname = ?
-                 AND ? < timestamp + 30 * 24 * 3600
-                 ORDER BY timestamp DESC",
-                (hostname, now),
-                |row| {
-                    let address: String = row.get(0)?;
-                    Ok(address)
-                },
-                |rows| {
-                    rows.collect::<std::result::Result<Vec<_>, _>>()
-                        .map_err(Into::into)
-                },
-            )
-            .await?
-        {
-            match IpAddr::from_str(&cached_address) {
-                Ok(ip_addr) => {
-                    let addr = SocketAddr::new(ip_addr, port);
-                    if !resolved_addrs.contains(&addr) {
-                        resolved_addrs.push(addr);
-                    }
-                }
-                Err(err) => {
-                    warn!(
-                        context,
-                        "Failed to parse cached address {:?}: {:#}.", cached_address, err
-                    );
-                }
+        for addr in lookup_cache(context, hostname, port, alpn, now).await? {
+            if !resolved_addrs.contains(&addr) {
+                resolved_addrs.push(addr);
             }
         }
 
         if resolved_addrs.is_empty() {
-            // Load hardcoded cache if everything else fails.
-            //
-            // See <https://support.delta.chat/t/no-dns-resolution-result/2778> and
-            // <https://github.com/deltachat/deltachat-core-rust/issues/4920> for reasons.
-            //
-            // In the future we may pre-resolve all provider database addresses
-            // and build them in.
-            match hostname {
-                "mail.sangham.net" => {
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V6(Ipv6Addr::new(0x2a01, 0x4f8, 0xc17, 0x798c, 0, 0, 0, 1)),
-                        port,
-                    ));
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V4(Ipv4Addr::new(159, 69, 186, 85)),
-                        port,
-                    ));
-                }
-                "nine.testrun.org" => {
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V6(Ipv6Addr::new(0x2a01, 0x4f8, 0x241, 0x4ce8, 0, 0, 0, 2)),
-                        port,
-                    ));
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V4(Ipv4Addr::new(116, 202, 233, 236)),
-                        port,
-                    ));
-                }
-                "disroot.org" => {
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V4(Ipv4Addr::new(178, 21, 23, 139)),
-                        port,
-                    ));
-                }
-                "mail.riseup.net" => {
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V4(Ipv4Addr::new(198, 252, 153, 70)),
-                        port,
-                    ));
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V4(Ipv4Addr::new(198, 252, 153, 71)),
-                        port,
-                    ));
-                }
-                "imap.gmail.com" => {
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x400c, 0xc1f, 0, 0, 0, 0x6c)),
-                        port,
-                    ));
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x400c, 0xc1f, 0, 0, 0, 0x6d)),
-                        port,
-                    ));
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V4(Ipv4Addr::new(142, 250, 110, 109)),
-                        port,
-                    ));
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V4(Ipv4Addr::new(142, 250, 110, 108)),
-                        port,
-                    ));
-                }
-                "smtp.gmail.com" => {
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x4013, 0xc04, 0, 0, 0, 0x6c)),
-                        port,
-                    ));
-                    resolved_addrs.push(SocketAddr::new(
-                        IpAddr::V4(Ipv4Addr::new(142, 250, 110, 109)),
-                        port,
-                    ));
-                }
-                _ => {}
-            }
+            return Ok(load_hardcoded_cache(hostname, port));
         }
     }
 
     Ok(resolved_addrs)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    use crate::net::update_connection_history;
+    use crate::test_utils::TestContext;
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+    async fn test_sort_by_connection_timestamp() {
+        let alice = &TestContext::new_alice().await;
+        let now = time();
+
+        let ipv6_addr = IpAddr::V6(Ipv6Addr::new(0x2a01, 0x4f8, 0x241, 0x4ce8, 0, 0, 0, 2));
+        let ipv4_addr = IpAddr::V4(Ipv4Addr::new(116, 202, 233, 236));
+
+        assert_eq!(
+            sort_by_connection_timestamp(
+                alice,
+                vec![
+                    SocketAddr::new(ipv6_addr, 993),
+                    SocketAddr::new(ipv4_addr, 993)
+                ],
+                "imap",
+                "nine.testrun.org"
+            )
+            .await
+            .unwrap(),
+            vec![
+                SocketAddr::new(ipv6_addr, 993),
+                SocketAddr::new(ipv4_addr, 993)
+            ]
+        );
+        update_connection_history(
+            alice,
+            "imap",
+            "nine.testrun.org",
+            993,
+            "116.202.233.236",
+            now,
+        )
+        .await
+        .unwrap();
+        assert_eq!(
+            sort_by_connection_timestamp(
+                alice,
+                vec![
+                    SocketAddr::new(ipv6_addr, 993),
+                    SocketAddr::new(ipv4_addr, 993)
+                ],
+                "imap",
+                "nine.testrun.org"
+            )
+            .await
+            .unwrap(),
+            vec![
+                SocketAddr::new(ipv4_addr, 993),
+                SocketAddr::new(ipv6_addr, 993),
+            ]
+        );
+
+        assert_eq!(
+            sort_by_connection_timestamp(
+                alice,
+                vec![
+                    SocketAddr::new(ipv6_addr, 465),
+                    SocketAddr::new(ipv4_addr, 465)
+                ],
+                "smtp",
+                "nine.testrun.org"
+            )
+            .await
+            .unwrap(),
+            vec![
+                SocketAddr::new(ipv6_addr, 465),
+                SocketAddr::new(ipv4_addr, 465),
+            ]
+        );
+        update_connection_history(
+            alice,
+            "smtp",
+            "nine.testrun.org",
+            465,
+            "116.202.233.236",
+            now,
+        )
+        .await
+        .unwrap();
+        assert_eq!(
+            sort_by_connection_timestamp(
+                alice,
+                vec![
+                    SocketAddr::new(ipv6_addr, 465),
+                    SocketAddr::new(ipv4_addr, 465)
+                ],
+                "smtp",
+                "nine.testrun.org"
+            )
+            .await
+            .unwrap(),
+            vec![
+                SocketAddr::new(ipv4_addr, 465),
+                SocketAddr::new(ipv6_addr, 465),
+            ]
+        );
+
+        update_connection_history(
+            alice,
+            "imap",
+            "nine.testrun.org",
+            993,
+            "2a01:4f8:241:4ce8::2",
+            now,
+        )
+        .await
+        .unwrap();
+        assert_eq!(
+            sort_by_connection_timestamp(
+                alice,
+                vec![
+                    SocketAddr::new(ipv6_addr, 993),
+                    SocketAddr::new(ipv4_addr, 993)
+                ],
+                "imap",
+                "nine.testrun.org"
+            )
+            .await
+            .unwrap(),
+            vec![
+                SocketAddr::new(ipv6_addr, 993),
+                SocketAddr::new(ipv4_addr, 993)
+            ]
+        );
+    }
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+    async fn test_lookup_cache() {
+        let alice = &TestContext::new_alice().await;
+
+        let ipv4_addr = IpAddr::V4(Ipv4Addr::new(116, 202, 233, 236));
+        let ipv6_addr = IpAddr::V6(Ipv6Addr::new(0x2a01, 0x4f8, 0x241, 0x4ce8, 0, 0, 0, 2));
+
+        let now = time();
+        assert!(lookup_cache(alice, "nine.testrun.org", 587, "smtp", now)
+            .await
+            .unwrap()
+            .is_empty());
+
+        update_cache(alice, "nine.testrun.org", "116.202.233.236", now)
+            .await
+            .unwrap();
+
+        assert_eq!(
+            lookup_cache(alice, "nine.testrun.org", 587, "smtp", now)
+                .await
+                .unwrap(),
+            vec![SocketAddr::new(ipv4_addr, 587)]
+        );
+
+        // Cache should be returned for other ports and no ALPN as well,
+        // port and ALPN should only affect the order
+        assert_eq!(
+            lookup_cache(alice, "nine.testrun.org", 443, "", now)
+                .await
+                .unwrap(),
+            vec![SocketAddr::new(ipv4_addr, 443)]
+        );
+
+        update_cache(alice, "nine.testrun.org", "2a01:4f8:241:4ce8::2", now + 30)
+            .await
+            .unwrap();
+
+        // New DNS cache entry should go first.
+        assert_eq!(
+            lookup_cache(alice, "nine.testrun.org", 443, "", now + 60)
+                .await
+                .unwrap(),
+            vec![
+                SocketAddr::new(ipv6_addr, 443),
+                SocketAddr::new(ipv4_addr, 443)
+            ],
+        );
+
+        // After successful connection to SMTP over port 465 using IPv4 address,
+        // IPv4 address has higher priority.
+        update_connection_history(
+            alice,
+            "smtp",
+            "nine.testrun.org",
+            465,
+            "116.202.233.236",
+            now + 100,
+        )
+        .await
+        .unwrap();
+        assert_eq!(
+            lookup_cache(alice, "nine.testrun.org", 465, "smtp", now + 120)
+                .await
+                .unwrap(),
+            vec![
+                SocketAddr::new(ipv4_addr, 465),
+                SocketAddr::new(ipv6_addr, 465)
+            ]
+        );
+
+        // For other ports and ALPNs order remains the same.
+        assert_eq!(
+            lookup_cache(alice, "nine.testrun.org", 993, "imap", now + 120)
+                .await
+                .unwrap(),
+            vec![
+                SocketAddr::new(ipv6_addr, 993),
+                SocketAddr::new(ipv4_addr, 993)
+            ],
+        );
+        assert_eq!(
+            lookup_cache(alice, "nine.testrun.org", 465, "imap", now + 120)
+                .await
+                .unwrap(),
+            vec![
+                SocketAddr::new(ipv6_addr, 465),
+                SocketAddr::new(ipv4_addr, 465)
+            ],
+        );
+        assert_eq!(
+            lookup_cache(alice, "nine.testrun.org", 993, "smtp", now + 120)
+                .await
+                .unwrap(),
+            vec![
+                SocketAddr::new(ipv6_addr, 993),
+                SocketAddr::new(ipv4_addr, 993)
+            ],
+        );
+    }
+}

src/net/http.rs

@@ -119,7 +119,7 @@ impl reqwest::dns::Resolve for CustomResolver {
             let port = 443; // Actual port does not matter.
 
             let socket_addrs =
-                lookup_host_with_cache(&context, hostname.as_str(), port, load_cache).await;
+                lookup_host_with_cache(&context, hostname.as_str(), port, "", load_cache).await;
             match socket_addrs {
                 Ok(socket_addrs) => {
                     let addrs: reqwest::dns::Addrs = Box::new(socket_addrs.into_iter());

src/net/tls.rs

@@ -32,10 +32,10 @@ pub fn build_tls(strict_tls: bool, alpns: &[&str]) -> TlsConnector {
 pub async fn wrap_tls<T: AsyncRead + AsyncWrite + Unpin>(
     strict_tls: bool,
     hostname: &str,
-    alpn: &str,
+    alpn: &[&str],
     stream: T,
 ) -> Result<TlsStream<T>> {
-    let tls = build_tls(strict_tls, &[alpn]);
+    let tls = build_tls(strict_tls, alpn);
     let tls_stream = tls.connect(hostname, stream).await?;
     Ok(tls_stream)
 }

src/peer_channels.rs

@@ -26,15 +26,16 @@
 use anyhow::{anyhow, Context as _, Result};
 use email::Header;
 use futures_lite::StreamExt;
-use iroh_gossip::net::{Gossip, JoinTopicFut, GOSSIP_ALPN};
-use iroh_gossip::proto::{Event as IrohEvent, TopicId};
+use iroh_gossip::net::{Event, Gossip, GossipEvent, JoinOptions, GOSSIP_ALPN};
+use iroh_gossip::proto::TopicId;
 use iroh_net::key::{PublicKey, SecretKey};
 use iroh_net::relay::{RelayMap, RelayUrl};
 use iroh_net::{relay::RelayMode, Endpoint};
 use iroh_net::{NodeAddr, NodeId};
+use parking_lot::Mutex;
 use std::collections::{BTreeSet, HashMap};
 use std::env;
-use tokio::sync::RwLock;
+use tokio::sync::{oneshot, RwLock};
 use tokio::task::JoinHandle;
 use url::Url;
 
@@ -59,6 +60,9 @@ pub struct Iroh {
     /// [Gossip] needed for iroh peer channels.
     pub(crate) gossip: Gossip,
 
+    /// Sequence numbers for gossip channels.
+    pub(crate) sequence_numbers: Mutex<HashMap<TopicId, i32>>,
+
     /// Topics for which an advertisement has already been sent.
     pub(crate) iroh_channels: RwLock<HashMap<TopicId, ChannelState>>,
 
@@ -83,7 +87,7 @@ impl Iroh {
         &self,
         ctx: &Context,
         msg_id: MsgId,
-    ) -> Result<Option<JoinTopicFut>> {
+    ) -> Result<Option<oneshot::Receiver<()>>> {
         let topic = get_iroh_topic_for_msg(ctx, msg_id)
             .await?
             .with_context(|| format!("Message {msg_id} has no gossip topic"))?;
@@ -94,14 +98,9 @@ impl Iroh {
         // Otherwise we would receive every message twice or more times.
         let mut iroh_channels = self.iroh_channels.write().await;
 
-        let seq = if let Some(channel_state) = iroh_channels.get(&topic) {
-            if channel_state.subscribe_loop.is_some() {
-                return Ok(None);
-            }
-            channel_state.seq_number
-        } else {
-            0
-        };
+        if iroh_channels.contains_key(&topic) {
+            return Ok(None);
+        }
 
         let peers = get_iroh_gossip_peers(ctx, msg_id).await?;
         let node_ids = peers.iter().map(|p| p.node_id).collect::<Vec<_>>();
@@ -118,33 +117,35 @@ impl Iroh {
             }
         }
 
-        // Connect to all peers
-        let connect_future = self.gossip.join(topic, node_ids).await?;
+        let (join_tx, join_rx) = oneshot::channel();
+
+        let (gossip_sender, gossip_receiver) = self
+            .gossip
+            .join_with_opts(topic, JoinOptions::with_bootstrap(node_ids))
+            .split();
 
         let ctx = ctx.clone();
-        let gossip = self.gossip.clone();
         let subscribe_loop = tokio::spawn(async move {
-            if let Err(e) = subscribe_loop(&ctx, gossip, topic, msg_id).await {
+            if let Err(e) = subscribe_loop(&ctx, gossip_receiver, topic, msg_id, join_tx).await {
                 warn!(ctx, "subscribe_loop failed: {e}")
             }
         });
 
-        iroh_channels.insert(topic, ChannelState::new(seq, subscribe_loop));
+        iroh_channels.insert(topic, ChannelState::new(subscribe_loop, gossip_sender));
 
-        Ok(Some(connect_future))
+        Ok(Some(join_rx))
     }
 
     /// Add gossip peers to realtime channel if it is already active.
     pub async fn maybe_add_gossip_peers(&self, topic: TopicId, peers: Vec<NodeAddr>) -> Result<()> {
-        if let Some(state) = self.iroh_channels.read().await.get(&topic) {
-            if state.subscribe_loop.is_some() {
-                for peer in &peers {
-                    self.endpoint.add_node_addr(peer.clone())?;
-                }
-                self.gossip
-                    .join(topic, peers.into_iter().map(|peer| peer.node_id).collect())
-                    .await?;
+        if self.iroh_channels.read().await.get(&topic).is_some() {
+            for peer in &peers {
+                self.endpoint.add_node_addr(peer.clone())?;
             }
+
+            self.gossip
+                .join(topic, peers.into_iter().map(|peer| peer.node_id).collect())
+                .await?;
         }
         Ok(())
     }
@@ -161,11 +162,16 @@ impl Iroh {
             .with_context(|| format!("Message {msg_id} has no gossip topic"))?;
         self.join_and_subscribe_gossip(ctx, msg_id).await?;
 
-        let seq_num = self.get_and_incr(&topic).await;
+        let seq_num = self.get_and_incr(&topic);
+
+        let mut iroh_channels = self.iroh_channels.write().await;
+        let state = iroh_channels
+            .get_mut(&topic)
+            .context("Just created state does not exist")?;
         data.extend(seq_num.to_le_bytes());
         data.extend(self.public_key.as_bytes());
 
-        self.gossip.broadcast(topic, data.into()).await?;
+        state.sender.broadcast(data.into()).await?;
 
         if env::var("REALTIME_DEBUG").is_ok() {
             info!(ctx, "Sent realtime data");
@@ -174,13 +180,11 @@ impl Iroh {
         Ok(())
     }
 
-    async fn get_and_incr(&self, topic: &TopicId) -> i32 {
-        let mut seq = 0;
-        if let Some(state) = self.iroh_channels.write().await.get_mut(topic) {
-            seq = state.seq_number;
-            state.seq_number = state.seq_number.wrapping_add(1)
-        }
-        seq
+    fn get_and_incr(&self, topic: &TopicId) -> i32 {
+        let mut sequence_numbers = self.sequence_numbers.lock();
+        let entry = sequence_numbers.entry(*topic).or_default();
+        *entry = entry.wrapping_add(1);
+        *entry
     }
 
     /// Get the iroh [NodeAddr] without direct IP addresses.
@@ -192,12 +196,17 @@ impl Iroh {
 
     /// Leave the realtime channel for a given topic.
     pub(crate) async fn leave_realtime(&self, topic: TopicId) -> Result<()> {
-        if let Some(channel) = &mut self.iroh_channels.write().await.get_mut(&topic) {
-            if let Some(subscribe_loop) = channel.subscribe_loop.take() {
-                subscribe_loop.abort();
-            }
+        if let Some(channel) = self.iroh_channels.write().await.remove(&topic) {
+            // Dropping the last GossipTopic results in quitting the topic.
+            // It is split into GossipReceiver and GossipSender.
+            // GossipSender (`channel.sender`) is dropped automatically.
+
+            // Subscribe loop owns GossipReceiver.
+            // Aborting it and waiting for it to be dropped
+            // drops the receiver.
+            channel.subscribe_loop.abort();
+            let _ = channel.subscribe_loop.await;
         }
-        self.gossip.quit(topic).await?;
         Ok(())
     }
 }
@@ -205,17 +214,17 @@ impl Iroh {
 /// Single gossip channel state.
 #[derive(Debug)]
 pub(crate) struct ChannelState {
-    /// Sequence number for the gossip channel.
-    seq_number: i32,
     /// The subscribe loop handle.
-    subscribe_loop: Option<JoinHandle<()>>,
+    subscribe_loop: JoinHandle<()>,
+
+    sender: iroh_gossip::net::GossipSender,
 }
 
 impl ChannelState {
-    fn new(seq_number: i32, subscribe_loop: JoinHandle<()>) -> Self {
+    fn new(subscribe_loop: JoinHandle<()>, sender: iroh_gossip::net::GossipSender) -> Self {
         Self {
-            seq_number,
-            subscribe_loop: Some(subscribe_loop),
+            subscribe_loop,
+            sender,
         }
     }
 }
@@ -261,6 +270,7 @@ impl Context {
         Ok(Iroh {
             endpoint,
             gossip,
+            sequence_numbers: Mutex::new(HashMap::new()),
             iroh_channels: RwLock::new(HashMap::new()),
             public_key,
         })
@@ -370,7 +380,7 @@ pub(crate) async fn get_iroh_topic_for_msg(
 pub async fn send_webxdc_realtime_advertisement(
     ctx: &Context,
     msg_id: MsgId,
-) -> Result<Option<JoinTopicFut>> {
+) -> Result<Option<oneshot::Receiver<()>>> {
     if !ctx.get_config_bool(Config::WebxdcRealtimeEnabled).await? {
         return Ok(None);
     }
@@ -467,32 +477,50 @@ async fn handle_connection(
 
 async fn subscribe_loop(
     context: &Context,
-    gossip: Gossip,
+    mut stream: iroh_gossip::net::GossipReceiver,
     topic: TopicId,
     msg_id: MsgId,
+    join_tx: oneshot::Sender<()>,
 ) -> Result<()> {
-    let mut stream = gossip.subscribe(topic).await?;
-    loop {
-        let event = stream.recv().await?;
+    let mut join_tx = Some(join_tx);
+
+    while let Some(event) = stream.try_next().await? {
         match event {
-            IrohEvent::NeighborUp(node) => {
-                info!(context, "IROH_REALTIME: NeighborUp: {}", node.to_string());
-                iroh_add_peer_for_topic(context, msg_id, topic, node, None).await?;
+            Event::Gossip(event) => match event {
+                GossipEvent::Joined(nodes) => {
+                    if let Some(join_tx) = join_tx.take() {
+                        // Try to notify that at least one peer joined,
+                        // but ignore the error if receiver is dropped and nobody listens.
+                        join_tx.send(()).ok();
+                    }
+
+                    for node in nodes {
+                        iroh_add_peer_for_topic(context, msg_id, topic, node, None).await?;
+                    }
+                }
+                GossipEvent::NeighborUp(node) => {
+                    info!(context, "IROH_REALTIME: NeighborUp: {}", node.to_string());
+                    iroh_add_peer_for_topic(context, msg_id, topic, node, None).await?;
+                }
+                GossipEvent::NeighborDown(_node) => {}
+                GossipEvent::Received(message) => {
+                    info!(context, "IROH_REALTIME: Received realtime data");
+                    context.emit_event(EventType::WebxdcRealtimeData {
+                        msg_id,
+                        data: message
+                            .content
+                            .get(0..message.content.len() - 4 - PUBLIC_KEY_LENGTH)
+                            .context("too few bytes in iroh message")?
+                            .into(),
+                    });
+                }
+            },
+            Event::Lagged => {
+                warn!(context, "Gossip lost some messages");
             }
-            IrohEvent::Received(event) => {
-                info!(context, "IROH_REALTIME: Received realtime data");
-                context.emit_event(EventType::WebxdcRealtimeData {
-                    msg_id,
-                    data: event
-                        .content
-                        .get(0..event.content.len() - 4 - PUBLIC_KEY_LENGTH)
-                        .context("too few bytes in iroh message")?
-                        .into(),
-                });
-            }
-            _ => (),
         };
     }
+    Ok(())
 }
 
 #[cfg(test)]
@@ -540,10 +568,10 @@ mod tests {
         assert_eq!(alice_webxdc.get_viewtype(), Viewtype::Webxdc);
 
         let webxdc = alice.pop_sent_msg().await;
-        let bob_webdxc = bob.recv_msg(&webxdc).await;
-        assert_eq!(bob_webdxc.get_viewtype(), Viewtype::Webxdc);
+        let bob_webxdc = bob.recv_msg(&webxdc).await;
+        assert_eq!(bob_webxdc.get_viewtype(), Viewtype::Webxdc);
 
-        bob_webdxc.chat_id.accept(bob).await.unwrap();
+        bob_webxdc.chat_id.accept(bob).await.unwrap();
 
         // Alice advertises herself.
         send_webxdc_realtime_advertisement(alice, alice_webxdc.id)
@@ -554,7 +582,7 @@ mod tests {
         let bob_iroh = bob.get_or_try_init_peer_channel().await.unwrap();
 
         // Bob adds alice to gossip peers.
-        let members = get_iroh_gossip_peers(bob, bob_webdxc.id)
+        let members = get_iroh_gossip_peers(bob, bob_webxdc.id)
             .await
             .unwrap()
             .into_iter()
@@ -568,7 +596,7 @@ mod tests {
         );
 
         bob_iroh
-            .join_and_subscribe_gossip(bob, bob_webdxc.id)
+            .join_and_subscribe_gossip(bob, bob_webxdc.id)
             .await
             .unwrap()
             .unwrap()
@@ -596,7 +624,7 @@ mod tests {
         }
         // Bob sends ephemeral message
         bob_iroh
-            .send_webxdc_realtime_data(bob, bob_webdxc.id, "bob -> alice".as_bytes().to_vec())
+            .send_webxdc_realtime_data(bob, bob_webxdc.id, "bob -> alice".as_bytes().to_vec())
             .await
             .unwrap();
 
@@ -628,7 +656,7 @@ mod tests {
         );
 
         bob_iroh
-            .send_webxdc_realtime_data(bob, bob_webdxc.id, "bob -> alice 2".as_bytes().to_vec())
+            .send_webxdc_realtime_data(bob, bob_webxdc.id, "bob -> alice 2".as_bytes().to_vec())
             .await
             .unwrap();
 
@@ -686,10 +714,10 @@ mod tests {
         assert_eq!(alice_webxdc.get_viewtype(), Viewtype::Webxdc);
 
         let webxdc = alice.pop_sent_msg().await;
-        let bob_webdxc = bob.recv_msg(&webxdc).await;
-        assert_eq!(bob_webdxc.get_viewtype(), Viewtype::Webxdc);
+        let bob_webxdc = bob.recv_msg(&webxdc).await;
+        assert_eq!(bob_webxdc.get_viewtype(), Viewtype::Webxdc);
 
-        bob_webdxc.chat_id.accept(bob).await.unwrap();
+        bob_webxdc.chat_id.accept(bob).await.unwrap();
 
         // Alice advertises herself.
         send_webxdc_realtime_advertisement(alice, alice_webxdc.id)
@@ -700,7 +728,7 @@ mod tests {
         let bob_iroh = bob.get_or_try_init_peer_channel().await.unwrap();
 
         // Bob adds alice to gossip peers.
-        let members = get_iroh_gossip_peers(bob, bob_webdxc.id)
+        let members = get_iroh_gossip_peers(bob, bob_webxdc.id)
             .await
             .unwrap()
             .into_iter()
@@ -714,7 +742,7 @@ mod tests {
         );
 
         bob_iroh
-            .join_and_subscribe_gossip(bob, bob_webdxc.id)
+            .join_and_subscribe_gossip(bob, bob_webxdc.id)
             .await
             .unwrap()
             .unwrap()
@@ -741,11 +769,32 @@ mod tests {
             }
         }
 
-        // TODO: check that seq number is persisted
-        leave_webxdc_realtime(bob, bob_webdxc.id).await.unwrap();
+        let bob_topic = get_iroh_topic_for_msg(bob, bob_webxdc.id)
+            .await
+            .unwrap()
+            .unwrap();
+        let bob_sequence_number = bob
+            .iroh
+            .get()
+            .unwrap()
+            .sequence_numbers
+            .lock()
+            .get(&bob_topic)
+            .copied();
+        leave_webxdc_realtime(bob, bob_webxdc.id).await.unwrap();
+        let bob_sequence_number_after = bob
+            .iroh
+            .get()
+            .unwrap()
+            .sequence_numbers
+            .lock()
+            .get(&bob_topic)
+            .copied();
+        // Check that sequence number is persisted when leaving the channel.
+        assert_eq!(bob_sequence_number, bob_sequence_number_after);
 
         bob_iroh
-            .join_and_subscribe_gossip(bob, bob_webdxc.id)
+            .join_and_subscribe_gossip(bob, bob_webxdc.id)
             .await
             .unwrap()
             .unwrap()
@@ -753,7 +802,7 @@ mod tests {
             .unwrap();
 
         bob_iroh
-            .send_webxdc_realtime_data(bob, bob_webdxc.id, "bob -> alice".as_bytes().to_vec())
+            .send_webxdc_realtime_data(bob, bob_webxdc.id, "bob -> alice".as_bytes().to_vec())
             .await
             .unwrap();
 
@@ -783,7 +832,7 @@ mod tests {
             .await
             .unwrap()
             .unwrap();
-        assert!(if let Some(state) = alice
+        assert!(alice
             .iroh
             .get()
             .unwrap()
@@ -791,11 +840,7 @@ mod tests {
             .read()
             .await
             .get(&topic)
-        {
-            state.subscribe_loop.is_none()
-        } else {
-            false
-        });
+            .is_none());
     }
 
     #[tokio::test(flavor = "multi_thread", worker_threads = 2)]

src/provider/data.rs

@@ -520,7 +520,7 @@ static P_FREENET_DE: Provider = Provider {
 static P_GMAIL: Provider = Provider {
     id: "gmail",
     status: Status::Preparation,
-    before_login_hint: "For Gmail accounts, you need to create an app-password if you have \"2-Step Verification\" enabled. If this setting is not available, you need to enable \"less secure apps\".",
+    before_login_hint: "For Gmail accounts, you need to have \"2-Step Verification\" enabled and create an app-password.",
     after_login_hint: "",
     overview_page: "https://providers.delta.chat/gmail",
     server: &[
@@ -1037,6 +1037,20 @@ static P_NINE_TESTRUN_ORG: Provider = Provider {
             port: 587,
             username_pattern: Email,
         },
+        Server {
+            protocol: Imap,
+            socket: Ssl,
+            hostname: "nine.testrun.org",
+            port: 443,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Smtp,
+            socket: Ssl,
+            hostname: "nine.testrun.org",
+            port: 443,
+            username_pattern: Email,
+        },
     ],
     opt: ProviderOptions::new(),
     config_defaults: Some(&[ConfigDefault {
@@ -1260,14 +1274,14 @@ static P_RISEUP_NET: Provider = Provider {
             socket: Ssl,
             hostname: "mail.riseup.net",
             port: 993,
-            username_pattern: Emaillocalpart,
+            username_pattern: Email,
         },
         Server {
             protocol: Smtp,
             socket: Ssl,
             hostname: "mail.riseup.net",
             port: 465,
-            username_pattern: Emaillocalpart,
+            username_pattern: Email,
         },
     ],
     opt: ProviderOptions::new(),
@@ -1301,6 +1315,37 @@ static P_SONIC: Provider = Provider {
     oauth2_authorizer: None,
 };
 
+// stinpriza.net.md: stinpriza.net, stinpriza.eu, el-hoyo.net
+static P_STINPRIZA_NET: Provider = Provider {
+    id: "stinpriza.net",
+    status: Status::Ok,
+    before_login_hint: "",
+    after_login_hint: "",
+    overview_page: "https://providers.delta.chat/stinpriza-net",
+    server: &[
+        Server {
+            protocol: Imap,
+            socket: Starttls,
+            hostname: "stinpriza.net",
+            port: 143,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Smtp,
+            socket: Starttls,
+            hostname: "stinpriza.net",
+            port: 587,
+            username_pattern: Email,
+        },
+    ],
+    opt: ProviderOptions {
+        strict_tls: true,
+        ..ProviderOptions::new()
+    },
+    config_defaults: None,
+    oauth2_authorizer: None,
+};
+
 // systemausfall.org.md: systemausfall.org, solidaris.me
 static P_SYSTEMAUSFALL_ORG: Provider = Provider {
     id: "systemausfall.org",
@@ -1555,11 +1600,13 @@ static P_VIVALDI: Provider = Provider {
 // vk.com.md: vk.com
 static P_VK_COM: Provider = Provider {
     id: "vk.com",
-    status: Status::Broken,
-    before_login_hint: "К сожалению, VK Почта не поддерживает работу с Delta Chat. См. https://help.vk.mail.ru/vkmail/questions/client",
+    status: Status::Preparation,
+    before_login_hint: "Вам необходимо сгенерировать \"пароль для внешнего приложения\" в веб-интерфейсе mail.ru https://account.mail.ru/user/2-step-auth/passwords/ чтобы vk.com работал с Delta Chat.",
     after_login_hint: "",
     overview_page: "https://providers.delta.chat/vk-com",
     server: &[
+        Server { protocol: Imap, socket: Ssl, hostname: "imap.mail.ru", port: 993, username_pattern: Email },
+        Server { protocol: Smtp, socket: Ssl, hostname: "smtp.mail.ru", port: 465, username_pattern: Email },
     ],
     opt: ProviderOptions::new(),
     config_defaults: None,
@@ -1757,7 +1804,7 @@ static P_ZOHO: Provider = Provider {
     oauth2_authorizer: None,
 };
 
-pub(crate) static PROVIDER_DATA: [(&str, &Provider); 528] = [
+pub(crate) static PROVIDER_DATA: [(&str, &Provider); 531] = [
     ("163.com", &P_163),
     ("aktivix.org", &P_AKTIVIX_ORG),
     ("aliyun.com", &P_ALIYUN),
@@ -2212,6 +2259,9 @@ pub(crate) static PROVIDER_DATA: [(&str, &Provider); 528] = [
     ("riseup.net", &P_RISEUP_NET),
     ("rogers.com", &P_ROGERS_COM),
     ("sonic.net", &P_SONIC),
+    ("stinpriza.net", &P_STINPRIZA_NET),
+    ("stinpriza.eu", &P_STINPRIZA_NET),
+    ("el-hoyo.net", &P_STINPRIZA_NET),
     ("systemausfall.org", &P_SYSTEMAUSFALL_ORG),
     ("solidaris.me", &P_SYSTEMAUSFALL_ORG),
     ("systemli.org", &P_SYSTEMLI_ORG),
@@ -2343,6 +2393,7 @@ pub(crate) static PROVIDER_IDS: Lazy<HashMap<&'static str, &'static Provider>> =
         ("riseup.net", &P_RISEUP_NET),
         ("rogers.com", &P_ROGERS_COM),
         ("sonic", &P_SONIC),
+        ("stinpriza.net", &P_STINPRIZA_NET),
         ("systemausfall.org", &P_SYSTEMAUSFALL_ORG),
         ("systemli.org", &P_SYSTEMLI_ORG),
         ("t-online", &P_T_ONLINE),
@@ -2366,4 +2417,4 @@ pub(crate) static PROVIDER_IDS: Lazy<HashMap<&'static str, &'static Provider>> =
 });
 
 pub static _PROVIDER_UPDATED: Lazy<chrono::NaiveDate> =
-    Lazy::new(|| chrono::NaiveDate::from_ymd_opt(2024, 6, 24).unwrap());
+    Lazy::new(|| chrono::NaiveDate::from_ymd_opt(2024, 8, 14).unwrap());

src/push.rs

@@ -48,7 +48,7 @@ impl PushSubscriber {
 
     /// Subscribes for heartbeat notifications with previously set device token.
     #[cfg(target_os = "ios")]
-    pub(crate) async fn subscribe(&self) -> Result<()> {
+    pub(crate) async fn subscribe(&self, context: &Context) -> Result<()> {
         use crate::net::http;
 
         let mut state = self.inner.write().await;
@@ -61,8 +61,9 @@ impl PushSubscriber {
             return Ok(());
         };
 
-        let socks5_config = None;
-        let response = http::get_client(socks5_config)?
+        let load_cache = true;
+        let response = http::get_client(context, load_cache)
+            .await?
             .post("https://notifications.delta.chat/register")
             .body(format!("{{\"token\":\"{token}\"}}"))
             .send()
@@ -77,7 +78,7 @@ impl PushSubscriber {
 
     /// Placeholder to skip subscribing to heartbeat notifications outside iOS.
     #[cfg(not(target_os = "ios"))]
-    pub(crate) async fn subscribe(&self) -> Result<()> {
+    pub(crate) async fn subscribe(&self, _context: &Context) -> Result<()> {
         let mut state = self.inner.write().await;
         state.heartbeat_subscribed = true;
         Ok(())

src/qr.rs

@@ -1405,9 +1405,12 @@ mod tests {
             ctx.ctx.get_config(Config::SendUser).await?,
             Some("SendUser".to_owned())
         );
+
+        // `sc` option is actually ignored and `ic` is used instead
+        // because `smtp_certificate_checks` is deprecated.
         assert_eq!(
             ctx.ctx.get_config(Config::SmtpCertificateChecks).await?,
-            Some("3".to_owned())
+            Some("1".to_owned())
         );
         assert_eq!(
             ctx.ctx.get_config(Config::SendSecurity).await?,

src/qr/dclogin_scheme.rs

@@ -39,9 +39,6 @@ pub enum LoginOptions {
         /// IMAP socket security.
         imap_security: Option<Socket>,
 
-        /// IMAP certificate checks.
-        imap_certificate_checks: Option<CertificateChecks>,
-
         /// SMTP host.
         smtp_host: Option<String>,
 
@@ -57,8 +54,8 @@ pub enum LoginOptions {
         /// SMTP socket security.
         smtp_security: Option<Socket>,
 
-        /// SMTP certificate checks.
-        smtp_certificate_checks: Option<CertificateChecks>,
+        /// Certificate checks.
+        certificate_checks: Option<CertificateChecks>,
     },
 }
 
@@ -107,14 +104,13 @@ pub(super) fn decode_login(qr: &str) -> Result<Qr> {
                 imap_username: parameter_map.get("iu").map(|s| s.to_owned()),
                 imap_password: parameter_map.get("ipw").map(|s| s.to_owned()),
                 imap_security: parse_socket_security(parameter_map.get("is"))?,
-                imap_certificate_checks: parse_certificate_checks(parameter_map.get("ic"))?,
                 smtp_host: parameter_map.get("sh").map(|s| s.to_owned()),
                 smtp_port: parse_port(parameter_map.get("sp"))
                     .context("could not parse smtp port")?,
                 smtp_username: parameter_map.get("su").map(|s| s.to_owned()),
                 smtp_password: parameter_map.get("spw").map(|s| s.to_owned()),
                 smtp_security: parse_socket_security(parameter_map.get("ss"))?,
-                smtp_certificate_checks: parse_certificate_checks(parameter_map.get("sc"))?,
+                certificate_checks: parse_certificate_checks(parameter_map.get("ic"))?,
             },
             Some(Ok(v)) => LoginOptions::UnsuportedVersion(v),
             Some(Err(_)) => bail!("version could not be parsed as number E6"),
@@ -177,13 +173,12 @@ pub(crate) async fn configure_from_login_qr(
             imap_username,
             imap_password,
             imap_security,
-            imap_certificate_checks,
             smtp_host,
             smtp_port,
             smtp_username,
             smtp_password,
             smtp_security,
-            smtp_certificate_checks,
+            certificate_checks,
         } => {
             context
                 .set_config_internal(Config::MailPw, Some(&mail_pw))
@@ -216,14 +211,6 @@ pub(crate) async fn configure_from_login_qr(
                     .set_config_internal(Config::MailSecurity, Some(&code.to_string()))
                     .await?;
             }
-            if let Some(value) = imap_certificate_checks {
-                let code = value
-                    .to_u32()
-                    .context("could not convert imap certificate checks value to number")?;
-                context
-                    .set_config_internal(Config::ImapCertificateChecks, Some(&code.to_string()))
-                    .await?;
-            }
             if let Some(value) = smtp_host {
                 context
                     .set_config_internal(Config::SendServer, Some(&value))
@@ -252,10 +239,13 @@ pub(crate) async fn configure_from_login_qr(
                     .set_config_internal(Config::SendSecurity, Some(&code.to_string()))
                     .await?;
             }
-            if let Some(value) = smtp_certificate_checks {
+            if let Some(value) = certificate_checks {
                 let code = value
                     .to_u32()
-                    .context("could not convert smtp certificate checks value to number")?;
+                    .context("could not convert certificate checks value to number")?;
+                context
+                    .set_config_internal(Config::ImapCertificateChecks, Some(&code.to_string()))
+                    .await?;
                 context
                     .set_config_internal(Config::SmtpCertificateChecks, Some(&code.to_string()))
                     .await?;
@@ -284,13 +274,12 @@ mod test {
                 imap_username: None,
                 imap_password: None,
                 imap_security: None,
-                imap_certificate_checks: None,
                 smtp_host: None,
                 smtp_port: None,
                 smtp_username: None,
                 smtp_password: None,
                 smtp_security: None,
-                smtp_certificate_checks: None,
+                certificate_checks: None,
             }
         };
     }
@@ -392,13 +381,12 @@ mod test {
                     imap_username: Some("max".to_owned()),
                     imap_password: Some("87654".to_owned()),
                     imap_security: Some(Socket::Ssl),
-                    imap_certificate_checks: Some(CertificateChecks::Strict),
                     smtp_host: Some("mail.host.tld".to_owned()),
                     smtp_port: Some(3000),
                     smtp_username: Some("max@host.tld".to_owned()),
                     smtp_password: Some("3242HS".to_owned()),
                     smtp_security: Some(Socket::Plain),
-                    smtp_certificate_checks: Some(CertificateChecks::AcceptInvalidCertificates),
+                    certificate_checks: Some(CertificateChecks::Strict),
                 }
             );
         } else {

src/receive_imf.rs

@@ -807,7 +807,7 @@ async fn add_parts(
                         // 1:1 chat is blocked, but the contact is not.
                         // This happens when 1:1 chat is hidden
                         // during scanning of a group invitation code.
-                        Blocked::Request
+                        create_blocked_default
                     }
                 }
             }

src/receive_imf/tests.rs

@@ -14,6 +14,7 @@ use crate::contact;
 use crate::download::MIN_DOWNLOAD_LIMIT;
 use crate::imap::prefetch_should_download;
 use crate::imex::{imex, ImexMode};
+use crate::securejoin::get_securejoin_qr;
 use crate::test_utils::{get_chat_msg, mark_as_verified, TestContext, TestContextManager};
 use crate::tools::{time, SystemTime};
 
@@ -3275,6 +3276,46 @@ async fn test_auto_accept_group_for_bots() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_auto_accept_protected_group_for_bots() -> Result<()> {
+    let mut tcm = TestContextManager::new();
+    let alice = &tcm.alice().await;
+    let bob = &tcm.bob().await;
+    bob.set_config(Config::Bot, Some("1")).await.unwrap();
+    mark_as_verified(alice, bob).await;
+    mark_as_verified(bob, alice).await;
+    let group_id = alice
+        .create_group_with_members(ProtectionStatus::Protected, "Group", &[bob])
+        .await;
+    let sent = alice.send_text(group_id, "Hello!").await;
+    let msg = bob.recv_msg(&sent).await;
+    let chat = chat::Chat::load_from_db(bob, msg.chat_id).await?;
+    assert!(!chat.is_contact_request());
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_bot_accepts_another_group_after_qr_scan() -> Result<()> {
+    let mut tcm = TestContextManager::new();
+    let alice = &tcm.alice().await;
+    let bob = &tcm.bob().await;
+    bob.set_config(Config::Bot, Some("1")).await?;
+
+    let group_id = chat::create_group_chat(alice, ProtectionStatus::Protected, "Group").await?;
+    let qr = get_securejoin_qr(alice, Some(group_id)).await?;
+    tcm.exec_securejoin_qr(bob, alice, &qr).await;
+
+    let group_id = alice
+        .create_group_with_members(ProtectionStatus::Protected, "Group", &[bob])
+        .await;
+    let sent = alice.send_text(group_id, "Hello!").await;
+    let msg = bob.recv_msg(&sent).await;
+    let chat = chat::Chat::load_from_db(bob, msg.chat_id).await?;
+    assert!(!chat.is_contact_request());
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn test_send_as_bot() -> Result<()> {
     let mut tcm = TestContextManager::new();

src/scheduler.rs

@@ -466,11 +466,13 @@ pub async fn convert_folder_meaning(
 }
 
 async fn inbox_fetch_idle(ctx: &Context, imap: &mut Imap, mut session: Session) -> Result<Session> {
-    ctx.set_config_internal(
-        Config::IsChatmail,
-        crate::config::from_bool(session.is_chatmail()),
-    )
-    .await?;
+    if !ctx.get_config_bool(Config::FixIsChatmail).await? {
+        ctx.set_config_internal(
+            Config::IsChatmail,
+            crate::config::from_bool(session.is_chatmail()),
+        )
+        .await?;
+    }
 
     // Update quota no more than once a minute.
     if ctx.quota_needs_update(60).await {

src/securejoin.rs

@@ -843,6 +843,7 @@ mod tests {
         );
 
         let sent = bob.pop_sent_msg().await;
+        assert!(!sent.payload.contains("Bob Examplenet"));
         assert_eq!(sent.recipient(), EmailAddress::new(alice_addr).unwrap());
         let msg = alice.parse_msg(&sent).await;
         assert!(!msg.was_encrypted());
@@ -860,6 +861,7 @@ mod tests {
         );
 
         let sent = alice.pop_sent_msg().await;
+        assert!(!sent.payload.contains("Alice Exampleorg"));
         let msg = bob.parse_msg(&sent).await;
         assert!(msg.was_encrypted());
         assert_eq!(

src/smtp.rs

@@ -13,7 +13,7 @@ use crate::config::Config;
 use crate::contact::{Contact, ContactId};
 use crate::context::Context;
 use crate::events::EventType;
-use crate::login_param::{CertificateChecks, LoginParam, ServerLoginParam};
+use crate::login_param::{LoginParam, ServerLoginParam};
 use crate::message::Message;
 use crate::message::{self, MsgId};
 use crate::mimefactory::MimeFactory;
@@ -94,9 +94,7 @@ impl Smtp {
             &lp.smtp,
             &lp.socks5_config,
             &lp.addr,
-            lp.provider.map_or(lp.socks5_config.is_some(), |provider| {
-                provider.opt.strict_tls
-            }),
+            lp.strict_tls(),
         )
         .await
     }
@@ -108,7 +106,7 @@ impl Smtp {
         lp: &ServerLoginParam,
         socks5_config: &Option<Socks5Config>,
         addr: &str,
-        provider_strict_tls: bool,
+        strict_tls: bool,
     ) -> Result<()> {
         if self.is_connected() {
             warn!(context, "SMTP already connected.");
@@ -127,13 +125,6 @@ impl Smtp {
         let domain = &lp.server;
         let port = lp.port;
 
-        let strict_tls = match lp.certificate_checks {
-            CertificateChecks::Automatic => provider_strict_tls,
-            CertificateChecks::Strict => true,
-            CertificateChecks::AcceptInvalidCertificates
-            | CertificateChecks::AcceptInvalidCertificates2 => false,
-        };
-
         let session_stream = connect::connect_stream(
             context,
             domain,
@@ -640,9 +631,7 @@ async fn send_mdn_rfc724_mid(
 
 /// Tries to send a single MDN. Returns true if more MDNs should be sent.
 async fn send_mdn(context: &Context, smtp: &mut Smtp) -> Result<bool> {
-    let mdns_enabled = context.get_config_bool(Config::MdnsEnabled).await?;
-    if !mdns_enabled {
-        // User has disabled MDNs.
+    if !context.should_send_mdns().await? {
         context.sql.execute("DELETE FROM smtp_mdns", []).await?;
         return Ok(false);
     }

src/smtp/connect.rs

@@ -10,9 +10,21 @@ use crate::context::Context;
 use crate::net::dns::{lookup_host_with_cache, update_connect_timestamp};
 use crate::net::session::SessionBufStream;
 use crate::net::tls::wrap_tls;
+use crate::net::update_connection_history;
 use crate::net::{connect_tcp_inner, connect_tls_inner};
 use crate::provider::Socket;
 use crate::socks::Socks5Config;
+use crate::tools::time;
+
+/// Converts port number to ALPN list.
+fn alpn(port: u16) -> &'static [&'static str] {
+    if port == 465 {
+        // Do not request ALPN on standard port.
+        &[]
+    } else {
+        &["smtp"]
+    }
+}
 
 /// Returns TLS, STARTTLS or plaintext connection
 /// using SOCKS5 or direct connection depending on the given configuration.
@@ -50,7 +62,8 @@ pub(crate) async fn connect_stream(
         let mut first_error = None;
         let load_cache = strict_tls && (security == Socket::Ssl || security == Socket::Starttls);
 
-        for resolved_addr in lookup_host_with_cache(context, host, port, load_cache).await? {
+        for resolved_addr in lookup_host_with_cache(context, host, port, "smtp", load_cache).await?
+        {
             let res = match security {
                 Socket::Automatic => bail!("SMTP port security is not configured"),
                 Socket::Ssl => connect_secure(resolved_addr, host, strict_tls).await,
@@ -63,6 +76,8 @@ pub(crate) async fn connect_stream(
                     if load_cache {
                         update_connect_timestamp(context, host, &ip_addr).await?;
                     }
+                    update_connection_history(context, "smtp", host, port, &ip_addr, time())
+                        .await?;
                     return Ok(stream);
                 }
                 Err(err) => {
@@ -84,11 +99,12 @@ pub(crate) async fn connect_stream(
 async fn skip_smtp_greeting<R: tokio::io::AsyncBufReadExt + Unpin>(stream: &mut R) -> Result<()> {
     let mut line = String::with_capacity(512);
     loop {
+        line.clear();
         let read = stream.read_line(&mut line).await?;
         if read == 0 {
             bail!("Unexpected EOF while reading SMTP greeting.");
         }
-        if line.starts_with("220- ") {
+        if line.starts_with("220-") {
             continue;
         } else if line.starts_with("220 ") {
             return Ok(());
@@ -108,7 +124,7 @@ async fn connect_secure_socks5(
     let socks5_stream = socks5_config
         .connect(context, hostname, port, strict_tls)
         .await?;
-    let tls_stream = wrap_tls(strict_tls, hostname, "smtp", socks5_stream).await?;
+    let tls_stream = wrap_tls(strict_tls, hostname, alpn(port), socks5_stream).await?;
     let mut buffered_stream = BufStream::new(tls_stream);
     skip_smtp_greeting(&mut buffered_stream).await?;
     let session_stream: Box<dyn SessionBufStream> = Box::new(buffered_stream);
@@ -130,7 +146,7 @@ async fn connect_starttls_socks5(
     let client = SmtpClient::new().smtp_utf8(true);
     let transport = SmtpTransport::new(client, BufStream::new(socks5_stream)).await?;
     let tcp_stream = transport.starttls().await?.into_inner();
-    let tls_stream = wrap_tls(strict_tls, hostname, "smtp", tcp_stream)
+    let tls_stream = wrap_tls(strict_tls, hostname, &[], tcp_stream)
         .await
         .context("STARTTLS upgrade failed")?;
     let buffered_stream = BufStream::new(tls_stream);
@@ -158,7 +174,7 @@ async fn connect_secure(
     hostname: &str,
     strict_tls: bool,
 ) -> Result<Box<dyn SessionBufStream>> {
-    let tls_stream = connect_tls_inner(addr, hostname, strict_tls, "smtp").await?;
+    let tls_stream = connect_tls_inner(addr, hostname, strict_tls, alpn(addr.port())).await?;
     let mut buffered_stream = BufStream::new(tls_stream);
     skip_smtp_greeting(&mut buffered_stream).await?;
     let session_stream: Box<dyn SessionBufStream> = Box::new(buffered_stream);
@@ -176,7 +192,7 @@ async fn connect_starttls(
     let client = async_smtp::SmtpClient::new().smtp_utf8(true);
     let transport = async_smtp::SmtpTransport::new(client, BufStream::new(tcp_stream)).await?;
     let tcp_stream = transport.starttls().await?.into_inner();
-    let tls_stream = wrap_tls(strict_tls, host, "smtp", tcp_stream)
+    let tls_stream = wrap_tls(strict_tls, host, &[], tcp_stream)
         .await
         .context("STARTTLS upgrade failed")?;
 
@@ -192,3 +208,19 @@ async fn connect_insecure(addr: SocketAddr) -> Result<Box<dyn SessionBufStream>>
     let session_stream: Box<dyn SessionBufStream> = Box::new(buffered_stream);
     Ok(session_stream)
 }
+
+#[cfg(test)]
+mod tests {
+    use tokio::io::BufReader;
+
+    use super::*;
+
+    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+    async fn test_skip_smtp_greeting() -> Result<()> {
+        let greeting = b"220-server261.web-hosting.com ESMTP Exim 4.96.2 #2 Sat, 24 Aug 2024 12:25:53 -0400 \r\n\
+                         220-We do not authorize the use of this system to transport unsolicited,\r\n\
+                         220 and/or bulk e-mail.\r\n";
+        let mut buffered_stream = BufReader::new(&greeting[..]);
+        skip_smtp_greeting(&mut buffered_stream).await
+    }
+}

src/sql.rs

@@ -18,6 +18,8 @@ use crate::imex::BLOBS_BACKUP_NAME;
 use crate::location::delete_orphaned_poi_locations;
 use crate::log::LogExt;
 use crate::message::{Message, MsgId, Viewtype};
+use crate::net::dns::prune_dns_cache;
+use crate::net::prune_connection_history;
 use crate::param::{Param, Params};
 use crate::peerstate::Peerstate;
 use crate::stock_str;
@@ -103,9 +105,11 @@ impl Sql {
 
         // Test that the key is correct using a single connection.
         let connection = Connection::open(&self.dbfile)?;
-        connection
-            .pragma_update(None, "key", &passphrase)
-            .context("failed to set PRAGMA key")?;
+        if !passphrase.is_empty() {
+            connection
+                .pragma_update(None, "key", &passphrase)
+                .context("Failed to set PRAGMA key")?;
+        }
         let key_is_correct = connection
             .query_row("SELECT count(*) FROM sqlite_master", [], |_row| Ok(()))
             .is_ok();
@@ -322,8 +326,10 @@ impl Sql {
 
         let pool = lock.take().context("SQL connection pool is not open")?;
         let conn = pool.get().await?;
-        conn.pragma_update(None, "rekey", passphrase.clone())
-            .context("failed to set PRAGMA rekey")?;
+        if !passphrase.is_empty() {
+            conn.pragma_update(None, "rekey", passphrase.clone())
+                .context("Failed to set PRAGMA rekey")?;
+        }
         drop(pool);
 
         *lock = Some(Self::new_pool(&self.dbfile, passphrase.to_string())?);
@@ -695,7 +701,9 @@ fn new_connection(path: &Path, passphrase: &str) -> Result<Connection> {
         conn.pragma_update(None, "temp_store", "memory")?;
     }
 
-    conn.pragma_update(None, "key", passphrase)?;
+    if !passphrase.is_empty() {
+        conn.pragma_update(None, "key", passphrase)?;
+    }
     // Try to enable auto_vacuum. This will only be
     // applied if the database is new or after successful
     // VACUUM, which usually happens before backup export.
@@ -787,6 +795,17 @@ pub async fn housekeeping(context: &Context) -> Result<()> {
         .log_err(context)
         .ok();
 
+    prune_connection_history(context)
+        .await
+        .context("Failed to prune connection history")
+        .log_err(context)
+        .ok();
+    prune_dns_cache(context)
+        .await
+        .context("Failed to prune DNS cache")
+        .log_err(context)
+        .ok();
+
     // Delete POI locations
     // which don't have corresponding message.
     delete_orphaned_poi_locations(context)

src/sql/migrations.rs

@@ -955,6 +955,22 @@ CREATE INDEX msgs_status_updates_index2 ON msgs_status_updates (uid);
         .await?;
     }
 
+    inc_and_check(&mut migration_version, 117)?;
+    if dbversion < migration_version {
+        sql.execute_migration(
+            "CREATE TABLE connection_history (
+                host TEXT NOT NULL, -- server hostname
+                port INTEGER NOT NULL, -- server port
+                alpn TEXT NOT NULL, -- ALPN such as smtp or imap
+                addr TEXT NOT NULL, -- IP address
+                timestamp INTEGER NOT NULL, -- timestamp of the most recent successful connection
+                UNIQUE (host, port, alpn, addr)
+            ) STRICT",
+            migration_version,
+        )
+        .await?;
+    }
+
     let new_version = sql
         .get_raw_config_int(VERSION_CFG)
         .await?

src/test_utils.rs

@@ -2,7 +2,7 @@
 //!
 //! This private module is only compiled for test runs.
 #![allow(clippy::indexing_slicing)]
-use std::collections::BTreeMap;
+use std::collections::{BTreeMap, HashSet};
 use std::fmt::Write;
 use std::ops::{Deref, DerefMut};
 use std::panic;
@@ -175,7 +175,12 @@ impl TestContextManager {
         ));
 
         let qr = get_securejoin_qr(&scanned.ctx, None).await.unwrap();
-        join_securejoin(&scanner.ctx, &qr).await.unwrap();
+        self.exec_securejoin_qr(scanner, scanned, &qr).await;
+    }
+
+    /// Executes SecureJoin initiated by `scanner` scanning `qr` generated by `scanned`.
+    pub async fn exec_securejoin_qr(&self, scanner: &TestContext, scanned: &TestContext, qr: &str) {
+        join_securejoin(&scanner.ctx, qr).await.unwrap();
 
         loop {
             if let Some(sent) = scanner.pop_sent_msg_opt(Duration::ZERO).await {
@@ -472,6 +477,36 @@ impl TestContext {
         update_msg_state(&self.ctx, msg_id, MessageState::OutDelivered)
             .await
             .expect("failed to update message state");
+
+        let payload_headers = payload.split("\r\n\r\n").next().unwrap().lines();
+        let payload_header_names: Vec<_> = payload_headers
+            .map(|h| h.split(':').next().unwrap())
+            .collect();
+
+        // Check that we are sending exactly one From, Subject, Date, To, Message-ID, and MIME-Version header:
+        for header in &[
+            "From",
+            "Subject",
+            "Date",
+            "To",
+            "Message-ID",
+            "MIME-Version",
+        ] {
+            assert_eq!(
+                payload_header_names.iter().filter(|h| *h == header).count(),
+                1,
+                "This sent email should contain the header {header} exactly 1 time:\n{payload}"
+            );
+        }
+        // Check that we aren't sending any header twice:
+        let mut hash_set = HashSet::new();
+        for header_name in payload_header_names {
+            assert!(
+                hash_set.insert(header_name),
+                "This sent email shouldn't contain the header {header_name} multiple times:\n{payload}"
+            );
+        }
+
         Some(SentMessage {
             payload,
             sender_msg_id: msg_id,

src/tests/verified_chats.rs

@@ -881,7 +881,7 @@ async fn test_verified_member_added_reordering() -> Result<()> {
 }
 
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_no_unencrypted_name_if_verified() -> Result<()> {
+async fn test_no_unencrypted_name_if_encrypted() -> Result<()> {
     let mut tcm = TestContextManager::new();
     for verified in [false, true] {
         let alice = tcm.alice().await;
@@ -898,7 +898,7 @@ async fn test_no_unencrypted_name_if_verified() -> Result<()> {
         let chat_id = bob.create_chat(&alice).await.id;
         let msg = &bob.send_text(chat_id, "hi").await;
 
-        assert_eq!(msg.payload.contains("Bob Smith"), !verified);
+        assert_eq!(msg.payload.contains("Bob Smith"), false);
         assert!(msg.payload.contains("BEGIN PGP MESSAGE"));
 
         let msg = alice.recv_msg(msg).await;

standards.md

@@ -19,7 +19,7 @@ Authorization                    | OAuth2 ([RFC 6749][])
 End-to-end encryption            | [Autocrypt Level 1][], OpenPGP ([RFC 4880][]), Security Multiparts for MIME ([RFC 1847][]) and [“Mixed Up” Encryption repairing](https://tools.ietf.org/id/draft-dkg-openpgp-pgpmime-message-mangling-00.html)
 Detect/prevent active attacks    | [securejoin][] protocols
 Compare public keys              | [openpgp4fpr][] URI Scheme
-Header encryption                | [Protected Headers for Cryptographic E-mail](https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers/)
+Header encryption                | [Header Protection for Cryptographically Protected E-mail](https://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection/)
 Configuration assistance         | [Autoconfigure](https://web.archive.org/web/20210402044801/https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration) and [Autodiscover][]
 Messenger functions              | [Chat-over-Email](https://github.com/deltachat/deltachat-core-rust/blob/master/spec.md#chat-mail-specification)
 Detect mailing list              | List-Id ([RFC 2919][]) and Precedence ([RFC 3834][])