feat: send vc- prefix instead of vg- in Secure-Join where accepted

This way we always send `Secure-Join: vc-request`,
even when joining the group,
and it is not visible to the server if we setup a new contact
or join a group/channel.

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ permissions: {}
 
 env:
   RUSTFLAGS: -Dwarnings
-  RUST_VERSION: 1.95.0
+  RUST_VERSION: 1.94.0
 
   # Minimum Supported Rust Version
   MSRV: 1.88.0

.github/workflows/deltachat-rpc-server.yml

@@ -382,7 +382,7 @@ jobs:
 
       - name: Publish deltachat-rpc-server to PyPI
         if: github.event_name == 'release'
-        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
 
   publish_npm_package:
     name: Build & Publish npm prebuilds and deltachat-rpc-server

.github/workflows/publish-deltachat-rpc-client-pypi.yml

@@ -47,4 +47,4 @@ jobs:
           name: python-package-distributions
           path: dist/
       - name: Publish deltachat-rpc-client to PyPI
-        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e

.github/workflows/zizmor-scan.yml

@@ -23,4 +23,4 @@ jobs:
           persist-credentials: false
 
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2

Cargo.lock

@@ -1360,7 +1360,7 @@ dependencies = [
  "proptest",
  "qrcodegen",
  "quick-xml",
- "rand 0.8.6",
+ "rand 0.8.5",
  "rand 0.9.4",
  "ratelimit",
  "regex",
@@ -2981,7 +2981,7 @@ dependencies = [
  "pin-project",
  "pkarr",
  "portmapper",
- "rand 0.8.6",
+ "rand 0.8.5",
  "rcgen",
  "reqwest",
  "ring",
@@ -3056,7 +3056,7 @@ dependencies = [
  "iroh-metrics",
  "n0-future",
  "postcard",
- "rand 0.8.6",
+ "rand 0.8.5",
  "rand_core 0.6.4",
  "serde",
  "serde-error",
@@ -3119,7 +3119,7 @@ checksum = "929d5d8fa77d5c304d3ee7cae9aede31f13908bd049f9de8c7c0094ad6f7c535"
 dependencies = [
  "bytes",
  "getrandom 0.2.16",
- "rand 0.8.6",
+ "rand 0.8.5",
  "ring",
  "rustc-hash",
  "rustls",
@@ -3172,7 +3172,7 @@ dependencies = [
  "pin-project",
  "pkarr",
  "postcard",
- "rand 0.8.6",
+ "rand 0.8.5",
  "reqwest",
  "rustls",
  "rustls-webpki 0.102.8",
@@ -3776,7 +3776,7 @@ dependencies = [
  "num-integer",
  "num-iter",
  "num-traits",
- "rand 0.8.6",
+ "rand 0.8.5",
  "serde",
  "smallvec",
  "zeroize",
@@ -3933,9 +3933,9 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 
 [[package]]
 name = "openssl"
-version = "0.10.78"
+version = "0.10.72"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f38c4372413cdaaf3cc79dd92d29d7d9f5ab09b51b10dded508fb90bb70b9222"
+checksum = "fedfea7d58a1f73118430a55da6a286e7b044961736ce96a16a17068ea25e5da"
 dependencies = [
  "bitflags 2.11.0",
  "cfg-if",
@@ -3974,9 +3974,9 @@ dependencies = [
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.114"
+version = "0.9.107"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13ce1245cd07fcc4cfdb438f7507b0c7e4f3849a69fd84d52374c66d83741bb6"
+checksum = "8288979acd84749c744a9014b4382d42b8f7b2592847b5afb2ed29e5d16ede07"
 dependencies = [
  "cc",
  "libc",
@@ -4206,7 +4206,7 @@ dependencies = [
  "p256",
  "p384",
  "p521",
- "rand 0.8.6",
+ "rand 0.8.5",
  "regex",
  "replace_with",
  "ripemd",
@@ -4453,7 +4453,7 @@ dependencies = [
  "nested_enum_utils",
  "netwatch",
  "num_enum",
- "rand 0.8.6",
+ "rand 0.8.5",
  "serde",
  "smallvec",
  "snafu",
@@ -4776,9 +4776,9 @@ dependencies = [
 
 [[package]]
 name = "rand"
-version = "0.8.6"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
 dependencies = [
  "libc",
  "rand_chacha 0.3.1",
@@ -5164,7 +5164,7 @@ dependencies = [
  "once_cell",
  "ring",
  "rustls-pki-types",
- "rustls-webpki 0.103.13",
+ "rustls-webpki 0.103.12",
  "subtle",
  "zeroize",
 ]
@@ -5201,9 +5201,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.13"
+version = "0.103.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
+checksum = "8279bb85272c9f10811ae6a6c547ff594d6a7f3c6c6b02ee9726d1d0dcfcdd06"
 dependencies = [
  "ring",
  "rustls-pki-types",
@@ -5870,7 +5870,7 @@ dependencies = [
  "hex",
  "parking_lot",
  "pnet_packet",
- "rand 0.8.6",
+ "rand 0.8.5",
  "socket2 0.5.9",
  "thiserror 1.0.69",
  "tokio",

deltachat-ffi/deltachat.h

@@ -390,9 +390,27 @@ char*           dc_get_blobdir               (const dc_context_t* context);
 /**
  * Configure the context. The configuration is handled by key=value pairs as:
  *
- * - `configured_addr` = Email address in use.
+ * - `addr`         = Email address to use for configuration.
+ *                    If dc_configure() fails this is not the email address actually in use.
+ *                    Use `configured_addr` to find out the email address actually in use.
+ * - `configured_addr` = Email address actually in use.
  *                    Unless for testing, do not set this value using dc_set_config().
  *                    Instead, set `addr` and call dc_configure().
+ * - `mail_server`  = IMAP-server, guessed if left out
+ * - `mail_user`    = IMAP-username, guessed if left out
+ * - `mail_pw`      = IMAP-password (always needed)
+ * - `mail_port`    = IMAP-port, guessed if left out
+ * - `mail_security`= IMAP-socket, one of @ref DC_SOCKET, defaults to #DC_SOCKET_AUTO
+ * - `send_server`  = SMTP-server, guessed if left out
+ * - `send_user`    = SMTP-user, guessed if left out
+ * - `send_pw`      = SMTP-password, guessed if left out
+ * - `send_port`    = SMTP-port, guessed if left out
+ * - `send_security`= SMTP-socket, one of @ref DC_SOCKET, defaults to #DC_SOCKET_AUTO
+ * - `server_flags` = IMAP-/SMTP-flags as a combination of @ref DC_LP flags, guessed if left out
+ * - `proxy_enabled` = Proxy enabled. Disabled by default.
+ * - `proxy_url` = Proxy URL. May contain multiple URLs separated by newline, but only the first one is used.
+ * - `imap_certificate_checks` = how to check IMAP certificates, one of the @ref DC_CERTCK flags, defaults to #DC_CERTCK_AUTO (0)
+ * - `smtp_certificate_checks` = deprecated option, should be set to the same value as `imap_certificate_checks` but ignored by the new core
  * - `displayname`  = Own name to use when sending messages. MUAs are allowed to spread this way e.g. using CC, defaults to empty
  * - `selfstatus`   = Own status to display, e.g. in e-mail footers, defaults to empty
  * - `selfavatar`   = File containing avatar. Will immediately be copied to the 
@@ -495,27 +513,6 @@ char*           dc_get_blobdir               (const dc_context_t* context);
  *                       1 = Contacts (default, does not include contact requests),
  *                       2 = Nobody (calls never result in a notification).
  *
- * Also, there are configs that are only needed
- * if you want to use the deprecated dc_configure() API, such as:
- *
- * - `addr`         = Email address to use for configuration.
- *                    If dc_configure() fails this is not the email address actually in use.
- *                    Use `configured_addr` to find out the email address actually in use.
- * - `mail_server`  = IMAP-server, guessed if left out
- * - `mail_user`    = IMAP-username, guessed if left out
- * - `mail_pw`      = IMAP-password (always needed)
- * - `mail_port`    = IMAP-port, guessed if left out
- * - `mail_security`= IMAP-socket, one of @ref DC_SOCKET, defaults to #DC_SOCKET_AUTO
- * - `send_server`  = SMTP-server, guessed if left out
- * - `send_user`    = SMTP-user, guessed if left out
- * - `send_pw`      = SMTP-password, guessed if left out
- * - `send_port`    = SMTP-port, guessed if left out
- * - `send_security`= SMTP-socket, one of @ref DC_SOCKET, defaults to #DC_SOCKET_AUTO
- * - `server_flags` = IMAP-/SMTP-flags as a combination of @ref DC_LP flags, guessed if left out
- * - `proxy_enabled` = Proxy enabled. Disabled by default.
- * - `proxy_url` = Proxy URL. May contain multiple URLs separated by newline, but only the first one is used.
- * - `imap_certificate_checks` = how to check IMAP and SMTP certificates, one of the @ref DC_CERTCK flags, defaults to #DC_CERTCK_AUTO (0)
-
  * If you want to retrieve a value, use dc_get_config().
  *
  * @memberof dc_context_t
@@ -702,12 +699,6 @@ int              dc_get_push_state           (dc_context_t* context);
 
 /**
  * Configure a context.
- *
- * This way of configuring a context is deprecated,
- * and does not allow to configure multiple transports.
- * If you can, use the JSON-RPC API (../deltachat-jsonrpc/src/api.rs)
- * `add_or_update_transport()`/`addOrUpdateTransport()` instead.
- *
  * During configuration IO must not be started,
  * if needed stop IO using dc_accounts_stop_io() or dc_stop_io() first.
  * If the context is already configured,
@@ -4243,8 +4234,6 @@ char*             dc_msg_get_webxdc_blob      (const dc_msg_t* msg, const char*
  *   true if the Webxdc should get internet access;
  *   this is the case i.e. for experimental maps integration.
  * - self_addr: address to be used for `window.webxdc.selfAddr` in JS land.
- * - is_app_sender: Define if the local user is the one who initially shared the webxdc application in the chat.
- * - is_broadcast: Define if the app runs in a broadcasting context.
  * - send_update_interval: Milliseconds to wait before calling `sendUpdate()` again since the last call.
  *   Should be exposed to `webxdc.sendUpdateInterval` in JS land.
  * - send_update_max_size: Maximum number of bytes accepted for a serialized update object.
@@ -5813,7 +5802,7 @@ int64_t         dc_lot_get_timestamp     (const dc_lot_t* lot);
  * These constants configure TLS certificate checks for IMAP and SMTP connections.
  *
  * These constants are set via dc_set_config()
- * using key "imap_certificate_checks".
+ * using keys "imap_certificate_checks" and "smtp_certificate_checks".
  *
  * @addtogroup DC_CERTCK
  * @{

deltachat-jsonrpc/src/api.rs

@@ -318,15 +318,6 @@ impl CommandApi {
         Ok(())
     }
 
-    /// Requests to clear storage on all chatmail relays.
-    ///
-    /// I/O must be started for this request to take effect.
-    async fn clear_all_relay_storage(&self, account_id: u32) -> Result<()> {
-        let ctx = self.get_context(account_id).await?;
-        ctx.clear_all_relay_storage().await?;
-        Ok(())
-    }
-
     /// Get top-level info for an account.
     async fn get_account_info(&self, account_id: u32) -> Result<Account> {
         let context_option = self.accounts.read().await.get_account(account_id);
@@ -1877,6 +1868,20 @@ impl CommandApi {
         deltachat::contact::make_vcard(&ctx, &contacts).await
     }
 
+    /// Sets vCard containing the given contacts to the message draft.
+    async fn set_draft_vcard(
+        &self,
+        account_id: u32,
+        msg_id: u32,
+        contacts: Vec<u32>,
+    ) -> Result<()> {
+        let ctx = self.get_context(account_id).await?;
+        let contacts: Vec<_> = contacts.iter().map(|&c| ContactId::new(c)).collect();
+        let mut msg = Message::load_from_db(&ctx, MsgId::new(msg_id)).await?;
+        msg.make_vcard(&ctx, &contacts).await?;
+        msg.get_chat_id().set_draft(&ctx, Some(&mut msg)).await
+    }
+
     // ---------------------------------------------
     //                   chat
     // ---------------------------------------------

deltachat-jsonrpc/src/api/types/webxdc.rs

@@ -37,10 +37,6 @@ pub struct WebxdcMessageInfo {
     internet_access: bool,
     /// Address to be used for `window.webxdc.selfAddr` in JS land.
     self_addr: String,
-    /// Define if the local user is the one who initially shared the webxdc application in the chat.
-    is_app_sender: bool,
-    /// Define if the app runs in a broadcasting context.
-    is_broadcast: bool,
     /// Milliseconds to wait before calling `sendUpdate()` again since the last call.
     /// Should be exposed to `window.sendUpdateInterval` in JS land.
     send_update_interval: usize,
@@ -64,8 +60,6 @@ impl WebxdcMessageInfo {
             request_integration: _,
             internet_access,
             self_addr,
-            is_app_sender,
-            is_broadcast,
             send_update_interval,
             send_update_max_size,
         } = message.get_webxdc_info(context).await?;
@@ -78,8 +72,6 @@ impl WebxdcMessageInfo {
             source_code_url: maybe_empty_string_to_option(source_code_url),
             internet_access,
             self_addr,
-            is_app_sender,
-            is_broadcast,
             send_update_interval,
             send_update_max_size,
         })

deltachat-jsonrpc/src/lib.rs

@@ -85,7 +85,7 @@ mod tests {
             assert_eq!(result, response.to_owned());
         }
         {
-            let request = r#"{"jsonrpc":"2.0","method":"batch_set_config","id":2,"params":[1,{"addr":"","mail_user":"","mail_pw":"","mail_server":"","mail_port":"","mail_security":"","imap_certificate_checks":"","send_user":"","send_pw":"","send_server":"","send_port":"","send_security":""}]}"#;
+            let request = r#"{"jsonrpc":"2.0","method":"batch_set_config","id":2,"params":[1,{"addr":"","mail_user":"","mail_pw":"","mail_server":"","mail_port":"","mail_security":"","imap_certificate_checks":"","send_user":"","send_pw":"","send_server":"","send_port":"","send_security":"","smtp_certificate_checks":""}]}"#;
             let response = r#"{"jsonrpc":"2.0","id":2,"result":null}"#;
             session.handle_incoming(request).await;
             let result = receiver.recv().await?;

deltachat-rpc-client/tests/test_folders.py

@@ -1,8 +1,59 @@
+import logging
 import re
+import time
 
 from imap_tools import AND, U
 
-from deltachat_rpc_client import EventType
+from deltachat_rpc_client import Contact, EventType, Message
+
+
+def test_reactions_for_a_reordering_move(acfactory, direct_imap):
+    """When a batch of messages is moved from Inbox to another folder with a single MOVE command,
+    their UIDs may be reordered (e.g. Gmail is known for that) which led to that messages were
+    processed by receive_imf in the wrong order, and, particularly, reactions were processed before
+    messages they refer to and thus dropped.
+    """
+    (ac1,) = acfactory.get_online_accounts(1)
+
+    addr, password = acfactory.get_credentials()
+    ac2 = acfactory.get_unconfigured_account()
+    ac2.add_or_update_transport({"addr": addr, "password": password})
+    assert ac2.is_configured()
+
+    ac2.bring_online()
+    chat1 = acfactory.get_accepted_chat(ac1, ac2)
+    ac2.stop_io()
+
+    logging.info("sending message + reaction from ac1 to ac2")
+    msg1 = chat1.send_text("hi")
+    msg1.wait_until_delivered()
+    # It's is sad, but messages must differ in their INTERNALDATEs to be processed in the correct
+    # order by DC, and most (if not all) mail servers provide only seconds precision.
+    time.sleep(1.1)
+    react_str = "\N{THUMBS UP SIGN}"
+    msg1.send_reaction(react_str).wait_until_delivered()
+
+    logging.info("moving messages to ac2's movebox folder in the reverse order")
+    ac2_direct_imap = direct_imap(ac2)
+    ac2_direct_imap.create_folder("Movebox")
+    ac2_direct_imap.connect()
+    for uid in sorted([m.uid for m in ac2_direct_imap.get_all_messages()], reverse=True):
+        ac2_direct_imap.conn.move(uid, "Movebox")
+
+    logging.info("moving messages back")
+    ac2_direct_imap.select_folder("Movebox")
+    for uid in sorted([m.uid for m in ac2_direct_imap.get_all_messages()]):
+        ac2_direct_imap.conn.move(uid, "INBOX")
+
+    logging.info("receiving messages by ac2")
+    ac2.start_io()
+    msg2 = Message(ac2, ac2.wait_for_reactions_changed().msg_id)
+    assert msg2.get_snapshot().text == msg1.get_snapshot().text
+    reactions = msg2.get_reactions()
+    contacts = [Contact(ac2, int(i)) for i in reactions.reactions_by_contact]
+    assert len(contacts) == 1
+    assert contacts[0].get_snapshot().address == ac1.get_config("addr")
+    assert list(reactions.reactions_by_contact.values())[0] == [react_str]
 
 
 def test_moved_markseen(acfactory, direct_imap, log):

deltachat-rpc-client/tests/test_webxdc.py

@@ -18,8 +18,6 @@ def test_webxdc(acfactory) -> None:
         "sourceCodeUrl": None,
         "summary": None,
         "selfAddr": webxdc_info["selfAddr"],
-        "isAppSender": False,
-        "isBroadcast": False,
         "sendUpdateInterval": 1000,
         "sendUpdateMaxSize": 18874368,
     }

deny.toml

@@ -29,11 +29,13 @@ ignore = [
     "RUSTSEC-2026-0098",
     "RUSTSEC-2026-0099",
 
-    # Panic in CRL signature checks.
-    # We do not check CRL and cannot update rustls-webpki 0.102.8 
-    # which is a dependency of iroh 0.35.0.
-    # <https://rustsec.org/advisories/RUSTSEC-2026-0104>
-    "RUSTSEC-2026-0104"
+    # rand 0.8.x
+    # <https://rustsec.org/advisories/RUSTSEC-2026-0097>
+    # We already use rand 0.9,
+    # version 0.8 that cannot be upgraded
+    # is a dependency of iroh 0.35.0 and rPGP.
+    # rPGP upgrade is waiting for <https://github.com/rpgp/rpgp/pull/573>
+    "RUSTSEC-2026-0097"
 ]
 
 [bans]

python/src/deltachat/testplugin.py

@@ -433,6 +433,7 @@ class ACFactory:
         if self.pytestconfig.getoption("--strict-tls"):
             # Enable strict certificate checks for online accounts
             configdict["imap_certificate_checks"] = str(const.DC_CERTCK_STRICT)
+            configdict["smtp_certificate_checks"] = str(const.DC_CERTCK_STRICT)
 
         assert "addr" in configdict and "mail_pw" in configdict
         return configdict
@@ -504,6 +505,7 @@ class ACFactory:
                 "addr": cloned_from.get_config("addr"),
                 "mail_pw": cloned_from.get_config("mail_pw"),
                 "imap_certificate_checks": cloned_from.get_config("imap_certificate_checks"),
+                "smtp_certificate_checks": cloned_from.get_config("smtp_certificate_checks"),
             }
         configdict.update(kwargs)
         ac = self._get_cached_account(addr=configdict["addr"]) if cache else None

scripts/README.md

@@ -48,3 +48,19 @@ the build machine (ask your friendly sysadmin on #deltachat Libera Chat) to type
 
 This will **rsync** your current checkout to the remote build machine 
 (no need to commit before) and then run either rust or python tests. 
+
+# coredeps Dockerfile
+
+`coredeps/Dockerfile` specifies an image that contains all 
+of Delta Chat's core dependencies. It is used to
+build python wheels (binary packages for Python).
+
+You can build the docker images yourself locally
+to avoid the relatively large download:
+ 
+    cd scripts  # where all CI things are 
+    docker build -t deltachat/coredeps coredeps
+
+Additionally, you can install qemu and build arm64 docker image on x86\_64 machine:
+    apt-get install qemu binfmt-support qemu-user-static
+    docker build -t deltachat/coredeps-arm64 --build-arg BASEIMAGE=quay.io/pypa/manylinux2014_aarch64 coredeps

scripts/concourse/README.md

@@ -0,0 +1,26 @@
+# Concourse CI pipeline
+
+`docs_wheels.yml` is a pipeline for [Concourse CI](https://concourse-ci.org/)
+that builds C documentation, Python documentation, Python wheels for `x86_64`
+and `aarch64` and Python source packages, and uploads them.
+
+To setup the pipeline run
+```
+fly -t <your-target> set-pipeline -c docs_wheels.yml -p docs_wheels -l secret.yml
+```
+where `secret.yml` contains the following secrets:
+```
+c.delta.chat:
+  private_key: |
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    ...
+    -----END OPENSSH PRIVATE KEY-----
+devpi:
+  login: dc
+  password: ...
+```
+
+Secrets can be read from the password manager:
+```
+fly -t b1 set-pipeline -c docs_wheels.yml -p docs_wheels -l <(pass show delta/b1.delta.chat/secret.yml)
+```

scripts/concourse/docs_wheels.yml

@@ -0,0 +1,305 @@
+resources:
+  - name: deltachat-core-rust
+    type: git
+    icon: github
+    source:
+      branch: main
+      uri: https://github.com/chatmail/core.git
+
+  - name: deltachat-core-rust-release
+    type: git
+    icon: github
+    source:
+      branch: main
+      uri: https://github.com/chatmail/core.git
+      tag_filter: "v*"
+
+jobs:
+  - name: python-x86_64
+    plan:
+      - get: deltachat-core-rust
+      - get: deltachat-core-rust-release
+        trigger: true
+
+      # Build manylinux image with additional dependencies
+      - task: build-coredeps
+        privileged: true
+        config:
+          inputs:
+            # Building the latest, not tagged coredeps
+            - name: deltachat-core-rust
+          image_resource:
+            source:
+              repository: concourse/oci-build-task
+            type: registry-image
+          outputs:
+            - name: coredeps-image
+              path: image
+          params:
+            CONTEXT: deltachat-core-rust/scripts/coredeps
+            UNPACK_ROOTFS: "true"
+            BUILD_ARG_BASEIMAGE: quay.io/pypa/manylinux2014_x86_64
+          platform: linux
+          caches:
+            - path: cache
+          run:
+            path: build
+
+      # Use built image to build python wheels
+      - task: build-wheels
+        image: coredeps-image
+        config:
+          inputs:
+            - name: deltachat-core-rust-release
+              path: .
+          outputs:
+            # Binary wheels
+            - name: py-wheels
+              path: ./python/.docker-tox/wheelhouse/
+          platform: linux
+          run:
+            path: bash
+            args:
+              - -exc
+              - |
+                scripts/run_all.sh
+
+      # Upload x86_64 wheels and source packages
+      - task: upload-wheels
+        config:
+          inputs:
+            - name: py-wheels
+          image_resource:
+            type: registry-image
+            source:
+              repository: debian
+          platform: linux
+          run:
+            path: sh
+            args:
+              - -ec
+              - |
+                apt-get update -y
+                apt-get install -y --no-install-recommends python3-pip python3-setuptools python3-venv
+                python3 -m venv env
+                env/bin/pip install --upgrade pip
+                env/bin/pip install devpi
+                env/bin/devpi use https://m.devpi.net/dc/master
+                env/bin/devpi login ((devpi.login)) --password ((devpi.password))
+                env/bin/devpi upload py-wheels/*manylinux201*
+
+  - name: python-aarch64
+    plan:
+      - get: deltachat-core-rust
+      - get: deltachat-core-rust-release
+        trigger: true
+
+      # Build manylinux image with additional dependencies
+      - task: build-coredeps
+        privileged: true
+        config:
+          inputs:
+            # Building the latest, not tagged coredeps
+            - name: deltachat-core-rust
+          image_resource:
+            source:
+              repository: concourse/oci-build-task
+            type: registry-image
+          outputs:
+            - name: coredeps-image
+              path: image
+          params:
+            CONTEXT: deltachat-core-rust/scripts/coredeps
+            UNPACK_ROOTFS: "true"
+            BUILD_ARG_BASEIMAGE: quay.io/pypa/manylinux2014_aarch64
+          platform: linux
+          caches:
+            - path: cache
+          run:
+            path: build
+
+      # Use built image to build python wheels
+      - task: build-wheels
+        image: coredeps-image
+        config:
+          inputs:
+            - name: deltachat-core-rust-release
+              path: .
+          outputs:
+            - name: py-wheels
+              path: ./python/.docker-tox/wheelhouse/
+          platform: linux
+          run:
+            path: bash
+            args:
+              - -exc
+              - |
+                scripts/run_all.sh
+
+      # Upload aarch64 wheels
+      - task: upload-wheels
+        config:
+          inputs:
+            - name: py-wheels
+          image_resource:
+            type: registry-image
+            source:
+              repository: debian
+          platform: linux
+          run:
+            path: sh
+            args:
+              - -ec
+              - |
+                apt-get update -y
+                apt-get install -y --no-install-recommends python3-pip python3-setuptools python3-venv
+                python3 -m venv env
+                env/bin/pip install --upgrade pip
+                env/bin/pip install devpi
+                env/bin/devpi use https://m.devpi.net/dc/master
+                env/bin/devpi login ((devpi.login)) --password ((devpi.password))
+                env/bin/devpi upload py-wheels/*manylinux201*
+
+  - name: python-musl-x86_64
+    plan:
+      - get: deltachat-core-rust
+      - get: deltachat-core-rust-release
+        trigger: true
+
+      # Build manylinux image with additional dependencies
+      - task: build-coredeps
+        privileged: true
+        config:
+          inputs:
+            # Building the latest, not tagged coredeps
+            - name: deltachat-core-rust
+          image_resource:
+            source:
+              repository: concourse/oci-build-task
+            type: registry-image
+          outputs:
+            - name: coredeps-image
+              path: image
+          params:
+            CONTEXT: deltachat-core-rust/scripts/coredeps
+            UNPACK_ROOTFS: "true"
+            BUILD_ARG_BASEIMAGE: quay.io/pypa/musllinux_1_1_x86_64
+          platform: linux
+          caches:
+            - path: cache
+          run:
+            path: build
+
+      # Use built image to build python wheels
+      - task: build-wheels
+        image: coredeps-image
+        config:
+          inputs:
+            - name: deltachat-core-rust-release
+              path: .
+          outputs:
+            - name: py-wheels
+              path: ./python/.docker-tox/wheelhouse/
+          platform: linux
+          run:
+            path: bash
+            args:
+              - -exc
+              - |
+                scripts/run_all.sh
+
+      # Upload musl x86_64 wheels
+      - task: upload-wheels
+        config:
+          inputs:
+            - name: py-wheels
+          image_resource:
+            type: registry-image
+            source:
+              repository: debian
+          platform: linux
+          run:
+            path: sh
+            args:
+              - -ec
+              - |
+                apt-get update -y
+                apt-get install -y --no-install-recommends python3-pip python3-setuptools python3-venv
+                python3 -m venv env
+                env/bin/pip install --upgrade pip
+                env/bin/pip install devpi
+                env/bin/devpi use https://m.devpi.net/dc/master
+                env/bin/devpi login ((devpi.login)) --password ((devpi.password))
+                env/bin/devpi upload py-wheels/*musllinux_1_1_x86_64*
+
+  - name: python-musl-aarch64
+    plan:
+      - get: deltachat-core-rust
+      - get: deltachat-core-rust-release
+        trigger: true
+
+      # Build manylinux image with additional dependencies
+      - task: build-coredeps
+        privileged: true
+        config:
+          inputs:
+            # Building the latest, not tagged coredeps
+            - name: deltachat-core-rust
+          image_resource:
+            source:
+              repository: concourse/oci-build-task
+            type: registry-image
+          outputs:
+            - name: coredeps-image
+              path: image
+          params:
+            CONTEXT: deltachat-core-rust/scripts/coredeps
+            UNPACK_ROOTFS: "true"
+            BUILD_ARG_BASEIMAGE: quay.io/pypa/musllinux_1_1_aarch64
+          platform: linux
+          caches:
+            - path: cache
+          run:
+            path: build
+
+      # Use built image to build python wheels
+      - task: build-wheels
+        image: coredeps-image
+        config:
+          inputs:
+            - name: deltachat-core-rust-release
+              path: .
+          outputs:
+            - name: py-wheels
+              path: ./python/.docker-tox/wheelhouse/
+          platform: linux
+          run:
+            path: bash
+            args:
+              - -exc
+              - |
+                scripts/run_all.sh
+
+      # Upload musl aarch64 wheels
+      - task: upload-wheels
+        config:
+          inputs:
+            - name: py-wheels
+          image_resource:
+            type: registry-image
+            source:
+              repository: debian
+          platform: linux
+          run:
+            path: sh
+            args:
+              - -ec
+              - |
+                apt-get update -y
+                apt-get install -y --no-install-recommends python3-pip python3-setuptools python3-venv
+                python3 -m venv env
+                env/bin/pip install --upgrade pip
+                env/bin/pip install devpi
+                env/bin/devpi use https://m.devpi.net/dc/master
+                env/bin/devpi login ((devpi.login)) --password ((devpi.password))
+                env/bin/devpi upload py-wheels/*musllinux_1_1_aarch64*

scripts/coredeps/Dockerfile

@@ -0,0 +1,9 @@
+ARG BASEIMAGE=quay.io/pypa/manylinux2014_x86_64
+#ARG BASEIMAGE=quay.io/pypa/musllinux_1_1_x86_64
+#ARG BASEIMAGE=quay.io/pypa/manylinux2014_aarch64
+
+FROM $BASEIMAGE
+RUN pipx install tox
+COPY install-rust.sh /scripts/
+RUN /scripts/install-rust.sh
+RUN if command -v yum; then yum install -y perl-IPC-Cmd; fi

scripts/coredeps/install-rust.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Install Rust
+#
+# Path from https://forge.rust-lang.org/infra/other-installation-methods.html
+#
+# Avoid using rustup here as it depends on reading /proc/self/exe and
+# has problems running under QEMU.
+RUST_VERSION=1.94.0
+
+ARCH="$(uname -m)"
+test -f "/lib/libc.musl-$ARCH.so.1" && LIBC=musl || LIBC=gnu
+
+curl "https://static.rust-lang.org/dist/rust-${RUST_VERSION}-$ARCH-unknown-linux-$LIBC.tar.gz" | tar xz
+cd "rust-${RUST_VERSION}-$ARCH-unknown-linux-$LIBC"
+./install.sh --prefix=/usr --components=rustc,cargo,"rust-std-$ARCH-unknown-linux-$LIBC"
+rustc --version
+cd ..
+rm -fr "rust-${RUST_VERSION}-$ARCH-unknown-linux-$LIBC"

scripts/update-provider-database.sh

@@ -6,7 +6,7 @@ set -euo pipefail
 export TZ=UTC
 
 # Provider database revision.
-REV=ad097ee40579c884e7757de2d3bb0a51f481a32a
+REV=996c4bc82be5a7404f70b185ff062da33bfa98d9
 
 CORE_ROOT="$PWD"
 TMP="$(mktemp -d)"

src/chat.rs

@@ -23,9 +23,8 @@ use crate::chatlist_events;
 use crate::color::str_to_color;
 use crate::config::Config;
 use crate::constants::{
-    self, Blocked, Chattype, DC_CHAT_ID_ALLDONE_HINT, DC_CHAT_ID_ARCHIVED_LINK,
-    DC_CHAT_ID_LAST_SPECIAL, DC_CHAT_ID_TRASH, DC_RESEND_USER_AVATAR_DAYS, EDITED_PREFIX,
-    TIMESTAMP_SENT_TOLERANCE,
+    Blocked, Chattype, DC_CHAT_ID_ALLDONE_HINT, DC_CHAT_ID_ARCHIVED_LINK, DC_CHAT_ID_LAST_SPECIAL,
+    DC_CHAT_ID_TRASH, DC_RESEND_USER_AVATAR_DAYS, EDITED_PREFIX, TIMESTAMP_SENT_TOLERANCE,
 };
 use crate::contact::{self, Contact, ContactId, Origin};
 use crate::context::Context;
@@ -35,7 +34,7 @@ use crate::download::{
 };
 use crate::ephemeral::{Timer as EphemeralTimer, start_chat_ephemeral_timers};
 use crate::events::EventType;
-use crate::key::{Fingerprint, self_fingerprint};
+use crate::key::self_fingerprint;
 use crate::location;
 use crate::log::{LogExt, warn};
 use crate::logged_debug_assert;
@@ -1189,6 +1188,7 @@ SELECT id, rfc724_mid, pre_rfc724_mid, timestamp, ?, 1 FROM msgs WHERE chat_id=?
     /// prefer plaintext emails.
     ///
     /// To get more verbose summary for a contact, including its key fingerprint, use [`Contact::get_encrinfo`].
+    #[expect(clippy::arithmetic_side_effects)]
     pub async fn get_encryption_info(self, context: &Context) -> Result<String> {
         let chat = Chat::load_from_db(context, self).await?;
         if !chat.is_encrypted(context).await? {
@@ -1752,6 +1752,7 @@ impl Chat {
     ///
     /// If `update_msg_id` is set, that record is reused;
     /// if `update_msg_id` is None, a new record is created.
+    #[expect(clippy::arithmetic_side_effects)]
     async fn prepare_msg_raw(
         &mut self,
         context: &Context,
@@ -2947,19 +2948,17 @@ pub(crate) async fn create_send_msg_jobs(context: &Context, msg: &mut Message) -
             "
 UPDATE msgs SET
     timestamp=(
-        SELECT MAX(timestamp) FROM msgs INDEXED BY msgs_index7 WHERE
+        SELECT MAX(timestamp) FROM msgs WHERE
             -- From `InFresh` to `OutMdnRcvd` inclusive except `OutDraft`.
             state IN(10,13,16,18,20,24,26,28) AND
             hidden IN(0,1) AND
-            chat_id=? AND
-            id<=?
+            chat_id=?
     ),
     pre_rfc724_mid=?, subject=?, param=?
 WHERE id=?
             ",
             (
                 msg.chat_id,
-                msg.id,
                 &msg.pre_rfc724_mid,
                 &msg.subject,
                 msg.param.to_string(),
@@ -3024,6 +3023,7 @@ pub async fn send_text_msg(
 }
 
 /// Sends chat members a request to edit the given message's text.
+#[expect(clippy::arithmetic_side_effects)]
 pub async fn send_edit_request(context: &Context, msg_id: MsgId, new_text: String) -> Result<()> {
     let mut original_msg = Message::load_from_db(context, msg_id).await?;
     ensure!(
@@ -3128,8 +3128,7 @@ pub async fn get_chat_msgs(context: &Context, chat_id: ChatId) -> Result<Vec<Cha
     .await
 }
 
-/// Returns messages belonging to the chat according to the given options,
-/// sorted by oldest message first.
+/// Returns messages belonging to the chat according to the given options.
 #[expect(clippy::arithmetic_side_effects)]
 pub async fn get_chat_msgs_ex(
     context: &Context,
@@ -3140,7 +3139,6 @@ pub async fn get_chat_msgs_ex(
         info_only,
         add_daymarker,
     } = options;
-    // TODO: Remove `info_only` parameter; it's not used by anything
     let process_row = if info_only {
         |row: &rusqlite::Row| {
             // is_info logic taken from Message.is_info()
@@ -4014,47 +4012,9 @@ pub(crate) async fn add_contact_to_chat_ex(
     if sync.into() {
         chat.sync_contacts(context).await.log_err(context).ok();
     }
-    if chat.typ == Chattype::OutBroadcast {
-        resend_last_msgs(context, chat.id, &contact)
-            .await
-            .log_err(context)
-            .ok();
-    }
     Ok(true)
 }
 
-async fn resend_last_msgs(context: &Context, chat_id: ChatId, to_contact: &Contact) -> Result<()> {
-    let msgs: Vec<MsgId> = context
-        .sql
-        .query_map_vec(
-            "
-SELECT id
-FROM msgs
-WHERE chat_id=?
-    AND hidden=0
-    AND NOT ( -- Exclude info and system messages
-        param GLOB '*\nS=*' OR param GLOB 'S=*'
-        OR from_id=?
-        OR to_id=?
-    )
-    AND type!=?
-ORDER BY timestamp DESC, id DESC LIMIT ?",
-            (
-                chat_id,
-                ContactId::INFO,
-                ContactId::INFO,
-                Viewtype::Webxdc,
-                constants::N_MSGS_TO_NEW_BROADCAST_MEMBER,
-            ),
-            |row: &rusqlite::Row| Ok(row.get::<_, MsgId>(0)?),
-        )
-        .await?
-        .into_iter()
-        .rev()
-        .collect();
-    resend_msgs_ex(context, &msgs, to_contact.fingerprint()).await
-}
-
 /// Returns true if an avatar should be attached in the given chat.
 ///
 /// This function does not check if the avatar is set.
@@ -4652,6 +4612,7 @@ pub async fn save_msgs(context: &Context, msg_ids: &[MsgId]) -> Result<()> {
 /// the copy contains a reference to the original message
 /// as well as to the original chat in case the original message gets deleted.
 /// Returns data needed to add a `SaveMessage` sync item.
+#[expect(clippy::arithmetic_side_effects)]
 pub(crate) async fn save_copy_in_self_talk(
     context: &Context,
     src_msg_id: MsgId,
@@ -4718,26 +4679,10 @@ pub(crate) async fn save_copy_in_self_talk(
     Ok(msg.rfc724_mid)
 }
 
-/// Resends given messages to members of the corresponding chats.
+/// Resends given messages with the same Message-ID.
 ///
 /// This is primarily intended to make existing webxdcs available to new chat members.
 pub async fn resend_msgs(context: &Context, msg_ids: &[MsgId]) -> Result<()> {
-    resend_msgs_ex(context, msg_ids, None).await
-}
-
-/// Resends given messages to a contact with fingerprint `to_fingerprint` or, if it's `None`, to
-/// members of the corresponding chats.
-///
-/// NB: Actually `to_fingerprint` is only passed for `OutBroadcast` chats when a new member is
-/// added. Regarding webxdcs: It is not trivial to resend only the own status updates,
-/// and it is not trivial to resend them only to the newly-joined member,
-/// so that for now, [`resend_last_msgs`] does not automatically resend webxdcs at all.
-pub(crate) async fn resend_msgs_ex(
-    context: &Context,
-    msg_ids: &[MsgId],
-    to_fingerprint: Option<Fingerprint>,
-) -> Result<()> {
-    let to_fingerprint = to_fingerprint.map(|f| f.hex());
     let mut msgs: Vec<Message> = Vec::new();
     for msg_id in msg_ids {
         let msg = Message::load_from_db(context, *msg_id).await?;
@@ -4756,17 +4701,10 @@ pub(crate) async fn resend_msgs_ex(
             | MessageState::OutFailed
             | MessageState::OutDelivered
             | MessageState::OutMdnRcvd => {
-                // Broadcast owners shouldn't see spinners on messages being auto-re-sent to new
-                // subscribers (otherwise big channel owners will see spinners most of the time).
-                if to_fingerprint.is_none() {
-                    message::update_msg_state(context, msg.id, MessageState::OutPending).await?;
-                }
+                message::update_msg_state(context, msg.id, MessageState::OutPending).await?
             }
             msg_state => bail!("Unexpected message state {msg_state}"),
         }
-        if let Some(to_fingerprint) = &to_fingerprint {
-            msg.param.set(Param::Arg4, to_fingerprint.clone());
-        }
         if create_send_msg_jobs(context, &mut msg).await?.is_empty() {
             continue;
         }
@@ -4778,8 +4716,7 @@ pub(crate) async fn resend_msgs_ex(
             chat_id: msg.chat_id,
             msg_id: msg.id,
         });
-        // The event only matters if the message is last in the chat.
-        // But it's probably too expensive check, and UIs anyways need to debounce.
+        // note(treefit): only matters if it is the last message in chat (but probably to expensive to check, debounce also solves it)
         chatlist_events::emit_chatlist_item_changed(context, msg.chat_id);
 
         if msg.viewtype == Viewtype::Webxdc {

src/chat/chat_tests.rs

@@ -3,7 +3,7 @@ use std::sync::Arc;
 use super::*;
 use crate::Event;
 use crate::chatlist::get_archived_cnt;
-use crate::constants::{DC_GCL_ARCHIVED_ONLY, DC_GCL_NO_SPECIALS, N_MSGS_TO_NEW_BROADCAST_MEMBER};
+use crate::constants::{DC_GCL_ARCHIVED_ONLY, DC_GCL_NO_SPECIALS};
 use crate::ephemeral::Timer;
 use crate::headerdef::HeaderDef;
 use crate::imex::{ImexMode, has_backup, imex};
@@ -2692,49 +2692,6 @@ async fn test_resend_own_message() -> Result<()> {
     Ok(())
 }
 
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_resend_doesnt_resort_msg() -> Result<()> {
-    let mut tcm = TestContextManager::new();
-    let alice = &tcm.alice().await;
-    let bob = &tcm.bob().await;
-    let alice_grp = create_group(alice, "").await?;
-    let sent1 = alice.send_text(alice_grp, "hi").await;
-    let sent1_ts = Message::load_from_db(alice, sent1.sender_msg_id)
-        .await?
-        .timestamp_sort;
-
-    SystemTime::shift(Duration::from_secs(60));
-    add_contact_to_chat(alice, alice_grp, alice.add_or_lookup_contact_id(bob).await).await?;
-    let sent2 = alice
-        .send_text(
-            alice_grp,
-            "Let's test resending, there are very few tests on it",
-        )
-        .await;
-    let resent_msg_id = sent1.sender_msg_id;
-    resend_msgs(alice, &[resent_msg_id]).await?;
-    assert_eq!(
-        resent_msg_id.get_state(alice).await?,
-        MessageState::OutPending
-    );
-    alice.pop_sent_msg().await;
-    assert_eq!(
-        resent_msg_id.get_state(alice).await?,
-        MessageState::OutDelivered
-    );
-    assert_eq!(
-        Message::load_from_db(alice, sent1.sender_msg_id)
-            .await?
-            .timestamp_sort,
-        sent1_ts
-    );
-    assert_eq!(
-        alice.get_last_msg_id_in(alice_grp).await,
-        sent2.sender_msg_id
-    );
-    Ok(())
-}
-
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn test_resend_foreign_message_fails() -> Result<()> {
     let mut tcm = TestContextManager::new();
@@ -2848,15 +2805,6 @@ async fn test_broadcast_members_cant_see_each_other() -> Result<()> {
             "alice@example.org charlie@example.net"
         );
 
-        // Check additionally that subscribers don't send "Chat-Group-Name*" headers.
-        let parsed = alice.parse_msg(&request_with_auth).await;
-        assert!(parsed.get_header(HeaderDef::ChatGroupName).is_none());
-        assert!(
-            parsed
-                .get_header(HeaderDef::ChatGroupNameTimestamp)
-                .is_none()
-        );
-
         alice.recv_msg_trash(&request_with_auth).await;
     }
 
@@ -2999,56 +2947,6 @@ async fn test_broadcast_change_name() -> Result<()> {
     Ok(())
 }
 
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_broadcast_resend_to_new_member() -> Result<()> {
-    let mut tcm = TestContextManager::new();
-    let alice = &tcm.alice().await;
-    let bob = &tcm.bob().await;
-    let fiona = &tcm.fiona().await;
-
-    let alice_bc_id = create_broadcast(alice, "Channel".to_string()).await?;
-    let qr = get_securejoin_qr(alice, Some(alice_bc_id)).await.unwrap();
-
-    tcm.exec_securejoin_qr(bob, alice, &qr).await;
-    let mut alice_msg_ids = Vec::new();
-    for i in 0..(N_MSGS_TO_NEW_BROADCAST_MEMBER + 1) {
-        alice_msg_ids.push(
-            alice
-                .send_text(alice_bc_id, &i.to_string())
-                .await
-                .sender_msg_id,
-        );
-    }
-    let fiona_bc_id = tcm.exec_securejoin_qr(fiona, alice, &qr).await;
-    for msg_id in alice_msg_ids {
-        assert_eq!(msg_id.get_state(alice).await?, MessageState::OutDelivered);
-    }
-    for i in 0..N_MSGS_TO_NEW_BROADCAST_MEMBER {
-        let rev_order = false;
-        let resent_msg = alice
-            .pop_sent_msg_ex(rev_order, Duration::ZERO)
-            .await
-            .unwrap();
-        let fiona_msg = fiona.recv_msg(&resent_msg).await;
-        assert_eq!(fiona_msg.chat_id, fiona_bc_id);
-        assert_eq!(fiona_msg.text, (i + 1).to_string());
-        assert!(resent_msg.recipients.contains("fiona@example.net"));
-        assert!(!resent_msg.recipients.contains("bob@"));
-        // The message is undecryptable for Bob, he mustn't be able to know yet that somebody joined
-        // the broadcast even if he is a postman in this land. E.g. Fiona may leave after fetching
-        // the news, Bob won't know about that.
-        assert!(
-            MimeMessage::from_bytes(bob, resent_msg.payload().as_bytes())
-                .await?
-                .decryption_error
-                .is_some()
-        );
-        bob.recv_msg_trash(&resent_msg).await;
-    }
-    assert!(alice.pop_sent_msg_opt(Duration::ZERO).await.is_none());
-    Ok(())
-}
-
 /// - Alice has multiple devices
 /// - Alice creates a broadcast and sends a message into it
 /// - Alice's second device sees the broadcast

src/config.rs

@@ -42,85 +42,50 @@ use crate::{constants, stats};
 )]
 #[strum(serialize_all = "snake_case")]
 pub enum Config {
-    /// Deprecated(2026-04).
-    /// Use ConfiguredAddr, [`crate::login_param::EnteredLoginParam`],
-    /// or add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Email address, used in the `From:` field.
     Addr,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// IMAP server hostname.
     MailServer,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// IMAP server username.
     MailUser,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// IMAP server password.
     MailPw,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// IMAP server port.
     MailPort,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// IMAP server security (e.g. TLS, STARTTLS).
     MailSecurity,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// How to check TLS certificates.
     ///
     /// "IMAP" in the name is for compatibility,
     /// this actually applies to both IMAP and SMTP connections.
     ImapCertificateChecks,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// SMTP server hostname.
     SendServer,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// SMTP server username.
     SendUser,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// SMTP server password.
     SendPw,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// SMTP server port.
     SendPort,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// SMTP server security (e.g. TLS, STARTTLS).
     SendSecurity,
 
-    /// Deprecated(2026-04).
-    /// Use EnteredLoginParam and add_transport{from_qr}()/list_transports() instead.
+    /// Deprecated option for backwards compatibility.
     ///
+    /// Certificate checks for SMTP are actually controlled by `imap_certificate_checks` config.
+    SmtpCertificateChecks,
+
     /// Whether to use OAuth 2.
     ///
     /// Historically contained other bitflags, which are now deprecated.
@@ -220,47 +185,32 @@ pub enum Config {
     /// The primary email address.
     ConfiguredAddr,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// List of configured IMAP servers as a JSON array.
     ConfiguredImapServers,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Configured IMAP server hostname.
     ///
     /// This is replaced by `configured_imap_servers` for new configurations.
     ConfiguredMailServer,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Configured IMAP server port.
+    ///
+    /// This is replaced by `configured_imap_servers` for new configurations.
     ConfiguredMailPort,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Configured IMAP server security (e.g. TLS, STARTTLS).
+    ///
+    /// This is replaced by `configured_imap_servers` for new configurations.
     ConfiguredMailSecurity,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Configured IMAP server username.
+    ///
+    /// This is set if user has configured username manually.
     ConfiguredMailUser,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Configured IMAP server password.
     ConfiguredMailPw,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Configured TLS certificate checks.
     /// This option is saved on successful configuration
     /// and should not be modified manually.
@@ -269,53 +219,37 @@ pub enum Config {
     /// but has "IMAP" in the name for backwards compatibility.
     ConfiguredImapCertificateChecks,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// List of configured SMTP servers as a JSON array.
     ConfiguredSmtpServers,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Configured SMTP server hostname.
     ///
     /// This is replaced by `configured_smtp_servers` for new configurations.
     ConfiguredSendServer,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Configured SMTP server port.
     ///
     /// This is replaced by `configured_smtp_servers` for new configurations.
     ConfiguredSendPort,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Configured SMTP server security (e.g. TLS, STARTTLS).
     ///
     /// This is replaced by `configured_smtp_servers` for new configurations.
     ConfiguredSendSecurity,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Configured SMTP server username.
     ///
     /// This is set if user has configured username manually.
     ConfiguredSendUser,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
-    ///
     /// Configured SMTP server password.
     ConfiguredSendPw,
 
-    /// Deprecated(2026-04).
-    /// Use ConfiguredLoginParam and add_transport{from_qr}()/list_transports() instead.
+    /// Deprecated, stored for backwards compatibility.
     ///
+    /// ConfiguredImapCertificateChecks is actually used.
+    ConfiguredSmtpCertificateChecks,
+
     /// Whether OAuth 2 is used with configured provider.
     ConfiguredServerFlags,
 
@@ -328,9 +262,6 @@ pub enum Config {
     /// ID of the configured provider from the provider database.
     ConfiguredProvider,
 
-    /// Deprecated(2026-04).
-    /// Use [`Context::is_configured()`] instead.
-    ///
     /// True if account is configured.
     Configured,
 

src/configure.rs

@@ -76,7 +76,7 @@ impl Context {
     /// Deprecated since 2025-02; use `add_transport_from_qr()`
     /// or `add_or_update_transport()` instead.
     pub async fn configure(&self) -> Result<()> {
-        let mut param = EnteredLoginParam::load_legacy(self).await?;
+        let mut param = EnteredLoginParam::load(self).await?;
 
         self.add_transport_inner(&mut param).await
     }
@@ -150,7 +150,7 @@ impl Context {
             progress!(self, 0, Some(error_msg.clone()));
             bail!(error_msg);
         } else {
-            param.save_legacy(self).await?;
+            param.save(self).await?;
             progress!(self, 1000);
         }
 

src/constants.rs

@@ -244,9 +244,6 @@ Here is what to do:
 
 If you have any questions, please send an email to delta@merlinux.eu or ask at https://support.delta.chat/."#;
 
-/// How many recent messages should be re-sent to a new broadcast member.
-pub(crate) const N_MSGS_TO_NEW_BROADCAST_MEMBER: usize = 10;
-
 #[cfg(test)]
 mod tests {
     use num_traits::FromPrimitive;

src/contact.rs

@@ -2068,6 +2068,7 @@ pub(crate) async fn mark_contact_id_as_verified(
     Ok(())
 }
 
+#[expect(clippy::arithmetic_side_effects)]
 fn cat_fingerprint(ret: &mut String, name: &str, addr: &str, fingerprint: &str) {
     *ret += &format!("\n\n{name} ({addr}):\n{fingerprint}");
 }

src/context.rs

@@ -25,7 +25,7 @@ use crate::key::self_fingerprint;
 use crate::log::warn;
 use crate::logged_debug_assert;
 use crate::message::{self, MessageState, MsgId};
-use crate::net::tls::{SpkiHashStore, TlsSessionStore};
+use crate::net::tls::TlsSessionStore;
 use crate::peer_channels::Iroh;
 use crate::push::PushSubscriber;
 use crate::quota::QuotaInfo;
@@ -308,13 +308,6 @@ pub struct InnerContext {
     /// TLS session resumption cache.
     pub(crate) tls_session_store: TlsSessionStore,
 
-    /// Store for TLS SPKI hashes.
-    ///
-    /// Used to remember public keys
-    /// of TLS certificates to accept them
-    /// even after they expire.
-    pub(crate) spki_hash_store: SpkiHashStore,
-
     /// Iroh for realtime peer channels.
     pub(crate) iroh: Arc<RwLock<Option<Iroh>>>,
 
@@ -518,7 +511,6 @@ impl Context {
             push_subscriber,
             push_subscribed: AtomicBool::new(false),
             tls_session_store: TlsSessionStore::new(),
-            spki_hash_store: SpkiHashStore::new(),
             iroh: Arc::new(RwLock::new(None)),
             self_fingerprint: OnceLock::new(),
             self_public_key: Mutex::new(None),
@@ -568,15 +560,6 @@ impl Context {
         }
     }
 
-    /// Requests deletion of all messages from chatmail relays.
-    ///
-    /// Non-chatmail relays are excluded
-    /// to avoid accidentally deleting emails
-    /// from shared inboxes.
-    pub async fn clear_all_relay_storage(&self) -> Result<()> {
-        self.scheduler.clear_all_relay_storage().await
-    }
-
     /// Restarts the IO scheduler if it was running before
     /// when it is not running this is an no-op
     pub async fn restart_io_if_running(&self) {

src/context/context_tests.rs

@@ -284,6 +284,7 @@ async fn test_get_info_completeness() {
         "send_security",
         "server_flags",
         "skip_start_messages",
+        "smtp_certificate_checks",
         "proxy_url",      // May contain passwords, don't leak it to the logs.
         "socks5_enabled", // SOCKS5 options are deprecated.
         "socks5_host",

src/events/chatlist_events.rs

@@ -89,9 +89,13 @@ mod test_chatlist_events {
             .get_matching(|evt| match evt {
                 EventType::ChatlistItemChanged {
                     chat_id: Some(ev_chat_id),
-                } if ev_chat_id == &chat_id => {
-                    first_event_is_item.store(true, Ordering::Relaxed);
-                    true
+                } => {
+                    if ev_chat_id == &chat_id {
+                        first_event_is_item.store(true, Ordering::Relaxed);
+                        true
+                    } else {
+                        false
+                    }
                 }
                 EventType::ChatlistChanged => true,
                 _ => false,

src/html.rs

@@ -86,6 +86,7 @@ impl HtmlMsgParser {
     /// Function takes a raw mime-message string,
     /// searches for the main-text part
     /// and returns that as parser.html
+    #[expect(clippy::arithmetic_side_effects)]
     pub fn from_bytes<'a>(
         context: &Context,
         rawmime: &'a [u8],
@@ -119,6 +120,7 @@ impl HtmlMsgParser {
     /// Usually, there is at most one plain-text and one HTML-text part,
     /// multiple plain-text parts might be used for mailinglist-footers,
     /// therefore we use the first one.
+    #[expect(clippy::arithmetic_side_effects)]
     fn collect_texts_recursive<'a>(
         &'a mut self,
         context: &'a Context,

src/imap.rs

@@ -489,7 +489,7 @@ impl Imap {
         let session = match self.connect(context, configuring).await {
             Ok(session) => session,
             Err(err) => {
-                self.connectivity.set_err(context, format!("{err:#}"));
+                self.connectivity.set_err(context, &err);
                 return Err(err);
             }
         };
@@ -945,29 +945,6 @@ impl Session {
         Ok(())
     }
 
-    /// Deletes all messages from IMAP folder.
-    pub(crate) async fn delete_all_messages(
-        &mut self,
-        context: &Context,
-        folder: &str,
-    ) -> Result<()> {
-        let transport_id = self.transport_id();
-
-        if self.select_with_uidvalidity(context, folder).await? {
-            self.add_flag_finalized_with_set("1:*", "\\Deleted").await?;
-            self.selected_folder_needs_expunge = true;
-            context
-                .sql
-                .execute(
-                    "DELETE FROM imap WHERE transport_id=? AND folder=?",
-                    (transport_id, folder),
-                )
-                .await?;
-        }
-
-        Ok(())
-    }
-
     /// Moves batch of messages identified by their UID from the currently
     /// selected folder to the target folder.
     async fn move_message_batch(

src/imap/client.rs

@@ -220,8 +220,6 @@ impl Client {
             alpn(addr.port()),
             logging_stream,
             &context.tls_session_store,
-            &context.spki_hash_store,
-            &context.sql,
         )
         .await?;
         let buffered_stream = BufWriter::new(tls_stream);
@@ -284,8 +282,6 @@ impl Client {
             "",
             tcp_stream,
             &context.tls_session_store,
-            &context.spki_hash_store,
-            &context.sql,
         )
         .await
         .context("STARTTLS upgrade failed")?;
@@ -314,8 +310,6 @@ impl Client {
             alpn(port),
             proxy_stream,
             &context.tls_session_store,
-            &context.spki_hash_store,
-            &context.sql,
         )
         .await?;
         let buffered_stream = BufWriter::new(tls_stream);
@@ -379,8 +373,6 @@ impl Client {
             "",
             proxy_stream,
             &context.tls_session_store,
-            &context.spki_hash_store,
-            &context.sql,
         )
         .await
         .context("STARTTLS upgrade failed")?;

src/imap/session.rs

@@ -16,7 +16,7 @@ use crate::net::session::SessionStream;
 /// - Autocrypt-Setup-Message to check if a message is an autocrypt setup message,
 ///   not necessarily sent by Delta Chat.
 /// - Chat-Is-Post-Message to skip it in background fetch or when it is > `DownloadLimit`.
-const PREFETCH_FLAGS: &str = "(UID RFC822.SIZE BODY.PEEK[HEADER.FIELDS (\
+const PREFETCH_FLAGS: &str = "(UID INTERNALDATE RFC822.SIZE BODY.PEEK[HEADER.FIELDS (\
                               MESSAGE-ID \
                               DATE \
                               X-MICROSOFT-ORIGINAL-MESSAGE-ID \
@@ -124,7 +124,7 @@ impl Session {
     }
 
     /// Prefetch `n_uids` messages starting from `uid_next`. Returns a list of fetch results in the
-    /// order of ascending UIDs.
+    /// order of ascending delivery time to the server (INTERNALDATE).
     #[expect(clippy::arithmetic_side_effects)]
     pub(crate) async fn prefetch(
         &mut self,
@@ -142,10 +142,10 @@ impl Session {
         let mut msgs = BTreeMap::new();
         while let Some(msg) = list.try_next().await? {
             if let Some(msg_uid) = msg.uid {
-                msgs.insert(msg_uid, msg);
+                msgs.insert((msg.internal_date(), msg_uid), msg);
             }
         }
 
-        Ok(Vec::from_iter(msgs))
+        Ok(msgs.into_iter().map(|((_, uid), msg)| (uid, msg)).collect())
     }
 }

src/login_param.rs

@@ -138,11 +138,10 @@ pub struct EnteredLoginParam {
 }
 
 impl EnteredLoginParam {
-    /// Loads entered account settings
-    /// that were set by the deprecated `configured_*` configs.
+    /// Loads entered account settings.
     ///
-    /// This is only needed by tests and clients using the old CFFI API.
-    pub(crate) async fn load_legacy(context: &Context) -> Result<Self> {
+    /// This is a legacy API for loading from separate config parameters.
+    pub(crate) async fn load(context: &Context) -> Result<Self> {
         let addr = context
             .get_config(Config::Addr)
             .await?
@@ -179,7 +178,7 @@ impl EnteredLoginParam {
         // The setting is named `imap_certificate_checks`
         // for backwards compatibility,
         // but now it is a global setting applied to all protocols,
-        // while `smtp_certificate_checks` has been removed.
+        // while `smtp_certificate_checks` is ignored.
         let certificate_checks = if let Some(certificate_checks) = context
             .get_config_parsed::<i32>(Config::ImapCertificateChecks)
             .await?
@@ -242,10 +241,7 @@ impl EnteredLoginParam {
 
     /// Saves entered account settings,
     /// so that they can be prefilled if the user wants to configure the server again.
-    ///
-    /// This is needed in case a UI is not yet updated, and still uses `get_config("mail_pw")` etc.
-    /// in order to prefill the entered account settings.
-    pub(crate) async fn save_legacy(&self, context: &Context) -> Result<()> {
+    pub(crate) async fn save(&self, context: &Context) -> Result<()> {
         context.set_config(Config::Addr, Some(&self.addr)).await?;
 
         context
@@ -368,7 +364,7 @@ mod tests {
             .await?;
         t.set_config(Config::MailPw, Some("foobarbaz")).await?;
 
-        let param = EnteredLoginParam::load_legacy(t).await?;
+        let param = EnteredLoginParam::load(t).await?;
         assert_eq!(param.addr, "alice@example.org");
         assert_eq!(
             param.certificate_checks,
@@ -377,13 +373,13 @@ mod tests {
 
         t.set_config(Config::ImapCertificateChecks, Some("1"))
             .await?;
-        let param = EnteredLoginParam::load_legacy(t).await?;
+        let param = EnteredLoginParam::load(t).await?;
         assert_eq!(param.certificate_checks, EnteredCertificateChecks::Strict);
 
         // Fail to load invalid settings, but do not panic.
         t.set_config(Config::ImapCertificateChecks, Some("999"))
             .await?;
-        assert!(EnteredLoginParam::load_legacy(t).await.is_err());
+        assert!(EnteredLoginParam::load(t).await.is_err());
 
         Ok(())
     }
@@ -411,7 +407,7 @@ mod tests {
             certificate_checks: Default::default(),
             oauth2: false,
         };
-        param.save_legacy(&t).await?;
+        param.save(&t).await?;
         assert_eq!(
             t.get_config(Config::Addr).await?.unwrap(),
             "alice@example.org"
@@ -420,7 +416,7 @@ mod tests {
         assert_eq!(t.get_config(Config::SendPw).await?, None);
         assert_eq!(t.get_config_int(Config::SendPort).await?, 2947);
 
-        assert_eq!(EnteredLoginParam::load_legacy(&t).await?, param);
+        assert_eq!(EnteredLoginParam::load(&t).await?, param);
 
         Ok(())
     }

src/message.rs

@@ -199,6 +199,7 @@ SELECT ?1, rfc724_mid, pre_rfc724_mid, timestamp, ?, ? FROM msgs WHERE id=?1
     }
 
     /// Returns detailed message information in a multi-line text form.
+    #[expect(clippy::arithmetic_side_effects)]
     pub async fn get_info(self, context: &Context) -> Result<String> {
         let msg = Message::load_from_db(context, self).await?;
 
@@ -824,6 +825,7 @@ impl Message {
     ///
     /// Currently this includes `additional_text`, but this may change in future, when the UIs show
     /// the necessary info themselves.
+    #[expect(clippy::arithmetic_side_effects)]
     pub fn get_text(&self) -> String {
         self.text.clone() + &self.additional_text
     }

src/mimefactory.rs

@@ -194,7 +194,6 @@ fn new_address_with_name(name: &str, address: String) -> Address<'static> {
 }
 
 impl MimeFactory {
-    /// Returns `MimeFactory` for rendering `msg`.
     #[expect(clippy::arithmetic_side_effects)]
     pub async fn from_msg(context: &Context, msg: Message) -> Result<MimeFactory> {
         let now = time();
@@ -1395,7 +1394,10 @@ impl MimeFactory {
             }
         }
 
-        if chat.typ == Chattype::Group || chat.typ == Chattype::OutBroadcast {
+        if chat.typ == Chattype::Group
+            || chat.typ == Chattype::OutBroadcast
+            || chat.typ == Chattype::InBroadcast
+        {
             headers.push((
                 "Chat-Group-Name",
                 mail_builder::headers::text::Text::new(chat.name.to_string()).into(),
@@ -1406,11 +1408,7 @@ impl MimeFactory {
                     mail_builder::headers::text::Text::new(ts.to_string()).into(),
                 ));
             }
-        }
-        if chat.typ == Chattype::Group
-            || chat.typ == Chattype::OutBroadcast
-            || chat.typ == Chattype::InBroadcast
-        {
+
             match command {
                 SystemMessage::MemberRemovedFromGroup => {
                     let email_to_remove = msg.param.get(Param::Arg).unwrap_or_default();
@@ -1889,6 +1887,7 @@ impl MimeFactory {
     }
 
     /// Render an MDN
+    #[expect(clippy::arithmetic_side_effects)]
     fn render_mdn(&mut self) -> Result<MimePart<'static>> {
         // RFC 6522, this also requires the `report-type` parameter which is equal
         // to the MIME subtype of the second body part of the multipart/report
@@ -2227,18 +2226,18 @@ fn should_encrypt_symmetrically(msg: &Message, chat: &Chat) -> bool {
 /// rather than all recipients.
 /// This function returns the fingerprint of the recipient the message should be sent to.
 fn must_have_only_one_recipient<'a>(msg: &'a Message, chat: &Chat) -> Option<Result<&'a str>> {
-    if chat.typ != Chattype::OutBroadcast {
-        None
-    } else if let Some(fp) = msg.param.get(Param::Arg4) {
-        Some(Ok(fp))
-    } else if matches!(
-        msg.param.get_cmd(),
-        SystemMessage::MemberRemovedFromGroup | SystemMessage::MemberAddedToGroup
-    ) {
-        Some(Err(format_err!("Missing removed/added member")))
-    } else {
-        None
+    if chat.typ == Chattype::OutBroadcast
+        && matches!(
+            msg.param.get_cmd(),
+            SystemMessage::MemberRemovedFromGroup | SystemMessage::MemberAddedToGroup
+        )
+    {
+        let Some(fp) = msg.param.get(Param::Arg4) else {
+            return Some(Err(format_err!("Missing removed/added member")));
+        };
+        return Some(Ok(fp));
     }
+    None
 }
 
 async fn build_body_file(context: &Context, msg: &Message) -> Result<MimePart<'static>> {

src/mimeparser.rs

@@ -269,6 +269,7 @@ impl MimeMessage {
     ///
     /// This method has some side-effects,
     /// such as saving blobs and saving found public keys to the database.
+    #[expect(clippy::arithmetic_side_effects)]
     pub(crate) async fn from_bytes(context: &Context, body: &[u8]) -> Result<Self> {
         let mail = mailparse::parse_mail(body)?;
 

src/net.rs

@@ -12,7 +12,7 @@ use tokio_io_timeout::TimeoutStream;
 
 use crate::context::Context;
 use crate::net::session::SessionStream;
-use crate::net::tls::{SpkiHashStore, TlsSessionStore};
+use crate::net::tls::TlsSessionStore;
 use crate::sql::Sql;
 use crate::tools::time;
 
@@ -130,8 +130,6 @@ pub(crate) async fn connect_tls_inner(
     strict_tls: bool,
     alpn: &str,
     tls_session_store: &TlsSessionStore,
-    spki_hash_store: &SpkiHashStore,
-    sql: &Sql,
 ) -> Result<impl SessionStream + 'static> {
     let use_sni = true;
     let tcp_stream = connect_tcp_inner(addr).await?;
@@ -143,8 +141,6 @@ pub(crate) async fn connect_tls_inner(
         alpn,
         tcp_stream,
         tls_session_store,
-        spki_hash_store,
-        sql,
     )
     .await?;
     Ok(tls_stream)

src/net/http.rs

@@ -87,8 +87,6 @@ where
                     "",
                     proxy_stream,
                     &context.tls_session_store,
-                    &context.spki_hash_store,
-                    &context.sql,
                 )
                 .await?;
                 Box::new(tls_stream)
@@ -101,8 +99,6 @@ where
                     "",
                     tcp_stream,
                     &context.tls_session_store,
-                    &context.spki_hash_store,
-                    &context.sql,
                 )
                 .await?;
                 Box::new(tls_stream)

src/net/proxy.rs

@@ -171,6 +171,7 @@ pub enum ProxyConfig {
 }
 
 /// Constructs HTTP/1.1 `CONNECT` request for HTTP(S) proxy.
+#[expect(clippy::arithmetic_side_effects)]
 fn http_connect_request(host: &str, port: u16, auth: Option<(&str, &str)>) -> String {
     // According to <https://datatracker.ietf.org/doc/html/rfc7230#section-5.4>
     // clients MUST send `Host:` header in HTTP/1.1 requests,
@@ -319,6 +320,7 @@ impl ProxyConfig {
     /// config into `proxy_url` if `proxy_url` is unset or empty.
     ///
     /// Unsets `socks5_host`, `socks5_port`, `socks5_user` and `socks5_password` in any case.
+    #[expect(clippy::arithmetic_side_effects)]
     async fn migrate_socks_config(sql: &Sql) -> Result<()> {
         if sql.get_raw_config("proxy_url").await?.is_none() {
             // Load legacy SOCKS5 settings.
@@ -434,8 +436,6 @@ impl ProxyConfig {
                     "",
                     tcp_stream,
                     &context.tls_session_store,
-                    &context.spki_hash_store,
-                    &context.sql,
                 )
                 .await?;
                 let auth = if let Some((username, password)) = &https_config.user_password {

src/net/tls.rs

@@ -6,20 +6,13 @@ use std::sync::Arc;
 use anyhow::Result;
 
 use crate::net::session::SessionStream;
-use crate::sql::Sql;
-use crate::tools::time;
 
 use tokio_rustls::rustls;
 use tokio_rustls::rustls::client::ClientSessionStore;
-use tokio_rustls::rustls::server::ParsedCertificate;
 
 mod danger;
-use danger::CustomCertificateVerifier;
+use danger::NoCertificateVerification;
 
-mod spki;
-pub use spki::SpkiHashStore;
-
-#[expect(clippy::too_many_arguments)]
 pub async fn wrap_tls<'a>(
     strict_tls: bool,
     hostname: &str,
@@ -28,21 +21,10 @@ pub async fn wrap_tls<'a>(
     alpn: &str,
     stream: impl SessionStream + 'static,
     tls_session_store: &TlsSessionStore,
-    spki_hash_store: &SpkiHashStore,
-    sql: &Sql,
 ) -> Result<impl SessionStream + 'a> {
     if strict_tls {
-        let tls_stream = wrap_rustls(
-            hostname,
-            port,
-            use_sni,
-            alpn,
-            stream,
-            tls_session_store,
-            spki_hash_store,
-            sql,
-        )
-        .await?;
+        let tls_stream =
+            wrap_rustls(hostname, port, use_sni, alpn, stream, tls_session_store).await?;
         let boxed_stream: Box<dyn SessionStream> = Box::new(tls_stream);
         Ok(boxed_stream)
     } else {
@@ -112,7 +94,6 @@ impl TlsSessionStore {
     }
 }
 
-#[expect(clippy::too_many_arguments)]
 pub async fn wrap_rustls<'a>(
     hostname: &str,
     port: u16,
@@ -120,11 +101,9 @@ pub async fn wrap_rustls<'a>(
     alpn: &str,
     stream: impl SessionStream + 'a,
     tls_session_store: &TlsSessionStore,
-    spki_hash_store: &SpkiHashStore,
-    sql: &Sql,
 ) -> Result<impl SessionStream + 'a> {
-    let root_cert_store =
-        rustls::RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+    let mut root_cert_store = rustls::RootCertStore::empty();
+    root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
 
     let mut config = rustls::ClientConfig::builder()
         .with_root_certificates(root_cert_store)
@@ -148,28 +127,20 @@ pub async fn wrap_rustls<'a>(
     config.resumption = resumption;
     config.enable_sni = use_sni;
 
-    config
-        .dangerous()
-        .set_certificate_verifier(Arc::new(CustomCertificateVerifier::new(
-            spki_hash_store.get_spki_hash(hostname, sql).await?,
-        )));
+    // Do not verify certificates for hostnames starting with `_`.
+    // They are used for servers with self-signed certificates, e.g. for local testing.
+    // Hostnames starting with `_` can have only self-signed TLS certificates or wildcard certificates.
+    // It is not possible to get valid non-wildcard TLS certificates because CA/Browser Forum requirements
+    // explicitly state that domains should start with a letter, digit or hyphen:
+    // https://github.com/cabforum/servercert/blob/24f38fd4765e019db8bb1a8c56bf63c7115ce0b0/docs/BR.md
+    if hostname.starts_with("_") {
+        config
+            .dangerous()
+            .set_certificate_verifier(Arc::new(NoCertificateVerification::new()));
+    }
 
     let tls = tokio_rustls::TlsConnector::from(Arc::new(config));
     let name = tokio_rustls::rustls::pki_types::ServerName::try_from(hostname)?.to_owned();
     let tls_stream = tls.connect(name, stream).await?;
-
-    // Successfully connected.
-    // Remember SPKI hash to accept it later if certificate expires.
-    let (_io, client_connection) = tls_stream.get_ref();
-    if let Some(end_entity) = client_connection
-        .peer_certificates()
-        .and_then(|certs| certs.first())
-    {
-        let now = time();
-        let parsed_certificate = ParsedCertificate::try_from(end_entity)?;
-        let spki = parsed_certificate.subject_public_key_info();
-        spki_hash_store.save_spki(hostname, &spki, sql, now).await?;
-    }
-
     Ok(tls_stream)
 }

src/net/tls/danger.rs

@@ -1,93 +1,26 @@
-//! Custom TLS verification.
-//!
-//! We want to accept expired certificates.
+//! Dangerous TLS implementation of accepting invalid certificates for Rustls.
 
-use rustls::RootCertStore;
-use rustls::client::{verify_server_cert_signed_by_trust_anchor, verify_server_name};
 use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
-use rustls::server::ParsedCertificate;
 use tokio_rustls::rustls;
 
-use crate::net::tls::spki::spki_hash;
-
 #[derive(Debug)]
-pub(super) struct CustomCertificateVerifier {
-    /// Root certificates.
-    root_cert_store: RootCertStore,
+pub(super) struct NoCertificateVerification();
 
-    /// Expected SPKI hash as a base64 of SHA-256.
-    spki_hash: Option<String>,
-}
-
-impl CustomCertificateVerifier {
-    pub(super) fn new(spki_hash: Option<String>) -> Self {
-        let root_cert_store =
-            RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-        Self {
-            root_cert_store,
-            spki_hash,
-        }
+impl NoCertificateVerification {
+    pub(super) fn new() -> Self {
+        Self()
     }
 }
 
-impl rustls::client::danger::ServerCertVerifier for CustomCertificateVerifier {
+impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
     fn verify_server_cert(
         &self,
-        end_entity: &CertificateDer<'_>,
-        intermediates: &[CertificateDer<'_>],
-        server_name: &ServerName<'_>,
-        // OCSP is a certificate revocation mechanism that is intentionally ignored.
-        // It is practically not used and is essentially deprecated
-        // in favor of Certificate Revocation Lists.
-        // Let's Encrypt has disabled OCSP responders in 2025:
-        // <https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-end-of-life>.
-        // Theoretically checking of stapled OCSP responses could be implemented,
-        // but it is not interesting to implement it because it is not used
-        // by the servers: <https://github.com/rustls/webpki/issues/217>.
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
         _ocsp_response: &[u8],
-        now: UnixTime,
+        _now: UnixTime,
     ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
-        let parsed_certificate = ParsedCertificate::try_from(end_entity)?;
-
-        let spki = parsed_certificate.subject_public_key_info();
-
-        let provider = rustls::crypto::ring::default_provider();
-
-        if let ServerName::DnsName(dns_name) = server_name
-            && dns_name.as_ref().starts_with("_")
-        {
-            // Do not verify certificates for hostnames starting with `_`.
-            // They are used for servers with self-signed certificates, e.g. for local testing.
-            // Hostnames starting with `_` can have only self-signed TLS certificates or wildcard certificates.
-            // It is not possible to get valid non-wildcard TLS certificates because CA/Browser Forum requirements
-            // explicitly state that domains should start with a letter, digit or hyphen:
-            // https://github.com/cabforum/servercert/blob/24f38fd4765e019db8bb1a8c56bf63c7115ce0b0/docs/BR.md
-        } else if let Some(hash) = &self.spki_hash
-            && spki_hash(&spki) == *hash
-        {
-            // Last time we successfully connected to this hostname with TLS checks,
-            // SPKI had this hash.
-            // It does not matter if certificate has now expired.
-        } else {
-            // verify_server_cert_signed_by_trust_anchor does no revocation checking:
-            // <https://docs.rs/rustls/0.23.37/rustls/client/fn.verify_server_cert_signed_by_trust_anchor.html>
-            // We don't do it either.
-            verify_server_cert_signed_by_trust_anchor(
-                &parsed_certificate,
-                &self.root_cert_store,
-                intermediates,
-                now,
-                provider.signature_verification_algorithms.all,
-            )?;
-        }
-
-        // Verify server name unconditionally.
-        //
-        // We do this even for self-signed certificates when hostname starts with `_`
-        // so we don't try to connect to captive portals
-        // and fail on MITM certificates if they are generated once
-        // and reused for all hostnames.
-        verify_server_name(&parsed_certificate, server_name)?;
         Ok(rustls::client::danger::ServerCertVerified::assertion())
     }
 

src/net/tls/spki.rs

@@ -1,133 +0,0 @@
-//! SPKI hash storage.
-//!
-//! We store hashes of Subject Public Key Info from TLS certificates
-//! after successful connection to allow connecting when
-//! server certificate expires as long as the key is not changed.
-
-use std::collections::BTreeMap;
-
-use anyhow::Result;
-use base64::Engine as _;
-use parking_lot::RwLock;
-use sha2::{Digest, Sha256};
-use tokio_rustls::rustls::pki_types::SubjectPublicKeyInfoDer;
-
-use crate::sql::Sql;
-use crate::tools::time;
-
-/// Calculates Subject Public Key Info SHA-256 hash and returns it as base64.
-///
-/// This is the same format as used in <https://www.rfc-editor.org/rfc/rfc7469>.
-/// You can calculate the same hash for any remote host with
-/// ```sh
-/// openssl s_client -connect "$HOST:993" -servername "$HOST" </dev/null 2>/dev/null |
-/// openssl x509 -pubkey -noout |
-/// openssl pkey -pubin -outform der |
-/// openssl dgst -sha256 -binary |
-/// openssl enc -base64
-/// ```
-pub fn spki_hash(spki: &SubjectPublicKeyInfoDer) -> String {
-    let spki_hash = Sha256::digest(spki);
-    base64::engine::general_purpose::STANDARD.encode(spki_hash)
-}
-
-/// Write-through cache for SPKI hashes.
-#[derive(Debug)]
-pub struct SpkiHashStore {
-    /// Map from hostnames to base64 of SHA-256 hashes.
-    pub hash_store: RwLock<BTreeMap<String, String>>,
-}
-
-impl SpkiHashStore {
-    pub fn new() -> Self {
-        Self {
-            hash_store: RwLock::new(BTreeMap::new()),
-        }
-    }
-
-    /// Returns base64 of SPKI hash if we have previously successfully connected to given hostname.
-    pub async fn get_spki_hash(&self, hostname: &str, sql: &Sql) -> Result<Option<String>> {
-        if let Some(hash) = self.hash_store.read().get(hostname).cloned() {
-            return Ok(Some(hash));
-        }
-
-        match sql
-            .query_row_optional(
-                "SELECT spki_hash FROM tls_spki WHERE host=?",
-                (hostname,),
-                |row| {
-                    let spki_hash: String = row.get(0)?;
-                    Ok(spki_hash)
-                },
-            )
-            .await?
-        {
-            Some(hash) => {
-                self.hash_store
-                    .write()
-                    .insert(hostname.to_string(), hash.clone());
-                Ok(Some(hash))
-            }
-            None => Ok(None),
-        }
-    }
-
-    /// Saves SPKI hash after successful connection.
-    pub async fn save_spki(
-        &self,
-        hostname: &str,
-        spki: &SubjectPublicKeyInfoDer<'_>,
-        sql: &Sql,
-        timestamp: i64,
-    ) -> Result<()> {
-        let hash = spki_hash(spki);
-        self.hash_store
-            .write()
-            .insert(hostname.to_string(), hash.clone());
-        sql.execute(
-            "INSERT OR REPLACE INTO tls_spki (host, spki_hash, timestamp) VALUES (?, ?, ?)",
-            (hostname, hash, timestamp),
-        )
-        .await?;
-        Ok(())
-    }
-
-    /// Removes stale entries from SPKI storage.
-    pub async fn cleanup(&self, sql: &Sql) -> Result<()> {
-        let now = time();
-        let removed_hosts = sql
-            .transaction(|transaction| {
-                let mut stmt = transaction
-                    .prepare("DELETE FROM tls_spki WHERE ? > timestamp + ? RETURNING host")?;
-                let mut res = Vec::new();
-                for row in stmt.query_map((now, 30 * 24 * 60 * 60), |row| {
-                    let host: String = row.get(0)?;
-                    Ok(host)
-                })? {
-                    res.push(row?);
-                }
-
-                // Fix timestamps that happen to be in the future
-                // if we had clock set incorrectly when the timestamp was stored.
-                // Otherwise entry may take more than 30 days to expire.
-                transaction.execute(
-                    "UPDATE tls_spki SET timestamp = ?1 WHERE timestamp > ?1",
-                    (now,),
-                )?;
-
-                Ok(res)
-            })
-            .await?;
-
-        let mut lock = self.hash_store.write();
-        for host in removed_hosts {
-            // We may accidentally remove a host that was added
-            // to the cache after SQL query but before we got
-            // the write lock on `hash_store`.
-            // It is unlikely and will only result
-            // in additional SQL query next time.
-            lock.remove(&host);
-        }
-        Ok(())
-    }
-}

src/param.rs

@@ -136,10 +136,6 @@ pub enum Param {
     /// For "MemberAddedToGroup" and "MemberRemovedFromGroup",
     /// this is the fingerprint added to / removed from the group.
     ///
-    /// For messages resent when adding a new member to a broadcast channel,
-    /// this is the fingerprint of the added member;
-    /// the message must only be sent to this one member then.
-    ///
     /// For call messages, this is the end timsetamp.
     Arg4 = b'H',
 

src/plaintext.rs

@@ -24,6 +24,7 @@ pub struct PlainText {
 impl PlainText {
     /// Convert plain text to HTML.
     /// The function handles quotes, links, fixed and floating text paragraphs.
+    #[expect(clippy::arithmetic_side_effects)]
     pub fn to_html(&self) -> String {
         static LINKIFY_MAIL_RE: LazyLock<regex::Regex> =
             LazyLock::new(|| regex::Regex::new(r"\b([\w.\-+]+@[\w.\-]+)\b").unwrap());

src/provider/data.rs

@@ -234,6 +234,34 @@ static P_BLUEWIN_CH: Provider = Provider {
     oauth2_authorizer: None,
 };
 
+// buzon.uy.md: buzon.uy
+static P_BUZON_UY: Provider = Provider {
+    id: "buzon.uy",
+    status: Status::Ok,
+    before_login_hint: "",
+    after_login_hint: "",
+    overview_page: "https://providers.delta.chat/buzon-uy",
+    server: &[
+        Server {
+            protocol: Imap,
+            socket: Starttls,
+            hostname: "mail.buzon.uy",
+            port: 143,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Smtp,
+            socket: Starttls,
+            hostname: "mail.buzon.uy",
+            port: 587,
+            username_pattern: Email,
+        },
+    ],
+    opt: ProviderOptions::new(),
+    config_defaults: None,
+    oauth2_authorizer: None,
+};
+
 // chello.at.md: chello.at
 static P_CHELLO_AT: Provider = Provider {
     id: "chello.at",
@@ -275,6 +303,48 @@ static P_COMCAST: Provider = Provider {
     oauth2_authorizer: None,
 };
 
+// daleth.cafe.md: daleth.cafe
+static P_DALETH_CAFE: Provider = Provider {
+    id: "daleth.cafe",
+    status: Status::Ok,
+    before_login_hint: "",
+    after_login_hint: "",
+    overview_page: "https://providers.delta.chat/daleth-cafe",
+    server: &[
+        Server {
+            protocol: Imap,
+            socket: Ssl,
+            hostname: "daleth.cafe",
+            port: 993,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Smtp,
+            socket: Ssl,
+            hostname: "daleth.cafe",
+            port: 465,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Imap,
+            socket: Starttls,
+            hostname: "daleth.cafe",
+            port: 143,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Smtp,
+            socket: Starttls,
+            hostname: "daleth.cafe",
+            port: 587,
+            username_pattern: Email,
+        },
+    ],
+    opt: ProviderOptions::new(),
+    config_defaults: None,
+    oauth2_authorizer: None,
+};
+
 // dismail.de.md: dismail.de
 static P_DISMAIL_DE: Provider = Provider {
     id: "dismail.de",
@@ -426,6 +496,22 @@ static P_FIREMAIL_DE: Provider = Provider {
     oauth2_authorizer: None,
 };
 
+// five.chat.md: five.chat
+static P_FIVE_CHAT: Provider = Provider {
+    id: "five.chat",
+    status: Status::Ok,
+    before_login_hint: "",
+    after_login_hint: "",
+    overview_page: "https://providers.delta.chat/five-chat",
+    server: &[],
+    opt: ProviderOptions::new(),
+    config_defaults: Some(&[ConfigDefault {
+        key: Config::BccSelf,
+        value: "1",
+    }]),
+    oauth2_authorizer: None,
+};
+
 // freenet.de.md: freenet.de
 static P_FREENET_DE: Provider = Provider {
     id: "freenet.de",
@@ -543,10 +629,16 @@ static P_HERMES_RADIO: Provider = Provider {
         strict_tls: false,
         ..ProviderOptions::new()
     },
-    config_defaults: Some(&[ConfigDefault {
-        key: Config::MdnsEnabled,
-        value: "0",
-    }]),
+    config_defaults: Some(&[
+        ConfigDefault {
+            key: Config::MdnsEnabled,
+            value: "0",
+        },
+        ConfigDefault {
+            key: Config::ShowEmails,
+            value: "2",
+        },
+    ]),
     oauth2_authorizer: None,
 };
 
@@ -827,6 +919,90 @@ static P_MAILO_COM: Provider = Provider {
     oauth2_authorizer: None,
 };
 
+// mehl.cloud.md: mehl.cloud
+static P_MEHL_CLOUD: Provider = Provider {
+    id: "mehl.cloud",
+    status: Status::Ok,
+    before_login_hint: "",
+    after_login_hint: "",
+    overview_page: "https://providers.delta.chat/mehl-cloud",
+    server: &[
+        Server {
+            protocol: Imap,
+            socket: Ssl,
+            hostname: "mehl.cloud",
+            port: 443,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Smtp,
+            socket: Ssl,
+            hostname: "mehl.cloud",
+            port: 443,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Imap,
+            socket: Ssl,
+            hostname: "mehl.cloud",
+            port: 993,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Smtp,
+            socket: Ssl,
+            hostname: "mehl.cloud",
+            port: 465,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Imap,
+            socket: Starttls,
+            hostname: "mehl.cloud",
+            port: 143,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Smtp,
+            socket: Starttls,
+            hostname: "mehl.cloud",
+            port: 587,
+            username_pattern: Email,
+        },
+    ],
+    opt: ProviderOptions::new(),
+    config_defaults: None,
+    oauth2_authorizer: None,
+};
+
+// mehl.store.md: mehl.store, ende.in.net, l2i.top, szh.homes, sls.post.in, ente.quest, ente.cfd, nein.jetzt
+static P_MEHL_STORE: Provider = Provider {
+    id: "mehl.store",
+    status: Status::Ok,
+    before_login_hint: "",
+    after_login_hint: "This account provides 3GB storage for eMails and the possibility to access a NEXTCLOUD-instance by using the email-credits!",
+    overview_page: "https://providers.delta.chat/mehl-store",
+    server: &[
+        Server {
+            protocol: Imap,
+            socket: Ssl,
+            hostname: "mail.ende.in.net",
+            port: 993,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Smtp,
+            socket: Starttls,
+            hostname: "mail.ende.in.net",
+            port: 587,
+            username_pattern: Email,
+        },
+    ],
+    opt: ProviderOptions::new(),
+    config_defaults: None,
+    oauth2_authorizer: None,
+};
+
 // migadu.md: migadu.com
 static P_MIGADU: Provider = Provider {
     id: "migadu",
@@ -1074,8 +1250,8 @@ static P_OUVATON_COOP: Provider = Provider {
 // posteo.md: posteo.de, posteo.af, posteo.at, posteo.be, posteo.ca, posteo.ch, posteo.cl, posteo.co, posteo.co.uk, posteo.com, posteo.com.br, posteo.cr, posteo.cz, posteo.dk, posteo.ee, posteo.es, posteo.eu, posteo.fi, posteo.gl, posteo.gr, posteo.hn, posteo.hr, posteo.hu, posteo.ie, posteo.in, posteo.is, posteo.it, posteo.jp, posteo.la, posteo.li, posteo.lt, posteo.lu, posteo.me, posteo.mx, posteo.my, posteo.net, posteo.nl, posteo.no, posteo.nz, posteo.org, posteo.pe, posteo.pl, posteo.pm, posteo.pt, posteo.ro, posteo.ru, posteo.se, posteo.sg, posteo.si, posteo.tn, posteo.uk, posteo.us
 static P_POSTEO: Provider = Provider {
     id: "posteo",
-    status: Status::Preparation,
-    before_login_hint: "You must create an app-specific password before you can log in.",
+    status: Status::Ok,
+    before_login_hint: "",
     after_login_hint: "",
     overview_page: "https://providers.delta.chat/posteo",
     server: &[
@@ -1386,6 +1562,51 @@ static P_T_ONLINE: Provider = Provider {
     oauth2_authorizer: None,
 };
 
+// testrun.md: testrun.org
+static P_TESTRUN: Provider = Provider {
+    id: "testrun",
+    status: Status::Ok,
+    before_login_hint: "",
+    after_login_hint: "",
+    overview_page: "https://providers.delta.chat/testrun",
+    server: &[
+        Server {
+            protocol: Imap,
+            socket: Ssl,
+            hostname: "testrun.org",
+            port: 993,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Smtp,
+            socket: Ssl,
+            hostname: "testrun.org",
+            port: 465,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Imap,
+            socket: Starttls,
+            hostname: "testrun.org",
+            port: 143,
+            username_pattern: Email,
+        },
+        Server {
+            protocol: Smtp,
+            socket: Starttls,
+            hostname: "testrun.org",
+            port: 587,
+            username_pattern: Email,
+        },
+    ],
+    opt: ProviderOptions::new(),
+    config_defaults: Some(&[ConfigDefault {
+        key: Config::BccSelf,
+        value: "1",
+    }]),
+    oauth2_authorizer: None,
+};
+
 // tiscali.it.md: tiscali.it
 static P_TISCALI_IT: Provider = Provider {
     id: "tiscali.it",
@@ -1783,7 +2004,7 @@ static P_ZOHO: Provider = Provider {
     oauth2_authorizer: None,
 };
 
-pub(crate) static PROVIDER_DATA: [(&str, &Provider); 521] = [
+pub(crate) static PROVIDER_DATA: [(&str, &Provider); 534] = [
     ("163.com", &P_163),
     ("aktivix.org", &P_AKTIVIX_ORG),
     ("aliyun.com", &P_ALIYUN),
@@ -1793,9 +2014,11 @@ pub(crate) static PROVIDER_DATA: [(&str, &Provider); 521] = [
     ("delta.blinzeln.de", &P_BLINDZELN_ORG),
     ("delta.blindzeln.org", &P_BLINDZELN_ORG),
     ("bluewin.ch", &P_BLUEWIN_CH),
+    ("buzon.uy", &P_BUZON_UY),
     ("chello.at", &P_CHELLO_AT),
     ("xfinity.com", &P_COMCAST),
     ("comcast.net", &P_COMCAST),
+    ("daleth.cafe", &P_DALETH_CAFE),
     ("dismail.de", &P_DISMAIL_DE),
     ("disroot.org", &P_DISROOT),
     ("e.email", &P_E_EMAIL),
@@ -1922,6 +2145,7 @@ pub(crate) static PROVIDER_DATA: [(&str, &Provider); 521] = [
     ("your-mail.com", &P_FASTMAIL),
     ("firemail.at", &P_FIREMAIL_DE),
     ("firemail.de", &P_FIREMAIL_DE),
+    ("five.chat", &P_FIVE_CHAT),
     ("freenet.de", &P_FREENET_DE),
     ("gmail.com", &P_GMAIL),
     ("googlemail.com", &P_GMAIL),
@@ -2144,6 +2368,15 @@ pub(crate) static PROVIDER_DATA: [(&str, &Provider); 521] = [
     ("mailbox.org", &P_MAILBOX_ORG),
     ("secure.mailbox.org", &P_MAILBOX_ORG),
     ("mailo.com", &P_MAILO_COM),
+    ("mehl.cloud", &P_MEHL_CLOUD),
+    ("mehl.store", &P_MEHL_STORE),
+    ("ende.in.net", &P_MEHL_STORE),
+    ("l2i.top", &P_MEHL_STORE),
+    ("szh.homes", &P_MEHL_STORE),
+    ("sls.post.in", &P_MEHL_STORE),
+    ("ente.quest", &P_MEHL_STORE),
+    ("ente.cfd", &P_MEHL_STORE),
+    ("nein.jetzt", &P_MEHL_STORE),
     ("migadu.com", &P_MIGADU),
     ("nauta.cu", &P_NAUTA_CU),
     ("naver.com", &P_NAVER),
@@ -2236,6 +2469,7 @@ pub(crate) static PROVIDER_DATA: [(&str, &Provider); 521] = [
     ("systemli.org", &P_SYSTEMLI_ORG),
     ("t-online.de", &P_T_ONLINE),
     ("magenta.de", &P_T_ONLINE),
+    ("testrun.org", &P_TESTRUN),
     ("tiscali.it", &P_TISCALI_IT),
     ("tutanota.com", &P_TUTANOTA),
     ("tutanota.de", &P_TUTANOTA),
@@ -2318,8 +2552,10 @@ pub(crate) static PROVIDER_IDS: LazyLock<HashMap<&'static str, &'static Provider
             ("autistici.org", &P_AUTISTICI_ORG),
             ("blindzeln.org", &P_BLINDZELN_ORG),
             ("bluewin.ch", &P_BLUEWIN_CH),
+            ("buzon.uy", &P_BUZON_UY),
             ("chello.at", &P_CHELLO_AT),
             ("comcast", &P_COMCAST),
+            ("daleth.cafe", &P_DALETH_CAFE),
             ("dismail.de", &P_DISMAIL_DE),
             ("disroot", &P_DISROOT),
             ("e.email", &P_E_EMAIL),
@@ -2327,6 +2563,7 @@ pub(crate) static PROVIDER_IDS: LazyLock<HashMap<&'static str, &'static Provider
             ("example.com", &P_EXAMPLE_COM),
             ("fastmail", &P_FASTMAIL),
             ("firemail.de", &P_FIREMAIL_DE),
+            ("five.chat", &P_FIVE_CHAT),
             ("freenet.de", &P_FREENET_DE),
             ("gmail", &P_GMAIL),
             ("gmx.net", &P_GMX_NET),
@@ -2344,6 +2581,8 @@ pub(crate) static PROVIDER_IDS: LazyLock<HashMap<&'static str, &'static Provider
             ("mail2tor", &P_MAIL2TOR),
             ("mailbox.org", &P_MAILBOX_ORG),
             ("mailo.com", &P_MAILO_COM),
+            ("mehl.cloud", &P_MEHL_CLOUD),
+            ("mehl.store", &P_MEHL_STORE),
             ("migadu", &P_MIGADU),
             ("nauta.cu", &P_NAUTA_CU),
             ("naver", &P_NAVER),
@@ -2363,6 +2602,7 @@ pub(crate) static PROVIDER_IDS: LazyLock<HashMap<&'static str, &'static Provider
             ("systemausfall.org", &P_SYSTEMAUSFALL_ORG),
             ("systemli.org", &P_SYSTEMLI_ORG),
             ("t-online", &P_T_ONLINE),
+            ("testrun", &P_TESTRUN),
             ("tiscali.it", &P_TISCALI_IT),
             ("tutanota", &P_TUTANOTA),
             ("ukr.net", &P_UKR_NET),
@@ -2382,4 +2622,4 @@ pub(crate) static PROVIDER_IDS: LazyLock<HashMap<&'static str, &'static Provider
     });
 
 pub static _PROVIDER_UPDATED: LazyLock<chrono::NaiveDate> =
-    LazyLock::new(|| chrono::NaiveDate::from_ymd_opt(2026, 4, 21).unwrap());
+    LazyLock::new(|| chrono::NaiveDate::from_ymd_opt(2026, 1, 28).unwrap());

src/qr.rs

@@ -714,6 +714,7 @@ fn decode_account(qr: &str) -> Result<Qr> {
 }
 
 /// scheme: `https://t.me/socks?server=foo&port=123` or `https://t.me/socks?server=1.2.3.4&port=123`
+#[expect(clippy::arithmetic_side_effects)]
 fn decode_tg_socks_proxy(_context: &Context, qr: &str) -> Result<Qr> {
     let url = url::Url::parse(qr).context("Invalid t.me/socks url")?;
 

src/qr/qr_tests.rs

@@ -709,7 +709,7 @@ async fn test_decode_dclogin_advanced_options() -> Result<()> {
     assert_eq!(param.smtp.security, Socket::Plain);
 
     // `sc` option is actually ignored and `ic` is used instead
-    // because `smtp_certificate_checks` has been removed.
+    // because `smtp_certificate_checks` is deprecated.
     assert_eq!(param.certificate_checks, EnteredCertificateChecks::Strict);
 
     Ok(())

src/qr_code_generator.rs

@@ -15,6 +15,7 @@ use crate::securejoin;
 use crate::stock_str::{self, backup_transfer_qr};
 
 /// Create a QR code from any input data.
+#[expect(clippy::arithmetic_side_effects)]
 pub fn create_qr_svg(qrcode_content: &str) -> Result<String> {
     let all_size = 512.0;
     let qr_code_size = 416.0;
@@ -175,6 +176,7 @@ async fn self_info(context: &Context) -> Result<(Option<Vec<u8>>, String, String
     Ok((avatar, displayname, addr, color))
 }
 
+#[expect(clippy::arithmetic_side_effects)]
 fn inner_generate_secure_join_qr_code(
     qrcode_description: &str,
     qrcode_content: &str,

src/scheduler.rs

@@ -250,16 +250,6 @@ impl SchedulerState {
         }
     }
 
-    pub(crate) async fn clear_all_relay_storage(&self) -> Result<()> {
-        let inner = self.inner.read().await;
-        if let InnerSchedulerState::Started(ref scheduler) = *inner {
-            scheduler.clear_all_relay_storage();
-            Ok(())
-        } else {
-            bail!("IO is not started");
-        }
-    }
-
     pub(crate) async fn interrupt_smtp(&self) {
         let inner = self.inner.read().await;
         if let InnerSchedulerState::Started(ref scheduler) = *inner {
@@ -358,7 +348,6 @@ async fn inbox_loop(
     let ImapConnectionHandlers {
         mut connection,
         stop_token,
-        clear_storage_request_receiver,
     } = inbox_handlers;
 
     let transport_id = connection.transport_id();
@@ -397,14 +386,7 @@ async fn inbox_loop(
                 }
             };
 
-            match inbox_fetch_idle(
-                &ctx,
-                &mut connection,
-                session,
-                &clear_storage_request_receiver,
-            )
-            .await
-            {
+            match inbox_fetch_idle(&ctx, &mut connection, session).await {
                 Err(err) => warn!(
                     ctx,
                     "Transport {transport_id}: Failed inbox fetch_idle: {err:#}."
@@ -425,29 +407,11 @@ async fn inbox_loop(
         .await;
 }
 
-async fn inbox_fetch_idle(
-    ctx: &Context,
-    imap: &mut Imap,
-    mut session: Session,
-    clear_storage_request_receiver: &Receiver<()>,
-) -> Result<Session> {
+async fn inbox_fetch_idle(ctx: &Context, imap: &mut Imap, mut session: Session) -> Result<Session> {
     let transport_id = session.transport_id();
 
-    // Clear IMAP storage on request.
-    //
-    // Only doing this for chatmail relays to avoid
-    // accidentally deleting all emails in a shared mailbox.
-    let should_clear_imap_storage =
-        clear_storage_request_receiver.try_recv().is_ok() && session.is_chatmail();
-    if should_clear_imap_storage {
-        info!(ctx, "Transport {transport_id}: Clearing IMAP storage.");
-        session.delete_all_messages(ctx, &imap.folder).await?;
-    }
-
     // Update quota no more than once a minute.
-    //
-    // Always update if we just cleared IMAP storage.
-    if (ctx.quota_needs_update(session.transport_id(), 60).await || should_clear_imap_storage)
+    if ctx.quota_needs_update(session.transport_id(), 60).await
         && let Err(err) = ctx.update_recent_quota(&mut session, &imap.folder).await
     {
         warn!(
@@ -631,7 +595,7 @@ async fn smtp_loop(
             info!(ctx, "SMTP fake idle started.");
             match &connection.last_send_error {
                 None => connection.connectivity.set_idle(&ctx),
-                Some(err) => connection.connectivity.set_err(&ctx, err.clone()),
+                Some(err) => connection.connectivity.set_err(&ctx, err),
             }
 
             // If send_smtp_messages() failed, we set a timeout for the fake-idle so that
@@ -773,12 +737,6 @@ impl Scheduler {
         }
     }
 
-    fn clear_all_relay_storage(&self) {
-        for b in &self.inboxes {
-            b.conn_state.clear_relay_storage();
-        }
-    }
-
     fn interrupt_smtp(&self) {
         self.smtp.interrupt();
     }
@@ -912,13 +870,6 @@ struct SmtpConnectionHandlers {
 #[derive(Debug)]
 pub(crate) struct ImapConnectionState {
     state: ConnectionState,
-
-    /// Channel to request clearing the folder.
-    ///
-    /// IMAP loop receiving this should clear the folder
-    /// on the next iteration if IMAP server is a chatmail relay
-    /// and otherwise ignore the request.
-    clear_storage_request_sender: Sender<()>,
 }
 
 impl ImapConnectionState {
@@ -930,13 +881,11 @@ impl ImapConnectionState {
     ) -> Result<(Self, ImapConnectionHandlers)> {
         let stop_token = CancellationToken::new();
         let (idle_interrupt_sender, idle_interrupt_receiver) = channel::bounded(1);
-        let (clear_storage_request_sender, clear_storage_request_receiver) = channel::bounded(1);
 
         let handlers = ImapConnectionHandlers {
             connection: Imap::new(context, transport_id, login_param, idle_interrupt_receiver)
                 .await?,
             stop_token: stop_token.clone(),
-            clear_storage_request_receiver,
         };
 
         let state = ConnectionState {
@@ -945,10 +894,7 @@ impl ImapConnectionState {
             connectivity: handlers.connection.connectivity.clone(),
         };
 
-        let conn = ImapConnectionState {
-            state,
-            clear_storage_request_sender,
-        };
+        let conn = ImapConnectionState { state };
 
         Ok((conn, handlers))
     }
@@ -962,19 +908,10 @@ impl ImapConnectionState {
     fn stop(&self) {
         self.state.stop();
     }
-
-    /// Requests clearing relay storage and interrupts the inbox.
-    fn clear_relay_storage(&self) {
-        self.clear_storage_request_sender.try_send(()).ok();
-        self.state.interrupt();
-    }
 }
 
 #[derive(Debug)]
 struct ImapConnectionHandlers {
     connection: Imap,
     stop_token: CancellationToken,
-
-    /// Channel receiver to get requests to clear IMAP storage.
-    pub(crate) clear_storage_request_receiver: Receiver<()>,
 }

src/scheduler/connectivity.rs

@@ -157,8 +157,8 @@ impl ConnectivityStore {
         context.emit_event(EventType::ConnectivityChanged);
     }
 
-    pub(crate) fn set_err(&self, context: &Context, e: String) {
-        self.set(context, DetailedConnectivity::Error(e));
+    pub(crate) fn set_err(&self, context: &Context, e: impl ToString) {
+        self.set(context, DetailedConnectivity::Error(e.to_string()));
     }
     pub(crate) fn set_connecting(&self, context: &Context) {
         self.set(context, DetailedConnectivity::Connecting);

src/securejoin.rs

@@ -491,19 +491,10 @@ pub(crate) async fn handle_securejoin_handshake(
             )
             .await?;
 
-            let prefix = mime_message
-                .get_header(HeaderDef::SecureJoin)
-                .and_then(|step| step.get(..2))
-                .unwrap_or("vc");
-
             // Alice -> Bob
-            send_alice_handshake_msg(
-                context,
-                autocrypt_contact_id,
-                &format!("{prefix}-auth-required"),
-            )
-            .await
-            .context("failed sending auth-required handshake message")?;
+            send_alice_handshake_msg(context, autocrypt_contact_id, "vc-auth-required")
+                .await
+                .context("Failed sending auth-required handshake message")?;
             Ok(HandshakeMessage::Done)
         }
         SecureJoinStep::AuthRequired => {

src/securejoin/bob.rs

@@ -29,7 +29,7 @@ use crate::{chatlist_events, mimefactory};
 /// If Bob already has Alice's key, he sends `AUTH` token
 /// and forgets about the invite.
 /// If Bob does not yet have Alice's key, he sends `vc-request`
-/// or `vg-request` message and stores a row in the `bobstate` table
+/// message and stores a row in the `bobstate` table
 /// so he can check Alice's key against the fingerprint
 /// and send `AUTH` token later.
 ///
@@ -332,7 +332,7 @@ pub(crate) async fn send_handshake_message(
     } else {
         let mut msg = Message {
             viewtype: Viewtype::Text,
-            text: step.body_text(invite),
+            text: step.body_text(),
             hidden: true,
             ..Default::default()
         };
@@ -340,7 +340,7 @@ pub(crate) async fn send_handshake_message(
         msg.param.set_cmd(SystemMessage::SecurejoinMessage);
 
         // Sends the step in Secure-Join header.
-        msg.param.set(Param::Arg, step.securejoin_header(invite));
+        msg.param.set(Param::Arg, step.securejoin_header());
 
         match step {
             BobHandshakeMsg::Request => {
@@ -378,9 +378,9 @@ pub(crate) async fn send_handshake_message(
 
 /// Identifies the SecureJoin handshake messages Bob can send.
 pub(crate) enum BobHandshakeMsg {
-    /// vc-request or vg-request
+    /// vc-request
     Request,
-    /// vc-request-with-auth or vg-request-with-auth
+    /// vc-request-with-auth
     RequestWithAuth,
 }
 
@@ -390,8 +390,8 @@ impl BobHandshakeMsg {
     /// This text has no significance to the protocol, but would be visible if users see
     /// this email message directly, e.g. when accessing their email without using
     /// DeltaChat.
-    fn body_text(&self, invite: &QrInvite) -> String {
-        format!("Secure-Join: {}", self.securejoin_header(invite))
+    fn body_text(&self) -> String {
+        format!("Secure-Join: {}", self.securejoin_header())
     }
 
     /// Returns the `Secure-Join` header value.
@@ -399,18 +399,10 @@ impl BobHandshakeMsg {
     /// This identifies the step this message is sending information about.  Most protocol
     /// steps include additional information into other headers, see
     /// [`send_handshake_message`] for these.
-    fn securejoin_header(&self, invite: &QrInvite) -> &'static str {
+    fn securejoin_header(&self) -> &'static str {
         match self {
-            Self::Request => match invite {
-                QrInvite::Contact { .. } => "vc-request",
-                QrInvite::Group { .. } => "vg-request",
-                QrInvite::Broadcast { .. } => "vg-request",
-            },
-            Self::RequestWithAuth => match invite {
-                QrInvite::Contact { .. } => "vc-request-with-auth",
-                QrInvite::Group { .. } => "vg-request-with-auth",
-                QrInvite::Broadcast { .. } => "vg-request-with-auth",
-            },
+            Self::Request => "vc-request",
+            Self::RequestWithAuth => "vc-request-with-auth",
         }
     }
 }
@@ -480,7 +472,7 @@ async fn joining_chat_id(
 /// This has an `From<JoinerProgress> for usize` impl yielding numbers between 0 and a 1000
 /// which can be shown as a progress bar.
 pub(crate) enum JoinerProgress {
-    /// vg-vc-request-with-auth sent.
+    /// vc-request-with-auth sent.
     ///
     /// Typically shows as "alice@addr verified, introducing myself."
     RequestWithAuthSent,

src/securejoin/securejoin_tests.rs

@@ -483,7 +483,7 @@ async fn test_secure_join_group_ex(v3: bool, remove_invite: bool) -> Result<()>
         if v3 {
             "vc-request-pubkey"
         } else {
-            "vg-request"
+            "vc-request"
         }
     );
     assert_eq!(msg.get_header(HeaderDef::SecureJoinAuth).is_some(), v3);
@@ -509,7 +509,7 @@ async fn test_secure_join_group_ex(v3: bool, remove_invite: bool) -> Result<()>
     assert!(msg.was_encrypted());
     assert_eq!(
         msg.get_header(HeaderDef::SecureJoin).unwrap(),
-        if v3 { "vc-pubkey" } else { "vg-auth-required" }
+        if v3 { "vc-pubkey" } else { "vc-auth-required" }
     );
 
     tcm.section("Step 4: Bob receives vc-pubkey or vg-auth-required, sends v*-request-with-auth");
@@ -546,7 +546,7 @@ async fn test_secure_join_group_ex(v3: bool, remove_invite: bool) -> Result<()>
     assert!(msg.was_encrypted());
     assert_eq!(
         msg.get_header(HeaderDef::SecureJoin).unwrap(),
-        "vg-request-with-auth"
+        "vc-request-with-auth"
     );
     assert!(msg.get_header(HeaderDef::SecureJoinAuth).is_some());
     let bob_fp = self_fingerprint(&bob).await?;

src/simplify.rs

@@ -9,6 +9,7 @@ use crate::tools::IsNoneOrEmpty;
 /// This escapes a bit more than actually needed by delta (e.g. also lines as "-- footer"),
 /// but for non-delta-compatibility, that seems to be better.
 /// (to be only compatible with delta, only "[\r\n|\n]-- {0,2}[\r\n|\n]" needs to be replaced)
+#[expect(clippy::arithmetic_side_effects)]
 pub fn escape_message_footer_marks(text: &str) -> String {
     if let Some(text) = text.strip_prefix("--") {
         "-\u{200B}-".to_string() + &text.replace("\n--", "\n-\u{200B}-")

src/smtp/connect.rs

@@ -11,12 +11,11 @@ use crate::log::warn;
 use crate::net::dns::{lookup_host_with_cache, update_connect_timestamp};
 use crate::net::proxy::ProxyConfig;
 use crate::net::session::SessionBufStream;
-use crate::net::tls::{SpkiHashStore, TlsSessionStore, wrap_tls};
+use crate::net::tls::{TlsSessionStore, wrap_tls};
 use crate::net::{
     connect_tcp_inner, connect_tls_inner, run_connection_attempts, update_connection_history,
 };
 use crate::oauth2::get_oauth2_access_token;
-use crate::sql::Sql;
 use crate::tools::time;
 use crate::transport::ConnectionCandidate;
 use crate::transport::ConnectionSecurity;
@@ -112,26 +111,10 @@ async fn connection_attempt(
     );
     let res = match security {
         ConnectionSecurity::Tls => {
-            connect_secure(
-                resolved_addr,
-                host,
-                strict_tls,
-                &context.tls_session_store,
-                &context.spki_hash_store,
-                &context.sql,
-            )
-            .await
+            connect_secure(resolved_addr, host, strict_tls, &context.tls_session_store).await
         }
         ConnectionSecurity::Starttls => {
-            connect_starttls(
-                resolved_addr,
-                host,
-                strict_tls,
-                &context.tls_session_store,
-                &context.spki_hash_store,
-                &context.sql,
-            )
-            .await
+            connect_starttls(resolved_addr, host, strict_tls, &context.tls_session_store).await
         }
         ConnectionSecurity::Plain => connect_insecure(resolved_addr).await,
     };
@@ -257,8 +240,6 @@ async fn connect_secure_proxy(
         alpn(port),
         proxy_stream,
         &context.tls_session_store,
-        &context.spki_hash_store,
-        &context.sql,
     )
     .await?;
     let mut buffered_stream = BufStream::new(tls_stream);
@@ -292,8 +273,6 @@ async fn connect_starttls_proxy(
         "",
         tcp_stream,
         &context.tls_session_store,
-        &context.spki_hash_store,
-        &context.sql,
     )
     .await
     .context("STARTTLS upgrade failed")?;
@@ -320,8 +299,6 @@ async fn connect_secure(
     hostname: &str,
     strict_tls: bool,
     tls_session_store: &TlsSessionStore,
-    spki_hash_store: &SpkiHashStore,
-    sql: &Sql,
 ) -> Result<Box<dyn SessionBufStream>> {
     let tls_stream = connect_tls_inner(
         addr,
@@ -329,8 +306,6 @@ async fn connect_secure(
         strict_tls,
         alpn(addr.port()),
         tls_session_store,
-        spki_hash_store,
-        sql,
     )
     .await?;
     let mut buffered_stream = BufStream::new(tls_stream);
@@ -344,8 +319,6 @@ async fn connect_starttls(
     host: &str,
     strict_tls: bool,
     tls_session_store: &TlsSessionStore,
-    spki_hash_store: &SpkiHashStore,
-    sql: &Sql,
 ) -> Result<Box<dyn SessionBufStream>> {
     let use_sni = false;
     let tcp_stream = connect_tcp_inner(addr).await?;
@@ -363,8 +336,6 @@ async fn connect_starttls(
         "",
         tcp_stream,
         tls_session_store,
-        spki_hash_store,
-        sql,
     )
     .await
     .context("STARTTLS upgrade failed")?;

src/sql.rs

@@ -874,14 +874,6 @@ pub async fn housekeeping(context: &Context) -> Result<()> {
         .log_err(context)
         .ok();
 
-    context
-        .spki_hash_store
-        .cleanup(&context.sql)
-        .await
-        .context("Failed to prune SPKI store")
-        .log_err(context)
-        .ok();
-
     // Cleanup `imap` and `imap_sync` entries for deleted transports.
     //
     // Transports may be deleted directly or via sync messages,

src/sql/migrations.rs

@@ -1919,7 +1919,7 @@ CREATE INDEX gossip_timestamp_index ON gossip_timestamp (chat_id, fingerprint);
 
     inc_and_check(&mut migration_version, 131)?;
     if dbversion < migration_version {
-        let entered_param = EnteredLoginParam::load_legacy(context).await?;
+        let entered_param = EnteredLoginParam::load(context).await?;
         let configured_param = ConfiguredLoginParam::load_legacy(context).await?;
 
         sql.execute_migration_transaction(
@@ -2360,22 +2360,6 @@ ALTER TABLE contacts ADD COLUMN name_normalized TEXT;
         .await?;
     }
 
-    inc_and_check(&mut migration_version, 151)?;
-    if dbversion < migration_version {
-        sql.execute_migration(
-            "CREATE TABLE tls_spki (
-               host TEXT NOT NULL UNIQUE,
-               spki_hash TEXT NOT NULL, -- base64 of SPKI SHA-256 hash
-               timestamp INTEGER NOT NULL -- timestamp of the last time we have seen this key
-             ) STRICT;
-             -- Index on host column is created implicitly because of UNIQUE constraint.
-             CREATE INDEX tls_spki_index_timestamp ON tls_spki (timestamp);
-            ",
-            migration_version,
-        )
-        .await?;
-    }
-
     let new_version = sql
         .get_raw_config_int(VERSION_CFG)
         .await?

src/test_utils.rs

@@ -275,17 +275,16 @@ impl TestContextManager {
 
         let chat_id = join_securejoin(&joiner.ctx, qr).await.unwrap();
 
-        for _ in 0..2 {
+        loop {
             let mut something_sent = false;
-            let rev_order = false;
-            if let Some(sent) = joiner.pop_sent_msg_ex(rev_order, Duration::ZERO).await {
+            if let Some(sent) = joiner.pop_sent_msg_opt(Duration::ZERO).await {
                 for inviter in inviters {
                     inviter.recv_msg_opt(&sent).await;
                 }
                 something_sent = true;
             }
             for inviter in inviters {
-                if let Some(sent) = inviter.pop_sent_msg_ex(rev_order, Duration::ZERO).await {
+                if let Some(sent) = inviter.pop_sent_msg_opt(Duration::ZERO).await {
                     joiner.recv_msg_opt(&sent).await;
                     something_sent = true;
                 }
@@ -624,35 +623,25 @@ impl TestContext {
     }
 
     pub async fn pop_sent_msg_opt(&self, timeout: Duration) -> Option<SentMessage<'_>> {
-        let rev_order = true;
-        self.pop_sent_msg_ex(rev_order, timeout).await
-    }
-
-    pub async fn pop_sent_msg_ex(
-        &self,
-        rev_order: bool,
-        timeout: Duration,
-    ) -> Option<SentMessage<'_>> {
         let start = Instant::now();
-        let mut query = "
-SELECT id, msg_id, mime, recipients
-FROM smtp
-ORDER BY id"
-            .to_string();
-        if rev_order {
-            query += " DESC";
-        }
         let (rowid, msg_id, payload, recipients) = loop {
             let row = self
                 .ctx
                 .sql
-                .query_row_optional(&query, (), |row| {
-                    let rowid: i64 = row.get(0)?;
-                    let msg_id: MsgId = row.get(1)?;
-                    let mime: String = row.get(2)?;
-                    let recipients: String = row.get(3)?;
-                    Ok((rowid, msg_id, mime, recipients))
-                })
+                .query_row_optional(
+                    r#"
+                    SELECT id, msg_id, mime, recipients
+                    FROM smtp
+                    ORDER BY id DESC"#,
+                    (),
+                    |row| {
+                        let rowid: i64 = row.get(0)?;
+                        let msg_id: MsgId = row.get(1)?;
+                        let mime: String = row.get(2)?;
+                        let recipients: String = row.get(3)?;
+                        Ok((rowid, msg_id, mime, recipients))
+                    },
+                )
                 .await
                 .expect("query_row_optional failed");
             if let Some(row) = row {
@@ -834,24 +823,17 @@ ORDER BY id"
         assert_eq!(received.chat_id, DC_CHAT_ID_TRASH);
     }
 
-    /// Gets the most recent message ID of a chat.
-    ///
-    /// Panics on errors or if the most recent message is a marker.
-    pub async fn get_last_msg_id_in(&self, chat_id: ChatId) -> MsgId {
-        let msgs = chat::get_chat_msgs(&self.ctx, chat_id).await.unwrap();
-        if let ChatItem::Message { msg_id } = msgs.last().unwrap() {
-            *msg_id
-        } else {
-            panic!("Wrong item type");
-        }
-    }
-
     /// Gets the most recent message of a chat.
     ///
     /// Panics on errors or if the most recent message is a marker.
     pub async fn get_last_msg_in(&self, chat_id: ChatId) -> Message {
-        let msg_id = self.get_last_msg_id_in(chat_id).await;
-        Message::load_from_db(&self.ctx, msg_id).await.unwrap()
+        let msgs = chat::get_chat_msgs(&self.ctx, chat_id).await.unwrap();
+        let msg_id = if let ChatItem::Message { msg_id } = msgs.last().unwrap() {
+            msg_id
+        } else {
+            panic!("Wrong item type");
+        };
+        Message::load_from_db(&self.ctx, *msg_id).await.unwrap()
     }
 
     /// Gets the most recent message over all chats.

src/tools.rs

@@ -687,6 +687,7 @@ fn extract_address_from_receive_header<'a>(header: &'a str, start: &str) -> Opti
     })
 }
 
+#[expect(clippy::arithmetic_side_effects)]
 pub(crate) fn parse_receive_header(header: &str) -> String {
     let header = header.replace(&['\r', '\n'][..], "");
     let mut hop_info = String::from("Hop: ");

src/transport/transport_tests.rs

@@ -118,6 +118,8 @@ async fn test_posteo_alias() -> Result<()> {
     t.set_config(Config::ConfiguredSendUser, Some(user)).await?;
     t.set_config(Config::ConfiguredSendPw, Some("foobarbaz"))
         .await?;
+    t.set_config(Config::ConfiguredSmtpCertificateChecks, Some("1"))
+        .await?; // Strict
     t.set_config(Config::ConfiguredServerFlags, Some("0"))
         .await?;
 
@@ -205,6 +207,8 @@ async fn test_empty_server_list_legacy() -> Result<()> {
         .await?; // Strict
     t.set_config(Config::ConfiguredSendPw, Some("foobarbaz"))
         .await?;
+    t.set_config(Config::ConfiguredSmtpCertificateChecks, Some("1"))
+        .await?; // Strict
     t.set_config(Config::ConfiguredServerFlags, Some("0"))
         .await?;
 

src/webxdc.rs

@@ -111,12 +111,6 @@ pub struct WebxdcInfo {
     /// Address to be used for `window.webxdc.selfAddr` in JS land.
     pub self_addr: String,
 
-    /// Define if the local user is the one who initially shared the webxdc application in the chat.
-    pub is_app_sender: bool,
-
-    /// Define if the app runs in a broadcasting context.
-    pub is_broadcast: bool,
-
     /// Milliseconds to wait before calling `sendUpdate()` again since the last call.
     /// Should be exposed to `window.sendUpdateInterval` in JS land.
     pub send_update_interval: usize,
@@ -929,11 +923,6 @@ impl Message {
         let internet_access = is_integrated;
 
         let self_addr = self.get_webxdc_self_addr(context).await?;
-        let is_app_sender = self.from_id == ContactId::SELF;
-        let chat = Chat::load_from_db(context, self.chat_id)
-            .await
-            .with_context(|| "Failed to load chat from the database")?;
-        let is_broadcast = chat.typ == Chattype::InBroadcast || chat.typ == Chattype::OutBroadcast;
 
         Ok(WebxdcInfo {
             name: if let Some(name) = manifest.name {
@@ -972,8 +961,6 @@ impl Message {
             request_integration,
             internet_access,
             self_addr,
-            is_app_sender,
-            is_broadcast,
             send_update_interval: context.ratelimit.read().await.update_interval(),
             send_update_max_size: RECOMMENDED_FILE_SIZE as usize,
         })

src/webxdc/webxdc_tests.rs

@@ -12,7 +12,6 @@ use crate::chatlist::Chatlist;
 use crate::config::Config;
 use crate::ephemeral;
 use crate::receive_imf::receive_imf;
-use crate::securejoin::get_securejoin_qr;
 use crate::test_utils::{E2EE_INFO_MSGS, TestContext, TestContextManager};
 use crate::tools::{self, SystemTime};
 use crate::{message, sql};
@@ -2196,42 +2195,3 @@ async fn test_self_addr_consistency() -> Result<()> {
     assert_eq!(db_msg.get_webxdc_self_addr(alice).await?, self_addr);
     Ok(())
 }
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_webxdc_info_app_sender() -> Result<()> {
-    let mut tcm = TestContextManager::new();
-    let alice = &tcm.alice().await;
-    let bob = &tcm.bob().await;
-
-    // Alice sends webxdc in a group chat
-    let alice_chat_id = alice.create_group_with_members("Group", &[bob]).await;
-    let alice_instance = send_webxdc_instance(alice, alice_chat_id).await?;
-    let sent1 = alice.pop_sent_msg().await;
-    let alice_info = alice_instance.get_webxdc_info(alice).await?;
-    assert!(alice_info.is_app_sender);
-    assert!(!alice_info.is_broadcast);
-
-    // Bob receives group webxdc
-    let bob_instance = bob.recv_msg(&sent1).await;
-    let bob_info = bob_instance.get_webxdc_info(bob).await?;
-    assert!(!bob_info.is_app_sender);
-    assert!(!bob_info.is_broadcast);
-
-    // Alice sends webxdc to broadcast channel
-    let alice_chat_id = create_broadcast(alice, "Broadcast".to_string()).await?;
-    let qr = get_securejoin_qr(alice, Some(alice_chat_id)).await.unwrap();
-    tcm.exec_securejoin_qr(bob, alice, &qr).await;
-    let alice_instance = send_webxdc_instance(alice, alice_chat_id).await?;
-    let sent2 = alice.pop_sent_msg().await;
-    let alice_info = alice_instance.get_webxdc_info(alice).await?;
-    assert!(alice_info.is_app_sender);
-    assert!(alice_info.is_broadcast);
-
-    // Bob receives broadcast webxdc
-    let bob_instance = bob.recv_msg(&sent2).await;
-    let bob_info = bob_instance.get_webxdc_info(bob).await?;
-    assert!(!bob_info.is_app_sender);
-    assert!(bob_info.is_broadcast);
-
-    Ok(())
-}