Merge branch 'release/v1.21.5'

Release v1.21.5
Chore: Update caniemail database
2026-03-03 04:07:00 +00:00 · 2024-11-26 22:24:41 +13:00 · 2024-11-26 22:24:40 +13:00 · 2024-11-26 22:17:04 +13:00 · 2024-11-26 22:16:16 +13:00 · 2024-11-26 22:14:08 +13:00
127 changed files with 12649 additions and 6206 deletions
--- a/.chglog/config.yml
+++ b/.chglog/config.yml
@@ -17,6 +17,24 @@ options:
      fix: Fix
    #   perf: Performance Improvements
    #   refactor: Code Refactoring
+    sort_by: Custom
+    title_order:
+      - Feature
+      - Chore
+      - UI
+      - API
+      - Libs
+      - Docker
+      - Security
+      - Fix
+      - Bugfix
+      - Docs
+      - Swagger
+      - Build
+      - Testing
+      - Test
+      - Tests
+      - Pull Requests
  header:
    pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s]*)\\))?\\:\\s(.*)$"
    pattern_maps:
--- a/.github/workflows/build-docker-edge.yml
+++ b/.github/workflows/build-docker-edge.yml
@@ -16,19 +16,30 @@ jobs:
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

-    - name: Login to DockerHub
+    - name: Log into Docker Hub
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_ACCESS_TOKEN }}

+    - name: Log into GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ github.token }}
+
+    - uses: benjlevesque/short-sha@v3.0
+      id: short-sha
+
    - name: Build and push
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6
      with:
        context: .
        platforms: linux/386,linux/amd64,linux/arm64
        build-args: |
-          "VERSION=edge-${{ github.sha }}"
+          "VERSION=edge-${{ steps.short-sha.outputs.sha }}"
        push: true
        tags: |
          axllent/mailpit:edge
+          ghcr.io/${{ github.repository }}:edge
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -16,12 +16,19 @@ jobs:
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

-    - name: Login to DockerHub
+    - name: Log into Docker Hub
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_ACCESS_TOKEN }}

+    - name: Log into GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ github.token }}
+
    - name: Parse semver
      id: semver_parser 
      uses: booxmedialtd/ws-action-parse-semver@v1.4.7
@@ -30,10 +37,9 @@ jobs:
        version_extractor_regex: 'v(.*)$'

    - name: Build and push
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6
      with:
        context: .
-        # platforms: linux/386,linux/amd64,linux/arm,linux/arm64
        platforms: linux/386,linux/amd64,linux/arm64
        build-args: |
          "VERSION=${{ github.ref_name }}"
@@ -42,3 +48,6 @@ jobs:
          axllent/mailpit:latest
          axllent/mailpit:${{ github.ref_name }}
          axllent/mailpit:v${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}
+          ghcr.io/${{ github.repository }}:latest
+          ghcr.io/${{ github.repository }}:${{ github.ref_name }}
+          ghcr.io/${{ github.repository }}:v${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}
--- a/.github/workflows/close-stale-issues.yml
+++ b/.github/workflows/close-stale-issues.yml
@@ -12,12 +12,12 @@ jobs:
    steps:
      - uses: actions/stale@v9.0.0
        with:
-          days-before-issue-stale: 14
-          days-before-issue-close: 7
-          exempt-issue-labels: "enhancement,bug,javascript,docker"
+          days-before-issue-stale: 7
+          days-before-issue-close: 3
+          exempt-issue-labels: "enhancement,bug,awaiting feedback"
          stale-issue-label: "stale"
-          stale-issue-message: "This issue is stale because it has been open for 14 days with no activity."
-          close-issue-message: "This issue was closed because it has been inactive for 7 days since being marked as stale."
+          stale-issue-message: "This issue has been marked as stale because it has been open for 7 days with no activity."
+          close-issue-message: "This issue was closed because there has been no activity since being marked as stale."
          days-before-pr-stale: -1
          days-before-pr-close: -1
          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -33,7 +33,7 @@ jobs:
    - run: npm run package

    # build the binaries
-    - uses: wangyoucao577/go-release-action@v1.49
+    - uses: wangyoucao577/go-release-action@v1
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        goos: ${{ matrix.goos }}
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -26,8 +26,8 @@ jobs:
        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
        restore-keys: |
          ${{ runner.os }}-go-
-    - run: go test ./internal/storage ./server ./internal/tools ./internal/html2text -v
-    - run: go test ./internal/storage ./internal/html2text -bench=.
+    - run: go test -p 1 ./internal/storage ./server ./server/pop3 ./internal/tools ./internal/html2text ./internal/linkcheck -v
+    - run: go test -p 1 ./internal/storage ./internal/html2text -bench=.
    
    # build the assets
    - name: Build web UI
@@ -44,6 +44,6 @@ jobs:
    # validate the swagger file
    - name: Validate OpenAPI definition
      if: startsWith(matrix.os, 'ubuntu') == true
-      uses: char0n/swagger-editor-validate@v1
+      uses: swaggerexpert/swagger-editor-validate@v1
      with:
        definition-file: server/ui/api/v1/swagger.json
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/15
+++ b/15
@@ -1,4 +1,4 @@
-FROM golang:alpine as builder
+FROM golang:alpine AS builder

 ARG VERSION=dev

@@ -6,16 +6,25 @@ COPY . /app

 WORKDIR /app

-RUN apk add --no-cache git npm && \
+RUN  apk upgrade && apk add git npm && \
 npm install && npm run package && \
 CGO_ENABLED=0 go build -ldflags "-s -w -X github.com/axllent/mailpit/config.Version=${VERSION}" -o /mailpit

 FROM alpine:latest

+LABEL org.opencontainers.image.title="Mailpit" \
+  org.opencontainers.image.description="An email and SMTP testing tool with API for developers" \
+  org.opencontainers.image.source="https://github.com/axllent/mailpit" \
+  org.opencontainers.image.url="https://mailpit.axllent.org" \
+  org.opencontainers.image.documentation="https://mailpit.axllent.org/docs/" \
+  org.opencontainers.image.licenses="MIT"
+
 COPY --from=builder /mailpit /mailpit

-RUN apk add --no-cache tzdata
+RUN apk upgrade --no-cache && apk add --no-cache tzdata

 EXPOSE 1025/tcp 1110/tcp 8025/tcp

+HEALTHCHECK --interval=15s CMD /mailpit readyz
+
 ENTRYPOINT ["/mailpit"]
--- a/README.md
+++ b/README.md
@@ -32,31 +32,24 @@ Mailpit was originally **inspired** by MailHog which is [no longer maintained](h

 ## Features

- Runs entirely from a single [static binary](https://mailpit.axllent.org/docs/install/)
- Modern web UI to view emails (formatted HTML, highlighted HTML source, text, headers, raw source, and MIME attachments
-including image thumbnails), including optional [HTTPS](https://mailpit.axllent.org/docs/configuration/https/)
- Optional [basic authentication](https://mailpit.axllent.org/docs/configuration/frontend-authentication/) for web UI & API
+- Runs entirely from a single [static binary](https://mailpit.axllent.org/docs/install/) or multi-architecture [Docker images](https://mailpit.axllent.org/docs/install/docker/)
+- Modern web UI with advanced [mail search](https://mailpit.axllent.org/docs/usage/search-filters/) to view emails (formatted HTML, highlighted HTML source, text, headers, raw source, and MIME attachments
+including image thumbnails), including optional [HTTPS](https://mailpit.axllent.org/docs/configuration/http/) & [authentication](https://mailpit.axllent.org/docs/configuration/http/)
+- [SMTP server](https://mailpit.axllent.org/docs/configuration/smtp/) with optional STARTTLS or SSL/TLS, authentication (including an "accept any" mode)
+- A [REST API](https://mailpit.axllent.org/docs/api-v1/) for integration testing
+- Real-time web UI updates using web sockets for new mail & optional [browser notifications](https://mailpit.axllent.org/docs/usage/notifications/) when new mail is received
+- Optional [POP3 server](https://mailpit.axllent.org/docs/configuration/pop3/) to download captured message directly into your email client
 - [HTML check](https://mailpit.axllent.org/docs/usage/html-check/) to test & score mail client compatibility with HTML emails
 - [Link check](https://mailpit.axllent.org/docs/usage/link-check/) to test message links (HTML & text) & linked images
 - [Spam check](https://mailpit.axllent.org/docs/usage/spamassassin/) to test message "spamminess" using a running SpamAssassin server
 - [Create screenshots](https://mailpit.axllent.org/docs/usage/html-screenshots/) of HTML messages via web UI
- `List-Unsubscribe` syntax validation
 - Mobile and tablet HTML preview toggle in desktop mode
- Advanced [mail search](https://mailpit.axllent.org/docs/usage/search-filters/)
- [Message tagging](https://mailpit.axllent.org/docs/usage/tagging/)
- Real-time web UI updates using web sockets for new mail & optional browser notifications for new mail (when accessed
-via either HTTPS or `localhost` only)
- SMTP server with optional [STARTTLS & SMTP authentication](https://mailpit.axllent.org/docs/configuration/smtp-authentication/) (including an
-"accept any" mode)
- [SMTP relaying](https://mailpit.axllent.org/docs/configuration/smtp-relay/) (message release) - relay messages via a different SMTP server
-including an optional allowlist of accepted recipients
- Fast SMTP processing & storing - ingesting 100-200 emails per second depending on CPU, network speed & email size,
-easily handling tens of thousands of emails
- Optional [POP3 server](https://mailpit.axllent.org/docs/configuration/pop3/) to download captured message directly into your email client
- Configurable automatic email pruning (default keeps the most recent 500 emails)
- A simple [REST API](https://mailpit.axllent.org/docs/api-v1/) for integration testing
+- [Message tagging](https://mailpit.axllent.org/docs/usage/tagging/) including manual tagging or automated tagging using filtering and "plus addressing"
+- [SMTP relaying](https://mailpit.axllent.org/docs/configuration/smtp-relay/) (message release) - relay messages via a different SMTP server including an optional allowlist of accepted recipients
+- Fast message [storing & processing](https://mailpit.axllent.org/docs/configuration/email-storage/) - ingesting 100-200 emails per second over SMTP depending on CPU, network speed & email size,
+easily handling tens of thousands of emails, with automatic email pruning (by default keeping the most recent 500 emails)
+- `List-Unsubscribe` syntax validation
 - Optional [webhook](https://mailpit.axllent.org/docs/integration/webhook/) for received messages
- Multi-architecture [Docker images](https://mailpit.axllent.org/docs/install/docker/)


 ## Installation
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,19 @@
+# Reporting security vulnerabilities
+
+Your efforts to responsibly disclose your findings are appreciated.
+
+** **Please do _not_ report security vulnerabilities through public GitHub issues.** **
+
+If you believe you have found a **security vulnerability**, then please report it to security@axllent.org so 
+your findings can be investigated, and if confirmed, fixed and released in a timely manner.
+
+Your report should include:
+
+- Mailpit version
+- A vulnerability description
+- Reproduction steps (if applicable)
+- Any other details you think are likely to be important
+
+You should receive an initial acknowledgement within 24 hours in most cases, and will kept updated throughout the process. 
+
+With your consent, your contributions will be publicly acknowledged.
--- a/cmd/ingest.go
+++ b/cmd/ingest.go
@@ -2,9 +2,9 @@ package cmd

 import (
 	"bytes"
+	"fmt"
 	"io"
 	"net/mail"
-	"net/smtp"
 	"os"
 	"path/filepath"
 	"strings"
@@ -13,8 +13,6 @@ import (
 	"github.com/axllent/mailpit/internal/logger"
 	sendmail "github.com/axllent/mailpit/sendmail/cmd"
 	"github.com/spf13/cobra"
-	"golang.org/x/text/language"
-	"golang.org/x/text/message"
 )

 var (
@@ -36,7 +34,6 @@ The --recent flag will only consider files with a modification date within the l
 		var count int
 		var total int
 		var per100start = time.Now()
-		p := message.NewPrinter(language.English)

 		for _, a := range args {
 			err := filepath.Walk(a,
@@ -49,9 +46,7 @@ The --recent flag will only consider files with a modification date within the l
 						return nil
 					}

-					info.ModTime()
-
-					if ingestRecent > 0 && time.Now().Sub(info.ModTime()) > time.Duration(ingestRecent)*24*time.Hour {
+					if ingestRecent > 0 && time.Since(info.ModTime()) > time.Duration(ingestRecent)*24*time.Hour {
 						return nil
 					}

@@ -110,7 +105,7 @@ The --recent flag will only consider files with a modification date within the l
 						}
 					}

-					err = smtp.SendMail(sendmail.SMTPAddr, nil, returnPath, recipients, body)
+					err = sendmail.Send(sendmail.SMTPAddr, returnPath, recipients, body)
 					if err != nil {
 						logger.Log().Errorf("error sending mail: %s (%s)", err.Error(), path)
 						return nil
@@ -119,8 +114,7 @@ The --recent flag will only consider files with a modification date within the l
 					count++
 					total++
 					if count%100 == 0 {
-						formatted := p.Sprintf("%d", total)
-						logger.Log().Infof("[%s] 100 messages in %s", formatted, time.Since(per100start))
+						logger.Log().Infof("[%s] 100 messages in %s", format(total), time.Since(per100start))

 						per100start = time.Now()
 					}
@@ -151,3 +145,29 @@ func isFile(path string) bool {

 	return true
 }
+
+// Format a an integer 10000 => 10,000
+func format(n int) string {
+	in := fmt.Sprintf("%d", n)
+	numOfDigits := len(in)
+	if n < 0 {
+		numOfDigits-- // First character is the - sign (not a digit)
+	}
+	numOfCommas := (numOfDigits - 1) / 3
+
+	out := make([]byte, len(in)+numOfCommas)
+	if n < 0 {
+		in, out[0] = in[1:], '-'
+	}
+
+	for i, j, k := len(in)-1, len(out)-1, 0; ; i, j = i-1, j-1 {
+		out[j] = in[i]
+		if i == 0 {
+			return string(out)
+		}
+		if k++; k == 3 {
+			j, k = j-1, 0
+			out[j] = ','
+		}
+	}
+}
--- a/cmd/readyz.go
+++ b/cmd/readyz.go
@@ -0,0 +1,76 @@
+package cmd
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+	"os"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/spf13/cobra"
+)
+
+var (
+	useHTTPS bool
+)
+
+// readyzCmd represents the healthcheck command
+var readyzCmd = &cobra.Command{
+	Use:   "readyz",
+	Short: "Run a healthcheck to test if Mailpit is running",
+	Long: `This command connects to the /readyz endpoint of a running Mailpit server
+and exits with a status of 0 if the connection is successful, else with a 
+status 1 if unhealthy.
+
+If running within Docker, it should automatically detect environment
+settings to determine the HTTP bind interface & port.
+`,
+	Run: func(cmd *cobra.Command, args []string) {
+		webroot := strings.TrimRight(path.Join("/", config.Webroot, "/"), "/") + "/"
+		proto := "http"
+		if useHTTPS {
+			proto = "https"
+		}
+
+		uri := fmt.Sprintf("%s://%s%sreadyz", proto, config.HTTPListen, webroot)
+
+		conf := &http.Transport{
+			IdleConnTimeout:       time.Second * 5,
+			ExpectContinueTimeout: time.Second * 5,
+			TLSHandshakeTimeout:   time.Second * 5,
+			// do not verify TLS in case this instance is using HTTPS
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // #nosec
+		}
+		client := &http.Client{Transport: conf}
+
+		res, err := client.Get(uri)
+		if err != nil || res.StatusCode != 200 {
+			os.Exit(1)
+		}
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(readyzCmd)
+
+	if len(os.Getenv("MP_UI_BIND_ADDR")) > 0 {
+		config.HTTPListen = os.Getenv("MP_UI_BIND_ADDR")
+	}
+
+	if len(os.Getenv("MP_WEBROOT")) > 0 {
+		config.Webroot = os.Getenv("MP_WEBROOT")
+	}
+
+	config.UITLSCert = os.Getenv("MP_UI_TLS_CERT")
+
+	if config.UITLSCert != "" {
+		useHTTPS = true
+	}
+
+	readyzCmd.Flags().StringVarP(&config.HTTPListen, "listen", "l", config.HTTPListen, "Set the HTTP bind interface & port")
+	readyzCmd.Flags().StringVar(&config.Webroot, "webroot", config.Webroot, "Set the webroot for web UI & API")
+	readyzCmd.Flags().BoolVar(&useHTTPS, "https", useHTTPS, "Connect via HTTPS (ignores HTTPS validation)")
+}
--- a/cmd/reindex.go
+++ b/cmd/reindex.go
@@ -19,7 +19,7 @@ If you have several thousand messages in your mailbox, then it is advised to shu
 Mailpit while you reindex as this process will likely result in database locking issues.`,
 	Args: cobra.ExactArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
-		config.DataFile = args[0]
+		config.Database = args[0]
 		config.MaxMessages = 0

 		if err := storage.InitDB(); err != nil {
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -17,8 +17,6 @@ import (
 	"github.com/spf13/cobra"
 )

-var cfgFile string
-
 // rootCmd represents the base command when called without any subcommands
 var rootCmd = &cobra.Command{
 	Use:   "mailpit",
@@ -36,14 +34,15 @@ Documentation:
 			os.Exit(1)
 		}
 		if err := storage.InitDB(); err != nil {
-			logger.Log().Error(err.Error())
+			logger.Log().Fatal(err.Error())
 			os.Exit(1)
 		}

 		go server.Listen()

 		if err := smtpd.Listen(); err != nil {
-			logger.Log().Error(err.Error())
+			storage.Close()
+			logger.Log().Fatal(err.Error())
 			os.Exit(1)
 		}
 	},
@@ -79,56 +78,71 @@ func init() {
 	// load and warn deprecated ENV vars
 	initDeprecatedConfigFromEnv()

-	// load ENV vars
+	// load environment variables
 	initConfigFromEnv()

-	rootCmd.Flags().StringVarP(&config.DataFile, "db-file", "d", config.DataFile, "Database file to store persistent data")
-	rootCmd.Flags().StringVarP(&config.SMTPListen, "smtp", "s", config.SMTPListen, "SMTP bind interface and port")
-	rootCmd.Flags().StringVarP(&config.HTTPListen, "listen", "l", config.HTTPListen, "HTTP bind interface and port for UI")
+	rootCmd.Flags().StringVarP(&config.Database, "database", "d", config.Database, "Database to store persistent data")
+	rootCmd.Flags().StringVar(&config.Label, "label", config.Label, "Optional label identify this Mailpit instance")
+	rootCmd.Flags().StringVar(&config.TenantID, "tenant-id", config.TenantID, "Database tenant ID to isolate data")
 	rootCmd.Flags().IntVarP(&config.MaxMessages, "max", "m", config.MaxMessages, "Max number of messages to store")
-	rootCmd.Flags().StringVar(&config.Webroot, "webroot", config.Webroot, "Set the webroot for web UI & API")
-	rootCmd.Flags().StringVar(&server.AccessControlAllowOrigin, "api-cors", server.AccessControlAllowOrigin, "Set API CORS Access-Control-Allow-Origin header")
+	rootCmd.Flags().StringVar(&config.MaxAge, "max-age", config.MaxAge, "Max age of messages in either (h)ours or (d)ays (eg: 3d)")
 	rootCmd.Flags().BoolVar(&config.UseMessageDates, "use-message-dates", config.UseMessageDates, "Use message dates as the received dates")
 	rootCmd.Flags().BoolVar(&config.IgnoreDuplicateIDs, "ignore-duplicate-ids", config.IgnoreDuplicateIDs, "Ignore duplicate messages (by Message-Id)")
-	rootCmd.Flags().BoolVar(&config.DisableHTMLCheck, "disable-html-check", config.DisableHTMLCheck, "Disable the HTML check functionality (web UI & API)")
-	rootCmd.Flags().BoolVar(&config.BlockRemoteCSSAndFonts, "block-remote-css-and-fonts", config.BlockRemoteCSSAndFonts, "Block access to remote CSS & fonts")
-	rootCmd.Flags().StringVar(&config.EnableSpamAssassin, "enable-spamassassin", config.EnableSpamAssassin, "Enable integration with SpamAssassin")
+	rootCmd.Flags().StringVar(&logger.LogFile, "log-file", logger.LogFile, "Log output to file instead of stdout")
+	rootCmd.Flags().BoolVarP(&logger.QuietLogging, "quiet", "q", logger.QuietLogging, "Quiet logging (errors only)")
+	rootCmd.Flags().BoolVarP(&logger.VerboseLogging, "verbose", "v", logger.VerboseLogging, "Verbose logging")

+	// Web UI / API
+	rootCmd.Flags().StringVarP(&config.HTTPListen, "listen", "l", config.HTTPListen, "HTTP bind interface & port for UI")
+	rootCmd.Flags().StringVar(&config.Webroot, "webroot", config.Webroot, "Set the webroot for web UI & API")
 	rootCmd.Flags().StringVar(&config.UIAuthFile, "ui-auth-file", config.UIAuthFile, "A password file for web UI & API authentication")
 	rootCmd.Flags().StringVar(&config.UITLSCert, "ui-tls-cert", config.UITLSCert, "TLS certificate for web UI (HTTPS) - requires ui-tls-key")
 	rootCmd.Flags().StringVar(&config.UITLSKey, "ui-tls-key", config.UITLSKey, "TLS key for web UI (HTTPS) - requires ui-tls-cert")
+	rootCmd.Flags().StringVar(&server.AccessControlAllowOrigin, "api-cors", server.AccessControlAllowOrigin, "Set API CORS Access-Control-Allow-Origin header")
+	rootCmd.Flags().BoolVar(&config.BlockRemoteCSSAndFonts, "block-remote-css-and-fonts", config.BlockRemoteCSSAndFonts, "Block access to remote CSS & fonts")
+	rootCmd.Flags().StringVar(&config.EnableSpamAssassin, "enable-spamassassin", config.EnableSpamAssassin, "Enable integration with SpamAssassin")
+	rootCmd.Flags().BoolVar(&config.AllowUntrustedTLS, "allow-untrusted-tls", config.AllowUntrustedTLS, "Do not verify HTTPS certificates (link checker & screenshots)")

+	// SMTP server
+	rootCmd.Flags().StringVarP(&config.SMTPListen, "smtp", "s", config.SMTPListen, "SMTP bind interface and port")
 	rootCmd.Flags().StringVar(&config.SMTPAuthFile, "smtp-auth-file", config.SMTPAuthFile, "A password file for SMTP authentication")
 	rootCmd.Flags().BoolVar(&config.SMTPAuthAcceptAny, "smtp-auth-accept-any", config.SMTPAuthAcceptAny, "Accept any SMTP username and password, including none")
 	rootCmd.Flags().StringVar(&config.SMTPTLSCert, "smtp-tls-cert", config.SMTPTLSCert, "TLS certificate for SMTP (STARTTLS) - requires smtp-tls-key")
 	rootCmd.Flags().StringVar(&config.SMTPTLSKey, "smtp-tls-key", config.SMTPTLSKey, "TLS key for SMTP (STARTTLS) - requires smtp-tls-cert")
-	rootCmd.Flags().BoolVar(&config.SMTPTLSRequired, "smtp-tls-required", config.SMTPTLSRequired, "Require TLS SMTP encryption")
+	rootCmd.Flags().BoolVar(&config.SMTPRequireSTARTTLS, "smtp-require-starttls", config.SMTPRequireSTARTTLS, "Require SMTP client use STARTTLS")
+	rootCmd.Flags().BoolVar(&config.SMTPRequireTLS, "smtp-require-tls", config.SMTPRequireTLS, "Require client use SSL/TLS")
 	rootCmd.Flags().BoolVar(&config.SMTPAuthAllowInsecure, "smtp-auth-allow-insecure", config.SMTPAuthAllowInsecure, "Allow insecure PLAIN & LOGIN SMTP authentication")
 	rootCmd.Flags().BoolVar(&config.SMTPStrictRFCHeaders, "smtp-strict-rfc-headers", config.SMTPStrictRFCHeaders, "Return SMTP error if message headers contain <CR><CR><LF>")
 	rootCmd.Flags().IntVar(&config.SMTPMaxRecipients, "smtp-max-recipients", config.SMTPMaxRecipients, "Maximum SMTP recipients allowed")
 	rootCmd.Flags().StringVar(&config.SMTPAllowedRecipients, "smtp-allowed-recipients", config.SMTPAllowedRecipients, "Only allow SMTP recipients matching a regular expression (default allow all)")
 	rootCmd.Flags().BoolVar(&smtpd.DisableReverseDNS, "smtp-disable-rdns", smtpd.DisableReverseDNS, "Disable SMTP reverse DNS lookups")

-	rootCmd.Flags().StringVar(&config.SMTPRelayConfigFile, "smtp-relay-config", config.SMTPRelayConfigFile, "SMTP configuration file to allow releasing messages")
-	rootCmd.Flags().BoolVar(&config.SMTPRelayAllIncoming, "smtp-relay-all", config.SMTPRelayAllIncoming, "Relay all incoming messages via external SMTP server (caution!)")
+	// SMTP relay
+	rootCmd.Flags().StringVar(&config.SMTPRelayConfigFile, "smtp-relay-config", config.SMTPRelayConfigFile, "SMTP relay configuration file to allow releasing messages")
+	rootCmd.Flags().BoolVar(&config.SMTPRelayAll, "smtp-relay-all", config.SMTPRelayAll, "Auto-relay all new messages via external SMTP server (caution!)")
+	rootCmd.Flags().StringVar(&config.SMTPRelayMatching, "smtp-relay-matching", config.SMTPRelayMatching, "Auto-relay new messages to only matching recipients (regular expression)")

+	// POP3 server
 	rootCmd.Flags().StringVar(&config.POP3Listen, "pop3", config.POP3Listen, "POP3 server bind interface and port")
 	rootCmd.Flags().StringVar(&config.POP3AuthFile, "pop3-auth-file", config.POP3AuthFile, "A password file for POP3 server authentication (enables POP3 server)")
 	rootCmd.Flags().StringVar(&config.POP3TLSCert, "pop3-tls-cert", config.POP3TLSCert, "Optional TLS certificate for POP3 server - requires pop3-tls-key")
 	rootCmd.Flags().StringVar(&config.POP3TLSKey, "pop3-tls-key", config.POP3TLSKey, "Optional TLS key for POP3 server - requires pop3-tls-cert")

+	// Tagging
+	rootCmd.Flags().StringVarP(&config.CLITagsArg, "tag", "t", config.CLITagsArg, "Tag new messages matching filters")
+	rootCmd.Flags().StringVar(&config.TagsConfig, "tags-config", config.TagsConfig, "Load tags filters from yaml configuration file")
+	rootCmd.Flags().BoolVar(&tools.TagsTitleCase, "tags-title-case", tools.TagsTitleCase, "TitleCase new tags generated from plus-addresses and X-Tags")
+	rootCmd.Flags().StringVar(&config.TagsDisable, "tags-disable", config.TagsDisable, "Disable auto-tagging, comma separated (eg: plus-addresses,x-tags)")
+
+	// Webhook
 	rootCmd.Flags().StringVar(&config.WebhookURL, "webhook-url", config.WebhookURL, "Send a webhook request for new messages")
 	rootCmd.Flags().IntVar(&webhook.RateLimit, "webhook-limit", webhook.RateLimit, "Limit webhook requests per second")

-	rootCmd.Flags().BoolVar(&config.AllowUntrustedTLS, "allow-untrusted-tls", config.AllowUntrustedTLS, "Do not verify HTTPS certificates (link checker & screenshots)")
+	// DEPRECATED FLAG 2024/04/12 - but will not be removed to maintain backwards compatibility
+	rootCmd.Flags().StringVar(&config.Database, "db-file", config.Database, "Database file to store persistent data")
+	rootCmd.Flags().Lookup("db-file").Hidden = true

-	rootCmd.Flags().StringVarP(&config.SMTPCLITags, "tag", "t", config.SMTPCLITags, "Tag new messages matching filters")
-	rootCmd.Flags().BoolVar(&tools.TagsTitleCase, "tags-title-case", tools.TagsTitleCase, "Convert new tags automatically to TitleCase")
-	rootCmd.Flags().StringVar(&logger.LogFile, "log-file", logger.LogFile, "Log output to file instead of stdout")
-	rootCmd.Flags().BoolVarP(&logger.QuietLogging, "quiet", "q", logger.QuietLogging, "Quiet logging (errors only)")
-	rootCmd.Flags().BoolVarP(&logger.VerboseLogging, "verbose", "v", logger.VerboseLogging, "Verbose logging")
-
-	// deprecated flags 2023/03/12
+	// DEPRECATED FLAGS 2023/03/12
 	rootCmd.Flags().StringVar(&config.UITLSCert, "ui-ssl-cert", config.UITLSCert, "SSL certificate for web UI - requires ui-ssl-key")
 	rootCmd.Flags().StringVar(&config.UITLSKey, "ui-ssl-key", config.UITLSKey, "SSL key for web UI - requires ui-ssl-cert")
 	rootCmd.Flags().StringVar(&config.SMTPTLSCert, "smtp-ssl-cert", config.SMTPTLSCert, "SSL certificate for SMTP - requires smtp-ssl-key")
@@ -141,43 +155,95 @@ func init() {
 	rootCmd.Flags().Lookup("smtp-ssl-cert").Deprecated = "use --smtp-tls-cert"
 	rootCmd.Flags().Lookup("smtp-ssl-key").Hidden = true
 	rootCmd.Flags().Lookup("smtp-ssl-key").Deprecated = "use --smtp-tls-key"
+
+	// DEPRECATED FLAGS 2024/03/16
+	rootCmd.Flags().BoolVar(&config.SMTPRequireSTARTTLS, "smtp-tls-required", config.SMTPRequireSTARTTLS, "smtp-require-starttls")
+	rootCmd.Flags().Lookup("smtp-tls-required").Hidden = true
+	rootCmd.Flags().Lookup("smtp-tls-required").Deprecated = "use --smtp-require-starttls"
+
+	// DEPRECATED FLAG 2024/04/13 - no longer used
+	rootCmd.Flags().BoolVar(&config.DisableHTMLCheck, "disable-html-check", config.DisableHTMLCheck, "Disable the HTML check functionality (web UI & API)")
+	rootCmd.Flags().Lookup("disable-html-check").Hidden = true
 }

 // Load settings from environment
 func initConfigFromEnv() {
-	// inherit from environment if provided
-	config.DataFile = os.Getenv("MP_DATA_FILE")
-	if len(os.Getenv("MP_SMTP_BIND_ADDR")) > 0 {
-		config.SMTPListen = os.Getenv("MP_SMTP_BIND_ADDR")
-	}
-	if len(os.Getenv("MP_UI_BIND_ADDR")) > 0 {
-		config.HTTPListen = os.Getenv("MP_UI_BIND_ADDR")
+	// General
+	if len(os.Getenv("MP_DATABASE")) > 0 {
+		config.Database = os.Getenv("MP_DATABASE")
 	}
+
+	config.TenantID = os.Getenv("MP_TENANT_ID")
+
+	config.Label = os.Getenv("MP_LABEL")
+
 	if len(os.Getenv("MP_MAX_MESSAGES")) > 0 {
 		config.MaxMessages, _ = strconv.Atoi(os.Getenv("MP_MAX_MESSAGES"))
 	}
+	if len(os.Getenv("MP_MAX_AGE")) > 0 {
+		config.MaxAge = os.Getenv("MP_MAX_AGE")
+	}
+	if getEnabledFromEnv("MP_USE_MESSAGE_DATES") {
+		config.UseMessageDates = true
+	}
+	if getEnabledFromEnv("MP_IGNORE_DUPLICATE_IDS") {
+		config.IgnoreDuplicateIDs = true
+	}
+	if len(os.Getenv("MP_LOG_FILE")) > 0 {
+		logger.LogFile = os.Getenv("MP_LOG_FILE")
+	}
+	if getEnabledFromEnv("MP_QUIET") {
+		logger.QuietLogging = true
+	}
+	if getEnabledFromEnv("MP_VERBOSE") {
+		logger.VerboseLogging = true
+	}

-	// UI
+	// Web UI & API
+	if len(os.Getenv("MP_UI_BIND_ADDR")) > 0 {
+		config.HTTPListen = os.Getenv("MP_UI_BIND_ADDR")
+	}
+	if len(os.Getenv("MP_WEBROOT")) > 0 {
+		config.Webroot = os.Getenv("MP_WEBROOT")
+	}
 	config.UIAuthFile = os.Getenv("MP_UI_AUTH_FILE")
 	if err := auth.SetUIAuth(os.Getenv("MP_UI_AUTH")); err != nil {
 		logger.Log().Errorf(err.Error())
 	}
 	config.UITLSCert = os.Getenv("MP_UI_TLS_CERT")
 	config.UITLSKey = os.Getenv("MP_UI_TLS_KEY")
+	if len(os.Getenv("MP_API_CORS")) > 0 {
+		server.AccessControlAllowOrigin = os.Getenv("MP_API_CORS")
+	}
+	if getEnabledFromEnv("MP_BLOCK_REMOTE_CSS_AND_FONTS") {
+		config.BlockRemoteCSSAndFonts = true
+	}
+	if len(os.Getenv("MP_ENABLE_SPAMASSASSIN")) > 0 {
+		config.EnableSpamAssassin = os.Getenv("MP_ENABLE_SPAMASSASSIN")
+	}
+	if getEnabledFromEnv("MP_ALLOW_UNTRUSTED_TLS") {
+		config.AllowUntrustedTLS = true
+	}

-	// SMTP
+	// SMTP server
+	if len(os.Getenv("MP_SMTP_BIND_ADDR")) > 0 {
+		config.SMTPListen = os.Getenv("MP_SMTP_BIND_ADDR")
+	}
 	config.SMTPAuthFile = os.Getenv("MP_SMTP_AUTH_FILE")
 	if err := auth.SetSMTPAuth(os.Getenv("MP_SMTP_AUTH")); err != nil {
 		logger.Log().Errorf(err.Error())
 	}
-	config.SMTPTLSCert = os.Getenv("MP_SMTP_TLS_CERT")
-	config.SMTPTLSKey = os.Getenv("MP_SMTP_TLS_KEY")
-	if getEnabledFromEnv("MP_SMTP_TLS_REQUIRED") {
-		config.SMTPTLSRequired = true
-	}
 	if getEnabledFromEnv("MP_SMTP_AUTH_ACCEPT_ANY") {
 		config.SMTPAuthAcceptAny = true
 	}
+	config.SMTPTLSCert = os.Getenv("MP_SMTP_TLS_CERT")
+	config.SMTPTLSKey = os.Getenv("MP_SMTP_TLS_KEY")
+	if getEnabledFromEnv("MP_SMTP_REQUIRE_STARTTLS") {
+		config.SMTPRequireSTARTTLS = true
+	}
+	if getEnabledFromEnv("MP_SMTP_REQUIRE_TLS") {
+		config.SMTPRequireTLS = true
+	}
 	if getEnabledFromEnv("MP_SMTP_AUTH_ALLOW_INSECURE") {
 		config.SMTPAuthAllowInsecure = true
 	}
@@ -194,13 +260,28 @@ func initConfigFromEnv() {
 		smtpd.DisableReverseDNS = true
 	}

-	// Relay server config
+	// SMTP relay
 	config.SMTPRelayConfigFile = os.Getenv("MP_SMTP_RELAY_CONFIG")
 	if getEnabledFromEnv("MP_SMTP_RELAY_ALL") {
-		config.SMTPRelayAllIncoming = true
+		config.SMTPRelayAll = true
 	}
+	config.SMTPRelayMatching = os.Getenv("MP_SMTP_RELAY_MATCHING")
+	config.SMTPRelayConfig = config.SMTPRelayConfigStruct{}
+	config.SMTPRelayConfig.Host = os.Getenv("MP_SMTP_RELAY_HOST")
+	if len(os.Getenv("MP_SMTP_RELAY_PORT")) > 0 {
+		config.SMTPRelayConfig.Port, _ = strconv.Atoi(os.Getenv("MP_SMTP_RELAY_PORT"))
+	}
+	config.SMTPRelayConfig.STARTTLS = getEnabledFromEnv("MP_SMTP_RELAY_STARTTLS")
+	config.SMTPRelayConfig.AllowInsecure = getEnabledFromEnv("MP_SMTP_RELAY_ALLOW_INSECURE")
+	config.SMTPRelayConfig.Auth = os.Getenv("MP_SMTP_RELAY_AUTH")
+	config.SMTPRelayConfig.Username = os.Getenv("MP_SMTP_RELAY_USERNAME")
+	config.SMTPRelayConfig.Password = os.Getenv("MP_SMTP_RELAY_PASSWORD")
+	config.SMTPRelayConfig.Secret = os.Getenv("MP_SMTP_RELAY_SECRET")
+	config.SMTPRelayConfig.ReturnPath = os.Getenv("MP_SMTP_RELAY_RETURN_PATH")
+	config.SMTPRelayConfig.AllowedRecipients = os.Getenv("MP_SMTP_RELAY_ALLOWED_RECIPIENTS")
+	config.SMTPRelayConfig.BlockedRecipients = os.Getenv("MP_SMTP_RELAY_BLOCKED_RECIPIENTS")

-	// POP3
+	// POP3 server
 	if len(os.Getenv("MP_POP3_BIND_ADDR")) > 0 {
 		config.POP3Listen = os.Getenv("MP_POP3_BIND_ADDR")
 	}
@@ -211,6 +292,12 @@ func initConfigFromEnv() {
 	config.POP3TLSCert = os.Getenv("MP_POP3_TLS_CERT")
 	config.POP3TLSKey = os.Getenv("MP_POP3_TLS_KEY")

+	// Tagging
+	config.CLITagsArg = os.Getenv("MP_TAG")
+	config.TagsConfig = os.Getenv("MP_TAGS_CONFIG")
+	tools.TagsTitleCase = getEnabledFromEnv("MP_TAGS_TITLE_CASE")
+	config.TagsDisable = os.Getenv("MP_TAGS_DISABLE")
+
 	// Webhook
 	if len(os.Getenv("MP_WEBHOOK_URL")) > 0 {
 		config.WebhookURL = os.Getenv("MP_WEBHOOK_URL")
@@ -219,50 +306,17 @@ func initConfigFromEnv() {
 		webhook.RateLimit, _ = strconv.Atoi(os.Getenv("MP_WEBHOOK_LIMIT"))
 	}

-	// Misc options
-	if len(os.Getenv("MP_WEBROOT")) > 0 {
-		config.Webroot = os.Getenv("MP_WEBROOT")
-	}
-	if len(os.Getenv("MP_API_CORS")) > 0 {
-		server.AccessControlAllowOrigin = os.Getenv("MP_API_CORS")
-	}
-	if getEnabledFromEnv("MP_USE_MESSAGE_DATES") {
-		config.UseMessageDates = true
-	}
-	if getEnabledFromEnv("MP_IGNORE_DUPLICATE_IDS") {
-		config.IgnoreDuplicateIDs = true
-	}
-	if getEnabledFromEnv("MP_DISABLE_HTML_CHECK") {
-		config.DisableHTMLCheck = true
-	}
-	if getEnabledFromEnv("MP_BLOCK_REMOTE_CSS_AND_FONTS") {
-		config.BlockRemoteCSSAndFonts = true
-	}
-	if len(os.Getenv("MP_ENABLE_SPAMASSASSIN")) > 0 {
-		config.EnableSpamAssassin = os.Getenv("MP_ENABLE_SPAMASSASSIN")
-	}
-	if getEnabledFromEnv("MP_ALLOW_UNTRUSTED_TLS") {
-		config.AllowUntrustedTLS = true
-	}
-	if len(os.Getenv("MP_TAG")) > 0 {
-		config.SMTPCLITags = os.Getenv("MP_TAG")
-	}
-	if getEnabledFromEnv("MP_TAGS_TITLE_CASE") {
-		tools.TagsTitleCase = getEnabledFromEnv("MP_TAGS_TITLE_CASE")
-	}
-	if len(os.Getenv("MP_LOG_FILE")) > 0 {
-		logger.LogFile = os.Getenv("MP_LOG_FILE")
-	}
-	if getEnabledFromEnv("MP_QUIET") {
-		logger.QuietLogging = true
-	}
-	if getEnabledFromEnv("MP_VERBOSE") {
-		logger.VerboseLogging = true
-	}
+	// Demo mode
+	config.DemoMode = getEnabledFromEnv("MP_DEMO_MODE")
 }

 // load deprecated settings from environment and warn
 func initDeprecatedConfigFromEnv() {
+	// deprecated 2024/04/12 - but will not be removed to maintain backwards compatibility
+	if len(os.Getenv("MP_DATA_FILE")) > 0 {
+		config.Database = os.Getenv("MP_DATA_FILE")
+	}
+
 	// deprecated 2023/03/12
 	if len(os.Getenv("MP_UI_SSL_CERT")) > 0 {
 		logger.Log().Warn("ENV MP_UI_SSL_CERT has been deprecated, use MP_UI_TLS_CERT")
@@ -288,6 +342,15 @@ func initDeprecatedConfigFromEnv() {
 		logger.Log().Warn("ENV MP_STRICT_RFC_HEADERS has been deprecated, use MP_SMTP_STRICT_RFC_HEADERS")
 		config.SMTPStrictRFCHeaders = true
 	}
+	// deprecated 2024/03.16
+	if getEnabledFromEnv("MP_SMTP_TLS_REQUIRED") {
+		logger.Log().Warn("ENV MP_SMTP_TLS_REQUIRED has been deprecated, use MP_SMTP_REQUIRE_STARTTLS")
+		config.SMTPRequireSTARTTLS = true
+	}
+	if getEnabledFromEnv("MP_DISABLE_HTML_CHECK") {
+		logger.Log().Warn("ENV MP_DISABLE_HTML_CHECK has been deprecated and is no longer used")
+		config.DisableHTMLCheck = true
+	}
 }

 // Wrapper to get a boolean from an environment variable
--- a/cmd/sendmail.go
+++ b/cmd/sendmail.go
@@ -12,13 +12,13 @@ var sendmailCmd = &cobra.Command{
 	Use:   "sendmail [flags] [recipients]",
 	Short: "A sendmail command replacement for Mailpit",
 	Run: func(_ *cobra.Command, _ []string) {
-
 		sendmail.Run()
 	},
 }

 func init() {
 	rootCmd.AddCommand(sendmailCmd)
+	var ignored string

 	// print out manual help screen
 	sendmailCmd.SetHelpTemplate(sendmail.HelpTemplate([]string{os.Args[0], "sendmail"}))
@@ -27,10 +27,13 @@ func init() {
 	// multi-letter single-dash variables (-bs)
 	sendmailCmd.Flags().StringVarP(&sendmail.FromAddr, "from", "f", sendmail.FromAddr, "SMTP sender")
 	sendmailCmd.Flags().StringVarP(&sendmail.SMTPAddr, "smtp-addr", "S", sendmail.SMTPAddr, "SMTP server address")
-	sendmailCmd.Flags().BoolVarP(&sendmail.UseB, "long-b", "b", false, "Handle SMTP commands on standard input (use as -bs)")
-	sendmailCmd.Flags().BoolVarP(&sendmail.UseS, "long-s", "s", false, "Handle SMTP commands on standard input (use as -bs)")
+	sendmailCmd.Flags().BoolVarP(&sendmail.UseB, "ignored-b", "b", false, "Handle SMTP commands on standard input (use as -bs)")
+	sendmailCmd.Flags().BoolVarP(&sendmail.UseS, "ignored-s", "s", false, "Handle SMTP commands on standard input (use as -bs)")
 	sendmailCmd.Flags().BoolP("verbose", "v", false, "Verbose mode (sends debug output to stderr)")
-	sendmailCmd.Flags().BoolP("long-i", "i", false, "Ignored")
-	sendmailCmd.Flags().BoolP("long-o", "o", false, "Ignored")
-	sendmailCmd.Flags().BoolP("long-t", "t", false, "Ignored")
+	sendmailCmd.Flags().BoolP("ignored-i", "i", false, "Ignored")
+	sendmailCmd.Flags().BoolP("ignored-o", "o", false, "Ignored")
+	sendmailCmd.Flags().BoolP("ignored-t", "t", false, "Ignored")
+	sendmailCmd.Flags().StringVarP(&ignored, "ignored-name", "F", "", "Ignored")
+	sendmailCmd.Flags().StringVarP(&ignored, "ignored-bits", "B", "", "Ignored")
+	sendmailCmd.Flags().StringVarP(&ignored, "ignored-errors", "e", "", "Ignored")
 }
--- a/config/config.go
+++ b/config/config.go
@@ -10,6 +10,7 @@ import (
 	"path"
 	"path/filepath"
 	"regexp"
+	"strconv"
 	"strings"

 	"github.com/axllent/mailpit/internal/auth"
@@ -26,12 +27,27 @@ var (
 	// HTTPListen to listen on <interface>:<port>
 	HTTPListen = "[::]:8025"

-	// DataFile for mail (optional)
-	DataFile string
+	// Database for mail (optional)
+	Database string
+
+	// TenantID is an optional prefix to be applied to all database tables,
+	// allowing multiple isolated instances of Mailpit to share a database.
+	TenantID string
+
+	// Label to identify this Mailpit instance (optional).
+	// This gets applied to web UI, SMTP and optional POP3 server.
+	Label string

 	// MaxMessages is the maximum number of messages a mailbox can have (auto-pruned every minute)
 	MaxMessages = 500

+	// MaxAge is the maximum age of messages (auto-pruned every hour).
+	// Value can be either <int>h for hours or <int>d for days
+	MaxAge string
+
+	// MaxAgeInHours is the maximum age of messages in hours, set with parseMaxAge() using MaxAge value
+	MaxAgeInHours int
+
 	// UseMessageDates sets the Created date using the message date, not the delivered date
 	UseMessageDates bool

@@ -53,10 +69,14 @@ var (
 	// SMTPTLSKey file
 	SMTPTLSKey string

-	// SMTPTLSRequired to enforce TLS
+	// SMTPRequireSTARTTLS to enforce the use of STARTTLS
 	// The only allowed commands are NOOP, EHLO, STARTTLS and QUIT (as specified in RFC 3207) until
 	// the connection is upgraded to TLS i.e. until STARTTLS is issued.
-	SMTPTLSRequired bool
+	SMTPRequireSTARTTLS bool
+
+	// SMTPRequireTLS to allow only SSL/TLS connections for all connections
+	//
+	SMTPRequireTLS bool

 	// SMTPAuthFile for SMTP authentication
 	SMTPAuthFile string
@@ -75,26 +95,30 @@ var (
 	// IgnoreDuplicateIDs will skip messages with the same ID
 	IgnoreDuplicateIDs bool

-	// DisableHTMLCheck used to disable the HTML check in bother the API and web UI
-	DisableHTMLCheck = false
-
 	// BlockRemoteCSSAndFonts used to disable remote CSS & fonts
 	BlockRemoteCSSAndFonts = false

-	// SMTPCLITags is used to map the CLI args
-	SMTPCLITags string
+	// CLITagsArg is used to map the CLI args
+	CLITagsArg string

 	// ValidTagRegexp represents a valid tag
 	ValidTagRegexp = regexp.MustCompile(`^([a-zA-Z0-9\-\ \_\.]){1,}$`)

-	// SMTPTags are expressions to apply tags to new mail
-	SMTPTags []AutoTag
+	// TagsConfig is a yaml file to pre-load tags
+	TagsConfig string
+
+	// TagFilters are used to apply tags to new mail
+	TagFilters []autoTag
+
+	// TagsDisable accepts a comma-separated list of tag types to disable
+	// including x-tags & plus-addresses
+	TagsDisable string

 	// SMTPRelayConfigFile to parse a yaml file and store config of relay SMTP server
 	SMTPRelayConfigFile string

 	// SMTPRelayConfig to parse a yaml file and store config of relay SMTP server
-	SMTPRelayConfig smtpRelayConfigStruct
+	SMTPRelayConfig SMTPRelayConfigStruct

 	// SMTPStrictRFCHeaders will return an error if the email headers contain <CR><CR><LF> (\r\r\n)
 	// @see https://github.com/axllent/mailpit/issues/87 & https://github.com/axllent/mailpit/issues/153
@@ -109,9 +133,15 @@ var (
 	// ReleaseEnabled is whether message releases are enabled, requires a valid SMTPRelayConfigFile
 	ReleaseEnabled = false

-	// SMTPRelayAllIncoming is whether to relay all incoming messages via pre-configured SMTP server.
+	// SMTPRelayAll is whether to relay all incoming messages via pre-configured SMTP server.
 	// Use with extreme caution!
-	SMTPRelayAllIncoming = false
+	SMTPRelayAll = false
+
+	// SMTPRelayMatching if set, will auto-release to recipients matching this regular expression
+	SMTPRelayMatching string
+
+	// SMTPRelayMatchingRegexp is the compiled version of SMTPRelayMatching
+	SMTPRelayMatchingRegexp *regexp.Regexp

 	// POP3Listen address - if set then Mailpit will start the POP3 server and listen on this address
 	POP3Listen = "[::]:1110"
@@ -145,27 +175,38 @@ var (

 	// RepoBinaryName on Github for updater
 	RepoBinaryName = "mailpit"
+
+	// DisableHTMLCheck DEPRECATED 2024/04/13 - kept here to display console warning only
+	DisableHTMLCheck = false
+
+	// DemoMode disables SMTP relay, link checking & HTTP send functionality
+	DemoMode = false
 )

 // AutoTag struct for auto-tagging
-type AutoTag struct {
-	Tag   string
+type autoTag struct {
 	Match string
+	Tags  []string
 }

 // SMTPRelayConfigStruct struct for parsing yaml & storing variables
-type smtpRelayConfigStruct struct {
-	Host                     string `yaml:"host"`
-	Port                     int    `yaml:"port"`
-	STARTTLS                 bool   `yaml:"starttls"`
-	AllowInsecure            bool   `yaml:"allow-insecure"`
-	Auth                     string `yaml:"auth"`                // none, plain, login, cram-md5
-	Username                 string `yaml:"username"`            // plain & cram-md5
-	Password                 string `yaml:"password"`            // plain
-	Secret                   string `yaml:"secret"`              // cram-md5
-	ReturnPath               string `yaml:"return-path"`         // allow overriding the bounce address
-	RecipientAllowlist       string `yaml:"recipient-allowlist"` // regex, if set needs to match for mails to be relayed
-	RecipientAllowlistRegexp *regexp.Regexp
+type SMTPRelayConfigStruct struct {
+	Host                    string         `yaml:"host"`
+	Port                    int            `yaml:"port"`
+	STARTTLS                bool           `yaml:"starttls"`
+	AllowInsecure           bool           `yaml:"allow-insecure"`
+	Auth                    string         `yaml:"auth"`               // none, plain, login, cram-md5
+	Username                string         `yaml:"username"`           // plain & cram-md5
+	Password                string         `yaml:"password"`           // plain
+	Secret                  string         `yaml:"secret"`             // cram-md5
+	ReturnPath              string         `yaml:"return-path"`        // allow overriding the bounce address
+	AllowedRecipients       string         `yaml:"allowed-recipients"` // regex, if set needs to match for mails to be relayed
+	AllowedRecipientsRegexp *regexp.Regexp // compiled regexp using AllowedRecipients
+	BlockedRecipients       string         `yaml:"blocked-recipients"` // regex, if set prevents relating to these addresses
+	BlockedRecipientsRegexp *regexp.Regexp // compiled regexp using BlockedRecipients
+
+	// DEPRECATED 2024/03/12
+	RecipientAllowlist string `yaml:"recipient-allowlist"`
 }

 // VerifyConfig wil do some basic checking
@@ -175,19 +216,33 @@ func VerifyConfig() error {
 		cssFontRestriction = "'self'"
 	}

+	// The default Content Security Policy is updates on every application page load to replace script-src 'self'
+	// with a random nonce ID to prevent XSS. This applies to the Mailpit app & API.
+	// See server.middleWareFunc()
 	ContentSecurityPolicy = fmt.Sprintf("default-src 'self'; script-src 'self'; style-src %s 'unsafe-inline'; frame-src 'self'; img-src * data: blob:; font-src %s data:; media-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self';",
 		cssFontRestriction, cssFontRestriction,
 	)

-	if DataFile != "" && isDir(DataFile) {
-		DataFile = filepath.Join(DataFile, "mailpit.db")
+	if Database != "" && isDir(Database) {
+		Database = filepath.Join(Database, "mailpit.db")
+	}
+
+	Label = tools.Normalize(Label)
+
+	if err := parseMaxAge(); err != nil {
+		return err
+	}
+
+	TenantID = DBTenantID(TenantID)
+	if TenantID != "" {
+		logger.Log().Infof("[db] using tenant \"%s\"", TenantID)
 	}

 	re := regexp.MustCompile(`.*:\d+$`)
-	if !re.MatchString(SMTPListen) {
+	if _, _, isSocket := tools.UnixSocket(SMTPListen); !isSocket && !re.MatchString(SMTPListen) {
 		return errors.New("[smtp] bind should be in the format of <ip>:<port>")
 	}
-	if !re.MatchString(HTTPListen) {
+	if _, _, isSocket := tools.UnixSocket(HTTPListen); !isSocket && !re.MatchString(HTTPListen) {
 		return errors.New("[ui] HTTP bind should be in the format of <ip>:<port>")
 	}

@@ -195,7 +250,7 @@ func VerifyConfig() error {
 		UIAuthFile = filepath.Clean(UIAuthFile)

 		if !isFile(UIAuthFile) {
-			return fmt.Errorf("[ui] HTTP password file not found: %s", UIAuthFile)
+			return fmt.Errorf("[ui] HTTP password file not found or readable: %s", UIAuthFile)
 		}

 		b, err := os.ReadFile(UIAuthFile)
@@ -217,11 +272,11 @@ func VerifyConfig() error {
 		UITLSKey = filepath.Clean(UITLSKey)

 		if !isFile(UITLSCert) {
-			return fmt.Errorf("[ui] TLS certificate not found: %s", UITLSCert)
+			return fmt.Errorf("[ui] TLS certificate not found or readable: %s", UITLSCert)
 		}

 		if !isFile(UITLSKey) {
-			return fmt.Errorf("[ui] TLS key not found: %s", UITLSKey)
+			return fmt.Errorf("[ui] TLS key not found or readable: %s", UITLSKey)
 		}
 	}

@@ -234,25 +289,29 @@ func VerifyConfig() error {
 		SMTPTLSKey = filepath.Clean(SMTPTLSKey)

 		if !isFile(SMTPTLSCert) {
-			return fmt.Errorf("[smtp] TLS certificate not found: %s", SMTPTLSCert)
+			return fmt.Errorf("[smtp] TLS certificate not found or readable: %s", SMTPTLSCert)
 		}

 		if !isFile(SMTPTLSKey) {
-			return fmt.Errorf("[smtp] TLS key not found: %s", SMTPTLSKey)
+			return fmt.Errorf("[smtp] TLS key not found or readable: %s", SMTPTLSKey)
 		}
-	} else if SMTPTLSRequired {
+	} else if SMTPRequireTLS {
 		return errors.New("[smtp] TLS cannot be required without an SMTP TLS certificate and key")
+	} else if SMTPRequireSTARTTLS {
+		return errors.New("[smtp] STARTTLS cannot be required without an SMTP TLS certificate and key")
 	}
-
-	if SMTPTLSRequired && SMTPAuthAllowInsecure {
-		return errors.New("[smtp] TLS cannot be required while also allowing insecure authentication")
+	if SMTPRequireSTARTTLS && SMTPAuthAllowInsecure || SMTPRequireTLS && SMTPAuthAllowInsecure {
+		return errors.New("[smtp] TLS cannot be required with --smtp-auth-allow-insecure")
+	}
+	if SMTPRequireSTARTTLS && SMTPRequireTLS {
+		return errors.New("[smtp] TLS & STARTTLS cannot be required together")
 	}

 	if SMTPAuthFile != "" {
 		SMTPAuthFile = filepath.Clean(SMTPAuthFile)

 		if !isFile(SMTPAuthFile) {
-			return fmt.Errorf("[smtp] password file not found: %s", SMTPAuthFile)
+			return fmt.Errorf("[smtp] password file not found or readable: %s", SMTPAuthFile)
 		}

 		b, err := os.ReadFile(SMTPAuthFile)
@@ -263,6 +322,18 @@ func VerifyConfig() error {
 		if err := auth.SetSMTPAuth(string(b)); err != nil {
 			return err
 		}
+
+		if !SMTPAuthAllowInsecure {
+			// https://www.rfc-editor.org/rfc/rfc4954
+			// A server implementation MUST implement a configuration in which
+			// it does NOT permit any plaintext password mechanisms, unless either
+			// the STARTTLS [SMTP-TLS] command has been negotiated or some other
+			// mechanism that protects the session from password snooping has been
+			// provided.  Server sites SHOULD NOT use any configuration which
+			// permits a plaintext password mechanism without such a protection
+			// mechanism against password snooping.
+			SMTPRequireSTARTTLS = true
+		}
 	}

 	if auth.SMTPCredentials != nil && SMTPAuthAcceptAny {
@@ -270,7 +341,7 @@ func VerifyConfig() error {
 	}

 	if SMTPTLSCert == "" && (auth.SMTPCredentials != nil || SMTPAuthAcceptAny) && !SMTPAuthAllowInsecure {
-		return errors.New("[smtp] authentication requires TLS encryption, run with `--smtp-auth-allow-insecure` to allow insecure authentication")
+		return errors.New("[smtp] authentication requires STARTTLS or TLS encryption, run with `--smtp-auth-allow-insecure` to allow insecure authentication")
 	}

 	// POP3 server
@@ -279,11 +350,11 @@ func VerifyConfig() error {
 		POP3TLSKey = filepath.Clean(POP3TLSKey)

 		if !isFile(POP3TLSCert) {
-			return fmt.Errorf("[pop3] TLS certificate not found: %s", POP3TLSCert)
+			return fmt.Errorf("[pop3] TLS certificate not found or readable: %s", POP3TLSCert)
 		}

 		if !isFile(POP3TLSKey) {
-			return fmt.Errorf("[pop3] TLS key not found: %s", POP3TLSKey)
+			return fmt.Errorf("[pop3] TLS key not found or readable: %s", POP3TLSKey)
 		}
 	}
 	if POP3TLSCert != "" && POP3TLSKey == "" || POP3TLSCert == "" && POP3TLSKey != "" {
@@ -299,7 +370,7 @@ func VerifyConfig() error {
 		POP3AuthFile = filepath.Clean(POP3AuthFile)

 		if !isFile(POP3AuthFile) {
-			return fmt.Errorf("[pop3] password file not found: %s", POP3AuthFile)
+			return fmt.Errorf("[pop3] password file not found or readable: %s", POP3AuthFile)
 		}

 		b, err := os.ReadFile(POP3AuthFile)
@@ -325,6 +396,11 @@ func VerifyConfig() error {
 		return fmt.Errorf("webhook URL does not appear to be a valid URL (%s)", WebhookURL)
 	}

+	// DEPRECATED 2024/04/13
+	if DisableHTMLCheck {
+		logger.Log().Warn("--disable-html-check has been deprecated and is no longer used")
+	}
+
 	if EnableSpamAssassin != "" {
 		spamassassin.SetService(EnableSpamAssassin)
 		logger.Log().Infof("[spamassassin] enabled via %s", EnableSpamAssassin)
@@ -334,27 +410,16 @@ func VerifyConfig() error {
 		}
 	}

-	SMTPTags = []AutoTag{}
-
-	if SMTPCLITags != "" {
-		args := tools.ArgsParser(SMTPCLITags)
-
-		for _, a := range args {
-			t := strings.Split(a, "=")
-			if len(t) > 1 {
-				tag := tools.CleanTag(t[0])
-				if !ValidTagRegexp.MatchString(tag) || len(tag) == 0 {
-					return fmt.Errorf("[tag] invalid tag (%s) - can only contain spaces, letters, numbers, - & _", tag)
-				}
-				match := strings.TrimSpace(strings.ToLower(strings.Join(t[1:], "=")))
-				if len(match) == 0 {
-					return fmt.Errorf("[tag] invalid tag match (%s) - no search detected", tag)
-				}
-				SMTPTags = append(SMTPTags, AutoTag{Tag: tag, Match: match})
-			} else {
-				return fmt.Errorf("[tag] error parsing tags (%s)", a)
-			}
-		}
+	// load tag filters & options
+	TagFilters = []autoTag{}
+	if err := loadTagsFromArgs(CLITagsArg); err != nil {
+		return err
+	}
+	if err := loadTagsFromConfig(TagsConfig); err != nil {
+		return err
+	}
+	if err := parseTagsDisable(TagsDisable); err != nil {
+		return err
 	}

 	if SMTPAllowedRecipients != "" {
@@ -364,26 +429,85 @@ func VerifyConfig() error {
 		}

 		SMTPAllowedRecipientsRegexp = restrictRegexp
-		logger.Log().Infof("[smtp] only allowing recipients matching the following regexp: %s", SMTPAllowedRecipients)
+		logger.Log().Infof("[smtp] only allowing recipients matching regexp: %s", SMTPAllowedRecipients)
 	}

 	if err := parseRelayConfig(SMTPRelayConfigFile); err != nil {
 		return err
 	}

-	if !ReleaseEnabled && SMTPRelayAllIncoming {
-		return errors.New("[smtp] relay config must be set to relay all messages")
+	// separate relay config validation to account for environment variables
+	if err := validateRelayConfig(); err != nil {
+		return err
 	}

-	if SMTPRelayAllIncoming {
+	if !ReleaseEnabled && SMTPRelayAll || !ReleaseEnabled && SMTPRelayMatching != "" {
+		return errors.New("[relay] a relay configuration must be set to auto-relay any messages")
+	}
+
+	if SMTPRelayMatching != "" {
+		if SMTPRelayAll {
+			logger.Log().Warnf("[relay] ignoring smtp-relay-matching when smtp-relay-all is enabled")
+		} else {
+			re, err := regexp.Compile(SMTPRelayMatching)
+			if err != nil {
+				return fmt.Errorf("[relay] failed to compile smtp-relay-matching regexp: %s", err.Error())
+			}
+
+			SMTPRelayMatchingRegexp = re
+			logger.Log().Infof("[relay] auto-relaying new messages to recipients matching \"%s\" via %s:%d",
+				SMTPRelayMatching, SMTPRelayConfig.Host, SMTPRelayConfig.Port)
+		}
+	}
+
+	if SMTPRelayAll {
 		// this deserves a warning
-		logger.Log().Warnf("[smtp] enabling automatic relay of all new messages via %s:%d", SMTPRelayConfig.Host, SMTPRelayConfig.Port)
+		logger.Log().Warnf("[relay] auto-relaying all new messages via %s:%d", SMTPRelayConfig.Host, SMTPRelayConfig.Port)
+	}
+
+	if DemoMode {
+		MaxMessages = 1000
+		// this deserves a warning
+		logger.Log().Info("demo mode enabled")
 	}

 	return nil
 }

-// Parse & validate the SMTPRelayConfigFile (if set)
+// Parse the --max-age value (if set)
+func parseMaxAge() error {
+	if MaxAge == "" {
+		return nil
+	}
+
+	re := regexp.MustCompile(`^\d+(h|d)$`)
+	if !re.MatchString(MaxAge) {
+		return fmt.Errorf("max-age must be either <int>h for hours or <int>d for days: %s", MaxAge)
+	}
+
+	if strings.HasSuffix(MaxAge, "h") {
+		hours, err := strconv.Atoi(strings.TrimSuffix(MaxAge, "h"))
+		if err != nil {
+			return err
+		}
+
+		MaxAgeInHours = hours
+
+		return nil
+	}
+
+	days, err := strconv.Atoi(strings.TrimSuffix(MaxAge, "d"))
+	if err != nil {
+		return err
+	}
+
+	logger.Log().Debugf("[db] auto-deleting messages older than %s", MaxAge)
+
+	MaxAgeInHours = days * 24
+	return nil
+}
+
+// Parse the SMTPRelayConfigFile (if set)
 func parseRelayConfig(c string) error {
 	if c == "" {
 		return nil
@@ -392,7 +516,7 @@ func parseRelayConfig(c string) error {
 	c = filepath.Clean(c)

 	if !isFile(c) {
-		return fmt.Errorf("[smtp] relay configuration not found: %s", c)
+		return fmt.Errorf("[smtp] relay configuration not found or readable: %s", c)
 	}

 	data, err := os.ReadFile(c)
@@ -408,6 +532,23 @@ func parseRelayConfig(c string) error {
 		return errors.New("[smtp] relay host not set")
 	}

+	// DEPRECATED 2024/03/12
+	if SMTPRelayConfig.RecipientAllowlist != "" {
+		logger.Log().Warn("[smtp] relay 'recipient-allowlist' is deprecated, use 'allowed-recipients' instead")
+		if SMTPRelayConfig.AllowedRecipients == "" {
+			SMTPRelayConfig.AllowedRecipients = SMTPRelayConfig.RecipientAllowlist
+		}
+	}
+
+	return nil
+}
+
+// Validate the SMTPRelayConfig (if Host is set)
+func validateRelayConfig() error {
+	if SMTPRelayConfig.Host == "" {
+		return nil
+	}
+
 	if SMTPRelayConfig.Port == 0 {
 		SMTPRelayConfig.Port = 25 // default
 	}
@@ -418,17 +559,17 @@ func parseRelayConfig(c string) error {
 		SMTPRelayConfig.Auth = "none"
 	} else if SMTPRelayConfig.Auth == "plain" {
 		if SMTPRelayConfig.Username == "" || SMTPRelayConfig.Password == "" {
-			return fmt.Errorf("[smtp] relay host username or password not set for PLAIN authentication (%s)", c)
+			return fmt.Errorf("[smtp] relay host username or password not set for PLAIN authentication")
 		}
 	} else if SMTPRelayConfig.Auth == "login" {
 		SMTPRelayConfig.Auth = "login"
 		if SMTPRelayConfig.Username == "" || SMTPRelayConfig.Password == "" {
-			return fmt.Errorf("[smtp] relay host username or password not set for LOGIN authentication (%s)", c)
+			return fmt.Errorf("[smtp] relay host username or password not set for LOGIN authentication")
 		}
 	} else if strings.HasPrefix(SMTPRelayConfig.Auth, "cram") {
 		SMTPRelayConfig.Auth = "cram-md5"
 		if SMTPRelayConfig.Username == "" || SMTPRelayConfig.Secret == "" {
-			return fmt.Errorf("[smtp] relay host username or secret not set for CRAM-MD5 authentication (%s)", c)
+			return fmt.Errorf("[smtp] relay host username or secret not set for CRAM-MD5 authentication")
 		}
 	} else {
 		return fmt.Errorf("[smtp] relay authentication method not supported: %s", SMTPRelayConfig.Auth)
@@ -438,35 +579,40 @@ func parseRelayConfig(c string) error {

 	logger.Log().Infof("[smtp] enabling message relaying via %s:%d", SMTPRelayConfig.Host, SMTPRelayConfig.Port)

-	allowlistRegexp, err := regexp.Compile(SMTPRelayConfig.RecipientAllowlist)
-
-	if SMTPRelayConfig.RecipientAllowlist != "" {
+	if SMTPRelayConfig.AllowedRecipients != "" {
+		re, err := regexp.Compile(SMTPRelayConfig.AllowedRecipients)
 		if err != nil {
 			return fmt.Errorf("[smtp] failed to compile relay recipient allowlist regexp: %s", err.Error())
 		}

-		SMTPRelayConfig.RecipientAllowlistRegexp = allowlistRegexp
-		logger.Log().Infof("[smtp] relay recipient allowlist is active with the following regexp: %s", SMTPRelayConfig.RecipientAllowlist)
+		SMTPRelayConfig.AllowedRecipientsRegexp = re
+		logger.Log().Infof("[smtp] relay recipient allowlist is active with the following regexp: %s", SMTPRelayConfig.AllowedRecipients)
+	}

+	if SMTPRelayConfig.BlockedRecipients != "" {
+		re, err := regexp.Compile(SMTPRelayConfig.BlockedRecipients)
+		if err != nil {
+			return fmt.Errorf("[smtp] failed to compile relay recipient blocklist regexp: %s", err.Error())
+		}
+
+		SMTPRelayConfig.BlockedRecipientsRegexp = re
+		logger.Log().Infof("[smtp] relay recipient blocklist is active with the following regexp: %s", SMTPRelayConfig.BlockedRecipients)
 	}

 	return nil
 }

-// IsFile returns if a path is a file
+// IsFile returns whether a file exists and is readable
 func isFile(path string) bool {
-	info, err := os.Stat(path)
-	if os.IsNotExist(err) || !info.Mode().IsRegular() {
-		return false
-	}
-
-	return true
+	f, err := os.Open(filepath.Clean(path))
+	defer f.Close()
+	return err == nil
 }

 // IsDir returns whether a path is a directory
 func isDir(path string) bool {
 	info, err := os.Stat(path)
-	if os.IsNotExist(err) || !info.IsDir() {
+	if err != nil || os.IsNotExist(err) || !info.IsDir() {
 		return false
 	}

@@ -481,3 +627,17 @@ func isValidURL(s string) bool {

 	return strings.HasPrefix(u.Scheme, "http")
 }
+
+// DBTenantID converts a tenant ID to a DB-friendly value if set
+func DBTenantID(s string) string {
+	s = tools.Normalize(s)
+	if s != "" {
+		re := regexp.MustCompile(`[^a-zA-Z0-9\_]`)
+		s = re.ReplaceAllString(s, "_")
+		if !strings.HasSuffix(s, "_") {
+			s = s + "_"
+		}
+	}
+
+	return s
+}
--- a/config/tags.go
+++ b/config/tags.go
@@ -0,0 +1,111 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/tools"
+	"gopkg.in/yaml.v3"
+)
+
+var (
+	// TagsDisablePlus disables message tagging using plus-addresses (user+tag@example.com) - set via verifyConfig()
+	TagsDisablePlus bool
+
+	// TagsDisableXTags disables message tagging via the X-Tags header - set via verifyConfig()
+	TagsDisableXTags bool
+)
+
+type yamlTags struct {
+	Filters []yamlTag `yaml:"filters"`
+}
+
+type yamlTag struct {
+	Match string `yaml:"match"`
+	Tags  string `yaml:"tags"`
+}
+
+// Load tags from a configuration from a file, if set
+func loadTagsFromConfig(c string) error {
+	if c == "" {
+		return nil // not set, ignore
+	}
+
+	c = filepath.Clean(c)
+
+	if !isFile(c) {
+		return fmt.Errorf("[tags] configuration file not found or unreadable: %s", c)
+	}
+
+	data, err := os.ReadFile(c)
+	if err != nil {
+		return fmt.Errorf("[tags] %s", err.Error())
+	}
+
+	conf := yamlTags{}
+
+	if err := yaml.Unmarshal(data, &conf); err != nil {
+		return err
+	}
+
+	if conf.Filters == nil {
+		return fmt.Errorf("[tags] missing tag: array in %s", c)
+	}
+
+	for _, t := range conf.Filters {
+		tags := strings.Split(t.Tags, ",")
+		TagFilters = append(TagFilters, autoTag{Match: t.Match, Tags: tags})
+	}
+
+	logger.Log().Debugf("[tags] loaded %s from config %s", tools.Plural(len(conf.Filters), "tag filter", "tag filters"), c)
+
+	return nil
+}
+
+func loadTagsFromArgs(c string) error {
+	if c == "" {
+		return nil // not set, ignore
+	}
+
+	args := tools.ArgsParser(c)
+
+	for _, a := range args {
+		t := strings.Split(a, "=")
+		if len(t) > 1 {
+			match := strings.TrimSpace(strings.ToLower(strings.Join(t[1:], "=")))
+			tags := strings.Split(t[0], ",")
+			TagFilters = append(TagFilters, autoTag{Match: match, Tags: tags})
+		} else {
+			return fmt.Errorf("[tag] error parsing tags (%s)", a)
+		}
+	}
+
+	logger.Log().Debugf("[tags] loaded %s from CLI args", tools.Plural(len(args), "tag filter", "tag filters"))
+
+	return nil
+}
+
+func parseTagsDisable(s string) error {
+	s = strings.TrimSpace(s)
+	if s == "" {
+		return nil
+	}
+
+	parts := strings.Split(strings.ToLower(s), ",")
+
+	for _, p := range parts {
+		switch strings.TrimSpace(p) {
+		case "x-tags", "xtags":
+			TagsDisableXTags = true
+		case "plus-addresses", "plus-addressing":
+			TagsDisablePlus = true
+		default:
+			return fmt.Errorf("[tags] invalid --tags-disable option: %s", p)
+		}
+	}
+
+	return nil
+}
--- a/esbuild.config.mjs
+++ b/esbuild.config.mjs
@@ -20,7 +20,13 @@ const ctx = await esbuild.context(
            '__VUE_PROD_HYDRATION_MISMATCH_DETAILS__': 'false',
        },
        outdir: "server/ui/dist/",
-        plugins: [pluginVue(), sassPlugin()],
+        plugins: [
+            pluginVue(),
+            sassPlugin({
+                silenceDeprecations: ['import'],
+                quietDeps: true,
+            })
+        ],
        loader: {
            ".svg": "file",
            ".woff": "file",
--- a/go.mod
+++ b/go.mod
@@ -1,39 +1,39 @@
 module github.com/axllent/mailpit

-go 1.20
+go 1.23
+
+toolchain go1.23.2

 require (
-	github.com/GuiaBolso/darwin v0.0.0-20191218124601-fd6d2aa3d244
-	github.com/PuerkitoBio/goquery v1.9.1
+	github.com/PuerkitoBio/goquery v1.10.0
+	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 	github.com/axllent/semver v0.0.1
-	github.com/disintegration/imaging v1.6.2
-	github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47
+	github.com/gomarkdown/markdown v0.0.0-20241105142532-d03b89096d81
 	github.com/gorilla/mux v1.8.1
-	github.com/gorilla/websocket v1.5.1
-	github.com/jhillyerd/enmime v1.2.0
-	github.com/klauspost/compress v1.17.7
+	github.com/gorilla/websocket v1.5.3
+	github.com/jhillyerd/enmime v1.3.0
+	github.com/klauspost/compress v1.17.11
+	github.com/kovidgoyal/imaging v1.6.3
 	github.com/leporo/sqlf v1.4.0
 	github.com/lithammer/shortuuid/v4 v4.0.0
-	github.com/mhale/smtpd v0.8.2
-	github.com/reiver/go-telnet v0.0.0-20180421082511-9ff0b2ab096e
+	github.com/mneis/go-telnet v0.0.0-20221017141824-6f643e477c62
+	github.com/rqlite/gorqlite v0.0.0-20241013203532-4385768ae85d
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.8.0
+	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	github.com/tg123/go-htpasswd v1.2.2
-	github.com/vanng822/go-premailer v1.20.2
-	golang.org/x/net v0.21.0
-	golang.org/x/text v0.14.0
-	golang.org/x/time v0.5.0
+	github.com/tg123/go-htpasswd v1.2.3
+	github.com/vanng822/go-premailer v1.22.0
+	golang.org/x/net v0.31.0
+	golang.org/x/text v0.20.0
+	golang.org/x/time v0.8.0
 	gopkg.in/yaml.v3 v3.0.1
-	modernc.org/sqlite v1.29.2
+	modernc.org/sqlite v1.34.1
 )

 require (
-	github.com/DATA-DOG/go-sqlmock v1.5.0 // indirect
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect
 	github.com/andybalholm/cascadia v1.3.2 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
-	github.com/cznic/ql v1.2.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -43,7 +43,7 @@ require (
 	github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@@ -53,15 +53,15 @@ require (
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/vanng822/css v1.0.1 // indirect
-	golang.org/x/crypto v0.20.0 // indirect
-	golang.org/x/image v0.15.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
-	golang.org/x/tools v0.18.0 // indirect
+	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
+	golang.org/x/image v0.22.0 // indirect
+	golang.org/x/sys v0.27.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
-	modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
-	modernc.org/libc v1.41.0 // indirect
+	modernc.org/gc/v3 v3.0.0-20241004144649-1aea3fae8852 // indirect
+	modernc.org/libc v1.61.2 // indirect
 	modernc.org/mathutil v1.6.0 // indirect
-	modernc.org/memory v1.7.2 // indirect
+	modernc.org/memory v1.8.0 // indirect
 	modernc.org/strutil v1.2.0 // indirect
 	modernc.org/token v1.1.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,78 +1,54 @@
-github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
-github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI=
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec=
-github.com/GuiaBolso/darwin v0.0.0-20191218124601-fd6d2aa3d244 h1:dqzm54OhCqY8RinR/cx+Ppb0y56Ds5I3wwWhx4XybDg=
-github.com/GuiaBolso/darwin v0.0.0-20191218124601-fd6d2aa3d244/go.mod h1:3sqgkckuISJ5rs1EpOp6vCvwOUKe/z9vPmyuIlq8Q/A=
-github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc=
-github.com/PuerkitoBio/goquery v1.9.1 h1:mTL6XjbJTZdpfL+Gwl5U2h1l9yEkJjhmlTeV9VPW7UI=
-github.com/PuerkitoBio/goquery v1.9.1/go.mod h1:cW1n6TmIMDoORQU5IU/P1T3tGFunOeXEpGP2WHRwkbY=
-github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=
+github.com/PuerkitoBio/goquery v1.9.2/go.mod h1:GHPCaP0ODyyxqcNoFGYlAprUFH81NuRPd0GX3Zu2Mvk=
+github.com/PuerkitoBio/goquery v1.10.0 h1:6fiXdLuUvYs2OJSvNRqlNPoBm6YABE226xrbavY5Wv4=
+github.com/PuerkitoBio/goquery v1.10.0/go.mod h1:TjZZl68Q3eGHNBA8CWaxAN7rOU1EbDz3CWuolcO5Yu4=
 github.com/andybalholm/cascadia v1.3.2 h1:3Xi6Dw5lHF15JtdcmAHD3i1+T8plmv7BQ/nsViSLyss=
 github.com/andybalholm/cascadia v1.3.2/go.mod h1:7gtRlve5FxPPgIgX36uWBX58OdBsSS6lUvCFb+h7KvU=
+github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de h1:FxWPpzIjnTlhPwqqXc4/vE0f7GvRjuAsbW+HOIe8KnA=
+github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de/go.mod h1:DCaWoUhZrYW9p1lxo/cm8EmUOOzAPSEZNGF2DK1dJgw=
 github.com/axllent/semver v0.0.1 h1:QqF+KSGxgj8QZzSXAvKFqjGWE5792ksOnQhludToK8E=
 github.com/axllent/semver v0.0.1/go.mod h1:2xSPzvG8n9mRfdtxSvWvfTfQGWfHsMsHO1iZnKATMSc=
 github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a h1:MISbI8sU/PSK/ztvmWKFcI7UGb5/HQT7B+i3a2myKgI=
 github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a/go.mod h1:2GxOXOlEPAMFPfp014mK1SWq8G8BN8o7/dfYqJrVGn8=
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cznic/b v0.0.0-20180115125044-35e9bbe41f07 h1:UHFGPvSxX4C4YBApSPvmUfL8tTvWLj2ryqvT9K4Jcuk=
-github.com/cznic/b v0.0.0-20180115125044-35e9bbe41f07/go.mod h1:URriBxXwVq5ijiJ12C7iIZqlA69nTlI+LgI6/pwftG8=
-github.com/cznic/fileutil v0.0.0-20180108211300-6a051e75936f h1:7uSNgsgcarNk4oiN/nNkO0J7KAjlsF5Yv5Gf/tFdHas=
-github.com/cznic/fileutil v0.0.0-20180108211300-6a051e75936f/go.mod h1:8S58EK26zhXSxzv7NQFpnliaOQsmDUxvoQO3rt154Vg=
-github.com/cznic/golex v0.0.0-20170803123110-4ab7c5e190e4 h1:CVAqftqbj+exlab+8KJQrE+kNIVlQfJt58j4GxCMF1s=
-github.com/cznic/golex v0.0.0-20170803123110-4ab7c5e190e4/go.mod h1:+bmmJDNmKlhWNG+gwWCkaBoTy39Fs+bzRxVBzoTQbIc=
-github.com/cznic/internal v0.0.0-20180608152220-f44710a21d00 h1:FHpbUtp2K8X53/b4aFNj4my5n+i3x+CQCZWNuHWH/+E=
-github.com/cznic/internal v0.0.0-20180608152220-f44710a21d00/go.mod h1:olo7eAdKwJdXxb55TKGLiJ6xt1H0/tiiRCWKVLmtjY4=
-github.com/cznic/lldb v1.1.0 h1:AIA+ham6TSJ+XkMe8imQ/g8KPzMUVWAwqUQQdtuMsHs=
-github.com/cznic/lldb v1.1.0/go.mod h1:FIZVUmYUVhPwRiPzL8nD/mpFcJ/G7SSXjjXYG4uRI3A=
-github.com/cznic/mathutil v0.0.0-20180504122225-ca4c9f2c1369 h1:XNT/Zf5l++1Pyg08/HV04ppB0gKxAqtZQBRYiYrUuYk=
-github.com/cznic/mathutil v0.0.0-20180504122225-ca4c9f2c1369/go.mod h1:e6NPNENfs9mPDVNRekM7lKScauxd5kXTr1Mfyig6TDM=
-github.com/cznic/ql v1.2.0 h1:lcKp95ZtdF0XkWhGnVIXGF8dVD2X+ClS08tglKtf+ak=
-github.com/cznic/ql v1.2.0/go.mod h1:FbpzhyZrqr0PVlK6ury+PoW3T0ODUV22OeWIxcaOrSE=
-github.com/cznic/sortutil v0.0.0-20150617083342-4c7342852e65 h1:hxuZop6tSoOi0sxFzoGGYdRqNrPubyaIf9KoBG9tPiE=
-github.com/cznic/sortutil v0.0.0-20150617083342-4c7342852e65/go.mod h1:q2w6Bg5jeox1B+QkJ6Wp/+Vn0G/bo3f1uY7Fn3vivIQ=
-github.com/cznic/strutil v0.0.0-20171016134553-529a34b1c186 h1:0rkFMAbn5KBKNpJyHQ6Prb95vIKanmAe62KxsrN+sqA=
-github.com/cznic/strutil v0.0.0-20171016134553-529a34b1c186/go.mod h1:AHHPPPXTw0h6pVabbcbyGRK1DckRn7r/STdZEeIDzZc=
-github.com/cznic/zappy v0.0.0-20160723133515-2533cb5b45cc h1:YKKpTb2BrXN2GYyGaygIdis1vXbE7SSAG9axGWIMClg=
-github.com/cznic/zappy v0.0.0-20160723133515-2533cb5b45cc/go.mod h1:Y1SNZ4dRUOKXshKUbwUapqNncRrho4mkjQebgEHZLj8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
-github.com/disintegration/imaging v1.6.2/go.mod h1:44/5580QXChDfwIclfc/PCwrr44amcmDAg8hxG0Ewe4=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/edsrzf/mmap-go v0.0.0-20170320065105-0bce6a688712 h1:aaQcKT9WumO6JEJcRyTqFVq4XUZiUcKR2/GI31TOcz8=
-github.com/edsrzf/mmap-go v0.0.0-20170320065105-0bce6a688712/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
-github.com/eknkc/amber v0.0.0-20171010120322-cdade1c07385/go.mod h1:0vRUJqYpeSZifjYj7uP3BG/gKcuzL9xWVV/Y+cK33KM=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
+github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f h1:3BSP1Tbs2djlpprl7wCLuiqMaUh5SJkkzI2gDs+FgLs=
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
-github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47 h1:k4Tw0nt6lwro3Uin8eqoET7MDA4JnT8YgbCjc/g5E3k=
-github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA=
-github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
+github.com/gomarkdown/markdown v0.0.0-20241105142532-d03b89096d81 h1:5lyLWsV+qCkoYqsKUDuycESh9DEIPVKN6iCFeL7ag50=
+github.com/gomarkdown/markdown v0.0.0-20241105142532-d03b89096d81/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd h1:gbpYu9NMq8jhDVbvlGkMFWCjLFlqqEZjEmObmhUy6Vo=
+github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
-github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056 h1:iCHtR9CQyktQ5+f3dMVZfwD2KWJUgm7M0gdL9NGr8KA=
 github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056/go.mod h1:CVKlgaMiht+LXvHG173ujK6JUhZXKb2u/BQtjPDIvyk=
-github.com/jhillyerd/enmime v1.2.0 h1:dIu1IPEymQgoT2dzuB//ttA/xcV40NMPpQtmd4wslHk=
-github.com/jhillyerd/enmime v1.2.0/go.mod h1:FRFuUPCLh8PByQv+8xRcLO9QHqaqTqreYhopv5eyk4I=
-github.com/klauspost/compress v1.17.7 h1:ehO88t2UGzQK66LMdE8tibEd1ErmzZjNEqWkjLAKQQg=
-github.com/klauspost/compress v1.17.7/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/jhillyerd/enmime v1.3.0 h1:LV5kzfLidiOr8qRGIpYYmUZCnhrPbcFAnAFUnWn99rw=
+github.com/jhillyerd/enmime v1.3.0/go.mod h1:6c6jg5HdRRV2FtvVL69LjiX1M8oE0xDX9VEhV3oy4gs=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/kovidgoyal/imaging v1.6.3 h1:iNPpv7ygiaB/NOztc6APMT7yr9UwBS+rOZwIbAdtyY8=
+github.com/kovidgoyal/imaging v1.6.3/go.mod h1:sHvcLOOVhJuto2IoNdPLEqnAUoL5ZfHEF0PpNH+882g=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
@@ -87,12 +63,13 @@ github.com/lithammer/shortuuid/v4 v4.0.0/go.mod h1:Zs8puNcrvf2rV9rTH51ZLLcj7ZXqQ
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.10/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y=
 github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
-github.com/mhale/smtpd v0.8.2 h1:rHKOMHeFoDvcq8Na9ErCbNcjlWTSyGtznOmJpWsOzuc=
-github.com/mhale/smtpd v0.8.2/go.mod h1:MQl+y2hwIEQCXtNhe5+55n0GZOjSmeqORDIXbqUL3x4=
+github.com/mneis/go-telnet v0.0.0-20221017141824-6f643e477c62 h1:XMG5DklHoioVYysfYglOB7vRBg/LOUJZy2mq2QyedLg=
+github.com/mneis/go-telnet v0.0.0-20221017141824-6f643e477c62/go.mod h1:niAM5cni0I/47IFA995xQfeK58Mkbb7FHJjacY4OGQg=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
@@ -103,20 +80,22 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/reiver/go-oi v1.0.0 h1:nvECWD7LF+vOs8leNGV/ww+F2iZKf3EYjYZ527turzM=
 github.com/reiver/go-oi v1.0.0/go.mod h1:RrDBct90BAhoDTxB1fenZwfykqeGvhI6LsNfStJoEkI=
-github.com/reiver/go-telnet v0.0.0-20180421082511-9ff0b2ab096e h1:quuzZLi72kkJjl+f5AQ93FMcadG19WkS7MO6TXFOSas=
-github.com/reiver/go-telnet v0.0.0-20180421082511-9ff0b2ab096e/go.mod h1:+5vNVvEWwEIx86DB9Ke/+a5wBI464eDRo3eF0LcfpWg=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rqlite/gorqlite v0.0.0-20241013203532-4385768ae85d h1:c88ius/WcN19inn14R+X2EQCFjjAu92txgdxNNnGxDI=
+github.com/rqlite/gorqlite v0.0.0-20241013203532-4385768ae85d/go.mod h1:xF/KoXmrRyahPfo5L7Szb5cAAUl53dMWBh9cMruGEZg=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/scylladb/termtables v0.0.0-20191203121021-c4c0b6d42ff4/go.mod h1:C1a7PQSMz9NShzorzCiG2fk9+xuCgLkPeCvMHYR2OWg=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf h1:pvbZ0lM0XWPBqUKqFU8cmavspvIl9nulOYwdy6IFRRo=
@@ -124,80 +103,118 @@ github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf/go.mod h1:RJID2RhlZKId02n
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/tg123/go-htpasswd v1.2.2 h1:tmNccDsQ+wYsoRfiONzIhDm5OkVHQzN3w4FOBAlN6BY=
-github.com/tg123/go-htpasswd v1.2.2/go.mod h1:FcIrK0J+6zptgVwK1JDlqyajW/1B4PtuJ/FLWl7nx8A=
-github.com/unrolled/render v1.0.3/go.mod h1:gN9T0NhL4Bfbwu8ann7Ry/TGHYfosul+J0obPf6NBdM=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tg123/go-htpasswd v1.2.3 h1:ALR6ZBIc2m9u70m+eAWUFt5p43ISbIvAvRFYzZPTOY8=
+github.com/tg123/go-htpasswd v1.2.3/go.mod h1:FcIrK0J+6zptgVwK1JDlqyajW/1B4PtuJ/FLWl7nx8A=
+github.com/unrolled/render v1.7.0/go.mod h1:LwQSeDhjml8NLjIO9GJO1/1qpFJxtfVIpzxXKjfVkoI=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/vanng822/css v1.0.1 h1:10yiXc4e8NI8ldU6mSrWmSWMuyWgPr9DZ63RSlsgDw8=
 github.com/vanng822/css v1.0.1/go.mod h1:tcnB1voG49QhCrwq1W0w5hhGasvOg+VQp9i9H1rCM1w=
-github.com/vanng822/go-premailer v1.20.2 h1:vKs4VdtfXDqL7IXC2pkiBObc1bXM9bYH3Wa+wYw2DnI=
-github.com/vanng822/go-premailer v1.20.2/go.mod h1:RAxbRFp6M/B171gsKu8dsyq+Y5NGsUUvYfg+WQWusbE=
+github.com/vanng822/go-premailer v1.22.0 h1:5gG92q3nG3BwcfUUDzrSDbYDbpwYC/lri4nba+vhdJQ=
+github.com/vanng822/go-premailer v1.22.0/go.mod h1:K7DxRBW6AxdZUTqmW9jU6041CtfAWiP9uSXm2WmMB1k=
 github.com/vanng822/r2router v0.0.0-20150523112421-1023140a4f30/go.mod h1:1BVq8p2jVr55Ost2PkZWDrG86PiJ/0lxqcXoAcGxvWU=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg=
-golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
-golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.15.0 h1:kOELfmgrmJlw4Cdb7g/QGuB3CvDrXbqEIww/pNtNBm8=
-golang.org/x/image v0.15.0/go.mod h1:HUYqC05R2ZcZ3ejNQsIHQDQiwWM4JBqmm6MKANTp4LE=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f h1:XdNn9LlyWAhLVp6P/i8QYBW+hlyhrhei9uErw2B5GJo=
+golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:D5SMRVC3C2/4+F/DB1wZsLRnSNimn2Sp/NPsCrsv8ak=
+golang.org/x/image v0.22.0 h1:UtK5yLUzilVrkjMAZAZ34DXGpASN8i8pj8g+O+yd10g=
+golang.org/x/image v0.22.0/go.mod h1:9hPFhljd4zZ1GNSIZJ49sqbp45GKK9t6w+iXvGqZUz4=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8=
-golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200904194848-62affa334b73/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
-golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
+golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ=
-golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o=
+golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -207,16 +224,28 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 h1:5D53IMaUuA5InSeMu9eJtlQXS2NxAhyWQvkKEgXZhHI=
-modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6/go.mod h1:Qz0X07sNOR1jWYCrJMEnbW/X55x206Q7Vt4mz6/wHp4=
-modernc.org/libc v1.41.0 h1:g9YAc6BkKlgORsUWj+JwqoB1wU3o4DE3bM3yvA3k+Gk=
-modernc.org/libc v1.41.0/go.mod h1:w0eszPsiXoOnoMJgrXjglgLuDy/bt5RR4y3QzUUeodY=
+modernc.org/cc/v4 v4.23.1 h1:WqJoPL3x4cUufQVHkXpXX7ThFJ1C4ik80i2eXEXbhD8=
+modernc.org/cc/v4 v4.23.1/go.mod h1:HM7VJTZbUCR3rV8EYBi9wxnJ0ZBRiGE5OeGXNA0IsLQ=
+modernc.org/ccgo/v4 v4.22.3 h1:C7AW89Zw3kygesTQWBzApwIn9ldM+cb/plrTIKq41Os=
+modernc.org/ccgo/v4 v4.22.3/go.mod h1:Dz7n0/UkBbH3pnYaxgi1mFSfF4REqUOZNziphZASx6k=
+modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE=
+modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ=
+modernc.org/gc/v2 v2.5.0 h1:bJ9ChznK1L1mUtAQtxi0wi5AtAs5jQuw4PrPHO5pb6M=
+modernc.org/gc/v2 v2.5.0/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU=
+modernc.org/gc/v3 v3.0.0-20241004144649-1aea3fae8852 h1:IYXPPTTjjoSHvUClZIYexDiO7g+4x+XveKT4gCIAwiY=
+modernc.org/gc/v3 v3.0.0-20241004144649-1aea3fae8852/go.mod h1:Qz0X07sNOR1jWYCrJMEnbW/X55x206Q7Vt4mz6/wHp4=
+modernc.org/libc v1.61.2 h1:dkO4DlowfClcJYsvf/RiK6fUwvzCQTmB34bJLt0CAGQ=
+modernc.org/libc v1.61.2/go.mod h1:4QGjNyX3h+rn7V5oHpJY2yH0QN6frt1X+5BkXzwLPCo=
 modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
 modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
-modernc.org/memory v1.7.2 h1:Klh90S215mmH8c9gO98QxQFsY+W451E8AnzjoE2ee1E=
-modernc.org/memory v1.7.2/go.mod h1:NO4NVCQy0N7ln+T9ngWqOQfi7ley4vpwvARR+Hjw95E=
-modernc.org/sqlite v1.29.2 h1:xgBSyA3gemwgP31PWFfFjtBorQNYpeypGdoSDjXhrgI=
-modernc.org/sqlite v1.29.2/go.mod h1:hG41jCYxOAOoO6BRK66AdRlmOcDzXf7qnwlwjUIOqa0=
+modernc.org/memory v1.8.0 h1:IqGTL6eFMaDZZhEWwcREgeMXYwmW83LYW8cROZYkg+E=
+modernc.org/memory v1.8.0/go.mod h1:XPZ936zp5OMKGWPqbD3JShgd/ZoQ7899TUuQqxY+peU=
+modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
+modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
+modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc=
+modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss=
+modernc.org/sqlite v1.34.1 h1:u3Yi6M0N8t9yKRDwhXcyp1eS5/ErhPTBggxWFuR6Hfk=
+modernc.org/sqlite v1.34.1/go.mod h1:pXV2xHxhzXZsgT/RtTFAPY6JJDEvOTcTdwADQCCWD4k=
 modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
 modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
--- a/internal/html2text/html2text.go
+++ b/internal/html2text/html2text.go
@@ -78,5 +78,6 @@ func clean(text string) string {
 	}, text)

 	text = re.ReplaceAllString(text, " ")
+
 	return strings.TrimSpace(text)
 }
--- a/internal/htmlcheck/caniemail-data.json
+++ b/internal/htmlcheck/caniemail-data.json
--- a/internal/htmlcheck/main.go
+++ b/internal/htmlcheck/main.go
@@ -7,6 +7,7 @@ import (
 	"strings"

 	"github.com/PuerkitoBio/goquery"
+	"github.com/axllent/mailpit/internal/tools"
 	"github.com/gomarkdown/markdown"
 	"github.com/gomarkdown/markdown/html"
 	"github.com/gomarkdown/markdown/parser"
@@ -136,12 +137,12 @@ func (c CanIEmail) getTest(k string) (Warning, error) {
 	var y, n, p float32

 	for family, stats := range found.Stats {
-		if len(LimitFamilies) != 0 && !inArray(family, LimitFamilies) {
+		if len(LimitFamilies) != 0 && !tools.InArray(family, LimitFamilies) {
 			continue
 		}

 		for platform, clients := range stats.(map[string]interface{}) {
-			if len(LimitPlatforms) != 0 && !inArray(platform, LimitPlatforms) {
+			if len(LimitPlatforms) != 0 && !tools.InArray(platform, LimitPlatforms) {
 				continue
 			}
 			for version, support := range clients.(map[string]interface{}) {
@@ -182,18 +183,6 @@ func (c CanIEmail) getTest(k string) (Warning, error) {
 	return warning, nil
 }

-func inArray(n string, h []string) bool {
-	n = strings.ToLower(n)
-
-	for _, v := range h {
-		if strings.ToLower(v) == n {
-			return true
-		}
-	}
-
-	return false
-}
-
 // Convert markdown to HTML, stripping <p> & </p>
 func mdToHTML(str string) string {
 	md := []byte(str)
--- a/internal/htmlcheck/platforms.go
+++ b/internal/htmlcheck/platforms.go
@@ -1,6 +1,10 @@
 package htmlcheck

-import "sort"
+import (
+	"sort"
+
+	"github.com/axllent/mailpit/internal/tools"
+)

 // Platforms returns all platforms with their respective email clients
 func Platforms() (map[string][]string, error) {
@@ -19,7 +23,7 @@ func Platforms() (map[string][]string, error) {
 				if !found {
 					data[platform] = []string{}
 				}
-				if !inArray(niceFamily, c) {
+				if !tools.InArray(niceFamily, c) {
 					c = append(c, niceFamily)
 					data[platform] = c
 				}
--- a/internal/linkcheck/linkcheck_test.go
+++ b/internal/linkcheck/linkcheck_test.go
@@ -0,0 +1,71 @@
+package linkcheck
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/axllent/mailpit/internal/storage"
+)
+
+var (
+	testHTML = `
+	<html>
+	<head>
+		<link rel=stylesheet href="http://remote-host/style.css"></link>
+		<script async src="https://www.googletagmanager.com/gtag/js?id=ignored"></script>
+	</head>
+	<body>
+		<div>
+			<p><a href="http://example.com">HTTP link</a></p>
+			<p><a href="https://example.com">HTTPS link</a></p>
+			<p><a href="HTTPS://EXAMPLE.COM">HTTPS link</a></p>
+			<p><a href="http://localhost">Localhost link</a> (ignored)</p>
+			<p><a href="https://localhost">Localhost link</a> (ignored)</p>
+			<p><a href='https://127.0.0.1'>Single quotes link</a> (ignored)</p>
+			<p><img src=https://example.com/image.jpg></p>
+			<p href="http://invalid-link.com">This should be ignored</p>
+			<p><a href="http://link with spaces">Link with spaces</a></p>
+			<p><a href="http://example.com/?blaah=yes&amp;test=true">URL-encoded characters</a></p>
+		</div>
+	</body>
+	</html>`
+
+	expectedHTMLLinks = []string{
+		"http://example.com", "https://example.com", "HTTPS://EXAMPLE.COM", "http://localhost", "https://localhost", "https://127.0.0.1", "http://link with spaces", "http://example.com/?blaah=yes&test=true",
+		"http://remote-host/style.css",  // css
+		"https://example.com/image.jpg", // images
+	}
+
+	testTextLinks = `This is a line with http://example.com https://example.com
+		HTTPS://EXAMPLE.COM
+		[http://localhost]
+		www.google.com < ignored
+		|||http://example.com/?some=query-string|||
+	`
+
+	expectedTextLinks = []string{
+		"http://example.com", "https://example.com", "HTTPS://EXAMPLE.COM", "http://localhost", "http://example.com/?some=query-string",
+	}
+)
+
+func TestLinkDetection(t *testing.T) {
+
+	t.Log("Testing HTML link detection")
+
+	m := storage.Message{}
+
+	m.Text = testTextLinks
+	m.HTML = testHTML
+
+	textLinks := extractTextLinks(&m)
+
+	if !reflect.DeepEqual(textLinks, expectedTextLinks) {
+		t.Fatalf("Failed to detect text links correctly")
+	}
+
+	htmlLinks := extractHTMLLinks(&m)
+
+	if !reflect.DeepEqual(htmlLinks, expectedHTMLLinks) {
+		t.Fatalf("Failed to detect HTML links correctly")
+	}
+}
--- a/internal/linkcheck/main.go
+++ b/internal/linkcheck/main.go
@@ -10,7 +10,7 @@ import (
 	"github.com/axllent/mailpit/internal/tools"
 )

-var linkRe = regexp.MustCompile(`(?m)\b(http|ftp|https):\/\/([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:'!\/~+#-]*[\w@?^=%&\/~+#-])`)
+var linkRe = regexp.MustCompile(`(?im)\b(http|https):\/\/([\-\w@:%_\+'!.~#?,&\/\/=;]+)`)

 // RunTests will run all tests on an HTML string
 func RunTests(msg *storage.Message, followRedirects bool) (Response, error) {
@@ -32,9 +32,7 @@ func RunTests(msg *storage.Message, followRedirects bool) (Response, error) {
 func extractTextLinks(msg *storage.Message) []string {
 	links := []string{}

-	for _, match := range linkRe.FindAllString(msg.Text, -1) {
-		links = append(links, match)
-	}
+	links = append(links, linkRe.FindAllString(msg.Text, -1)...)

 	return links
 }
--- a/internal/pop3client/client.go
+++ b/internal/pop3client/client.go
@@ -0,0 +1,453 @@
+// Package pop3client is borrowed directly from https://github.com/knadh/go-pop3 to reduce dependencies.
+// This is used solely for testing the POP3 server
+package pop3client
+
+import (
+	"bufio"
+	"bytes"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"net/mail"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// Client implements a Client e-mail client.
+type Client struct {
+	opt    Opt
+	dialer Dialer
+}
+
+// Conn is a stateful connection with the POP3 server/
+type Conn struct {
+	conn net.Conn
+	r    *bufio.Reader
+	w    *bufio.Writer
+}
+
+// Opt represents the client configuration.
+type Opt struct {
+	// Host name
+	Host string `json:"host"`
+	// Port number
+	Port int `json:"port"`
+	// DialTimeout default is 3 seconds.
+	DialTimeout time.Duration `json:"dial_timeout"`
+	// Dialer
+	Dialer Dialer `json:"-"`
+	// TLSEnabled sets whether SLS is enabled
+	TLSEnabled bool `json:"tls_enabled"`
+	// TLSSkipVerify skips TLS verification (ie: self-signed)
+	TLSSkipVerify bool `json:"tls_skip_verify"`
+}
+
+// Dialer interface
+type Dialer interface {
+	Dial(network, address string) (net.Conn, error)
+}
+
+// MessageID contains the ID and size of an individual message.
+type MessageID struct {
+	// ID is the numerical index (non-unique) of the message.
+	ID int
+	// Size in bytes
+	Size int
+	// UID is only present if the response is to the UIDL command.
+	UID string
+}
+
+var (
+	lineBreak   = []byte("\r\n")
+	respOK      = []byte("+OK")   // `+OK` without additional info
+	respOKInfo  = []byte("+OK ")  // `+OK <info>`
+	respErr     = []byte("-ERR")  // `-ERR` without additional info
+	respErrInfo = []byte("-ERR ") // `-ERR <info>`
+)
+
+// New returns a new client object using an existing connection.
+func New(opt Opt) *Client {
+	if opt.DialTimeout < time.Millisecond {
+		opt.DialTimeout = time.Second * 3
+	}
+
+	c := &Client{
+		opt:    opt,
+		dialer: opt.Dialer,
+	}
+
+	if c.dialer == nil {
+		c.dialer = &net.Dialer{Timeout: opt.DialTimeout}
+	}
+
+	return c
+}
+
+// NewConn creates and returns live POP3 server connection.
+func (c *Client) NewConn() (*Conn, error) {
+	var (
+		addr = fmt.Sprintf("%s:%d", c.opt.Host, c.opt.Port)
+	)
+
+	conn, err := c.dialer.Dial("tcp", addr)
+	if err != nil {
+		return nil, err
+	}
+
+	// No TLS.
+	if c.opt.TLSEnabled {
+		// Skip TLS host verification.
+		tlsCfg := tls.Config{} // #nosec
+		if c.opt.TLSSkipVerify {
+			tlsCfg.InsecureSkipVerify = c.opt.TLSSkipVerify // #nosec
+		} else {
+			tlsCfg.ServerName = c.opt.Host
+		}
+
+		conn = tls.Client(conn, &tlsCfg)
+	}
+
+	pCon := &Conn{
+		conn: conn,
+		r:    bufio.NewReader(conn),
+		w:    bufio.NewWriter(conn),
+	}
+
+	// Verify the connection by reading the welcome +OK greeting.
+	if _, err := pCon.ReadOne(); err != nil {
+		return nil, err
+	}
+
+	return pCon, nil
+}
+
+// Send sends a POP3 command to the server. The given comand is suffixed with "\r\n".
+func (c *Conn) Send(b string) error {
+	if _, err := c.w.WriteString(b + "\r\n"); err != nil {
+		return err
+	}
+
+	return c.w.Flush()
+}
+
+// Cmd sends a command to the server. POP3 responses are either single line or multi-line.
+// The first line always with -ERR in case of an error or +OK in case of a successful operation.
+// OK+ is always followed by a response on the same line which is either the actual response data
+// in case of single line responses, or a help message followed by multiple lines of actual response
+// data in case of multiline responses.
+// See https://www.shellhacks.com/retrieve-email-pop3-server-command-line/ for examples.
+func (c *Conn) Cmd(cmd string, isMulti bool, args ...interface{}) (*bytes.Buffer, error) {
+	var cmdLine string
+
+	// Repeat a %v to format each arg.
+	if len(args) > 0 {
+		format := " " + strings.TrimRight(strings.Repeat("%v ", len(args)), " ")
+
+		// CMD arg1 argn ...\r\n
+		cmdLine = fmt.Sprintf(cmd+format, args...)
+	} else {
+		cmdLine = cmd
+	}
+
+	if err := c.Send(cmdLine); err != nil {
+		return nil, err
+	}
+
+	// Read the first line of response to get the +OK/-ERR status.
+	b, err := c.ReadOne()
+	if err != nil {
+		return nil, err
+	}
+
+	// Single line response.
+	if !isMulti {
+		return bytes.NewBuffer(b), err
+	}
+
+	buf, err := c.ReadAll()
+	return buf, err
+}
+
+// ReadOne reads a single line response from the conn.
+func (c *Conn) ReadOne() ([]byte, error) {
+	b, _, err := c.r.ReadLine()
+	if err != nil {
+		return nil, err
+	}
+
+	r, err := parseResp(b)
+	return r, err
+}
+
+// ReadAll reads all lines from the connection until the POP3 multiline terminator "." is encountered
+// and returns a bytes.Buffer of all the read lines.
+func (c *Conn) ReadAll() (*bytes.Buffer, error) {
+	buf := &bytes.Buffer{}
+
+	for {
+		b, _, err := c.r.ReadLine()
+		if err != nil {
+			return nil, err
+		}
+
+		// "." indicates the end of a multi-line response.
+		if bytes.Equal(b, []byte(".")) {
+			break
+		}
+
+		if _, err := buf.Write(b); err != nil {
+			return nil, err
+		}
+		if _, err := buf.Write(lineBreak); err != nil {
+			return nil, err
+		}
+	}
+
+	return buf, nil
+}
+
+// Auth authenticates the given credentials with the server.
+func (c *Conn) Auth(user, password string) error {
+	if err := c.User(user); err != nil {
+		return err
+	}
+
+	if err := c.Pass(password); err != nil {
+		return err
+	}
+
+	// Issue a NOOP to force the server to respond to the auth.
+	// Courtesy: github.com/TheCreeper/go-pop3
+	return c.Noop()
+}
+
+// User sends the username to the server.
+func (c *Conn) User(s string) error {
+	_, err := c.Cmd("USER", false, s)
+
+	return err
+}
+
+// Pass sends the password to the server.
+func (c *Conn) Pass(s string) error {
+	_, err := c.Cmd("PASS", false, s)
+
+	return err
+}
+
+// Stat returns the number of messages and their total size in bytes in the inbox.
+func (c *Conn) Stat() (int, int, error) {
+	b, err := c.Cmd("STAT", false)
+	if err != nil {
+		return 0, 0, err
+	}
+
+	// count size
+	f := bytes.Fields(b.Bytes())
+
+	// Total number of messages.
+	count, err := strconv.Atoi(string(f[0]))
+	if err != nil {
+		return 0, 0, err
+	}
+	if count == 0 {
+		return 0, 0, nil
+	}
+
+	// Total size of all messages in bytes.
+	size, err := strconv.Atoi(string(f[1]))
+	if err != nil {
+		return 0, 0, err
+	}
+
+	return count, size, nil
+}
+
+// List returns a list of (message ID, message Size) pairs.
+// If the optional msgID > 0, then only that particular message is listed.
+// The message IDs are sequential, 1 to N.
+func (c *Conn) List(msgID int) ([]MessageID, error) {
+	var (
+		buf *bytes.Buffer
+		err error
+	)
+
+	if msgID <= 0 {
+		// Multiline response listing all messages.
+		buf, err = c.Cmd("LIST", true)
+	} else {
+		// Single line response listing one message.
+		buf, err = c.Cmd("LIST", false, msgID)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	var (
+		out   []MessageID
+		lines = bytes.Split(buf.Bytes(), lineBreak)
+	)
+
+	for _, l := range lines {
+		// id size
+		f := bytes.Fields(l)
+		if len(f) == 0 {
+			break
+		}
+
+		id, err := strconv.Atoi(string(f[0]))
+		if err != nil {
+			return nil, err
+		}
+
+		size, err := strconv.Atoi(string(f[1]))
+		if err != nil {
+			return nil, err
+		}
+
+		out = append(out, MessageID{ID: id, Size: size})
+	}
+
+	return out, nil
+}
+
+// Uidl returns a list of (message ID, message UID) pairs. If the optional msgID
+// is > 0, then only that particular message is listed. It works like Top() but only works on
+// servers that support the UIDL command. Messages size field is not available in the UIDL response.
+func (c *Conn) Uidl(msgID int) ([]MessageID, error) {
+	var (
+		buf *bytes.Buffer
+		err error
+	)
+
+	if msgID <= 0 {
+		// Multiline response listing all messages.
+		buf, err = c.Cmd("UIDL", true)
+	} else {
+		// Single line response listing one message.
+		buf, err = c.Cmd("UIDL", false, msgID)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	var (
+		out   []MessageID
+		lines = bytes.Split(buf.Bytes(), lineBreak)
+	)
+
+	for _, l := range lines {
+		// id size
+		f := bytes.Fields(l)
+		if len(f) == 0 {
+			break
+		}
+
+		id, err := strconv.Atoi(string(f[0]))
+		if err != nil {
+			return nil, err
+		}
+
+		out = append(out, MessageID{ID: id, UID: string(f[1])})
+	}
+
+	return out, nil
+}
+
+// Retr downloads a message by the given msgID, parses it and returns it as a *mail.Message.
+func (c *Conn) Retr(msgID int) (*mail.Message, error) {
+	b, err := c.Cmd("RETR", true, msgID)
+	if err != nil {
+		return nil, err
+	}
+
+	m, err := mail.ReadMessage(b)
+	if err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
+
+// RetrRaw downloads a message by the given msgID and returns the raw []byte
+// of the entire message.
+func (c *Conn) RetrRaw(msgID int) (*bytes.Buffer, error) {
+	b, err := c.Cmd("RETR", true, msgID)
+	return b, err
+}
+
+// Top retrieves a message by its ID with full headers and numLines lines of the body.
+func (c *Conn) Top(msgID int, numLines int) (*mail.Message, error) {
+	b, err := c.Cmd("TOP", true, msgID, numLines)
+	if err != nil {
+		return nil, err
+	}
+
+	m, err := mail.ReadMessage(b)
+	if err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
+
+// Dele deletes one or more messages. The server only executes the
+// deletions after a successful Quit().
+func (c *Conn) Dele(msgID ...int) error {
+	for _, id := range msgID {
+		_, err := c.Cmd("DELE", false, id)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Rset clears the messages marked for deletion in the current session.
+func (c *Conn) Rset() error {
+	_, err := c.Cmd("RSET", false)
+	return err
+}
+
+// Noop issues a do-nothing NOOP command to the server. This is useful for
+// prolonging open connections.
+func (c *Conn) Noop() error {
+	_, err := c.Cmd("NOOP", false)
+	return err
+}
+
+// Quit sends the QUIT command to server and gracefully closes the connection.
+// Message deletions (DELE command) are only executed by the server on a graceful
+// quit and close.
+func (c *Conn) Quit() error {
+	defer c.conn.Close()
+
+	if _, err := c.Cmd("QUIT", false); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// parseResp checks if the response is an error that starts with `-ERR`
+// and returns an error with the message that succeeds the error indicator.
+// For success `+OK` messages, it returns the remaining response bytes.
+func parseResp(b []byte) ([]byte, error) {
+	if len(b) == 0 {
+		return nil, nil
+	}
+
+	if bytes.Equal(b, respOK) {
+		return nil, nil
+	} else if bytes.HasPrefix(b, respOKInfo) {
+		return bytes.TrimPrefix(b, respOKInfo), nil
+	} else if bytes.Equal(b, respErr) {
+		return nil, errors.New("unknown error (no info specified in response)")
+	} else if bytes.HasPrefix(b, respErrInfo) {
+		return nil, errors.New(string(bytes.TrimPrefix(b, respErrInfo)))
+	}
+
+	return nil, fmt.Errorf("unknown response: %s. Neither -ERR, nor +OK", string(b))
+}
--- a/internal/spamassassin/spamassassin.go
+++ b/internal/spamassassin/spamassassin.go
@@ -71,7 +71,7 @@ func Ping() error {
 	}

 	var client *spamc.Client
-	if strings.HasPrefix("unix:", service) {
+	if strings.HasPrefix(service, "unix:") {
 		client = spamc.NewUnix(strings.TrimLeft(service, "unix:"))
 	} else {
 		client = spamc.NewTCP(service, timeout)
@@ -112,7 +112,7 @@ func Check(msg []byte) (Result, error) {
 		}
 	} else {
 		var client *spamc.Client
-		if strings.HasPrefix("unix:", service) {
+		if strings.HasPrefix(service, "unix:") {
 			client = spamc.NewUnix(strings.TrimLeft(service, "unix:"))
 		} else {
 			client = spamc.NewTCP(service, timeout)
--- a/internal/spamassassin/spamc/spamc.go
+++ b/internal/spamassassin/spamc/spamc.go
@@ -13,6 +13,8 @@ import (
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/axllent/mailpit/internal/tools"
 )

 // ProtoVersion is the protocol version
@@ -81,6 +83,7 @@ func (c *Client) dial() (connection, error) {
 		}
 		return net.DialUnix("unix", nil, unixAddr)
 	}
+
 	panic("Client.net must be either \"tcp\" or \"unix\"")
 }

@@ -107,26 +110,25 @@ func (c *Client) report(email []byte) ([]string, error) {
 	}

 	bw := bufio.NewWriter(conn)
-	_, err = bw.WriteString("REPORT SPAMC/" + ProtoVersion + "\r\n")
-	if err != nil {
+	if _, err := bw.WriteString("REPORT SPAMC/" + ProtoVersion + "\r\n"); err != nil {
 		return nil, err
 	}
-	_, err = bw.WriteString("Content-length: " + strconv.Itoa(len(email)) + "\r\n\r\n")
-	if err != nil {
+
+	if _, err := bw.WriteString("Content-length: " + strconv.Itoa(len(email)) + "\r\n\r\n"); err != nil {
 		return nil, err
 	}
-	_, err = bw.Write(email)
-	if err != nil {
+
+	if _, err := bw.Write(email); err != nil {
 		return nil, err
 	}
-	err = bw.Flush()
-	if err != nil {
+
+	if err := bw.Flush(); err != nil {
 		return nil, err
 	}
+
 	// Client is supposed to close its writing side of the connection
 	// after sending its request.
-	err = conn.CloseWrite()
-	if err != nil {
+	if err := conn.CloseWrite(); err != nil {
 		return nil, err
 	}

@@ -134,6 +136,7 @@ func (c *Client) report(email []byte) ([]string, error) {
 		lines []string
 		br    = bufio.NewReader(conn)
 	)
+
 	for {
 		line, err := br.ReadString('\n')
 		if err == io.EOF {
@@ -171,11 +174,12 @@ func (c *Client) parseOutput(output []string) Result {
 				continue
 			}
 		}
+
 		// summary
 		if spamMainRe.MatchString(row) {
 			res := spamMainRe.FindStringSubmatch(row)
 			if len(res) == 4 {
-				if strings.ToLower(res[1]) == "true" || strings.ToLower(res[1]) == "yes" {
+				if tools.InArray(res[1], []string{"true", "yes"}) {
 					result.Spam = true
 				} else {
 					result.Spam = false
@@ -197,8 +201,8 @@ func (c *Client) parseOutput(output []string) Result {
 			reachedRules = true
 			continue
 		}
+
 		// details
-		// row = strings.Trim(row, " \t\r\n")
 		if reachedRules && spamDetailsRe.MatchString(row) {
 			res := spamDetailsRe.FindStringSubmatch(row)
 			if len(res) == 5 {
@@ -207,6 +211,7 @@ func (c *Client) parseOutput(output []string) Result {
 			}
 		}
 	}
+
 	return result
 }

@@ -222,12 +227,11 @@ func (c *Client) Ping() error {
 		return err
 	}

-	_, err = io.WriteString(conn, fmt.Sprintf("PING SPAMC/%s\r\n\r\n", ProtoVersion))
-	if err != nil {
+	if _, err := io.WriteString(conn, fmt.Sprintf("PING SPAMC/%s\r\n\r\n", ProtoVersion)); err != nil {
 		return err
 	}
-	err = conn.CloseWrite()
-	if err != nil {
+
+	if err := conn.CloseWrite(); err != nil {
 		return err
 	}

@@ -241,5 +245,6 @@ func (c *Client) Ping() error {
 			return err
 		}
 	}
+
 	return nil
 }
--- a/internal/stats/stats.go
+++ b/internal/stats/stats.go
@@ -2,7 +2,6 @@
 package stats

 import (
-	"os"
 	"runtime"
 	"sync"
 	"time"
@@ -21,10 +20,10 @@ var (

 	mu sync.RWMutex

-	smtpAccepted     int
-	smtpAcceptedSize int
-	smtpRejected     int
-	smtpIgnored      int
+	smtpAccepted     float64
+	smtpAcceptedSize float64
+	smtpRejected     float64
+	smtpIgnored      float64
 )

 // AppInformation struct
@@ -37,29 +36,29 @@ type AppInformation struct {
 	// Database path
 	Database string
 	// Database size in bytes
-	DatabaseSize int64
+	DatabaseSize float64
 	// Total number of messages in the database
-	Messages int
+	Messages float64
 	// Total number of messages in the database
-	Unread int
+	Unread float64
 	// Tags and message totals per tag
 	Tags map[string]int64
 	// Runtime statistics
 	RuntimeStats struct {
 		// Mailpit server uptime in seconds
-		Uptime int
+		Uptime float64
 		// Current memory usage in bytes
 		Memory uint64
 		// Database runtime messages deleted
-		MessagesDeleted int
+		MessagesDeleted float64
 		// Accepted runtime SMTP messages
-		SMTPAccepted int
+		SMTPAccepted float64
 		// Total runtime accepted messages size in bytes
-		SMTPAcceptedSize int
+		SMTPAcceptedSize float64
 		// Rejected runtime SMTP messages
-		SMTPRejected int
+		SMTPRejected float64
 		// Ignored runtime SMTP messages (when using --ignore-duplicate-ids)
-		SMTPIgnored int
+		SMTPIgnored float64
 	}
 }

@@ -72,8 +71,7 @@ func Load() AppInformation {
 	runtime.ReadMemStats(&m)

 	info.RuntimeStats.Memory = m.Sys - m.HeapReleased
-
-	info.RuntimeStats.Uptime = int(time.Since(startedAt).Seconds())
+	info.RuntimeStats.Uptime = time.Since(startedAt).Seconds()
 	info.RuntimeStats.MessagesDeleted = storage.StatsDeleted
 	info.RuntimeStats.SMTPAccepted = smtpAccepted
 	info.RuntimeStats.SMTPAcceptedSize = smtpAcceptedSize
@@ -96,16 +94,10 @@ func Load() AppInformation {
 		}
 	}

-	info.Database = config.DataFile
-
-	db, err := os.Stat(info.Database)
-	if err == nil {
-		info.DatabaseSize = db.Size()
-	}
-
+	info.Database = config.Database
+	info.DatabaseSize = storage.DbSize()
 	info.Messages = storage.CountTotal()
 	info.Unread = storage.CountUnread()
-
 	info.Tags = storage.GetAllTagsCount()

 	return info
@@ -120,7 +112,7 @@ func Track() {
 func LogSMTPAccepted(size int) {
 	mu.Lock()
 	smtpAccepted = smtpAccepted + 1
-	smtpAcceptedSize = smtpAcceptedSize + size
+	smtpAcceptedSize = smtpAcceptedSize + float64(size)
 	mu.Unlock()
 }

--- a/internal/storage/cron.go
+++ b/internal/storage/cron.go
@@ -9,6 +9,7 @@ import (

 	"github.com/axllent/mailpit/config"
 	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/tools"
 	"github.com/axllent/mailpit/server/websockets"
 	"github.com/leporo/sqlf"
 )
@@ -27,10 +28,15 @@ func dbCron() {

 			if deletedSize > 0 {
 				total := totalMessagesSize()
-				deletedPercent := deletedSize * 100 / total
+				var deletedPercent float64
+				if total == 0 {
+					deletedPercent = 100
+				} else {
+					deletedPercent = deletedSize * 100 / total
+				}
 				// only vacuum the DB if at least 1% of mail storage size has been deleted
 				if deletedPercent >= 1 {
-					logger.Log().Debugf("[db] deleted messages is %d%% of total size, reclaim space", deletedPercent)
+					logger.Log().Debugf("[db] deleted messages is %f%% of total size, reclaim space", deletedPercent)
 					vacuumDb()
 				}
 			}
@@ -43,34 +49,74 @@ func dbCron() {
 // PruneMessages will auto-delete the oldest messages if messages > config.MaxMessages.
 // Set config.MaxMessages to 0 to disable.
 func pruneMessages() {
-	if config.MaxMessages < 1 {
+	if config.MaxMessages < 1 && config.MaxAgeInHours == 0 {
 		return
 	}

 	start := time.Now()

-	q := sqlf.Select("ID, Size").
-		From("mailbox").
-		OrderBy("Created DESC").
-		Limit(5000).
-		Offset(config.MaxMessages)
-
 	ids := []string{}
 	var prunedSize int64
-	var size int
-	if err := q.Query(nil, db, func(row *sql.Rows) {
-		var id string
+	var size float64

-		if err := row.Scan(&id, &size); err != nil {
+	// prune using `--max` if set
+	if config.MaxMessages > 0 {
+		total := CountTotal()
+		if total > float64(config.MaxAgeInHours) {
+			offset := config.MaxMessages
+			if config.DemoMode {
+				offset = 500
+			}
+			q := sqlf.Select("ID, Size").
+				From(tenant("mailbox")).
+				OrderBy("Created DESC").
+				Limit(5000).
+				Offset(offset)
+
+			if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+				var id string
+
+				if err := row.Scan(&id, &size); err != nil {
+					logger.Log().Errorf("[db] %s", err.Error())
+					return
+				}
+				ids = append(ids, id)
+				prunedSize = prunedSize + int64(size)
+
+			}); err != nil {
+				logger.Log().Errorf("[db] %s", err.Error())
+				return
+			}
+		}
+	}
+
+	// prune using `--max-age` if set
+	if config.MaxAgeInHours > 0 {
+		// now() minus the number of hours
+		ts := time.Now().Add(time.Duration(-config.MaxAgeInHours) * time.Hour).UnixMilli()
+
+		q := sqlf.Select("ID, Size").
+			From(tenant("mailbox")).
+			Where("Created < ?", ts).
+			Limit(5000)
+
+		if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+			var id string
+
+			if err := row.Scan(&id, &size); err != nil {
+				logger.Log().Errorf("[db] %s", err.Error())
+				return
+			}
+
+			if !tools.InArray(id, ids) {
+				ids = append(ids, id)
+				prunedSize = prunedSize + int64(size)
+			}
+
+		}); err != nil {
 			logger.Log().Errorf("[db] %s", err.Error())
 			return
 		}
-		ids = append(ids, id)
-		prunedSize = prunedSize + int64(size)
-
-	}); err != nil {
-		logger.Log().Errorf("[db] %s", err.Error())
-		return
 	}

 	if len(ids) == 0 {
@@ -88,19 +134,19 @@ func pruneMessages() {
 		args[i] = id
 	}

-	_, err = tx.Query(`DELETE FROM mailbox WHERE ID IN (?`+strings.Repeat(",?", len(ids)-1)+`)`, args...) // #nosec
+	_, err = tx.Exec(`DELETE FROM `+tenant("mailbox_data")+` WHERE ID IN (?`+strings.Repeat(",?", len(ids)-1)+`)`, args...) // #nosec
 	if err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 		return
 	}

-	_, err = tx.Query(`DELETE FROM mailbox_data WHERE ID IN (?`+strings.Repeat(",?", len(ids)-1)+`)`, args...) // #nosec
+	_, err = tx.Exec(`DELETE FROM `+tenant("message_tags")+` WHERE ID IN (?`+strings.Repeat(",?", len(ids)-1)+`)`, args...) // #nosec
 	if err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 		return
 	}

-	_, err = tx.Query(`DELETE FROM message_tags WHERE ID IN (?`+strings.Repeat(",?", len(ids)-1)+`)`, args...) // #nosec
+	_, err = tx.Exec(`DELETE FROM `+tenant("mailbox")+` WHERE ID IN (?`+strings.Repeat(",?", len(ids)-1)+`)`, args...) // #nosec
 	if err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 		return
@@ -127,11 +173,20 @@ func pruneMessages() {

 	logMessagesDeleted(len(ids))

+	if config.DemoMode {
+		vacuumDb()
+	}
+
 	websockets.Broadcast("prune", nil)
 }

 // Vacuum the database to reclaim space from deleted messages
 func vacuumDb() {
+	if sqlDriver == "rqlite" {
+		// let rqlite handle vacuuming
+		return
+	}
+
 	start := time.Now()

 	// set WAL file checkpoint
@@ -142,7 +197,7 @@ func vacuumDb() {

 	// vacuum database
 	if _, err := db.Exec("VACUUM"); err != nil {
-		logger.Log().Errorf("[db] %s", err.Error())
+		logger.Log().Errorf("[db] VACUUM: %s", err.Error())
 		return
 	}

@@ -157,5 +212,5 @@ func vacuumDb() {
 	}

 	elapsed := time.Since(start)
-	logger.Log().Debugf("[db] vacuumed database in %s", elapsed)
+	logger.Log().Debugf("[db] vacuum completed in %s", elapsed)
 }
--- a/internal/storage/database.go
+++ b/internal/storage/database.go
@@ -2,12 +2,14 @@
 package storage

 import (
+	"context"
 	"database/sql"
 	"fmt"
 	"os"
 	"os/signal"
 	"path"
 	"path/filepath"
+	"strings"
 	"syscall"
 	"time"

@@ -16,63 +18,102 @@ import (
 	"github.com/klauspost/compress/zstd"
 	"github.com/leporo/sqlf"

-	// sqlite (native) - https://gitlab.com/cznic/sqlite
+	// sqlite - https://gitlab.com/cznic/sqlite
 	_ "modernc.org/sqlite"
+
+	// rqlite - https://github.com/rqlite/gorqlite | https://rqlite.io/
+	_ "github.com/rqlite/gorqlite/stdlib"
 )

 var (
 	db           *sql.DB
 	dbFile       string
-	dbIsTemp     bool
+	sqlDriver    string
 	dbLastAction time.Time

 	// zstd compression encoder & decoder
 	dbEncoder, _ = zstd.NewWriter(nil)
 	dbDecoder, _ = zstd.NewReader(nil)
+
+	temporaryFiles = []string{}
 )

 // InitDB will initialise the database
 func InitDB() error {
-	p := config.DataFile
+	var (
+		dsn string
+		err error
+	)
+
+	p := config.Database

 	if p == "" {
 		// when no path is provided then we create a temporary file
 		// which will get deleted on Close(), SIGINT or SIGTERM
 		p = fmt.Sprintf("%s-%d.db", path.Join(os.TempDir(), "mailpit"), time.Now().UnixNano())
-		dbIsTemp = true
+		// delete the Unix socket file on exit
+		AddTempFile(p)
+		sqlDriver = "sqlite"
+		dsn = p
 		logger.Log().Debugf("[db] using temporary database: %s", p)
+	} else if strings.HasPrefix(p, "http://") || strings.HasPrefix(p, "https://") {
+		sqlDriver = "rqlite"
+		dsn = p
+		logger.Log().Debugf("[db] opening rqlite database %s", p)
 	} else {
 		p = filepath.Clean(p)
+		sqlDriver = "sqlite"
+		dsn = fmt.Sprintf("file:%s?cache=shared", p)
+		logger.Log().Debugf("[db] opening database %s", p)
 	}

-	config.DataFile = p
+	config.Database = p

-	logger.Log().Debugf("[db] opening database %s", p)
+	if sqlDriver == "sqlite" {
+		if !isFile(p) {
+			// try create a file to ensure permissions
+			f, err := os.Create(p)
+			if err != nil {
+				return fmt.Errorf("[db] %s", err.Error())
+			}
+			_ = f.Close()
+		}
+	}

-	var err error
-
-	dsn := fmt.Sprintf("file:%s?cache=shared", p)
-
-	db, err = sql.Open("sqlite", dsn)
+	db, err = sql.Open(sqlDriver, dsn)
 	if err != nil {
 		return err
 	}

+	for i := 1; i < 6; i++ {
+		if err := Ping(); err != nil {
+			logger.Log().Errorf("[db] %s", err.Error())
+			logger.Log().Infof("[db] reconnecting in 5 seconds (attempt %d/5)", i)
+			time.Sleep(5 * time.Second)
+		} else {
+			continue
+		}
+	}
+
 	// prevent "database locked" errors
 	// @see https://github.com/mattn/go-sqlite3#faq
 	db.SetMaxOpenConns(1)

-	// SQLite performance tuning (https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)
-	_, err = db.Exec("PRAGMA journal_mode = WAL; PRAGMA synchronous = normal;")
-	if err != nil {
-		return err
+	if sqlDriver == "sqlite" {
+		// SQLite performance tuning (https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)
+		_, err = db.Exec("PRAGMA journal_mode = WAL; PRAGMA synchronous = normal;")
+		if err != nil {
+			return err
+		}
 	}

 	// create tables if necessary & apply migrations
-	if err := dbApplyMigrations(); err != nil {
+	if err := dbApplySchemas(); err != nil {
 		return err
 	}

+	LoadTagFilters()
+
 	dbFile = p
 	dbLastAction = time.Now()

@@ -98,20 +139,32 @@ func InitDB() error {
 	return nil
 }

-// Close will close the database, and delete if a temporary table
+// Tenant applies an optional prefix to the table name
+func tenant(table string) string {
+	return fmt.Sprintf("%s%s", config.TenantID, table)
+}
+
+// Close will close the database, and delete if temporary
 func Close() {
+	// on a fatal exit (eg: ports blocked), allow Mailpit to run migration tasks before closing the DB
+	time.Sleep(200 * time.Millisecond)
+
 	if db != nil {
 		if err := db.Close(); err != nil {
 			logger.Log().Warn("[db] error closing database, ignoring")
 		}
 	}

-	if dbIsTemp && isFile(dbFile) {
-		logger.Log().Debugf("[db] deleting temporary file %s", dbFile)
-		if err := os.Remove(dbFile); err != nil {
-			logger.Log().Errorf("[db] %s", err.Error())
-		}
-	}
+	// allow SQLite to finish closing DB & write WAL logs if local
+	time.Sleep(100 * time.Millisecond)
+
+	// delete all temporary files
+	deleteTempFiles()
+}
+
+// Ping the database connection and return an error if unsuccessful
+func Ping() error {
+	return db.Ping()
 }

 // StatsGet returns the total/unread statistics for a mailbox
@@ -132,53 +185,63 @@ func StatsGet() MailboxStats {
 }

 // CountTotal returns the number of emails in the database
-func CountTotal() int {
-	var total int
+func CountTotal() float64 {
+	var total float64

-	_ = sqlf.From("mailbox").
+	_ = sqlf.From(tenant("mailbox")).
 		Select("COUNT(*)").To(&total).
-		QueryRowAndClose(nil, db)
+		QueryRowAndClose(context.TODO(), db)

 	return total
 }

 // CountUnread returns the number of emails in the database that are unread.
-func CountUnread() int {
-	var total int
+func CountUnread() float64 {
+	var total float64

-	q := sqlf.From("mailbox").
+	_ = sqlf.From(tenant("mailbox")).
 		Select("COUNT(*)").To(&total).
-		Where("Read = ?", 0)
-
-	_ = q.QueryRowAndClose(nil, db)
+		Where("Read = ?", 0).
+		QueryRowAndClose(context.TODO(), db)

 	return total
 }

 // CountRead returns the number of emails in the database that are read.
-func CountRead() int {
-	var total int
+func CountRead() float64 {
+	var total float64

-	q := sqlf.From("mailbox").
+	_ = sqlf.From(tenant("mailbox")).
 		Select("COUNT(*)").To(&total).
-		Where("Read = ?", 1)
-
-	_ = q.QueryRowAndClose(nil, db)
+		Where("Read = ?", 1).
+		QueryRowAndClose(context.TODO(), db)

 	return total
 }

-// IsUnread returns the number of emails in the database that are unread.
-// If an ID is supplied, then it is just limited to that message.
+// DbSize returns the size of the SQLite database.
+func DbSize() float64 {
+	var total sql.NullFloat64
+
+	err := db.QueryRow("SELECT page_count * page_size AS size FROM pragma_page_count(), pragma_page_size()").Scan(&total)
+
+	if err != nil {
+		logger.Log().Errorf("[db] %s", err.Error())
+		return total.Float64
+	}
+
+	return total.Float64
+}
+
+// IsUnread returns whether a message is unread or not.
 func IsUnread(id string) bool {
 	var unread int

-	q := sqlf.From("mailbox").
+	_ = sqlf.From(tenant("mailbox")).
 		Select("COUNT(*)").To(&unread).
 		Where("Read = ?", 0).
-		Where("ID = ?", id)
-
-	_ = q.QueryRowAndClose(nil, db)
+		Where("ID = ?", id).
+		QueryRowAndClose(context.TODO(), db)

 	return unread == 1
 }
@@ -187,11 +250,10 @@ func IsUnread(id string) bool {
 func MessageIDExists(id string) bool {
 	var total int

-	q := sqlf.From("mailbox").
+	_ = sqlf.From(tenant("mailbox")).
 		Select("COUNT(*)").To(&total).
-		Where("MessageID = ?", id)
-
-	_ = q.QueryRowAndClose(nil, db)
+		Where("MessageID = ?", id).
+		QueryRowAndClose(context.TODO(), db)

 	return total != 0
 }
--- a/internal/storage/messages.go
+++ b/internal/storage/messages.go
@@ -4,6 +4,8 @@ import (
 	"bytes"
 	"context"
 	"database/sql"
+	"encoding/base64"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -25,8 +27,10 @@ import (
 // Store will save an email to the database tables.
 // Returns the database ID of the saved message.
 func Store(body *[]byte) (string, error) {
+	parser := enmime.NewParser(enmime.DisableCharacterDetection(true))
+
 	// Parse message body with enmime
-	env, err := enmime.ReadEnvelope(bytes.NewReader(*body))
+	env, err := parser.ReadEnvelope(bytes.NewReader(*body))
 	if err != nil {
 		logger.Log().Warnf("[message] %s", err.Error())
 		return "", nil
@@ -48,7 +52,7 @@ func Store(body *[]byte) (string, error) {
 		ReplyTo: addressToSlice(env, "Reply-To"),
 	}

-	messageID := strings.Trim(env.Root.Header.Get("Message-ID"), "<>")
+	messageID := strings.Trim(env.GetHeader("Message-ID"), "<>")
 	created := time.Now()

 	// use message date instead of created date
@@ -69,13 +73,6 @@ func Store(body *[]byte) (string, error) {
 		return "", err
 	}

-	// extract tags from body matches based on --tag, plus addresses & X-Tags header
-	tagStr := findTagsInRawMessage(body) + "," +
-		obj.tagsFromPlusAddresses() + "," +
-		strings.TrimSpace(env.Root.Header.Get("X-Tags"))
-
-	tagData := uniqueTagsFromString(tagStr)
-
 	// begin a transaction to ensure both the message
 	// and data are stored successfully
 	ctx := context.Background()
@@ -88,21 +85,27 @@ func Store(body *[]byte) (string, error) {
 	defer tx.Rollback()

 	subject := env.GetHeader("Subject")
-	size := len(*body)
+	size := float64(len(*body))
 	inline := len(env.Inlines)
 	attachments := len(env.Attachments)
 	snippet := tools.CreateSnippet(env.Text, env.HTML)

+	sql := fmt.Sprintf(`INSERT INTO %s 
+		(Created, ID, MessageID, Subject, Metadata, Size, Inline, Attachments, SearchText, Read, Snippet) 
+		VALUES(?,?,?,?,?,?,?,?,?,0,?)`,
+		tenant("mailbox"),
+	) // #nosec
+
 	// insert mail summary data
-	_, err = tx.Exec("INSERT INTO mailbox(Created, ID, MessageID, Subject, Metadata, Size, Inline, Attachments, SearchText, Read, Snippet) values(?,?,?,?,?,?,?,?,?,0,?)",
-		created.UnixMilli(), id, messageID, subject, string(summaryJSON), size, inline, attachments, searchText, snippet)
+	_, err = tx.Exec(sql, created.UnixMilli(), id, messageID, subject, string(summaryJSON), size, inline, attachments, searchText, snippet)
 	if err != nil {
 		return "", err
 	}

 	// insert compressed raw message
-	compressed := dbEncoder.EncodeAll(*body, make([]byte, 0, size))
-	_, err = tx.Exec("INSERT INTO mailbox_data(ID, Email) values(?,?)", id, string(compressed))
+	encoded := dbEncoder.EncodeAll(*body, make([]byte, 0, int(size)))
+	hexStr := hex.EncodeToString(encoded)
+	_, err = tx.Exec(fmt.Sprintf(`INSERT INTO %s (ID, Email) VALUES(?, x'%s')`, tenant("mailbox_data"), hexStr), id) // #nosec
 	if err != nil {
 		return "", err
 	}
@@ -111,9 +114,29 @@ func Store(body *[]byte) (string, error) {
 		return "", err
 	}

-	if len(tagData) > 0 {
-		// set tags after tx.Commit()
-		if err := SetMessageTags(id, tagData); err != nil {
+	// extract tags using pre-set tag filters, empty slice if not set
+	tags := findTagsInRawMessage(body)
+
+	if !config.TagsDisableXTags {
+		xTagsHdr := env.GetHeader("X-Tags")
+		if xTagsHdr != "" {
+			// extract tags from X-Tags header
+			tags = append(tags, tools.SetTagCasing(strings.Split(strings.TrimSpace(xTagsHdr), ","))...)
+		}
+	}
+
+	if !config.TagsDisablePlus {
+		// get tags from plus-addresses
+		tags = append(tags, obj.tagsFromPlusAddresses()...)
+	}
+
+	// extract tags from search matches, and sort and extract unique tags
+	tags = sortedUniqueTags(append(tags, tagFilterMatches(id)...))
+
+	setTags := []string{}
+	if len(tags) > 0 {
+		setTags, err = SetMessageTags(id, tags)
+		if err != nil {
 			return "", err
 		}
 	}
@@ -129,7 +152,7 @@ func Store(body *[]byte) (string, error) {
 	c.Attachments = attachments
 	c.Subject = subject
 	c.Size = size
-	c.Tags = tagData
+	c.Tags = setTags
 	c.Snippet = snippet

 	websockets.Broadcast("new", c)
@@ -139,28 +162,34 @@ func Store(body *[]byte) (string, error) {

 	BroadcastMailboxStats()

+	logger.Log().Debugf("[db] saved message %s (%d bytes)", id, int64(size))
+
 	return id, nil
 }

 // List returns a subset of messages from the mailbox,
 // sorted latest to oldest
-func List(start, limit int) ([]MessageSummary, error) {
+func List(start int, beforeTS int64, limit int) ([]MessageSummary, error) {
 	results := []MessageSummary{}
 	tsStart := time.Now()

-	q := sqlf.From("mailbox m").
+	q := sqlf.From(tenant("mailbox") + " m").
 		Select(`m.Created, m.ID, m.MessageID, m.Subject, m.Metadata, m.Size, m.Attachments, m.Read, m.Snippet`).
 		OrderBy("m.Created DESC").
 		Limit(limit).
 		Offset(start)

-	if err := q.QueryAndClose(nil, db, func(row *sql.Rows) {
-		var created int64
+	if beforeTS > 0 {
+		q = q.Where("Created < ?", beforeTS)
+	}
+
+	if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+		var created float64
 		var id string
 		var messageID string
 		var subject string
 		var metadata string
-		var size int
+		var size float64
 		var attachments int
 		var read int
 		var snippet string
@@ -176,7 +205,7 @@ func List(start, limit int) ([]MessageSummary, error) {
 			return
 		}

-		em.Created = time.UnixMilli(created)
+		em.Created = time.UnixMilli(int64(created))
 		em.ID = id
 		em.MessageID = messageID
 		em.Subject = subject
@@ -218,7 +247,9 @@ func GetMessage(id string) (*Message, error) {

 	r := bytes.NewReader(raw)

-	env, err := enmime.ReadEnvelope(r)
+	parser := enmime.NewParser(enmime.DisableCharacterDetection(true))
+
+	env, err := parser.ReadEnvelope(r)
 	if err != nil {
 		return nil, err
 	}
@@ -241,12 +272,12 @@ func GetMessage(id string) (*Message, error) {
 	date, err := env.Date()
 	if err != nil {
 		// return received datetime when message does not contain a date header
-		q := sqlf.From("mailbox").
+		q := sqlf.From(tenant("mailbox")).
 			Select(`Created`).
 			Where(`ID = ?`, id)

-		if err := q.QueryAndClose(nil, db, func(row *sql.Rows) {
-			var created int64
+		if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+			var created float64

 			if err := row.Scan(&created); err != nil {
 				logger.Log().Errorf("[db] %s", err.Error())
@@ -255,7 +286,7 @@ func GetMessage(id string) (*Message, error) {

 			logger.Log().Debugf("[db] %s does not contain a date header, using received datetime", id)

-			date = time.UnixMilli(created)
+			date = time.UnixMilli(int64(created))
 		}); err != nil {
 			logger.Log().Errorf("[db] %s", err.Error())
 		}
@@ -273,7 +304,7 @@ func GetMessage(id string) (*Message, error) {
 		ReturnPath: returnPath,
 		Subject:    env.GetHeader("Subject"),
 		Tags:       getMessageTags(id),
-		Size:       len(raw),
+		Size:       float64(len(raw)),
 		Text:       env.Text,
 	}

@@ -327,11 +358,10 @@ func GetMessage(id string) (*Message, error) {
 func GetMessageRaw(id string) ([]byte, error) {
 	var i string
 	var msg string
-	q := sqlf.From("mailbox_data").
+	q := sqlf.From(tenant("mailbox_data")).
 		Select(`ID`).To(&i).
 		Select(`Email`).To(&msg).
 		Where(`ID = ?`, id)
-
 	err := q.QueryRowAndClose(context.Background(), db)
 	if err != nil {
 		return nil, err
@@ -341,7 +371,17 @@ func GetMessageRaw(id string) ([]byte, error) {
 		return nil, errors.New("message not found")
 	}

-	raw, err := dbDecoder.DecodeAll([]byte(msg), nil)
+	var data []byte
+	if sqlDriver == "rqlite" {
+		data, err = base64.StdEncoding.DecodeString(msg)
+		if err != nil {
+			return nil, fmt.Errorf("error decoding base64 message: %w", err)
+		}
+	} else {
+		data = []byte(msg)
+	}
+
+	raw, err := dbDecoder.DecodeAll(data, nil)
 	if err != nil {
 		return nil, fmt.Errorf("error decompressing message: %s", err.Error())
 	}
@@ -360,7 +400,9 @@ func GetAttachmentPart(id, partID string) (*enmime.Part, error) {

 	r := bytes.NewReader(raw)

-	env, err := enmime.ReadEnvelope(r)
+	parser := enmime.NewParser(enmime.DisableCharacterDetection(true))
+
+	env, err := parser.ReadEnvelope(r)
 	if err != nil {
 		return nil, err
 	}
@@ -388,6 +430,21 @@ func GetAttachmentPart(id, partID string) (*enmime.Part, error) {
 	return nil, errors.New("attachment not found")
 }

+// AttachmentSummary returns a summary of the attachment without any binary data
+func AttachmentSummary(a *enmime.Part) Attachment {
+	o := Attachment{}
+	o.PartID = a.PartID
+	o.FileName = a.FileName
+	if o.FileName == "" {
+		o.FileName = a.ContentID
+	}
+	o.ContentType = a.ContentType
+	o.ContentID = a.ContentID
+	o.Size = float64(len(a.Content))
+
+	return o
+}
+
 // LatestID returns the latest message ID
 //
 // If a query argument is set in the request the function will return the
@@ -398,12 +455,12 @@ func LatestID(r *http.Request) (string, error) {

 	search := strings.TrimSpace(r.URL.Query().Get("query"))
 	if search != "" {
-		messages, _, err = Search(search, 0, 1)
+		messages, _, err = Search(search, r.URL.Query().Get("tz"), 0, 0, 1)
 		if err != nil {
 			return "", err
 		}
 	} else {
-		messages, err = List(0, 1)
+		messages, err = List(0, 0, 1)
 		if err != nil {
 			return "", err
 		}
@@ -421,7 +478,7 @@ func MarkRead(id string) error {
 		return nil
 	}

-	_, err := sqlf.Update("mailbox").
+	_, err := sqlf.Update(tenant("mailbox")).
 		Set("Read", 1).
 		Where("ID = ?", id).
 		ExecAndClose(context.Background(), db)
@@ -432,6 +489,13 @@ func MarkRead(id string) error {

 	BroadcastMailboxStats()

+	d := struct {
+		ID   string
+		Read bool
+	}{ID: id, Read: true}
+
+	websockets.Broadcast("update", d)
+
 	return err
 }

@@ -442,7 +506,7 @@ func MarkAllRead() error {
 		total = CountUnread()
 	)

-	_, err := sqlf.Update("mailbox").
+	_, err := sqlf.Update(tenant("mailbox")).
 		Set("Read", 1).
 		Where("Read = ?", 0).
 		ExecAndClose(context.Background(), db)
@@ -451,7 +515,7 @@ func MarkAllRead() error {
 	}

 	elapsed := time.Since(start)
-	logger.Log().Debugf("[db] marked %d messages as read in %s", total, elapsed)
+	logger.Log().Debugf("[db] marked %v messages as read in %s", total, elapsed)

 	BroadcastMailboxStats()

@@ -467,7 +531,7 @@ func MarkAllUnread() error {
 		total = CountRead()
 	)

-	_, err := sqlf.Update("mailbox").
+	_, err := sqlf.Update(tenant("mailbox")).
 		Set("Read", 0).
 		Where("Read = ?", 1).
 		ExecAndClose(context.Background(), db)
@@ -476,7 +540,7 @@ func MarkAllUnread() error {
 	}

 	elapsed := time.Since(start)
-	logger.Log().Debugf("[db] marked %d messages as unread in %s", total, elapsed)
+	logger.Log().Debugf("[db] marked %v messages as unread in %s", total, elapsed)

 	BroadcastMailboxStats()

@@ -491,7 +555,7 @@ func MarkUnread(id string) error {
 		return nil
 	}

-	_, err := sqlf.Update("mailbox").
+	_, err := sqlf.Update(tenant("mailbox")).
 		Set("Read", 0).
 		Where("ID = ?", id).
 		ExecAndClose(context.Background(), db)
@@ -504,55 +568,110 @@ func MarkUnread(id string) error {

 	BroadcastMailboxStats()

+	d := struct {
+		ID   string
+		Read bool
+	}{ID: id, Read: false}
+
+	websockets.Broadcast("update", d)
+
 	return err
 }

-// DeleteOneMessage will delete a single message from a mailbox
-func DeleteOneMessage(id string) error {
-	m, err := GetMessageRaw(id)
+// DeleteMessages deletes one or more messages in bulk
+func DeleteMessages(ids []string) error {
+	if len(ids) == 0 {
+		return nil
+	}
+
+	start := time.Now()
+
+	args := make([]interface{}, len(ids))
+	for i, id := range ids {
+		args[i] = id
+	}
+
+	sql := fmt.Sprintf(`SELECT ID, Size FROM %s WHERE  ID IN (?%s)`, tenant("mailbox"), strings.Repeat(",?", len(args)-1)) // #nosec
+	rows, err := db.Query(sql, args...)
 	if err != nil {
 		return err
 	}
+	defer rows.Close()
+
+	toDelete := []string{}
+	var totalSize float64
+
+	for rows.Next() {
+		var id string
+		var size float64
+		if err := rows.Scan(&id, &size); err != nil {
+			return err
+		}
+		toDelete = append(toDelete, id)
+		totalSize = totalSize + size
+	}
+
+	if err = rows.Err(); err != nil {
+		return err
+	}
+
+	if len(toDelete) == 0 {
+		return nil // nothing to delete
+	}

-	size := len(m)
-	// begin a transaction to ensure both the message
-	// and data are deleted successfully
 	tx, err := db.BeginTx(context.Background(), nil)
 	if err != nil {
 		return err
 	}

-	// roll back if it fails
-	defer tx.Rollback()
-
-	_, err = tx.Exec("DELETE FROM mailbox WHERE ID  = ?", id)
-	if err != nil {
-		return err
+	args = make([]interface{}, len(toDelete))
+	for i, id := range toDelete {
+		args[i] = id
 	}

-	_, err = tx.Exec("DELETE FROM mailbox_data WHERE ID  = ?", id)
-	if err != nil {
-		return err
+	tables := []string{"mailbox", "mailbox_data", "message_tags"}
+
+	for _, t := range tables {
+		sql = fmt.Sprintf(`DELETE FROM %s WHERE ID IN (?%s)`, tenant(t), strings.Repeat(",?", len(ids)-1))
+
+		_, err = tx.Exec(sql, args...) // #nosec
+		if err != nil {
+			return err
+		}
 	}

-	err = tx.Commit()
-
-	if err == nil {
-		logger.Log().Debugf("[db] deleted message %s", id)
-	}
-
-	if err := DeleteAllMessageTags(id); err != nil {
+	if err := tx.Commit(); err != nil {
 		return err
 	}

 	dbLastAction = time.Now()
-	addDeletedSize(int64(size))
+	addDeletedSize(int64(totalSize))

-	logMessagesDeleted(1)
+	logMessagesDeleted(len(toDelete))
+
+	_ = pruneUnusedTags()
+
+	elapsed := time.Since(start)
+
+	messages := "messages"
+	if len(toDelete) == 1 {
+		messages = "message"
+	}
+
+	logger.Log().Debugf("[db] deleted %d %s in %s", len(toDelete), messages, elapsed)

 	BroadcastMailboxStats()

-	return err
+	// broadcast individual message deletions
+	for _, id := range toDelete {
+		d := struct {
+			ID string
+		}{ID: id}
+
+		websockets.Broadcast("delete", d)
+	}
+
+	return nil
 }

 // DeleteAllMessages will delete all messages from a mailbox
@@ -562,9 +681,9 @@ func DeleteAllMessages() error {
 		total int
 	)

-	_ = sqlf.From("mailbox").
+	_ = sqlf.From(tenant("mailbox")).
 		Select("COUNT(*)").To(&total).
-		QueryRowAndClose(nil, db)
+		QueryRowAndClose(context.TODO(), db)

 	// begin a transaction to ensure both the message
 	// summaries and data are deleted successfully
@@ -576,24 +695,14 @@ func DeleteAllMessages() error {
 	// roll back if it fails
 	defer tx.Rollback()

-	_, err = tx.Exec("DELETE FROM mailbox")
-	if err != nil {
-		return err
-	}
+	tables := []string{"mailbox", "mailbox_data", "tags", "message_tags"}

-	_, err = tx.Exec("DELETE FROM mailbox_data")
-	if err != nil {
-		return err
-	}
-
-	_, err = tx.Exec("DELETE FROM tags")
-	if err != nil {
-		return err
-	}
-
-	_, err = tx.Exec("DELETE FROM message_tags")
-	if err != nil {
-		return err
+	for _, t := range tables {
+		sql := fmt.Sprintf(`DELETE FROM %s`, tenant(t)) // #nosec
+		_, err := tx.Exec(sql)
+		if err != nil {
+			return err
+		}
 	}

 	if err := tx.Commit(); err != nil {
@@ -612,8 +721,9 @@ func DeleteAllMessages() error {

 	logMessagesDeleted(total)

-	websockets.Broadcast("prune", nil)
 	BroadcastMailboxStats()

+	websockets.Broadcast("truncate", nil)
+
 	return err
 }
--- a/internal/storage/messages_test.go
+++ b/internal/storage/messages_test.go
@@ -3,18 +3,18 @@ package storage
 import (
 	"testing"
 	"time"
+
+	"github.com/axllent/mailpit/config"
 )

 func TestTextEmailInserts(t *testing.T) {
-	setup()
+	setup("")
 	defer Close()

 	t.Log("Testing text email storage")

 	start := time.Now()

-	assertEqualStats(t, 0, 0)
-
 	for i := 0; i < testRuns; i++ {
 		if _, err := Store(&testTextEmail); err != nil {
 			t.Log("error ", err)
@@ -22,19 +22,17 @@ func TestTextEmailInserts(t *testing.T) {
 		}
 	}

-	assertEqual(t, CountTotal(), testRuns, "Incorrect number of text emails stored")
+	assertEqual(t, CountTotal(), float64(testRuns), "Incorrect number of text emails stored")

 	t.Logf("Inserted %d text emails in %s", testRuns, time.Since(start))

-	assertEqualStats(t, testRuns, testRuns)
-
 	delStart := time.Now()
 	if err := DeleteAllMessages(); err != nil {
 		t.Log("error ", err)
 		t.Fail()
 	}

-	assertEqual(t, CountTotal(), 0, "incorrect number of text emails deleted")
+	assertEqual(t, CountTotal(), float64(0), "incorrect number of text emails deleted")

 	t.Logf("deleted %d text emails in %s", testRuns, time.Since(delStart))

@@ -42,115 +40,140 @@ func TestTextEmailInserts(t *testing.T) {
 }

 func TestMimeEmailInserts(t *testing.T) {
-	setup()
-	defer Close()
+	for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+		tenantID = config.DBTenantID(tenantID)

-	t.Log("Testing mime email storage")
+		setup(tenantID)

-	start := time.Now()
+		if tenantID == "" {
+			t.Log("Testing mime email storage")
+		} else {
+			t.Logf("Testing mime email storage (tenant %s)", tenantID)
+		}
+
+		start := time.Now()
+
+		for i := 0; i < testRuns; i++ {
+			if _, err := Store(&testMimeEmail); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+		}
+
+		assertEqual(t, CountTotal(), float64(testRuns), "Incorrect number of mime emails stored")
+
+		t.Logf("Inserted %d text emails in %s", testRuns, time.Since(start))
+
+		delStart := time.Now()
+		if err := DeleteAllMessages(); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		assertEqual(t, CountTotal(), float64(0), "incorrect number of mime emails deleted")
+
+		t.Logf("Deleted %d mime emails in %s", testRuns, time.Since(delStart))
+
+		Close()
+	}
+}
+
+func TestRetrieveMimeEmail(t *testing.T) {
+	for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+		tenantID = config.DBTenantID(tenantID)
+
+		setup(tenantID)
+
+		if tenantID == "" {
+			t.Log("Testing mime email retrieval")
+		} else {
+			t.Logf("Testing mime email retrieval (tenant %s)", tenantID)
+		}
+
+		id, err := Store(&testMimeEmail)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		msg, err := GetMessage(id)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		assertEqual(t, msg.From.Name, "Sender Smith", "\"From\" name does not match")
+		assertEqual(t, msg.From.Address, "sender2@example.com", "\"From\" address does not match")
+		assertEqual(t, msg.Subject, "inline + attachment", "subject does not match")
+		assertEqual(t, len(msg.To), 1, "incorrect number of recipients")
+		assertEqual(t, msg.To[0].Name, "Recipient Ross", "\"To\" name does not match")
+		assertEqual(t, msg.To[0].Address, "recipient2@example.com", "\"To\" address does not match")
+		assertEqual(t, len(msg.Attachments), 1, "incorrect number of attachments")
+		assertEqual(t, msg.Attachments[0].FileName, "Sample PDF.pdf", "attachment filename does not match")
+		assertEqual(t, len(msg.Inline), 1, "incorrect number of inline attachments")
+		assertEqual(t, msg.Inline[0].FileName, "inline-image.jpg", "inline attachment filename does not match")
+
+		attachmentData, err := GetAttachmentPart(id, msg.Attachments[0].PartID)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		assertEqual(t, float64(len(attachmentData.Content)), msg.Attachments[0].Size, "attachment size does not match")
+
+		inlineData, err := GetAttachmentPart(id, msg.Inline[0].PartID)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		assertEqual(t, float64(len(inlineData.Content)), msg.Inline[0].Size, "inline attachment size does not match")
+
+		Close()
+	}
+}
+
+func TestMessageSummary(t *testing.T) {
+	for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+		tenantID = config.DBTenantID(tenantID)
+
+		setup(tenantID)
+
+		if tenantID == "" {
+			t.Log("Testing message summary")
+		} else {
+			t.Logf("Testing message summary (tenant %s)", tenantID)
+		}

-	for i := 0; i < testRuns; i++ {
 		if _, err := Store(&testMimeEmail); err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
+
+		summaries, err := List(0, 0, 1)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		assertEqual(t, len(summaries), 1, "Expected 1 result")
+
+		msg := summaries[0]
+
+		assertEqual(t, msg.From.Name, "Sender Smith", "\"From\" name does not match")
+		assertEqual(t, msg.From.Address, "sender2@example.com", "\"From\" address does not match")
+		assertEqual(t, msg.Subject, "inline + attachment", "subject does not match")
+		assertEqual(t, len(msg.To), 1, "incorrect number of recipients")
+		assertEqual(t, msg.To[0].Name, "Recipient Ross", "\"To\" name does not match")
+		assertEqual(t, msg.To[0].Address, "recipient2@example.com", "\"To\" address does not match")
+		assertEqual(t, msg.Snippet, "Message with inline image and attachment:", "\"Snippet\" does does not match")
+		assertEqual(t, msg.Attachments, 1, "Expected 1 attachment")
+		assertEqual(t, msg.MessageID, "33af2ac1-c33d-9738-35e3-a6daf90bbd89@gmail.com", "\"MessageID\" does not match")
+
+		Close()
 	}
-
-	assertEqual(t, CountTotal(), testRuns, "Incorrect number of mime emails stored")
-
-	t.Logf("Inserted %d text emails in %s", testRuns, time.Since(start))
-
-	assertEqualStats(t, testRuns, testRuns)
-
-	delStart := time.Now()
-	if err := DeleteAllMessages(); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	assertEqual(t, CountTotal(), 0, "incorrect number of mime emails deleted")
-
-	t.Logf("Deleted %d mime emails in %s", testRuns, time.Since(delStart))
-}
-
-func TestRetrieveMimeEmail(t *testing.T) {
-	setup()
-	defer Close()
-
-	t.Log("Testing mime email retrieval")
-
-	id, err := Store(&testMimeEmail)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	msg, err := GetMessage(id)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	assertEqual(t, msg.From.Name, "Sender Smith", "\"From\" name does not match")
-	assertEqual(t, msg.From.Address, "sender2@example.com", "\"From\" address does not match")
-	assertEqual(t, msg.Subject, "inline + attachment", "subject does not match")
-	assertEqual(t, len(msg.To), 1, "incorrect number of recipients")
-	assertEqual(t, msg.To[0].Name, "Recipient Ross", "\"To\" name does not match")
-	assertEqual(t, msg.To[0].Address, "recipient2@example.com", "\"To\" address does not match")
-	assertEqual(t, len(msg.Attachments), 1, "incorrect number of attachments")
-	assertEqual(t, msg.Attachments[0].FileName, "Sample PDF.pdf", "attachment filename does not match")
-	assertEqual(t, len(msg.Inline), 1, "incorrect number of inline attachments")
-	assertEqual(t, msg.Inline[0].FileName, "inline-image.jpg", "inline attachment filename does not match")
-
-	attachmentData, err := GetAttachmentPart(id, msg.Attachments[0].PartID)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	assertEqual(t, len(attachmentData.Content), msg.Attachments[0].Size, "attachment size does not match")
-
-	inlineData, err := GetAttachmentPart(id, msg.Inline[0].PartID)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	assertEqual(t, len(inlineData.Content), msg.Inline[0].Size, "inline attachment size does not match")
-}
-
-func TestMessageSummary(t *testing.T) {
-	setup()
-	defer Close()
-
-	t.Log("Testing message summary")
-
-	if _, err := Store(&testMimeEmail); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	summaries, err := List(0, 1)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	assertEqual(t, len(summaries), 1, "Expected 1 result")
-
-	msg := summaries[0]
-
-	assertEqual(t, msg.From.Name, "Sender Smith", "\"From\" name does not match")
-	assertEqual(t, msg.From.Address, "sender2@example.com", "\"From\" address does not match")
-	assertEqual(t, msg.Subject, "inline + attachment", "subject does not match")
-	assertEqual(t, len(msg.To), 1, "incorrect number of recipients")
-	assertEqual(t, msg.To[0].Name, "Recipient Ross", "\"To\" name does not match")
-	assertEqual(t, msg.To[0].Address, "recipient2@example.com", "\"To\" address does not match")
-	assertEqual(t, msg.Snippet, "Message with inline image and attachment:", "\"Snippet\" does does not match")
-	assertEqual(t, msg.Attachments, 1, "Expected 1 attachment")
-	assertEqual(t, msg.MessageID, "33af2ac1-c33d-9738-35e3-a6daf90bbd89@gmail.com", "\"MessageID\" does not match")
 }

 func BenchmarkImportText(b *testing.B) {
-	setup()
+	setup("")
 	defer Close()

 	for i := 0; i < b.N; i++ {
@@ -162,7 +185,7 @@ func BenchmarkImportText(b *testing.B) {
 }

 func BenchmarkImportMime(b *testing.B) {
-	setup()
+	setup("")
 	defer Close()

 	for i := 0; i < b.N; i++ {
--- a/internal/storage/migrations.go
+++ b/internal/storage/migrations.go
@@ -1,188 +0,0 @@
-package storage
-
-import (
-	"database/sql"
-	"encoding/json"
-
-	"github.com/GuiaBolso/darwin"
-	"github.com/axllent/mailpit/internal/logger"
-	"github.com/leporo/sqlf"
-)
-
-var (
-	dbMigrations = []darwin.Migration{
-		{
-			Version:     1.0,
-			Description: "Creating tables",
-			Script: `CREATE TABLE IF NOT EXISTS mailbox (
-				Sort INTEGER PRIMARY KEY AUTOINCREMENT,
-				ID TEXT NOT NULL,
-				Data BLOB,
-				Search TEXT,
-				Read INTEGER
-			);
-			CREATE INDEX IF NOT EXISTS idx_sort ON mailbox (Sort);
-			CREATE UNIQUE INDEX IF NOT EXISTS idx_id ON mailbox (ID);
-			CREATE INDEX IF NOT EXISTS idx_read ON mailbox (Read);
-			
-			CREATE TABLE IF NOT EXISTS mailbox_data (
-				ID TEXT KEY NOT NULL,
-				Email BLOB
-			);
-			CREATE UNIQUE INDEX IF NOT EXISTS idx_data_id ON mailbox_data (ID);`,
-		},
-		{
-			Version:     1.1,
-			Description: "Create tags column",
-			Script: `ALTER TABLE mailbox ADD COLUMN Tags Text  NOT NULL DEFAULT '[]';
-			CREATE INDEX IF NOT EXISTS idx_tags ON mailbox (Tags);`,
-		},
-		{
-			Version:     1.2,
-			Description: "Creating new mailbox format",
-			Script: `CREATE TABLE IF NOT EXISTS mailboxtmp (
-				Created INTEGER NOT NULL,
-				ID TEXT NOT NULL,
-				MessageID TEXT NOT NULL,
-				Subject TEXT NOT NULL,
-				Metadata TEXT,
-				Size INTEGER NOT NULL,
-				Inline INTEGER NOT NULL,
-				Attachments INTEGER NOT NULL,
-				Read INTEGER,
-				Tags TEXT,
-				SearchText TEXT
-			);
-			INSERT INTO mailboxtmp 
-				(Created, ID, MessageID, Subject, Metadata, Size, Inline, Attachments, SearchText, Read, Tags) 
-			SELECT 
-				Sort, ID, '', json_extract(Data, '$.Subject'),Data, 
-				json_extract(Data, '$.Size'), json_extract(Data, '$.Inline'), json_extract(Data, '$.Attachments'), 
-				Search, Read, Tags
-			FROM mailbox;
-
-			DROP TABLE IF EXISTS mailbox;
-			ALTER TABLE mailboxtmp RENAME TO mailbox;
-			CREATE INDEX IF NOT EXISTS idx_created ON mailbox (Created);
-			CREATE UNIQUE INDEX IF NOT EXISTS idx_id ON mailbox (ID);
-			CREATE INDEX IF NOT EXISTS idx_message_id ON mailbox (MessageID);
-			CREATE INDEX IF NOT EXISTS idx_subject ON mailbox (Subject);
-			CREATE INDEX IF NOT EXISTS idx_size ON mailbox (Size);
-			CREATE INDEX IF NOT EXISTS idx_inline ON mailbox (Inline);
-			CREATE INDEX IF NOT EXISTS idx_attachments ON mailbox (Attachments);
-			CREATE INDEX IF NOT EXISTS idx_read ON mailbox (Read);
-			CREATE INDEX IF NOT EXISTS idx_tags ON mailbox (Tags);`,
-		},
-		{
-			Version:     1.3,
-			Description: "Create snippet column",
-			Script:      `ALTER TABLE mailbox ADD COLUMN Snippet Text NOT NULL DEFAULT '';`,
-		},
-		{
-			Version:     1.4,
-			Description: "Create tag tables",
-			Script: `CREATE TABLE IF NOT EXISTS tags (
-				ID INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-				Name TEXT COLLATE NOCASE
-			);
-			CREATE UNIQUE INDEX IF NOT EXISTS idx_tag_name ON tags (Name);
-
-			CREATE TABLE IF NOT EXISTS message_tags(
-				Key INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-				ID TEXT REFERENCES mailbox(ID),
-				TagID INT REFERENCES tags(ID)
-			);
-			CREATE INDEX IF NOT EXISTS idx_message_tag_id ON message_tags (ID);
-			CREATE INDEX IF NOT EXISTS idx_message_tag_tagid ON message_tags (TagID);`,
-		},
-		{
-			// assume deleted messages account for 50% of storage
-			// to handle previously-deleted messages
-			Version:     1.5,
-			Description: "Create settings table",
-			Script: `CREATE TABLE IF NOT EXISTS settings (
-				Key TEXT,
-				Value TEXT
-			);
-			CREATE UNIQUE INDEX IF NOT EXISTS idx_settings_key ON settings (Key);
-			INSERT INTO settings (Key, Value) VALUES("DeletedSize", (SELECT SUM(Size)/2 FROM mailbox));`,
-		},
-	}
-)
-
-// Create tables and apply migrations if required
-func dbApplyMigrations() error {
-	driver := darwin.NewGenericDriver(db, darwin.SqliteDialect{})
-
-	d := darwin.New(driver, dbMigrations, nil)
-
-	return d.Migrate()
-}
-
-// These functions are used to migrate data formats/structure on startup.
-func dataMigrations() {
-	// ensure DeletedSize has a value if empty
-	if SettingGet("DeletedSize") == "" {
-		_ = SettingPut("DeletedSize", "0")
-	}
-
-	migrateTagsToManyMany()
-}
-
-// Migrate tags to ManyMany structure
-// Migration task implemented 12/2023
-// Can be removed end 06/2024 and Tags column & index dropped from mailbox
-func migrateTagsToManyMany() {
-	toConvert := make(map[string][]string)
-	q := sqlf.
-		Select("ID, Tags").
-		From("mailbox").
-		Where("Tags != ?", "[]").
-		Where("Tags IS NOT NULL")
-
-	if err := q.QueryAndClose(nil, db, func(row *sql.Rows) {
-		var id string
-		var jsonTags string
-		if err := row.Scan(&id, &jsonTags); err != nil {
-			logger.Log().Errorf("[migration] %s", err.Error())
-			return
-		}
-
-		tags := []string{}
-
-		if err := json.Unmarshal([]byte(jsonTags), &tags); err != nil {
-			logger.Log().Errorf("[json] %s", err.Error())
-			return
-		}
-
-		toConvert[id] = tags
-	}); err != nil {
-		logger.Log().Errorf("[migration] %s", err.Error())
-	}
-
-	if len(toConvert) > 0 {
-		logger.Log().Infof("[migration] converting %d message tags", len(toConvert))
-		for id, tags := range toConvert {
-			if err := SetMessageTags(id, tags); err != nil {
-				logger.Log().Errorf("[migration] %s", err.Error())
-			} else {
-				if _, err := sqlf.Update("mailbox").
-					Set("Tags", nil).
-					Where("ID = ?", id).
-					ExecAndClose(nil, db); err != nil {
-					logger.Log().Errorf("[migration] %s", err.Error())
-				}
-			}
-		}
-
-		logger.Log().Info("[migration] tags conversion complete")
-	}
-
-	// set all legacy `[]` tags to NULL
-	if _, err := sqlf.Update("mailbox").
-		Set("Tags", nil).
-		Where("Tags = ?", "[]").
-		ExecAndClose(nil, db); err != nil {
-		logger.Log().Errorf("[migration] %s", err.Error())
-	}
-}
--- a/internal/storage/notifications.go
+++ b/internal/storage/notifications.go
@@ -24,8 +24,8 @@ func BroadcastMailboxStats() {
 		time.Sleep(250 * time.Millisecond)
 		bcStatsDelay = false
 		b := struct {
-			Total   int
-			Unread  int
+			Total   float64
+			Unread  float64
 			Version string
 		}{
 			Total:   CountTotal(),
--- a/internal/storage/reindex.go
+++ b/internal/storage/reindex.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"fmt"
 	"net/mail"
 	"os"

@@ -24,9 +25,9 @@ func ReindexAll() {
 	finished := 0

 	err := sqlf.Select("ID").To(&i).
-		From("mailbox").
+		From(tenant("mailbox")).
 		OrderBy("Created DESC").
-		QueryAndClose(nil, db, func(row *sql.Rows) {
+		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
 			ids = append(ids, i)
 		})

@@ -42,12 +43,18 @@ func ReindexAll() {
 	logger.Log().Infof("reindexing %d messages", total)

 	type updateStruct struct {
-		ID         string
+		// ID in database
+		ID string
+		// SearchText for searching
 		SearchText string
-		Snippet    string
-		Metadata   string
+		// Snippet for UI
+		Snippet string
+		// Metadata info
+		Metadata string
 	}

+	parser := enmime.NewParser(enmime.DisableCharacterDetection(true))
+
 	for _, ids := range chunks {
 		updates := []updateStruct{}

@@ -60,7 +67,7 @@ func ReindexAll() {

 			r := bytes.NewReader(raw)

-			env, err := enmime.ReadEnvelope(r)
+			env, err := parser.ReadEnvelope(r)
 			if err != nil {
 				logger.Log().Errorf("[message] %s", err.Error())
 				continue
@@ -112,7 +119,7 @@ func ReindexAll() {

 		// insert mail summary data
 		for _, u := range updates {
-			_, err = tx.Exec("UPDATE mailbox SET SearchText = ?, Snippet = ?, Metadata = ? WHERE ID = ?", u.SearchText, u.Snippet, u.Metadata, u.ID)
+			_, err = tx.Exec(fmt.Sprintf(`UPDATE %s SET SearchText = ?, Snippet = ?, Metadata = ? WHERE ID = ?`, tenant("mailbox")), u.SearchText, u.Snippet, u.Metadata, u.ID)
 			if err != nil {
 				logger.Log().Errorf("[db] %s", err.Error())
 				continue
@@ -134,5 +141,6 @@ func chunkBy[T any](items []T, chunkSize int) (chunks [][]T) {
 	for chunkSize < len(items) {
 		items, chunks = items[chunkSize:], append(chunks, items[0:chunkSize:chunkSize])
 	}
+
 	return append(chunks, items)
 }
--- a/internal/storage/schemas.go
+++ b/internal/storage/schemas.go
@@ -0,0 +1,152 @@
+package storage
+
+import (
+	"bytes"
+	"embed"
+	"log"
+	"path"
+	"sort"
+	"strings"
+	"text/template"
+
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/semver"
+)
+
+//go:embed schemas/*
+var schemaScripts embed.FS
+
+// Create tables and apply schemas if required
+func dbApplySchemas() error {
+	if _, err := db.Exec(`CREATE TABLE IF NOT EXISTS ` + tenant("schemas") + ` (Version TEXT PRIMARY KEY NOT NULL)`); err != nil {
+		return err
+	}
+
+	var legacyMigrationTable int
+	err := db.QueryRow(`SELECT EXISTS(SELECT 1 FROM sqlite_master WHERE type='table' AND name=?)`, tenant("darwin_migrations")).Scan(&legacyMigrationTable)
+	if err != nil {
+		return err
+	}
+
+	if legacyMigrationTable == 1 {
+		rows, err := db.Query(`SELECT version FROM ` + tenant("darwin_migrations"))
+		if err != nil {
+			return err
+		}
+
+		legacySchemas := []string{}
+
+		for rows.Next() {
+			var oldID string
+			if err := rows.Scan(&oldID); err == nil {
+				legacySchemas = append(legacySchemas, semver.MajorMinor(oldID)+"."+semver.Patch(oldID))
+			}
+		}
+
+		legacySchemas = semver.SortMin(legacySchemas)
+
+		for _, v := range legacySchemas {
+			var migrated int
+			err := db.QueryRow(`SELECT EXISTS(SELECT 1 FROM `+tenant("schemas")+` WHERE Version = ?)`, v).Scan(&migrated)
+			if err != nil {
+				return err
+			}
+			if migrated == 0 {
+				// copy to tenant("schemas")
+				if _, err := db.Exec(`INSERT INTO `+tenant("schemas")+` (Version) VALUES (?)`, v); err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	schemaFiles, err := schemaScripts.ReadDir("schemas")
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	temp := template.New("")
+	temp.Funcs(
+		template.FuncMap{
+			"tenant": tenant,
+		},
+	)
+
+	type schema struct {
+		Name   string
+		Semver string
+	}
+
+	scripts := []schema{}
+
+	for _, s := range schemaFiles {
+		if !s.Type().IsRegular() || !strings.HasSuffix(s.Name(), ".sql") {
+			continue
+		}
+
+		schemaID := strings.TrimRight(s.Name(), ".sql")
+
+		if !semver.IsValid(schemaID) {
+			logger.Log().Warnf("[db] invalid schema name: %s", s.Name())
+			continue
+		}
+
+		script := schema{s.Name(), semver.MajorMinor(schemaID) + "." + semver.Patch(schemaID)}
+		scripts = append(scripts, script)
+	}
+
+	// sort schemas by semver, low to high
+	sort.Slice(scripts, func(i, j int) bool {
+		return semver.Compare(scripts[j].Semver, scripts[i].Semver) == 1
+	})
+
+	for _, s := range scripts {
+		var complete int
+		err := db.QueryRow(`SELECT EXISTS(SELECT 1 FROM `+tenant("schemas")+` WHERE Version = ?)`, s.Semver).Scan(&complete)
+		if err != nil {
+			return err
+		}
+
+		if complete == 1 {
+			// already completed, ignore
+			continue
+		}
+		// use path.Join for Windows compatibility, see https://github.com/golang/go/issues/44305
+		b, err := schemaScripts.ReadFile(path.Join("schemas", s.Name))
+		if err != nil {
+			return err
+		}
+
+		// parse import script
+		t1, err := temp.Parse(string(b))
+		if err != nil {
+			return err
+		}
+
+		buf := new(bytes.Buffer)
+
+		if err := t1.Execute(buf, nil); err != nil {
+			return err
+		}
+
+		if _, err := db.Exec(buf.String()); err != nil {
+			return err
+		}
+
+		if _, err := db.Exec(`INSERT INTO `+tenant("schemas")+` (Version) VALUES (?)`, s.Semver); err != nil {
+			return err
+		}
+
+		logger.Log().Debugf("[db] applied schema: %s", s.Name)
+	}
+
+	return nil
+}
+
+// These functions are used to migrate data formats/structure on startup.
+func dataMigrations() {
+	// ensure DeletedSize has a value if empty
+	if SettingGet("DeletedSize") == "" {
+		_ = SettingPut("DeletedSize", "0")
+	}
+}
--- a/internal/storage/schemas/1.0.0.sql
+++ b/internal/storage/schemas/1.0.0.sql
@@ -0,0 +1,19 @@
+-- CREATE TABLES
+CREATE TABLE IF NOT EXISTS {{ tenant "mailbox" }} (
+	Sort INTEGER PRIMARY KEY AUTOINCREMENT,
+	ID TEXT NOT NULL,
+	Data BLOB,
+	Search TEXT,
+	Read INTEGER
+);
+
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_sort" }} ON {{ tenant "mailbox" }} (Sort);
+CREATE UNIQUE INDEX IF NOT EXISTS {{ tenant "idx_id" }} ON {{ tenant "mailbox" }} (ID);
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_read" }} ON {{ tenant "mailbox" }} (Read);
+
+CREATE TABLE IF NOT EXISTS {{ tenant "mailbox_data" }} (
+	ID TEXT KEY NOT NULL,
+	Email BLOB
+);
+
+CREATE UNIQUE INDEX IF NOT EXISTS {{ tenant "idx_data_id" }} ON {{ tenant "mailbox_data" }} (ID);
--- a/internal/storage/schemas/1.1.0.sql
+++ b/internal/storage/schemas/1.1.0.sql
@@ -0,0 +1,3 @@
+-- CREATE TAGS COLUMN
+ALTER TABLE {{ tenant "mailbox" }} ADD COLUMN Tags Text NOT NULL DEFAULT '[]';
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_tags" }} ON {{ tenant "mailbox" }} (Tags);
--- a/internal/storage/schemas/1.2.0.sql
+++ b/internal/storage/schemas/1.2.0.sql
@@ -0,0 +1,36 @@
+-- CREATING NEW MAILBOX FORMAT
+CREATE TABLE IF NOT EXISTS {{ tenant "mailboxtmp" }} (
+	Created INTEGER NOT NULL,
+	ID TEXT NOT NULL,
+	MessageID TEXT NOT NULL,
+	Subject TEXT NOT NULL,
+	Metadata TEXT,
+	Size INTEGER NOT NULL,
+	Inline INTEGER NOT NULL,
+	Attachments INTEGER NOT NULL,
+	Read INTEGER,
+	Tags TEXT,
+	SearchText TEXT
+);
+
+INSERT INTO {{ tenant "mailboxtmp" }}
+	(Created, ID, MessageID, Subject, Metadata, Size, Inline, Attachments, SearchText, Read, Tags) 
+	SELECT 
+		Sort, ID, '', json_extract(Data, '$.Subject'),Data, 
+		json_extract(Data, '$.Size'), json_extract(Data, '$.Inline'), json_extract(Data, '$.Attachments'), 
+		Search, Read, Tags
+	FROM {{ tenant "mailbox" }};
+
+DROP TABLE IF EXISTS {{ tenant "mailbox" }};
+
+ALTER TABLE {{ tenant "mailboxtmp" }} RENAME TO {{ tenant "mailbox" }};
+
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_created" }} ON {{ tenant "mailbox" }} (Created);
+CREATE UNIQUE INDEX IF NOT EXISTS {{ tenant "idx_id" }} ON {{ tenant "mailbox" }} (ID);
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_message_id" }} ON {{ tenant "mailbox" }} (MessageID);
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_subject" }} ON {{ tenant "mailbox" }} (Subject);
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_size" }} ON {{ tenant "mailbox" }} (Size);
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_inline" }} ON {{ tenant "mailbox" }} (Inline);
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_attachments" }} ON {{ tenant "mailbox" }} (Attachments);
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_read" }} ON {{ tenant "mailbox" }} (Read);
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_tags" }} ON {{ tenant "mailbox" }} (Tags);
--- a/internal/storage/schemas/1.21.2.sql
+++ b/internal/storage/schemas/1.21.2.sql
@@ -0,0 +1,6 @@
+-- DROP LEGACY MIGRATION TABLE
+DROP TABLE IF EXISTS {{ tenant "darwin_migrations" }};
+
+-- DROP LEGACY TAGS COLUMN
+DROP INDEX IF EXISTS {{ tenant "idx_tags" }};
+ALTER TABLE {{ tenant "mailbox" }} DROP COLUMN Tags;
--- a/internal/storage/schemas/1.3.0.sql
+++ b/internal/storage/schemas/1.3.0.sql
@@ -0,0 +1,2 @@
+-- CREATE SNIPPET COLUMN
+ALTER TABLE {{ tenant "mailbox" }} ADD COLUMN Snippet TEXT NOT NULL DEFAULT '';
--- a/internal/storage/schemas/1.4.0.sql
+++ b/internal/storage/schemas/1.4.0.sql
@@ -0,0 +1,16 @@
+-- CREATE TAG TABLES
+CREATE TABLE IF NOT EXISTS {{ tenant "tags" }} (
+	ID INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+	Name TEXT COLLATE NOCASE
+);
+
+CREATE UNIQUE INDEX IF NOT EXISTS {{ tenant "idx_tag_name" }} ON {{ tenant "tags" }} (Name);
+
+CREATE TABLE IF NOT EXISTS {{ tenant "message_tags" }} (
+	Key INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+	ID TEXT REFERENCES {{ tenant "mailbox" }} (ID),
+	TagID INT REFERENCES {{ tenant "tags" }} (ID)
+);
+
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_message_tag_id" }} ON {{ tenant "message_tags" }} (ID);
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_message_tag_tagid" }} ON {{ tenant "message_tags" }} (TagID);
--- a/internal/storage/schemas/1.5.0.sql
+++ b/internal/storage/schemas/1.5.0.sql
@@ -0,0 +1,7 @@
+-- CREATE SETTINGS TABLE
+CREATE TABLE IF NOT EXISTS {{ tenant "settings" }} (
+	Key TEXT,
+	Value TEXT
+);
+CREATE UNIQUE INDEX IF NOT EXISTS {{ tenant "idx_settings_key" }} ON {{ tenant "settings" }} (Key);
+INSERT INTO {{ tenant "settings" }} (Key, Value) VALUES ("DeletedSize", (SELECT SUM(Size)/2 FROM {{ tenant "mailbox" }}));
--- a/internal/storage/schemas/README.md
+++ b/internal/storage/schemas/README.md
@@ -0,0 +1,5 @@
+# Migration scripts
+
+- Scripts should be named using semver and have the `.sql` extension.
+- Inline comments should be prefixed with a `--`
+- All references to tables and indexes should be wrapped with a `{{ tenant "<name>" }}`
--- a/internal/storage/search.go
+++ b/internal/storage/search.go
@@ -4,10 +4,13 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"fmt"
 	"regexp"
+	"strconv"
 	"strings"
 	"time"

+	"github.com/araddon/dateparse"
 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/tools"
 	"github.com/leporo/sqlf"
@@ -17,7 +20,7 @@ import (
 // The search is broken up by segments (exact phrases can be quoted), and interprets specific terms such as:
 // is:read, is:unread, has:attachment, to:<term>, from:<term> & subject:<term>
 // Negative searches also also included by prefixing the search term with a `-` or `!`
-func Search(search string, start, limit int) ([]MessageSummary, int, error) {
+func Search(search, timezone string, start int, beforeTS int64, limit int) ([]MessageSummary, int, error) {
 	results := []MessageSummary{}
 	allResults := []MessageSummary{}
 	tsStart := time.Now()
@@ -26,16 +29,21 @@ func Search(search string, start, limit int) ([]MessageSummary, int, error) {
 		limit = 50
 	}

-	q := searchQueryBuilder(search)
+	q := searchQueryBuilder(search, timezone)
+
+	if beforeTS > 0 {
+		q = q.Where(`Created < ?`, beforeTS)
+	}
+
 	var err error

-	if err := q.QueryAndClose(nil, db, func(row *sql.Rows) {
-		var created int64
+	if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+		var created float64
 		var id string
 		var messageID string
 		var subject string
 		var metadata string
-		var size int
+		var size float64
 		var attachments int
 		var snippet string
 		var read int
@@ -52,7 +60,7 @@ func Search(search string, start, limit int) ([]MessageSummary, int, error) {
 			return
 		}

-		em.Created = time.UnixMilli(created)
+		em.Created = time.UnixMilli(int64(created))
 		em.ID = id
 		em.MessageID = messageID
 		em.Subject = subject
@@ -95,21 +103,20 @@ func Search(search string, start, limit int) ([]MessageSummary, int, error) {
 // The search is broken up by segments (exact phrases can be quoted), and interprets specific terms such as:
 // is:read, is:unread, has:attachment, to:<term>, from:<term> & subject:<term>
 // Negative searches also also included by prefixing the search term with a `-` or `!`
-func DeleteSearch(search string) error {
-	q := searchQueryBuilder(search)
+func DeleteSearch(search, timezone string) error {
+	q := searchQueryBuilder(search, timezone)

 	ids := []string{}
-	deleteSize := 0
+	deleteSize := float64(0)

-	if err := q.QueryAndClose(nil, db, func(row *sql.Rows) {
-		var created int64
+	if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+		var created float64
 		var id string
 		var messageID string
 		var subject string
 		var metadata string
-		var size int
+		var size float64
 		var attachments int
-		// var tags string
 		var read int
 		var snippet string
 		var ignore string
@@ -160,21 +167,21 @@ func DeleteSearch(search string) error {
 				delIDs[i] = id
 			}

-			sqlDelete1 := `DELETE FROM mailbox WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)` // #nosec
+			sqlDelete1 := `DELETE FROM ` + tenant("mailbox") + ` WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)` // #nosec

 			_, err = tx.Exec(sqlDelete1, delIDs...)
 			if err != nil {
 				return err
 			}

-			sqlDelete2 := `DELETE FROM mailbox_data WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)` // #nosec
+			sqlDelete2 := `DELETE FROM ` + tenant("mailbox_data") + ` WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)` // #nosec

 			_, err = tx.Exec(sqlDelete2, delIDs...)
 			if err != nil {
 				return err
 			}

-			sqlDelete3 := `DELETE FROM message_tags WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)` // #nosec
+			sqlDelete3 := `DELETE FROM ` + tenant("message_tags") + ` WHERE ID IN (?` + strings.Repeat(",?", len(ids)-1) + `)` // #nosec

 			_, err = tx.Exec(sqlDelete3, delIDs...)
 			if err != nil {
@@ -193,6 +200,7 @@ func DeleteSearch(search string) error {
 		}

 		dbLastAction = time.Now()
+
 		addDeletedSize(int64(deleteSize))

 		logMessagesDeleted(total)
@@ -204,11 +212,20 @@ func DeleteSearch(search string) error {
 }

 // SearchParser returns the SQL syntax for the database search based on the search arguments
-func searchQueryBuilder(searchString string) *sqlf.Stmt {
+func searchQueryBuilder(searchString, timezone string) *sqlf.Stmt {
 	// group strings with quotes as a single argument and remove quotes
 	args := tools.ArgsParser(searchString)

-	q := sqlf.From("mailbox m").
+	if timezone != "" {
+		loc, err := time.LoadLocation(timezone)
+		if err != nil {
+			logger.Log().Warnf("ignoring invalid timezone:\"%s\"", timezone)
+		} else {
+			time.Local = loc
+		}
+	}
+
+	q := sqlf.From(tenant("mailbox") + " m").
 		Select(`m.Created, m.ID, m.MessageID, m.Subject, m.Metadata, m.Size, m.Attachments, m.Read,
 			m.Snippet,
 			IFNULL(json_extract(Metadata, '$.To'), '{}') as ToJSON,
@@ -285,6 +302,16 @@ func searchQueryBuilder(searchString string) *sqlf.Stmt {
 					q.Where("ReplyToJSON LIKE ?", "%"+escPercentChar(w)+"%")
 				}
 			}
+		} else if strings.HasPrefix(lw, "addressed:") {
+			w = cleanString(w[10:])
+			arg := "%" + escPercentChar(w) + "%"
+			if w != "" {
+				if exclude {
+					q.Where("(ToJSON NOT LIKE ? AND FromJSON NOT LIKE ? AND CcJSON NOT LIKE ? AND BccJSON NOT LIKE ? AND ReplyToJSON NOT LIKE ?)", arg, arg, arg, arg, arg)
+				} else {
+					q.Where("(ToJSON LIKE ? OR FromJSON LIKE ? OR CcJSON LIKE ? OR BccJSON LIKE ? OR ReplyToJSON LIKE ?)", arg, arg, arg, arg, arg)
+				}
+			}
 		} else if strings.HasPrefix(lw, "subject:") {
 			w = w[8:]
 			if w != "" {
@@ -307,9 +334,9 @@ func searchQueryBuilder(searchString string) *sqlf.Stmt {
 			w = cleanString(w[4:])
 			if w != "" {
 				if exclude {
-					q.Where(`m.ID NOT IN (SELECT mt.ID FROM message_tags mt JOIN tags t ON mt.TagID = t.ID WHERE t.Name = ?)`, w)
+					q.Where(`m.ID NOT IN (SELECT mt.ID FROM `+tenant("message_tags")+` mt JOIN `+tenant("tags")+` t ON mt.TagID = t.ID WHERE t.Name = ?)`, w)
 				} else {
-					q.Where(`m.ID IN (SELECT mt.ID FROM message_tags mt JOIN tags t ON mt.TagID = t.ID WHERE t.Name = ?)`, w)
+					q.Where(`m.ID IN (SELECT mt.ID FROM `+tenant("message_tags")+` mt JOIN `+tenant("tags")+` t ON mt.TagID = t.ID WHERE t.Name = ?)`, w)
 				}
 			}
 		} else if lw == "is:read" {
@@ -326,9 +353,15 @@ func searchQueryBuilder(searchString string) *sqlf.Stmt {
 			}
 		} else if lw == "is:tagged" {
 			if exclude {
-				q.Where(`m.ID NOT IN (SELECT DISTINCT mt.ID FROM message_tags mt JOIN tags t ON mt.TagID = t.ID)`)
+				q.Where(`m.ID NOT IN (SELECT DISTINCT mt.ID FROM ` + tenant("message_tags") + ` mt JOIN tags t ON mt.TagID = t.ID)`)
 			} else {
-				q.Where(`m.ID IN (SELECT DISTINCT mt.ID FROM message_tags mt JOIN tags t ON mt.TagID = t.ID)`)
+				q.Where(`m.ID IN (SELECT DISTINCT mt.ID FROM ` + tenant("message_tags") + ` mt JOIN tags t ON mt.TagID = t.ID)`)
+			}
+		} else if lw == "has:inline" || lw == "has:inlines" {
+			if exclude {
+				q.Where("Inline = 0")
+			} else {
+				q.Where("Inline > 0")
 			}
 		} else if lw == "has:attachment" || lw == "has:attachments" {
 			if exclude {
@@ -336,6 +369,52 @@ func searchQueryBuilder(searchString string) *sqlf.Stmt {
 			} else {
 				q.Where("Attachments > 0")
 			}
+		} else if strings.HasPrefix(lw, "after:") {
+			w = cleanString(w[6:])
+			if w != "" {
+				t, err := dateparse.ParseLocal(w)
+				if err != nil {
+					logger.Log().Warnf("ignoring invalid after: date \"%s\"", w)
+				} else {
+					timestamp := t.UnixMilli()
+					if exclude {
+						q.Where(`m.Created <= ?`, timestamp)
+					} else {
+						q.Where(`m.Created >= ?`, timestamp)
+					}
+				}
+			}
+		} else if strings.HasPrefix(lw, "before:") {
+			w = cleanString(w[7:])
+			if w != "" {
+				t, err := dateparse.ParseLocal(w)
+				if err != nil {
+					logger.Log().Warnf("ignoring invalid before: date \"%s\"", w)
+				} else {
+					timestamp := t.UnixMilli()
+					if exclude {
+						q.Where(`m.Created >= ?`, timestamp)
+					} else {
+						q.Where(`m.Created <= ?`, timestamp)
+					}
+				}
+			}
+		} else if strings.HasPrefix(lw, "larger:") && sizeToBytes(cleanString(w[7:])) > 0 {
+			w = cleanString(w[7:])
+			size := sizeToBytes(w)
+			if exclude {
+				q.Where("Size < ?", size)
+			} else {
+				q.Where("Size > ?", size)
+			}
+		} else if strings.HasPrefix(lw, "smaller:") && sizeToBytes(cleanString(w[8:])) > 0 {
+			w = cleanString(w[8:])
+			size := sizeToBytes(w)
+			if exclude {
+				q.Where("Size > ?", size)
+			} else {
+				q.Where("Size < ?", size)
+			}
 		} else {
 			// search text
 			if exclude {
@@ -348,3 +427,39 @@ func searchQueryBuilder(searchString string) *sqlf.Stmt {

 	return q
 }
+
+// Simple function to return a size in bytes, eg 2kb, 4MB or 1.5m.
+//
+// K, k, Kb, KB, kB and kb are treated as Kilobytes.
+// M, m, Mb, MB and mb are treated as Megabytes.
+func sizeToBytes(v string) int64 {
+	v = strings.ToLower(v)
+	re := regexp.MustCompile(`^(\d+)(\.\d+)?\s?([a-z]{1,2})?$`)
+
+	m := re.FindAllStringSubmatch(v, -1)
+	if len(m) == 0 {
+		return 0
+	}
+
+	val := fmt.Sprintf("%s%s", m[0][1], m[0][2])
+	unit := m[0][3]
+
+	i, err := strconv.ParseFloat(strings.TrimSpace(val), 64)
+	if err != nil {
+		return 0
+	}
+
+	if unit == "" {
+		return int64(i)
+	}
+
+	if unit == "k" || unit == "kb" {
+		return int64(i * 1024)
+	}
+
+	if unit == "m" || unit == "mb" {
+		return int64(i * 1024 * 1024)
+	}
+
+	return 0
+}
--- a/internal/storage/search_test.go
+++ b/internal/storage/search_test.go
@@ -6,133 +6,154 @@ import (
 	"math/rand"
 	"testing"

+	"github.com/axllent/mailpit/config"
 	"github.com/jhillyerd/enmime"
 )

 func TestSearch(t *testing.T) {
-	setup()
-	defer Close()
+	for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+		tenantID = config.DBTenantID(tenantID)

-	t.Log("Testing search")
-	for i := 0; i < testRuns; i++ {
-		msg := enmime.Builder().
-			From(fmt.Sprintf("From %d", i), fmt.Sprintf("from-%d@example.com", i)).
-			CC(fmt.Sprintf("CC %d", i), fmt.Sprintf("cc-%d@example.com", i)).
-			CC(fmt.Sprintf("CC2 %d", i), fmt.Sprintf("cc2-%d@example.com", i)).
-			Subject(fmt.Sprintf("Subject line %d end", i)).
-			Text([]byte(fmt.Sprintf("This is the email body %d <jdsauk;dwqmdqw;>.", i))).
-			To(fmt.Sprintf("To %d", i), fmt.Sprintf("to-%d@example.com", i)).
-			To(fmt.Sprintf("To2 %d", i), fmt.Sprintf("to2-%d@example.com", i)).
-			ReplyTo(fmt.Sprintf("Reply To %d", i), fmt.Sprintf("reply-to-%d@example.com", i))
+		setup(tenantID)

-		env, err := msg.Build()
+		if tenantID == "" {
+			t.Log("Testing search")
+		} else {
+			t.Logf("Testing search (tenant %s)", tenantID)
+		}
+
+		for i := 0; i < testRuns; i++ {
+			msg := enmime.Builder().
+				From(fmt.Sprintf("From %d", i), fmt.Sprintf("from-%d@example.com", i)).
+				CC(fmt.Sprintf("CC %d", i), fmt.Sprintf("cc-%d@example.com", i)).
+				CC(fmt.Sprintf("CC2 %d", i), fmt.Sprintf("cc2-%d@example.com", i)).
+				Subject(fmt.Sprintf("Subject line %d end", i)).
+				Text([]byte(fmt.Sprintf("This is the email body %d <jdsauk;dwqmdqw;>.", i))).
+				To(fmt.Sprintf("To %d", i), fmt.Sprintf("to-%d@example.com", i)).
+				To(fmt.Sprintf("To2 %d", i), fmt.Sprintf("to2-%d@example.com", i)).
+				ReplyTo(fmt.Sprintf("Reply To %d", i), fmt.Sprintf("reply-to-%d@example.com", i))
+
+			env, err := msg.Build()
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+
+			buf := new(bytes.Buffer)
+
+			if err := env.Encode(buf); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+
+			bufBytes := buf.Bytes()
+
+			if _, err := Store(&bufBytes); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+		}
+
+		for i := 1; i < 51; i++ {
+			// search a random something that will return a single result
+			uniqueSearches := []string{
+				fmt.Sprintf("from-%d@example.com", i),
+				fmt.Sprintf("from:from-%d@example.com", i),
+				fmt.Sprintf("to-%d@example.com", i),
+				fmt.Sprintf("to:to-%d@example.com", i),
+				fmt.Sprintf("to2-%d@example.com", i),
+				fmt.Sprintf("to:to2-%d@example.com", i),
+				fmt.Sprintf("cc-%d@example.com", i),
+				fmt.Sprintf("cc:cc-%d@example.com", i),
+				fmt.Sprintf("cc2-%d@example.com", i),
+				fmt.Sprintf("cc:cc2-%d@example.com", i),
+				fmt.Sprintf("reply-to-%d@example.com", i),
+				fmt.Sprintf("reply-to:\"reply-to-%d@example.com\"", i),
+				fmt.Sprintf("\"Subject line %d end\"", i),
+				fmt.Sprintf("subject:\"Subject line %d end\"", i),
+				fmt.Sprintf("\"the email body %d jdsauk dwqmdqw\"", i),
+			}
+			searchIdx := rand.Intn(len(uniqueSearches))
+
+			search := uniqueSearches[searchIdx]
+
+			summaries, _, err := Search(search, "", 0, 0, 100)
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+
+			assertEqual(t, len(summaries), 1, "search result expected")
+
+			assertEqual(t, summaries[0].From.Name, fmt.Sprintf("From %d", i), "\"From\" name does not match")
+			assertEqual(t, summaries[0].From.Address, fmt.Sprintf("from-%d@example.com", i), "\"From\" address does not match")
+			assertEqual(t, summaries[0].To[0].Name, fmt.Sprintf("To %d", i), "\"To\" name does not match")
+			assertEqual(t, summaries[0].To[0].Address, fmt.Sprintf("to-%d@example.com", i), "\"To\" address does not match")
+			assertEqual(t, summaries[0].Subject, fmt.Sprintf("Subject line %d end", i), "\"Subject\" does not match")
+		}
+
+		// search something that will return 200 results
+		summaries, _, err := Search("This is the email body", "", 0, 0, testRuns)
 		if err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
+		assertEqual(t, len(summaries), testRuns, "search results expected")

-		buf := new(bytes.Buffer)
-
-		if err := env.Encode(buf); err != nil {
-			t.Log("error ", err)
-			t.Fail()
-		}
-
-		bufBytes := buf.Bytes()
-
-		if _, err := Store(&bufBytes); err != nil {
-			t.Log("error ", err)
-			t.Fail()
-		}
+		Close()
 	}
-
-	for i := 1; i < 51; i++ {
-		// search a random something that will return a single result
-		uniqueSearches := []string{
-			fmt.Sprintf("from-%d@example.com", i),
-			fmt.Sprintf("from:from-%d@example.com", i),
-			fmt.Sprintf("to-%d@example.com", i),
-			fmt.Sprintf("to:to-%d@example.com", i),
-			fmt.Sprintf("to2-%d@example.com", i),
-			fmt.Sprintf("to:to2-%d@example.com", i),
-			fmt.Sprintf("cc-%d@example.com", i),
-			fmt.Sprintf("cc:cc-%d@example.com", i),
-			fmt.Sprintf("cc2-%d@example.com", i),
-			fmt.Sprintf("cc:cc2-%d@example.com", i),
-			fmt.Sprintf("reply-to-%d@example.com", i),
-			fmt.Sprintf("reply-to:\"reply-to-%d@example.com\"", i),
-			fmt.Sprintf("\"Subject line %d end\"", i),
-			fmt.Sprintf("subject:\"Subject line %d end\"", i),
-			fmt.Sprintf("\"the email body %d jdsauk dwqmdqw\"", i),
-		}
-		searchIdx := rand.Intn(len(uniqueSearches))
-
-		search := uniqueSearches[searchIdx]
-
-		summaries, _, err := Search(search, 0, 100)
-		if err != nil {
-			t.Log("error ", err)
-			t.Fail()
-		}
-
-		assertEqual(t, len(summaries), 1, "search result expected")
-
-		assertEqual(t, summaries[0].From.Name, fmt.Sprintf("From %d", i), "\"From\" name does not match")
-		assertEqual(t, summaries[0].From.Address, fmt.Sprintf("from-%d@example.com", i), "\"From\" address does not match")
-		assertEqual(t, summaries[0].To[0].Name, fmt.Sprintf("To %d", i), "\"To\" name does not match")
-		assertEqual(t, summaries[0].To[0].Address, fmt.Sprintf("to-%d@example.com", i), "\"To\" address does not match")
-		assertEqual(t, summaries[0].Subject, fmt.Sprintf("Subject line %d end", i), "\"Subject\" does not match")
-	}
-
-	// search something that will return 200 results
-	summaries, _, err := Search("This is the email body", 0, testRuns)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	assertEqual(t, len(summaries), testRuns, "search results expected")
 }

 func TestSearchDelete100(t *testing.T) {
-	setup()
-	defer Close()
+	for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+		tenantID = config.DBTenantID(tenantID)

-	t.Log("Testing search delete of 100 messages")
-	for i := 0; i < 100; i++ {
-		if _, err := Store(&testTextEmail); err != nil {
+		setup(tenantID)
+
+		if tenantID == "" {
+			t.Log("Testing search delete of 100 messages")
+		} else {
+			t.Logf("Testing search delete of 100 messages (tenant %s)", tenantID)
+		}
+
+		for i := 0; i < 100; i++ {
+			if _, err := Store(&testTextEmail); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+			if _, err := Store(&testMimeEmail); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+		}
+
+		_, total, err := Search("from:sender@example.com", "", 0, 0, 100)
+		if err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
-		if _, err := Store(&testMimeEmail); err != nil {
+
+		assertEqual(t, total, 100, "100 search results expected")
+
+		if err := DeleteSearch("from:sender@example.com", ""); err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
+
+		_, total, err = Search("from:sender@example.com", "", 0, 0, 100)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		assertEqual(t, total, 0, "0 search results expected")
+
+		Close()
 	}
-
-	_, total, err := Search("from:sender@example.com", 0, 100)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	assertEqual(t, total, 100, "100 search results expected")
-
-	if err := DeleteSearch("from:sender@example.com"); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	_, total, err = Search("from:sender@example.com", 0, 100)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	assertEqual(t, total, 0, "0 search results expected")
 }

 func TestSearchDelete1100(t *testing.T) {
-	setup()
+	setup("")
 	defer Close()

 	t.Log("Testing search delete of 1100 messages")
@@ -143,7 +164,7 @@ func TestSearchDelete1100(t *testing.T) {
 		}
 	}

-	_, total, err := Search("from:sender@example.com", 0, 100)
+	_, total, err := Search("from:sender@example.com", "", 0, 0, 100)
 	if err != nil {
 		t.Log("error ", err)
 		t.Fail()
@@ -151,12 +172,12 @@ func TestSearchDelete1100(t *testing.T) {

 	assertEqual(t, total, 1100, "100 search results expected")

-	if err := DeleteSearch("from:sender@example.com"); err != nil {
+	if err := DeleteSearch("from:sender@example.com", ""); err != nil {
 		t.Log("error ", err)
 		t.Fail()
 	}

-	_, total, err = Search("from:sender@example.com", 0, 100)
+	_, total, err = Search("from:sender@example.com", "", 0, 0, 100)
 	if err != nil {
 		t.Log("error ", err)
 		t.Fail()
@@ -180,3 +201,25 @@ func TestEscPercentChar(t *testing.T) {
 		assertEqual(t, res, expected, "no match")
 	}
 }
+
+func TestSizeToBytes(t *testing.T) {
+	tests := map[string]int64{}
+	tests["1m"] = 1048576
+	tests["1mb"] = 1048576
+	tests["1 M"] = 1048576
+	tests["1 MB"] = 1048576
+	tests["1k"] = 1024
+	tests["1kb"] = 1024
+	tests["1 K"] = 1024
+	tests["1 kB"] = 1024
+	tests["1.5M"] = 1572864
+	tests["1234567890"] = 1234567890
+	tests["invalid"] = 0
+	tests["1.2.3"] = 0
+	tests["1.2.3M"] = 0
+
+	for search, expected := range tests {
+		res := sizeToBytes(search)
+		assertEqual(t, res, expected, "size does not match")
+	}
+}
--- a/internal/storage/settings.go
+++ b/internal/storage/settings.go
@@ -1,6 +1,7 @@
 package storage

 import (
+	"context"
 	"database/sql"

 	"github.com/axllent/mailpit/internal/logger"
@@ -10,11 +11,11 @@ import (
 // SettingGet returns a setting string value, blank is it does not exist
 func SettingGet(k string) string {
 	var result sql.NullString
-	err := sqlf.From("settings").
+	err := sqlf.From(tenant("settings")).
 		Select("Value").To(&result).
 		Where("Key = ?", k).
 		Limit(1).
-		QueryAndClose(nil, db, func(row *sql.Rows) {})
+		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {})
 	if err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 		return ""
@@ -25,7 +26,7 @@ func SettingGet(k string) string {

 // SettingPut sets a setting string value, inserting if new
 func SettingPut(k, v string) error {
-	_, err := db.Exec("INSERT INTO settings (Key, Value) VALUES(?, ?) ON CONFLICT(Key) DO UPDATE SET Value = ?", k, v, v)
+	_, err := db.Exec(`INSERT INTO `+tenant("settings")+` (Key, Value) VALUES(?, ?) ON CONFLICT(Key) DO UPDATE SET Value = ?`, k, v, v)
 	if err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 	}
@@ -34,42 +35,42 @@ func SettingPut(k, v string) error {
 }

 // The total deleted message size as an int64 value
-func getDeletedSize() int64 {
-	var result sql.NullInt64
-	err := sqlf.From("settings").
+func getDeletedSize() float64 {
+	var result sql.NullFloat64
+	err := sqlf.From(tenant("settings")).
 		Select("Value").To(&result).
 		Where("Key = ?", "DeletedSize").
 		Limit(1).
-		QueryAndClose(nil, db, func(row *sql.Rows) {})
+		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {})
 	if err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 		return 0
 	}

-	return result.Int64
+	return result.Float64
 }

 // The total raw non-compressed messages size in bytes of all messages in the database
-func totalMessagesSize() int64 {
-	var result sql.NullInt64
-	err := sqlf.From("mailbox").
+func totalMessagesSize() float64 {
+	var result sql.NullFloat64
+	err := sqlf.From(tenant("mailbox")).
 		Select("SUM(Size)").To(&result).
-		QueryAndClose(nil, db, func(row *sql.Rows) {})
+		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {})
 	if err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 		return 0
 	}

-	return result.Int64
+	return result.Float64
 }

 // AddDeletedSize will add the value to the DeletedSize setting
 func addDeletedSize(v int64) {
-	if _, err := db.Exec("INSERT OR IGNORE INTO settings (Key, Value) VALUES(?, ?)", "DeletedSize", 0); err != nil {
+	if _, err := db.Exec(`INSERT OR IGNORE INTO `+tenant("settings")+` (Key, Value) VALUES(?, ?)`, "DeletedSize", 0); err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 	}

-	if _, err := db.Exec("UPDATE settings SET Value = Value + ? WHERE Key = ?", v, "DeletedSize"); err != nil {
+	if _, err := db.Exec(`UPDATE `+tenant("settings")+` SET Value = Value + ? WHERE Key = ?`, v, "DeletedSize"); err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 	}
 }
--- a/internal/storage/structs.go
+++ b/internal/storage/structs.go
@@ -3,8 +3,6 @@ package storage
 import (
 	"net/mail"
 	"time"
-
-	"github.com/jhillyerd/enmime"
 )

 // Message data excluding physical attachments
@@ -41,7 +39,7 @@ type Message struct {
 	// Message body HTML
 	HTML string
 	// Message size in bytes
-	Size int
+	Size float64
 	// Inline message attachments
 	Inline []Attachment
 	// Message attachments
@@ -61,7 +59,7 @@ type Attachment struct {
 	// Content ID
 	ContentID string
 	// Size in bytes
-	Size int
+	Size float64
 }

 // MessageSummary struct for frontend messages
@@ -91,7 +89,7 @@ type MessageSummary struct {
 	// Message tags
 	Tags []string
 	// Message size in bytes (total)
-	Size int
+	Size float64
 	// Whether the message has any attachments
 	Attachments int
 	// Message snippet includes up to 250 characters
@@ -100,8 +98,8 @@ type MessageSummary struct {

 // MailboxStats struct for quick mailbox total/read lookups
 type MailboxStats struct {
-	Total  int
-	Unread int
+	Total  float64
+	Unread float64
 	Tags   []string
 }

@@ -114,21 +112,6 @@ type DBMailSummary struct {
 	ReplyTo []*mail.Address
 }

-// AttachmentSummary returns a summary of the attachment without any binary data
-func AttachmentSummary(a *enmime.Part) Attachment {
-	o := Attachment{}
-	o.PartID = a.PartID
-	o.FileName = a.FileName
-	if o.FileName == "" {
-		o.FileName = a.ContentID
-	}
-	o.ContentType = a.ContentType
-	o.ContentID = a.ContentID
-	o.Size = len(a.Content)
-
-	return o
-}
-
 // ListUnsubscribe contains a summary of List-Unsubscribe & List-Unsubscribe-Post headers
 // including validation of the link structure
 type ListUnsubscribe struct {
--- a/internal/storage/tagfilters.go
+++ b/internal/storage/tagfilters.go
@@ -0,0 +1,87 @@
+package storage
+
+import (
+	"context"
+	"database/sql"
+	"strings"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/tools"
+	"github.com/leporo/sqlf"
+)
+
+// TagFilter struct
+type TagFilter struct {
+	// Match is the user-defined match
+	Match string
+	// SQL represents the SQL equivalent of Match
+	SQL *sqlf.Stmt
+	// Tags to add on match
+	Tags []string
+}
+
+var tagFilters = []TagFilter{}
+
+// LoadTagFilters loads tag filters from the config and pre-generates the SQL query
+func LoadTagFilters() {
+	tagFilters = []TagFilter{}
+
+	for _, t := range config.TagFilters {
+		match := strings.TrimSpace(t.Match)
+		if match == "" {
+			logger.Log().Warnf("[tags] ignoring tag item with missing 'match'")
+			continue
+		}
+		if t.Tags == nil || len(t.Tags) == 0 {
+			logger.Log().Warnf("[tags] ignoring tag items with missing 'tags' array")
+			continue
+		}
+
+		validTags := []string{}
+		for _, tag := range t.Tags {
+			tagName := tools.CleanTag(tag)
+			if !config.ValidTagRegexp.MatchString(tagName) || len(tagName) == 0 {
+				logger.Log().Warnf("[tags] invalid tag (%s) - can only contain spaces, letters, numbers, - & _", tagName)
+				continue
+			}
+			validTags = append(validTags, tagName)
+		}
+
+		if len(validTags) == 0 {
+			continue
+		}
+
+		tagFilters = append(tagFilters, TagFilter{Match: match, Tags: validTags, SQL: searchQueryBuilder(match, "")})
+	}
+}
+
+// TagFilterMatches returns a slice of matching tags from a message
+func tagFilterMatches(id string) []string {
+	tags := []string{}
+
+	if len(tagFilters) == 0 {
+		return tags
+	}
+
+	for _, f := range tagFilters {
+		var matchID string
+		q := f.SQL.Clone().Where("ID = ?", id)
+		if err := q.QueryAndClose(context.Background(), db, func(row *sql.Rows) {
+			var ignore sql.NullString
+
+			if err := row.Scan(&ignore, &matchID, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore); err != nil {
+				logger.Log().Errorf("[db] %s", err.Error())
+				return
+			}
+		}); err != nil {
+			logger.Log().Errorf("[db] %s", err.Error())
+			return tags
+		}
+		if matchID == id {
+			tags = append(tags, f.Tags...)
+		}
+	}
+
+	return tags
+}
--- a/internal/storage/tags.go
+++ b/internal/storage/tags.go
@@ -1,130 +1,137 @@
 package storage

 import (
+	"bytes"
+	"context"
 	"database/sql"
+	"fmt"
 	"regexp"
 	"sort"
 	"strings"
+	"sync"

 	"github.com/axllent/mailpit/config"
 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/tools"
+	"github.com/axllent/mailpit/server/websockets"
 	"github.com/leporo/sqlf"
 )

 var (
 	addressPlusRe = regexp.MustCompile(`(?U)^(.*){1,}\+(.*)@`)
+	addTagMutex   sync.RWMutex
 )

-// SetMessageTags will set the tags for a given database ID
-func SetMessageTags(id string, tags []string) error {
+// SetMessageTags will set the tags for a given database ID, removing any not in the array
+func SetMessageTags(id string, tags []string) ([]string, error) {
 	applyTags := []string{}
 	for _, t := range tags {
 		t = tools.CleanTag(t)
-		if t != "" && config.ValidTagRegexp.MatchString(t) && !inArray(t, applyTags) {
+		if t != "" && config.ValidTagRegexp.MatchString(t) && !tools.InArray(t, applyTags) {
 			applyTags = append(applyTags, t)
 		}
 	}

+	tagNames := []string{}
 	currentTags := getMessageTags(id)
 	origTagCount := len(currentTags)

 	for _, t := range applyTags {
-		t = tools.CleanTag(t)
-		if t == "" || !config.ValidTagRegexp.MatchString(t) || inArray(t, currentTags) {
+		if t == "" || !config.ValidTagRegexp.MatchString(t) || tools.InArray(t, currentTags) {
 			continue
 		}

-		if err := AddMessageTag(id, t); err != nil {
-			return err
+		name, err := addMessageTag(id, t)
+		if err != nil {
+			return []string{}, err
 		}
+
+		tagNames = append(tagNames, name)
 	}

 	if origTagCount > 0 {
 		currentTags = getMessageTags(id)

 		for _, t := range currentTags {
-			if !inArray(t, applyTags) {
-				if err := DeleteMessageTag(id, t); err != nil {
-					return err
+			if !tools.InArray(t, applyTags) {
+				if err := deleteMessageTag(id, t); err != nil {
+					return []string{}, err
 				}
 			}
 		}
 	}

-	return nil
+	d := struct {
+		ID   string
+		Tags []string
+	}{ID: id, Tags: applyTags}
+
+	websockets.Broadcast("update", d)
+
+	return tagNames, nil
 }

 // AddMessageTag adds a tag to a message
-func AddMessageTag(id, name string) error {
-	var tagID int
+func addMessageTag(id, name string) (string, error) {
+	// prevent two identical tags being added at the same time
+	addTagMutex.Lock()

-	q := sqlf.From("tags").
+	var tagID int
+	var foundName sql.NullString
+
+	q := sqlf.From(tenant("tags")).
 		Select("ID").To(&tagID).
+		Select("Name").To(&foundName).
 		Where("Name = ?", name)

-	// tag exists - add tag to message
-	if err := q.QueryRowAndClose(nil, db); err == nil {
+	// if tag exists - add tag to message
+	if err := q.QueryRowAndClose(context.TODO(), db); err == nil {
+		addTagMutex.Unlock()
 		// check message does not already have this tag
-		var count int
-		if _, err := sqlf.From("message_tags").
-			Select("COUNT(ID)").To(&count).
+		var exists int
+
+		if err := sqlf.From(tenant("message_tags")).
+			Select("COUNT(ID)").To(&exists).
 			Where("ID = ?", id).
 			Where("TagID = ?", tagID).
-			ExecAndClose(nil, db); err != nil {
-			return err
+			QueryRowAndClose(context.Background(), db); err != nil {
+			return "", err
 		}
-		if count != 0 {
+		if exists > 0 {
 			// already exists
-			return nil
+			return foundName.String, nil
 		}

 		logger.Log().Debugf("[tags] adding tag \"%s\" to %s", name, id)

-		_, err := sqlf.InsertInto("message_tags").
+		_, err := sqlf.InsertInto(tenant("message_tags")).
 			Set("ID", id).
 			Set("TagID", tagID).
-			ExecAndClose(nil, db)
-		return err
+			ExecAndClose(context.TODO(), db)
+
+		return foundName.String, err
 	}

-	logger.Log().Debugf("[tags] adding tag \"%s\" to %s", name, id)
-
-	// tag dos not exist, add new one
-	if err := sqlf.InsertInto("tags").
+	// new tag, add to the database
+	if _, err := sqlf.InsertInto(tenant("tags")).
 		Set("Name", name).
-		Returning("ID").To(&tagID).
-		QueryRowAndClose(nil, db); err != nil {
-		return err
+		ExecAndClose(context.TODO(), db); err != nil {
+		addTagMutex.Unlock()
+		return name, err
 	}

-	// check message does not already have this tag
-	var count int
-	if _, err := sqlf.From("message_tags").
-		Select("COUNT(ID)").To(&count).
-		Where("ID = ?", id).
-		Where("TagID = ?", tagID).
-		ExecAndClose(nil, db); err != nil {
-		return err
-	}
-	if count != 0 {
-		return nil // already exists
-	}
+	addTagMutex.Unlock()

-	// add tag to message
-	_, err := sqlf.InsertInto("message_tags").
-		Set("ID", id).
-		Set("TagID", tagID).
-		ExecAndClose(nil, db)
-	return err
+	// add tag to the message
+	return addMessageTag(id, name)
 }

-// DeleteMessageTag deleted a tag from a message
-func DeleteMessageTag(id, name string) error {
-	if _, err := sqlf.DeleteFrom("message_tags").
-		Where("message_tags.ID = ?", id).
-		Where(`message_tags.Key IN (SELECT Key FROM message_tags LEFT JOIN tags ON TagID=tags.ID WHERE Name = ?)`, name).
-		ExecAndClose(nil, db); err != nil {
+// DeleteMessageTag deletes a tag from a message
+func deleteMessageTag(id, name string) error {
+	if _, err := sqlf.DeleteFrom(tenant("message_tags")).
+		Where(tenant("message_tags.ID")+" = ?", id).
+		Where(tenant("message_tags.Key")+` IN (SELECT Key FROM `+tenant("message_tags")+` LEFT JOIN `+tenant("tags")+` ON TagID=`+tenant("tags.ID")+` WHERE Name = ?)`, name).
+		ExecAndClose(context.TODO(), db); err != nil {
 		return err
 	}

@@ -133,9 +140,9 @@ func DeleteMessageTag(id, name string) error {

 // DeleteAllMessageTags deleted all tags from a message
 func DeleteAllMessageTags(id string) error {
-	if _, err := sqlf.DeleteFrom("message_tags").
-		Where("message_tags.ID = ?", id).
-		ExecAndClose(nil, db); err != nil {
+	if _, err := sqlf.DeleteFrom(tenant("message_tags")).
+		Where(tenant("message_tags.ID")+" = ?", id).
+		ExecAndClose(context.TODO(), db); err != nil {
 		return err
 	}

@@ -149,9 +156,9 @@ func GetAllTags() []string {

 	if err := sqlf.
 		Select(`DISTINCT Name`).
-		From("tags").To(&name).
+		From(tenant("tags")).To(&name).
 		OrderBy("Name").
-		QueryAndClose(nil, db, func(row *sql.Rows) {
+		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
 			tags = append(tags, name)
 		}); err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
@@ -168,14 +175,13 @@ func GetAllTagsCount() map[string]int64 {

 	if err := sqlf.
 		Select(`Name`).To(&name).
-		Select(`COUNT(message_tags.TagID) as total`).To(&total).
-		From("tags").
-		LeftJoin("message_tags", "tags.ID = message_tags.TagID").
-		GroupBy("message_tags.TagID").
+		Select(`COUNT(`+tenant("message_tags.TagID")+`) as total`).To(&total).
+		From(tenant("tags")).
+		LeftJoin(tenant("message_tags"), tenant("tags.ID")+" = "+tenant("message_tags.TagID")).
+		GroupBy(tenant("message_tags.TagID")).
 		OrderBy("Name").
-		QueryAndClose(nil, db, func(row *sql.Rows) {
+		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
 			tags[name] = total
-			// tags = append(tags, name)
 		}); err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 	}
@@ -183,16 +189,89 @@ func GetAllTagsCount() map[string]int64 {
 	return tags
 }

+// RenameTag renames a tag
+func RenameTag(from, to string) error {
+	to = tools.CleanTag(to)
+	if to == "" || !config.ValidTagRegexp.MatchString(to) {
+		return fmt.Errorf("invalid tag name: %s", to)
+	}
+
+	if from == to {
+		return nil // ignore
+	}
+
+	var id, existsID int
+
+	q := sqlf.From(tenant("tags")).
+		Select(`ID`).To(&id).
+		Where(`Name = ?`, from).
+		Limit(1)
+	err := q.QueryRowAndClose(context.Background(), db)
+	if err != nil {
+		return fmt.Errorf("tag not found: %s", from)
+	}
+
+	// check if another tag by this name already exists
+	q = sqlf.From(tenant("tags")).
+		Select("ID").To(&existsID).
+		Where(`Name = ?`, to).
+		Where(`ID != ?`, id).
+		Limit(1)
+	err = q.QueryRowAndClose(context.Background(), db)
+	if err == nil || existsID != 0 {
+		return fmt.Errorf("tag already exists: %s", to)
+	}
+
+	q = sqlf.Update(tenant("tags")).
+		Set("Name", to).
+		Where("ID = ?", id)
+	_, err = q.ExecAndClose(context.Background(), db)
+
+	return err
+}
+
+// DeleteTag deleted a tag and removed all references to the tag
+func DeleteTag(tag string) error {
+	var id int
+
+	q := sqlf.From(tenant("tags")).
+		Select(`ID`).To(&id).
+		Where(`Name = ?`, tag).
+		Limit(1)
+	err := q.QueryRowAndClose(context.Background(), db)
+	if err != nil {
+		return fmt.Errorf("tag not found: %s", tag)
+	}
+
+	// delete all references
+	q = sqlf.DeleteFrom(tenant("message_tags")).
+		Where(`TagID = ?`, id)
+	_, err = q.ExecAndClose(context.Background(), db)
+	if err != nil {
+		return fmt.Errorf("error deleting tag references: %s", err.Error())
+	}
+
+	// delete tag
+	q = sqlf.DeleteFrom(tenant("tags")).
+		Where(`ID = ?`, id)
+	_, err = q.ExecAndClose(context.Background(), db)
+	if err != nil {
+		return fmt.Errorf("error deleting tag: %s", err.Error())
+	}
+
+	return nil
+}
+
 // PruneUnusedTags will delete all unused tags from the database
 func pruneUnusedTags() error {
-	q := sqlf.From("tags").
-		Select("tags.ID, tags.Name, COUNT(message_tags.ID) as COUNT").
-		LeftJoin("message_tags", "tags.ID = message_tags.TagID").
-		GroupBy("tags.ID")
+	q := sqlf.From(tenant("tags")).
+		Select(tenant("tags.ID")+", "+tenant("tags.Name")+", COUNT("+tenant("message_tags.ID")+") as COUNT").
+		LeftJoin(tenant("message_tags"), tenant("tags.ID")+" = "+tenant("message_tags.TagID")).
+		GroupBy(tenant("tags.ID"))

 	toDel := []int{}

-	if err := q.QueryAndClose(nil, db, func(row *sql.Rows) {
+	if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
 		var n string
 		var id int
 		var c int
@@ -212,9 +291,9 @@ func pruneUnusedTags() error {

 	if len(toDel) > 0 {
 		for _, id := range toDel {
-			if _, err := sqlf.DeleteFrom("tags").
+			if _, err := sqlf.DeleteFrom(tenant("tags")).
 				Where("ID = ?", id).
-				ExecAndClose(nil, db); err != nil {
+				ExecAndClose(context.TODO(), db); err != nil {
 				return err
 			}
 		}
@@ -223,51 +302,53 @@ func pruneUnusedTags() error {
 	return nil
 }

-// Find tags set via --tags in raw message.
+// Find tags set via --tags in raw message, useful for matching all headers etc.
+// This function is largely superseded by the database searching, however this
+// includes literally everything and is kept for backwards compatibility.
 // Returns a comma-separated string.
-func findTagsInRawMessage(message *[]byte) string {
-	tagStr := ""
-	if len(config.SMTPTags) == 0 {
-		return tagStr
+func findTagsInRawMessage(message *[]byte) []string {
+	tags := []string{}
+	if len(tagFilters) == 0 {
+		return tags
 	}

-	str := strings.ToLower(string(*message))
-	for _, t := range config.SMTPTags {
-		if strings.Contains(str, t.Match) {
-			tagStr += "," + t.Tag
+	str := bytes.ToLower(*message)
+	for _, t := range tagFilters {
+		if bytes.Contains(str, []byte(t.Match)) {
+			tags = append(tags, t.Tags...)
 		}
 	}

-	return tagStr
+	return tags
 }

 // Returns tags found in email plus addresses (eg: test+tagname@example.com)
-func (d DBMailSummary) tagsFromPlusAddresses() string {
+func (d DBMailSummary) tagsFromPlusAddresses() []string {
 	tags := []string{}
 	for _, c := range d.To {
-		matches := addressPlusRe.FindAllStringSubmatch(c.String(), 1)
+		matches := addressPlusRe.FindAllStringSubmatch(c.Address, 1)
 		if len(matches) == 1 {
 			tags = append(tags, strings.Split(matches[0][2], "+")...)
 		}
 	}
 	for _, c := range d.Cc {
-		matches := addressPlusRe.FindAllStringSubmatch(c.String(), 1)
+		matches := addressPlusRe.FindAllStringSubmatch(c.Address, 1)
 		if len(matches) == 1 {
 			tags = append(tags, strings.Split(matches[0][2], "+")...)
 		}
 	}
 	for _, c := range d.Bcc {
-		matches := addressPlusRe.FindAllStringSubmatch(c.String(), 1)
+		matches := addressPlusRe.FindAllStringSubmatch(c.Address, 1)
 		if len(matches) == 1 {
 			tags = append(tags, strings.Split(matches[0][2], "+")...)
 		}
 	}
-	matches := addressPlusRe.FindAllStringSubmatch(d.From.String(), 1)
+	matches := addressPlusRe.FindAllStringSubmatch(d.From.Address, 1)
 	if len(matches) == 1 {
 		tags = append(tags, strings.Split(matches[0][2], "+")...)
 	}

-	return strings.Join(tags, ",")
+	return tools.SetTagCasing(tags)
 }

 // Get message tags from the database for a given database ID
@@ -278,11 +359,11 @@ func getMessageTags(id string) []string {

 	if err := sqlf.
 		Select(`Name`).To(&name).
-		From("Tags").
-		LeftJoin("message_tags", "Tags.ID=message_tags.TagID").
-		Where(`message_tags.ID = ?`, id).
+		From(tenant("Tags")).
+		LeftJoin(tenant("message_tags"), tenant("Tags.ID")+"="+tenant("message_tags.TagID")).
+		Where(tenant("message_tags.ID")+` = ?`, id).
 		OrderBy("Name").
-		QueryAndClose(nil, db, func(row *sql.Rows) {
+		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
 			tags = append(tags, name)
 		}); err != nil {
 		logger.Log().Errorf("[tags] %s", err.Error())
@@ -292,24 +373,27 @@ func getMessageTags(id string) []string {
 	return tags
 }

-// UniqueTagsFromString will split a string with commas, and extract a unique slice of formatted tags
-func uniqueTagsFromString(s string) []string {
+// SortedUniqueTags will return a unique slice of normalised tags
+func sortedUniqueTags(s []string) []string {
 	tags := []string{}
+	added := make(map[string]bool)

-	if s == "" {
+	if len(s) == 0 {
 		return tags
 	}

-	parts := strings.Split(s, ",")
-	for _, p := range parts {
+	for _, p := range s {
 		w := tools.CleanTag(p)
 		if w == "" {
 			continue
 		}
+		lc := strings.ToLower(w)
+		if _, exists := added[lc]; exists {
+			continue
+		}
 		if config.ValidTagRegexp.MatchString(w) {
-			if !inArray(w, tags) {
-				tags = append(tags, w)
-			}
+			added[lc] = true
+			tags = append(tags, w)
 		} else {
 			logger.Log().Debugf("[tags] ignoring invalid tag: %s", w)
 		}
--- a/internal/storage/tags_test.go
+++ b/internal/storage/tags_test.go
@@ -4,127 +4,140 @@ import (
 	"fmt"
 	"strings"
 	"testing"
+
+	"github.com/axllent/mailpit/config"
 )

 func TestTags(t *testing.T) {
-	setup()
-	defer Close()

-	t.Log("Testing tags")
+	for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+		tenantID = config.DBTenantID(tenantID)

-	ids := []string{}
+		setup(tenantID)

-	for i := 0; i < 10; i++ {
+		if tenantID == "" {
+			t.Log("Testing tags")
+		} else {
+			t.Logf("Testing tags (tenant %s)", tenantID)
+		}
+
+		ids := []string{}
+
+		for i := 0; i < 10; i++ {
+			id, err := Store(&testMimeEmail)
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+			ids = append(ids, id)
+		}
+
+		for i := 0; i < 10; i++ {
+			if _, err := SetMessageTags(ids[i], []string{fmt.Sprintf("Tag-%d", i)}); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+		}
+
+		for i := 0; i < 10; i++ {
+			message, err := GetMessage(ids[i])
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+
+			if len(message.Tags) != 1 || message.Tags[0] != fmt.Sprintf("Tag-%d", i) {
+				t.Fatal("Message tags do not match")
+			}
+		}
+
+		if err := DeleteAllMessages(); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		// test 20 tags
 		id, err := Store(&testMimeEmail)
 		if err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
-		ids = append(ids, id)
-	}
-
-	for i := 0; i < 10; i++ {
-		if err := SetMessageTags(ids[i], []string{fmt.Sprintf("Tag-%d", i)}); err != nil {
+		newTags := []string{}
+		for i := 0; i < 20; i++ {
+			// pad number with 0 to ensure they are returned alphabetically
+			newTags = append(newTags, fmt.Sprintf("AnotherTag %02d", i))
+		}
+		if _, err := SetMessageTags(id, newTags); err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
-	}
+		returnedTags := getMessageTags(id)
+		assertEqual(t, strings.Join(newTags, "|"), strings.Join(returnedTags, "|"), "Message tags do not match")

-	for i := 0; i < 10; i++ {
-		message, err := GetMessage(ids[i])
+		// remove first tag
+		if err := deleteMessageTag(id, newTags[0]); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		returnedTags = getMessageTags(id)
+		assertEqual(t, strings.Join(newTags[1:], "|"), strings.Join(returnedTags, "|"), "Message tags do not match after deleting 1")
+
+		// remove all tags
+		if err := DeleteAllMessageTags(id); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		returnedTags = getMessageTags(id)
+		assertEqual(t, "", strings.Join(returnedTags, "|"), "Message tags should be empty")
+
+		// apply the same tag twice
+		if _, err := SetMessageTags(id, []string{"Duplicate Tag", "Duplicate Tag"}); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		returnedTags = getMessageTags(id)
+		assertEqual(t, "Duplicate Tag", strings.Join(returnedTags, "|"), "Message tags should be duplicated")
+		if err := DeleteAllMessageTags(id); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		// apply tag with invalid characters
+		if _, err := SetMessageTags(id, []string{"Dirty! \"Tag\""}); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		returnedTags = getMessageTags(id)
+		assertEqual(t, "Dirty Tag", strings.Join(returnedTags, "|"), "Dirty message tag did not clean as expected")
+		if err := DeleteAllMessageTags(id); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		// Check deleted message tags also prune the tags database
+		allTags := GetAllTags()
+		assertEqual(t, "", strings.Join(allTags, "|"), "Tags did not delete as expected")
+
+		if err := DeleteAllMessages(); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		// test 20 tags
+		id, err = Store(&testTagEmail)
 		if err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}

-		if len(message.Tags) != 1 || message.Tags[0] != fmt.Sprintf("Tag-%d", i) {
-			t.Fatal("Message tags do not match")
+		returnedTags = getMessageTags(id)
+		assertEqual(t, "BccTag|CcTag|FromFag|ToTag|X-tag1|X-tag2", strings.Join(returnedTags, "|"), "Tags not detected correctly")
+		if err := DeleteAllMessageTags(id); err != nil {
+			t.Log("error ", err)
+			t.Fail()
 		}
+
+		Close()
 	}

-	if err := DeleteAllMessages(); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	// test 20 tags
-	id, err := Store(&testMimeEmail)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	newTags := []string{}
-	for i := 0; i < 20; i++ {
-		// pad number with 0 to ensure they are returned alphabetically
-		newTags = append(newTags, fmt.Sprintf("AnotherTag %02d", i))
-	}
-	if err := SetMessageTags(id, newTags); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	returnedTags := getMessageTags(id)
-	assertEqual(t, strings.Join(newTags, "|"), strings.Join(returnedTags, "|"), "Message tags do not match")
-
-	// remove first tag
-	if err := DeleteMessageTag(id, newTags[0]); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	returnedTags = getMessageTags(id)
-	assertEqual(t, strings.Join(newTags[1:], "|"), strings.Join(returnedTags, "|"), "Message tags do not match after deleting 1")
-
-	// remove all tags
-	if err := DeleteAllMessageTags(id); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	returnedTags = getMessageTags(id)
-	assertEqual(t, "", strings.Join(returnedTags, "|"), "Message tags should be empty")
-
-	// apply the same tag twice
-	if err := SetMessageTags(id, []string{"Duplicate Tag", "Duplicate Tag"}); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	returnedTags = getMessageTags(id)
-	assertEqual(t, "Duplicate Tag", strings.Join(returnedTags, "|"), "Message tags should be duplicated")
-	if err := DeleteAllMessageTags(id); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	// apply tag with invalid characters
-	if err := SetMessageTags(id, []string{"Dirty! \"Tag\""}); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	returnedTags = getMessageTags(id)
-	assertEqual(t, "Dirty Tag", strings.Join(returnedTags, "|"), "Dirty message tag did not clean as expected")
-	if err := DeleteAllMessageTags(id); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	// Check deleted message tags also prune the tags database
-	allTags := GetAllTags()
-	assertEqual(t, "", strings.Join(allTags, "|"), "Tags did not delete as expected")
-
-	if err := DeleteAllMessages(); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	// test 20 tags
-	id, err = Store(&testTagEmail)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	returnedTags = getMessageTags(id)
-	assertEqual(t, "BccTag|CcTag|FromFag|ToTag|X-tag1|X-tag2", strings.Join(returnedTags, "|"), "Tags not detected correctly")
-	if err := DeleteAllMessageTags(id); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
 }
--- a/internal/storage/testing.go
+++ b/internal/storage/testing.go
@@ -16,10 +16,11 @@ var (
 	testRuns      = 100
 )

-func setup() {
+func setup(tenantID string) {
 	logger.NoLogging = true
 	config.MaxMessages = 0
-	config.DataFile = ""
+	config.Database = os.Getenv("MP_DATABASE")
+	config.TenantID = config.DBTenantID(tenantID)

 	if err := InitDB(); err != nil {
 		panic(err)
@@ -27,6 +28,11 @@ func setup() {

 	var err error

+	// ensure DB is empty
+	if err := DeleteAllMessages(); err != nil {
+		panic(err)
+	}
+
 	testTextEmail, err = os.ReadFile("testdata/plain-text.eml")
 	if err != nil {
 		panic(err)
@@ -53,11 +59,11 @@ func assertEqual(t *testing.T, a interface{}, b interface{}, message string) {

 func assertEqualStats(t *testing.T, total int, unread int) {
 	s := StatsGet()
-	if total != s.Total {
-		t.Fatalf("Incorrect total mailbox stats: \"%d\" != \"%d\"", total, s.Total)
+	if float64(total) != s.Total {
+		t.Fatalf("Incorrect total mailbox stats: \"%v\" != \"%v\"", total, s.Total)
 	}

-	if unread != s.Unread {
-		t.Fatalf("Incorrect unread mailbox stats: \"%d\" != \"%d\"", unread, s.Unread)
+	if float64(unread) != s.Unread {
+		t.Fatalf("Incorrect unread mailbox stats: \"%v\" != \"%v\"", unread, s.Unread)
 	}
 }
--- a/internal/storage/utils.go
+++ b/internal/storage/utils.go
@@ -8,6 +8,7 @@ import (
 	"sync"

 	"github.com/axllent/mailpit/internal/html2text"
+	"github.com/axllent/mailpit/internal/logger"
 	"github.com/jhillyerd/enmime"
 )

@@ -15,9 +16,23 @@ var (
 	// for stats to prevent import cycle
 	mu sync.RWMutex
 	// StatsDeleted for counting the number of messages deleted
-	StatsDeleted int
+	StatsDeleted float64
 )

+// AddTempFile adds a file to the slice of files to delete on exit
+func AddTempFile(s string) {
+	temporaryFiles = append(temporaryFiles, s)
+}
+
+// DeleteTempFiles will delete files added via AddTempFiles
+func deleteTempFiles() {
+	for _, f := range temporaryFiles {
+		if err := os.Remove(f); err == nil {
+			logger.Log().Debugf("removed temporary file: %s", f)
+		}
+	}
+}
+
 // Return a header field as a []*mail.Address, or "null" is not found/empty
 func addressToSlice(env *enmime.Envelope, key string) []*mail.Address {
 	data, err := env.AddressList(key)
@@ -73,7 +88,7 @@ func cleanString(str string) string {
 // LogMessagesDeleted logs the number of messages deleted
 func logMessagesDeleted(n int) {
 	mu.Lock()
-	StatsDeleted = StatsDeleted + n
+	StatsDeleted = StatsDeleted + float64(n)
 	mu.Unlock()
 }

@@ -87,58 +102,7 @@ func isFile(path string) bool {
 	return true
 }

-// Tests if a string is within an array. It is not case sensitive.
-func inArray(k string, arr []string) bool {
-	k = strings.ToLower(k)
-	for _, v := range arr {
-		if strings.ToLower(v) == k {
-			return true
-		}
-	}
-
-	return false
-}
-
 // Convert `%` to `%%` for SQL searches
 func escPercentChar(s string) string {
 	return strings.ReplaceAll(s, "%", "%%")
 }
-
-// Escape certain characters in search phrases
-func escSearch(str string) string {
-	dest := make([]byte, 0, 2*len(str))
-	var escape byte
-	for i := 0; i < len(str); i++ {
-		c := str[i]
-
-		escape = 0
-
-		switch c {
-		case 0: /* Must be escaped for 'mysql' */
-			escape = '0'
-			break
-		case '\n': /* Must be escaped for logs */
-			escape = 'n'
-			break
-		case '\r':
-			escape = 'r'
-			break
-		case '\\':
-			escape = '\\'
-			break
-		case '\'':
-			escape = '\''
-			break
-		case '\032': //十进制26,八进制32,十六进制1a, /* This gives problems on Win32 */
-			escape = 'Z'
-		}
-
-		if escape != 0 {
-			dest = append(dest, '\\', escape)
-		} else {
-			dest = append(dest, c)
-		}
-	}
-
-	return string(dest)
-}
--- a/internal/tools/headers.go
+++ b/internal/tools/headers.go
--- a/internal/tools/tags.go
+++ b/internal/tools/tags.go
@@ -19,18 +19,29 @@ var (
 	TagsTitleCase bool
 )

-// CleanTag returns a clean tag, removing whitespace and invalid characters
+// CleanTag returns a clean tag, trimming whitespace and replacing invalid characters
 func CleanTag(s string) string {
-	s = strings.TrimSpace(
+	return strings.TrimSpace(
 		multiSpaceRe.ReplaceAllString(
 			tagsInvalidChars.ReplaceAllString(s, " "),
 			" ",
 		),
 	)
+}

-	if TagsTitleCase {
-		return cases.Title(language.Und, cases.NoLower).String(s)
+// SetTagCasing returns the slice of tags, title-casing if set
+func SetTagCasing(s []string) []string {
+	if !TagsTitleCase {
+		return s
 	}

-	return s
+	titleTags := []string{}
+
+	c := cases.Title(language.Und, cases.NoLower)
+
+	for _, t := range s {
+		titleTags = append(titleTags, c.String(t))
+	}
+
+	return titleTags
 }
--- a/internal/tools/unixsocket.go
+++ b/internal/tools/unixsocket.go
@@ -0,0 +1,49 @@
+package tools
+
+import (
+	"fmt"
+	"io/fs"
+	"net"
+	"os"
+	"path"
+	"regexp"
+	"strconv"
+)
+
+// UnixSocket returns a path and a FileMode if the address is in
+// the format of unix:<path>:<permission>
+func UnixSocket(address string) (string, fs.FileMode, bool) {
+	re := regexp.MustCompile(`^unix:(.*):(\d\d\d\d?)$`)
+
+	var f fs.FileMode
+
+	if !re.MatchString(address) {
+		return "", f, false
+	}
+
+	m := re.FindAllStringSubmatch(address, 1)
+
+	modeVal, err := strconv.ParseUint(m[0][2], 8, 32)
+
+	if err != nil {
+		return "", f, false
+	}
+
+	return path.Clean(m[0][1]), fs.FileMode(modeVal), true
+}
+
+// PrepareSocket returns an error if an active socket file already exists
+func PrepareSocket(address string) error {
+	address = path.Clean(address)
+	if _, err := os.Stat(address); os.IsNotExist(err) {
+		// does not exist, OK
+		return nil
+	}
+
+	if _, err := net.Dial("unix", address); err == nil {
+		// socket is listening
+		return fmt.Errorf("socket already in use: %s", address)
+	}
+
+	return os.Remove(address)
+}
--- a/internal/tools/utils.go
+++ b/internal/tools/utils.go
@@ -0,0 +1,38 @@
+package tools
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+// Plural returns a singular or plural of a word together with the total
+func Plural(total int, singular, plural string) string {
+	if total == 1 {
+		return fmt.Sprintf("%d %s", total, singular)
+	}
+
+	return fmt.Sprintf("%d %s", total, plural)
+}
+
+// InArray tests if a string is within an array. It is not case sensitive.
+func InArray(k string, arr []string) bool {
+	for _, v := range arr {
+		if strings.EqualFold(v, k) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// Normalize will remove any extra spaces, remove newlines, and trim leading and trailing spaces
+func Normalize(s string) string {
+	nlRe := regexp.MustCompile(`\r?\r`)
+	re := regexp.MustCompile(`\s+`)
+
+	s = nlRe.ReplaceAllString(s, " ")
+	s = re.ReplaceAllString(s, " ")
+
+	return strings.TrimSpace(s)
+}
--- a/internal/updater/targz.go
+++ b/internal/updater/targz.go
@@ -98,53 +98,6 @@ func makeAbsolute(inputFilePath, outputFilePath string) (string, string, error)
 	return inputFilePath, outputFilePath, err
 }

-// Write path without the prefix in subPath to tar writer.
-func writeTarGz(path string, tarWriter *tar.Writer, fileInfo os.FileInfo, subPath string) error {
-	file, err := os.Open(filepath.Clean(path))
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		if err := file.Close(); err != nil {
-			fmt.Printf("Error closing file: %s\n", err)
-		}
-	}()
-
-	evaledPath, err := filepath.EvalSymlinks(path)
-	if err != nil {
-		return err
-	}
-
-	subPath, err = filepath.EvalSymlinks(subPath)
-	if err != nil {
-		return err
-	}
-
-	link := ""
-	if evaledPath != path {
-		link = evaledPath
-	}
-
-	header, err := tar.FileInfoHeader(fileInfo, link)
-	if err != nil {
-		return err
-	}
-	header.Name = evaledPath[len(subPath):]
-
-	err = tarWriter.WriteHeader(header)
-	if err != nil {
-		return err
-	}
-
-	_, err = io.Copy(tarWriter, file)
-	if err != nil {
-		return err
-	}
-
-	return err
-}
-
 // Extract the file in filePath to directory.
 func extract(filePath string, directory string) error {
 	file, err := os.Open(filepath.Clean(filePath))
@@ -200,7 +153,7 @@ func extract(filePath string, directory string) error {

 			// set file ownership (if allowed)
 			// Chtimes() && Chmod() only set after once extraction is complete
-			os.Chown(filename, header.Uid, header.Gid) // #nosec
+			_ = os.Chown(filename, header.Uid, header.Gid)

 			// add directory info to slice to process afterwards
 			postExtraction = append(postExtraction, DirInfo{filename, header})
@@ -249,15 +202,15 @@ func extract(filePath string, directory string) error {
 		}

 		// set file permissions, timestamps & uid/gid
-		os.Chmod(filename, os.FileMode(header.Mode))            // #nosec
-		os.Chtimes(filename, header.AccessTime, header.ModTime) // #nosec
-		os.Chown(filename, header.Uid, header.Gid)              // #nosec
+		_ = os.Chmod(filename, os.FileMode(header.Mode)) // #nosec
+		_ = os.Chtimes(filename, header.AccessTime, header.ModTime)
+		_ = os.Chown(filename, header.Uid, header.Gid)
 	}

 	if len(postExtraction) > 0 {
 		for _, dir := range postExtraction {
-			os.Chtimes(dir.Path, dir.Header.AccessTime, dir.Header.ModTime) // #nosec
-			os.Chmod(dir.Path, dir.Header.FileInfo().Mode().Perm())         // #nosec
+			_ = os.Chtimes(dir.Path, dir.Header.AccessTime, dir.Header.ModTime)
+			_ = os.Chmod(dir.Path, dir.Header.FileInfo().Mode().Perm())
 		}
 	}

--- a/internal/updater/unzip.go
+++ b/internal/updater/unzip.go
@@ -35,14 +35,14 @@ func Unzip(src string, dest string) ([]string, error) {

 		if f.FileInfo().IsDir() {
 			// Make Folder
-			if err := os.MkdirAll(fpath, os.ModePerm); err != nil {
+			if err := os.MkdirAll(fpath, os.ModePerm); /* #nosec */ err != nil {
 				return filenames, err
 			}
 			continue
 		}

 		// Make File
-		if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
+		if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); /* #nosec */ err != nil {
 			return filenames, err
 		}

@@ -71,5 +71,6 @@ func Unzip(src string, dest string) ([]string, error) {
 			return filenames, err
 		}
 	}
+
 	return filenames, nil
 }
--- a/internal/updater/updater.go
+++ b/internal/updater/updater.go
@@ -23,6 +23,7 @@ var (
 	// AllowPrereleases defines whether pre-releases may be included
 	AllowPrereleases = false

+	// temporary directory
 	tempDir string
 )

@@ -329,22 +330,12 @@ func getTempDir() string {
 // MkDirIfNotExists will create a directory if it doesn't exist
 func mkDirIfNotExists(path string) error {
 	if !isDir(path) {
-		return os.MkdirAll(path, os.ModePerm)
+		return os.MkdirAll(path, os.ModePerm) // #nosec
 	}

 	return nil
 }

-// IsFile returns if a path is a file
-func isFile(path string) bool {
-	info, err := os.Stat(path)
-	if os.IsNotExist(err) || !info.Mode().IsRegular() {
-		return false
-	}
-
-	return true
-}
-
 // IsDir returns if a path is a directory
 func isDir(path string) bool {
 	info, err := os.Stat(path)
--- a/main.go
+++ b/main.go
@@ -16,10 +16,11 @@ func main() {
 	}

 	// running directly
-	if normalize(filepath.Base(exec)) == normalize(filepath.Base(os.Args[0])) {
+	if normalize(filepath.Base(exec)) == normalize(filepath.Base(os.Args[0])) ||
+		!strings.Contains(filepath.Base(os.Args[0]), "sendmail") {
 		cmd.Execute()
 	} else {
-		// symlinked
+		// symlinked as "*sendmail*"
 		sendmail.Run()
 	}
 }
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -14,10 +14,14 @@
    "bootstrap-icons": "^1.9.1",
    "bootstrap5-tags": "^1.6.1",
    "color-hash": "^2.0.2",
+    "dayjs": "^1.11.10",
+    "dompurify": "^3.1.6",
+    "ical.js": "^2.0.1",
+    "mitt": "^3.0.1",
    "modern-screenshot": "^4.4.30",
-    "moment": "^2.29.4",
    "prismjs": "^1.29.0",
    "rapidoc": "^9.3.4",
+    "timezones-list": "^3.0.3",
    "vue": "^3.2.13",
    "vue-css-donut-chart": "^2.0.0",
    "vue-router": "^4.2.4"
@@ -27,7 +31,7 @@
    "@types/bootstrap": "^5.2.7",
    "@types/tinycon": "^0.6.3",
    "@vue/compiler-sfc": "^3.2.37",
-    "esbuild": "^0.20.0",
+    "esbuild": "^0.24.0",
    "esbuild-plugin-vue-next": "^0.1.4",
    "esbuild-sass-plugin": "^3.0.0"
  }
--- a/sendmail/cmd/cmd.go
+++ b/sendmail/cmd/cmd.go
@@ -18,14 +18,15 @@ import (
 	"fmt"
 	"io"
 	"net/mail"
-	"net/smtp"
 	"os"
 	"os/user"
+	"path"
+	"regexp"
 	"strings"

 	"github.com/axllent/mailpit/config"
 	"github.com/axllent/mailpit/internal/logger"
-	"github.com/reiver/go-telnet"
+	"github.com/mneis/go-telnet"
 	flag "github.com/spf13/pflag"
 )

@@ -34,7 +35,6 @@ var (
 	SMTPAddr = "localhost:1025"
 	// FromAddr email address
 	FromAddr string
-
 	// UseB - used to set from `-bs`
 	UseB bool
 	// UseS - used to set from `-bs`
@@ -42,15 +42,19 @@ var (
 )

 func init() {
+	// ensure only valid characters are used, ie: windows
+	re := regexp.MustCompile(`[^a-zA-Z\-\.\_]`)
 	host, err := os.Hostname()
 	if err != nil {
 		host = "localhost"
+	} else {
+		host = re.ReplaceAllString(host, "-")
 	}

 	username := "nobody"
 	user, err := user.Current()
 	if err == nil && user != nil && len(user.Username) > 0 {
-		username = user.Username
+		username = re.ReplaceAllString(user.Username, "-")
 	}

 	if FromAddr == "" {
@@ -62,7 +66,7 @@ func init() {
 func Run() {
 	var recipients []string

-	// defaults from envars if provided
+	// defaults from env vars if provided
 	if len(os.Getenv("MP_SENDMAIL_SMTP_ADDR")) > 0 {
 		SMTPAddr = os.Getenv("MP_SENDMAIL_SMTP_ADDR")
 	}
@@ -78,6 +82,9 @@ func Run() {
 	flag.BoolP("long-i", "i", false, "Ignored")
 	flag.BoolP("long-o", "o", false, "Ignored")
 	flag.BoolP("long-t", "t", false, "Ignored")
+	flag.StringP("from-name", "F", "", "Ignored")
+	flag.StringP("bits", "B", "", "Ignored")
+	flag.StringP("errors", "e", "", "Ignored")

 	// set the default help
 	flag.Usage = func() {
@@ -109,14 +116,23 @@ func Run() {
 		os.Exit(1)
 	}

+	socketAddr, isSocket := socketAddress(SMTPAddr)
+
 	// handles `sendmail -bs`
+	// telnet directly to SMTP
 	if UseB && UseS {
 		var caller telnet.Caller = telnet.StandardCaller

-		// telnet directly to SMTP
-		if err := telnet.DialToAndCall(SMTPAddr, caller); err != nil {
-			fmt.Println(err)
-			os.Exit(1)
+		if isSocket {
+			if err := telnet.DialToAndCallUnix(socketAddr, caller); err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+			}
+		} else {
+			if err := telnet.DialToAndCall(SMTPAddr, caller); err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+			}
 		}

 		return
@@ -163,8 +179,7 @@ func Run() {
 		os.Exit(11)
 	}

-	err = smtp.SendMail(SMTPAddr, nil, from.Address, addresses, body)
-	if err != nil {
+	if err := Send(SMTPAddr, from.Address, addresses, body); err != nil {
 		fmt.Fprintln(os.Stderr, "error sending mail")
 		logger.Log().Fatal(err)
 	}
@@ -186,5 +201,22 @@ Flags:
  -i          Ignored
  -o          Ignored
  -v          Ignored
+  -F  string  Ignored
+  -B  string  Ignored
+  -e  string  Ignored
 `, config.Version, strings.Join(args, " "), FromAddr)
 }
+
+// SocketAddress returns a path and a FileMode if the address is in
+// the format of unix:<path>
+func socketAddress(address string) (string, bool) {
+	re := regexp.MustCompile(`^unix:(.*)$`)
+
+	if !re.MatchString(address) {
+		return "", false
+	}
+
+	m := re.FindAllStringSubmatch(address, 1)
+
+	return path.Clean(m[0][1]), true
+}
--- a/sendmail/cmd/smtp.go
+++ b/sendmail/cmd/smtp.go
@@ -0,0 +1,71 @@
+// Package cmd is a wrapper library to send mail
+package cmd
+
+import (
+	"fmt"
+	"net"
+	"net/mail"
+	"net/smtp"
+	"os"
+
+	"github.com/axllent/mailpit/internal/logger"
+)
+
+// Send is a wrapper for smtp.SendMail() which also supports sending via unix sockets.
+// Unix sockets must be set as unix:/path/to/socket
+// It does not support authentication.
+func Send(addr string, from string, to []string, msg []byte) error {
+	socketPath, isSocket := socketAddress(addr)
+
+	fromAddress, err := mail.ParseAddress(from)
+	if err != nil {
+		return fmt.Errorf("invalid from address: %s", from)
+	}
+
+	if len(to) == 0 {
+		return fmt.Errorf("no To addresses specified")
+	}
+
+	if !isSocket {
+		return smtp.SendMail(addr, nil, fromAddress.Address, to, msg)
+	}
+
+	conn, err := net.Dial("unix", socketPath)
+	if err != nil {
+		return fmt.Errorf("error connecting to %s", addr)
+	}
+
+	client, err := smtp.NewClient(conn, "")
+	if err != nil {
+		return err
+	}
+
+	// Set the sender
+	if err := client.Mail(fromAddress.Address); err != nil {
+		fmt.Fprintln(os.Stderr, "error sending mail")
+		logger.Log().Fatal(err)
+	}
+
+	// Set the recipient
+	for _, a := range to {
+		if err := client.Rcpt(a); err != nil {
+			return err
+		}
+	}
+
+	wc, err := client.Data()
+	if err != nil {
+		return err
+	}
+
+	_, err = wc.Write(msg)
+	if err != nil {
+		return err
+	}
+	err = wc.Close()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/server/apiv1/api.go
+++ b/server/apiv1/api.go
@@ -2,876 +2,16 @@
 package apiv1

 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"net/mail"
 	"strconv"
-	"strings"
-	"time"

+	"github.com/araddon/dateparse"
 	"github.com/axllent/mailpit/config"
-	"github.com/axllent/mailpit/internal/htmlcheck"
-	"github.com/axllent/mailpit/internal/linkcheck"
 	"github.com/axllent/mailpit/internal/logger"
-	"github.com/axllent/mailpit/internal/spamassassin"
-	"github.com/axllent/mailpit/internal/storage"
-	"github.com/axllent/mailpit/internal/tools"
-	"github.com/axllent/mailpit/server/smtpd"
-	"github.com/gorilla/mux"
-	"github.com/lithammer/shortuuid/v4"
 )

-// GetMessages returns a paginated list of messages as JSON
-func GetMessages(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /api/v1/messages messages GetMessages
-	//
-	// # List messages
-	//
-	// Returns messages from the mailbox ordered from newest to oldest.
-	//
-	//	Produces:
-	//	- application/json
-	//
-	//	Schemes: http, https
-	//
-	//	Parameters:
-	//	  + name: start
-	//	    in: query
-	//	    description: Pagination offset
-	//	    required: false
-	//	    type: integer
-	//	    default: 0
-	//	  + name: limit
-	//	    in: query
-	//	    description: Limit results
-	//	    required: false
-	//	    type: integer
-	//	    default: 50
-	//
-	//	Responses:
-	//		200: MessagesSummaryResponse
-	//		default: ErrorResponse
-	start, limit := getStartLimit(r)
-
-	messages, err := storage.List(start, limit)
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	stats := storage.StatsGet()
-
-	var res MessagesSummary
-
-	res.Start = start
-	res.Messages = messages
-	res.Count = len(messages) // legacy - now undocumented in API specs
-	res.Total = stats.Total
-	res.Unread = stats.Unread
-	res.Tags = stats.Tags
-	res.MessagesCount = stats.Total
-
-	bytes, _ := json.Marshal(res)
-	w.Header().Add("Content-Type", "application/json")
-	_, _ = w.Write(bytes)
-}
-
-// Search returns the latest messages as JSON
-func Search(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /api/v1/search messages MessagesSummary
-	//
-	// # Search messages
-	//
-	// Returns the latest messages matching a search.
-	//
-	//	Produces:
-	//	- application/json
-	//
-	//	Schemes: http, https
-	//
-	//	Parameters:
-	//	  + name: query
-	//	    in: query
-	//	    description: Search query
-	//	    required: true
-	//	    type: string
-	//	  + name: start
-	//	    in: query
-	//	    description: Pagination offset
-	//	    required: false
-	//	    type: integer
-	//	    default: 0
-	//	  + name: limit
-	//	    in: query
-	//	    description: Limit results
-	//	    required: false
-	//	    type: integer
-	//	    default: 50
-	//
-	//	Responses:
-	//		200: MessagesSummaryResponse
-	//		default: ErrorResponse
-	search := strings.TrimSpace(r.URL.Query().Get("query"))
-	if search == "" {
-		httpError(w, "Error: no search query")
-		return
-	}
-
-	start, limit := getStartLimit(r)
-
-	messages, results, err := storage.Search(search, start, limit)
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	stats := storage.StatsGet()
-
-	var res MessagesSummary
-
-	res.Start = start
-	res.Messages = messages
-	res.Count = len(messages) // legacy - now undocumented in API specs
-	res.Total = stats.Total   // total messages in mailbox
-	res.MessagesCount = results
-	res.Unread = stats.Unread
-	res.Tags = stats.Tags
-
-	bytes, _ := json.Marshal(res)
-	w.Header().Add("Content-Type", "application/json")
-	_, _ = w.Write(bytes)
-}
-
-// DeleteSearch will delete all messages matching a search
-func DeleteSearch(w http.ResponseWriter, r *http.Request) {
-	// swagger:route DELETE /api/v1/search messages DeleteSearch
-	//
-	// # Delete messages by search
-	//
-	// Delete all messages matching a search.
-	//
-	//	Produces:
-	//	- application/json
-	//
-	//	Schemes: http, https
-	//
-	//	Parameters:
-	//	  + name: query
-	//	    in: query
-	//	    description: Search query
-	//	    required: true
-	//	    type: string
-	//
-	//	Responses:
-	//		200: OKResponse
-	//		default: ErrorResponse
-	search := strings.TrimSpace(r.URL.Query().Get("query"))
-	if search == "" {
-		httpError(w, "Error: no search query")
-		return
-	}
-
-	if err := storage.DeleteSearch(search); err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	w.Header().Add("Content-Type", "text/plain")
-	_, _ = w.Write([]byte("ok"))
-}
-
-// GetMessage (method: GET) returns the Message as JSON
-func GetMessage(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /api/v1/message/{ID} message Message
-	//
-	// # Get message summary
-	//
-	// Returns the summary of a message, marking the message as read.
-	//
-	// The ID can be set to `latest` to return the latest message.
-	//
-	//	Produces:
-	//	- application/json
-	//
-	//	Schemes: http, https
-	//
-	//	Parameters:
-	//	  + name: ID
-	//	    in: path
-	//	    description: Message database ID or "latest"
-	//	    required: true
-	//	    type: string
-	//
-	//	Responses:
-	//		200: Message
-	//		default: ErrorResponse
-
-	vars := mux.Vars(r)
-
-	id := vars["id"]
-
-	if id == "latest" {
-		var err error
-		id, err = storage.LatestID(r)
-		if err != nil {
-			w.WriteHeader(404)
-			fmt.Fprint(w, err.Error())
-			return
-		}
-	}
-
-	msg, err := storage.GetMessage(id)
-	if err != nil {
-		fourOFour(w)
-		return
-	}
-
-	bytes, _ := json.Marshal(msg)
-	w.Header().Add("Content-Type", "application/json")
-	_, _ = w.Write(bytes)
-}
-
-// DownloadAttachment (method: GET) returns the attachment data
-func DownloadAttachment(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /api/v1/message/{ID}/part/{PartID} message Attachment
-	//
-	// # Get message attachment
-	//
-	// This will return the attachment part using the appropriate Content-Type.
-	//
-	//	Produces:
-	//	- application/*
-	//	- image/*
-	//	- text/*
-	//
-	//	Schemes: http, https
-	//
-	//	Parameters:
-	//	  + name: ID
-	//	    in: path
-	//	    description: Message database ID
-	//	    required: true
-	//	    type: string
-	//	  + name: PartID
-	//	    in: path
-	//	    description: Attachment part ID
-	//	    required: true
-	//	    type: string
-	//
-	//	Responses:
-	//		200: BinaryResponse
-	//		default: ErrorResponse
-
-	vars := mux.Vars(r)
-
-	id := vars["id"]
-	partID := vars["partID"]
-
-	a, err := storage.GetAttachmentPart(id, partID)
-	if err != nil {
-		fourOFour(w)
-		return
-	}
-	fileName := a.FileName
-	if fileName == "" {
-		fileName = a.ContentID
-	}
-
-	w.Header().Add("Content-Type", a.ContentType)
-	w.Header().Set("Content-Disposition", "filename=\""+fileName+"\"")
-	_, _ = w.Write(a.Content)
-}
-
-// GetHeaders (method: GET) returns the message headers as JSON
-func GetHeaders(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /api/v1/message/{ID}/headers message Headers
-	//
-	// # Get message headers
-	//
-	// Returns the message headers as an array.
-	//
-	// The ID can be set to `latest` to return the latest message headers.
-	//
-	//	Produces:
-	//	- application/json
-	//
-	//	Schemes: http, https
-	//
-	//	Parameters:
-	//	  + name: ID
-	//	    in: path
-	//	    description: Message database ID or "latest"
-	//	    required: true
-	//	    type: string
-	//
-	//	Responses:
-	//	  200: MessageHeaders
-	//	  default: ErrorResponse
-
-	vars := mux.Vars(r)
-
-	id := vars["id"]
-
-	if id == "latest" {
-		var err error
-		id, err = storage.LatestID(r)
-		if err != nil {
-			w.WriteHeader(404)
-			fmt.Fprint(w, err.Error())
-			return
-		}
-	}
-
-	data, err := storage.GetMessageRaw(id)
-	if err != nil {
-		fourOFour(w)
-		return
-	}
-
-	reader := bytes.NewReader(data)
-	m, err := mail.ReadMessage(reader)
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	bytes, _ := json.Marshal(m.Header)
-
-	w.Header().Add("Content-Type", "application/json")
-	_, _ = w.Write(bytes)
-}
-
-// DownloadRaw (method: GET) returns the full email source as plain text
-func DownloadRaw(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /api/v1/message/{ID}/raw message Raw
-	//
-	// # Get message source
-	//
-	// Returns the full email source as plain text.
-	//
-	// The ID can be set to `latest` to return the latest message source.
-	//
-	//	Produces:
-	//	- text/plain
-	//
-	//	Schemes: http, https
-	//
-	//	Parameters:
-	//	  + name: ID
-	//	    in: path
-	//	    description: Message database ID or "latest"
-	//	    required: true
-	//	    type: string
-	//
-	//	Responses:
-	//		200: TextResponse
-	//		default: ErrorResponse
-
-	vars := mux.Vars(r)
-
-	id := vars["id"]
-	dl := r.FormValue("dl")
-
-	if id == "latest" {
-		var err error
-		id, err = storage.LatestID(r)
-		if err != nil {
-			w.WriteHeader(404)
-			fmt.Fprint(w, err.Error())
-			return
-		}
-	}
-
-	data, err := storage.GetMessageRaw(id)
-	if err != nil {
-		fourOFour(w)
-		return
-	}
-
-	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-	if dl == "1" {
-		w.Header().Set("Content-Disposition", "attachment; filename=\""+id+".eml\"")
-	}
-	_, _ = w.Write(data)
-}
-
-// DeleteMessages (method: DELETE) deletes all messages matching IDS.
-func DeleteMessages(w http.ResponseWriter, r *http.Request) {
-	// swagger:route DELETE /api/v1/messages messages DeleteMessages
-	//
-	// # Delete messages
-	//
-	// Delete individual or all messages. If no IDs are provided then all messages are deleted.
-	//
-	//	Consumes:
-	//	- application/json
-	//
-	//	Produces:
-	//	- text/plain
-	//
-	//	Schemes: http, https
-	//
-	//	Responses:
-	//		200: OKResponse
-	//		default: ErrorResponse
-
-	decoder := json.NewDecoder(r.Body)
-	var data struct {
-		IDs []string
-	}
-	err := decoder.Decode(&data)
-	if err != nil || len(data.IDs) == 0 {
-		if err := storage.DeleteAllMessages(); err != nil {
-			httpError(w, err.Error())
-			return
-		}
-	} else {
-		for _, id := range data.IDs {
-			if err := storage.DeleteOneMessage(id); err != nil {
-				httpError(w, err.Error())
-				return
-			}
-		}
-	}
-
-	w.Header().Add("Content-Type", "application/plain")
-	_, _ = w.Write([]byte("ok"))
-}
-
-// SetReadStatus (method: PUT) will update the status to Read/Unread for all provided IDs
-// If no IDs are provided then all messages are updated.
-func SetReadStatus(w http.ResponseWriter, r *http.Request) {
-	// swagger:route PUT /api/v1/messages messages SetReadStatus
-	//
-	// # Set read status
-	//
-	// If no IDs are provided then all messages are updated.
-	//
-	//	Consumes:
-	//	- application/json
-	//
-	//	Produces:
-	//	- text/plain
-	//
-	//	Schemes: http, https
-	//
-	//	Responses:
-	//		200: OKResponse
-	//		default: ErrorResponse
-
-	decoder := json.NewDecoder(r.Body)
-
-	var data struct {
-		Read bool
-		IDs  []string
-	}
-
-	err := decoder.Decode(&data)
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	ids := data.IDs
-
-	if len(ids) == 0 {
-		if data.Read {
-			err := storage.MarkAllRead()
-			if err != nil {
-				httpError(w, err.Error())
-				return
-			}
-		} else {
-			err := storage.MarkAllUnread()
-			if err != nil {
-				httpError(w, err.Error())
-				return
-			}
-		}
-	} else {
-		if data.Read {
-			for _, id := range ids {
-				if err := storage.MarkRead(id); err != nil {
-					httpError(w, err.Error())
-					return
-				}
-			}
-		} else {
-			for _, id := range ids {
-				if err := storage.MarkUnread(id); err != nil {
-					httpError(w, err.Error())
-					return
-				}
-			}
-		}
-	}
-
-	w.Header().Add("Content-Type", "text/plain")
-	_, _ = w.Write([]byte("ok"))
-}
-
-// GetAllTags (method: GET) will get all tags currently in use
-func GetAllTags(w http.ResponseWriter, _ *http.Request) {
-	// swagger:route GET /api/v1/tags tags GetAllTags
-	//
-	// # Get all current tags
-	//
-	// Returns a JSON array of all unique message tags.
-	//
-	//	Produces:
-	//	- application/json
-	//
-	//	Schemes: http, https
-	//
-	//	Responses:
-	//		200: ArrayResponse
-	//		default: ErrorResponse
-
-	tags := storage.GetAllTags()
-
-	data, err := json.Marshal(tags)
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	w.Header().Add("Content-Type", "application/json")
-	_, _ = w.Write(data)
-}
-
-// SetMessageTags (method: PUT) will set the tags for all provided IDs
-func SetMessageTags(w http.ResponseWriter, r *http.Request) {
-	// swagger:route PUT /api/v1/tags tags SetTags
-	//
-	// # Set message tags
-	//
-	// This will overwrite any existing tags for selected message database IDs. To remove all tags from a message, pass an empty tags array.
-	//
-	//	Consumes:
-	//	- application/json
-	//
-	//	Produces:
-	//	- text/plain
-	//
-	//	Schemes: http, https
-	//
-	//	Responses:
-	//		200: OKResponse
-	//		default: ErrorResponse
-
-	decoder := json.NewDecoder(r.Body)
-
-	var data struct {
-		Tags []string
-		IDs  []string
-	}
-
-	err := decoder.Decode(&data)
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	ids := data.IDs
-
-	if len(ids) > 0 {
-		for _, id := range ids {
-			if err := storage.SetMessageTags(id, data.Tags); err != nil {
-				httpError(w, err.Error())
-				return
-			}
-		}
-	}
-
-	w.Header().Add("Content-Type", "text/plain")
-	_, _ = w.Write([]byte("ok"))
-}
-
-// ReleaseMessage (method: POST) will release a message via a pre-configured external SMTP server.
-func ReleaseMessage(w http.ResponseWriter, r *http.Request) {
-	// swagger:route POST /api/v1/message/{ID}/release message ReleaseMessage
-	//
-	// # Release message
-	//
-	// Release a message via a pre-configured external SMTP server. This is only enabled if message relaying has been configured.
-	//
-	//	Consumes:
-	//	- application/json
-	//
-	//	Produces:
-	//	- text/plain
-	//
-	//	Schemes: http, https
-	//
-	//	Responses:
-	//		200: OKResponse
-	//		default: ErrorResponse
-
-	vars := mux.Vars(r)
-
-	id := vars["id"]
-
-	msg, err := storage.GetMessageRaw(id)
-	if err != nil {
-		fourOFour(w)
-		return
-	}
-
-	decoder := json.NewDecoder(r.Body)
-
-	data := releaseMessageRequestBody{}
-
-	if err := decoder.Decode(&data); err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	tos := data.To
-	if len(tos) == 0 {
-		httpError(w, "No valid addresses found")
-		return
-	}
-
-	for _, to := range tos {
-		address, err := mail.ParseAddress(to)
-
-		if err != nil {
-			httpError(w, "Invalid email address: "+to)
-			return
-		}
-
-		if config.SMTPRelayConfig.RecipientAllowlistRegexp != nil && !config.SMTPRelayConfig.RecipientAllowlistRegexp.MatchString(address.Address) {
-			httpError(w, "Mail address does not match allowlist: "+to)
-			return
-		}
-	}
-
-	reader := bytes.NewReader(msg)
-	m, err := mail.ReadMessage(reader)
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	froms, err := m.Header.AddressList("From")
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	from := froms[0].Address
-
-	// if sender is used, then change from to the sender
-	if senders, err := m.Header.AddressList("Sender"); err == nil {
-		from = senders[0].Address
-	}
-
-	msg, err = tools.RemoveMessageHeaders(msg, []string{"Bcc"})
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	// set the Return-Path and SMTP mfrom
-	if config.SMTPRelayConfig.ReturnPath != "" {
-		if m.Header.Get("Return-Path") != "<"+config.SMTPRelayConfig.ReturnPath+">" {
-			msg, err = tools.RemoveMessageHeaders(msg, []string{"Return-Path"})
-			if err != nil {
-				httpError(w, err.Error())
-				return
-			}
-			msg = append([]byte("Return-Path: <"+config.SMTPRelayConfig.ReturnPath+">\r\n"), msg...)
-		}
-
-		from = config.SMTPRelayConfig.ReturnPath
-	}
-
-	// update message date
-	msg, err = tools.UpdateMessageHeader(msg, "Date", time.Now().Format(time.RFC1123Z))
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	// generate unique ID
-	uid := shortuuid.New() + "@mailpit"
-	// update Message-Id with unique ID
-	msg, err = tools.UpdateMessageHeader(msg, "Message-Id", "<"+uid+">")
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	if err := smtpd.Send(from, tos, msg); err != nil {
-		logger.Log().Errorf("[smtp] error sending message: %s", err.Error())
-		httpError(w, "SMTP error: "+err.Error())
-		return
-	}
-
-	w.Header().Add("Content-Type", "text/plain")
-	_, _ = w.Write([]byte("ok"))
-}
-
-// HTMLCheck returns a summary of the HTML client support
-func HTMLCheck(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /api/v1/message/{ID}/html-check Other HTMLCheck
-	//
-	// # HTML check (beta)
-	//
-	// Returns the summary of the message HTML checker.
-	//
-	// NOTE: This feature is currently in beta and is documented for reference only.
-	// Please do not integrate with it (yet) as there may be changes.
-	//
-	//	Produces:
-	//	- application/json
-	//
-	//	Schemes: http, https
-	//
-	//	Responses:
-	//		200: HTMLCheckResponse
-	//		default: ErrorResponse
-
-	vars := mux.Vars(r)
-	id := vars["id"]
-
-	if id == "latest" {
-		var err error
-		id, err = storage.LatestID(r)
-		if err != nil {
-			w.WriteHeader(404)
-			fmt.Fprint(w, err.Error())
-			return
-		}
-	}
-
-	msg, err := storage.GetMessage(id)
-	if err != nil {
-		fourOFour(w)
-		return
-	}
-
-	if msg.HTML == "" {
-		httpError(w, "message does not contain HTML")
-		return
-	}
-
-	checks, err := htmlcheck.RunTests(msg.HTML)
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	bytes, _ := json.Marshal(checks)
-	w.Header().Add("Content-Type", "application/json")
-	_, _ = w.Write(bytes)
-}
-
-// LinkCheck returns a summary of links in the email
-func LinkCheck(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /api/v1/message/{ID}/link-check Other LinkCheck
-	//
-	// # Link check (beta)
-	//
-	// Returns the summary of the message Link checker.
-	//
-	// NOTE: This feature is currently in beta and is documented for reference only.
-	// Please do not integrate with it (yet) as there may be changes.
-	//
-	//	Produces:
-	//	- application/json
-	//
-	//	Schemes: http, https
-	//
-	//	Responses:
-	//		200: LinkCheckResponse
-	//		default: ErrorResponse
-
-	vars := mux.Vars(r)
-	id := vars["id"]
-
-	if id == "latest" {
-		var err error
-		id, err = storage.LatestID(r)
-		if err != nil {
-			w.WriteHeader(404)
-			fmt.Fprint(w, err.Error())
-			return
-		}
-	}
-
-	msg, err := storage.GetMessage(id)
-	if err != nil {
-		fourOFour(w)
-		return
-	}
-
-	f := r.URL.Query().Get("follow")
-	followRedirects := f == "true" || f == "1"
-
-	summary, err := linkcheck.RunTests(msg, followRedirects)
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	bytes, _ := json.Marshal(summary)
-	w.Header().Add("Content-Type", "application/json")
-	_, _ = w.Write(bytes)
-}
-
-// SpamAssassinCheck returns a summary of SpamAssassin results (if enabled)
-func SpamAssassinCheck(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /api/v1/message/{ID}/sa-check Other SpamAssassinCheck
-	//
-	// # SpamAssassin check (beta)
-	//
-	// Returns the SpamAssassin (if enabled) summary of the message.
-	//
-	// NOTE: This feature is currently in beta and is documented for reference only.
-	// Please do not integrate with it (yet) as there may be changes.
-	//
-	//	Produces:
-	//	- application/json
-	//
-	//	Schemes: http, https
-	//
-	//	Responses:
-	//		200: SpamAssassinResponse
-	//		default: ErrorResponse
-
-	vars := mux.Vars(r)
-	id := vars["id"]
-
-	if id == "latest" {
-		var err error
-		id, err = storage.LatestID(r)
-		if err != nil {
-			w.WriteHeader(404)
-			fmt.Fprint(w, err.Error())
-			return
-		}
-	}
-
-	msg, err := storage.GetMessageRaw(id)
-	if err != nil {
-		fourOFour(w)
-		return
-	}
-
-	summary, err := spamassassin.Check(msg)
-	if err != nil {
-		httpError(w, err.Error())
-		return
-	}
-
-	bytes, _ := json.Marshal(summary)
-	w.Header().Add("Content-Type", "application/json")
-	_, _ = w.Write(bytes)
-}
-
 // FourOFour returns a basic 404 message
 func fourOFour(w http.ResponseWriter) {
 	w.Header().Set("Referrer-Policy", "no-referrer")
@@ -890,10 +30,26 @@ func httpError(w http.ResponseWriter, msg string) {
 	fmt.Fprint(w, msg)
 }

+// httpJSONError returns a basic error message (400 response) in JSON format
+func httpJSONError(w http.ResponseWriter, msg string) {
+	w.Header().Set("Referrer-Policy", "no-referrer")
+	w.Header().Set("Content-Security-Policy", config.ContentSecurityPolicy)
+	w.WriteHeader(http.StatusBadRequest)
+	e := JSONErrorMessage{
+		Error: msg,
+	}
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(e); err != nil {
+		httpError(w, err.Error())
+	}
+}
+
 // Get the start and limit based on query params. Defaults to 0, 50
-func getStartLimit(req *http.Request) (start int, limit int) {
+func getStartLimit(req *http.Request) (start int, beforeTS int64, limit int) {
 	start = 0
 	limit = 50
+	beforeTS = 0 // timestamp

 	s := req.URL.Query().Get("start")
 	if n, err := strconv.Atoi(s); err == nil && n > 0 {
@@ -905,7 +61,17 @@ func getStartLimit(req *http.Request) (start int, limit int) {
 		limit = n
 	}

-	return start, limit
+	b := req.URL.Query().Get("before")
+	if b != "" {
+		t, err := dateparse.ParseLocal(b)
+		if err != nil {
+			logger.Log().Warnf("ignoring invalid before: date \"%s\"", b)
+		} else {
+			beforeTS = t.UnixMilli()
+		}
+	}
+
+	return start, beforeTS, limit
 }

 // GetOptions returns a blank response
--- a/server/apiv1/application.go
+++ b/server/apiv1/application.go
@@ -0,0 +1,121 @@
+package apiv1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/stats"
+)
+
+// Application information
+// swagger:response AppInfoResponse
+type appInfoResponse struct {
+	// Application information
+	//
+	// in: body
+	Body stats.AppInformation
+}
+
+// AppInfo returns some basic details about the running app, and latest release.
+func AppInfo(w http.ResponseWriter, _ *http.Request) {
+	// swagger:route GET /api/v1/info application AppInformation
+	//
+	// # Get application information
+	//
+	// Returns basic runtime information, message totals and latest release version.
+	//
+	//	Produces:
+	//	- application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//		200: AppInfoResponse
+	//		400: ErrorResponse
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(stats.Load()); err != nil {
+		httpError(w, err.Error())
+	}
+}
+
+// Response includes global web UI settings
+//
+// swagger:model WebUIConfiguration
+type webUIConfiguration struct {
+	// Optional label to identify this Mailpit instance
+	Label string
+	// Message Relay information
+	MessageRelay struct {
+		// Whether message relaying (release) is enabled
+		Enabled bool
+		// The configured SMTP server address
+		SMTPServer string
+		// Enforced Return-Path (if set) for relay bounces
+		ReturnPath string
+		// Only allow relaying to these recipients (regex)
+		AllowedRecipients string
+		// Block relaying to these recipients (regex)
+		BlockedRecipients string
+		// DEPRECATED 2024/03/12
+		// swagger:ignore
+		RecipientAllowlist string
+	}
+
+	// Whether SpamAssassin is enabled
+	SpamAssassin bool
+
+	// Whether messages with duplicate IDs are ignored
+	DuplicatesIgnored bool
+}
+
+// Web UI configuration response
+// swagger:response WebUIConfigurationResponse
+type webUIConfigurationResponse struct {
+	// Web UI configuration settings
+	//
+	// in: body
+	Body webUIConfiguration
+}
+
+// WebUIConfig returns configuration settings for the web UI.
+func WebUIConfig(w http.ResponseWriter, _ *http.Request) {
+	// swagger:route GET /api/v1/webui application WebUIConfiguration
+	//
+	// # Get web UI configuration
+	//
+	// Returns configuration settings for the web UI.
+	// Intended for web UI only!
+	//
+	//	Produces:
+	//	 - application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: WebUIConfigurationResponse
+	//	  400: ErrorResponse
+
+	conf := webUIConfiguration{}
+
+	conf.Label = config.Label
+	conf.MessageRelay.Enabled = config.ReleaseEnabled
+	if config.ReleaseEnabled {
+		conf.MessageRelay.SMTPServer = fmt.Sprintf("%s:%d", config.SMTPRelayConfig.Host, config.SMTPRelayConfig.Port)
+		conf.MessageRelay.ReturnPath = config.SMTPRelayConfig.ReturnPath
+		conf.MessageRelay.AllowedRecipients = config.SMTPRelayConfig.AllowedRecipients
+		conf.MessageRelay.BlockedRecipients = config.SMTPRelayConfig.BlockedRecipients
+		// DEPRECATED 2024/03/12
+		conf.MessageRelay.RecipientAllowlist = config.SMTPRelayConfig.AllowedRecipients
+	}
+
+	conf.SpamAssassin = config.EnableSpamAssassin != ""
+	conf.DuplicatesIgnored = config.IgnoreDuplicateIDs
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(conf); err != nil {
+		httpError(w, err.Error())
+	}
+}
--- a/server/apiv1/info.go
+++ b/server/apiv1/info.go
@@ -1,33 +0,0 @@
-package apiv1
-
-import (
-	"encoding/json"
-	"net/http"
-
-	"github.com/axllent/mailpit/internal/stats"
-)
-
-// AppInfo returns some basic details about the running app, and latest release.
-func AppInfo(w http.ResponseWriter, _ *http.Request) {
-	// swagger:route GET /api/v1/info application AppInformation
-	//
-	// # Get application information
-	//
-	// Returns basic runtime information, message totals and latest release version.
-	//
-	//	Produces:
-	//	- application/json
-	//
-	//	Schemes: http, https
-	//
-	//	Responses:
-	//		200: InfoResponse
-	//		default: ErrorResponse
-
-	info := stats.Load()
-
-	bytes, _ := json.Marshal(info)
-
-	w.Header().Add("Content-Type", "application/json")
-	_, _ = w.Write(bytes)
-}
--- a/server/apiv1/message.go
+++ b/server/apiv1/message.go
@@ -0,0 +1,247 @@
+package apiv1
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/mail"
+
+	"github.com/axllent/mailpit/internal/storage"
+	"github.com/gorilla/mux"
+)
+
+// swagger:parameters GetMessageParams
+type getMessageParams struct {
+	// Message database ID or "latest"
+	//
+	// in: path
+	// required: true
+	ID string
+}
+
+// GetMessage (method: GET) returns the Message as JSON
+func GetMessage(w http.ResponseWriter, r *http.Request) {
+	// swagger:route GET /api/v1/message/{ID} message GetMessageParams
+	//
+	// # Get message summary
+	//
+	// Returns the summary of a message, marking the message as read.
+	//
+	// The ID can be set to `latest` to return the latest message.
+	//
+	//	Produces:
+	//	  - application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: Message
+	//    400: ErrorResponse
+	//    404: NotFoundResponse
+
+	vars := mux.Vars(r)
+
+	id := vars["id"]
+
+	if id == "latest" {
+		var err error
+		id, err = storage.LatestID(r)
+		if err != nil {
+			w.WriteHeader(404)
+			fmt.Fprint(w, err.Error())
+			return
+		}
+	}
+
+	msg, err := storage.GetMessage(id)
+	if err != nil {
+		fourOFour(w)
+		return
+	}
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(msg); err != nil {
+		httpError(w, err.Error())
+	}
+}
+
+// swagger:parameters GetHeadersParams
+type getHeadersParams struct {
+	// Message database ID or "latest"
+	//
+	// in: path
+	// required: true
+	ID string
+}
+
+// Message headers
+// swagger:model MessageHeadersResponse
+type messageHeaders map[string][]string
+
+// GetHeaders (method: GET) returns the message headers as JSON
+func GetHeaders(w http.ResponseWriter, r *http.Request) {
+	// swagger:route GET /api/v1/message/{ID}/headers message GetHeadersParams
+	//
+	// # Get message headers
+	//
+	// Returns the message headers as an array. Note that header keys are returned alphabetically.
+	//
+	// The ID can be set to `latest` to return the latest message headers.
+	//
+	//	Produces:
+	//	  - application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: MessageHeadersResponse
+	//    400: ErrorResponse
+	//    404: NotFoundResponse
+
+	vars := mux.Vars(r)
+
+	id := vars["id"]
+
+	if id == "latest" {
+		var err error
+		id, err = storage.LatestID(r)
+		if err != nil {
+			w.WriteHeader(404)
+			fmt.Fprint(w, err.Error())
+			return
+		}
+	}
+
+	data, err := storage.GetMessageRaw(id)
+	if err != nil {
+		fourOFour(w)
+		return
+	}
+
+	reader := bytes.NewReader(data)
+	m, err := mail.ReadMessage(reader)
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(m.Header); err != nil {
+		httpError(w, err.Error())
+	}
+}
+
+// swagger:parameters AttachmentParams
+type attachmentParams struct {
+	// Message database ID or "latest"
+	//
+	// in: path
+	// required: true
+	ID string
+
+	// Attachment part ID
+	//
+	// in: path
+	// required: true
+	PartID string
+}
+
+// DownloadAttachment (method: GET) returns the attachment data
+func DownloadAttachment(w http.ResponseWriter, r *http.Request) {
+	// swagger:route GET /api/v1/message/{ID}/part/{PartID} message AttachmentParams
+	//
+	// # Get message attachment
+	//
+	// This will return the attachment part using the appropriate Content-Type.
+	//
+	// The ID can be set to `latest` to reference the latest message.
+	//
+	//	Produces:
+	//	  - application/*
+	//	  - image/*
+	//	  - text/*
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: BinaryResponse
+	//    400: ErrorResponse
+	//    404: NotFoundResponse
+
+	vars := mux.Vars(r)
+
+	id := vars["id"]
+	partID := vars["partID"]
+
+	a, err := storage.GetAttachmentPart(id, partID)
+	if err != nil {
+		fourOFour(w)
+		return
+	}
+	fileName := a.FileName
+	if fileName == "" {
+		fileName = a.ContentID
+	}
+
+	w.Header().Add("Content-Type", a.ContentType)
+	w.Header().Set("Content-Disposition", "filename=\""+fileName+"\"")
+	_, _ = w.Write(a.Content)
+}
+
+// swagger:parameters DownloadRawParams
+type downloadRawParams struct {
+	// Message database ID or "latest"
+	//
+	// in: path
+	// required: true
+	ID string
+}
+
+// DownloadRaw (method: GET) returns the full email source as plain text
+func DownloadRaw(w http.ResponseWriter, r *http.Request) {
+	// swagger:route GET /api/v1/message/{ID}/raw message DownloadRawParams
+	//
+	// # Get message source
+	//
+	// Returns the full email source as plain text.
+	//
+	// The ID can be set to `latest` to return the latest message source.
+	//
+	//	Produces:
+	//	  - text/plain
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: TextResponse
+	//    400: ErrorResponse
+	//    404: NotFoundResponse
+
+	vars := mux.Vars(r)
+
+	id := vars["id"]
+	dl := r.FormValue("dl")
+
+	if id == "latest" {
+		var err error
+		id, err = storage.LatestID(r)
+		if err != nil {
+			w.WriteHeader(404)
+			fmt.Fprint(w, err.Error())
+			return
+		}
+	}
+
+	data, err := storage.GetMessageRaw(id)
+	if err != nil {
+		fourOFour(w)
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	if dl == "1" {
+		w.Header().Set("Content-Disposition", "attachment; filename=\""+id+".eml\"")
+	}
+	_, _ = w.Write(data)
+}
--- a/server/apiv1/messages.go
+++ b/server/apiv1/messages.go
@@ -0,0 +1,382 @@
+package apiv1
+
+import (
+	"encoding/json"
+	"net/http"
+	"strings"
+
+	"github.com/axllent/mailpit/internal/storage"
+)
+
+// swagger:parameters GetMessagesParams
+type getMessagesParams struct {
+	// Pagination offset
+	//
+	// in: query
+	// name: start
+	// required: false
+	// default: 0
+	// type: integer
+	Start int `json:"start"`
+
+	// Limit number of results
+	//
+	// in: query
+	// name: limit
+	// required: false
+	// default: 50
+	// type: integer
+	Limit int `json:"limit"`
+}
+
+// Summary of messages
+// swagger:response MessagesSummaryResponse
+type messagesSummaryResponse struct {
+	// The messages summary
+	// in: body
+	Body MessagesSummary
+}
+
+// MessagesSummary is a summary of a list of messages
+type MessagesSummary struct {
+	// Total number of messages in mailbox
+	Total float64 `json:"total"`
+
+	// Total number of unread messages in mailbox
+	Unread float64 `json:"unread"`
+
+	// Legacy - now undocumented in API specs but left for backwards compatibility.
+	// Removed from API documentation 2023-07-12
+	// swagger:ignore
+	Count float64 `json:"count"`
+
+	// Total number of messages matching current query
+	MessagesCount float64 `json:"messages_count"`
+
+	// Pagination offset
+	Start int `json:"start"`
+
+	// All current tags
+	Tags []string `json:"tags"`
+
+	// Messages summary
+	// in: body
+	Messages []storage.MessageSummary `json:"messages"`
+}
+
+// GetMessages returns a paginated list of messages as JSON
+func GetMessages(w http.ResponseWriter, r *http.Request) {
+	// swagger:route GET /api/v1/messages messages GetMessagesParams
+	//
+	// # List messages
+	//
+	// Returns messages from the mailbox ordered from newest to oldest.
+	//
+	//	Produces:
+	//	  - application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: MessagesSummaryResponse
+	//    400: ErrorResponse
+
+	start, beforeTS, limit := getStartLimit(r)
+
+	messages, err := storage.List(start, beforeTS, limit)
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	stats := storage.StatsGet()
+
+	var res MessagesSummary
+
+	res.Start = start
+	res.Messages = messages
+	res.Count = float64(len(messages)) // legacy - now undocumented in API specs
+	res.Total = stats.Total
+	res.Unread = stats.Unread
+	res.Tags = stats.Tags
+	res.MessagesCount = stats.Total
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(res); err != nil {
+		httpError(w, err.Error())
+	}
+}
+
+// swagger:parameters SetReadStatusParams
+type setReadStatusParams struct {
+	// in: body
+	Body struct {
+		// Read status
+		//
+		// required: false
+		// default: false
+		// example: true
+		Read bool
+
+		// Array of message database IDs
+		//
+		// required: false
+		// example: ["4oRBnPtCXgAqZniRhzLNmS", "hXayS6wnCgNnt6aFTvmOF6"]
+		IDs []string
+	}
+}
+
+// SetReadStatus (method: PUT) will update the status to Read/Unread for all provided IDs
+// If no IDs are provided then all messages are updated.
+func SetReadStatus(w http.ResponseWriter, r *http.Request) {
+	// swagger:route PUT /api/v1/messages messages SetReadStatusParams
+	//
+	// # Set read status
+	//
+	// If no IDs are provided then all messages are updated.
+	//
+	//	Consumes:
+	//	  - application/json
+	//
+	//	Produces:
+	//	  - text/plain
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: OKResponse
+	//    400: ErrorResponse
+
+	decoder := json.NewDecoder(r.Body)
+
+	var data struct {
+		Read bool
+		IDs  []string
+	}
+
+	err := decoder.Decode(&data)
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	ids := data.IDs
+
+	if len(ids) == 0 {
+		if data.Read {
+			err := storage.MarkAllRead()
+			if err != nil {
+				httpError(w, err.Error())
+				return
+			}
+		} else {
+			err := storage.MarkAllUnread()
+			if err != nil {
+				httpError(w, err.Error())
+				return
+			}
+		}
+	} else {
+		if data.Read {
+			for _, id := range ids {
+				if err := storage.MarkRead(id); err != nil {
+					httpError(w, err.Error())
+					return
+				}
+			}
+		} else {
+			for _, id := range ids {
+				if err := storage.MarkUnread(id); err != nil {
+					httpError(w, err.Error())
+					return
+				}
+			}
+		}
+	}
+
+	w.Header().Add("Content-Type", "text/plain")
+	_, _ = w.Write([]byte("ok"))
+}
+
+// swagger:parameters DeleteMessagesParams
+type deleteMessagesParams struct {
+	// Delete request
+	// in: body
+	Body struct {
+		// Array of message database IDs
+		//
+		// required: false
+		// example: ["4oRBnPtCXgAqZniRhzLNmS", "hXayS6wnCgNnt6aFTvmOF6"]
+		IDs []string
+	}
+}
+
+// DeleteMessages (method: DELETE) deletes all messages matching IDS.
+func DeleteMessages(w http.ResponseWriter, r *http.Request) {
+	// swagger:route DELETE /api/v1/messages messages DeleteMessagesParams
+	//
+	// # Delete messages
+	//
+	// Delete individual or all messages. If no IDs are provided then all messages are deleted.
+	//
+	//	Consumes:
+	//	  - application/json
+	//
+	//	Produces:
+	//	  - text/plain
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: OKResponse
+	//    400: ErrorResponse
+
+	decoder := json.NewDecoder(r.Body)
+	var data struct {
+		IDs []string
+	}
+	err := decoder.Decode(&data)
+	if err != nil || len(data.IDs) == 0 {
+		if err := storage.DeleteAllMessages(); err != nil {
+			httpError(w, err.Error())
+			return
+		}
+	} else {
+		if err := storage.DeleteMessages(data.IDs); err != nil {
+			httpError(w, err.Error())
+			return
+		}
+	}
+
+	w.Header().Add("Content-Type", "text/plain")
+	_, _ = w.Write([]byte("ok"))
+}
+
+// swagger:parameters SearchParams
+type searchParams struct {
+	// Search query
+	//
+	// in: query
+	// required: true
+	// type: string
+	Query string `json:"query"`
+
+	// Pagination offset
+	//
+	// in: query
+	// required: false
+	// type integer
+	Start string `json:"start"`
+
+	// Limit results
+	//
+	// in: query
+	// required: false
+	// type integer
+	Limit string `json:"limit"`
+
+	// [Timezone identifier](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) used only for `before:` & `after:` searches (eg: "Pacific/Auckland").
+	//
+	// in: query
+	// required: false
+	// type string
+	TZ string `json:"tz"`
+}
+
+// Search returns the latest messages as JSON
+func Search(w http.ResponseWriter, r *http.Request) {
+	// swagger:route GET /api/v1/search messages SearchParams
+	//
+	// # Search messages
+	//
+	// Returns messages matching [a search](https://mailpit.axllent.org/docs/usage/search-filters/), sorted by received date (descending).
+	//
+	//	Produces:
+	//	  - application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: MessagesSummaryResponse
+	//    400: ErrorResponse
+
+	search := strings.TrimSpace(r.URL.Query().Get("query"))
+	if search == "" {
+		httpError(w, "Error: no search query")
+		return
+	}
+
+	start, beforeTS, limit := getStartLimit(r)
+
+	messages, results, err := storage.Search(search, r.URL.Query().Get("tz"), start, beforeTS, limit)
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	stats := storage.StatsGet()
+
+	var res MessagesSummary
+
+	res.Start = start
+	res.Messages = messages
+	res.Count = float64(len(messages)) // legacy - now undocumented in API specs
+	res.Total = stats.Total            // total messages in mailbox
+	res.MessagesCount = float64(results)
+	res.Unread = stats.Unread
+	res.Tags = stats.Tags
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(res); err != nil {
+		httpError(w, err.Error())
+	}
+}
+
+// swagger:parameters DeleteSearchParams
+type deleteSearchParams struct {
+	// Search query
+	//
+	// in: query
+	// required: true
+	// type: string
+	Query string `json:"query"`
+
+	// [Timezone identifier](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) used only for `before:` & `after:` searches (eg: "Pacific/Auckland").
+	//
+	// in: query
+	// required: false
+	// type string
+	TZ string `json:"tz"`
+}
+
+// DeleteSearch will delete all messages matching a search
+func DeleteSearch(w http.ResponseWriter, r *http.Request) {
+	// swagger:route DELETE /api/v1/search messages DeleteSearchParams
+	//
+	// # Delete messages by search
+	//
+	// Delete all messages matching [a search](https://mailpit.axllent.org/docs/usage/search-filters/).
+	//
+	//	Produces:
+	//	  - application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: OKResponse
+	//    400: ErrorResponse
+
+	search := strings.TrimSpace(r.URL.Query().Get("query"))
+	if search == "" {
+		httpError(w, "Error: no search query")
+		return
+	}
+
+	if err := storage.DeleteSearch(search, r.URL.Query().Get("tz")); err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	w.Header().Add("Content-Type", "text/plain")
+	_, _ = w.Write([]byte("ok"))
+}
--- a/server/apiv1/other.go
+++ b/server/apiv1/other.go
@@ -0,0 +1,234 @@
+package apiv1
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/htmlcheck"
+	"github.com/axllent/mailpit/internal/linkcheck"
+	"github.com/axllent/mailpit/internal/spamassassin"
+	"github.com/axllent/mailpit/internal/storage"
+	"github.com/gorilla/mux"
+	"github.com/jhillyerd/enmime"
+)
+
+// swagger:parameters HTMLCheckParams
+type htmlCheckParams struct {
+	// Message database ID or "latest"
+	//
+	// in: path
+	// description: Message database ID or "latest"
+	// required: true
+	ID string
+}
+
+// HTMLCheckResponse summary response
+type HTMLCheckResponse = htmlcheck.Response
+
+// HTMLCheck returns a summary of the HTML client support
+func HTMLCheck(w http.ResponseWriter, r *http.Request) {
+	// swagger:route GET /api/v1/message/{ID}/html-check Other HTMLCheckParams
+	//
+	// # HTML check
+	//
+	// Returns the summary of the message HTML checker.
+	//
+	// The ID can be set to `latest` to return the latest message.
+	//
+	//	Produces:
+	//	  - application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: HTMLCheckResponse
+	//    400: ErrorResponse
+	//    404: NotFoundResponse
+
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	if id == "latest" {
+		var err error
+		id, err = storage.LatestID(r)
+		if err != nil {
+			fourOFour(w)
+			return
+		}
+	}
+
+	raw, err := storage.GetMessageRaw(id)
+	if err != nil {
+		fourOFour(w)
+		return
+	}
+
+	e := bytes.NewReader(raw)
+
+	parser := enmime.NewParser(enmime.DisableCharacterDetection(true))
+
+	msg, err := parser.ReadEnvelope(e)
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	if msg.HTML == "" {
+		httpError(w, "message does not contain HTML")
+		return
+	}
+
+	checks, err := htmlcheck.RunTests(msg.HTML)
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(checks); err != nil {
+		httpError(w, err.Error())
+	}
+}
+
+// swagger:parameters LinkCheckParams
+type linkCheckParams struct {
+	// Message database ID or "latest"
+	//
+	// in: path
+	// required: true
+	ID string
+
+	// Follow redirects
+	//
+	// in: query
+	// required: false
+	// default: false
+	Follow string `json:"follow"`
+}
+
+// LinkCheckResponse summary response
+type LinkCheckResponse = linkcheck.Response
+
+// LinkCheck returns a summary of links in the email
+func LinkCheck(w http.ResponseWriter, r *http.Request) {
+	// swagger:route GET /api/v1/message/{ID}/link-check Other LinkCheckParams
+	//
+	// # Link check
+	//
+	// Returns the summary of the message Link checker.
+	//
+	// The ID can be set to `latest` to return the latest message.
+	//
+	//	Produces:
+	//	  - application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: LinkCheckResponse
+	//    400: ErrorResponse
+	//    404: NotFoundResponse
+
+	if config.DemoMode {
+		httpError(w, "this functionality has been disabled for demonstration purposes")
+		return
+	}
+
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	if id == "latest" {
+		var err error
+		id, err = storage.LatestID(r)
+		if err != nil {
+			fourOFour(w)
+			return
+		}
+	}
+
+	msg, err := storage.GetMessage(id)
+	if err != nil {
+		fourOFour(w)
+		return
+	}
+
+	f := r.URL.Query().Get("follow")
+	followRedirects := f == "true" || f == "1"
+
+	summary, err := linkcheck.RunTests(msg, followRedirects)
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(summary); err != nil {
+		httpError(w, err.Error())
+	}
+}
+
+// swagger:parameters SpamAssassinCheckParams
+type spamAssassinCheckParams struct {
+	// Message database ID or "latest"
+	//
+	// in: path
+	// required: true
+	ID string
+}
+
+// SpamAssassinResponse summary response
+type SpamAssassinResponse = spamassassin.Result
+
+// SpamAssassinCheck returns a summary of SpamAssassin results (if enabled)
+func SpamAssassinCheck(w http.ResponseWriter, r *http.Request) {
+	// swagger:route GET /api/v1/message/{ID}/sa-check Other SpamAssassinCheckParams
+	//
+	// # SpamAssassin check
+	//
+	// Returns the SpamAssassin summary (if enabled) of the message.
+	//
+	// The ID can be set to `latest` to return the latest message.
+	//
+	//	Produces:
+	//	  - application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: SpamAssassinResponse
+	//    400: ErrorResponse
+	//    404: NotFoundResponse
+
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	if id == "latest" {
+		var err error
+		id, err = storage.LatestID(r)
+		if err != nil {
+			w.WriteHeader(404)
+			fmt.Fprint(w, err.Error())
+			return
+		}
+	}
+
+	msg, err := storage.GetMessageRaw(id)
+	if err != nil {
+		fourOFour(w)
+		return
+	}
+
+	summary, err := spamassassin.Check(msg)
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(summary); err != nil {
+		httpError(w, err.Error())
+	}
+}
--- a/server/apiv1/release.go
+++ b/server/apiv1/release.go
@@ -0,0 +1,196 @@
+package apiv1
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/mail"
+	"strings"
+	"time"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/storage"
+	"github.com/axllent/mailpit/internal/tools"
+	"github.com/axllent/mailpit/server/smtpd"
+	"github.com/gorilla/mux"
+	"github.com/lithammer/shortuuid/v4"
+)
+
+// swagger:parameters ReleaseMessageParams
+type releaseMessageParams struct {
+	// Message database ID
+	//
+	// in: path
+	// description: Message database ID
+	// required: true
+	ID string
+
+	// in: body
+	Body struct {
+		// Array of email addresses to relay the message to
+		//
+		// required: true
+		// example: ["user1@example.com", "user2@example.com"]
+		To []string
+	}
+}
+
+// ReleaseMessage (method: POST) will release a message via a pre-configured external SMTP server.
+func ReleaseMessage(w http.ResponseWriter, r *http.Request) {
+	// swagger:route POST /api/v1/message/{ID}/release message ReleaseMessageParams
+	//
+	// # Release message
+	//
+	// Release a message via a pre-configured external SMTP server. This is only enabled if message relaying has been configured.
+	//
+	// The ID can be set to `latest` to reference the latest message.
+	//
+	//	Consumes:
+	//	  - application/json
+	//
+	//	Produces:
+	//	  - text/plain
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: OKResponse
+	//    400: ErrorResponse
+	//    404: NotFoundResponse
+
+	if config.DemoMode {
+		httpError(w, "this functionality has been disabled for demonstration purposes")
+		return
+	}
+
+	vars := mux.Vars(r)
+
+	id := vars["id"]
+
+	msg, err := storage.GetMessageRaw(id)
+	if err != nil {
+		fourOFour(w)
+		return
+	}
+
+	decoder := json.NewDecoder(r.Body)
+
+	var data struct {
+		To []string
+	}
+
+	if err := decoder.Decode(&data); err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	blocked := []string{}
+	notAllowed := []string{}
+
+	for _, to := range data.To {
+		address, err := mail.ParseAddress(to)
+
+		if err != nil {
+			httpError(w, "Invalid email address: "+to)
+			return
+		}
+
+		if config.SMTPRelayConfig.AllowedRecipientsRegexp != nil && !config.SMTPRelayConfig.AllowedRecipientsRegexp.MatchString(address.Address) {
+			notAllowed = append(notAllowed, to)
+			continue
+		}
+
+		if config.SMTPRelayConfig.BlockedRecipientsRegexp != nil && config.SMTPRelayConfig.BlockedRecipientsRegexp.MatchString(address.Address) {
+			blocked = append(blocked, to)
+			continue
+		}
+	}
+
+	if len(notAllowed) > 0 {
+		addr := tools.Plural(len(notAllowed), "Address", "Addresses")
+		httpError(w, "Failed: "+addr+" do not match the allowlist: "+strings.Join(notAllowed, ", "))
+		return
+	}
+
+	if len(blocked) > 0 {
+		addr := tools.Plural(len(blocked), "Address", "Addresses")
+		httpError(w, "Failed: "+addr+" found on blocklist: "+strings.Join(blocked, ", "))
+		return
+	}
+
+	if len(data.To) == 0 {
+		httpError(w, "No valid addresses found")
+		return
+	}
+
+	reader := bytes.NewReader(msg)
+	m, err := mail.ReadMessage(reader)
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	fromAddresses, err := m.Header.AddressList("From")
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	if len(fromAddresses) == 0 {
+		httpError(w, "No From header found")
+		return
+	}
+
+	from := fromAddresses[0].Address
+
+	// if sender is used, then change from to the sender
+	if senders, err := m.Header.AddressList("Sender"); err == nil {
+		from = senders[0].Address
+	}
+
+	msg, err = tools.RemoveMessageHeaders(msg, []string{"Bcc"})
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	// set the Return-Path and SMTP from
+	if config.SMTPRelayConfig.ReturnPath != "" {
+		if m.Header.Get("Return-Path") != "<"+config.SMTPRelayConfig.ReturnPath+">" {
+			msg, err = tools.RemoveMessageHeaders(msg, []string{"Return-Path"})
+			if err != nil {
+				httpError(w, err.Error())
+				return
+			}
+			msg = append([]byte("Return-Path: <"+config.SMTPRelayConfig.ReturnPath+">\r\n"), msg...)
+		}
+
+		from = config.SMTPRelayConfig.ReturnPath
+	}
+
+	// update message date
+	msg, err = tools.UpdateMessageHeader(msg, "Date", time.Now().Format(time.RFC1123Z))
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	// generate unique ID
+	uid := shortuuid.New() + "@mailpit"
+	// update Message-Id with unique ID
+	msg, err = tools.UpdateMessageHeader(msg, "Message-Id", "<"+uid+">")
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	if err := smtpd.Relay(from, data.To, msg); err != nil {
+		logger.Log().Errorf("[smtp] error sending message: %s", err.Error())
+		httpError(w, "SMTP error: "+err.Error())
+		return
+	}
+
+	w.Header().Add("Content-Type", "text/plain")
+	_, _ = w.Write([]byte("ok"))
+}
--- a/server/apiv1/send.go
+++ b/server/apiv1/send.go
@@ -0,0 +1,290 @@
+package apiv1
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/mail"
+	"strings"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/tools"
+	"github.com/axllent/mailpit/server/smtpd"
+	"github.com/jhillyerd/enmime"
+)
+
+// swagger:parameters SendMessageParams
+type sendMessageParams struct {
+	// in: body
+	Body *SendRequest
+}
+
+// SendRequest to send a message via HTTP
+// swagger:model SendRequest
+type SendRequest struct {
+	// "From" recipient
+	// required: true
+	From struct {
+		// Optional name
+		// example: John Doe
+		Name string
+		// Email address
+		// example: john@example.com
+		// required: true
+		Email string
+	}
+
+	// "To" recipients
+	To []struct {
+		// Optional name
+		// example: Jane Doe
+		Name string
+		// Email address
+		// example: jane@example.com
+		// required: true
+		Email string
+	}
+
+	// Cc recipients
+	Cc []struct {
+		// Optional name
+		// example: Manager
+		Name string
+		// Email address
+		// example: manager@example.com
+		// required: true
+		Email string
+	}
+
+	// Bcc recipients email addresses only
+	// example: ["jack@example.com"]
+	Bcc []string
+
+	// Optional Reply-To recipients
+	ReplyTo []struct {
+		// Optional name
+		// example: Secretary
+		Name string
+		// Email address
+		// example: secretary@example.com
+		// required: true
+		Email string
+	}
+
+	// Subject
+	// example: Mailpit message via the HTTP API
+	Subject string
+
+	// Message body (text)
+	// example: This is the text body
+	Text string
+
+	// Message body (HTML)
+	// example: <p style="font-family: arial">Mailpit is <b>awesome</b>!</p>
+	HTML string
+
+	// Attachments
+	Attachments []struct {
+		// Base64-encoded string of the file content
+		// required: true
+		// example: VGhpcyBpcyBhIHBsYWluIHRleHQgYXR0YWNobWVudA==
+		Content string
+		// Filename
+		// required: true
+		// example: AttachedFile.txt
+		Filename string
+	}
+
+	// Mailpit tags
+	// example: ["Tag 1","Tag 2"]
+	Tags []string
+
+	// Optional headers in {"key":"value"} format
+	// example: {"X-IP":"1.2.3.4"}
+	Headers map[string]string
+}
+
+// JSONErrorMessage struct
+type JSONErrorMessage struct {
+	// Error message
+	// example: invalid format
+	Error string
+}
+
+// Confirmation message for HTTP send API
+// swagger:response sendMessageResponse
+type sendMessageResponse struct {
+	// Response for sending messages via the HTTP API
+	//
+	// in: body
+	Body SendMessageConfirmation
+}
+
+// SendMessageConfirmation struct
+type SendMessageConfirmation struct {
+	// Database ID
+	// example: iAfZVVe2UQfNSG5BAjgYwa
+	ID string
+}
+
+// SendMessageHandler handles HTTP requests to send a new message
+func SendMessageHandler(w http.ResponseWriter, r *http.Request) {
+	// swagger:route POST /api/v1/send message SendMessageParams
+	//
+	// # Send a message
+	//
+	// Send a message via the HTTP API.
+	//
+	//	Consumes:
+	//	  - application/json
+	//
+	//	Produces:
+	//	  - application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: sendMessageResponse
+	//	  400: jsonErrorResponse
+
+	if config.DemoMode {
+		httpJSONError(w, "this functionality has been disabled for demonstration purposes")
+		return
+	}
+
+	decoder := json.NewDecoder(r.Body)
+
+	data := SendRequest{}
+
+	if err := decoder.Decode(&data); err != nil {
+		httpJSONError(w, err.Error())
+		return
+	}
+
+	id, err := data.Send(r.RemoteAddr)
+
+	if err != nil {
+		httpJSONError(w, err.Error())
+		return
+	}
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(SendMessageConfirmation{ID: id}); err != nil {
+		httpError(w, err.Error())
+	}
+}
+
+// Send will validate the message structure and attempt to send to Mailpit.
+// It returns a sending summary or an error.
+func (d SendRequest) Send(remoteAddr string) (string, error) {
+	ip, _, err := net.SplitHostPort(remoteAddr)
+	if err != nil {
+		return "", fmt.Errorf("error parsing request RemoteAddr: %s", err.Error())
+	}
+
+	ipAddr := &net.IPAddr{IP: net.ParseIP(ip)}
+
+	addresses := []string{}
+
+	msg := enmime.Builder().
+		From(d.From.Name, d.From.Email).
+		Subject(d.Subject).
+		Text([]byte(d.Text))
+
+	if d.HTML != "" {
+		msg = msg.HTML([]byte(d.HTML))
+	}
+
+	if len(d.To) > 0 {
+		for _, a := range d.To {
+			if _, err := mail.ParseAddress(a.Email); err == nil {
+				msg = msg.To(a.Name, a.Email)
+				addresses = append(addresses, a.Email)
+			} else {
+				return "", fmt.Errorf("invalid To address: %s", a.Email)
+			}
+		}
+	}
+
+	if len(d.Cc) > 0 {
+		for _, a := range d.Cc {
+			if _, err := mail.ParseAddress(a.Email); err == nil {
+				msg = msg.CC(a.Name, a.Email)
+				addresses = append(addresses, a.Email)
+			} else {
+				return "", fmt.Errorf("invalid Cc address: %s", a.Email)
+			}
+		}
+	}
+
+	if len(d.Bcc) > 0 {
+		for _, e := range d.Bcc {
+			if _, err := mail.ParseAddress(e); err == nil {
+				msg = msg.BCC("", e)
+				addresses = append(addresses, e)
+			} else {
+				return "", fmt.Errorf("invalid Bcc address: %s", e)
+			}
+		}
+	}
+
+	if len(d.ReplyTo) > 0 {
+		for _, a := range d.ReplyTo {
+			if _, err := mail.ParseAddress(a.Email); err == nil {
+				msg = msg.ReplyTo(a.Name, a.Email)
+			} else {
+				return "", fmt.Errorf("invalid Reply-To address: %s", a.Email)
+			}
+		}
+	}
+
+	restrictedHeaders := []string{"To", "From", "Cc", "Bcc", "Reply-To", "Date", "Subject", "Content-Type", "Mime-Version"}
+
+	if len(d.Tags) > 0 {
+		msg = msg.Header("X-Tags", strings.Join(d.Tags, ", "))
+		restrictedHeaders = append(restrictedHeaders, "X-Tags")
+	}
+
+	if len(d.Headers) > 0 {
+		for k, v := range d.Headers {
+			// check header isn't in "restricted" headers
+			if tools.InArray(k, restrictedHeaders) {
+				return "", fmt.Errorf("cannot overwrite header: \"%s\"", k)
+			}
+			msg = msg.Header(k, v)
+		}
+	}
+
+	if len(d.Attachments) > 0 {
+		for _, a := range d.Attachments {
+			// workaround: split string because JS readAsDataURL() returns the base64 string
+			// with the mime type prefix eg: data:image/png;base64,<base64String>
+			parts := strings.Split(a.Content, ",")
+			content := parts[len(parts)-1]
+			b, err := base64.StdEncoding.DecodeString(content)
+			if err != nil {
+				return "", fmt.Errorf("error decoding base64 attachment \"%s\": %s", a.Filename, err.Error())
+			}
+
+			mimeType := http.DetectContentType(b)
+			msg = msg.AddAttachment(b, mimeType, a.Filename)
+		}
+	}
+
+	part, err := msg.Build()
+	if err != nil {
+		return "", fmt.Errorf("error building message: %s", err.Error())
+	}
+
+	var buff bytes.Buffer
+
+	if err := part.Encode(io.Writer(&buff)); err != nil {
+		return "", fmt.Errorf("error building message: %s", err.Error())
+	}
+
+	return smtpd.SaveToDatabase(ipAddr, d.From.Email, addresses, buff.Bytes())
+}
--- a/server/apiv1/structs.go
+++ b/server/apiv1/structs.go
@@ -1,39 +1,9 @@
 package apiv1

 import (
-	"github.com/axllent/mailpit/internal/htmlcheck"
-	"github.com/axllent/mailpit/internal/linkcheck"
-	"github.com/axllent/mailpit/internal/spamassassin"
 	"github.com/axllent/mailpit/internal/storage"
 )

-// MessagesSummary is a summary of a list of messages
-type MessagesSummary struct {
-	// Total number of messages in mailbox
-	Total int `json:"total"`
-
-	// Total number of unread messages in mailbox
-	Unread int `json:"unread"`
-
-	// Legacy - now undocumented in API specs but left for backwards compatibility.
-	// Removed from API documentation 2023-07-12
-	// swagger:ignore
-	Count int `json:"count"`
-
-	// Total number of messages matching current query
-	MessagesCount int `json:"messages_count"`
-
-	// Pagination offset
-	Start int `json:"start"`
-
-	// All current tags
-	Tags []string `json:"tags"`
-
-	// Messages summary
-	// in: body
-	Messages []storage.MessageSummary `json:"messages"`
-}
-
 // The following structs & aliases are provided for easy import
 // and understanding of the JSON structure.

@@ -45,12 +15,3 @@ type Message = storage.Message

 // Attachment summary
 type Attachment = storage.Attachment
-
-// HTMLCheckResponse summary
-type HTMLCheckResponse = htmlcheck.Response
-
-// LinkCheckResponse summary
-type LinkCheckResponse = linkcheck.Response
-
-// SpamAssassinResponse summary
-type SpamAssassinResponse = spamassassin.Result
--- a/server/apiv1/swagger.go
+++ b/server/apiv1/swagger.go
@@ -1,162 +1,8 @@
 package apiv1

-import "github.com/axllent/mailpit/internal/stats"
-
 // These structs are for the purpose of defining swagger HTTP parameters & responses

-// Application information
-// swagger:response InfoResponse
-type infoResponse struct {
-	// Application information
-	//
-	// in: body
-	Body stats.AppInformation
-}
-
-// Web UI configuration
-// swagger:response WebUIConfigurationResponse
-type webUIConfigurationResponse struct {
-	// Web UI configuration settings
-	//
-	// in: body
-	Body webUIConfiguration
-}
-
-// Message summary
-// swagger:response MessagesSummaryResponse
-type messagesSummaryResponse struct {
-	// The message summary
-	// in: body
-	Body MessagesSummary
-}
-
-// Message headers
-// swagger:model MessageHeaders
-type messageHeaders map[string][]string
-
-// swagger:parameters DeleteMessages
-type deleteMessagesParams struct {
-	// in: body
-	Body *deleteMessagesRequestBody
-}
-
-// Delete request
-// swagger:model DeleteRequest
-type deleteMessagesRequestBody struct {
-	// Array of message database IDs
-	//
-	// required: false
-	// example: ["5dec4247-812e-4b77-9101-e25ad406e9ea", "8ac66bbc-2d9a-4c41-ad99-00aa75fa674e"]
-	IDs []string `json:"ids"`
-}
-
-// swagger:parameters SetReadStatus
-type setReadStatusParams struct {
-	// in: body
-	Body *setReadStatusRequestBody
-}
-
-// Set read status request
-// swagger:model setReadStatusRequestBody
-type setReadStatusRequestBody struct {
-	// Read status
-	//
-	// required: false
-	// default: false
-	// example: true
-	Read bool `json:"read"`
-
-	// Array of message database IDs
-	//
-	// required: false
-	// example: ["5dec4247-812e-4b77-9101-e25ad406e9ea", "8ac66bbc-2d9a-4c41-ad99-00aa75fa674e"]
-	IDs []string `json:"ids"`
-}
-
-// swagger:parameters SetTags
-type setTagsParams struct {
-	// in: body
-	Body *setTagsRequestBody
-}
-
-// Set tags request
-// swagger:model setTagsRequestBody
-type setTagsRequestBody struct {
-	// Array of tag names to set
-	//
-	// required: true
-	// example: ["Tag 1", "Tag 2"]
-	Tags []string `json:"tags"`
-
-	// Array of message database IDs
-	//
-	// required: true
-	// example: ["5dec4247-812e-4b77-9101-e25ad406e9ea", "8ac66bbc-2d9a-4c41-ad99-00aa75fa674e"]
-	IDs []string `json:"ids"`
-}
-
-// swagger:parameters ReleaseMessage
-type releaseMessageParams struct {
-	// Message database ID
-	//
-	// in: path
-	// description: Message database ID
-	// required: true
-	ID string
-
-	// in: body
-	Body *releaseMessageRequestBody
-}
-
-// Release request
-// swagger:model releaseMessageRequestBody
-type releaseMessageRequestBody struct {
-	// Array of email addresses to relay the message to
-	//
-	// required: true
-	// example: ["user1@example.com", "user2@example.com"]
-	To []string `json:"to"`
-}
-
-// swagger:parameters HTMLCheck
-type htmlCheckParams struct {
-	// Message database ID or "latest"
-	//
-	// in: path
-	// description: Message database ID or "latest"
-	// required: true
-	ID string
-}
-
-// swagger:parameters LinkCheck
-type linkCheckParams struct {
-	// Message database ID or "latest"
-	//
-	// in: path
-	// description: Message database ID or "latest"
-	// required: true
-	ID string
-
-	// Follow redirects
-	//
-	// in: query
-	// description: Follow redirects
-	// required: false
-	// default: false
-	Follow string `json:"follow"`
-}
-
-// swagger:parameters SpamAssassinCheck
-type spamAssassinCheckParams struct {
-	// Message database ID or "latest"
-	//
-	// in: path
-	// description: Message database ID or "latest"
-	// required: true
-	ID string
-}
-
-// Binary data response inherits the attachment's content type
+// Binary data response which inherits the attachment's content type.
 // swagger:response BinaryResponse
 type binaryResponse string

@@ -168,10 +14,15 @@ type textResponse string
 // swagger:response HTMLResponse
 type htmlResponse string

-// HTTP error response will return with a >= 400 response code
+// Server error will return with a 400 status code
+// with the error message in the body
 // swagger:response ErrorResponse
 type errorResponse string

+// Not found error will return a 404 status code
+// swagger:response NotFoundResponse
+type notFoundResponse string
+
 // Plain text "ok" response
 // swagger:response OKResponse
 type okResponse string
@@ -179,3 +30,12 @@ type okResponse string
 // Plain JSON array response
 // swagger:response ArrayResponse
 type arrayResponse []string
+
+// JSON error response
+// swagger:response jsonErrorResponse
+type jsonErrorResponse struct {
+	// A JSON-encoded error response
+	//
+	// in: body
+	Body JSONErrorMessage
+}
--- a/server/apiv1/tags.go
+++ b/server/apiv1/tags.go
@@ -0,0 +1,203 @@
+package apiv1
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/axllent/mailpit/internal/storage"
+	"github.com/axllent/mailpit/server/websockets"
+	"github.com/gorilla/mux"
+)
+
+// GetAllTags (method: GET) will get all tags currently in use
+func GetAllTags(w http.ResponseWriter, _ *http.Request) {
+	// swagger:route GET /api/v1/tags tags GetAllTags
+	//
+	// # Get all current tags
+	//
+	// Returns a JSON array of all unique message tags.
+	//
+	//	Produces:
+	//	  - application/json
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: ArrayResponse
+	//    400: ErrorResponse
+
+	w.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(storage.GetAllTags()); err != nil {
+		httpError(w, err.Error())
+	}
+}
+
+// swagger:parameters SetTagsParams
+type setTagsParams struct {
+	// in: body
+	Body struct {
+		// Array of tag names to set
+		//
+		// required: true
+		// example: ["Tag 1", "Tag 2"]
+		Tags []string
+
+		// Array of message database IDs
+		//
+		// required: true
+		// example: ["4oRBnPtCXgAqZniRhzLNmS", "hXayS6wnCgNnt6aFTvmOF6"]
+		IDs []string
+	}
+}
+
+// SetMessageTags (method: PUT) will set the tags for all provided IDs
+func SetMessageTags(w http.ResponseWriter, r *http.Request) {
+	// swagger:route PUT /api/v1/tags tags SetTagsParams
+	//
+	// # Set message tags
+	//
+	// This will overwrite any existing tags for selected message database IDs. To remove all tags from a message, pass an empty tags array.
+	//
+	//	Consumes:
+	//	  - application/json
+	//
+	//	Produces:
+	//	  - text/plain
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: OKResponse
+	//    400: ErrorResponse
+
+	decoder := json.NewDecoder(r.Body)
+
+	var data struct {
+		Tags []string
+		IDs  []string
+	}
+
+	err := decoder.Decode(&data)
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	ids := data.IDs
+
+	if len(ids) > 0 {
+		for _, id := range ids {
+			if _, err := storage.SetMessageTags(id, data.Tags); err != nil {
+				httpError(w, err.Error())
+				return
+			}
+		}
+	}
+
+	w.Header().Add("Content-Type", "text/plain")
+	_, _ = w.Write([]byte("ok"))
+}
+
+// swagger:parameters RenameTagParams
+type renameTagParams struct {
+	// The url-encoded tag name to rename
+	//
+	// in: path
+	// required: true
+	// type: string
+	Tag string
+
+	// in: body
+	Body struct {
+		// New name
+		//
+		// required: true
+		// example: New name
+		Name string
+	}
+}
+
+// RenameTag (method: PUT) used to rename a tag
+func RenameTag(w http.ResponseWriter, r *http.Request) {
+	// swagger:route PUT /api/v1/tags/{Tag} tags RenameTagParams
+	//
+	// # Rename a tag
+	//
+	// Renames an existing tag.
+	//
+	//	Produces:
+	//	  - text/plain
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: OKResponse
+	//    400: ErrorResponse
+
+	vars := mux.Vars(r)
+
+	tag := vars["tag"]
+
+	decoder := json.NewDecoder(r.Body)
+
+	var data struct {
+		Name string
+	}
+
+	err := decoder.Decode(&data)
+	if err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	if err := storage.RenameTag(tag, data.Name); err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	websockets.Broadcast("prune", nil)
+
+	w.Header().Add("Content-Type", "text/plain")
+	_, _ = w.Write([]byte("ok"))
+}
+
+// swagger:parameters DeleteTagParams
+type deleteTagParams struct {
+	// The url-encoded tag name to delete
+	//
+	// in: path
+	// required: true
+	Tag string
+}
+
+// DeleteTag (method: DELETE) used to delete a tag
+func DeleteTag(w http.ResponseWriter, r *http.Request) {
+	// swagger:route DELETE /api/v1/tags/{Tag} tags DeleteTagParams
+	//
+	// # Delete a tag
+	//
+	// Deletes a tag. This will not delete any messages with the tag, but will remove the tag from any messages containing the tag.
+	//
+	//	Produces:
+	//	  - text/plain
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//	  200: OKResponse
+	//    400: ErrorResponse
+
+	vars := mux.Vars(r)
+
+	tag := vars["tag"]
+
+	if err := storage.DeleteTag(tag); err != nil {
+		httpError(w, err.Error())
+		return
+	}
+
+	websockets.Broadcast("prune", nil)
+
+	w.Header().Add("Content-Type", "text/plain")
+	_, _ = w.Write([]byte("ok"))
+}
--- a/server/apiv1/testing.go
+++ b/server/apiv1/testing.go
@@ -0,0 +1,157 @@
+package apiv1
+
+import (
+	"fmt"
+	"net/http"
+	"regexp"
+	"strings"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/storage"
+	"github.com/gorilla/mux"
+)
+
+// swagger:parameters GetMessageHTMLParams
+type getMessageHTMLParams struct {
+	// Message database ID or "latest"
+	//
+	// in: path
+	// required: true
+	ID string
+}
+
+// GetMessageHTML (method: GET) returns a rendered version of a message's HTML part
+func GetMessageHTML(w http.ResponseWriter, r *http.Request) {
+	// swagger:route GET /view/{ID}.html testing GetMessageHTMLParams
+	//
+	// # Render message HTML part
+	//
+	// Renders just the message's HTML part which can be used for UI integration testing.
+	// Attached inline images are modified to link to the API provided they exist.
+	// Note that is the message does not contain a HTML part then an 404 error is returned.
+	//
+	// The ID can be set to `latest` to return the latest message.
+	//
+	//	Produces:
+	//	- text/html
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//		200: HTMLResponse
+	//		400: ErrorResponse
+	//      404: NotFoundResponse
+
+	vars := mux.Vars(r)
+
+	id := vars["id"]
+
+	if id == "latest" {
+		var err error
+		id, err = storage.LatestID(r)
+		if err != nil {
+			w.WriteHeader(404)
+			fmt.Fprint(w, err.Error())
+			return
+		}
+	}
+
+	msg, err := storage.GetMessage(id)
+	if err != nil {
+		w.WriteHeader(404)
+		fmt.Fprint(w, "Message not found")
+		return
+	}
+	if msg.HTML == "" {
+		w.WriteHeader(404)
+		fmt.Fprint(w, "This message does not contain a HTML part")
+		return
+	}
+
+	html := linkInlineImages(msg)
+	w.Header().Add("Content-Type", "text/html; charset=utf-8")
+	_, _ = w.Write([]byte(html))
+}
+
+// swagger:parameters GetMessageTextParams
+type getMessageTextParams struct {
+	// Message database ID or "latest"
+	//
+	// in: path
+	// required: true
+	ID string
+}
+
+// GetMessageText (method: GET) returns a message's text part
+func GetMessageText(w http.ResponseWriter, r *http.Request) {
+	// swagger:route GET /view/{ID}.txt testing GetMessageTextParams
+	//
+	// # Render message text part
+	//
+	// Renders just the message's text part which can be used for UI integration testing.
+	//
+	// The ID can be set to `latest` to return the latest message.
+	//
+	//	Produces:
+	//	- text/plain
+	//
+	//	Schemes: http, https
+	//
+	//	Responses:
+	//		200: TextResponse
+	//		400: ErrorResponse
+	//      404: NotFoundResponse
+
+	vars := mux.Vars(r)
+
+	id := vars["id"]
+
+	if id == "latest" {
+		var err error
+		id, err = storage.LatestID(r)
+		if err != nil {
+			w.WriteHeader(404)
+			fmt.Fprint(w, err.Error())
+			return
+		}
+	}
+
+	msg, err := storage.GetMessage(id)
+	if err != nil {
+		w.WriteHeader(404)
+		fmt.Fprint(w, "Message not found")
+		return
+	}
+
+	w.Header().Add("Content-Type", "text/plain; charset=utf-8")
+	_, _ = w.Write([]byte(msg.Text))
+}
+
+// This will rewrite all inline image paths to API URLs
+func linkInlineImages(msg *storage.Message) string {
+	html := msg.HTML
+
+	for _, a := range msg.Inline {
+		if a.ContentID != "" {
+			re := regexp.MustCompile(`(?i)(=["\']?)(cid:` + regexp.QuoteMeta(a.ContentID) + `)(["|\'|\\s|\\/|>|;])`)
+			u := config.Webroot + "api/v1/message/" + msg.ID + "/part/" + a.PartID
+			matches := re.FindAllStringSubmatch(html, -1)
+			for _, m := range matches {
+				html = strings.ReplaceAll(html, m[0], m[1]+u+m[3])
+			}
+		}
+	}
+
+	for _, a := range msg.Attachments {
+		if a.ContentID != "" {
+			re := regexp.MustCompile(`(?i)(=["\']?)(cid:` + regexp.QuoteMeta(a.ContentID) + `)(["|\'|\\s|\\/|>|;])`)
+			u := config.Webroot + "api/v1/message/" + msg.ID + "/part/" + a.PartID
+			matches := re.FindAllStringSubmatch(html, -1)
+			for _, m := range matches {
+				html = strings.ReplaceAll(html, m[0], m[1]+u+m[3])
+			}
+		}
+	}
+
+	return html
+}
--- a/server/apiv1/thumbnails.go
+++ b/server/apiv1/thumbnails.go
@@ -12,9 +12,9 @@ import (

 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/storage"
-	"github.com/disintegration/imaging"
 	"github.com/gorilla/mux"
 	"github.com/jhillyerd/enmime"
+	"github.com/kovidgoyal/imaging"
 )

 var (
@@ -22,35 +22,41 @@ var (
 	thumbHeight = 120
 )

+// swagger:parameters ThumbnailParams
+type thumbnailParams struct {
+	// Message database ID or "latest"
+	//
+	// in: path
+	// required: true
+	ID string
+
+	// Attachment part ID
+	//
+	// in: path
+	// required: true
+	PartID string
+}
+
 // Thumbnail returns a thumbnail image for an attachment (images only)
 func Thumbnail(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /api/v1/message/{ID}/part/{PartID}/thumb message Thumbnail
+	// swagger:route GET /api/v1/message/{ID}/part/{PartID}/thumb message ThumbnailParams
 	//
 	// # Get an attachment image thumbnail
 	//
 	// This will return a cropped 180x120 JPEG thumbnail of an image attachment.
 	// If the image is smaller than 180x120 then the image is padded. If the attachment is not an image then a blank image is returned.
 	//
+	// The ID can be set to `latest` to return the latest message.
+	//
 	//	Produces:
-	//	- image/jpeg
+	//	  - image/jpeg
 	//
 	//	Schemes: http, https
 	//
-	//	Parameters:
-	//	  + name: ID
-	//	    in: path
-	//	    description: Database ID
-	//	    required: true
-	//	    type: string
-	//	  + name: PartID
-	//	    in: path
-	//	    description: Attachment part ID
-	//	    required: true
-	//	    type: string
-	//
 	//	Responses:
-	//		200: BinaryResponse
-	//		default: ErrorResponse
+	//	  200: BinaryResponse
+	//    400: ErrorResponse
+
 	vars := mux.Vars(r)

 	id := vars["id"]
@@ -74,7 +80,7 @@ func Thumbnail(w http.ResponseWriter, r *http.Request) {

 	buf := bytes.NewBuffer(a.Content)

-	img, err := imaging.Decode(buf)
+	img, err := imaging.Decode(buf, imaging.AutoOrientation(true))
 	if err != nil {
 		// it's not an image, return default
 		logger.Log().Warnf("[image] %s", err.Error())
@@ -114,7 +120,7 @@ func blankImage(a *enmime.Part, w http.ResponseWriter) {
 	rect := image.Rect(0, 0, thumbWidth, thumbHeight)
 	img := image.NewRGBA(rect)
 	background := color.RGBA{255, 255, 255, 255}
-	draw.Draw(img, img.Bounds(), &image.Uniform{background}, image.ZP, draw.Src)
+	draw.Draw(img, img.Bounds(), &image.Uniform{background}, image.Point{}, draw.Src)
 	var b bytes.Buffer
 	foo := bufio.NewWriter(&b)
 	dstImageFill := imaging.Fill(img, thumbWidth, thumbHeight, imaging.Center, imaging.Lanczos)
--- a/server/apiv1/webui.go
+++ b/server/apiv1/webui.go
@@ -1,71 +0,0 @@
-package apiv1
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"github.com/axllent/mailpit/config"
-)
-
-// Response includes global web UI settings
-//
-// swagger:model WebUIConfiguration
-type webUIConfiguration struct {
-	// Message Relay information
-	MessageRelay struct {
-		// Whether message relaying (release) is enabled
-		Enabled bool
-		// The configured SMTP server address
-		SMTPServer string
-		// Enforced Return-Path (if set) for relay bounces
-		ReturnPath string
-		// Allowlist of accepted recipients
-		RecipientAllowlist string
-	}
-
-	// Whether the HTML check has been globally disabled
-	DisableHTMLCheck bool
-
-	// Whether SpamAssassin is enabled
-	SpamAssassin bool
-
-	// Whether messages with duplicate IDs are ignored
-	DuplicatesIgnored bool
-}
-
-// WebUIConfig returns configuration settings for the web UI.
-func WebUIConfig(w http.ResponseWriter, _ *http.Request) {
-	// swagger:route GET /api/v1/webui application WebUIConfiguration
-	//
-	// # Get web UI configuration
-	//
-	// Returns configuration settings for the web UI.
-	// Intended for web UI only!
-	//
-	//	Produces:
-	//	- application/json
-	//
-	//	Schemes: http, https
-	//
-	//	Responses:
-	//		200: WebUIConfigurationResponse
-	//		default: ErrorResponse
-	conf := webUIConfiguration{}
-
-	conf.MessageRelay.Enabled = config.ReleaseEnabled
-	if config.ReleaseEnabled {
-		conf.MessageRelay.SMTPServer = fmt.Sprintf("%s:%d", config.SMTPRelayConfig.Host, config.SMTPRelayConfig.Port)
-		conf.MessageRelay.ReturnPath = config.SMTPRelayConfig.ReturnPath
-		conf.MessageRelay.RecipientAllowlist = config.SMTPRelayConfig.RecipientAllowlist
-	}
-
-	conf.DisableHTMLCheck = config.DisableHTMLCheck
-	conf.SpamAssassin = config.EnableSpamAssassin != ""
-	conf.DuplicatesIgnored = config.IgnoreDuplicateIDs
-
-	bytes, _ := json.Marshal(conf)
-
-	w.Header().Add("Content-Type", "application/json")
-	_, _ = w.Write(bytes)
-}
--- a/server/handlers/k8sready.go
+++ b/server/handlers/k8sready.go
@@ -3,12 +3,14 @@ package handlers
 import (
 	"net/http"
 	"sync/atomic"
+
+	"github.com/axllent/mailpit/internal/storage"
 )

 // ReadyzHandler is a ready probe that signals k8s to be able to retrieve traffic
 func ReadyzHandler(isReady *atomic.Value) http.HandlerFunc {
 	return func(w http.ResponseWriter, _ *http.Request) {
-		if isReady == nil || !isReady.Load().(bool) {
+		if isReady == nil || !isReady.Load().(bool) || storage.Ping() != nil {
 			http.Error(w, http.StatusText(http.StatusServiceUnavailable), http.StatusServiceUnavailable)
 			return
 		}
--- a/server/handlers/messages.go
+++ b/server/handlers/messages.go
@@ -1,15 +1,12 @@
 package handlers

 import (
-	"fmt"
 	"net/http"
 	"net/url"
-	"regexp"
 	"strings"

 	"github.com/axllent/mailpit/config"
 	"github.com/axllent/mailpit/internal/storage"
-	"github.com/gorilla/mux"
 )

 // RedirectToLatestMessage (method: GET) redirects the web UI to the latest message
@@ -19,13 +16,13 @@ func RedirectToLatestMessage(w http.ResponseWriter, r *http.Request) {

 	search := strings.TrimSpace(r.URL.Query().Get("query"))
 	if search != "" {
-		messages, _, err = storage.Search(search, 0, 1)
+		messages, _, err = storage.Search(search, "", 0, 0, 1)
 		if err != nil {
 			httpError(w, err.Error())
 			return
 		}
 	} else {
-		messages, err = storage.List(0, 1)
+		messages, err = storage.List(0, 0, 1)
 		if err != nil {
 			httpError(w, err.Error())
 			return
@@ -44,142 +41,3 @@ func RedirectToLatestMessage(w http.ResponseWriter, r *http.Request) {

 	http.Redirect(w, r, uri, 302)
 }
-
-// GetMessageHTML (method: GET) returns a rendered version of a message's HTML part
-func GetMessageHTML(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /view/{ID}.html testing GetMessageHTML
-	//
-	// # Render message HTML part
-	//
-	// Renders just the message's HTML part which can be used for UI integration testing.
-	// Attached inline images are modified to link to the API provided they exist.
-	// Note that is the message does not contain a HTML part then an 404 error is returned.
-	//
-	// The ID can be set to `latest` to return the latest message.
-	//
-	//	Produces:
-	//	- text/html
-	//
-	//	Schemes: http, https
-	//
-	//	Parameters:
-	//	  + name: ID
-	//	    in: path
-	//	    description: Database ID or latest
-	//	    required: true
-	//	    type: string
-	//
-	//	Responses:
-	//		200: HTMLResponse
-	//		default: ErrorResponse
-
-	vars := mux.Vars(r)
-
-	id := vars["id"]
-
-	if id == "latest" {
-		var err error
-		id, err = storage.LatestID(r)
-		if err != nil {
-			w.WriteHeader(404)
-			fmt.Fprint(w, err.Error())
-			return
-		}
-	}
-
-	msg, err := storage.GetMessage(id)
-	if err != nil {
-		w.WriteHeader(404)
-		fmt.Fprint(w, "Message not found")
-		return
-	}
-	if msg.HTML == "" {
-		w.WriteHeader(404)
-		fmt.Fprint(w, "This message does not contain a HTML part")
-		return
-	}
-
-	html := linkInlineImages(msg)
-	w.Header().Add("Content-Type", "text/html; charset=utf-8")
-	_, _ = w.Write([]byte(html))
-}
-
-// GetMessageText (method: GET) returns a message's text part
-func GetMessageText(w http.ResponseWriter, r *http.Request) {
-	// swagger:route GET /view/{ID}.txt testing GetMessageText
-	//
-	// # Render message text part
-	//
-	// Renders just the message's text part which can be used for UI integration testing.
-	//
-	// The ID can be set to `latest` to return the latest message.
-	//
-	//	Produces:
-	//	- text/plain
-	//
-	//	Schemes: http, https
-	//
-	//	Parameters:
-	//	  + name: ID
-	//	    in: path
-	//	    description: Database ID or latest
-	//	    required: true
-	//	    type: string
-	//
-	//	Responses:
-	//		200: TextResponse
-	//		default: ErrorResponse
-
-	vars := mux.Vars(r)
-
-	id := vars["id"]
-
-	if id == "latest" {
-		var err error
-		id, err = storage.LatestID(r)
-		if err != nil {
-			w.WriteHeader(404)
-			fmt.Fprint(w, err.Error())
-			return
-		}
-	}
-
-	msg, err := storage.GetMessage(id)
-	if err != nil {
-		w.WriteHeader(404)
-		fmt.Fprint(w, "Message not found")
-		return
-	}
-
-	w.Header().Add("Content-Type", "text/plain; charset=utf-8")
-	_, _ = w.Write([]byte(msg.Text))
-}
-
-// This will rewrite all inline image paths to API URLs
-func linkInlineImages(msg *storage.Message) string {
-	html := msg.HTML
-
-	for _, a := range msg.Inline {
-		if a.ContentID != "" {
-			re := regexp.MustCompile(`(?i)(=["\']?)(cid:` + regexp.QuoteMeta(a.ContentID) + `)(["|\'|\\s|\\/|>|;])`)
-			u := config.Webroot + "api/v1/message/" + msg.ID + "/part/" + a.PartID
-			matches := re.FindAllStringSubmatch(html, -1)
-			for _, m := range matches {
-				html = strings.ReplaceAll(html, m[0], m[1]+u+m[3])
-			}
-		}
-	}
-
-	for _, a := range msg.Attachments {
-		if a.ContentID != "" {
-			re := regexp.MustCompile(`(?i)(=["\']?)(cid:` + regexp.QuoteMeta(a.ContentID) + `)(["|\'|\\s|\\/|>|;])`)
-			u := config.Webroot + "api/v1/message/" + msg.ID + "/part/" + a.PartID
-			matches := re.FindAllStringSubmatch(html, -1)
-			for _, m := range matches {
-				html = strings.ReplaceAll(html, m[0], m[1]+u+m[3])
-			}
-		}
-	}
-
-	return html
-}
--- a/server/pop3/functions.go
+++ b/server/pop3/functions.go
@@ -9,6 +9,7 @@ import (
 	"github.com/axllent/mailpit/internal/auth"
 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/storage"
+	"github.com/axllent/mailpit/server/websockets"
 )

 func authUser(username, password string) bool {
@@ -19,6 +20,11 @@ func authUser(username, password string) bool {
 func sendResponse(c net.Conn, m string) {
 	fmt.Fprintf(c, "%s\r\n", m)
 	logger.Log().Debugf("[pop3] response: %s", m)
+
+	if strings.HasPrefix(m, "-ERR ") {
+		sub, _ := strings.CutPrefix(m, "-ERR ")
+		websockets.BroadCastClientError("error", "pop3", c.RemoteAddr().String(), sub)
+	}
 }

 // Send a response without debug logging (for data)
@@ -26,9 +32,10 @@ func sendData(c net.Conn, m string) {
 	fmt.Fprintf(c, "%s\r\n", m)
 }

+// Get the latest 100 messages
 func getMessages() ([]message, error) {
 	messages := []message{}
-	list, err := storage.List(0, 100)
+	list, err := storage.List(0, 0, 100)
 	if err != nil {
 		return messages, err
 	}
@@ -72,5 +79,6 @@ func getSafeArg(args []string, nr int) (string, error) {
 	if nr < len(args) {
 		return args[nr], nil
 	}
-	return "", errors.New("Out of range")
+
+	return "", errors.New("-ERR out of range")
 }
--- a/server/pop3/pop3.go
+++ b/server/pop3/pop3.go
@@ -1,314 +0,0 @@
-// Package pop3 is a simple POP3 server for Mailpit.
-// By default it is disabled unless password credentials have been loaded.
-//
-// References: https://github.com/r0stig/golang-pop3 | https://github.com/inbucket/inbucket
-// See RFC: https://datatracker.ietf.org/doc/html/rfc1939
-package pop3
-
-import (
-	"bufio"
-	"crypto/tls"
-	"fmt"
-	"net"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/axllent/mailpit/config"
-	"github.com/axllent/mailpit/internal/auth"
-	"github.com/axllent/mailpit/internal/logger"
-	"github.com/axllent/mailpit/internal/storage"
-	"github.com/axllent/mailpit/server/websockets"
-)
-
-const (
-	// UNAUTHORIZED state
-	UNAUTHORIZED = 1
-	// TRANSACTION state
-	TRANSACTION = 2
-	// UPDATE state
-	UPDATE = 3
-)
-
-// Run will start the pop3 server if enabled
-func Run() {
-	if auth.POP3Credentials == nil || config.POP3Listen == "" {
-		// POP3 server is disabled without authentication
-		return
-	}
-
-	var listener net.Listener
-	var err error
-
-	if config.POP3TLSCert != "" {
-		cer, err := tls.LoadX509KeyPair(config.POP3TLSCert, config.POP3TLSKey)
-		if err != nil {
-			logger.Log().Errorf("[pop3] %s", err.Error())
-			return
-		}
-
-		tlsConfig := &tls.Config{
-			Certificates: []tls.Certificate{cer},
-			MinVersion:   tls.VersionTLS12,
-		}
-
-		listener, err = tls.Listen("tcp", config.POP3Listen, tlsConfig)
-	} else {
-		// unencrypted
-		listener, err = net.Listen("tcp", config.POP3Listen)
-	}
-
-	if err != nil {
-		logger.Log().Errorf("[pop3] %s", err.Error())
-		return
-	}
-
-	logger.Log().Infof("[pop3] starting on %s", config.POP3Listen)
-
-	for {
-		conn, err := listener.Accept()
-		if err != nil {
-			continue
-		}
-
-		// run as goroutine
-		go handleClient(conn)
-	}
-}
-
-type message struct {
-	ID   string
-	Size int
-}
-
-func handleClient(conn net.Conn) {
-
-	var (
-		user     = ""
-		state    = 1
-		toDelete = []string{}
-	)
-
-	defer func() {
-		if state == UPDATE {
-			for _, id := range toDelete {
-				_ = storage.DeleteOneMessage(id)
-			}
-			if len(toDelete) > 0 {
-				// update web UI to remove deleted messages
-				websockets.Broadcast("prune", nil)
-			}
-		}
-
-		if err := conn.Close(); err != nil {
-			logger.Log().Errorf("[pop3] %s", err.Error())
-		}
-	}()
-
-	reader := bufio.NewReader(conn)
-
-	messages := []message{}
-
-	// State
-	// 1 = Unauthorized
-	// 2 = Transaction mode
-	// 3 = update mode
-
-	logger.Log().Debugf("[pop3] connection opened by %s", conn.RemoteAddr().String())
-
-	// First welcome the new connection
-	sendResponse(conn, "+OK Mailpit POP3 server")
-
-	timeoutDuration := 30 * time.Second
-
-	for {
-		// POP3 server enforced a timeout of 30 seconds
-		if err := conn.SetDeadline(time.Now().Add(timeoutDuration)); err != nil {
-			logger.Log().Errorf("[pop3] %s", err.Error())
-			return
-		}
-
-		// Reads a line from the client
-		rawLine, err := reader.ReadString('\n')
-		if err != nil {
-			logger.Log().Errorf("[pop3] %s", err.Error())
-			return
-		}
-
-		// Parses the command
-		cmd, args := getCommand(rawLine)
-
-		logger.Log().Debugf("[pop3] received: %s (%s)", strings.TrimSpace(rawLine), conn.RemoteAddr().String())
-
-		if cmd == "CAPA" {
-			// List our capabilities per RFC2449
-			sendResponse(conn, "+OK Capability list follows")
-			sendResponse(conn, "TOP")
-			sendResponse(conn, "USER")
-			sendResponse(conn, "UIDL")
-			sendResponse(conn, "IMPLEMENTATION Mailpit")
-			sendResponse(conn, ".")
-			continue
-		} else if cmd == "USER" && state == UNAUTHORIZED {
-			if len(args) != 1 {
-				sendResponse(conn, "-ERR must supply a user")
-				return
-			}
-			// always true - stash for PASS
-			sendResponse(conn, "+OK")
-			user = args[0]
-
-		} else if cmd == "PASS" && state == UNAUTHORIZED {
-			if len(args) != 1 {
-				sendResponse(conn, "-ERR must supply a password")
-				return
-			}
-
-			pass := args[0]
-			if authUser(user, pass) {
-				sendResponse(conn, "+OK signed in")
-				messages, err = getMessages()
-				if err != nil {
-					logger.Log().Errorf("[pop3] %s", err.Error())
-				}
-				state = 2
-			} else {
-				sendResponse(conn, "-ERR invalid password")
-				logger.Log().Warnf("[pop3] failed login: %s", user)
-			}
-
-		} else if cmd == "STAT" && state == TRANSACTION {
-			totalSize := 0
-			for _, m := range messages {
-				totalSize = totalSize + m.Size
-			}
-
-			sendResponse(conn, fmt.Sprintf("+OK %d %d", len(messages), totalSize))
-
-		} else if cmd == "LIST" && state == TRANSACTION {
-			totalSize := 0
-			for _, m := range messages {
-				totalSize = totalSize + m.Size
-			}
-			sendData(conn, fmt.Sprintf("+OK %d messages (%d octets)", len(messages), totalSize))
-
-			// print all sizes
-			for row, m := range messages {
-				sendData(conn, fmt.Sprintf("%d %d", row+1, m.Size))
-			}
-			// end
-			sendData(conn, ".")
-
-		} else if cmd == "UIDL" && state == TRANSACTION {
-			totalSize := 0
-			for _, m := range messages {
-				totalSize = totalSize + m.Size
-			}
-
-			sendData(conn, "+OK unique-id listing follows")
-
-			// print all message IDS
-			for row, m := range messages {
-				sendData(conn, fmt.Sprintf("%d %s", row+1, m.ID))
-			}
-			// end
-			sendData(conn, ".")
-
-		} else if cmd == "RETR" && state == TRANSACTION {
-			if len(args) != 1 {
-				sendResponse(conn, "-ERR no such message")
-				return
-			}
-
-			nr, err := strconv.Atoi(args[0])
-			if err != nil {
-				sendResponse(conn, "-ERR no such message")
-				return
-			}
-
-			if nr < 1 || nr > len(messages) {
-				sendResponse(conn, "-ERR no such message")
-				return
-			}
-
-			m := messages[nr-1]
-			raw, err := storage.GetMessageRaw(m.ID)
-			if err != nil {
-				sendResponse(conn, "-ERR no such message")
-				return
-			}
-
-			size := len(raw)
-			sendData(conn, fmt.Sprintf("+OK %d octets", size))
-			sendData(conn, string(raw))
-			sendData(conn, ".")
-
-		} else if cmd == "TOP" && state == TRANSACTION {
-			arg, err := getSafeArg(args, 0)
-			if err != nil {
-				sendResponse(conn, "-ERR TOP requires two arguments")
-				return
-			}
-			nr, err := strconv.Atoi(arg)
-			if err != nil {
-				sendResponse(conn, "-ERR TOP requires two arguments")
-				return
-			}
-
-			if nr < 1 || nr > len(messages) {
-				sendResponse(conn, "-ERR no such message")
-				return
-			}
-			arg2, err := getSafeArg(args, 1)
-			if err != nil {
-				sendResponse(conn, "-ERR TOP requires two arguments")
-				return
-			}
-
-			lines, err := strconv.Atoi(arg2)
-			if err != nil {
-				sendResponse(conn, "-ERR TOP requires two arguments")
-				return
-			}
-
-			m := messages[nr-1]
-			headers, body, err := getTop(m.ID, lines)
-
-			sendData(conn, "+OK Top of message follows")
-			sendData(conn, headers+"\r\n")
-			sendData(conn, body)
-			sendData(conn, ".")
-
-		} else if cmd == "NOOP" && state == TRANSACTION {
-			sendData(conn, "+OK")
-		} else if cmd == "DELE" && state == TRANSACTION {
-			arg, _ := getSafeArg(args, 0)
-			nr, err := strconv.Atoi(arg)
-			if err != nil {
-				logger.Log().Warnf("[pop3] -ERR invalid DELETE integer: %s", arg)
-				sendResponse(conn, "-ERR invalid integer")
-				return
-			}
-
-			if nr < 1 || nr > len(messages) {
-				logger.Log().Warnf("[pop3] -ERR no such message")
-				sendResponse(conn, "-ERR no such message")
-				return
-			}
-			toDelete = append(toDelete, messages[nr-1].ID)
-
-			sendResponse(conn, "+OK")
-
-		} else if cmd == "RSET" && state == TRANSACTION {
-			toDelete = []string{}
-			sendData(conn, "+OK")
-
-		} else if cmd == "QUIT" {
-			state = UPDATE
-			return
-		} else {
-			logger.Log().Warnf("[pop3] -ERR %s not implemented", cmd)
-			sendResponse(conn, fmt.Sprintf("-ERR %s not implemented", cmd))
-		}
-	}
-}
--- a/server/pop3/pop3_test.go
+++ b/server/pop3/pop3_test.go
@@ -0,0 +1,365 @@
+package pop3
+
+import (
+	"bytes"
+	"fmt"
+	"math/rand/v2"
+	"net"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/auth"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/pop3client"
+	"github.com/axllent/mailpit/internal/storage"
+	"github.com/jhillyerd/enmime"
+)
+
+var (
+	testingPort int
+)
+
+func TestPOP3(t *testing.T) {
+	t.Log("Testing POP3 server")
+	setup()
+	defer storage.Close()
+
+	// connect with bad password
+	t.Log("Testing invalid login")
+	c, err := connectBadAuth()
+	if err == nil {
+		t.Error("invalid login gained access")
+		return
+	}
+
+	t.Log("Testing valid login")
+	c, err = connectAuth()
+	if err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	count, size, err := c.Stat()
+	if err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	assertEqual(t, count, 0, "incorrect message count")
+	assertEqual(t, size, 0, "incorrect size")
+
+	// quit else we get old data
+	if err := c.Quit(); err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	t.Log("Inserting 50 messages")
+
+	insertEmailData(t) // insert 50 messages
+
+	c, err = connectAuth()
+	if err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	count, _, err = c.Stat()
+	if err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	assertEqual(t, count, 50, "incorrect message count")
+
+	t.Log("Fetching 20 messages")
+
+	for i := 1; i <= 20; i++ {
+		_, err := c.Retr(i)
+		if err != nil {
+			t.Errorf(err.Error())
+			return
+		}
+	}
+
+	t.Log("Deleting 25 messages")
+
+	for i := 1; i <= 25; i++ {
+		if err := c.Dele(i); err != nil {
+			t.Errorf(err.Error())
+			return
+		}
+	}
+
+	// messages get deleted after a QUIT
+	if err := c.Quit(); err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	c, err = connectAuth()
+	if err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	t.Log("Fetching message count")
+
+	count, _, err = c.Stat()
+	if err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	assertEqual(t, count, 25, "incorrect message count")
+
+	// messages get deleted after a QUIT
+	if err := c.Quit(); err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	c, err = connectAuth()
+	if err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	t.Log("Deleting 25 messages")
+
+	for i := 1; i <= 25; i++ {
+		if err := c.Dele(i); err != nil {
+			t.Errorf(err.Error())
+			return
+		}
+	}
+
+	t.Log("Undeleting messages")
+
+	if err := c.Rset(); err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	if err := c.Quit(); err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	c, err = connectAuth()
+	if err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	count, _, err = c.Stat()
+	if err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	assertEqual(t, count, 25, "incorrect message count")
+
+	if err := c.Quit(); err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+}
+
+func TestAuthentication(t *testing.T) {
+	// commands only allowed after authentication
+	authCommands := make(map[string]bool)
+	authCommands["STAT"] = false
+	authCommands["LIST"] = true
+	authCommands["NOOP"] = false
+	authCommands["RSET"] = false
+	authCommands["RETR 1"] = true
+
+	t.Log("Testing authenticated commands while not logged in")
+	setup()
+	defer storage.Close()
+
+	insertEmailData(t) // insert 50 messages
+
+	// non-authenticated connection
+	c, err := connect()
+	if err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	for cmd, multi := range authCommands {
+		if _, err := c.Cmd(cmd, multi); err == nil {
+			t.Errorf("%s should require authentication", cmd)
+			return
+		}
+
+		if _, err := c.Cmd(strings.ToLower(cmd), multi); err == nil {
+			t.Errorf("%s should require authentication", cmd)
+			return
+		}
+	}
+
+	if err := c.Quit(); err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	t.Log("Testing authenticated commands while logged in")
+
+	// authenticated connection
+	c, err = connectAuth()
+	if err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	for cmd, multi := range authCommands {
+		if _, err := c.Cmd(cmd, multi); err != nil {
+			t.Errorf("%s should work when authenticated", cmd)
+			return
+		}
+
+		if _, err := c.Cmd(strings.ToLower(cmd), multi); err != nil {
+			t.Errorf("%s should work when authenticated", cmd)
+			return
+		}
+	}
+
+	if err := c.Quit(); err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+}
+
+func setup() {
+	auth.SetPOP3Auth("username:password")
+	logger.NoLogging = true
+	config.MaxMessages = 0
+	config.Database = os.Getenv("MP_DATABASE")
+	var foundPort bool
+	for !foundPort {
+		testingPort = randRange(1111, 2000)
+		if portFree(testingPort) {
+			foundPort = true
+		}
+	}
+
+	config.POP3Listen = fmt.Sprintf("localhost:%d", testingPort)
+
+	if err := storage.InitDB(); err != nil {
+		panic(err)
+	}
+
+	if err := storage.DeleteAllMessages(); err != nil {
+		panic(err)
+	}
+
+	go Run()
+
+	time.Sleep(time.Second)
+}
+
+// connect and authenticate
+func connectAuth() (*pop3client.Conn, error) {
+	c, err := connect()
+	if err != nil {
+		return c, err
+	}
+
+	err = c.Auth("username", "password")
+
+	return c, err
+}
+
+// connect and authenticate
+func connectBadAuth() (*pop3client.Conn, error) {
+	c, err := connect()
+	if err != nil {
+		return c, err
+	}
+
+	err = c.Auth("username", "notPassword")
+
+	return c, err
+}
+
+// connect but do not authenticate
+func connect() (*pop3client.Conn, error) {
+	p := pop3client.New(pop3client.Opt{
+		Host:       "localhost",
+		Port:       testingPort,
+		TLSEnabled: false,
+	})
+
+	c, err := p.NewConn()
+	if err != nil {
+		return c, err
+	}
+
+	return c, err
+}
+
+func portFree(port int) bool {
+	ln, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", port))
+	if err != nil {
+		return false
+	}
+
+	if err := ln.Close(); err != nil {
+		panic(err)
+	}
+
+	return true
+}
+
+func randRange(min, max int) int {
+	return rand.IntN(max-min) + min
+}
+
+func insertEmailData(t *testing.T) {
+	for i := 0; i < 50; i++ {
+		msg := enmime.Builder().
+			From(fmt.Sprintf("From %d", i), fmt.Sprintf("from-%d@example.com", i)).
+			Subject(fmt.Sprintf("Subject line %d end", i)).
+			Text([]byte(fmt.Sprintf("This is the email body %d <jdsauk;dwqmdqw;>.", i))).
+			To(fmt.Sprintf("To %d", i), fmt.Sprintf("to-%d@example.com", i))
+
+		env, err := msg.Build()
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		buf := new(bytes.Buffer)
+
+		if err := env.Encode(buf); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		bufBytes := buf.Bytes()
+
+		id, err := storage.Store(&bufBytes)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		if _, err := storage.SetMessageTags(id, []string{fmt.Sprintf("Test tag %03d", i)}); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+	}
+}
+
+func assertEqual(t *testing.T, a interface{}, b interface{}, message string) {
+	if a == b {
+		return
+	}
+	message = fmt.Sprintf("%s: \"%v\" != \"%v\"", message, a, b)
+	t.Fatal(message)
+}
--- a/server/pop3/server.go
+++ b/server/pop3/server.go
@@ -0,0 +1,319 @@
+// Package pop3 is a simple POP3 server for Mailpit.
+// By default it is disabled unless password credentials have been loaded.
+//
+// References: https://github.com/r0stig/golang-pop3 | https://github.com/inbucket/inbucket
+// See RFC: https://datatracker.ietf.org/doc/html/rfc1939
+package pop3
+
+import (
+	"bufio"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/auth"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/storage"
+	"github.com/axllent/mailpit/server/websockets"
+)
+
+const (
+	// AUTHORIZATION is the initial state
+	AUTHORIZATION = 1
+	// TRANSACTION is the state after login
+	TRANSACTION = 2
+	// UPDATE is the state before closing
+	UPDATE = 3
+)
+
+// Run will start the POP3 server if enabled
+func Run() {
+	if auth.POP3Credentials == nil || config.POP3Listen == "" {
+		// POP3 server is disabled without authentication
+		return
+	}
+
+	var listener net.Listener
+	var err error
+
+	if config.POP3TLSCert != "" {
+		cer, err2 := tls.LoadX509KeyPair(config.POP3TLSCert, config.POP3TLSKey)
+		if err2 != nil {
+			logger.Log().Errorf("[pop3] %s", err2.Error())
+			return
+		}
+
+		tlsConfig := &tls.Config{
+			Certificates: []tls.Certificate{cer},
+			MinVersion:   tls.VersionTLS12,
+		}
+
+		listener, err = tls.Listen("tcp", config.POP3Listen, tlsConfig)
+	} else {
+		// unencrypted
+		listener, err = net.Listen("tcp", config.POP3Listen)
+	}
+
+	if err != nil {
+		logger.Log().Errorf("[pop3] %s", err.Error())
+		return
+	}
+
+	logger.Log().Infof("[pop3] starting on %s", config.POP3Listen)
+
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			logger.Log().Errorf("[pop3] accept error: %s", err.Error())
+			continue
+		}
+
+		// run as goroutine
+		go handleClient(conn)
+	}
+}
+
+type message struct {
+	ID   string
+	Size float64
+}
+
+func handleClient(conn net.Conn) {
+	var (
+		user     = ""
+		state    = AUTHORIZATION // Start with AUTHORIZATION state
+		toDelete []string        // Track messages marked for deletion
+		messages []message
+	)
+
+	defer func() {
+		if state == UPDATE {
+			if len(toDelete) > 0 {
+				if err := storage.DeleteMessages(toDelete); err != nil {
+					logger.Log().Errorf("[pop3] error deleting: %s", err.Error())
+				}
+				// Update web UI to remove deleted messages
+				websockets.Broadcast("prune", nil)
+			}
+		}
+
+		if err := conn.Close(); err != nil {
+			logger.Log().Errorf("[pop3] %s", err.Error())
+		}
+	}()
+
+	reader := bufio.NewReader(conn)
+
+	logger.Log().Debugf("[pop3] connection opened by %s", conn.RemoteAddr().String())
+
+	// First welcome the new connection
+	serverName := "Mailpit"
+	if config.Label != "" {
+		serverName = fmt.Sprintf("Mailpit (%s)", config.Label)
+	}
+	sendResponse(conn, fmt.Sprintf("+OK %s POP3 server", serverName))
+
+	// Set 10 minutes timeout according to RFC1939
+	timeoutDuration := 600 * time.Second
+
+	for {
+		// Set read deadline
+		if err := conn.SetReadDeadline(time.Now().Add(timeoutDuration)); err != nil {
+			logger.Log().Errorf("[pop3] %s", err.Error())
+			return
+		}
+
+		// Reads a line from the client
+		rawLine, err := reader.ReadString('\n')
+		if err != nil {
+			if err == io.EOF {
+				logger.Log().Debugf("[pop3] client disconnected: %s", conn.RemoteAddr().String())
+			} else {
+				logger.Log().Errorf("[pop3] read error: %s", err.Error())
+			}
+			return
+		}
+
+		// Parses the command
+		cmd, args := getCommand(rawLine)
+		cmd = strings.ToUpper(cmd) // Commands in the POP3 are case-insensitive
+
+		logger.Log().Debugf("[pop3] received: %s (%s)", strings.TrimSpace(rawLine), conn.RemoteAddr().String())
+
+		switch cmd {
+		case "CAPA":
+			// List our capabilities per RFC2449
+			sendResponse(conn, "+OK capability list follows")
+			sendResponse(conn, "TOP")
+			sendResponse(conn, "USER")
+			sendResponse(conn, "UIDL")
+			sendResponse(conn, "IMPLEMENTATION Mailpit")
+			sendResponse(conn, ".")
+		case "USER":
+			if state == AUTHORIZATION {
+				if len(args) != 1 {
+					sendResponse(conn, "-ERR must supply a user")
+					return
+				}
+				sendResponse(conn, "+OK")
+				user = args[0]
+			} else {
+				sendResponse(conn, "-ERR user already specified")
+			}
+		case "PASS":
+			if state == AUTHORIZATION {
+				if user == "" {
+					sendResponse(conn, "-ERR must supply a user")
+					return
+				}
+				if len(args) != 1 {
+					sendResponse(conn, "-ERR must supply a password")
+					return
+				}
+
+				pass := args[0]
+				if authUser(user, pass) {
+					sendResponse(conn, "+OK signed in")
+					var err error
+					messages, err = getMessages()
+					if err != nil {
+						logger.Log().Errorf("[pop3] %s", err.Error())
+					}
+					state = TRANSACTION
+				} else {
+					sendResponse(conn, "-ERR invalid password")
+					logger.Log().Warnf("[pop3] failed login: %s", user)
+				}
+			} else {
+				sendResponse(conn, "-ERR user not specified")
+			}
+		case "STAT", "LIST", "UIDL", "RETR", "TOP", "NOOP", "DELE", "RSET":
+			if state == TRANSACTION {
+				handleTransactionCommand(conn, cmd, args, messages, &toDelete)
+			} else {
+				sendResponse(conn, "-ERR user not authenticated")
+			}
+		case "QUIT":
+			sendResponse(conn, "+OK goodbye")
+			state = UPDATE
+			return
+		default:
+			sendResponse(conn, "-ERR unknown command")
+		}
+	}
+}
+
+func handleTransactionCommand(conn net.Conn, cmd string, args []string, messages []message, toDelete *[]string) {
+	switch cmd {
+	case "STAT":
+		totalSize := float64(0)
+		for _, m := range messages {
+			totalSize += m.Size
+		}
+		sendResponse(conn, fmt.Sprintf("+OK %d %d", len(messages), int64(totalSize)))
+	case "LIST":
+		totalSize := float64(0)
+		for _, m := range messages {
+			totalSize += m.Size
+		}
+		sendResponse(conn, fmt.Sprintf("+OK %d messages (%d octets)", len(messages), int64(totalSize)))
+
+		for row, m := range messages {
+			sendResponse(conn, fmt.Sprintf("%d %d", row+1, int64(m.Size))) // Convert Size to int64 when printing
+		}
+		sendResponse(conn, ".")
+	case "UIDL":
+		sendResponse(conn, "+OK unique-id listing follows")
+		for row, m := range messages {
+			sendResponse(conn, fmt.Sprintf("%d %s", row+1, m.ID))
+		}
+		sendResponse(conn, ".")
+	case "RETR":
+		if len(args) != 1 {
+			sendResponse(conn, "-ERR no such message")
+			return
+		}
+
+		nr, err := strconv.Atoi(args[0])
+		if err != nil || nr < 1 || nr > len(messages) {
+			sendResponse(conn, "-ERR no such message")
+			return
+		}
+
+		m := messages[nr-1]
+		raw, err := storage.GetMessageRaw(m.ID)
+		if err != nil {
+			sendResponse(conn, "-ERR no such message")
+			return
+		}
+		size := len(raw)
+		sendResponse(conn, fmt.Sprintf("+OK %d octets", size))
+
+		// When all lines of the response have been sent, a
+		// final line is sent, consisting of a termination octet (decimal code
+		// 046, ".") and a CRLF pair. If any line of the multi-line response
+		// begins with the termination octet, the line is "byte-stuffed" by
+		// pre-pending the termination octet to that line of the response.
+		// @see: https://www.ietf.org/rfc/rfc1939.txt
+		sendData(conn, strings.Replace(string(raw), "\n.", "\n..", -1))
+		sendResponse(conn, ".")
+	case "TOP":
+		arg, err := getSafeArg(args, 0)
+		if err != nil {
+			sendResponse(conn, "-ERR TOP requires two arguments")
+			return
+		}
+		nr, err := strconv.Atoi(arg)
+		if err != nil || nr < 1 || nr > len(messages) {
+			sendResponse(conn, "-ERR no such message")
+			return
+		}
+
+		arg2, err := getSafeArg(args, 1)
+		if err != nil {
+			sendResponse(conn, "-ERR TOP requires two arguments")
+			return
+		}
+
+		lines, err := strconv.Atoi(arg2)
+		if err != nil {
+			sendResponse(conn, "-ERR TOP requires two arguments")
+			return
+		}
+
+		m := messages[nr-1]
+		headers, body, err := getTop(m.ID, lines)
+		if err != nil {
+			sendResponse(conn, err.Error())
+			return
+		}
+
+		sendResponse(conn, "+OK top of message follows")
+		sendData(conn, headers+"\r\n")
+		sendData(conn, body)
+		sendResponse(conn, ".")
+	case "NOOP":
+		sendResponse(conn, "+OK")
+	case "DELE":
+		arg, _ := getSafeArg(args, 0)
+		nr, err := strconv.Atoi(arg)
+		if err != nil || nr < 1 || nr > len(messages) {
+			sendResponse(conn, "-ERR no such message")
+			return
+		}
+
+		m := messages[nr-1]
+		*toDelete = append(*toDelete, m.ID)
+		sendResponse(conn, "+OK message marked for deletion")
+	case "RSET":
+		*toDelete = []string{}
+		sendResponse(conn, "+OK")
+	default:
+		sendResponse(conn, "-ERR unknown command")
+	}
+}
--- a/server/server.go
+++ b/server/server.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"net"
 	"net/http"
 	"os"
 	"strings"
@@ -20,11 +21,13 @@ import (
 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/stats"
 	"github.com/axllent/mailpit/internal/storage"
+	"github.com/axllent/mailpit/internal/tools"
 	"github.com/axllent/mailpit/server/apiv1"
 	"github.com/axllent/mailpit/server/handlers"
 	"github.com/axllent/mailpit/server/pop3"
 	"github.com/axllent/mailpit/server/websockets"
 	"github.com/gorilla/mux"
+	"github.com/lithammer/shortuuid/v4"
 )

 //go:embed ui
@@ -75,11 +78,11 @@ func Listen() {
 	}

 	// UI shortcut
-	r.HandleFunc(config.Webroot+"view/latest", handlers.RedirectToLatestMessage).Methods("GET")
+	r.HandleFunc(config.Webroot+"view/latest", middleWareFunc(handlers.RedirectToLatestMessage)).Methods("GET")

 	// frontend testing
-	r.HandleFunc(config.Webroot+"view/{id}.html", handlers.GetMessageHTML).Methods("GET")
-	r.HandleFunc(config.Webroot+"view/{id}.txt", handlers.GetMessageText).Methods("GET")
+	r.HandleFunc(config.Webroot+"view/{id}.html", middleWareFunc(apiv1.GetMessageHTML)).Methods("GET")
+	r.HandleFunc(config.Webroot+"view/{id}.txt", middleWareFunc(apiv1.GetMessageText)).Methods("GET")

 	// web UI via virtual index.html
 	r.PathPrefix(config.Webroot + "view/").Handler(middleWareFunc(index)).Methods("GET")
@@ -96,8 +99,6 @@ func Listen() {
 	// Mark the application here as ready
 	isReady.Store(true)

-	logger.Log().Infof("[http] starting on %s", config.HTTPListen)
-
 	server := &http.Server{
 		Addr:         config.HTTPListen,
 		ReadTimeout:  30 * time.Second,
@@ -105,11 +106,51 @@ func Listen() {
 	}

 	if config.UITLSCert != "" && config.UITLSKey != "" {
+		logger.Log().Infof("[http] starting on %s (TLS)", config.HTTPListen)
 		logger.Log().Infof("[http] accessible via https://%s%s", logger.CleanHTTPIP(config.HTTPListen), config.Webroot)
-		logger.Log().Fatal(server.ListenAndServeTLS(config.UITLSCert, config.UITLSKey))
+		if err := server.ListenAndServeTLS(config.UITLSCert, config.UITLSKey); err != nil {
+			storage.Close()
+			logger.Log().Fatal(err)
+		}
+
 	} else {
-		logger.Log().Infof("[http] accessible via http://%s%s", logger.CleanHTTPIP(config.HTTPListen), config.Webroot)
-		logger.Log().Fatal(server.ListenAndServe())
+		socketAddr, perm, isSocket := tools.UnixSocket(config.HTTPListen)
+
+		if isSocket {
+			if err := tools.PrepareSocket(socketAddr); err != nil {
+				storage.Close()
+				logger.Log().Fatal(err)
+			}
+
+			// delete the Unix socket file on exit
+			storage.AddTempFile(socketAddr)
+
+			ln, err := net.Listen("unix", socketAddr)
+			if err != nil {
+				storage.Close()
+				logger.Log().Fatal(err)
+			}
+
+			if err := os.Chmod(socketAddr, perm); err != nil {
+				storage.Close()
+				logger.Log().Fatal(err)
+			}
+
+			logger.Log().Infof("[http] starting on %s", config.HTTPListen)
+
+			if err := server.Serve(ln); err != nil {
+				storage.Close()
+				logger.Log().Fatal(err)
+			}
+
+		} else {
+			logger.Log().Infof("[http] starting on %s", config.HTTPListen)
+			logger.Log().Infof("[http] accessible via http://%s%s", logger.CleanHTTPIP(config.HTTPListen), config.Webroot)
+			if err := server.ListenAndServe(); err != nil {
+				storage.Close()
+				logger.Log().Fatal(err)
+			}
+		}
 	}
 }

@@ -120,18 +161,19 @@ func apiRoutes() *mux.Router {
 	r.HandleFunc(config.Webroot+"api/v1/messages", middleWareFunc(apiv1.GetMessages)).Methods("GET")
 	r.HandleFunc(config.Webroot+"api/v1/messages", middleWareFunc(apiv1.SetReadStatus)).Methods("PUT")
 	r.HandleFunc(config.Webroot+"api/v1/messages", middleWareFunc(apiv1.DeleteMessages)).Methods("DELETE")
-	r.HandleFunc(config.Webroot+"api/v1/tags", middleWareFunc(apiv1.GetAllTags)).Methods("GET")
-	r.HandleFunc(config.Webroot+"api/v1/tags", middleWareFunc(apiv1.SetMessageTags)).Methods("PUT")
 	r.HandleFunc(config.Webroot+"api/v1/search", middleWareFunc(apiv1.Search)).Methods("GET")
 	r.HandleFunc(config.Webroot+"api/v1/search", middleWareFunc(apiv1.DeleteSearch)).Methods("DELETE")
+	r.HandleFunc(config.Webroot+"api/v1/send", middleWareFunc(apiv1.SendMessageHandler)).Methods("POST")
+	r.HandleFunc(config.Webroot+"api/v1/tags", middleWareFunc(apiv1.GetAllTags)).Methods("GET")
+	r.HandleFunc(config.Webroot+"api/v1/tags", middleWareFunc(apiv1.SetMessageTags)).Methods("PUT")
+	r.HandleFunc(config.Webroot+"api/v1/tags/{tag}", middleWareFunc(apiv1.RenameTag)).Methods("PUT")
+	r.HandleFunc(config.Webroot+"api/v1/tags/{tag}", middleWareFunc(apiv1.DeleteTag)).Methods("DELETE")
 	r.HandleFunc(config.Webroot+"api/v1/message/{id}/part/{partID}", middleWareFunc(apiv1.DownloadAttachment)).Methods("GET")
 	r.HandleFunc(config.Webroot+"api/v1/message/{id}/part/{partID}/thumb", middleWareFunc(apiv1.Thumbnail)).Methods("GET")
 	r.HandleFunc(config.Webroot+"api/v1/message/{id}/headers", middleWareFunc(apiv1.GetHeaders)).Methods("GET")
 	r.HandleFunc(config.Webroot+"api/v1/message/{id}/raw", middleWareFunc(apiv1.DownloadRaw)).Methods("GET")
 	r.HandleFunc(config.Webroot+"api/v1/message/{id}/release", middleWareFunc(apiv1.ReleaseMessage)).Methods("POST")
-	if !config.DisableHTMLCheck {
-		r.HandleFunc(config.Webroot+"api/v1/message/{id}/html-check", middleWareFunc(apiv1.HTMLCheck)).Methods("GET")
-	}
+	r.HandleFunc(config.Webroot+"api/v1/message/{id}/html-check", middleWareFunc(apiv1.HTMLCheck)).Methods("GET")
 	r.HandleFunc(config.Webroot+"api/v1/message/{id}/link-check", middleWareFunc(apiv1.LinkCheck)).Methods("GET")
 	if config.EnableSpamAssassin != "" {
 		r.HandleFunc(config.Webroot+"api/v1/message/{id}/sa-check", middleWareFunc(apiv1.SpamAssassinCheck)).Methods("GET")
@@ -171,7 +213,21 @@ func (w gzipResponseWriter) Write(b []byte) (int, error) {
 func middleWareFunc(fn http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Referrer-Policy", "no-referrer")
-		w.Header().Set("Content-Security-Policy", config.ContentSecurityPolicy)
+
+		// generate a new random nonce on every request
+		randomNonce := shortuuid.New()
+		// header used to pass nonce through to function
+		r.Header.Set("mp-nonce", randomNonce)
+
+		// Prevent JavaScript XSS by adding a nonce for script-src
+		cspHeader := strings.Replace(
+			config.ContentSecurityPolicy,
+			"script-src 'self';",
+			fmt.Sprintf("script-src 'nonce-%s';", randomNonce),
+			1,
+		)
+
+		w.Header().Set("Content-Security-Policy", cspHeader)

 		if AccessControlAllowOrigin != "" && strings.HasPrefix(r.RequestURI, config.Webroot+"api/") {
 			w.Header().Set("Access-Control-Allow-Origin", AccessControlAllowOrigin)
@@ -193,24 +249,11 @@ func middleWareFunc(fn http.HandlerFunc) http.HandlerFunc {
 			}
 		}

-		if auth.UICredentials != nil {
-			user, pass, ok := r.BasicAuth()
-
-			if !ok {
-				basicAuthResponse(w)
-				return
-			}
-
-			if !auth.UICredentials.Match(user, pass) {
-				basicAuthResponse(w)
-				return
-			}
-		}
-
 		if !strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
 			fn(w, r)
 			return
 		}
+
 		w.Header().Set("Content-Encoding", "gzip")
 		gz := gzip.NewWriter(w)
 		defer gz.Close()
@@ -287,7 +330,7 @@ func swaggerBasePath(w http.ResponseWriter, _ *http.Request) {
 }

 // Just returns the default HTML template
-func index(w http.ResponseWriter, _ *http.Request) {
+func index(w http.ResponseWriter, r *http.Request) {

 	var h = `<!DOCTYPE html>
 <html lang="en" class="h-100">
@@ -304,10 +347,12 @@ func index(w http.ResponseWriter, _ *http.Request) {

 <body class="h-100">
 	<div class="container-fluid h-100 d-flex flex-column" id="app" data-webroot="{{ .Webroot }}" data-version="{{ .Version }}">
-		<noscript>You require JavaScript to use this app.</noscript>
+		<noscript class="alert alert-warning position-absolute top-50 start-50 translate-middle">
+			You need a browser with JavaScript support to use Mailpit
+		</noscript>
 	</div>

-	<script src="{{ .Webroot }}dist/app.js?{{ .Version }}"></script>
+	<script src="{{ .Webroot }}dist/app.js?{{ .Version }}" nonce="{{ .Nonce }}"></script>
 </body>

 </html>`
@@ -320,9 +365,11 @@ func index(w http.ResponseWriter, _ *http.Request) {
 	data := struct {
 		Webroot string
 		Version string
+		Nonce   string
 	}{
 		Webroot: config.Webroot,
 		Version: config.Version,
+		Nonce:   r.Header.Get("mp-nonce"),
 	}

 	buff := new(bytes.Buffer)
@@ -332,8 +379,6 @@ func index(w http.ResponseWriter, _ *http.Request) {
 		panic(err)
 	}

-	buff.Bytes()
-
 	w.Header().Add("Content-Type", "text/html")
 	_, _ = w.Write(buff.Bytes())
 }
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
 	"strings"
 	"testing"

@@ -20,8 +21,8 @@ import (

 var (
 	putDataStruct struct {
-		Read bool     `json:"read"`
-		IDs  []string `json:"ids"`
+		Read bool
+		IDs  []string
 	}
 )

@@ -47,8 +48,6 @@ func TestAPIv1Messages(t *testing.T) {
 	insertEmailData(t)
 	assertStatsEqual(t, ts.URL+"/api/v1/messages", 100, 100)

-	// store this for later tests
-
 	m, err = fetchMessages(ts.URL + "/api/v1/messages")
 	if err != nil {
 		t.Errorf(err.Error())
@@ -56,7 +55,6 @@ func TestAPIv1Messages(t *testing.T) {

 	// read first 10 messages
 	t.Log("Read first 10 messages including raw & headers")
-	putIDS := []string{}
 	for idx, msg := range m.Messages {
 		if idx == 10 {
 			break
@@ -71,13 +69,10 @@ func TestAPIv1Messages(t *testing.T) {
 			t.Errorf(err.Error())
 		}

-		// het headers
+		// get headers
 		if _, err := clientGet(ts.URL + "/api/v1/message/" + msg.ID + "/headers"); err != nil {
 			t.Errorf(err.Error())
 		}
-
-		// store for later
-		putIDS = append(putIDS, msg.ID)
 	}

 	// 10 should be marked as read
@@ -207,14 +202,118 @@ func TestAPIv1Search(t *testing.T) {
 	assertSearchEqual(t, ts.URL+"/api/v1/search", "!tag:\"Test tag 023\"", 99)
 }

+func TestAPIv1Send(t *testing.T) {
+	setup()
+	defer storage.Close()
+
+	r := apiRoutes()
+
+	ts := httptest.NewServer(r)
+	defer ts.Close()
+
+	jsonData := `{
+		"From": {
+		  "Email": "john@example.com",
+		  "Name": "John Doe"
+		},
+		"To": [
+		  {
+			"Email": "jane@example.com",
+			"Name": "Jane Doe"
+		  }
+		],
+		"Cc": [
+		  {
+			"Email": "manager1@example.com",
+			"Name": "Manager 1"
+		  },
+		  {
+			"Email": "manager2@example.com",
+			"Name": "Manager 2"
+		  }
+		],
+		"Bcc": ["jack@example.com"],
+		"Headers": {
+			"X-IP": "1.2.3.4"
+		},
+		"Subject": "Mailpit message via the HTTP API",
+		"Text": "This is the text body",
+		"HTML": "<p style=\"font-family: arial\">Mailpit is <b>awesome</b>!</p>",
+		"Attachments": [
+		  {
+			"Content": "VGhpcyBpcyBhIHBsYWluIHRleHQgYXR0YWNobWVudA==",
+			"Filename": "Attached File.txt"
+		  }
+		],
+		"ReplyTo": [
+		  {
+			"Email": "secretary@example.com",
+			"Name": "Secretary"
+		  }
+		],
+		"Tags": [
+		  "Tag 1",
+		  "Tag 2"
+		]
+	  }`
+
+	t.Log("Sending message via HTTP API")
+	b, err := clientPost(ts.URL+"/api/v1/send", jsonData)
+	if err != nil {
+		t.Errorf("Expected nil, received %s", err.Error())
+	}
+
+	resp := apiv1.SendMessageConfirmation{}
+
+	if err := json.Unmarshal(b, &resp); err != nil {
+		t.Errorf(err.Error())
+		return
+	}
+
+	t.Logf("Fetching response for message %s", resp.ID)
+	msg, err := fetchMessage(ts.URL + "/api/v1/message/" + resp.ID)
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+
+	t.Logf("Testing response for message %s", resp.ID)
+	assertEqual(t, `Mailpit message via the HTTP API`, msg.Subject, "wrong subject")
+	assertEqual(t, `This is the text body`, msg.Text, "wrong text")
+	assertEqual(t, `<p style="font-family: arial">Mailpit is <b>awesome</b>!</p>`, msg.HTML, "wrong HTML")
+	assertEqual(t, `"John Doe" <john@example.com>`, msg.From.String(), "wrong HTML")
+	assertEqual(t, 1, len(msg.To), "wrong To count")
+	assertEqual(t, `"Jane Doe" <jane@example.com>`, msg.To[0].String(), "wrong To address")
+	assertEqual(t, 2, len(msg.Cc), "wrong Cc count")
+	assertEqual(t, `"Manager 1" <manager1@example.com>`, msg.Cc[0].String(), "wrong Cc address")
+	assertEqual(t, `"Manager 2" <manager2@example.com>`, msg.Cc[1].String(), "wrong Cc address")
+	assertEqual(t, 1, len(msg.Bcc), "wrong Bcc count")
+	assertEqual(t, `<jack@example.com>`, msg.Bcc[0].String(), "wrong Bcc address")
+	assertEqual(t, 1, len(msg.ReplyTo), "wrong Reply-To count")
+	assertEqual(t, `"Secretary" <secretary@example.com>`, msg.ReplyTo[0].String(), "wrong Reply-To address")
+	assertEqual(t, 2, len(msg.Tags), "wrong Tags count")
+	assertEqual(t, `Tag 1,Tag 2`, strings.Join(msg.Tags, ","), "wrong Tags")
+	assertEqual(t, 1, len(msg.Attachments), "wrong Attachment count")
+	assertEqual(t, `Attached File.txt`, msg.Attachments[0].FileName, "wrong Attachment name")
+
+	attachmentBytes, err := clientGet(ts.URL + "/api/v1/message/" + resp.ID + "/part/" + msg.Attachments[0].PartID)
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+	assertEqual(t, `This is a plain text attachment`, string(attachmentBytes), "wrong Attachment content")
+}
+
 func setup() {
 	logger.NoLogging = true
 	config.MaxMessages = 0
-	config.DataFile = ""
+	config.Database = os.Getenv("MP_DATABASE")

 	if err := storage.InitDB(); err != nil {
 		panic(err)
 	}
+
+	if err := storage.DeleteAllMessages(); err != nil {
+		panic(err)
+	}
 }

 func assertStatsEqual(t *testing.T, uri string, unread, total int) {
@@ -231,8 +330,8 @@ func assertStatsEqual(t *testing.T, uri string, unread, total int) {
 		return
 	}

-	assertEqual(t, unread, m.Unread, "wrong unread count")
-	assertEqual(t, total, m.Total, "wrong total count")
+	assertEqual(t, float64(unread), m.Unread, "wrong unread count")
+	assertEqual(t, float64(total), m.Total, "wrong total count")
 }

 func assertSearchEqual(t *testing.T, uri, query string, count int) {
@@ -252,7 +351,7 @@ func assertSearchEqual(t *testing.T, uri, query string, count int) {
 		return
 	}

-	assertEqual(t, count, m.MessagesCount, "wrong search results count")
+	assertEqual(t, float64(count), m.MessagesCount, "wrong search results count")
 }

 func insertEmailData(t *testing.T) {
@@ -284,12 +383,26 @@ func insertEmailData(t *testing.T) {
 			t.Fail()
 		}

-		if err := storage.SetMessageTags(id, []string{fmt.Sprintf("Test tag %03d", i)}); err != nil {
+		if _, err := storage.SetMessageTags(id, []string{fmt.Sprintf("Test tag %03d", i)}); err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
 	}
+}

+func fetchMessage(url string) (storage.Message, error) {
+	m := storage.Message{}
+
+	data, err := clientGet(url)
+	if err != nil {
+		return m, err
+	}
+
+	if err := json.Unmarshal(data, &m); err != nil {
+		return m, err
+	}
+
+	return m, nil
 }

 func fetchMessages(url string) (apiv1.MessagesSummary, error) {
@@ -373,6 +486,31 @@ func clientPut(url, body string) ([]byte, error) {
 	return data, err
 }

+func clientPost(url, body string) ([]byte, error) {
+	client := new(http.Client)
+
+	b := strings.NewReader(body)
+	req, err := http.NewRequest("POST", url, b)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%s returned status %d", url, resp.StatusCode)
+	}
+
+	data, err := io.ReadAll(resp.Body)
+
+	return data, err
+}
+
 func assertEqual(t *testing.T, a interface{}, b interface{}, message string) {
 	if a == b {
 		return
--- a/server/smtpd/lib.go
+++ b/server/smtpd/lib.go
@@ -0,0 +1,952 @@
+// Package smtpd implements a basic SMTP server.
+//
+// This is a modified version of https://github.com/mhale/smtpd to
+// add optional support for unix sockets.
+package smtpd
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"crypto/tls"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io/fs"
+	"log"
+	"net"
+	"os"
+	"regexp"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+var (
+	// Debug `true` enables verbose logging.
+	Debug      = false
+	rcptToRE   = regexp.MustCompile(`[Tt][Oo]:\s?<(.+)>`)
+	mailFromRE = regexp.MustCompile(`[Ff][Rr][Oo][Mm]:\s?<(.*)>(\s(.*))?`) // Delivery Status Notifications are sent with "MAIL FROM:<>"
+	mailSizeRE = regexp.MustCompile(`[Ss][Ii][Zz][Ee]=(\d+)`)
+)
+
+// Handler function called upon successful receipt of an email.
+// Results in a "250 2.0.0 Ok: queued" response.
+type Handler func(remoteAddr net.Addr, from string, to []string, data []byte) error
+
+// MsgIDHandler function called upon successful receipt of an email. Returns a message ID.
+// Results in a "250 2.0.0 Ok: queued as <message-id>" response.
+type MsgIDHandler func(remoteAddr net.Addr, from string, to []string, data []byte) (string, error)
+
+// HandlerRcpt function called on RCPT. Return accept status.
+type HandlerRcpt func(remoteAddr net.Addr, from string, to string) bool
+
+// AuthHandler function called when a login attempt is performed. Returns true if credentials are correct.
+type AuthHandler func(remoteAddr net.Addr, mechanism string, username []byte, password []byte, shared []byte) (bool, error)
+
+// ErrServerClosed is the default message when a server closes a connection
+var ErrServerClosed = errors.New("Server has been closed")
+
+// ListenAndServe listens on the TCP network address addr
+// and then calls Serve with handler to handle requests
+// on incoming connections.
+func ListenAndServe(addr string, handler Handler, appName string, hostname string) error {
+	srv := &Server{Addr: addr, Handler: handler, AppName: appName, Hostname: hostname}
+	return srv.ListenAndServe()
+}
+
+// ListenAndServeTLS listens on the TCP network address addr
+// and then calls Serve with handler to handle requests
+// on incoming connections. Connections may be upgraded to TLS if the client requests it.
+func ListenAndServeTLS(addr string, certFile string, keyFile string, handler Handler, appName string, hostname string) error {
+	srv := &Server{Addr: addr, Handler: handler, AppName: appName, Hostname: hostname}
+	err := srv.ConfigureTLS(certFile, keyFile)
+	if err != nil {
+		return err
+	}
+	return srv.ListenAndServe()
+}
+
+type maxSizeExceededError struct {
+	limit int
+}
+
+func maxSizeExceeded(limit int) maxSizeExceededError {
+	return maxSizeExceededError{limit}
+}
+
+// Error uses the RFC 5321 response message in preference to RFC 1870.
+// RFC 3463 defines enhanced status code x.3.4 as "Message too big for system".
+func (err maxSizeExceededError) Error() string {
+	return fmt.Sprintf("552 5.3.4 Requested mail action aborted: exceeded storage allocation (%d)", err.limit)
+}
+
+// LogFunc is a function capable of logging the client-server communication.
+type LogFunc func(remoteIP, verb, line string)
+
+// Server is an SMTP server.
+type Server struct {
+	Addr              string // TCP address to listen on, defaults to ":25" (all addresses, port 25) if empty
+	AppName           string
+	AuthHandler       AuthHandler
+	AuthMechs         map[string]bool // Override list of allowed authentication mechanisms. Currently supported: LOGIN, PLAIN, CRAM-MD5. Enabling LOGIN and PLAIN will reduce RFC 4954 compliance.
+	AuthRequired      bool            // Require authentication for every command except AUTH, EHLO, HELO, NOOP, RSET or QUIT as per RFC 4954. Ignored if AuthHandler is not configured.
+	DisableReverseDNS bool            // Disable reverse DNS lookups, enforces "unknown" hostname
+	Handler           Handler
+	HandlerRcpt       HandlerRcpt
+	Hostname          string
+	LogRead           LogFunc
+	LogWrite          LogFunc
+	MaxSize           int // Maximum message size allowed, in bytes
+	MaxRecipients     int // Maximum number of recipients, defaults to 100.
+	MsgIDHandler      MsgIDHandler
+	Timeout           time.Duration
+	TLSConfig         *tls.Config
+	TLSListener       bool        // Listen for incoming TLS connections only (not recommended as it may reduce compatibility). Ignored if TLS is not configured.
+	TLSRequired       bool        // Require TLS for every command except NOOP, EHLO, STARTTLS, or QUIT as per RFC 3207. Ignored if TLS is not configured.
+	Protocol          string      // Default tcp, supports unix
+	SocketPerm        fs.FileMode // if using Unix socket, socket permissions
+
+	inShutdown   int32 // server was closed or shutdown
+	openSessions int32 // count of open sessions
+	mu           sync.Mutex
+	shutdownChan chan struct{} // let the sessions know we are shutting down
+
+	XClientAllowed []string // List of XCLIENT allowed IP addresses
+}
+
+// ConfigureTLS creates a TLS configuration from certificate and key files.
+func (srv *Server) ConfigureTLS(certFile string, keyFile string) error {
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		return err
+	}
+	srv.TLSConfig = &tls.Config{Certificates: []tls.Certificate{cert}} // #nosec
+	return nil
+}
+
+// // ConfigureTLSWithPassphrase creates a TLS configuration from a certificate,
+// // an encrypted key file and the associated passphrase:
+// func (srv *Server) ConfigureTLSWithPassphrase(
+// 	certFile string,
+// 	keyFile string,
+// 	passphrase string,
+// ) error {
+// 	certPEMBlock, err := os.ReadFile(certFile)
+// 	if err != nil {
+// 		return err
+// 	}
+// 	keyPEMBlock, err := os.ReadFile(keyFile)
+// 	if err != nil {
+// 		return err
+// 	}
+// 	keyDERBlock, _ := pem.Decode(keyPEMBlock)
+// 	keyPEMDecrypted, err := x509.DecryptPEMBlock(keyDERBlock, []byte(passphrase))
+// 	if err != nil {
+// 		return err
+// 	}
+// 	var pemBlock pem.Block
+// 	pemBlock.Type = keyDERBlock.Type
+// 	pemBlock.Bytes = keyPEMDecrypted
+// 	keyPEMBlock = pem.EncodeToMemory(&pemBlock)
+// 	cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
+// 	if err != nil {
+// 		return err
+// 	}
+// 	srv.TLSConfig = &tls.Config{Certificates: []tls.Certificate{cert}}
+// 	return nil
+// }
+
+// ListenAndServe listens on the either a TCP network address srv.Addr or
+// alternatively a Unix socket. and then calls Serve to handle requests on
+// incoming connections. If srv.Addr is blank, ":25" is used.
+func (srv *Server) ListenAndServe() error {
+	if atomic.LoadInt32(&srv.inShutdown) != 0 {
+		return ErrServerClosed
+	}
+
+	if srv.Addr == "" {
+		srv.Addr = ":25"
+	}
+	if srv.AppName == "" {
+		srv.AppName = "smtpd"
+	}
+	if srv.Hostname == "" {
+		srv.Hostname, _ = os.Hostname()
+	}
+	if srv.Timeout == 0 {
+		srv.Timeout = 5 * time.Minute
+	}
+	if srv.Protocol == "" {
+		srv.Protocol = "tcp"
+	}
+
+	var ln net.Listener
+	var err error
+
+	// If TLSListener is enabled, listen for TLS connections only.
+	if srv.TLSConfig != nil && srv.TLSListener {
+		ln, err = tls.Listen(srv.Protocol, srv.Addr, srv.TLSConfig)
+	} else {
+		ln, err = net.Listen(srv.Protocol, srv.Addr)
+	}
+
+	if err != nil {
+		return err
+	}
+
+	if srv.Protocol == "unix" {
+		// set permissions
+		if err := os.Chmod(srv.Addr, srv.SocketPerm); err != nil {
+			return err
+		}
+	}
+
+	return srv.Serve(ln)
+}
+
+// Serve creates a new SMTP session after a network connection is established.
+func (srv *Server) Serve(ln net.Listener) error {
+	if atomic.LoadInt32(&srv.inShutdown) != 0 {
+		return ErrServerClosed
+	}
+
+	defer ln.Close()
+
+	for {
+		// if we are shutting down, don't accept new connections
+		select {
+		case <-srv.getShutdownChan():
+			return ErrServerClosed
+		default:
+		}
+
+		conn, err := ln.Accept()
+		if err != nil {
+			if netErr, ok := err.(net.Error); ok && netErr.Temporary() {
+				continue
+			}
+			return err
+		}
+
+		session := srv.newSession(conn)
+		atomic.AddInt32(&srv.openSessions, 1)
+		go session.serve()
+	}
+}
+
+type session struct {
+	srv           *Server
+	conn          net.Conn
+	br            *bufio.Reader
+	bw            *bufio.Writer
+	remoteIP      string // Remote IP address
+	remoteHost    string // Remote hostname according to reverse DNS lookup
+	remoteName    string // Remote hostname as supplied with EHLO
+	xClient       string // Information string as supplied with XCLIENT
+	xClientADDR   string // Information string as supplied with XCLIENT ADDR
+	xClientNAME   string // Information string as supplied with XCLIENT NAME
+	xClientTrust  bool   // Trust XCLIENT from current IP address
+	tls           bool
+	authenticated bool
+}
+
+// Create new session from connection.
+func (srv *Server) newSession(conn net.Conn) (s *session) {
+	s = &session{
+		srv:  srv,
+		conn: conn,
+		br:   bufio.NewReader(conn),
+		bw:   bufio.NewWriter(conn),
+	}
+
+	// Get remote end info for the Received header.
+	s.remoteIP, _, _ = net.SplitHostPort(s.conn.RemoteAddr().String())
+	if s.remoteIP == "" {
+		s.remoteIP = "127.0.0.1"
+	}
+	if !s.srv.DisableReverseDNS {
+		names, err := net.LookupAddr(s.remoteIP)
+		if err == nil && len(names) > 0 {
+			s.remoteHost = names[0]
+		} else {
+			s.remoteHost = "unknown"
+		}
+	} else {
+		s.remoteHost = "unknown"
+	}
+
+	// Set tls = true if TLS is already in use.
+	_, s.tls = s.conn.(*tls.Conn)
+
+	for _, checkIP := range srv.XClientAllowed {
+		if s.remoteIP == checkIP {
+			s.xClientTrust = true
+		}
+	}
+	return
+}
+
+func (srv *Server) getShutdownChan() <-chan struct{} {
+	srv.mu.Lock()
+	defer srv.mu.Unlock()
+	if srv.shutdownChan == nil {
+		srv.shutdownChan = make(chan struct{})
+	}
+
+	return srv.shutdownChan
+}
+
+func (srv *Server) closeShutdownChan() {
+	srv.mu.Lock()
+	defer srv.mu.Unlock()
+	if srv.shutdownChan == nil {
+		srv.shutdownChan = make(chan struct{})
+	}
+
+	select {
+	case <-srv.shutdownChan:
+	default:
+		close(srv.shutdownChan)
+	}
+}
+
+// Close - closes the connection without waiting
+func (srv *Server) Close() error {
+	atomic.StoreInt32(&srv.inShutdown, 1)
+	srv.closeShutdownChan()
+	return nil
+}
+
+// Shutdown - waits for current sessions to complete before closing
+func (srv *Server) Shutdown(ctx context.Context) error {
+	atomic.StoreInt32(&srv.inShutdown, 1)
+	srv.closeShutdownChan()
+
+	// wait for up to 30 seconds to allow the current sessions to
+	// end
+	timer := time.NewTimer(100 * time.Millisecond)
+	defer timer.Stop()
+
+	for i := 0; i < 300; i++ {
+		// wait for open sessions to close
+		if atomic.LoadInt32(&srv.openSessions) == 0 {
+			break
+		}
+
+		select {
+		case <-timer.C:
+			timer.Reset(100 * time.Millisecond)
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+		}
+	}
+
+	return nil
+}
+
+// Function called to handle connection requests.
+func (s *session) serve() {
+	defer atomic.AddInt32(&s.srv.openSessions, -1)
+	defer s.conn.Close()
+
+	var from string
+	var gotFrom bool
+	var to []string
+	var buffer bytes.Buffer
+
+	// Send banner.
+	s.writef("220 %s %s ESMTP Service ready", s.srv.Hostname, s.srv.AppName)
+
+loop:
+	for {
+		// Attempt to read a line from the socket.
+		// On timeout, send a timeout message and return from serve().
+		// On error, assume the client has gone away i.e. return from serve().
+		line, err := s.readLine()
+		if err != nil {
+			if netErr, ok := err.(net.Error); ok && netErr.Timeout() {
+				s.writef("421 4.4.2 %s %s ESMTP Service closing transmission channel after timeout exceeded", s.srv.Hostname, s.srv.AppName)
+			}
+			break
+		}
+
+		verb, args := s.parseLine(line)
+
+		switch verb {
+		case "HELO":
+			s.remoteName = args
+			s.writef("250 %s greets %s", s.srv.Hostname, s.remoteName)
+
+			// RFC 2821 section 4.1.4 specifies that EHLO has the same effect as RSET, so reset for HELO too.
+			from = ""
+			gotFrom = false
+			to = nil
+			buffer.Reset()
+		case "EHLO":
+			s.remoteName = args
+			s.writef(s.makeEHLOResponse())
+
+			// RFC 2821 section 4.1.4 specifies that EHLO has the same effect as RSET.
+			from = ""
+			gotFrom = false
+			to = nil
+			buffer.Reset()
+		case "MAIL":
+			if s.srv.TLSConfig != nil && s.srv.TLSRequired && !s.tls {
+				s.writef("530 5.7.0 Must issue a STARTTLS command first")
+				break
+			}
+			if s.srv.AuthHandler != nil && s.srv.AuthRequired && !s.authenticated {
+				s.writef("530 5.7.0 Authentication required")
+				break
+			}
+
+			match := mailFromRE.FindStringSubmatch(args)
+			if match == nil {
+				s.writef("501 5.5.4 Syntax error in parameters or arguments (invalid FROM parameter)")
+			} else {
+				// Validate the SIZE parameter if one was sent.
+				if len(match[2]) > 0 { // A parameter is present
+					sizeMatch := mailSizeRE.FindStringSubmatch(match[3])
+					if sizeMatch == nil {
+						s.writef("501 5.5.4 Syntax error in parameters or arguments (invalid SIZE parameter)")
+					} else {
+						// Enforce the maximum message size if one is set.
+						size, err := strconv.Atoi(sizeMatch[1])
+						if err != nil { // Bad SIZE parameter
+							s.writef("501 5.5.4 Syntax error in parameters or arguments (invalid SIZE parameter)")
+						} else if s.srv.MaxSize > 0 && size > s.srv.MaxSize { // SIZE above maximum size, if set
+							err = maxSizeExceeded(s.srv.MaxSize)
+							s.writef(err.Error())
+						} else { // SIZE ok
+							from = match[1]
+							gotFrom = true
+							s.writef("250 2.1.0 Ok")
+						}
+					}
+				} else { // No parameters after FROM
+					from = match[1]
+					gotFrom = true
+					s.writef("250 2.1.0 Ok")
+				}
+			}
+			to = nil
+			buffer.Reset()
+		case "RCPT":
+			if s.srv.TLSConfig != nil && s.srv.TLSRequired && !s.tls {
+				s.writef("530 5.7.0 Must issue a STARTTLS command first")
+				break
+			}
+			if s.srv.AuthHandler != nil && s.srv.AuthRequired && !s.authenticated {
+				s.writef("530 5.7.0 Authentication required")
+				break
+			}
+			if !gotFrom {
+				s.writef("503 5.5.1 Bad sequence of commands (MAIL required before RCPT)")
+				break
+			}
+
+			match := rcptToRE.FindStringSubmatch(args)
+			if match == nil {
+				s.writef("501 5.5.4 Syntax error in parameters or arguments (invalid TO parameter)")
+			} else {
+				// RFC 5321 specifies support for minimum of 100 recipients is required.
+				if s.srv.MaxRecipients == 0 {
+					s.srv.MaxRecipients = 100
+				}
+				if len(to) == s.srv.MaxRecipients {
+					s.writef("452 4.5.3 Too many recipients")
+				} else {
+					accept := true
+					if s.srv.HandlerRcpt != nil {
+						accept = s.srv.HandlerRcpt(s.conn.RemoteAddr(), from, match[1])
+					}
+					if accept {
+						to = append(to, match[1])
+						s.writef("250 2.1.5 Ok")
+					} else {
+						s.writef("550 5.1.0 Requested action not taken: mailbox unavailable")
+					}
+				}
+			}
+		case "DATA":
+			if s.srv.TLSConfig != nil && s.srv.TLSRequired && !s.tls {
+				s.writef("530 5.7.0 Must issue a STARTTLS command first")
+				break
+			}
+			if s.srv.AuthHandler != nil && s.srv.AuthRequired && !s.authenticated {
+				s.writef("530 5.7.0 Authentication required")
+				break
+			}
+			if !gotFrom || len(to) == 0 {
+				s.writef("503 5.5.1 Bad sequence of commands (MAIL & RCPT required before DATA)")
+				break
+			}
+
+			s.writef("354 Start mail input; end with <CR><LF>.<CR><LF>")
+
+			// Attempt to read message body from the socket.
+			// On timeout, send a timeout message and return from serve().
+			// On net.Error, assume the client has gone away i.e. return from serve().
+			// On other errors, allow the client to try again.
+			data, err := s.readData()
+			if err != nil {
+				switch err.(type) {
+				case net.Error:
+					if err.(net.Error).Timeout() {
+						s.writef("421 4.4.2 %s %s ESMTP Service closing transmission channel after timeout exceeded", s.srv.Hostname, s.srv.AppName)
+					}
+					break loop
+				case maxSizeExceededError:
+					s.writef(err.Error())
+					continue
+				default:
+					s.writef("451 4.3.0 Requested action aborted: local error in processing")
+					continue
+				}
+			}
+
+			// Create Received header & write message body into buffer.
+			buffer.Reset()
+			buffer.Write(s.makeHeaders(to))
+			buffer.Write(data)
+
+			// Pass mail on to handler.
+			if s.srv.Handler != nil {
+				err := s.srv.Handler(s.conn.RemoteAddr(), from, to, buffer.Bytes())
+				if err != nil {
+					checkErrFormat := regexp.MustCompile(`^([2-5][0-9]{2})[\s\-](.+)$`)
+					if checkErrFormat.MatchString(err.Error()) {
+						s.writef(err.Error())
+					} else {
+						s.writef("451 4.3.5 Unable to process mail")
+					}
+					break
+				}
+				s.writef("250 2.0.0 Ok: queued")
+			} else if s.srv.MsgIDHandler != nil {
+				msgID, err := s.srv.MsgIDHandler(s.conn.RemoteAddr(), from, to, buffer.Bytes())
+				if err != nil {
+					checkErrFormat := regexp.MustCompile(`^([2-5][0-9]{2})[\s\-](.+)$`)
+					if checkErrFormat.MatchString(err.Error()) {
+						s.writef(err.Error())
+					} else {
+						s.writef("451 4.3.5 Unable to process mail")
+					}
+					break
+				}
+
+				if msgID != "" {
+					s.writef("250 2.0.0 Ok: queued as " + msgID)
+				} else {
+					s.writef("250 2.0.0 Ok: queued")
+				}
+			} else {
+				s.writef("250 2.0.0 Ok: queued")
+			}
+
+			// Reset for next mail.
+			from = ""
+			gotFrom = false
+			to = nil
+			buffer.Reset()
+		case "QUIT":
+			s.writef("221 2.0.0 %s %s ESMTP Service closing transmission channel", s.srv.Hostname, s.srv.AppName)
+			break loop
+		case "RSET":
+			if s.srv.TLSConfig != nil && s.srv.TLSRequired && !s.tls {
+				s.writef("530 5.7.0 Must issue a STARTTLS command first")
+				break
+			}
+			s.writef("250 2.0.0 Ok")
+			from = ""
+			gotFrom = false
+			to = nil
+			buffer.Reset()
+		case "NOOP":
+			s.writef("250 2.0.0 Ok")
+		case "XCLIENT":
+			s.xClient = args
+			if s.xClientTrust {
+				xCArgs := strings.Split(args, " ")
+				for _, xCArg := range xCArgs {
+					xCParse := strings.Split(strings.TrimSpace(xCArg), "=")
+					if strings.ToUpper(xCParse[0]) == "ADDR" && (net.ParseIP(xCParse[1]) != nil) {
+						s.xClientADDR = xCParse[1]
+					}
+					if strings.ToUpper(xCParse[0]) == "NAME" && len(xCParse[1]) > 0 {
+						if xCParse[1] != "[UNAVAILABLE]" {
+							s.xClientNAME = xCParse[1]
+						}
+					}
+				}
+				if len(s.xClientADDR) > 7 {
+					s.remoteIP = s.xClientADDR
+					if len(s.xClientNAME) > 4 {
+						s.remoteHost = s.xClientNAME
+					} else {
+						names, err := net.LookupAddr(s.remoteIP)
+						if err == nil && len(names) > 0 {
+							s.remoteHost = names[0]
+						} else {
+							s.remoteHost = "unknown"
+						}
+					}
+				}
+			}
+			s.writef("250 2.0.0 Ok")
+		case "HELP", "VRFY", "EXPN":
+			// See RFC 5321 section 4.2.4 for usage of 500 & 502 response codes.
+			s.writef("502 5.5.1 Command not implemented")
+		case "STARTTLS":
+			// Parameters are not allowed (RFC 3207 section 4).
+			if args != "" {
+				s.writef("501 5.5.2 Syntax error (no parameters allowed)")
+				break
+			}
+
+			// Handle case where TLS is requested but not configured (and therefore not listed as a service extension).
+			if s.srv.TLSConfig == nil {
+				s.writef("502 5.5.1 Command not implemented")
+				break
+			}
+
+			// Handle case where STARTTLS is received when TLS is already in use.
+			if s.tls {
+				s.writef("503 5.5.1 Bad sequence of commands (TLS already in use)")
+				break
+			}
+
+			s.writef("220 2.0.0 Ready to start TLS")
+
+			// Establish a TLS connection with the client.
+			tlsConn := tls.Server(s.conn, s.srv.TLSConfig)
+			err := tlsConn.Handshake()
+			if err != nil {
+				s.writef("403 4.7.0 TLS handshake failed")
+				break
+			}
+
+			// TLS handshake succeeded, switch to using the TLS connection.
+			s.conn = tlsConn
+			s.br = bufio.NewReader(s.conn)
+			s.bw = bufio.NewWriter(s.conn)
+			s.tls = true
+
+			// RFC 3207 specifies that the server must discard any prior knowledge obtained from the client.
+			s.remoteName = ""
+			from = ""
+			gotFrom = false
+			to = nil
+			buffer.Reset()
+		case "AUTH":
+			if s.srv.TLSConfig != nil && s.srv.TLSRequired && !s.tls {
+				s.writef("530 5.7.0 Must issue a STARTTLS command first")
+				break
+			}
+			// Handle case where AUTH is requested but not configured (and therefore not listed as a service extension).
+			if s.srv.AuthHandler == nil {
+				s.writef("502 5.5.1 Command not implemented")
+				break
+			}
+
+			// Handle case where AUTH is received when already authenticated.
+			if s.authenticated {
+				s.writef("503 5.5.1 Bad sequence of commands (already authenticated for this session)")
+				break
+			}
+
+			// RFC 4954 specifies that AUTH is not permitted during mail transactions.
+			if gotFrom || len(to) > 0 {
+				s.writef("503 5.5.1 Bad sequence of commands (AUTH not permitted during mail transaction)")
+				break
+			}
+
+			// RFC 4954 requires a mechanism parameter.
+			authType, authArgs := s.parseLine(args)
+			if authType == "" {
+				s.writef("501 5.5.4 Malformed AUTH input (argument required)")
+				break
+			}
+
+			// RFC 4954 requires rejecting unsupported authentication mechanisms with a 504 response.
+			allowedAuth := s.authMechs()
+			if allowed, found := allowedAuth[authType]; !found || !allowed {
+				s.writef("504 5.5.4 Unrecognized authentication type")
+				break
+			}
+
+			// RFC 4954 also specifies that ESMTP code 5.5.4 ("Invalid command arguments") should be returned
+			// when attempting to use an unsupported authentication type.
+			// Many servers return 5.7.4 ("Security features not supported") instead.
+			switch authType {
+			case "PLAIN":
+				s.authenticated, err = s.handleAuthPlain(authArgs)
+			case "LOGIN":
+				s.authenticated, err = s.handleAuthLogin(authArgs)
+			case "CRAM-MD5":
+				s.authenticated, err = s.handleAuthCramMD5()
+			}
+
+			if err != nil {
+				if netErr, ok := err.(net.Error); ok && netErr.Timeout() {
+					s.writef("421 4.4.2 %s %s ESMTP Service closing transmission channel after timeout exceeded", s.srv.Hostname, s.srv.AppName)
+					break loop
+				}
+
+				s.writef(err.Error())
+				break
+			}
+
+			if s.authenticated {
+				s.writef("235 2.7.0 Authentication successful")
+			} else {
+				s.writef("535 5.7.8 Authentication credentials invalid")
+			}
+		default:
+			// See RFC 5321 section 4.2.4 for usage of 500 & 502 response codes.
+			s.writef("500 5.5.2 Syntax error, command unrecognized")
+		}
+	}
+}
+
+// Wrapper function for writing a complete line to the socket.
+func (s *session) writef(format string, args ...interface{}) {
+	if s.srv.Timeout > 0 {
+		_ = s.conn.SetWriteDeadline(time.Now().Add(s.srv.Timeout))
+	}
+
+	line := fmt.Sprintf(format, args...)
+	fmt.Fprintf(s.bw, line+"\r\n")
+	_ = s.bw.Flush()
+
+	if Debug {
+		verb := "WROTE"
+		if s.srv.LogWrite != nil {
+			s.srv.LogWrite(s.remoteIP, verb, line)
+		} else {
+			log.Println(s.remoteIP, verb, line)
+		}
+	}
+}
+
+// Read a complete line from the socket.
+func (s *session) readLine() (string, error) {
+	if s.srv.Timeout > 0 {
+		_ = s.conn.SetReadDeadline(time.Now().Add(s.srv.Timeout))
+	}
+
+	line, err := s.br.ReadString('\n')
+	if err != nil {
+		return "", err
+	}
+	line = strings.TrimSpace(line) // Strip trailing \r\n
+
+	if Debug {
+		verb := "READ"
+		if s.srv.LogRead != nil {
+			s.srv.LogRead(s.remoteIP, verb, line)
+		} else {
+			log.Println(s.remoteIP, verb, line)
+		}
+	}
+
+	return line, err
+}
+
+// Parse a line read from the socket.
+func (s *session) parseLine(line string) (verb string, args string) {
+	if idx := strings.Index(line, " "); idx != -1 {
+		verb = strings.ToUpper(line[:idx])
+		args = strings.TrimSpace(line[idx+1:])
+	} else {
+		verb = strings.ToUpper(line)
+		args = ""
+	}
+	return verb, args
+}
+
+// Read the message data following a DATA command.
+func (s *session) readData() ([]byte, error) {
+	var data []byte
+	for {
+		if s.srv.Timeout > 0 {
+			_ = s.conn.SetReadDeadline(time.Now().Add(s.srv.Timeout))
+		}
+
+		line, err := s.br.ReadBytes('\n')
+		if err != nil {
+			return nil, err
+		}
+		// Handle end of data denoted by lone period (\r\n.\r\n)
+		if bytes.Equal(line, []byte(".\r\n")) {
+			break
+		}
+		// Remove leading period (RFC 5321 section 4.5.2)
+		if line[0] == '.' {
+			line = line[1:]
+		}
+
+		// Enforce the maximum message size limit.
+		if s.srv.MaxSize > 0 {
+			if len(data)+len(line) > s.srv.MaxSize {
+				_, _ = s.br.Discard(s.br.Buffered()) // Discard the buffer remnants.
+				return nil, maxSizeExceeded(s.srv.MaxSize)
+			}
+		}
+
+		data = append(data, line...)
+	}
+	return data, nil
+}
+
+// Create the Received header to comply with RFC 2821 section 3.8.2.
+// TODO: Work out what to do with multiple to addresses.
+func (s *session) makeHeaders(to []string) []byte {
+	var buffer bytes.Buffer
+	now := time.Now().Format("Mon, 2 Jan 2006 15:04:05 -0700 (MST)")
+	buffer.WriteString(fmt.Sprintf("Received: from %s (%s [%s])\r\n", s.remoteName, s.remoteHost, s.remoteIP))
+	buffer.WriteString(fmt.Sprintf("        by %s (%s) with SMTP\r\n", s.srv.Hostname, s.srv.AppName))
+	buffer.WriteString(fmt.Sprintf("        for <%s>; %s\r\n", to[0], now))
+	return buffer.Bytes()
+}
+
+// Determine allowed authentication mechanisms.
+// RFC 4954 specifies that plaintext authentication mechanisms such as LOGIN and PLAIN require a TLS connection.
+// This can be explicitly overridden e.g. setting s.srv.AuthMechs["LOGIN"] = true.
+func (s *session) authMechs() (mechs map[string]bool) {
+	mechs = map[string]bool{"LOGIN": s.tls, "PLAIN": s.tls, "CRAM-MD5": true}
+
+	for mech := range mechs {
+		allowed, found := s.srv.AuthMechs[mech]
+		if found {
+			mechs[mech] = allowed
+		}
+	}
+
+	return
+}
+
+// Create the greeting string sent in response to an EHLO command.
+func (s *session) makeEHLOResponse() (response string) {
+	response = fmt.Sprintf("250-%s greets %s\r\n", s.srv.Hostname, s.remoteName)
+
+	// RFC 1870 specifies that "SIZE 0" indicates no maximum size is in force.
+	response += fmt.Sprintf("250-SIZE %d\r\n", s.srv.MaxSize)
+
+	// Only list STARTTLS if TLS is configured, but not currently in use.
+	if s.srv.TLSConfig != nil && !s.tls {
+		response += "250-STARTTLS\r\n"
+	}
+
+	// Only list AUTH if an AuthHandler is configured and at least one mechanism is allowed.
+	if s.srv.AuthHandler != nil {
+		var mechs []string
+		for mech, allowed := range s.authMechs() {
+			if allowed {
+				mechs = append(mechs, mech)
+			}
+		}
+		if len(mechs) > 0 {
+			response += "250-AUTH " + strings.Join(mechs, " ") + "\r\n"
+		}
+	}
+
+	response += "250 ENHANCEDSTATUSCODES"
+	return
+}
+
+func (s *session) handleAuthLogin(arg string) (bool, error) {
+	var err error
+
+	if arg == "" {
+		s.writef("334 " + base64.StdEncoding.EncodeToString([]byte("Username:")))
+		arg, err = s.readLine()
+		if err != nil {
+			return false, err
+		}
+	}
+
+	username, err := base64.StdEncoding.DecodeString(arg)
+	if err != nil {
+		return false, errors.New("501 5.5.2 Syntax error (unable to decode)")
+	}
+
+	s.writef("334 " + base64.StdEncoding.EncodeToString([]byte("Password:")))
+	line, err := s.readLine()
+	if err != nil {
+		return false, err
+	}
+
+	password, err := base64.StdEncoding.DecodeString(line)
+	if err != nil {
+		return false, errors.New("501 5.5.2 Syntax error (unable to decode)")
+	}
+
+	// Validate credentials.
+	authenticated, err := s.srv.AuthHandler(s.conn.RemoteAddr(), "LOGIN", username, password, nil)
+
+	return authenticated, err
+}
+
+func (s *session) handleAuthPlain(arg string) (bool, error) {
+	var err error
+
+	// If fast mode (AUTH PLAIN [arg]) is not used, prompt for credentials.
+	if arg == "" {
+		s.writef("334 ")
+		arg, err = s.readLine()
+		if err != nil {
+			return false, err
+		}
+	}
+
+	data, err := base64.StdEncoding.DecodeString(arg)
+	if err != nil {
+		return false, errors.New("501 5.5.2 Syntax error (unable to decode)")
+	}
+
+	parts := bytes.Split(data, []byte{0})
+	if len(parts) != 3 {
+		return false, errors.New("501 5.5.2 Syntax error (unable to parse)")
+	}
+
+	// Validate credentials.
+	authenticated, err := s.srv.AuthHandler(s.conn.RemoteAddr(), "PLAIN", parts[1], parts[2], nil)
+
+	return authenticated, err
+}
+
+func (s *session) handleAuthCramMD5() (bool, error) {
+	shared := "<" + strconv.Itoa(os.Getpid()) + "." + strconv.Itoa(time.Now().Nanosecond()) + "@" + s.srv.Hostname + ">"
+
+	s.writef("334 " + base64.StdEncoding.EncodeToString([]byte(shared)))
+
+	data, err := s.readLine()
+	if err != nil {
+		return false, err
+	}
+
+	if data == "*" {
+		return false, errors.New("501 5.7.0 Authentication cancelled")
+	}
+
+	buf, err := base64.StdEncoding.DecodeString(data)
+	if err != nil {
+		return false, errors.New("501 5.5.2 Syntax error (unable to decode)")
+	}
+
+	fields := strings.Split(string(buf), " ")
+	if len(fields) < 2 {
+		return false, errors.New("501 5.5.2 Syntax error (unable to parse)")
+	}
+
+	// Validate credentials.
+	authenticated, err := s.srv.AuthHandler(s.conn.RemoteAddr(), "CRAM-MD5", []byte(fields[0]), []byte(fields[1]), []byte(shared))
+
+	return authenticated, err
+}
--- a/server/smtpd/relay.go
+++ b/server/smtpd/relay.go
@@ -4,46 +4,61 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	"net/mail"
 	"net/smtp"
+	"strings"

 	"github.com/axllent/mailpit/config"
 	"github.com/axllent/mailpit/internal/logger"
 )

-func allowedRecipients(to []string) []string {
-	if config.SMTPRelayConfig.RecipientAllowlistRegexp == nil {
-		return to
+func autoRelayMessage(from string, to []string, data *[]byte) {
+	if config.SMTPRelayConfig.BlockedRecipientsRegexp != nil {
+		filteredTo := []string{}
+		for _, address := range to {
+			if config.SMTPRelayConfig.BlockedRecipientsRegexp.MatchString(address) {
+				logger.Log().Debugf("[smtp] ignoring auto-relay to %s: found in blocklist", address)
+				continue
+			}
+
+			filteredTo = append(filteredTo, address)
+		}
+		to = filteredTo
 	}

-	var ar []string
+	if len(to) == 0 {
+		return
+	}

-	for _, recipient := range to {
-		address, err := mail.ParseAddress(recipient)
-
-		if err != nil {
-			logger.Log().Warnf("ignoring invalid email address: %s", recipient)
-			continue
-		}
-
-		if !config.SMTPRelayConfig.RecipientAllowlistRegexp.MatchString(address.Address) {
-			logger.Log().Debugf("[smtp] not allowed to relay to %s: does not match the allowlist %s", recipient, config.SMTPRelayConfig.RecipientAllowlist)
+	if config.SMTPRelayAll {
+		if err := Relay(from, to, *data); err != nil {
+			logger.Log().Errorf("[smtp] error relaying message: %s", err.Error())
 		} else {
-			ar = append(ar, recipient)
+			logger.Log().Debugf("[smtp] auto-relay message to %s from %s via %s:%d",
+				strings.Join(to, ", "), from, config.SMTPRelayConfig.Host, config.SMTPRelayConfig.Port)
+		}
+	} else if config.SMTPRelayMatchingRegexp != nil {
+		filtered := []string{}
+		for _, t := range to {
+			if config.SMTPRelayMatchingRegexp.MatchString(t) {
+				filtered = append(filtered, t)
+			}
+		}
+
+		if len(filtered) == 0 {
+			return
+		}
+
+		if err := Relay(from, filtered, *data); err != nil {
+			logger.Log().Errorf("[smtp] error relaying message: %s", err.Error())
+		} else {
+			logger.Log().Debugf("[smtp] auto-relay message to %s from %s via %s:%d",
+				strings.Join(filtered, ", "), from, config.SMTPRelayConfig.Host, config.SMTPRelayConfig.Port)
 		}
 	}
-
-	return ar
 }

-// Send will connect to a pre-configured SMTP server and send a message to one or more recipients.
-func Send(from string, to []string, msg []byte) error {
-	recipients := allowedRecipients(to)
-
-	if len(recipients) == 0 {
-		return errors.New("no valid recipients")
-	}
-
+// Relay will connect to a pre-configured SMTP server and send a message to one or more recipients.
+func Relay(from string, to []string, msg []byte) error {
 	addr := fmt.Sprintf("%s:%d", config.SMTPRelayConfig.Host, config.SMTPRelayConfig.Port)

 	c, err := smtp.Dial(addr)
@@ -75,7 +90,7 @@ func Send(from string, to []string, msg []byte) error {
 		return fmt.Errorf("error response to MAIL command: %s", err.Error())
 	}

-	for _, addr := range recipients {
+	for _, addr := range to {
 		if err = c.Rcpt(addr); err != nil {
 			logger.Log().Warnf("error response to RCPT command for %s: %s", addr, err.Error())
 		}
--- a/server/smtpd/server.go
+++ b/server/smtpd/server.go
@@ -14,16 +14,26 @@ import (
 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/stats"
 	"github.com/axllent/mailpit/internal/storage"
+	"github.com/axllent/mailpit/internal/tools"
+	"github.com/axllent/mailpit/server/websockets"
 	"github.com/lithammer/shortuuid/v4"
-	"github.com/mhale/smtpd"
 )

 var (
 	// DisableReverseDNS allows rDNS to be disabled
 	DisableReverseDNS bool
+
+	warningResponse = regexp.MustCompile(`^4\d\d `)
+	errorResponse   = regexp.MustCompile(`^5\d\d `)
 )

-func mailHandler(origin net.Addr, from string, to []string, data []byte) error {
+// MailHandler handles the incoming message to store in the database
+func mailHandler(origin net.Addr, from string, to []string, data []byte) (string, error) {
+	return SaveToDatabase(origin, from, to, data)
+}
+
+// SaveToDatabase will attempt to save a message to the database
+func SaveToDatabase(origin net.Addr, from string, to []string, data []byte) (string, error) {
 	if !config.SMTPStrictRFCHeaders {
 		// replace all <CR><CR><LF> (\r\r\n) with <CR><LF> (\r\n)
 		// @see https://github.com/axllent/mailpit/issues/87 & https://github.com/axllent/mailpit/issues/153
@@ -32,9 +42,9 @@ func mailHandler(origin net.Addr, from string, to []string, data []byte) error {

 	msg, err := mail.ReadMessage(bytes.NewReader(data))
 	if err != nil {
-		logger.Log().Errorf("[smtpd] error parsing message: %s", err.Error())
+		logger.Log().Warnf("[smtpd] error parsing message: %s", err.Error())
 		stats.LogSMTPRejected()
-		return err
+		return "", err
 	}

 	// check / set the Return-Path based on SMTP from
@@ -70,18 +80,12 @@ func mailHandler(origin net.Addr, from string, to []string, data []byte) error {
 		if storage.MessageIDExists(messageID) {
 			logger.Log().Debugf("[smtpd] duplicate message found, ignoring %s", messageID)
 			stats.LogSMTPIgnored()
-			return nil
+			return "", nil
 		}
 	}

-	// if enabled, this will route the email 1:1 through to the preconfigured smtp server
-	if config.SMTPRelayAllIncoming {
-		if err := Send(from, to, data); err != nil {
-			logger.Log().Warnf("[smtp] error relaying message: %s", err.Error())
-		} else {
-			logger.Log().Debugf("[smtp] relayed message from %s via %s:%d", from, config.SMTPRelayConfig.Host, config.SMTPRelayConfig.Port)
-		}
-	}
+	// if enabled, this may conditionally relay the email through to the preconfigured smtp server
+	autoRelayMessage(from, to, &data)

 	// build array of all addresses in the header to compare to the []to array
 	emails, hasBccHeader := scanAddressesInHeader(msg.Header)
@@ -123,10 +127,10 @@ func mailHandler(origin net.Addr, from string, to []string, data []byte) error {
 		logger.Log().Debugf("[smtpd] added missing addresses to Bcc header: %s", strings.Join(missingAddresses, ", "))
 	}

-	_, err = storage.Store(&data)
+	id, err := storage.Store(&data)
 	if err != nil {
 		logger.Log().Errorf("[db] error storing message: %s", err.Error())
-		return err
+		return "", err
 	}

 	stats.LogSMTPAccepted(len(data))
@@ -136,7 +140,7 @@ func mailHandler(origin net.Addr, from string, to []string, data []byte) error {
 	subject := msg.Header.Get("Subject")
 	logger.Log().Debugf("[smtpd] received (%s) from:%s subject:%q", cleanIP(origin), from, subject)

-	return nil
+	return id, err
 }

 func authHandler(remoteAddr net.Addr, mechanism string, username []byte, password []byte, _ []byte) (bool, error) {
@@ -177,34 +181,63 @@ func handlerRcpt(remoteAddr net.Addr, from string, to string) bool {
 func Listen() error {
 	if config.SMTPAuthAllowInsecure {
 		if auth.SMTPCredentials != nil {
-			logger.Log().Info("[smtpd] enabling login auth (insecure)")
+			logger.Log().Info("[smtpd] enabling login authentication (insecure)")
 		} else if config.SMTPAuthAcceptAny {
-			logger.Log().Info("[smtpd] enabling all auth (insecure)")
+			logger.Log().Info("[smtpd] enabling any authentication (insecure)")
 		}
 	} else {
 		if auth.SMTPCredentials != nil {
-			logger.Log().Info("[smtpd] enabling login auth (TLS)")
+			logger.Log().Info("[smtpd] enabling login authentication")
 		} else if config.SMTPAuthAcceptAny {
-			logger.Log().Info("[smtpd] enabling any auth (TLS)")
+			logger.Log().Info("[smtpd] enabling any authentication")
 		}
 	}

-	logger.Log().Infof("[smtpd] starting on %s", config.SMTPListen)
-
 	return listenAndServe(config.SMTPListen, mailHandler, authHandler)
 }

-func listenAndServe(addr string, handler smtpd.Handler, authHandler smtpd.AuthHandler) error {
-	srv := &smtpd.Server{
+// Translate the smtpd verb from READ/WRITE
+func verbLogTranslator(verb string) string {
+	if verb == "READ" {
+		return "received"
+	}
+
+	return "response"
+}
+
+func listenAndServe(addr string, handler MsgIDHandler, authHandler AuthHandler) error {
+
+	socketAddr, perm, isSocket := tools.UnixSocket(addr)
+
+	Debug = true // to enable Mailpit logging
+	srv := &Server{
 		Addr:              addr,
-		Handler:           handler,
+		MsgIDHandler:      handler,
 		HandlerRcpt:       handlerRcpt,
-		Appname:           "Mailpit",
+		AppName:           "Mailpit",
 		Hostname:          "",
 		AuthHandler:       nil,
 		AuthRequired:      false,
 		MaxRecipients:     config.SMTPMaxRecipients,
 		DisableReverseDNS: DisableReverseDNS,
+		LogRead: func(remoteIP, verb, line string) {
+			logger.Log().Debugf("[smtpd] %s (%s) %s", verbLogTranslator(verb), remoteIP, line)
+		},
+		LogWrite: func(remoteIP, verb, line string) {
+			if warningResponse.MatchString(line) {
+				logger.Log().Warnf("[smtpd] %s (%s) %s", verbLogTranslator(verb), remoteIP, line)
+				websockets.BroadCastClientError("warning", "smtpd", remoteIP, line)
+			} else if errorResponse.MatchString(line) {
+				logger.Log().Errorf("[smtpd] %s (%s) %s", verbLogTranslator(verb), remoteIP, line)
+				websockets.BroadCastClientError("error", "smtpd", remoteIP, line)
+			} else {
+				logger.Log().Debugf("[smtpd] %s (%s) %s", verbLogTranslator(verb), remoteIP, line)
+			}
+		},
+	}
+
+	if config.Label != "" {
+		srv.AppName = fmt.Sprintf("Mailpit (%s)", config.Label)
 	}

 	if config.SMTPAuthAllowInsecure {
@@ -221,12 +254,46 @@ func listenAndServe(addr string, handler smtpd.Handler, authHandler smtpd.AuthHa
 	}

 	if config.SMTPTLSCert != "" {
-		srv.TLSRequired = config.SMTPTLSRequired
+		srv.TLSRequired = config.SMTPRequireSTARTTLS
+		srv.TLSListener = config.SMTPRequireTLS // if true overrules srv.TLSRequired
 		if err := srv.ConfigureTLS(config.SMTPTLSCert, config.SMTPTLSKey); err != nil {
 			return err
 		}
 	}

+	if isSocket {
+		srv.Addr = socketAddr
+		srv.Protocol = "unix"
+		srv.SocketPerm = perm
+
+		if err := tools.PrepareSocket(srv.Addr); err != nil {
+			storage.Close()
+			return err
+		}
+
+		// delete the Unix socket file on exit
+		storage.AddTempFile(srv.Addr)
+
+		logger.Log().Infof("[smtpd] starting on %s", config.SMTPListen)
+	} else {
+		smtpType := "no encryption"
+
+		if config.SMTPTLSCert != "" {
+			if config.SMTPRequireSTARTTLS {
+				smtpType = "STARTTLS required"
+			} else if config.SMTPRequireTLS {
+				smtpType = "SSL/TLS required"
+			} else {
+				smtpType = "STARTTLS optional"
+				if !config.SMTPAuthAllowInsecure && auth.SMTPCredentials != nil {
+					smtpType = "STARTTLS required"
+				}
+			}
+		}
+
+		logger.Log().Infof("[smtpd] starting on %s (%s)", config.SMTPListen, smtpType)
+	}
+
 	return srv.ListenAndServe()
 }

--- a/server/ui-src/App.vue
+++ b/server/ui-src/App.vue
@@ -2,6 +2,7 @@
 import CommonMixins from './mixins/CommonMixins'
 import Favicon from './components/Favicon.vue'
 import Notifications from './components/Notifications.vue'
+import EditTags from './components/EditTags.vue'
 import { RouterView } from 'vue-router'
 import { mailbox } from "./stores/mailbox"

@@ -11,15 +12,20 @@ export default {
 	components: {
 		Favicon,
 		Notifications,
+		EditTags
 	},

 	beforeMount() {
-		document.title = document.title + ' - ' + location.hostname
-		mailbox.showTagColors = !localStorage.getItem('hideTagColors') == '1'

 		// load global config
 		this.get(this.resolve('/api/v1/webui'), false, function (response) {
 			mailbox.uiConfig = response.data
+
+			if (mailbox.uiConfig.Label) {
+				document.title = document.title + ' - ' + mailbox.uiConfig.Label
+			} else {
+				document.title = document.title + ' - ' + location.hostname
+			}
 		})
 	},

@@ -37,4 +43,5 @@ export default {
 	<RouterView />
 	<Favicon />
 	<Notifications />
+	<EditTags />
 </template>
--- a/server/ui-src/app.js
+++ b/server/ui-src/app.js
@@ -1,11 +1,19 @@
 import App from './App.vue'
 import router from './router'
 import { createApp } from 'vue'
+import mitt from 'mitt';

 import './assets/styles.scss'
 import 'bootstrap-icons/font/bootstrap-icons.scss'
 import 'bootstrap'
+import 'vue-css-donut-chart/src/styles/main.css'

 const app = createApp(App)
+
+// Global event bus used to subscribe to websocket events
+// such as message deletes, updates & truncation.
+const eventBus = mitt()
+app.provide('eventBus', eventBus)
+
 app.use(router)
 app.mount('#app')
--- a/server/ui-src/assets/styles.scss
+++ b/server/ui-src/assets/styles.scss
@@ -91,44 +91,6 @@
 	}
 }

-.about-mailpit {
-	@include media-breakpoint-down(md) {
-		width: var(--bs-offcanvas-width);
-		margin-left: -1rem !important;
-	}
-}
-
-.message {
-	.subject {
-		color: $text-muted;
-
-		b {
-			color: $list-group-color;
-		}
-
-		small {
-			opacity: 0.5;
-		}
-	}
-
-	&.read {
-		color: $text-muted;
-
-		b {
-			opacity: 0.7;
-			font-weight: normal;
-			color: $list-group-color;
-		}
-
-		small {
-			opacity: 0.5;
-		}
-	}
-	&.selected {
-		background: var(--bs-primary-bg-subtle);
-	}
-}
-
 .text-spaces-nowrap {
 	white-space: pre;
 }
@@ -266,8 +228,35 @@
 	}
 }

-.list-group-item.message:first-child {
-	border-top: 0;
+#message-page {
+	.list-group-item.message:first-child {
+		border-top: 0;
+	}
+
+	.message {
+		.subject {
+			color: $text-muted;
+
+			b {
+				color: $list-group-color;
+			}
+
+			small {
+				opacity: 0.5;
+			}
+		}
+
+		&.read {
+			color: $text-muted;
+
+			b {
+				color: $list-group-color;
+			}
+		}
+		&.selected {
+			background: var(--bs-primary-bg-subtle);
+		}
+	}
 }

 body.blur {
@@ -320,16 +309,30 @@ body.blur {
 	display: none;
 }

-.form-control.dropdown {
-	padding: 0;
-	border: 0;
+.message {
+	&.read {
+		> div {
+			opacity: 0.7;
+		}

-	input {
-		font-size: 0.875em;
+		b {
+			font-weight: normal;
+		}
 	}
+}

-	div {
-		cursor: text; // html5-tags
+#message-view {
+	.form-control.dropdown {
+		padding: 0;
+		border: 0;
+
+		input {
+			font-size: 0.875em;
+		}
+
+		div {
+			cursor: text; // html5-tags
+		}
 	}
 }

@@ -355,14 +358,6 @@ body.blur {
 	}
 }

-#ReleaseModal {
-	.form-control.dropdown {
-		div {
-			@extend .form-control;
-		}
-	}
-}
-
 /* PrismJS 1.29.0 - modified!
 https://prismjs.com/download.html#themes=prism-coy&languages=markup+css */
 code[class*="language-"],
--- a/server/ui-src/components/AboutMailpit.vue
+++ b/server/ui-src/components/AboutMailpit.vue
@@ -1,5 +1,6 @@
 <script>
 import AjaxLoader from './AjaxLoader.vue'
+import Settings from '../components/Settings.vue'
 import CommonMixins from '../mixins/CommonMixins'
 import { mailbox } from '../stores/mailbox'

@@ -7,7 +8,8 @@ export default {
 	mixins: [CommonMixins],

 	components: {
-		AjaxLoader
+		AjaxLoader,
+		Settings,
 	},

 	props: {
@@ -20,66 +22,18 @@ export default {
 	data() {
 		return {
 			mailbox,
-			theme: 'auto',
-			icon: 'circle-half',
-			icons: {
-				'auto': 'circle-half',
-				'light': 'sun-fill',
-				'dark': 'moon-stars-fill'
-			},
 		}
 	},

-	mounted() {
-		this.setTheme(this.getPreferredTheme())
-	},
-
 	methods: {
-		loadInfo: function () {
-			let self = this
-			self.get(self.resolve('/api/v1/info'), false, function (response) {
+		loadInfo() {
+			this.get(this.resolve('/api/v1/info'), false, (response) => {
 				mailbox.appInfo = response.data
-				self.modal('AppInfoModal').show()
+				this.modal('AppInfoModal').show()
 			})
 		},

-		getStoredTheme: function () {
-			let theme = localStorage.getItem('theme')
-			if (!theme) {
-				theme = 'auto'
-			}
-
-			return theme
-		},
-
-		setStoredTheme: function (theme) {
-			localStorage.setItem('theme', theme)
-			this.setTheme(theme)
-		},
-
-		getPreferredTheme: function () {
-			const storedTheme = this.getStoredTheme()
-			if (storedTheme) {
-				return storedTheme
-			}
-
-			return window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light'
-		},
-
-		setTheme: function (theme) {
-			this.icon = this.icons[theme]
-			this.theme = theme
-			if (
-				theme === 'auto' &&
-				window.matchMedia('(prefers-color-scheme: dark)').matches
-			) {
-				document.documentElement.setAttribute('data-bs-theme', 'dark')
-			} else {
-				document.documentElement.setAttribute('data-bs-theme', theme)
-			}
-		},
-
-		requestNotifications: function () {
+		requestNotifications() {
 			// check if the browser supports notifications
 			if (!("Notification" in window)) {
 				alert("This browser does not support desktop notifications")
@@ -87,11 +41,12 @@ export default {

 			// we need to ask the user for permission
 			else if (Notification.permission !== "denied") {
-				let self = this
-				Notification.requestPermission().then(function (permission) {
+				Notification.requestPermission().then((permission) => {
 					if (permission === "granted") {
 						mailbox.notificationsEnabled = true
 					}
+
+					this.modal('EnableNotificationsModal').hide()
 				})
 			}
 		},
@@ -101,42 +56,16 @@ export default {

 <template>
 	<template v-if="!modals">
-		<div class="position-fixed bg-body bottom-0 ms-n1 py-2 text-muted small col-xl-2 col-md-3 pe-3 z-3 about-mailpit">
-			<button class="text-muted btn btn-sm" v-on:click="loadInfo">
+		<div class="bg-body ms-sm-n1 me-sm-n1 py-2 text-muted small about-mailpit">
+			<button class="text-muted btn btn-sm" v-on:click="loadInfo()">
 				<i class="bi bi-info-circle-fill me-1"></i>
 				About
 			</button>

-			<div class="dropdown bd-mode-toggle float-end me-2 d-inline-block">
-				<button class="btn btn-sm btn-outline-secondary dropdown-toggle" type="button" aria-expanded="false"
-					title="Toggle theme" data-bs-toggle="dropdown" aria-label="Toggle theme">
-					<i :class="'bi bi-' + icon + ' my-1'"></i>
-					<span class="visually-hidden" id="bd-theme-text">Toggle theme</span>
-				</button>
-				<ul class="dropdown-menu dropdown-menu-end shadow" aria-labelledby="bd-theme-text">
-					<li>
-						<button type="button" class="dropdown-item d-flex align-items-center"
-							:class="theme == 'light' ? 'active' : ''" @click="setStoredTheme('light')">
-							<i class="bi bi-sun-fill me-2 opacity-50"></i>
-							Light
-						</button>
-					</li>
-					<li>
-						<button type="button" class="dropdown-item d-flex align-items-center"
-							:class="theme == 'dark' ? 'active' : ''" @click="setStoredTheme('dark')">
-							<i class="bi bi-moon-stars-fill me-2 opacity-50"></i>
-							Dark
-						</button>
-					</li>
-					<li>
-						<button type="button" class="dropdown-item d-flex align-items-center"
-							:class="theme == 'auto' ? 'active' : ''" @click="setStoredTheme('auto')">
-							<i class="bi bi-circle-half me-2 opacity-50"></i>
-							Auto
-						</button>
-					</li>
-				</ul>
-			</div>
+			<button class="btn btn-sm btn-outline-secondary float-end" data-bs-toggle="modal"
+				data-bs-target="#SettingsModal" title="Mailpit UI settings">
+				<i class="bi bi-gear-fill"></i>
+			</button>

 			<button class="btn btn-sm btn-outline-secondary float-end me-2" data-bs-toggle="modal"
 				data-bs-target="#EnableNotificationsModal" title="Enable browser notifications"
@@ -163,15 +92,20 @@ export default {
 						<div class="row g-3">
 							<div class="col-xl-6">
 								<div class="row g-3" v-if="mailbox.appInfo.LatestVersion == ''">
-									<div class="alert alert-warning mb-3">
-										There might be a newer version available. The check failed.
+									<div class="col">
+										<div class="alert alert-warning mb-3">
+											There might be a newer version available. The check failed.
+										</div>
 									</div>
 								</div>
-								<div class="row g-3" v-else-if="mailbox.appInfo.Version != mailbox.appInfo.LatestVersion">
-									<a class="btn btn-warning d-block mb-3"
-										:href="'https://github.com/axllent/mailpit/releases/tag/' + mailbox.appInfo.LatestVersion">
-										A new version of Mailpit ({{ mailbox.appInfo.LatestVersion }}) is available.
-									</a>
+								<div class="row g-3"
+									v-else-if="mailbox.appInfo.Version != mailbox.appInfo.LatestVersion">
+									<div class="col">
+										<a class="btn btn-warning d-block mb-3"
+											:href="'https://github.com/axllent/mailpit/releases/tag/' + mailbox.appInfo.LatestVersion">
+											A new version of Mailpit ({{ mailbox.appInfo.LatestVersion }}) is available.
+										</a>
+									</div>
 								</div>
 								<div class="row g-3">
 									<div class="col-12">
@@ -197,7 +131,8 @@ export default {
 										<div class="card border-secondary text-center">
 											<div class="card-header">Database size</div>
 											<div class="card-body text-secondary">
-												<h5 class="card-title">{{ getFileSize(mailbox.appInfo.DatabaseSize) }} </h5>
+												<h5 class="card-title">{{ getFileSize(mailbox.appInfo.DatabaseSize) }}
+												</h5>
 											</div>
 										</div>
 									</div>
@@ -205,18 +140,20 @@ export default {
 										<div class="card border-secondary text-center">
 											<div class="card-header">RAM usage</div>
 											<div class="card-body text-secondary">
-												<h5 class="card-title">{{ getFileSize(mailbox.appInfo.RuntimeStats.Memory)
-												}} </h5>
+												<h5 class="card-title">
+													{{ getFileSize(mailbox.appInfo.RuntimeStats.Memory) }}
+												</h5>
 											</div>
 										</div>
 									</div>
 								</div>
 							</div>
 							<div class="col-xl-6">
-								<div class="card border-secondary">
+								<div class="card border-secondary h-100">
 									<div class="card-header h4">
 										Runtime statistics
-										<button class="btn btn-sm btn-outline-secondary float-end" v-on:click="loadInfo">
+										<button class="btn btn-sm btn-outline-secondary float-end"
+											v-on:click="loadInfo()">
 											Refresh
 										</button>
 									</div>
@@ -285,8 +222,8 @@ export default {
 			</div>
 		</div>

-		<div class="modal fade" id="EnableNotificationsModal" tabindex="-1" aria-labelledby="EnableNotificationsModalLabel"
-			aria-hidden="true">
+		<div class="modal fade" id="EnableNotificationsModal" tabindex="-1"
+			aria-labelledby="EnableNotificationsModalLabel" aria-hidden="true">
 			<div class="modal-dialog modal-lg">
 				<div class="modal-content">
 					<div class="modal-header">
@@ -298,17 +235,21 @@ export default {
 						<p>
 							Note that your browser will ask you for confirmation when you click
 							<code>enable notifications</code>,
-							and that you must have Mailpit open in a browser tab to be able to receive the notifications.
+							and that you must have Mailpit open in a browser tab to be able to receive the
+							notifications.
 						</p>
 					</div>
 					<div class="modal-footer">
 						<button type="button" class="btn btn-outline-secondary" data-bs-dismiss="modal">Cancel</button>
-						<button type="button" class="btn btn-success" data-bs-dismiss="modal"
-							v-on:click="requestNotifications">Enable notifications</button>
+						<button type="button" class="btn btn-success" v-on:click="requestNotifications">
+							Enable notifications
+						</button>
 					</div>
 				</div>
 			</div>
 		</div>
+
+		<Settings />
 	</template>

 	<AjaxLoader :loading="loading" />
--- a/server/ui-src/components/EditTags.vue
+++ b/server/ui-src/components/EditTags.vue
@@ -0,0 +1,119 @@
+<script>
+import CommonMixins from '../mixins/CommonMixins'
+import { mailbox } from '../stores/mailbox'
+
+export default {
+	mixins: [CommonMixins],
+
+	data() {
+		return {
+			mailbox,
+			editableTags: [],
+			validTagRe: new RegExp(/^([a-zA-Z0-9\-\ \_\.]){1,}$/),
+			tagToDelete: false,
+		}
+	},
+
+	watch: {
+		'mailbox.tags': {
+			handler(tags) {
+				this.editableTags = []
+				tags.forEach((t) => {
+					this.editableTags.push({ before: t, after: t })
+				})
+			},
+			deep: true
+		}
+	},
+
+	methods: {
+		validTag(t) {
+			if (!t.after.match(/^([a-zA-Z0-9\-\ \_\.]){1,}$/)) {
+				return false
+			}
+
+			const lower = t.after.toLowerCase()
+			for (let x = 0; x < this.editableTags.length; x++) {
+				if (this.editableTags[x].before != t.before && lower == this.editableTags[x].before.toLowerCase()) {
+					return false
+				}
+			}
+
+			return true
+		},
+
+		renameTag(t) {
+			if (!this.validTag(t) || t.before == t.after) {
+				return
+			}
+
+			this.put(this.resolve(`/api/v1/tags/` + encodeURI(t.before)), { Name: t.after }, () => {
+				// the API triggers a reload via websockets
+			})
+		},
+
+		deleteTag() {
+			this.delete(this.resolve(`/api/v1/tags/` + encodeURI(this.tagToDelete.before)), null, () => {
+				// the API triggers a reload via websockets
+				this.tagToDelete = false
+			})
+		},
+
+		resetTagEdit(t) {
+			for (let x = 0; x < this.editableTags.length; x++) {
+				if (this.editableTags[x].before != t.before && this.editableTags[x].before != this.editableTags[x].after) {
+					this.editableTags[x].after = this.editableTags[x].before
+				}
+			}
+		}
+	}
+}
+</script>
+
+<template>
+	<div class="modal fade" id="EditTagsModal" tabindex="-1" aria-labelledby="EditTagsModalLabel" aria-hidden="true"
+		data-bs-keyboard="false">
+		<div class="modal-dialog modal-lg">
+			<div class="modal-content">
+				<div class="modal-header">
+					<h5 class="modal-title" id="EditTagsModalLabel">Edit tags</h5>
+					<button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+				</div>
+				<div class="modal-body">
+					<p>
+						Renaming a tag will update the tag for all messages. Deleting a tag will only delete the tag
+						itself, and not any messages which had the tag.
+					</p>
+					<div class="mb-3" v-for="t in editableTags">
+						<div class="input-group has-validation">
+							<input type="text" class="form-control" :class="!validTag(t) ? 'is-invalid' : ''"
+								v-model.trim="t.after" aria-describedby="inputGroupPrepend" required
+								@keydown.enter="renameTag(t)" @keydown.esc="t.after = t.before"
+								@focus="resetTagEdit(t)">
+							<button v-if="t.before != t.after" class="btn btn-success"
+								@click="renameTag(t)">Save</button>
+							<template v-else>
+								<button class="btn btn-outline-danger"
+									:class="tagToDelete.before == t.before ? 'text-white btn-danger' : ''"
+									@click="!tagToDelete ? tagToDelete = t : deleteTag()" @blur="tagToDelete = false">
+									<template v-if="tagToDelete == t">
+										Confirm?
+									</template>
+									<template v-else>
+										Delete
+									</template>
+								</button>
+							</template>
+							<div class="invalid-feedback">
+								Invalid tag name
+							</div>
+						</div>
+					</div>
+				</div>
+				<div class="modal-footer">
+					<button type="button" class="btn btn-outline-secondary" data-bs-dismiss="modal">Close</button>
+				</div>
+			</div>
+		</div>
+	</div>
+</template>
--- a/server/ui-src/components/Favicon.vue
+++ b/server/ui-src/components/Favicon.vue
@@ -39,10 +39,9 @@ export default {
            }

            this.iconProcessing = true
-            let self = this

            window.setTimeout(() => {
-                self.icoUpdate()
+                this.icoUpdate()
            }, this.iconTimeout)
        },
    },
--- a/server/ui-src/components/ListMessages.vue
+++ b/server/ui-src/components/ListMessages.vue
@@ -1,7 +1,8 @@
 <script>
 import { mailbox } from '../stores/mailbox'
 import CommonMixins from '../mixins/CommonMixins'
-import moment from 'moment'
+import dayjs from 'dayjs'
+import { pagination } from "../stores/pagination";

 export default {
 	mixins: [
@@ -15,39 +16,33 @@ export default {
 	data() {
 		return {
 			mailbox,
+			pagination,
 		}
 	},

+	created() {
+		const relativeTime = require('dayjs/plugin/relativeTime')
+		dayjs.extend(relativeTime)
+	},
+
 	mounted() {
-		moment.updateLocale('en', {
-			relativeTime: {
-				future: "in %s",
-				past: "%s ago",
-				s: 'seconds',
-				ss: '%d secs',
-				m: "a minute",
-				mm: "%d mins",
-				h: "an hour",
-				hh: "%d hours",
-				d: "a day",
-				dd: "%d days",
-				w: "a week",
-				ww: "%d weeks",
-				M: "a month",
-				MM: "%d months",
-				y: "a year",
-				yy: "%d years"
-			}
-		})
+		this.refreshUI()
 	},

 	methods: {
-		getRelativeCreated: function (message) {
-			let d = new Date(message.Created)
-			return moment(d).fromNow().toString()
+		refreshUI() {
+			window.setTimeout(() => {
+				this.$forceUpdate()
+				this.refreshUI()
+			}, 30000)
 		},

-		getPrimaryEmailTo: function (message) {
+		getRelativeCreated(message) {
+			const d = new Date(message.Created)
+			return dayjs(d).fromNow()
+		},
+
+		getPrimaryEmailTo(message) {
 			for (let i in message.To) {
 				return message.To[i].Address
 			}
@@ -55,11 +50,11 @@ export default {
 			return '[ Undisclosed recipients ]'
 		},

-		isSelected: function (id) {
+		isSelected(id) {
 			return mailbox.selected.indexOf(id) != -1
 		},

-		toggleSelected: function (e, id) {
+		toggleSelected(e, id) {
 			e.preventDefault()

 			if (this.isSelected(id)) {
@@ -71,7 +66,7 @@ export default {
 			}
 		},

-		selectRange: function (e, id) {
+		selectRange(e, id) {
 			e.preventDefault()

 			let selecting = false
@@ -105,6 +100,20 @@ export default {
 				}
 			}
 		},
+
+		toTagUrl(t) {
+			if (t.match(/ /)) {
+				t = `"${t}"`
+			}
+			const p = {
+				q: 'tag:' + t
+			}
+			if (pagination.limit != pagination.defaultLimit) {
+				p.limit = pagination.limit.toString()
+			}
+			const params = new URLSearchParams(p)
+			return '/search?' + params.toString()
+		},
 	}
 }
 </script>
@@ -112,29 +121,29 @@ export default {
 <template>
 	<template v-if="mailbox.messages && mailbox.messages.length">
 		<div class="list-group my-2">
-			<RouterLink v-for="message in mailbox.messages" :to="'/view/' + message.ID" :key="message.ID" :id="message.ID"
+			<RouterLink v-for="message in mailbox.messages" :to="'/view/' + message.ID" :key="message.ID"
+				:id="message.ID"
 				class="row gx-1 message d-flex small list-group-item list-group-item-action border-start-0 border-end-0"
 				:class="message.Read ? 'read' : '', isSelected(message.ID) ? 'selected' : ''"
-				v-on:click.ctrl="toggleSelected($event, message.ID)" v-on:click.shift="selectRange($event, message.ID)">
+				@click.meta="toggleSelected($event, message.ID)" @click.ctrl="toggleSelected($event, message.ID)"
+				@click.shift="selectRange($event, message.ID)">
 				<div class="col-lg-3">
 					<div class="d-lg-none float-end text-muted text-nowrap small">
 						<i class="bi bi-paperclip h6 me-1" v-if="message.Attachments"></i>
 						{{ getRelativeCreated(message) }}
 					</div>
 					<div class="text-truncate d-lg-none privacy">
-						<span v-if="message.From" :title="'From: ' + message.From.Address">{{
-							message.From.Name ?
-							message.From.Name : message.From.Address
-						}}</span>
+						<span v-if="message.From" :title="'From: ' + message.From.Address">
+							{{ message.From.Name ? message.From.Name : message.From.Address }}
+						</span>
 					</div>
 					<div class="text-truncate d-none d-lg-block privacy">
-						<b v-if="message.From" :title="'From: ' + message.From.Address">{{
-							message.From.Name ?
-							message.From.Name : message.From.Address
-						}}</b>
+						<b v-if="message.From" :title="'From: ' + message.From.Address">
+							{{ message.From.Name ? message.From.Name : message.From.Address }}
+						</b>
 					</div>
 					<div class="d-none d-lg-block text-truncate text-muted small privacy">
-						{{ getPrimaryEmailTo(message) }}
+						To: {{ getPrimaryEmailTo(message) }}
 						<span v-if="message.To && message.To.length > 1">
 							[+{{ message.To.length - 1 }}]
 						</span>
@@ -148,7 +157,8 @@ export default {
 						{{ message.Snippet }}
 					</div>
 					<div v-if="message.Tags.length">
-						<RouterLink class="badge me-1" v-for="t in message.Tags" :to="'/search?q=' + tagEncodeURI(t)"
+						<RouterLink class="badge me-1" v-for="t in message.Tags" :to="toTagUrl(t)"
+							v-on:click="pagination.start = 0"
 							:style="mailbox.showTagColors ? { backgroundColor: colorHash(t) } : { backgroundColor: '#6c757d' }"
 							:title="'Filter messages tagged with ' + t">
 							{{ t }}
--- a/server/ui-src/components/NavMailbox.vue
+++ b/server/ui-src/components/NavMailbox.vue
@@ -30,30 +30,33 @@ export default {
 	},

 	methods: {
-		reloadInbox: function () {
-			pagination.start = 0
-			this.loadMessages()
+		reloadInbox() {
+			const paginationParams = this.getPaginationParams()
+			const reload = paginationParams?.start ? false : true
+
+			this.$router.push('/')
+			if (reload) {
+				// already on first page, reload messages
+				this.loadMessages()
+			}
 		},

-
-		loadMessages: function () {
+		loadMessages() {
 			this.hideNav() // hide mobile menu
 			this.$emit('loadMessages')
 		},

-		markAllRead: function () {
-			let self = this
-			self.put(self.resolve(`/api/v1/messages`), { 'read': true }, function (response) {
+		markAllRead() {
+			this.put(this.resolve(`/api/v1/messages`), { 'read': true }, (response) => {
 				window.scrollInPlace = true
-				self.loadMessages()
+				this.loadMessages()
 			})
 		},

-		deleteAllMessages: function () {
-			let self = this
-			self.delete(self.resolve(`/api/v1/messages`), false, function (response) {
+		deleteAllMessages() {
+			this.delete(this.resolve(`/api/v1/messages`), false, (response) => {
 				pagination.start = 0
-				self.loadMessages()
+				this.loadMessages()
 			})
 		}
 	}
@@ -62,7 +65,13 @@ export default {

 <template>
 	<template v-if="!modals">
-		<div class="list-group my-2">
+		<div class="text-center badge text-bg-primary py-2 my-2 w-100" v-if="mailbox.uiConfig.Label">
+			<div class="text-truncate fw-normal">
+				{{ mailbox.uiConfig.Label }}
+			</div>
+		</div>
+
+		<div class="list-group my-2" :class="mailbox.uiConfig.Label ? 'mt-0' : ''">
 			<button @click="reloadInbox" class="list-group-item list-group-item-action active">
 				<i class="bi bi-envelope-fill me-1" v-if="mailbox.connected"></i>
 				<i class="bi bi-arrow-clockwise me-1" v-else></i>
@@ -114,7 +123,8 @@ export default {
 			</div>
 		</div>

-		<div class="modal fade" id="DeleteAllModal" tabindex="-1" aria-labelledby="DeleteAllModalLabel" aria-hidden="true">
+		<div class="modal fade" id="DeleteAllModal" tabindex="-1" aria-labelledby="DeleteAllModalLabel"
+			aria-hidden="true">
 			<div class="modal-dialog">
 				<div class="modal-content">
 					<div class="modal-header">
@@ -122,8 +132,8 @@ export default {
 						<button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
 					</div>
 					<div class="modal-body">
-						This will permanently delete {{ formatNumber(mailbox.count) }}
-						message<span v-if="mailbox.count > 1">s</span>.
+						This will permanently delete {{ formatNumber(mailbox.total) }}
+						message<span v-if="mailbox.total > 1">s</span>.
 					</div>
 					<div class="modal-footer">
 						<button type="button" class="btn btn-outline-secondary" data-bs-dismiss="modal">Cancel</button>
--- a/Show More
+++ b/Show More