Merge branch 'release/v1.29.2'

Release v1.29.2
Chore: Update caniemail test database
2026-03-03 10:47:01 +00:00 · 2026-02-25 12:28:45 +13:00 · 2026-02-25 12:28:44 +13:00 · 2026-02-25 12:10:33 +13:00 · 2026-02-25 12:09:34 +13:00 · 2026-02-25 12:07:32 +13:00
181 changed files with 23543 additions and 10360 deletions
--- a/.chglog/CHANGELOG.tpl.md
+++ b/.chglog/CHANGELOG.tpl.md
@@ -1,47 +0,0 @@
-# Changelog
-
-Notable changes to Mailpit will be documented in this file.
-
-{{ if .Versions -}}
-{{ if .Unreleased.CommitGroups -}}
-## [Unreleased]
-
-{{ if .Unreleased.CommitGroups -}}
-{{ range .Unreleased.CommitGroups -}}
-### {{ .Title }}
-{{ range .Commits -}}
- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
-{{ end }}
-{{ end }}
-{{ end -}}
-{{ end -}}
-{{ end -}}
-
-{{ range .Versions }} 
-{{- if .CommitGroups -}}
-## [{{ .Tag.Name }}]
-
-{{ if .NoteGroups -}}
-{{ range .NoteGroups -}}
-### {{ .Title }}
-{{ range .Notes }}
-{{ .Body }}
-{{ end -}}
-{{ end }}
-{{ end -}}
-{{ end -}}
-
-{{ range .CommitGroups -}}
-### {{ .Title }}
-{{ range .Commits -}}
- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
-{{ end }}
-{{ end }}
-
-{{- if .MergeCommits -}}
-### Pull Requests
-{{ range .MergeCommits -}}
- {{ .Header }}
-{{ end }}
-{{ end }}
-{{ end -}}
--- a/.chglog/RELEASE.tpl.md
+++ b/.chglog/RELEASE.tpl.md
@@ -1,12 +0,0 @@
-{{ if .Versions -}}
-{{ range .Versions }} 
-{{- if .CommitGroups -}}
-{{ range .CommitGroups -}}
-### {{ .Title }}
-{{ range .Commits -}}
- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
-{{ end }}
-{{ end -}}
-{{ end -}}
-{{ end -}}
-{{ end -}}
--- a/.chglog/config.yml
+++ b/.chglog/config.yml
@@ -1,28 +0,0 @@
-style: github
-template: CHANGELOG.tpl.md
-info:
-  title: CHANGELOG
-  repository_url: https://github.com/axllent/mailpit
-options:
-  commits:
-    # filters:
-    #   Type:
-    #     - feat
-    #     - fix
-    #     - perf
-    #     - refactor
-  commit_groups:
-    title_maps:
-      feature: Feature
-      fix: Fix
-    #   perf: Performance Improvements
-    #   refactor: Code Refactoring
-  header:
-    pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s]*)\\))?\\:\\s(.*)$"
-    pattern_maps:
-      - Type
-      - Scope
-      - Subject
-  notes:
-    keywords:
-      - BREAKING CHANGE
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +1,4 @@
 # These are supported funding model platforms

 github: [axllent]
+thanks_dev: u/gh/axllent
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -0,0 +1,21 @@
+# Reporting security vulnerabilities
+
+Your efforts to responsibly disclose your findings are appreciated.
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+If you believe you have found a security vulnerability, you can report it using one of the following methods:
+
+1. **GitHub Security Advisory (Recommended):** Use the "Report a vulnerability" button in the [Security tab](../../security/advisories/new) of this repository.
+2. **Email:** Send your findings to security@axllent.org
+
+Your report should include:
+
+- Mailpit version
+- A vulnerability description
+- Reproduction steps (if applicable)
+- Any other details you think are likely to be important
+
+You should receive an initial acknowledgement within 24 hours in most cases, and will be kept updated throughout the process.
+
+With your consent, your contributions will be publicly acknowledged.
--- a/.github/cliff.toml
+++ b/.github/cliff.toml
@@ -0,0 +1,49 @@
+## https://git-cliff.org/
+[changelog]
+body = """
+{% if version %}\
+  \n## [{{ version }}]
+{% else %}\
+  \n## Unreleased
+{% endif %}\
+{% for group, commits in commits | group_by(attribute="group") %}
+  ### {{ group | striptags | trim | upper_first }}\
+  {% for commit in commits %}
+    - {{ commit.message | upper_first }}\
+  {% endfor %}
+{% endfor %}\n
+"""
+footer = ""
+header = "# Changelog\n\nNotable changes to Mailpit will be documented in this file."
+postprocessors = [
+  {pattern = "reponse", replace = "response"},
+  {pattern = "messsage", replace = "message"},
+  {pattern = '(?i) go modules', replace = " Go dependencies"},
+  {pattern = '(?i) node modules', replace = " node dependencies"},
+  {pattern = '#([0-9]+)', replace = "[#$1](https://github.com/axllent/mailpit/issues/$1)"},
+]
+trim = true
+
+[git]
+# HTML comments added for grouping order, stripped on generation
+commit_parsers = [
+  {body = ".*security", group = "<!-- 1 -->Security"},
+  {message = "(?i)^security", group = "<!-- 1 -->Security"},
+  {message = "(?i)^feat", group = "<!-- 2 -->Feature"},
+  {message = "(?i)^chore", group = "<!-- 3 -->Chore"},
+  {message = "(?i)^libs", group = "<!-- 3 -->Chore"},
+  {message = "(?i)^ui", group = "<!-- 3 -->Chore"},
+  {message = "(?i)^api", group = "<!-- 4 -->API"},
+  {message = "(?i)^fix", group = "<!-- 5 -->Fix"},
+  {message = "(?i)^doc", group = "<!-- 6 -->Documentation", default_scope = "unscoped"},
+  {message = "(?i)^swagger", group = "<!-- 6 -->Documentation", default_scope = "unscoped"},
+  {message = "(?i)^test", group = "<!-- 7 -->Test"},
+]
+
+# Exclude commits that are not matched by any commit parser.
+# filter_commits = true
+# Order releases topologically instead of chronologically.
+# topo_order = true
+# Order of commits in each group/release within the changelog.
+# Allowed values: newest, oldest
+sort_commits = "oldest"
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,16 +8,16 @@ updates:
  - package-ecosystem: "gomod"
    directory: "/" # Location of package manifests
    schedule:
-      interval: "monthly"
+      interval: "quarterly"
  - package-ecosystem: "github-actions"
    directory: "/" # Location of package manifests
    schedule:
-      interval: "monthly"
+      interval: "quarterly"
  - package-ecosystem: "docker"
    directory: "/" # Location of package manifests
    schedule:
-      interval: "monthly"
+      interval: "quarterly"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
-      interval: "monthly"
+      interval: "quarterly"
--- a/.github/workflows/build-docker-edge.yml
+++ b/.github/workflows/build-docker-edge.yml
@@ -8,7 +8,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3
@@ -29,13 +29,16 @@ jobs:
        username: ${{ github.repository_owner }}
        password: ${{ github.token }}

+    - uses: benjlevesque/short-sha@v3.0
+      id: short-sha
+
    - name: Build and push
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6
      with:
        context: .
        platforms: linux/386,linux/amd64,linux/arm64
        build-args: |
-          "VERSION=edge-${{ github.sha }}"
+          "VERSION=edge-${{ steps.short-sha.outputs.sha }}"
        push: true
        tags: |
          axllent/mailpit:edge
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -8,7 +8,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3
@@ -37,7 +37,7 @@ jobs:
        version_extractor_regex: 'v(.*)$'

    - name: Build and push
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6
      with:
        context: .
        platforms: linux/386,linux/amd64,linux/arm64
@@ -48,6 +48,6 @@ jobs:
          axllent/mailpit:latest
          axllent/mailpit:${{ github.ref_name }}
          axllent/mailpit:v${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}
-          ghcr.io/${{ github.repository }}:latest
          ghcr.io/${{ github.repository }}:${{ github.ref_name }}
          ghcr.io/${{ github.repository }}:v${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}
+          ghcr.io/${{ github.repository }}:latest
--- a/.github/workflows/close-stale-issues.yml
+++ b/.github/workflows/close-stale-issues.yml
@@ -10,12 +10,13 @@ jobs:
      issues: write
      pull-requests: write
    steps:
-      - uses: actions/stale@v9.0.0
+      - uses: actions/stale@v10.1.1
        with:
          days-before-issue-stale: 7
          days-before-issue-close: 3
-          exempt-issue-labels: "enhancement,bug,javascript,docker"
+          exempt-issue-labels: "enhancement,bug,awaiting feedback"
          stale-issue-label: "stale"
+          close-issue-reason: "completed"
          stale-issue-message: "This issue has been marked as stale because it has been open for 7 days with no activity."
          close-issue-message: "This issue was closed because there has been no activity since being marked as stale."
          days-before-pr-stale: -1
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -38,7 +38,7 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -21,12 +21,12 @@ jobs:
          - goarch: arm
            goos: windows
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6

    # build the assets
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@v6
      with:
-        node-version: 18
+        node-version: 22
        cache: 'npm'
    - run: echo "Building assets for ${{ github.ref_name }}"
    - run: npm install
--- a/.github/workflows/tests-rqlite.yml
+++ b/.github/workflows/tests-rqlite.yml
@@ -0,0 +1,29 @@
+name: Tests (rqlite)
+on:
+  pull_request:
+    branches: [ develop, 'feature/**' ]
+  push:
+    branches: [ develop, 'feature/**' ]
+
+jobs:
+  test-rqlite:
+    runs-on: ubuntu-latest
+    services:
+      rqlite:
+        image: rqlite/rqlite:latest
+        ports:
+          - 4001:4001
+        env:
+          # the HTTP address the rqlite node should advertise
+          HTTP_ADV_ADDR: "localhost:4001"
+    steps:
+      - uses: actions/checkout@v6
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: 'stable'
+          cache-dependency-path: "**/*.sum"
+      - run: go test -p 1 ./internal/storage ./server ./internal/smtpd ./internal/pop3 ./internal/tools ./internal/html2text ./internal/htmlcheck ./internal/linkcheck -v
+        env:
+          # set Mailpit to use the rqlite service container
+          MP_DATABASE: "http://localhost:4001"
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -8,17 +8,17 @@ jobs:
  test:
    strategy:
      matrix:
-        go-version: [1.21.x]
+        go-version: [stable]
        os: [ubuntu-latest, windows-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@v6
      with:
        go-version: ${{ matrix.go-version }}
        cache: false
-    - uses: actions/checkout@v4
-    - name: Run Go tests
-      uses: actions/cache@v4
+    - uses: actions/checkout@v6
+    - name: Set up Go environment
+      uses: actions/cache@v5
      with:
        path: |
          ~/.cache/go-build
@@ -26,24 +26,36 @@ jobs:
        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
        restore-keys: |
          ${{ runner.os }}-go-
-    - run: go test -p 1 ./internal/storage ./server ./internal/tools ./internal/html2text -v
-    - run: go test -p 1 ./internal/storage ./internal/html2text -bench=.
+    - name: Test Go linting (gofmt)
+      if: startsWith(matrix.os, 'ubuntu') == true
+      # https://olegk.dev/github-actions-and-go
+      run: gofmt -s -w . && git diff --exit-code
+    - name: Run Go tests
+      run: go test -p 1 ./internal/storage ./server ./internal/smtpd ./internal/pop3 ./internal/tools ./internal/html2text ./internal/htmlcheck ./internal/linkcheck -v
+    - name: Run Go benchmarking
+      run: go test -p 1 ./internal/storage ./internal/html2text -bench=.
    
    # build the assets
-    - name: Build web UI
+    - name: Set up node environment
      if: startsWith(matrix.os, 'ubuntu') == true
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
      with:
-        node-version: 18
+        node-version: 22
        cache: 'npm'
-    - if: startsWith(matrix.os, 'ubuntu') == true
+    - name: Install JavaScript dependencies
+      if: startsWith(matrix.os, 'ubuntu') == true
      run: npm install
-    - if: startsWith(matrix.os, 'ubuntu') == true
+    - name: Run JavaScript linting
+      if: startsWith(matrix.os, 'ubuntu') == true
+      run: npm run lint
+    - name: Test JavaScript packaging
+      if: startsWith(matrix.os, 'ubuntu') == true
      run: npm run package

-    # validate the swagger file
-    - name: Validate OpenAPI definition
-      if: startsWith(matrix.os, 'ubuntu') == true
-      uses: char0n/swagger-editor-validate@v1
-      with:
-        definition-file: server/ui/api/v1/swagger.json
+    # # validate the swagger file
+    # - name: Validate OpenAPI definition
+    #   if: startsWith(matrix.os, 'ubuntu') == true
+    #   uses: swaggerexpert/swagger-editor-validate@v1
+    #   with:
+    #     definition-file: server/ui/api/v1/swagger.json
+    #     default-timeout: 20000
--- a/.prettierignore
+++ b/.prettierignore
@@ -0,0 +1,9 @@
+# Not within the scope of Prettier
+**/*.yml
+**/*.yaml
+**/*.json
+**/*.md
+**/*.css
+**/*.html
+**/*.scss
+composer.lock
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,40 @@
+{
+    "[vue]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[javascript]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "cSpell.words": [
+        "AUTHCRAMMD",
+        "AUTHLOGIN",
+        "AUTHPLAIN",
+        "bordercolor",
+        "CRAMMD",
+        "dateparse",
+        "EHLO",
+        "ESMTP",
+        "EXPN",
+        "gofmt",
+        "Healthz",
+        "HTTPIP",
+        "Inlines",
+        "jhillyerd",
+        "leporo",
+        "lithammer",
+        "livez",
+        "Mechs",
+        "navhtml",
+        "neostandard",
+        "nolint",
+        "popperjs",
+        "readyz",
+        "RSET",
+        "shortuuid",
+        "SMTPTLS",
+        "swaggerexpert",
+        "UITLS",
+        "VRFY",
+        "writef"
+    ]
+}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,22 @@
+# Contributing to Mailpit
+
+Thank you for your interest in contributing to Mailpit! 
+
+## Reporting issues and feature requests
+
+If you find a bug or have a feature request, please [open an issue](https://github.com/axllent/mailpit/issues) and provide as much detail as possible. Please **do not** report security issues here (see below).
+
+
+## Reporting security issues
+
+Please do not report security issues publicly in GitHub. Refer to [SECURITY document](https://github.com/axllent/mailpit/blob/develop/.github/SECURITY.md) for instructions and contact information.
+
+
+## Contributing code
+
+Please ensure your code is clean and well-commented, and [passes linting](https://mailpit.axllent.org/docs/development/code-linting/) before submitting a Pull Request. Contributions should enhance the functionality or usability of Mailpit, focusing on quality over quantity.
+
+Note that while assistance from AI tools is perfectly acceptable, **"[vibe coded](https://en.wikipedia.org/wiki/Vibe_coding)" pull requests will most likely not be accepted.**
+We value the unique insights and creativity that individual contributors bring to the project.
+
+Thank you for your understanding and for contributing to Mailpit!
--- a/8
+++ b/8
@@ -1,4 +1,4 @@
-FROM golang:alpine as builder
+FROM golang:alpine AS builder

 ARG VERSION=dev

@@ -6,7 +6,7 @@ COPY . /app

 WORKDIR /app

-RUN apk add --no-cache git npm && \
+RUN  apk upgrade && apk add git npm && \
 npm install && npm run package && \
 CGO_ENABLED=0 go build -ldflags "-s -w -X github.com/axllent/mailpit/config.Version=${VERSION}" -o /mailpit

@@ -21,10 +21,10 @@ LABEL org.opencontainers.image.title="Mailpit" \

 COPY --from=builder /mailpit /mailpit

-RUN apk add --no-cache tzdata
+RUN apk upgrade --no-cache && apk add --no-cache tzdata

 EXPOSE 1025/tcp 1110/tcp 8025/tcp

-HEALTHCHECK --interval=15s CMD /mailpit readyz
+HEALTHCHECK --interval=15s --start-period=10s --start-interval=1s CMD ["/mailpit", "readyz"]

 ENTRYPOINT ["/mailpit"]
--- a/README.md
+++ b/README.md
@@ -46,8 +46,10 @@ including image thumbnails), including optional [HTTPS](https://mailpit.axllent.
 - Mobile and tablet HTML preview toggle in desktop mode
 - [Message tagging](https://mailpit.axllent.org/docs/usage/tagging/) including manual tagging or automated tagging using filtering and "plus addressing"
 - [SMTP relaying](https://mailpit.axllent.org/docs/configuration/smtp-relay/) (message release) - relay messages via a different SMTP server including an optional allowlist of accepted recipients
+- [SMTP forwarding](https://mailpit.axllent.org/docs/configuration/smtp-forward/) - automatically forward messages via a different SMTP server to predefined email addresses
 - Fast message [storing & processing](https://mailpit.axllent.org/docs/configuration/email-storage/) - ingesting 100-200 emails per second over SMTP depending on CPU, network speed & email size,
 easily handling tens of thousands of emails, with automatic email pruning (by default keeping the most recent 500 emails)
+- [Chaos](https://mailpit.axllent.org/docs/integration/chaos/) feature to enable configurable SMTP errors to test application resilience
 - `List-Unsubscribe` syntax validation
 - Optional [webhook](https://mailpit.axllent.org/docs/integration/webhook/) for received messages

@@ -66,12 +68,18 @@ Mailpit runs as a single binary and can be installed in different ways:
 - **FreeBSD**: `pkg install mailpit`


-### Install via bash script (Linux & Mac)
+### Install via script (Linux & Mac)

 Linux & Mac users can install it directly to `/usr/local/bin/mailpit` with:

-```bash
-sudo bash < <(curl -sL https://raw.githubusercontent.com/axllent/mailpit/develop/install.sh)
+```shell
+sudo sh < <(curl -sL https://raw.githubusercontent.com/axllent/mailpit/develop/install.sh)
+```
+
+You can also change the install path to something else by setting the `INSTALL_PATH` environment, for example:
+
+```shell
+sudo INSTALL_PATH=/usr/bin sh < <(curl -sL https://raw.githubusercontent.com/axllent/mailpit/develop/install.sh)
 ```


@@ -107,3 +115,10 @@ Please refer to [the documentation](https://mailpit.axllent.org/docs/install/tes
 Mailpit's SMTP server (default on port 1025), so you will likely need to configure your sending application to deliver mail via that port. 
 A common MTA (Mail Transfer Agent) that delivers system emails to an SMTP server is `sendmail`, used by many applications, including PHP. 
 Mailpit can also act as substitute for sendmail. For instructions on how to set this up, please refer to the [sendmail documentation](https://mailpit.axllent.org/docs/install/sendmail/).
+
+---
+
+<p align="center">
+  For team features, multiple inboxes, and a hosted setup, try
+  <a href="https://mailtrap.io/?ref=mailpit">Mailtrap</a>, our friendly companion.
+</p>
--- a/cmd/dump.go
+++ b/cmd/dump.go
@@ -0,0 +1,36 @@
+package cmd
+
+import (
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/dump"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/spf13/cobra"
+)
+
+// dumpCmd represents the dump command
+var dumpCmd = &cobra.Command{
+	Use:   "dump <database> <output-dir>",
+	Short: "Dump all messages from a database to a directory",
+	Long: `Dump all messages stored in Mailpit into a local directory as individual files.
+
+The database can either be the database file (eg: --database /var/lib/mailpit/mailpit.db) or a
+URL of a running Mailpit instance (eg: --http http://127.0.0.1/). If dumping over HTTP, the URL
+should be the base URL of your running Mailpit instance, not the link to the API itself.`,
+	Args: cobra.ExactArgs(1),
+	Run: func(_ *cobra.Command, args []string) {
+		if err := dump.Sync(args[0]); err != nil {
+			logger.Log().Fatal(err)
+		}
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(dumpCmd)
+
+	dumpCmd.Flags().SortFlags = false
+
+	dumpCmd.Flags().StringVar(&config.Database, "database", config.Database, "Dump messages directly from a database file")
+	dumpCmd.Flags().StringVar(&config.TenantID, "tenant-id", config.TenantID, "Database tenant ID to isolate data (optional)")
+	dumpCmd.Flags().StringVar(&dump.URL, "http", dump.URL, "Dump messages via HTTP API (base URL of running Mailpit instance)")
+	dumpCmd.Flags().BoolVarP(&logger.VerboseLogging, "verbose", "v", logger.VerboseLogging, "Verbose logging")
+}
--- a/cmd/ingest.go
+++ b/cmd/ingest.go
@@ -2,9 +2,9 @@ package cmd

 import (
 	"bytes"
+	"fmt"
 	"io"
 	"net/mail"
-	"net/smtp"
 	"os"
 	"path/filepath"
 	"strings"
@@ -13,8 +13,6 @@ import (
 	"github.com/axllent/mailpit/internal/logger"
 	sendmail "github.com/axllent/mailpit/sendmail/cmd"
 	"github.com/spf13/cobra"
-	"golang.org/x/text/language"
-	"golang.org/x/text/message"
 )

 var (
@@ -32,11 +30,10 @@ Mailpit server. Each email must be a separate file (eg: Maildir format, not mbox
 The --recent flag will only consider files with a modification date within the last X days.`,
 	// Hidden: true,
 	Args: cobra.MinimumNArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(_ *cobra.Command, args []string) {
 		var count int
 		var total int
 		var per100start = time.Now()
-		p := message.NewPrinter(language.English)

 		for _, a := range args {
 			err := filepath.Walk(a,
@@ -58,7 +55,7 @@ The --recent flag will only consider files with a modification date within the l
 						logger.Log().Errorf("%s: %s", path, err.Error())
 						return nil
 					}
-					defer f.Close() // #nosec
+					defer func() { _ = f.Close() }()

 					body, err := io.ReadAll(f)
 					if err != nil {
@@ -108,7 +105,7 @@ The --recent flag will only consider files with a modification date within the l
 						}
 					}

-					err = smtp.SendMail(sendmail.SMTPAddr, nil, returnPath, recipients, body)
+					err = sendmail.Send(sendmail.SMTPAddr, returnPath, recipients, body)
 					if err != nil {
 						logger.Log().Errorf("error sending mail: %s (%s)", err.Error(), path)
 						return nil
@@ -117,8 +114,7 @@ The --recent flag will only consider files with a modification date within the l
 					count++
 					total++
 					if count%100 == 0 {
-						formatted := p.Sprintf("%d", total)
-						logger.Log().Infof("[%s] 100 messages in %s", formatted, time.Since(per100start))
+						logger.Log().Infof("[%s] 100 messages in %s", format(total), time.Since(per100start))

 						per100start = time.Now()
 					}
@@ -149,3 +145,29 @@ func isFile(path string) bool {

 	return true
 }
+
+// Format a an integer 10000 => 10,000
+func format(n int) string {
+	in := fmt.Sprintf("%d", n)
+	numOfDigits := len(in)
+	if n < 0 {
+		numOfDigits-- // First character is the - sign (not a digit)
+	}
+	numOfCommas := (numOfDigits - 1) / 3
+
+	out := make([]byte, len(in)+numOfCommas)
+	if n < 0 {
+		in, out[0] = in[1:], '-'
+	}
+
+	for i, j, k := len(in)-1, len(out)-1, 0; ; i, j = i-1, j-1 {
+		out[j] = in[i]
+		if i == 0 {
+			return string(out)
+		}
+		if k++; k == 3 {
+			j, k = j-1, 0
+			out[j] = ','
+		}
+	}
+}
--- a/cmd/readyz.go
+++ b/cmd/readyz.go
@@ -28,7 +28,7 @@ status 1 if unhealthy.
 If running within Docker, it should automatically detect environment
 settings to determine the HTTP bind interface & port.
 `,
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(_ *cobra.Command, _ []string) {
 		webroot := strings.TrimRight(path.Join("/", config.Webroot, "/"), "/") + "/"
 		proto := "http"
 		if useHTTPS {
--- a/cmd/reindex.go
+++ b/cmd/reindex.go
@@ -18,7 +18,7 @@ var reindexCmd = &cobra.Command{
 If you have several thousand messages in your mailbox, then it is advised to shut down
 Mailpit while you reindex as this process will likely result in database locking issues.`,
 	Args: cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(_ *cobra.Command, args []string) {
 		config.Database = args[0]
 		config.MaxMessages = 0

--- a/cmd/root.go
+++ b/cmd/root.go
@@ -9,10 +9,12 @@ import (
 	"github.com/axllent/mailpit/config"
 	"github.com/axllent/mailpit/internal/auth"
 	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/prometheus"
+	"github.com/axllent/mailpit/internal/smtpd"
+	"github.com/axllent/mailpit/internal/smtpd/chaos"
 	"github.com/axllent/mailpit/internal/storage"
 	"github.com/axllent/mailpit/internal/tools"
 	"github.com/axllent/mailpit/server"
-	"github.com/axllent/mailpit/server/smtpd"
 	"github.com/axllent/mailpit/server/webhook"
 	"github.com/spf13/cobra"
 )
@@ -38,6 +40,14 @@ Documentation:
 			os.Exit(1)
 		}

+		// Start Prometheus metrics if enabled
+		switch prometheus.GetMode() {
+		case "integrated":
+			prometheus.StartUpdater()
+		case "separate":
+			go prometheus.StartSeparateServer()
+		}
+
 		go server.Listen()

 		if err := smtpd.Listen(); err != nil {
@@ -57,14 +67,6 @@ func Execute() {
 	}
 }

-// SendmailExecute adds all child commands to the root command and sets flags appropriately.
-// This is called by main.main(). It only needs to happen once to the rootCmd.
-func SendmailExecute() {
-	args := []string{"mailpit", "sendmail"}
-
-	rootCmd.Run(sendmailCmd, args)
-}
-
 func init() {
 	// hide autocompletion
 	rootCmd.CompletionOptions.HiddenDefaultCmd = true
@@ -82,10 +84,15 @@ func init() {
 	initConfigFromEnv()

 	rootCmd.Flags().StringVarP(&config.Database, "database", "d", config.Database, "Database to store persistent data")
+	rootCmd.Flags().BoolVar(&config.DisableWAL, "disable-wal", config.DisableWAL, "Disable WAL for local database (allows NFS mounted DBs)")
+	rootCmd.Flags().BoolVar(&config.DisableVersionCheck, "disable-version-check", config.DisableVersionCheck, "Disable version update checking")
+	rootCmd.Flags().IntVar(&config.Compression, "compression", config.Compression, "Compression level to store raw messages (0-3)")
+	rootCmd.Flags().StringVar(&config.Label, "label", config.Label, "Optional label identify this Mailpit instance")
 	rootCmd.Flags().StringVar(&config.TenantID, "tenant-id", config.TenantID, "Database tenant ID to isolate data")
 	rootCmd.Flags().IntVarP(&config.MaxMessages, "max", "m", config.MaxMessages, "Max number of messages to store")
+	rootCmd.Flags().StringVar(&config.MaxAge, "max-age", config.MaxAge, "Max age of messages in either (h)ours or (d)ays (eg: 3d)")
 	rootCmd.Flags().BoolVar(&config.UseMessageDates, "use-message-dates", config.UseMessageDates, "Use message dates as the received dates")
-	rootCmd.Flags().BoolVar(&config.IgnoreDuplicateIDs, "ignore-duplicate-ids", config.IgnoreDuplicateIDs, "Ignore duplicate messages (by Message-Id)")
+	rootCmd.Flags().BoolVar(&config.IgnoreDuplicateIDs, "ignore-duplicate-ids", config.IgnoreDuplicateIDs, "Ignore duplicate messages (by Message-ID)")
 	rootCmd.Flags().StringVar(&logger.LogFile, "log-file", logger.LogFile, "Log output to file instead of stdout")
 	rootCmd.Flags().BoolVarP(&logger.QuietLogging, "quiet", "q", logger.QuietLogging, "Quiet logging (errors only)")
 	rootCmd.Flags().BoolVarP(&logger.VerboseLogging, "verbose", "v", logger.VerboseLogging, "Verbose logging")
@@ -96,10 +103,17 @@ func init() {
 	rootCmd.Flags().StringVar(&config.UIAuthFile, "ui-auth-file", config.UIAuthFile, "A password file for web UI & API authentication")
 	rootCmd.Flags().StringVar(&config.UITLSCert, "ui-tls-cert", config.UITLSCert, "TLS certificate for web UI (HTTPS) - requires ui-tls-key")
 	rootCmd.Flags().StringVar(&config.UITLSKey, "ui-tls-key", config.UITLSKey, "TLS key for web UI (HTTPS) - requires ui-tls-cert")
-	rootCmd.Flags().StringVar(&server.AccessControlAllowOrigin, "api-cors", server.AccessControlAllowOrigin, "Set API CORS Access-Control-Allow-Origin header")
+	rootCmd.Flags().StringVar(&server.AccessControlAllowOrigin, "api-cors", server.AccessControlAllowOrigin, "Set CORS origin(s) for the API, comma-separated (eg: example.com,foo.com)")
 	rootCmd.Flags().BoolVar(&config.BlockRemoteCSSAndFonts, "block-remote-css-and-fonts", config.BlockRemoteCSSAndFonts, "Block access to remote CSS & fonts")
+	rootCmd.Flags().BoolVar(&config.AllowInternalHTTPRequests, "allow-internal-http-requests", config.AllowInternalHTTPRequests, "Allow link-checker & screenshots to access internal IP addresses")
 	rootCmd.Flags().StringVar(&config.EnableSpamAssassin, "enable-spamassassin", config.EnableSpamAssassin, "Enable integration with SpamAssassin")
 	rootCmd.Flags().BoolVar(&config.AllowUntrustedTLS, "allow-untrusted-tls", config.AllowUntrustedTLS, "Do not verify HTTPS certificates (link checker & screenshots)")
+	rootCmd.Flags().BoolVar(&config.DisableHTTPCompression, "disable-http-compression", config.DisableHTTPCompression, "Disable HTTP compression support (web UI & API)")
+	rootCmd.Flags().BoolVar(&config.HideDeleteAllButton, "hide-delete-all-button", config.HideDeleteAllButton, "Hide the \"Delete all\" button in the web UI")
+
+	// Send API
+	rootCmd.Flags().StringVar(&config.SendAPIAuthFile, "send-api-auth-file", config.SendAPIAuthFile, "A password file for Send API authentication")
+	rootCmd.Flags().BoolVar(&config.SendAPIAuthAcceptAny, "send-api-auth-accept-any", config.SendAPIAuthAcceptAny, "Accept any username and password for the Send API endpoint, including none")

 	// SMTP server
 	rootCmd.Flags().StringVarP(&config.SMTPListen, "smtp", "s", config.SMTPListen, "SMTP bind interface and port")
@@ -113,6 +127,7 @@ func init() {
 	rootCmd.Flags().BoolVar(&config.SMTPStrictRFCHeaders, "smtp-strict-rfc-headers", config.SMTPStrictRFCHeaders, "Return SMTP error if message headers contain <CR><CR><LF>")
 	rootCmd.Flags().IntVar(&config.SMTPMaxRecipients, "smtp-max-recipients", config.SMTPMaxRecipients, "Maximum SMTP recipients allowed")
 	rootCmd.Flags().StringVar(&config.SMTPAllowedRecipients, "smtp-allowed-recipients", config.SMTPAllowedRecipients, "Only allow SMTP recipients matching a regular expression (default allow all)")
+	rootCmd.Flags().BoolVar(&config.SMTPIgnoreRejectedRecipients, "smtp-ignore-rejected-recipients", config.SMTPIgnoreRejectedRecipients, "Ignore rejected SMTP recipients with 2xx response")
 	rootCmd.Flags().BoolVar(&smtpd.DisableReverseDNS, "smtp-disable-rdns", smtpd.DisableReverseDNS, "Disable SMTP reverse DNS lookups")

 	// SMTP relay
@@ -120,6 +135,13 @@ func init() {
 	rootCmd.Flags().BoolVar(&config.SMTPRelayAll, "smtp-relay-all", config.SMTPRelayAll, "Auto-relay all new messages via external SMTP server (caution!)")
 	rootCmd.Flags().StringVar(&config.SMTPRelayMatching, "smtp-relay-matching", config.SMTPRelayMatching, "Auto-relay new messages to only matching recipients (regular expression)")

+	// SMTP forwarding
+	rootCmd.Flags().StringVar(&config.SMTPForwardConfigFile, "smtp-forward-config", config.SMTPForwardConfigFile, "SMTP forwarding configuration file for all messages")
+
+	// Chaos
+	rootCmd.Flags().BoolVar(&chaos.Enabled, "enable-chaos", chaos.Enabled, "Enable Chaos functionality (API / web UI)")
+	rootCmd.Flags().StringVar(&config.ChaosTriggers, "chaos-triggers", config.ChaosTriggers, "Enable Chaos & set the triggers for SMTP server")
+
 	// POP3 server
 	rootCmd.Flags().StringVar(&config.POP3Listen, "pop3", config.POP3Listen, "POP3 server bind interface and port")
 	rootCmd.Flags().StringVar(&config.POP3AuthFile, "pop3-auth-file", config.POP3AuthFile, "A password file for POP3 server authentication (enables POP3 server)")
@@ -130,10 +152,16 @@ func init() {
 	rootCmd.Flags().StringVarP(&config.CLITagsArg, "tag", "t", config.CLITagsArg, "Tag new messages matching filters")
 	rootCmd.Flags().StringVar(&config.TagsConfig, "tags-config", config.TagsConfig, "Load tags filters from yaml configuration file")
 	rootCmd.Flags().BoolVar(&tools.TagsTitleCase, "tags-title-case", tools.TagsTitleCase, "TitleCase new tags generated from plus-addresses and X-Tags")
+	rootCmd.Flags().StringVar(&config.TagsDisable, "tags-disable", config.TagsDisable, "Disable auto-tagging, comma separated (eg: plus-addresses,x-tags)")
+	rootCmd.Flags().BoolVar(&config.TagsUsername, "tags-username", config.TagsUsername, "Auto-tag messages with the authenticated username")
+
+	// Prometheus metrics
+	rootCmd.Flags().StringVar(&config.PrometheusListen, "enable-prometheus", config.PrometheusListen, "Enable Prometheus metrics: true|false|<ip:port> (eg:'0.0.0.0:9090')")

 	// Webhook
 	rootCmd.Flags().StringVar(&config.WebhookURL, "webhook-url", config.WebhookURL, "Send a webhook request for new messages")
 	rootCmd.Flags().IntVar(&webhook.RateLimit, "webhook-limit", webhook.RateLimit, "Limit webhook requests per second")
+	rootCmd.Flags().IntVar(&webhook.Delay, "webhook-delay", webhook.Delay, "Delay in seconds before sending webhook requests (default 0)")

 	// DEPRECATED FLAG 2024/04/12 - but will not be removed to maintain backwards compatibility
 	rootCmd.Flags().StringVar(&config.Database, "db-file", config.Database, "Database file to store persistent data")
@@ -170,11 +198,24 @@ func initConfigFromEnv() {
 		config.Database = os.Getenv("MP_DATABASE")
 	}

+	config.DisableWAL = getEnabledFromEnv("MP_DISABLE_WAL")
+
+	config.DisableVersionCheck = getEnabledFromEnv("MP_DISABLE_VERSION_CHECK")
+
+	if len(os.Getenv("MP_COMPRESSION")) > 0 {
+		config.Compression, _ = strconv.Atoi(os.Getenv("MP_COMPRESSION"))
+	}
+
 	config.TenantID = os.Getenv("MP_TENANT_ID")

+	config.Label = os.Getenv("MP_LABEL")
+
 	if len(os.Getenv("MP_MAX_MESSAGES")) > 0 {
 		config.MaxMessages, _ = strconv.Atoi(os.Getenv("MP_MAX_MESSAGES"))
 	}
+	if len(os.Getenv("MP_MAX_AGE")) > 0 {
+		config.MaxAge = os.Getenv("MP_MAX_AGE")
+	}
 	if getEnabledFromEnv("MP_USE_MESSAGE_DATES") {
 		config.UseMessageDates = true
 	}
@@ -200,7 +241,7 @@ func initConfigFromEnv() {
 	}
 	config.UIAuthFile = os.Getenv("MP_UI_AUTH_FILE")
 	if err := auth.SetUIAuth(os.Getenv("MP_UI_AUTH")); err != nil {
-		logger.Log().Errorf(err.Error())
+		logger.Log().Error(err.Error())
 	}
 	config.UITLSCert = os.Getenv("MP_UI_TLS_CERT")
 	config.UITLSKey = os.Getenv("MP_UI_TLS_KEY")
@@ -210,12 +251,30 @@ func initConfigFromEnv() {
 	if getEnabledFromEnv("MP_BLOCK_REMOTE_CSS_AND_FONTS") {
 		config.BlockRemoteCSSAndFonts = true
 	}
+	if getEnabledFromEnv("MP_ALLOW_INTERNAL_HTTP_REQUESTS") {
+		config.AllowInternalHTTPRequests = true
+	}
 	if len(os.Getenv("MP_ENABLE_SPAMASSASSIN")) > 0 {
 		config.EnableSpamAssassin = os.Getenv("MP_ENABLE_SPAMASSASSIN")
 	}
 	if getEnabledFromEnv("MP_ALLOW_UNTRUSTED_TLS") {
 		config.AllowUntrustedTLS = true
 	}
+	if getEnabledFromEnv("MP_DISABLE_HTTP_COMPRESSION") {
+		config.DisableHTTPCompression = true
+	}
+	if getEnabledFromEnv("MP_HIDE_DELETE_ALL_BUTTON") {
+		config.HideDeleteAllButton = true
+	}
+
+	// Send API
+	config.SendAPIAuthFile = os.Getenv("MP_SEND_API_AUTH_FILE")
+	if err := auth.SetSendAPIAuth(os.Getenv("MP_SEND_API_AUTH")); err != nil {
+		logger.Log().Error(err.Error())
+	}
+	if getEnabledFromEnv("MP_SEND_API_AUTH_ACCEPT_ANY") {
+		config.SendAPIAuthAcceptAny = true
+	}

 	// SMTP server
 	if len(os.Getenv("MP_SMTP_BIND_ADDR")) > 0 {
@@ -223,7 +282,7 @@ func initConfigFromEnv() {
 	}
 	config.SMTPAuthFile = os.Getenv("MP_SMTP_AUTH_FILE")
 	if err := auth.SetSMTPAuth(os.Getenv("MP_SMTP_AUTH")); err != nil {
-		logger.Log().Errorf(err.Error())
+		logger.Log().Error(err.Error())
 	}
 	if getEnabledFromEnv("MP_SMTP_AUTH_ACCEPT_ANY") {
 		config.SMTPAuthAcceptAny = true
@@ -248,6 +307,9 @@ func initConfigFromEnv() {
 	if len(os.Getenv("MP_SMTP_ALLOWED_RECIPIENTS")) > 0 {
 		config.SMTPAllowedRecipients = os.Getenv("MP_SMTP_ALLOWED_RECIPIENTS")
 	}
+	if getEnabledFromEnv("MP_SMTP_IGNORE_REJECTED_RECIPIENTS") {
+		config.SMTPIgnoreRejectedRecipients = true
+	}
 	if getEnabledFromEnv("MP_SMTP_DISABLE_RDNS") {
 		smtpd.DisableReverseDNS = true
 	}
@@ -264,13 +326,41 @@ func initConfigFromEnv() {
 		config.SMTPRelayConfig.Port, _ = strconv.Atoi(os.Getenv("MP_SMTP_RELAY_PORT"))
 	}
 	config.SMTPRelayConfig.STARTTLS = getEnabledFromEnv("MP_SMTP_RELAY_STARTTLS")
+	config.SMTPRelayConfig.TLS = getEnabledFromEnv("MP_SMTP_RELAY_TLS")
 	config.SMTPRelayConfig.AllowInsecure = getEnabledFromEnv("MP_SMTP_RELAY_ALLOW_INSECURE")
 	config.SMTPRelayConfig.Auth = os.Getenv("MP_SMTP_RELAY_AUTH")
 	config.SMTPRelayConfig.Username = os.Getenv("MP_SMTP_RELAY_USERNAME")
 	config.SMTPRelayConfig.Password = os.Getenv("MP_SMTP_RELAY_PASSWORD")
 	config.SMTPRelayConfig.Secret = os.Getenv("MP_SMTP_RELAY_SECRET")
 	config.SMTPRelayConfig.ReturnPath = os.Getenv("MP_SMTP_RELAY_RETURN_PATH")
+	config.SMTPRelayConfig.OverrideFrom = os.Getenv("MP_SMTP_RELAY_OVERRIDE_FROM")
 	config.SMTPRelayConfig.AllowedRecipients = os.Getenv("MP_SMTP_RELAY_ALLOWED_RECIPIENTS")
+	config.SMTPRelayConfig.BlockedRecipients = os.Getenv("MP_SMTP_RELAY_BLOCKED_RECIPIENTS")
+	config.SMTPRelayConfig.PreserveMessageIDs = getEnabledFromEnv("MP_SMTP_RELAY_PRESERVE_MESSAGE_IDS")
+	config.SMTPRelayConfig.ForwardSMTPErrors = getEnabledFromEnv("MP_SMTP_RELAY_FWD_SMTP_ERRORS")
+
+	// SMTP forwarding
+	config.SMTPForwardConfigFile = os.Getenv("MP_SMTP_FORWARD_CONFIG")
+	config.SMTPForwardConfig = config.SMTPForwardConfigStruct{}
+	config.SMTPForwardConfig.Host = os.Getenv("MP_SMTP_FORWARD_HOST")
+	if len(os.Getenv("MP_SMTP_FORWARD_PORT")) > 0 {
+		config.SMTPForwardConfig.Port, _ = strconv.Atoi(os.Getenv("MP_SMTP_FORWARD_PORT"))
+	}
+	config.SMTPForwardConfig.STARTTLS = getEnabledFromEnv("MP_SMTP_FORWARD_STARTTLS")
+	config.SMTPForwardConfig.TLS = getEnabledFromEnv("MP_SMTP_FORWARD_TLS")
+	config.SMTPForwardConfig.AllowInsecure = getEnabledFromEnv("MP_SMTP_FORWARD_ALLOW_INSECURE")
+	config.SMTPForwardConfig.Auth = os.Getenv("MP_SMTP_FORWARD_AUTH")
+	config.SMTPForwardConfig.Username = os.Getenv("MP_SMTP_FORWARD_USERNAME")
+	config.SMTPForwardConfig.Password = os.Getenv("MP_SMTP_FORWARD_PASSWORD")
+	config.SMTPForwardConfig.Secret = os.Getenv("MP_SMTP_FORWARD_SECRET")
+	config.SMTPForwardConfig.ReturnPath = os.Getenv("MP_SMTP_FORWARD_RETURN_PATH")
+	config.SMTPForwardConfig.OverrideFrom = os.Getenv("MP_SMTP_FORWARD_OVERRIDE_FROM")
+	config.SMTPForwardConfig.To = os.Getenv("MP_SMTP_FORWARD_TO")
+	config.SMTPForwardConfig.ForwardSMTPErrors = getEnabledFromEnv("MP_SMTP_FORWARD_FWD_SMTP_ERRORS")
+
+	// Chaos
+	chaos.Enabled = getEnabledFromEnv("MP_ENABLE_CHAOS")
+	config.ChaosTriggers = os.Getenv("MP_CHAOS_TRIGGERS")

 	// POP3 server
 	if len(os.Getenv("MP_POP3_BIND_ADDR")) > 0 {
@@ -278,7 +368,7 @@ func initConfigFromEnv() {
 	}
 	config.POP3AuthFile = os.Getenv("MP_POP3_AUTH_FILE")
 	if err := auth.SetPOP3Auth(os.Getenv("MP_POP3_AUTH")); err != nil {
-		logger.Log().Errorf(err.Error())
+		logger.Log().Error(err.Error())
 	}
 	config.POP3TLSCert = os.Getenv("MP_POP3_TLS_CERT")
 	config.POP3TLSKey = os.Getenv("MP_POP3_TLS_KEY")
@@ -287,6 +377,13 @@ func initConfigFromEnv() {
 	config.CLITagsArg = os.Getenv("MP_TAG")
 	config.TagsConfig = os.Getenv("MP_TAGS_CONFIG")
 	tools.TagsTitleCase = getEnabledFromEnv("MP_TAGS_TITLE_CASE")
+	config.TagsDisable = os.Getenv("MP_TAGS_DISABLE")
+	config.TagsUsername = getEnabledFromEnv("MP_TAGS_USERNAME")
+
+	// Prometheus metrics
+	if len(os.Getenv("MP_ENABLE_PROMETHEUS")) > 0 {
+		config.PrometheusListen = os.Getenv("MP_ENABLE_PROMETHEUS")
+	}

 	// Webhook
 	if len(os.Getenv("MP_WEBHOOK_URL")) > 0 {
@@ -295,15 +392,21 @@ func initConfigFromEnv() {
 	if len(os.Getenv("MP_WEBHOOK_LIMIT")) > 0 {
 		webhook.RateLimit, _ = strconv.Atoi(os.Getenv("MP_WEBHOOK_LIMIT"))
 	}
+	if len(os.Getenv("MP_WEBHOOK_DELAY")) > 0 {
+		webhook.Delay, _ = strconv.Atoi(os.Getenv("MP_WEBHOOK_DELAY"))
+	}
+
+	// Demo mode
+	config.DemoMode = getEnabledFromEnv("MP_DEMO_MODE")
 }

 // load deprecated settings from environment and warn
 func initDeprecatedConfigFromEnv() {
 	// deprecated 2024/04/12 - but will not be removed to maintain backwards compatibility
 	if len(os.Getenv("MP_DATA_FILE")) > 0 {
+		logger.Log().Warn("ENV MP_DATA_FILE has been deprecated, use MP_DATABASE")
 		config.Database = os.Getenv("MP_DATA_FILE")
 	}
-
 	// deprecated 2023/03/12
 	if len(os.Getenv("MP_UI_SSL_CERT")) > 0 {
 		logger.Log().Warn("ENV MP_UI_SSL_CERT has been deprecated, use MP_UI_TLS_CERT")
--- a/cmd/sendmail.go
+++ b/cmd/sendmail.go
@@ -12,13 +12,13 @@ var sendmailCmd = &cobra.Command{
 	Use:   "sendmail [flags] [recipients]",
 	Short: "A sendmail command replacement for Mailpit",
 	Run: func(_ *cobra.Command, _ []string) {
-
 		sendmail.Run()
 	},
 }

 func init() {
 	rootCmd.AddCommand(sendmailCmd)
+	var ignored string

 	// print out manual help screen
 	sendmailCmd.SetHelpTemplate(sendmail.HelpTemplate([]string{os.Args[0], "sendmail"}))
@@ -27,10 +27,13 @@ func init() {
 	// multi-letter single-dash variables (-bs)
 	sendmailCmd.Flags().StringVarP(&sendmail.FromAddr, "from", "f", sendmail.FromAddr, "SMTP sender")
 	sendmailCmd.Flags().StringVarP(&sendmail.SMTPAddr, "smtp-addr", "S", sendmail.SMTPAddr, "SMTP server address")
-	sendmailCmd.Flags().BoolVarP(&sendmail.UseB, "long-b", "b", false, "Handle SMTP commands on standard input (use as -bs)")
-	sendmailCmd.Flags().BoolVarP(&sendmail.UseS, "long-s", "s", false, "Handle SMTP commands on standard input (use as -bs)")
+	sendmailCmd.Flags().BoolVarP(&sendmail.UseB, "ignored-b", "b", false, "Handle SMTP commands on standard input (use as -bs)")
+	sendmailCmd.Flags().BoolVarP(&sendmail.UseS, "ignored-s", "s", false, "Handle SMTP commands on standard input (use as -bs)")
 	sendmailCmd.Flags().BoolP("verbose", "v", false, "Verbose mode (sends debug output to stderr)")
-	sendmailCmd.Flags().BoolP("long-i", "i", false, "Ignored")
-	sendmailCmd.Flags().BoolP("long-o", "o", false, "Ignored")
-	sendmailCmd.Flags().BoolP("long-t", "t", false, "Ignored")
+	sendmailCmd.Flags().BoolP("ignored-i", "i", false, "Ignored")
+	sendmailCmd.Flags().BoolP("ignored-o", "o", false, "Ignored")
+	sendmailCmd.Flags().BoolP("ignored-t", "t", false, "Ignored")
+	sendmailCmd.Flags().StringVarP(&ignored, "ignored-name", "F", "", "Ignored")
+	sendmailCmd.Flags().StringVarP(&ignored, "ignored-bits", "B", "", "Ignored")
+	sendmailCmd.Flags().StringVarP(&ignored, "ignored-errors", "e", "", "Ignored")
 }
--- a/cmd/version.go
+++ b/cmd/version.go
@@ -6,7 +6,6 @@ import (
 	"runtime"

 	"github.com/axllent/mailpit/config"
-	"github.com/axllent/mailpit/internal/updater"
 	"github.com/spf13/cobra"
 )

@@ -15,29 +14,44 @@ var versionCmd = &cobra.Command{
 	Use:   "version",
 	Short: "Display the current version & update information",
 	Long:  `Display the current version & update information (if available).`,
-	RunE: func(cmd *cobra.Command, args []string) error {
-
-		updater.AllowPrereleases = true
-
+	Run: func(cmd *cobra.Command, _ []string) {
 		update, _ := cmd.Flags().GetBool("update")
+		noReleaseCheck, _ := cmd.Flags().GetBool("no-release-check")

 		if update {
-			return updateApp()
+			// Update the application
+			rel, err := config.GHRUConfig.SelfUpdate()
+			if err != nil {
+				fmt.Printf("Error updating: %s\n", err)
+				os.Exit(1)
+			}
+
+			fmt.Printf("Updated %s to version %s\n", os.Args[0], rel.Tag)
+			os.Exit(0)
 		}

 		fmt.Printf("%s %s compiled with %s on %s/%s\n",
 			os.Args[0], config.Version, runtime.Version(), runtime.GOOS, runtime.GOARCH)

-		latest, _, _, err := updater.GithubLatest(config.Repo, config.RepoBinaryName)
-		if err == nil && updater.GreaterThan(latest, config.Version) {
+		if !noReleaseCheck {
+			release, err := config.GHRUConfig.Latest()
+			if err != nil {
+				fmt.Printf("Error checking for latest release: %s\n", err)
+				os.Exit(1)
+			}
+
+			// The latest version is the same version
+			if release.Tag == config.Version {
+				os.Exit(0)
+			}
+
+			// A newer release is available
 			fmt.Printf(
 				"\nUpdate available: %s\nRun `%s version -u` to update (requires read/write access to install directory).\n",
-				latest,
+				release.Tag,
 				os.Args[0],
 			)
 		}
-
-		return nil
 	},
 }

@@ -46,14 +60,6 @@ func init() {

 	versionCmd.Flags().
 		BoolP("update", "u", false, "update to latest version")
-}
-
-func updateApp() error {
-	rel, err := updater.GithubUpdate(config.Repo, config.RepoBinaryName, config.Version)
-	if err != nil {
-		return err
-	}
-
-	fmt.Printf("Updated %s to version %s\n", os.Args[0], rel)
-	return nil
+	versionCmd.Flags().
+		Bool("no-release-check", false, "do not check online for the latest release version")
 }
--- a/config/config.go
+++ b/config/config.go
@@ -5,20 +5,34 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"net/url"
 	"os"
 	"path"
 	"path/filepath"
 	"regexp"
 	"strings"

+	"github.com/axllent/ghru/v2"
 	"github.com/axllent/mailpit/internal/auth"
 	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/smtpd/chaos"
+	"github.com/axllent/mailpit/internal/snakeoil"
 	"github.com/axllent/mailpit/internal/spamassassin"
-	"gopkg.in/yaml.v3"
+	"github.com/axllent/mailpit/internal/tools"
 )

 var (
+	// Version is the Mailpit version, updated with every release
+	Version = "dev"
+
+	// GHRUConfig is the configuration for the GitHub Release Updater
+	// used to check for updates and self-update
+	GHRUConfig = ghru.Config{
+		Repo:           "axllent/mailpit",
+		ArchiveName:    "mailpit-{{.OS}}-{{.Arch}}",
+		BinaryName:     "mailpit",
+		CurrentVersion: Version,
+	}
+
 	// SMTPListen to listen on <interface>:<port>
 	SMTPListen = "[::]:1025"

@@ -28,13 +42,32 @@ var (
 	// Database for mail (optional)
 	Database string

+	// DisableWAL will disable Write-Ahead Logging in SQLite
+	// @see https://sqlite.org/wal.html
+	DisableWAL bool
+
+	// Compression is the compression level used to store raw messages in the database:
+	// 0 = off, 1 = fastest (default), 2 = standard, 3 = best compression
+	Compression = 1
+
 	// TenantID is an optional prefix to be applied to all database tables,
 	// allowing multiple isolated instances of Mailpit to share a database.
-	TenantID = ""
+	TenantID string
+
+	// Label to identify this Mailpit instance (optional).
+	// This gets applied to web UI, SMTP and optional POP3 server.
+	Label string

 	// MaxMessages is the maximum number of messages a mailbox can have (auto-pruned every minute)
 	MaxMessages = 500

+	// MaxAge is the maximum age of messages (auto-pruned every hour).
+	// Value can be either <int>h for hours or <int>d for days
+	MaxAge string
+
+	// MaxAgeInHours is the maximum age of messages in hours, set with parseMaxAge() using MaxAge value
+	MaxAgeInHours int
+
 	// UseMessageDates sets the Created date using the message date, not the delivered date
 	UseMessageDates bool

@@ -50,6 +83,15 @@ var (
 	// Webroot to define the base path for the UI and API
 	Webroot = "/"

+	// DisableHTTPCompression will explicitly disable HTTP compression in the web UI and API
+	DisableHTTPCompression bool
+
+	// SendAPIAuthFile for Send API authentication
+	SendAPIAuthFile string
+
+	// SendAPIAuthAcceptAny accepts any username/password for the send API endpoint, including none
+	SendAPIAuthAcceptAny bool
+
 	// SMTPTLSCert file
 	SMTPTLSCert string

@@ -85,11 +127,15 @@ var (
 	// BlockRemoteCSSAndFonts used to disable remote CSS & fonts
 	BlockRemoteCSSAndFonts = false

+	// AllowInternalHTTPRequests will allow HTTP requests to internal IP addresses (e.g., loopback, private, link-local, or multicast) when set to true.
+	// This policy applies to both link checking and screenshot generation (proxy) features and is disabled by default for security reasons.
+	AllowInternalHTTPRequests = false
+
 	// CLITagsArg is used to map the CLI args
 	CLITagsArg string

 	// ValidTagRegexp represents a valid tag
-	ValidTagRegexp = regexp.MustCompile(`^([a-zA-Z0-9\-\ \_\.]){1,}$`)
+	ValidTagRegexp = regexp.MustCompile(`^([a-zA-Z0-9\-\ \_\.@]){1,100}$`)

 	// TagsConfig is a yaml file to pre-load tags
 	TagsConfig string
@@ -97,22 +143,19 @@ var (
 	// TagFilters are used to apply tags to new mail
 	TagFilters []autoTag

-	// SMTPRelayConfigFile to parse a yaml file and store config of relay SMTP server
+	// TagsDisable accepts a comma-separated list of tag types to disable
+	// including x-tags & plus-addresses
+	TagsDisable string
+
+	// TagsUsername enables auto-tagging messages with the authenticated username
+	TagsUsername bool
+
+	// SMTPRelayConfigFile to parse a yaml file and store config of the relay SMTP server
 	SMTPRelayConfigFile string

-	// SMTPRelayConfig to parse a yaml file and store config of relay SMTP server
+	// SMTPRelayConfig to parse a yaml file and store config of the the relay SMTP server
 	SMTPRelayConfig SMTPRelayConfigStruct

-	// SMTPStrictRFCHeaders will return an error if the email headers contain <CR><CR><LF> (\r\r\n)
-	// @see https://github.com/axllent/mailpit/issues/87 & https://github.com/axllent/mailpit/issues/153
-	SMTPStrictRFCHeaders bool
-
-	// SMTPAllowedRecipients if set, will only accept recipients matching this regular expression
-	SMTPAllowedRecipients string
-
-	// SMTPAllowedRecipientsRegexp is the compiled version of SMTPAllowedRecipients
-	SMTPAllowedRecipientsRegexp *regexp.Regexp
-
 	// ReleaseEnabled is whether message releases are enabled, requires a valid SMTPRelayConfigFile
 	ReleaseEnabled = false

@@ -126,6 +169,25 @@ var (
 	// SMTPRelayMatchingRegexp is the compiled version of SMTPRelayMatching
 	SMTPRelayMatchingRegexp *regexp.Regexp

+	// SMTPForwardConfigFile to parse a yaml file and store config of the forwarding SMTP server
+	SMTPForwardConfigFile string
+
+	// SMTPForwardConfig to parse a yaml file and store config of the forwarding SMTP server
+	SMTPForwardConfig SMTPForwardConfigStruct
+
+	// SMTPStrictRFCHeaders will return an error if the email headers contain <CR><CR><LF> (\r\r\n)
+	// @see https://github.com/axllent/mailpit/issues/87 & https://github.com/axllent/mailpit/issues/153
+	SMTPStrictRFCHeaders bool
+
+	// SMTPAllowedRecipients if set, will only accept recipients matching this regular expression
+	SMTPAllowedRecipients string
+
+	// SMTPAllowedRecipientsRegexp is the compiled version of SMTPAllowedRecipients
+	SMTPAllowedRecipientsRegexp *regexp.Regexp
+
+	// SMTPIgnoreRejectedRecipients if true, will accept emails to rejected recipients with 2xx response but silently drop them
+	SMTPIgnoreRejectedRecipients bool
+
 	// POP3Listen address - if set then Mailpit will start the POP3 server and listen on this address
 	POP3Listen = "[::]:1110"

@@ -141,6 +203,9 @@ var (
 	// EnableSpamAssassin must be either <host>:<port> or "postmark"
 	EnableSpamAssassin string

+	// HideDeleteAllButton hides the delete all button in the web UI
+	HideDeleteAllButton bool
+
 	// WebhookURL for calling
 	WebhookURL string

@@ -150,17 +215,21 @@ var (
 	// AllowUntrustedTLS allows untrusted HTTPS connections link checking & screenshot generation
 	AllowUntrustedTLS bool

-	// Version is the default application version, updated on release
-	Version = "dev"
+	// PrometheusListen address for Prometheus metrics server
+	// Empty = disabled, true= use existing web server, address = separate server
+	PrometheusListen string

-	// Repo on Github for updater
-	Repo = "axllent/mailpit"
-
-	// RepoBinaryName on Github for updater
-	RepoBinaryName = "mailpit"
+	// ChaosTriggers are parsed and set in the chaos module
+	ChaosTriggers string

 	// DisableHTMLCheck DEPRECATED 2024/04/13 - kept here to display console warning only
 	DisableHTMLCheck = false
+
+	// DisableVersionCheck disables version checking
+	DisableVersionCheck bool
+
+	// DemoMode disables SMTP relay, link checking & HTTP send functionality
+	DemoMode = false
 )

 // AutoTag struct for auto-tagging
@@ -171,21 +240,45 @@ type autoTag struct {

 // SMTPRelayConfigStruct struct for parsing yaml & storing variables
 type SMTPRelayConfigStruct struct {
-	Host                    string         `yaml:"host"`
-	Port                    int            `yaml:"port"`
-	STARTTLS                bool           `yaml:"starttls"`
-	AllowInsecure           bool           `yaml:"allow-insecure"`
+	Host                    string         `yaml:"host"`               // SMTP host
+	Port                    int            `yaml:"port"`               // SMTP port
+	STARTTLS                bool           `yaml:"starttls"`           // whether to use STARTTLS
+	TLS                     bool           `yaml:"tls"`                // whether to use TLS
+	AllowInsecure           bool           `yaml:"allow-insecure"`     // allow insecure authentication, ignore TLS validation
 	Auth                    string         `yaml:"auth"`               // none, plain, login, cram-md5
 	Username                string         `yaml:"username"`           // plain & cram-md5
 	Password                string         `yaml:"password"`           // plain
 	Secret                  string         `yaml:"secret"`             // cram-md5
 	ReturnPath              string         `yaml:"return-path"`        // allow overriding the bounce address
+	OverrideFrom            string         `yaml:"override-from"`      // allow overriding of the from address
 	AllowedRecipients       string         `yaml:"allowed-recipients"` // regex, if set needs to match for mails to be relayed
 	AllowedRecipientsRegexp *regexp.Regexp // compiled regexp using AllowedRecipients
+	BlockedRecipients       string         `yaml:"blocked-recipients"` // regex, if set prevents relating to these addresses
+	BlockedRecipientsRegexp *regexp.Regexp // compiled regexp using BlockedRecipients
+	PreserveMessageIDs      bool           `yaml:"preserve-message-ids"` // preserve the original Message-ID when relaying
+	ForwardSMTPErrors       bool           `yaml:"forward-smtp-errors"`  // whether to log smtp-errors or forward them to upstream-client
+
 	// DEPRECATED 2024/03/12
 	RecipientAllowlist string `yaml:"recipient-allowlist"`
 }

+// SMTPForwardConfigStruct struct for parsing yaml & storing variables
+type SMTPForwardConfigStruct struct {
+	To                string `yaml:"to"`                  // comma-separated list of email addresses
+	Host              string `yaml:"host"`                // SMTP host
+	Port              int    `yaml:"port"`                // SMTP port
+	STARTTLS          bool   `yaml:"starttls"`            // whether to use STARTTLS
+	TLS               bool   `yaml:"tls"`                 // whether to use TLS
+	AllowInsecure     bool   `yaml:"allow-insecure"`      // allow insecure authentication, ignore TLS validation
+	Auth              string `yaml:"auth"`                // none, plain, login, cram-md5
+	Username          string `yaml:"username"`            // plain & cram-md5
+	Password          string `yaml:"password"`            // plain
+	Secret            string `yaml:"secret"`              // cram-md5
+	ReturnPath        string `yaml:"return-path"`         // allow overriding the bounce address
+	OverrideFrom      string `yaml:"override-from"`       // allow overriding of the from address
+	ForwardSMTPErrors bool   `yaml:"forward-smtp-errors"` // whether to log smtp-errors or forward them to upstream-client
+}
+
 // VerifyConfig wil do some basic checking
 func VerifyConfig() error {
 	cssFontRestriction := "*"
@@ -193,7 +286,11 @@ func VerifyConfig() error {
 		cssFontRestriction = "'self'"
 	}

-	ContentSecurityPolicy = fmt.Sprintf("default-src 'self'; script-src 'self'; style-src %s 'unsafe-inline'; frame-src 'self'; img-src * data: blob:; font-src %s data:; media-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self';",
+	// The default Content Security Policy is updates on every application page load to replace script-src 'self'
+	// with a random nonce ID to prevent XSS. This applies to the Mailpit app & API.
+	// See server.middleWareFunc()
+	ContentSecurityPolicy = fmt.Sprintf(
+		"default-src 'self'; script-src 'self'; style-src %s 'unsafe-inline'; frame-src 'self'; img-src * data: blob:; font-src %s data:; media-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self';",
 		cssFontRestriction, cssFontRestriction,
 	)

@@ -201,24 +298,30 @@ func VerifyConfig() error {
 		Database = filepath.Join(Database, "mailpit.db")
 	}

-	TenantID = strings.TrimSpace(TenantID)
+	if Compression < 0 || Compression > 3 {
+		return errors.New("[db] compression level must be between 0 and 3")
+	}
+
+	Label = tools.Normalize(Label)
+
+	if err := parseMaxAge(); err != nil {
+		return err
+	}
+
+	TenantID = DBTenantID(TenantID)
 	if TenantID != "" {
 		logger.Log().Infof("[db] using tenant \"%s\"", TenantID)
-		re := regexp.MustCompile(`[^a-zA-Z0-9\_]`)
-		TenantID = re.ReplaceAllString(TenantID, "_")
-		if !strings.HasSuffix(TenantID, "_") {
-			TenantID = TenantID + "_"
-		}
 	}

 	re := regexp.MustCompile(`.*:\d+$`)
-	if !re.MatchString(SMTPListen) {
+	if _, _, isSocket := tools.UnixSocket(SMTPListen); !isSocket && !re.MatchString(SMTPListen) {
 		return errors.New("[smtp] bind should be in the format of <ip>:<port>")
 	}
-	if !re.MatchString(HTTPListen) {
+	if _, _, isSocket := tools.UnixSocket(HTTPListen); !isSocket && !re.MatchString(HTTPListen) {
 		return errors.New("[ui] HTTP bind should be in the format of <ip>:<port>")
 	}

+	// Web UI & API
 	if UIAuthFile != "" {
 		UIAuthFile = filepath.Clean(UIAuthFile)

@@ -241,8 +344,19 @@ func VerifyConfig() error {
 	}

 	if UITLSCert != "" {
-		UITLSCert = filepath.Clean(UITLSCert)
-		UITLSKey = filepath.Clean(UITLSKey)
+		if strings.HasPrefix(UITLSCert, "sans:") {
+			// generate a self-signed certificate
+			UITLSCert = snakeoil.Public(UITLSCert)
+		} else {
+			UITLSCert = filepath.Clean(UITLSCert)
+		}
+
+		if strings.HasPrefix(UITLSKey, "sans:") {
+			// generate a self-signed key
+			UITLSKey = snakeoil.Private(UITLSKey)
+		} else {
+			UITLSKey = filepath.Clean(UITLSKey)
+		}

 		if !isFile(UITLSCert) {
 			return fmt.Errorf("[ui] TLS certificate not found or readable: %s", UITLSCert)
@@ -253,13 +367,67 @@ func VerifyConfig() error {
 		}
 	}

+	// Send API
+	if SendAPIAuthFile != "" {
+		SendAPIAuthFile = filepath.Clean(SendAPIAuthFile)
+
+		if !isFile(SendAPIAuthFile) {
+			return fmt.Errorf("[send-api] password file not found or readable: %s", SendAPIAuthFile)
+		}
+
+		b, err := os.ReadFile(SendAPIAuthFile)
+		if err != nil {
+			return err
+		}
+
+		if err := auth.SetSendAPIAuth(string(b)); err != nil {
+			return err
+		}
+
+		logger.Log().Info("[send-api] enabling basic authentication")
+	}
+
+	if auth.SendAPICredentials != nil && SendAPIAuthAcceptAny {
+		return errors.New("[send-api] authentication cannot use both credentials and --send-api-auth-accept-any")
+	}
+
+	if SendAPIAuthAcceptAny && auth.UICredentials != nil {
+		logger.Log().Info("[send-api] disabling authentication")
+	}
+
+	// Prometheus configuration validation
+	if PrometheusListen != "" {
+		mode := strings.ToLower(strings.TrimSpace(PrometheusListen))
+		if mode != "true" && mode != "false" {
+			// Validate as address for separate server mode
+			_, err := net.ResolveTCPAddr("tcp", PrometheusListen)
+			if err != nil {
+				return fmt.Errorf("[prometheus] %s", err.Error())
+			}
+		} else if mode == "true" {
+			logger.Log().Info("[prometheus] enabling metrics")
+		}
+	}
+
+	// SMTP server
 	if SMTPTLSCert != "" && SMTPTLSKey == "" || SMTPTLSCert == "" && SMTPTLSKey != "" {
-		return errors.New("[smtp] You must provide both an SMTP TLS certificate and a key")
+		return errors.New("[smtp] you must provide both an SMTP TLS certificate and a key")
 	}

 	if SMTPTLSCert != "" {
-		SMTPTLSCert = filepath.Clean(SMTPTLSCert)
-		SMTPTLSKey = filepath.Clean(SMTPTLSKey)
+		if strings.HasPrefix(SMTPTLSCert, "sans:") {
+			// generate a self-signed certificate
+			SMTPTLSCert = snakeoil.Public(SMTPTLSCert)
+		} else {
+			SMTPTLSCert = filepath.Clean(SMTPTLSCert)
+		}
+
+		if strings.HasPrefix(SMTPTLSKey, "sans:") {
+			// generate a self-signed key
+			SMTPTLSKey = snakeoil.Private(SMTPTLSKey)
+		} else {
+			SMTPTLSKey = filepath.Clean(SMTPTLSKey)
+		}

 		if !isFile(SMTPTLSCert) {
 			return fmt.Errorf("[smtp] TLS certificate not found or readable: %s", SMTPTLSCert)
@@ -317,10 +485,28 @@ func VerifyConfig() error {
 		return errors.New("[smtp] authentication requires STARTTLS or TLS encryption, run with `--smtp-auth-allow-insecure` to allow insecure authentication")
 	}

+	if err := parseChaosTriggers(); err != nil {
+		return fmt.Errorf("[chaos] %s", err.Error())
+	}
+
+	if chaos.Enabled {
+		logger.Log().Info("[chaos] is enabled")
+	}
+
 	// POP3 server
 	if POP3TLSCert != "" {
-		POP3TLSCert = filepath.Clean(POP3TLSCert)
-		POP3TLSKey = filepath.Clean(POP3TLSKey)
+		if strings.HasPrefix(POP3TLSCert, "sans:") {
+			// generate a self-signed certificate
+			POP3TLSCert = snakeoil.Public(POP3TLSCert)
+		} else {
+			POP3TLSCert = filepath.Clean(POP3TLSCert)
+		}
+		if strings.HasPrefix(POP3TLSKey, "sans:") {
+			// generate a self-signed key
+			POP3TLSKey = snakeoil.Private(POP3TLSKey)
+		} else {
+			POP3TLSKey = filepath.Clean(POP3TLSKey)
+		}

 		if !isFile(POP3TLSCert) {
 			return fmt.Errorf("[pop3] TLS certificate not found or readable: %s", POP3TLSCert)
@@ -331,7 +517,7 @@ func VerifyConfig() error {
 		}
 	}
 	if POP3TLSCert != "" && POP3TLSKey == "" || POP3TLSCert == "" && POP3TLSKey != "" {
-		return errors.New("[pop3] You must provide both a POP3 TLS certificate and a key")
+		return errors.New("[pop3] you must provide both a POP3 TLS certificate and a key")
 	}
 	if POP3Listen != "" {
 		_, err := net.ResolveTCPAddr("tcp", POP3Listen)
@@ -383,7 +569,7 @@ func VerifyConfig() error {
 		}
 	}

-	// load tag filters
+	// load tag filters & options
 	TagFilters = []autoTag{}
 	if err := loadTagsFromArgs(CLITagsArg); err != nil {
 		return err
@@ -391,6 +577,9 @@ func VerifyConfig() error {
 	if err := loadTagsFromConfig(TagsConfig); err != nil {
 		return err
 	}
+	if err := parseTagsDisable(TagsDisable); err != nil {
+		return err
+	}

 	if SMTPAllowedRecipients != "" {
 		restrictRegexp, err := regexp.Compile(SMTPAllowedRecipients)
@@ -402,6 +591,14 @@ func VerifyConfig() error {
 		logger.Log().Infof("[smtp] only allowing recipients matching regexp: %s", SMTPAllowedRecipients)
 	}

+	if SMTPIgnoreRejectedRecipients {
+		if SMTPAllowedRecipientsRegexp == nil {
+			logger.Log().Warn("[smtp] ignoring rejected recipients has no effect without setting smtp-allowed-recipients")
+		} else {
+			logger.Log().Info("[smtp] ignoring rejected recipients")
+		}
+	}
+
 	if err := parseRelayConfig(SMTPRelayConfigFile); err != nil {
 		return err
 	}
@@ -419,14 +616,16 @@ func VerifyConfig() error {
 		if SMTPRelayAll {
 			logger.Log().Warnf("[relay] ignoring smtp-relay-matching when smtp-relay-all is enabled")
 		} else {
-			restrictRegexp, err := regexp.Compile(SMTPRelayMatching)
+			re, err := regexp.Compile(SMTPRelayMatching)
 			if err != nil {
 				return fmt.Errorf("[relay] failed to compile smtp-relay-matching regexp: %s", err.Error())
 			}

-			SMTPRelayMatchingRegexp = restrictRegexp
-			logger.Log().Infof("[relay] auto-relaying new messages to recipients matching \"%s\" via %s:%d",
-				SMTPRelayMatching, SMTPRelayConfig.Host, SMTPRelayConfig.Port)
+			SMTPRelayMatchingRegexp = re
+			logger.Log().Infof(
+				"[relay] auto-relaying new messages to recipients matching \"%s\" via %s:%d",
+				SMTPRelayMatching, SMTPRelayConfig.Host, SMTPRelayConfig.Port,
+			)
 		}
 	}

@@ -435,117 +634,20 @@ func VerifyConfig() error {
 		logger.Log().Warnf("[relay] auto-relaying all new messages via %s:%d", SMTPRelayConfig.Host, SMTPRelayConfig.Port)
 	}

-	return nil
-}
-
-// Parse the SMTPRelayConfigFile (if set)
-func parseRelayConfig(c string) error {
-	if c == "" {
-		return nil
-	}
-
-	c = filepath.Clean(c)
-
-	if !isFile(c) {
-		return fmt.Errorf("[smtp] relay configuration not found or readable: %s", c)
-	}
-
-	data, err := os.ReadFile(c)
-	if err != nil {
+	if err := parseForwardConfig(SMTPForwardConfigFile); err != nil {
 		return err
 	}

-	if err := yaml.Unmarshal(data, &SMTPRelayConfig); err != nil {
+	// separate forwarding config validation to account for environment variables
+	if err := validateForwardConfig(); err != nil {
 		return err
 	}

-	if SMTPRelayConfig.Host == "" {
-		return errors.New("[smtp] relay host not set")
-	}
-
-	// DEPRECATED 2024/03/12
-	if SMTPRelayConfig.RecipientAllowlist != "" {
-		logger.Log().Warn("[smtp] relay 'recipient-allowlist' is deprecated, use 'allowed-recipients' instead")
-		if SMTPRelayConfig.AllowedRecipients == "" {
-			SMTPRelayConfig.AllowedRecipients = SMTPRelayConfig.RecipientAllowlist
-		}
+	if DemoMode {
+		MaxMessages = 1000
+		// this deserves a warning
+		logger.Log().Info("demo mode enabled")
 	}

 	return nil
 }
-
-// Validate the SMTPRelayConfig (if Host is set)
-func validateRelayConfig() error {
-	if SMTPRelayConfig.Host == "" {
-		return nil
-	}
-
-	if SMTPRelayConfig.Port == 0 {
-		SMTPRelayConfig.Port = 25 // default
-	}
-
-	SMTPRelayConfig.Auth = strings.ToLower(SMTPRelayConfig.Auth)
-
-	if SMTPRelayConfig.Auth == "" || SMTPRelayConfig.Auth == "none" || SMTPRelayConfig.Auth == "false" {
-		SMTPRelayConfig.Auth = "none"
-	} else if SMTPRelayConfig.Auth == "plain" {
-		if SMTPRelayConfig.Username == "" || SMTPRelayConfig.Password == "" {
-			return fmt.Errorf("[smtp] relay host username or password not set for PLAIN authentication")
-		}
-	} else if SMTPRelayConfig.Auth == "login" {
-		SMTPRelayConfig.Auth = "login"
-		if SMTPRelayConfig.Username == "" || SMTPRelayConfig.Password == "" {
-			return fmt.Errorf("[smtp] relay host username or password not set for LOGIN authentication")
-		}
-	} else if strings.HasPrefix(SMTPRelayConfig.Auth, "cram") {
-		SMTPRelayConfig.Auth = "cram-md5"
-		if SMTPRelayConfig.Username == "" || SMTPRelayConfig.Secret == "" {
-			return fmt.Errorf("[smtp] relay host username or secret not set for CRAM-MD5 authentication")
-		}
-	} else {
-		return fmt.Errorf("[smtp] relay authentication method not supported: %s", SMTPRelayConfig.Auth)
-	}
-
-	ReleaseEnabled = true
-
-	logger.Log().Infof("[smtp] enabling message relaying via %s:%d", SMTPRelayConfig.Host, SMTPRelayConfig.Port)
-
-	if SMTPRelayConfig.AllowedRecipients != "" {
-		allowlistRegexp, err := regexp.Compile(SMTPRelayConfig.AllowedRecipients)
-		if err != nil {
-			return fmt.Errorf("[smtp] failed to compile relay recipient allowlist regexp: %s", err.Error())
-		}
-
-		SMTPRelayConfig.AllowedRecipientsRegexp = allowlistRegexp
-		logger.Log().Infof("[smtp] relay recipient allowlist is active with the following regexp: %s", SMTPRelayConfig.AllowedRecipients)
-
-	}
-
-	return nil
-}
-
-// IsFile returns whether a file exists and is readable
-func isFile(path string) bool {
-	f, err := os.Open(filepath.Clean(path))
-	defer f.Close()
-	return err == nil
-}
-
-// IsDir returns whether a path is a directory
-func isDir(path string) bool {
-	info, err := os.Stat(path)
-	if err != nil || os.IsNotExist(err) || !info.IsDir() {
-		return false
-	}
-
-	return true
-}
-
-func isValidURL(s string) bool {
-	u, err := url.ParseRequestURI(s)
-	if err != nil {
-		return false
-	}
-
-	return strings.HasPrefix(u.Scheme, "http")
-}
--- a/config/tags.go
+++ b/config/tags.go
@@ -8,7 +8,15 @@ import (

 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/tools"
-	"gopkg.in/yaml.v3"
+	"github.com/goccy/go-yaml"
+)
+
+var (
+	// TagsDisablePlus disables message tagging using plus-addresses (user+tag@example.com) - set via verifyConfig()
+	TagsDisablePlus bool
+
+	// TagsDisableXTags disables message tagging via the X-Tags header - set via verifyConfig()
+	TagsDisableXTags bool
 )

 type yamlTags struct {
@@ -79,3 +87,25 @@ func loadTagsFromArgs(c string) error {

 	return nil
 }
+
+func parseTagsDisable(s string) error {
+	s = strings.TrimSpace(s)
+	if s == "" {
+		return nil
+	}
+
+	parts := strings.Split(strings.ToLower(s), ",")
+
+	for _, p := range parts {
+		switch strings.TrimSpace(p) {
+		case "x-tags", "xtags":
+			TagsDisableXTags = true
+		case "plus-addresses", "plus-addressing":
+			TagsDisablePlus = true
+		default:
+			return fmt.Errorf("[tags] invalid --tags-disable option: %s", p)
+		}
+	}
+
+	return nil
+}
--- a/config/utils.go
+++ b/config/utils.go
@@ -0,0 +1,51 @@
+package config
+
+import (
+	"net/url"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/axllent/mailpit/internal/tools"
+)
+
+// IsFile returns whether a file exists and is readable
+func isFile(path string) bool {
+	f, err := os.Open(filepath.Clean(path))
+	defer func() { _ = f.Close() }()
+	return err == nil
+}
+
+// IsDir returns whether a path is a directory
+func isDir(path string) bool {
+	info, err := os.Stat(path)
+	if err != nil || os.IsNotExist(err) || !info.IsDir() {
+		return false
+	}
+
+	return true
+}
+
+func isValidURL(s string) bool {
+	u, err := url.ParseRequestURI(s)
+	if err != nil {
+		return false
+	}
+
+	return strings.HasPrefix(u.Scheme, "http")
+}
+
+// DBTenantID converts a tenant ID to a DB-friendly value if set
+func DBTenantID(s string) string {
+	s = tools.Normalize(s)
+	if s != "" {
+		re := regexp.MustCompile(`[^a-zA-Z0-9\_]`)
+		s = re.ReplaceAllString(s, "_")
+		if !strings.HasSuffix(s, "_") {
+			s = s + "_"
+		}
+	}
+
+	return s
+}
--- a/config/validators.go
+++ b/config/validators.go
@@ -0,0 +1,290 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+	"net/mail"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/smtpd/chaos"
+	"github.com/goccy/go-yaml"
+)
+
+// Parse the --max-age value (if set)
+func parseMaxAge() error {
+	if MaxAge == "" {
+		return nil
+	}
+
+	re := regexp.MustCompile(`^\d+(h|d)$`)
+	if !re.MatchString(MaxAge) {
+		return fmt.Errorf("max-age must be either <int>h for hours or <int>d for days: %s", MaxAge)
+	}
+
+	if strings.HasSuffix(MaxAge, "h") {
+		hours, err := strconv.Atoi(strings.TrimSuffix(MaxAge, "h"))
+		if err != nil {
+			return err
+		}
+
+		MaxAgeInHours = hours
+
+		return nil
+	}
+
+	days, err := strconv.Atoi(strings.TrimSuffix(MaxAge, "d"))
+	if err != nil {
+		return err
+	}
+
+	logger.Log().Debugf("[db] auto-deleting messages older than %s", MaxAge)
+
+	MaxAgeInHours = days * 24
+	return nil
+}
+
+// Parse the SMTPRelayConfigFile (if set)
+func parseRelayConfig(c string) error {
+	if c == "" {
+		return nil
+	}
+
+	c = filepath.Clean(c)
+
+	if !isFile(c) {
+		return fmt.Errorf("[relay] configuration not found or readable: %s", c)
+	}
+
+	data, err := os.ReadFile(c)
+	if err != nil {
+		return err
+	}
+
+	if err := yaml.Unmarshal(data, &SMTPRelayConfig); err != nil {
+		return err
+	}
+
+	if SMTPRelayConfig.Host == "" {
+		return errors.New("[relay] host not set")
+	}
+
+	// DEPRECATED 2024/03/12
+	if SMTPRelayConfig.RecipientAllowlist != "" {
+		logger.Log().Warn("[relay] 'recipient-allowlist' is deprecated, use 'allowed-recipients' instead")
+		if SMTPRelayConfig.AllowedRecipients == "" {
+			SMTPRelayConfig.AllowedRecipients = SMTPRelayConfig.RecipientAllowlist
+		}
+	}
+
+	return nil
+}
+
+// Validate the SMTPRelayConfig (if Host is set)
+func validateRelayConfig() error {
+	if SMTPRelayConfig.Host == "" {
+		return nil
+	}
+
+	if SMTPRelayConfig.Port == 0 {
+		SMTPRelayConfig.Port = 25 // default
+	}
+
+	SMTPRelayConfig.Auth = strings.ToLower(SMTPRelayConfig.Auth)
+
+	if SMTPRelayConfig.Auth == "" || SMTPRelayConfig.Auth == "none" || SMTPRelayConfig.Auth == "false" {
+		SMTPRelayConfig.Auth = "none"
+	} else if SMTPRelayConfig.Auth == "plain" {
+		if SMTPRelayConfig.Username == "" || SMTPRelayConfig.Password == "" {
+			return fmt.Errorf("[relay] host username or password not set for PLAIN authentication")
+		}
+	} else if SMTPRelayConfig.Auth == "login" {
+		SMTPRelayConfig.Auth = "login"
+		if SMTPRelayConfig.Username == "" || SMTPRelayConfig.Password == "" {
+			return fmt.Errorf("[relay] host username or password not set for LOGIN authentication")
+		}
+	} else if strings.HasPrefix(SMTPRelayConfig.Auth, "cram") {
+		SMTPRelayConfig.Auth = "cram-md5"
+		if SMTPRelayConfig.Username == "" || SMTPRelayConfig.Secret == "" {
+			return fmt.Errorf("[relay] host username or secret not set for CRAM-MD5 authentication")
+		}
+	} else {
+		return fmt.Errorf("[relay] authentication method not supported: %s", SMTPRelayConfig.Auth)
+	}
+
+	if SMTPRelayConfig.AllowedRecipients != "" {
+		re, err := regexp.Compile(SMTPRelayConfig.AllowedRecipients)
+		if err != nil {
+			return fmt.Errorf("[relay] failed to compile recipient allowlist regexp: %s", err.Error())
+		}
+
+		SMTPRelayConfig.AllowedRecipientsRegexp = re
+		logger.Log().Infof("[relay] recipient allowlist is active with the following regexp: %s", SMTPRelayConfig.AllowedRecipients)
+	}
+
+	if SMTPRelayConfig.BlockedRecipients != "" {
+		re, err := regexp.Compile(SMTPRelayConfig.BlockedRecipients)
+		if err != nil {
+			return fmt.Errorf("[relay] failed to compile recipient blocklist regexp: %s", err.Error())
+		}
+
+		SMTPRelayConfig.BlockedRecipientsRegexp = re
+		logger.Log().Infof("[relay] recipient blocklist is active with the following regexp: %s", SMTPRelayConfig.BlockedRecipients)
+	}
+
+	if SMTPRelayConfig.OverrideFrom != "" {
+		m, err := mail.ParseAddress(SMTPRelayConfig.OverrideFrom)
+		if err != nil {
+			return fmt.Errorf("[relay] override-from is not a valid email address: %s", SMTPRelayConfig.OverrideFrom)
+		}
+
+		SMTPRelayConfig.OverrideFrom = m.Address
+	}
+
+	if SMTPRelayConfig.STARTTLS && SMTPRelayConfig.TLS {
+		return fmt.Errorf("[relay] TLS & STARTTLS cannot be required together")
+	}
+
+	ReleaseEnabled = true
+
+	logger.Log().Infof("[relay] enabling message relaying via %s:%d", SMTPRelayConfig.Host, SMTPRelayConfig.Port)
+
+	return nil
+}
+
+// Parse the SMTPForwardConfigFile (if set)
+func parseForwardConfig(c string) error {
+	if c == "" {
+		return nil
+	}
+
+	c = filepath.Clean(c)
+
+	if !isFile(c) {
+		return fmt.Errorf("[forward] configuration not found or readable: %s", c)
+	}
+
+	data, err := os.ReadFile(c)
+	if err != nil {
+		return err
+	}
+
+	if err := yaml.Unmarshal(data, &SMTPForwardConfig); err != nil {
+		return err
+	}
+
+	if SMTPForwardConfig.Host == "" {
+		return errors.New("[forward] host not set")
+	}
+
+	return nil
+}
+
+// Validate the SMTPForwardConfig (if Host is set)
+func validateForwardConfig() error {
+	if SMTPForwardConfig.Host == "" {
+		return nil
+	}
+
+	if SMTPForwardConfig.Port == 0 {
+		SMTPForwardConfig.Port = 25 // default
+	}
+
+	SMTPForwardConfig.Auth = strings.ToLower(SMTPForwardConfig.Auth)
+
+	if SMTPForwardConfig.Auth == "" || SMTPForwardConfig.Auth == "none" || SMTPForwardConfig.Auth == "false" {
+		SMTPForwardConfig.Auth = "none"
+	} else if SMTPForwardConfig.Auth == "plain" {
+		if SMTPForwardConfig.Username == "" || SMTPForwardConfig.Password == "" {
+			return fmt.Errorf("[forward] host username or password not set for PLAIN authentication")
+		}
+	} else if SMTPForwardConfig.Auth == "login" {
+		SMTPForwardConfig.Auth = "login"
+		if SMTPForwardConfig.Username == "" || SMTPForwardConfig.Password == "" {
+			return fmt.Errorf("[forward] host username or password not set for LOGIN authentication")
+		}
+	} else if strings.HasPrefix(SMTPForwardConfig.Auth, "cram") {
+		SMTPForwardConfig.Auth = "cram-md5"
+		if SMTPForwardConfig.Username == "" || SMTPForwardConfig.Secret == "" {
+			return fmt.Errorf("[forward] host username or secret not set for CRAM-MD5 authentication")
+		}
+	} else {
+		return fmt.Errorf("[forward] authentication method not supported: %s", SMTPForwardConfig.Auth)
+	}
+
+	if SMTPForwardConfig.To == "" {
+		return errors.New("[forward] To addresses missing")
+	}
+
+	to := []string{}
+	addresses := strings.Split(SMTPForwardConfig.To, ",")
+	for _, a := range addresses {
+		a = strings.TrimSpace(a)
+		m, err := mail.ParseAddress(a)
+		if err != nil {
+			return fmt.Errorf("[forward] To address is not a valid email address: %s", a)
+		}
+		to = append(to, m.Address)
+	}
+
+	if len(to) == 0 {
+		return errors.New("[forward] no valid To addresses found")
+	}
+
+	// overwrite the To field with the cleaned up list
+	SMTPForwardConfig.To = strings.Join(to, ",")
+
+	if SMTPForwardConfig.OverrideFrom != "" {
+		m, err := mail.ParseAddress(SMTPForwardConfig.OverrideFrom)
+		if err != nil {
+			return fmt.Errorf("[forward] override-from is not a valid email address: %s", SMTPForwardConfig.OverrideFrom)
+		}
+
+		SMTPForwardConfig.OverrideFrom = m.Address
+	}
+
+	if SMTPForwardConfig.STARTTLS && SMTPForwardConfig.TLS {
+		return fmt.Errorf("[forward] TLS & STARTTLS cannot be required together")
+	}
+
+	logger.Log().Infof("[forward] enabling message forwarding to %s via %s:%d", SMTPForwardConfig.To, SMTPForwardConfig.Host, SMTPForwardConfig.Port)
+
+	return nil
+}
+
+func parseChaosTriggers() error {
+	if ChaosTriggers == "" {
+		return nil
+	}
+
+	re := regexp.MustCompile(`^([a-zA-Z0-0]+):(\d\d\d):(\d+(\.\d)?)$`)
+
+	parts := strings.Split(ChaosTriggers, ",")
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if !re.MatchString(p) {
+			return fmt.Errorf("invalid argument: %s", p)
+		}
+
+		matches := re.FindAllStringSubmatch(p, 1)
+		key := matches[0][1]
+		errorCode, err := strconv.Atoi(matches[0][2])
+		if err != nil {
+			return err
+		}
+		probability, err := strconv.Atoi(matches[0][3])
+		if err != nil {
+			return err
+		}
+
+		if err := chaos.Set(key, errorCode, probability); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
--- a/esbuild.config.mjs
+++ b/esbuild.config.mjs
@@ -1,38 +1,39 @@
-import * as esbuild from 'esbuild'
-import pluginVue from 'esbuild-plugin-vue-next'
-import { sassPlugin } from 'esbuild-sass-plugin'
+import * as esbuild from "esbuild";
+import pluginVue from "esbuild-plugin-vue-next";
+import { sassPlugin } from "esbuild-sass-plugin";

-const doWatch = process.env.WATCH == 'true' ? true : false;
-const doMinify = process.env.MINIFY == 'true' ? true : false;
+const doWatch = process.env.WATCH === "true";
+const doMinify = process.env.MINIFY === "true";

-const ctx = await esbuild.context(
-    {
-        entryPoints: [
-            "server/ui-src/app.js",
-            "server/ui-src/docs.js"
-        ],
-        bundle: true,
-        minify: doMinify,
-        sourcemap: false,
-        define: {
-            '__VUE_OPTIONS_API__': 'true',
-            '__VUE_PROD_DEVTOOLS__': 'false',
-            '__VUE_PROD_HYDRATION_MISMATCH_DETAILS__': 'false',
-        },
-        outdir: "server/ui/dist/",
-        plugins: [pluginVue(), sassPlugin()],
-        loader: {
-            ".svg": "file",
-            ".woff": "file",
-            ".woff2": "file",
-        },
-        logLevel: "info"
-    }
-)
+const ctx = await esbuild.context({
+	entryPoints: ["server/ui-src/app.js", "server/ui-src/docs.js"],
+	bundle: true,
+	minify: doMinify,
+	sourcemap: false,
+	define: {
+		__VUE_OPTIONS_API__: "true",
+		__VUE_PROD_DEVTOOLS__: "false",
+		__VUE_PROD_HYDRATION_MISMATCH_DETAILS__: "false",
+	},
+	outdir: "server/ui/dist/",
+	plugins: [
+		pluginVue(),
+		sassPlugin({
+			silenceDeprecations: ["import"],
+			quietDeps: true,
+		}),
+	],
+	loader: {
+		".svg": "file",
+		".woff": "file",
+		".woff2": "file",
+	},
+	logLevel: "info",
+});

 if (doWatch) {
-    await ctx.watch()
+	await ctx.watch();
 } else {
-    await ctx.rebuild()
-    ctx.dispose()
+	await ctx.rebuild();
+	ctx.dispose();
 }
--- a/eslint.config.js
+++ b/eslint.config.js
@@ -0,0 +1,76 @@
+import eslintConfigPrettier from "eslint-config-prettier/flat";
+import globals from "globals";
+import { includeIgnoreFile } from "@eslint/compat";
+import js from "@eslint/js";
+import vue from "eslint-plugin-vue";
+import { fileURLToPath } from "node:url";
+
+const gitignorePath = fileURLToPath(new URL(".gitignore", import.meta.url));
+
+export default [
+	/* Use .gitignore to prevent linting of irrelevant files */
+	includeIgnoreFile(gitignorePath, ".gitignore"),
+
+	/* ESLint's recommended rules */
+	{
+		files: ["**/*.js", "**/*.vue"],
+		languageOptions: { globals: { ...globals.browser, ...globals.node } },
+		rules: js.configs.recommended.rules,
+	},
+
+	/* Vue-specific rules */
+	...vue.configs["flat/recommended"],
+
+	/* Prettier is responsible for formatting, so we disable conflicting rules */
+	eslintConfigPrettier,
+
+	/* Our custom rules */
+	{
+		rules: {
+			/* Always use arrow functions for tidiness and consistency */
+			"prefer-arrow-callback": "error",
+
+			/* Always use camelCase for variable names */
+			camelcase: [
+				"error",
+				{
+					ignoreDestructuring: false,
+					ignoreGlobals: true,
+					ignoreImports: false,
+					properties: "never",
+				},
+			],
+
+			/* The default case in switch statements must always be last */
+			"default-case-last": "error",
+
+			/* Always use dot notation where possible (e.g. `obj.val` over `obj['val']`) */
+			"dot-notation": "error",
+
+			/* Always use `===` and `!==` for comparisons unless unambiguous */
+			eqeqeq: ["error", "smart"],
+
+			/* Never use `eval()` as it violates our CSP and can lead to security issues */
+			"no-eval": "error",
+			"no-implied-eval": "error",
+
+			/* Prevents accidental use of template literals in plain strings, e.g. "my ${var}" */
+			"no-template-curly-in-string": "error",
+
+			/* Avoid unnecessary ternary operators */
+			"no-unneeded-ternary": "error",
+
+			/* Avoid unused expressions that have no purpose */
+			"no-unused-expressions": "error",
+
+			/* Always use `const` or `let` to make scope behaviour clear */
+			"no-var": "error",
+
+			/* Always use shorthand syntax for objects where possible, e.g. { a, b() { } } */
+			"object-shorthand": "error",
+
+			/* Always use `const` for variables that are never reassigned */
+			"prefer-const": "error",
+		},
+	},
+];
--- a/go.mod
+++ b/go.mod
@@ -1,67 +1,81 @@
 module github.com/axllent/mailpit

-go 1.21.0
-
-toolchain go1.22.1
+go 1.25.0

 require (
-	github.com/PuerkitoBio/goquery v1.9.2
+	github.com/PuerkitoBio/goquery v1.11.0
 	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
-	github.com/axllent/semver v0.0.1
-	github.com/gomarkdown/markdown v0.0.0-20240419095408-642f0ee99ae2
+	github.com/axllent/ghru/v2 v2.1.0
+	github.com/axllent/semver v1.0.0
+	github.com/goccy/go-yaml v1.19.2
+	github.com/gomarkdown/markdown v0.0.0-20260217112301-37c66b85d6ab
 	github.com/gorilla/mux v1.8.1
-	github.com/gorilla/websocket v1.5.1
-	github.com/jhillyerd/enmime v1.2.0
-	github.com/klauspost/compress v1.17.8
-	github.com/kovidgoyal/imaging v1.6.3
+	github.com/gorilla/websocket v1.5.3
+	github.com/jhillyerd/enmime/v2 v2.3.0
+	github.com/klauspost/compress v1.18.4
+	github.com/kovidgoyal/imaging v1.8.20
 	github.com/leporo/sqlf v1.4.0
-	github.com/lithammer/shortuuid/v4 v4.0.0
-	github.com/mhale/smtpd v0.8.3
-	github.com/reiver/go-telnet v0.0.0-20180421082511-9ff0b2ab096e
-	github.com/rqlite/gorqlite v0.0.0-20240227123050-397b03f02418
-	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.8.0
-	github.com/spf13/pflag v1.0.5
-	github.com/tg123/go-htpasswd v1.2.2
-	github.com/vanng822/go-premailer v1.21.0
-	golang.org/x/net v0.25.0
-	golang.org/x/text v0.15.0
-	golang.org/x/time v0.5.0
-	gopkg.in/yaml.v3 v3.0.1
-	modernc.org/sqlite v1.29.10
+	github.com/lithammer/shortuuid/v4 v4.2.0
+	github.com/mneis/go-telnet v0.0.0-20221017141824-6f643e477c62
+	github.com/pkg/errors v0.9.1
+	github.com/prometheus/client_golang v1.23.2
+	github.com/rqlite/gorqlite v0.0.0-20250609141355-ac86a4a1c9a8
+	github.com/sirupsen/logrus v1.9.4
+	github.com/spf13/cobra v1.10.2
+	github.com/spf13/pflag v1.0.10
+	github.com/tg123/go-htpasswd v1.2.4
+	github.com/vanng822/go-premailer v1.31.0
+	golang.org/x/crypto v0.48.0
+	golang.org/x/net v0.50.0
+	golang.org/x/text v0.34.0
+	golang.org/x/time v0.14.0
+	modernc.org/sqlite v1.46.1
 )

 require (
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect
-	github.com/andybalholm/cascadia v1.3.2 // indirect
+	github.com/andybalholm/cascadia v1.3.3 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/clipperhouse/displaywidth v0.11.0 // indirect
+	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
-	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/inbucket/html2text v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056 // indirect
-	github.com/kr/pretty v0.3.0 // indirect
+	github.com/kovidgoyal/go-parallel v1.1.1 // indirect
+	github.com/kovidgoyal/go-shm v1.0.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
-	github.com/ncruces/go-strftime v0.1.9 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/mattn/go-runewidth v0.0.20 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/ncruces/go-strftime v1.0.0 // indirect
+	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
+	github.com/olekukonko/errors v1.2.0 // indirect
+	github.com/olekukonko/ll v0.1.7 // indirect
+	github.com/olekukonko/tablewriter v1.1.3 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/reiver/go-oi v1.0.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/vanng822/css v1.0.1 // indirect
-	golang.org/x/crypto v0.23.0 // indirect
-	golang.org/x/image v0.16.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
-	modernc.org/gc/v3 v3.0.0-20240304020402-f0dba7c97c2b // indirect
-	modernc.org/libc v1.50.9 // indirect
-	modernc.org/mathutil v1.6.0 // indirect
-	modernc.org/memory v1.8.0 // indirect
-	modernc.org/strutil v1.2.0 // indirect
-	modernc.org/token v1.1.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa // indirect
+	golang.org/x/image v0.36.0 // indirect
+	golang.org/x/mod v0.33.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
+	modernc.org/libc v1.68.0 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.11.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,221 +1,280 @@
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI=
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec=
-github.com/PuerkitoBio/goquery v1.9.1/go.mod h1:cW1n6TmIMDoORQU5IU/P1T3tGFunOeXEpGP2WHRwkbY=
-github.com/PuerkitoBio/goquery v1.9.2 h1:4/wZksC3KgkQw7SQgkKotmKljk0M6V8TUvA8Wb4yPeE=
-github.com/PuerkitoBio/goquery v1.9.2/go.mod h1:GHPCaP0ODyyxqcNoFGYlAprUFH81NuRPd0GX3Zu2Mvk=
-github.com/andybalholm/cascadia v1.3.2 h1:3Xi6Dw5lHF15JtdcmAHD3i1+T8plmv7BQ/nsViSLyss=
-github.com/andybalholm/cascadia v1.3.2/go.mod h1:7gtRlve5FxPPgIgX36uWBX58OdBsSS6lUvCFb+h7KvU=
+github.com/PuerkitoBio/goquery v1.11.0 h1:jZ7pwMQXIITcUXNH83LLk+txlaEy6NVOfTuP43xxfqw=
+github.com/PuerkitoBio/goquery v1.11.0/go.mod h1:wQHgxUOU3JGuj3oD/QFfxUdlzW6xPHfqyHre6VMY4DQ=
+github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
+github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
 github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de h1:FxWPpzIjnTlhPwqqXc4/vE0f7GvRjuAsbW+HOIe8KnA=
 github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de/go.mod h1:DCaWoUhZrYW9p1lxo/cm8EmUOOzAPSEZNGF2DK1dJgw=
-github.com/axllent/semver v0.0.1 h1:QqF+KSGxgj8QZzSXAvKFqjGWE5792ksOnQhludToK8E=
-github.com/axllent/semver v0.0.1/go.mod h1:2xSPzvG8n9mRfdtxSvWvfTfQGWfHsMsHO1iZnKATMSc=
+github.com/axllent/ghru/v2 v2.1.0 h1:zNW96KO+rmXggizZhHzIX7MExOiV4jx+63Y9nXlwLV0=
+github.com/axllent/ghru/v2 v2.1.0/go.mod h1:8l7s1phdc375vvf8LHxT7wnJqXlThdHJR5EBtHNWhTg=
+github.com/axllent/semver v1.0.0 h1:FDekA0alnMed5bWVWjUwBS+6QouZZkmPXsGVmOfjWOg=
+github.com/axllent/semver v1.0.0/go.mod h1:ySHHYLyFX3vKAALmaO8TOOJkzGRsUNmzFiIWwPm8li8=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a h1:MISbI8sU/PSK/ztvmWKFcI7UGb5/HQT7B+i3a2myKgI=
 github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a/go.mod h1:2GxOXOlEPAMFPfp014mK1SWq8G8BN8o7/dfYqJrVGn8=
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSEFgwIwO+UVM8=
+github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=
+github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
+github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/eknkc/amber v0.0.0-20171010120322-cdade1c07385/go.mod h1:0vRUJqYpeSZifjYj7uP3BG/gKcuzL9xWVV/Y+cK33KM=
-github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
-github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
+github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
+github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f h1:3BSP1Tbs2djlpprl7wCLuiqMaUh5SJkkzI2gDs+FgLs=
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
-github.com/gomarkdown/markdown v0.0.0-20240419095408-642f0ee99ae2 h1:yEt5djSYb4iNtmV9iJGVday+i4e9u6Mrn5iP64HH5QM=
-github.com/gomarkdown/markdown v0.0.0-20240419095408-642f0ee99ae2/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA=
-github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd h1:gbpYu9NMq8jhDVbvlGkMFWCjLFlqqEZjEmObmhUy6Vo=
-github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gomarkdown/markdown v0.0.0-20260217112301-37c66b85d6ab h1:VYNivV7P8IRHUam2swVUNkhIdp0LRRFKe4hXNnoZKTc=
+github.com/gomarkdown/markdown v0.0.0-20260217112301-37c66b85d6ab/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
-github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
+github.com/inbucket/html2text v1.0.0 h1:N5kza++4uBBDJ2Z3KUnTRyPNoBcW+YfOgNiNmNB+sgs=
+github.com/inbucket/html2text v1.0.0/go.mod h1:5TrhXQKGU+LXurODaSm55Y9eXoPBRnYiOz4x2XfUoJU=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056 h1:iCHtR9CQyktQ5+f3dMVZfwD2KWJUgm7M0gdL9NGr8KA=
-github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056/go.mod h1:CVKlgaMiht+LXvHG173ujK6JUhZXKb2u/BQtjPDIvyk=
-github.com/jhillyerd/enmime v1.2.0 h1:dIu1IPEymQgoT2dzuB//ttA/xcV40NMPpQtmd4wslHk=
-github.com/jhillyerd/enmime v1.2.0/go.mod h1:FRFuUPCLh8PByQv+8xRcLO9QHqaqTqreYhopv5eyk4I=
-github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
-github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
-github.com/kovidgoyal/imaging v1.6.3 h1:iNPpv7ygiaB/NOztc6APMT7yr9UwBS+rOZwIbAdtyY8=
-github.com/kovidgoyal/imaging v1.6.3/go.mod h1:sHvcLOOVhJuto2IoNdPLEqnAUoL5ZfHEF0PpNH+882g=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/jhillyerd/enmime/v2 v2.3.0 h1:Y/pzQanyU8nkSgB2npXX8Dha5OItJE/QwbDJM4sf/kU=
+github.com/jhillyerd/enmime/v2 v2.3.0/go.mod h1:mGKXAP45l6pF6HZiaLhgSYsgteJskaSIYmEZXpw6ZpI=
+github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
+github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/kovidgoyal/go-parallel v1.1.1 h1:1OzpNjtrUkBPq3UaqrnvOoB2F9RttSt811uiUXyI7ok=
+github.com/kovidgoyal/go-parallel v1.1.1/go.mod h1:BJNIbe6+hxyFWv7n6oEDPj3PA5qSw5OCtf0hcVxWJiw=
+github.com/kovidgoyal/go-shm v1.0.0 h1:HJEel9D1F9YhULvClEHJLawoRSj/1u/EDV7MJbBPgQo=
+github.com/kovidgoyal/go-shm v1.0.0/go.mod h1:Yzb80Xf9L3kaoB2RGok9hHwMIt7Oif61kT6t3+VnZds=
+github.com/kovidgoyal/imaging v1.8.20 h1:74GZ7C2rIm3rqmGEjK1GvvPOOnJ0SS5iDOa6Flfo0b0=
+github.com/kovidgoyal/imaging v1.8.20/go.mod h1:d3phGYkTChGYkY4y++IjpHgUGhWGELDc2NEQAqxwZZg=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leporo/sqlf v1.4.0 h1:SyWnX/8GSGOzVmanG0Ub1c04mR9nNl6Tq3IeFKX2/4c=
 github.com/leporo/sqlf v1.4.0/go.mod h1:pgN9yKsAnQ+2ewhbZogr98RcasUjPsHF3oXwPPhHvBw=
-github.com/lithammer/shortuuid/v4 v4.0.0 h1:QRbbVkfgNippHOS8PXDkti4NaWeyYfcBTHtw7k08o4c=
-github.com/lithammer/shortuuid/v4 v4.0.0/go.mod h1:Zs8puNcrvf2rV9rTH51ZLLcj7ZXqQI3lv67aw4KiB1Y=
+github.com/lithammer/shortuuid/v4 v4.2.0 h1:LMFOzVB3996a7b8aBuEXxqOBflbfPQAiVzkIcHO0h8c=
+github.com/lithammer/shortuuid/v4 v4.2.0/go.mod h1:D5noHZ2oFw/YaKCfGy0YxyE7M0wMbezmMjPdhyEFe6Y=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.10/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjcQQaQ=
+github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y=
 github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
-github.com/mhale/smtpd v0.8.3 h1:8j8YNXajksoSLZja3HdwvYVZPuJSqAxFsib3adzRRt8=
-github.com/mhale/smtpd v0.8.3/go.mod h1:MQl+y2hwIEQCXtNhe5+55n0GZOjSmeqORDIXbqUL3x4=
-github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
-github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
-github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
-github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/mneis/go-telnet v0.0.0-20221017141824-6f643e477c62 h1:XMG5DklHoioVYysfYglOB7vRBg/LOUJZy2mq2QyedLg=
+github.com/mneis/go-telnet v0.0.0-20221017141824-6f643e477c62/go.mod h1:niAM5cni0I/47IFA995xQfeK58Mkbb7FHJjacY4OGQg=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
+github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 h1:zrbMGy9YXpIeTnGj4EljqMiZsIcE09mmF8XsD5AYOJc=
+github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6/go.mod h1:rEKTHC9roVVicUIfZK7DYrdIoM0EOr8mK1Hj5s3JjH0=
+github.com/olekukonko/errors v1.2.0 h1:10Zcn4GeV59t/EGqJc8fUjtFT/FuUh5bTMzZ1XwmCRo=
+github.com/olekukonko/errors v1.2.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
+github.com/olekukonko/ll v0.1.7 h1:WyK1YZwOTUKHEXZz3VydBDT5t3zDqa9yI8iJg5PHon4=
+github.com/olekukonko/ll v0.1.7/go.mod h1:RPRC6UcscfFZgjo1nulkfMH5IM0QAYim0LfnMvUuozw=
+github.com/olekukonko/tablewriter v1.1.3 h1:VSHhghXxrP0JHl+0NnKid7WoEmd9/urKRJLysb70nnA=
+github.com/olekukonko/tablewriter v1.1.3/go.mod h1:9VU0knjhmMkXjnMKrZ3+L2JhhtsQ/L38BbL3CRNE8tM=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
+github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
+github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
+github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
 github.com/reiver/go-oi v1.0.0 h1:nvECWD7LF+vOs8leNGV/ww+F2iZKf3EYjYZ527turzM=
 github.com/reiver/go-oi v1.0.0/go.mod h1:RrDBct90BAhoDTxB1fenZwfykqeGvhI6LsNfStJoEkI=
-github.com/reiver/go-telnet v0.0.0-20180421082511-9ff0b2ab096e h1:quuzZLi72kkJjl+f5AQ93FMcadG19WkS7MO6TXFOSas=
-github.com/reiver/go-telnet v0.0.0-20180421082511-9ff0b2ab096e/go.mod h1:+5vNVvEWwEIx86DB9Ke/+a5wBI464eDRo3eF0LcfpWg=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
-github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
-github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rqlite/gorqlite v0.0.0-20240227123050-397b03f02418 h1:gYUQqzapdN4PQF5j0zDFI9ANQVAVFoJivNp5bTZEZMo=
-github.com/rqlite/gorqlite v0.0.0-20240227123050-397b03f02418/go.mod h1:xF/KoXmrRyahPfo5L7Szb5cAAUl53dMWBh9cMruGEZg=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rqlite/gorqlite v0.0.0-20250609141355-ac86a4a1c9a8 h1:BoxiqWvhprOB2isgM59s8wkgKwAoyQH66Twfmof41oE=
+github.com/rqlite/gorqlite v0.0.0-20250609141355-ac86a4a1c9a8/go.mod h1:xF/KoXmrRyahPfo5L7Szb5cAAUl53dMWBh9cMruGEZg=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd h1:CmH9+J6ZSsIjUK3dcGsnCnO41eRBOnY12zwkn5qVwgc=
+github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd/go.mod h1:hPqNNc0+uJM6H+SuU8sEs5K5IQeKccPqeSjfgcKGgPk=
 github.com/scylladb/termtables v0.0.0-20191203121021-c4c0b6d42ff4/go.mod h1:C1a7PQSMz9NShzorzCiG2fk9+xuCgLkPeCvMHYR2OWg=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
+github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf h1:pvbZ0lM0XWPBqUKqFU8cmavspvIl9nulOYwdy6IFRRo=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf/go.mod h1:RJID2RhlZKId02nZ62WenDCkgHFerpIOmW0iT7GKmXM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/tg123/go-htpasswd v1.2.2 h1:tmNccDsQ+wYsoRfiONzIhDm5OkVHQzN3w4FOBAlN6BY=
-github.com/tg123/go-htpasswd v1.2.2/go.mod h1:FcIrK0J+6zptgVwK1JDlqyajW/1B4PtuJ/FLWl7nx8A=
-github.com/unrolled/render v1.0.3/go.mod h1:gN9T0NhL4Bfbwu8ann7Ry/TGHYfosul+J0obPf6NBdM=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tg123/go-htpasswd v1.2.4 h1:HgH8KKCjdmo7jjXWN9k1nefPBd7Be3tFCTjc2jPraPU=
+github.com/tg123/go-htpasswd v1.2.4/go.mod h1:EKThQok9xHkun6NBMynNv6Jmu24A33XdZzzl4Q7H1+0=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/vanng822/css v1.0.1 h1:10yiXc4e8NI8ldU6mSrWmSWMuyWgPr9DZ63RSlsgDw8=
 github.com/vanng822/css v1.0.1/go.mod h1:tcnB1voG49QhCrwq1W0w5hhGasvOg+VQp9i9H1rCM1w=
-github.com/vanng822/go-premailer v1.21.0 h1:qIwX4urphNPO3xa60MGqowmyjzzMtFacJPKNrt1UWFU=
-github.com/vanng822/go-premailer v1.21.0/go.mod h1:6Y3H2NzNmK3sFBNgR1ENdfV9hzG8hMzrA1nL/XBbbP4=
-github.com/vanng822/r2router v0.0.0-20150523112421-1023140a4f30/go.mod h1:1BVq8p2jVr55Ost2PkZWDrG86PiJ/0lxqcXoAcGxvWU=
+github.com/vanng822/go-premailer v1.31.0 h1:r1a1WH2I5NnGMhrmjVZyYhY0ThvaamKBkS2UuM91Fuo=
+github.com/vanng822/go-premailer v1.31.0/go.mod h1:hzI26/YvzUADrxqifxGLJvNvn3tWBU6VMHRvxsskpuo=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/image v0.16.0 h1:9kloLAKhUufZhA12l5fwnx2NZW39/we1UhBesW433jw=
-golang.org/x/image v0.16.0/go.mod h1:ugSZItdV4nOxyqp56HmXwH0Ry0nBCpjnZdpDaIHdoPs=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa h1:Zt3DZoOFFYkKhDT3v7Lm9FDMEV06GpzjG2jrqW+QTE0=
+golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa/go.mod h1:K79w1Vqn7PoiZn+TkNpx3BUWUQksGO3JcVX6qIjytmA=
+golang.org/x/image v0.36.0 h1:Iknbfm1afbgtwPTmHnS2gTM/6PPZfH+z2EFuOkSbqwc=
+golang.org/x/image v0.36.0/go.mod h1:YsWD2TyyGKiIX1kZlu9QfKIsQ4nAAK9bdgdrIsE7xy4=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
-golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
+golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw=
-golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-modernc.org/cc/v4 v4.21.2 h1:dycHFB/jDc3IyacKipCNSDrjIC0Lm1hyoWOZTRR20Lk=
-modernc.org/cc/v4 v4.21.2/go.mod h1:HM7VJTZbUCR3rV8EYBi9wxnJ0ZBRiGE5OeGXNA0IsLQ=
-modernc.org/ccgo/v4 v4.17.8 h1:yyWBf2ipA0Y9GGz/MmCmi3EFpKgeS7ICrAFes+suEbs=
-modernc.org/ccgo/v4 v4.17.8/go.mod h1:buJnJ6Fn0tyAdP/dqePbrrvLyr6qslFfTbFrCuaYvtA=
-modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE=
-modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ=
-modernc.org/gc/v2 v2.4.1 h1:9cNzOqPyMJBvrUipmynX0ZohMhcxPtMccYgGOJdOiBw=
-modernc.org/gc/v2 v2.4.1/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU=
-modernc.org/gc/v3 v3.0.0-20240304020402-f0dba7c97c2b h1:BnN1t+pb1cy61zbvSUV7SeI0PwosMhlAEi/vBY4qxp8=
-modernc.org/gc/v3 v3.0.0-20240304020402-f0dba7c97c2b/go.mod h1:Qz0X07sNOR1jWYCrJMEnbW/X55x206Q7Vt4mz6/wHp4=
-modernc.org/libc v1.50.9 h1:hIWf1uz55lorXQhfoEoezdUHjxzuO6ceshET/yWjSjk=
-modernc.org/libc v1.50.9/go.mod h1:15P6ublJ9FJR8YQCGy8DeQ2Uwur7iW9Hserr/T3OFZE=
-modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
-modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
-modernc.org/memory v1.8.0 h1:IqGTL6eFMaDZZhEWwcREgeMXYwmW83LYW8cROZYkg+E=
-modernc.org/memory v1.8.0/go.mod h1:XPZ936zp5OMKGWPqbD3JShgd/ZoQ7899TUuQqxY+peU=
-modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
-modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
-modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc=
-modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss=
-modernc.org/sqlite v1.29.10 h1:3u93dz83myFnMilBGCOLbr+HjklS6+5rJLx4q86RDAg=
-modernc.org/sqlite v1.29.10/go.mod h1:ItX2a1OVGgNsFh6Dv60JQvGfJfTPHPVpV6DF59akYOA=
-modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
-modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
+modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
+modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/ccgo/v4 v4.30.2 h1:4yPaaq9dXYXZ2V8s1UgrC3KIj580l2N4ClrLwnbv2so=
+modernc.org/ccgo/v4 v4.30.2/go.mod h1:yZMnhWEdW0qw3EtCndG1+ldRrVGS+bIwyWmAWzS0XEw=
+modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
+modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
+modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
+modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
+modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
+modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
+modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
+modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
+modernc.org/libc v1.68.0 h1:PJ5ikFOV5pwpW+VqCK1hKJuEWsonkIJhhIXyuF/91pQ=
+modernc.org/libc v1.68.0/go.mod h1:NnKCYeoYgsEqnY3PgvNgAeaJnso968ygU8Z0DxjoEc0=
+modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
+modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
+modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
+modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
+modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
+modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
+modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
+modernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU=
+modernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
+modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
+modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
--- a/install.sh
+++ b/install.sh
@@ -1,98 +1,214 @@
-#!/usr/bin/env bash
+#!/bin/sh

-GH_REPO="axllent/mailpit"
-TIMEOUT=90
+# This script will install the latest release of Mailpit.

-set -e
+# Check dependencies is installed
+for cmd in curl tar; do
+    if ! command -v "$cmd" >/dev/null 2>&1; then
+        echo "Then $cmd command is required but not installed."
+        echo "Please install $cmd and try again."
+        exit 1
+    fi
+done

-VERSION=$(curl --silent --location --max-time "${TIMEOUT}" "https://api.github.com/repos/${GH_REPO}/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
-if [ $? -ne 0 ]; then
-    echo -ne "\nThere was an error trying to check what is the latest version of Mailpit.\nPlease try again later.\n"
-    exit 1
-fi
-
-# detect the platform
-OS="$(uname)"
-case $OS in
-Linux)
-    OS='linux'
-    ;;
-FreeBSD)
-    OS='freebsd'
-    echo 'OS not supported'
-    exit 2
-    ;;
-NetBSD)
-    OS='netbsd'
-    echo 'OS not supported'
-    exit 2
-    ;;
-OpenBSD)
-    OS='openbsd'
-    echo 'OS not supported'
-    exit 2
-    ;;
-Darwin)
-    OS='darwin'
-    ;;
-SunOS)
-    OS='solaris'
-    echo 'OS not supported'
-    exit 2
-    ;;
+# Check if the OS is supported.
+OS=
+case "$(uname -s)" in
+Linux) OS="linux" ;;
+Darwin) OS="darwin" ;;
 *)
-    echo 'OS not supported'
+    echo "OS not supported."
    exit 2
    ;;
 esac

-# detect the arch
-OS_type="$(uname -m)"
-case "$OS_type" in
+# Detect the architecture of the OS.
+OS_ARCH=
+case "$(uname -m)" in
 x86_64 | amd64)
-    OS_type='amd64'
+    OS_ARCH="amd64"
    ;;
 i?86 | x86)
-    OS_type='386'
+    OS_ARCH="386"
    ;;
 aarch64 | arm64)
-    OS_type='arm64'
+    OS_ARCH="arm64"
    ;;
 *)
-    echo 'OS type not supported'
+    echo "OS architecture not supported."
    exit 2
    ;;
 esac

-GH_REPO_BIN="mailpit-${OS}-${OS_type}.tar.gz"
+GH_REPO="axllent/mailpit"
+INSTALL_PATH="${INSTALL_PATH:-/usr/local/bin}"
+TIMEOUT=90
+# This is used to authenticate with the GitHub API. (Fix the public rate limiting issue)
+# Try the GITHUB_TOKEN environment variable is set globally.
+GITHUB_API_TOKEN="${GITHUB_TOKEN:-}"

-#create tmp directory and move to it with macOS compatibility fallback
-tmp_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'mailpit-install.XXXXXXXXXX')
-cd "$tmp_dir"
+# Update the default values if the user has set.
+while [ $# -gt 0 ]; do
+    case $1 in
+    --install-path)
+        shift
+        case "$1" in
+        */*)
+            # Remove trailing slashes from the path.
+            INSTALL_PATH="$(echo "$1" | sed 's#/\+$##')"
+            [ -z "$INSTALL_PATH" ] && INSTALL_PATH="/"
+            ;;
+        esac
+        ;;
+    --auth | --auth-token | --github-token | --token)
+        shift
+        case "$1" in
+        gh*)
+            GITHUB_API_TOKEN="$1"
+            ;;
+        esac
+        ;;
+    *) ;;
+    esac
+    shift
+done

-echo "Downloading Mailpit $VERSION"
-LINK="https://github.com/${GH_REPO}/releases/download/${VERSION}/${GH_REPO_BIN}"
+# Description of the sort parameters for curl command.
+# -s: Silent mode.
+# -f: Fail silently on server errors.
+# -L: Follow redirects.
+# -m: Set maximum time allowed for the transfer.

-curl --silent --location --max-time "${TIMEOUT}" "${LINK}" | tar zxf - || {
-    echo "Error downloading"
-    exit 2
-}
+if [ -n "$GITHUB_API_TOKEN" ] && [ "${#GITHUB_API_TOKEN}" -gt 36 ]; then
+    CURL_OUTPUT="$(curl -sfL -m $TIMEOUT -H "Authorization: Bearer $GITHUB_API_TOKEN" https://api.github.com/repos/${GH_REPO}/releases/latest)"
+    EXIT_CODE=$?
+else
+    CURL_OUTPUT="$(curl -sfL -m $TIMEOUT https://api.github.com/repos/${GH_REPO}/releases/latest)"
+    EXIT_CODE=$?
+fi

-mkdir -p /usr/local/bin || exit 2
-cp mailpit /usr/local/bin/ || exit 2
-chmod 755 /usr/local/bin/mailpit || exit 2
-case "$OS" in
-'linux')
-    chown root:root /usr/local/bin/mailpit || exit 2
-    ;;
-'freebsd' | 'openbsd' | 'netbsd' | 'darwin')
-    chown root:wheel /usr/local/bin/mailpit || exit 2
-    ;;
+VERSION=""
+if [ $EXIT_CODE -eq 0 ]; then
+    # Extracts the latest version using jq, awk, or sed.
+    if command -v jq >/dev/null 2>&1; then
+        # Use jq -n because the output is not a valid JSON in sh.
+        VERSION=$(jq -n "$CURL_OUTPUT" | jq -r '.tag_name')
+    elif command -v awk >/dev/null 2>&1; then
+        VERSION=$(echo "$CURL_OUTPUT" | awk -F: '$1 ~ /tag_name/ {gsub(/[^v0-9\.]+/, "", $2) ;print $2; exit}')
+    elif command -v sed >/dev/null 2>&1; then
+        VERSION=$(echo "$CURL_OUTPUT" | sed -n 's/.*"tag_name": *"\([^"]*\)".*/\1/p')
+    else
+        EXIT_CODE=3
+    fi
+fi
+
+# Validate the version.
+case "$VERSION" in
+v[0-9][0-9\.]*) ;;
 *)
-    echo 'OS not supported'
-    exit 2
+    echo "There was an error trying to check what is the latest version of Mailpit."
+    echo "Please try again later."
+    exit $EXIT_CODE
    ;;
 esac

-rm -rf "$tmp_dir"
-echo "Installed successfully to /usr/local/bin/mailpit"
+TEMP_DIR="$(mktemp -qd)"
+EXIT_CODE=$?
+# Ensure the temporary directory exists and is a directory.
+if [ -z "$TEMP_DIR" ] || [ ! -d "$TEMP_DIR" ]; then
+    echo "ERROR: Creating temporary directory."
+    exit $EXIT_CODE
+fi
+
+GH_REPO_BIN="mailpit-${OS}-${OS_ARCH}.tar.gz"
+if [ "$INSTALL_PATH" = "/" ]; then
+    INSTALL_BIN_PATH="/mailpit"
+else
+    INSTALL_BIN_PATH="${INSTALL_PATH}/mailpit"
+fi
+cd "$TEMP_DIR" || EXIT_CODE=$?
+if [ $EXIT_CODE -eq 0 ]; then
+    # Download the latest release.
+    #
+    # Description of the sort parameters for curl command.
+    # -s: Silent mode.
+    # -f: Fail silently on server errors.
+    # -L: Follow redirects.
+    # -m: Set maximum time allowed for the transfer.
+    # -o: Write output to a file instead of stdout.
+    curl -sfL -m $TIMEOUT -o "${GH_REPO_BIN}" "https://github.com/${GH_REPO}/releases/download/${VERSION}/${GH_REPO_BIN}"
+    EXIT_CODE=$?
+
+    # The following conditions check each step of the installation.
+    # If there is an error in any of the steps, an error message is printed.
+
+    if [ $EXIT_CODE -eq 0 ]; then
+        if ! [ -f "${GH_REPO_BIN}" ]; then
+            EXIT_CODE=1
+            echo "ERROR: Downloading latest release."
+        fi
+    fi
+
+    if [ $EXIT_CODE -eq 0 ]; then
+        tar zxf "$GH_REPO_BIN"
+        EXIT_CODE=$?
+        if [ $EXIT_CODE -ne 0 ]; then
+            echo "ERROR: Extracting \"${GH_REPO_BIN}\"."
+        fi
+    fi
+
+    if [ $EXIT_CODE -eq 0 ] && [ ! -d "$INSTALL_PATH" ]; then
+        mkdir -p "${INSTALL_PATH}"
+        EXIT_CODE=$?
+        if [ $EXIT_CODE -ne 0 ]; then
+            echo "ERROR: Creating \"${INSTALL_PATH}\" directory."
+        fi
+    fi
+
+    if [ $EXIT_CODE -eq 0 ]; then
+        cp mailpit "$INSTALL_BIN_PATH"
+        EXIT_CODE=$?
+        if [ $EXIT_CODE -ne 0 ]; then
+            echo "ERROR: Copying mailpit to \"${INSTALL_PATH}\" directory."
+        fi
+    fi
+
+    if [ $EXIT_CODE -eq 0 ]; then
+        chmod 755 "$INSTALL_BIN_PATH"
+        EXIT_CODE=$?
+        if [ $EXIT_CODE -ne 0 ]; then
+            echo "ERROR: Setting permissions for \"$INSTALL_BIN_PATH\" binary."
+        fi
+    fi
+
+    # Set the owner and group to root:root if the script is run as root.
+    if [ $EXIT_CODE -eq 0 ] && [ "$(id -u)" -eq "0" ]; then
+        OWNER="root"
+        GROUP="root"
+        # Set the OWNER, GROUP variable when the OS not use the default root:root.
+        case "$OS" in
+        darwin) GROUP="wheel" ;;
+        *) ;;
+        esac
+
+        chown "${OWNER}:${GROUP}" "$INSTALL_BIN_PATH"
+        EXIT_CODE=$?
+        if [ $EXIT_CODE -ne 0 ]; then
+            echo "ERROR: Setting ownership for \"$INSTALL_BIN_PATH\" binary."
+        fi
+    fi
+else
+    echo "ERROR: Changing to temporary directory."
+    exit $EXIT_CODE
+fi
+
+# Cleanup the temporary directory.
+rm -rf "$TEMP_DIR"
+# Check the EXIT_CODE variable, and print the success or error message.
+if [ $EXIT_CODE -ne 0 ]; then
+    echo "There was an error installing Mailpit."
+    exit $EXIT_CODE
+fi
+
+echo "Installed successfully to \"$INSTALL_BIN_PATH\"."
+exit 0
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -11,6 +11,8 @@ import (
 var (
 	// UICredentials passwords
 	UICredentials *htpasswd.File
+	// SendAPICredentials passwords
+	SendAPICredentials *htpasswd.File
 	// SMTPCredentials passwords
 	SMTPCredentials *htpasswd.File
 	// POP3Credentials passwords
@@ -36,6 +38,25 @@ func SetUIAuth(s string) error {
 	return nil
 }

+// SetSendAPIAuth will set Send API credentials
+func SetSendAPIAuth(s string) error {
+	var err error
+
+	credentials := credentialsFromString(s)
+	if len(credentials) == 0 {
+		return nil
+	}
+
+	r := strings.NewReader(strings.Join(credentials, "\n"))
+
+	SendAPICredentials, err = htpasswd.NewFromReader(r, htpasswd.DefaultSystems, nil)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // SetSMTPAuth will set SMTP credentials
 func SetSMTPAuth(s string) error {
 	var err error
--- a/internal/dump/dump.go
+++ b/internal/dump/dump.go
@@ -0,0 +1,163 @@
+// Package dump is used to export all messages from mailpit into a directory
+package dump
+
+import (
+	"encoding/json"
+	"errors"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"regexp"
+	"strings"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/storage"
+	"github.com/axllent/mailpit/internal/tools"
+	"github.com/axllent/mailpit/server/apiv1"
+)
+
+var (
+	linkRe = regexp.MustCompile(`(?i)^https?:\/\/`)
+
+	outDir string
+
+	// Base URL of mailpit instance
+	base string
+
+	// URL is the base URL of a remove Mailpit instance
+	URL string
+
+	summary = []storage.MessageSummary{}
+)
+
+// Sync will sync all messages from the specified database or API to the specified output directory
+func Sync(d string) error {
+
+	outDir = path.Clean(d)
+
+	if URL != "" {
+		if !linkRe.MatchString(URL) {
+			return errors.New("invalid URL")
+		}
+
+		base = strings.TrimRight(URL, "/") + "/"
+	}
+
+	if base == "" && config.Database == "" {
+		return errors.New("no database or API URL specified")
+	}
+
+	if !tools.IsDir(outDir) {
+		if err := os.MkdirAll(outDir, 0755); /* #nosec */ err != nil {
+			return err
+		}
+	}
+
+	if err := loadIDs(); err != nil {
+		return err
+	}
+
+	if err := saveMessages(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// LoadIDs will load all message IDs from the specified database or API
+func loadIDs() error {
+	if base != "" {
+		// remote
+		logger.Log().Debugf("Fetching messages summary from %s", base)
+		res, err := http.Get(base + "api/v1/messages?limit=0")
+
+		if err != nil {
+			return err
+		}
+
+		body, err := io.ReadAll(res.Body)
+
+		if err != nil {
+			return err
+		}
+
+		var data apiv1.MessagesSummary
+		if err := json.Unmarshal(body, &data); err != nil {
+			return err
+		}
+
+		summary = data.Messages
+
+	} else {
+		// make sure the database isn't pruned while open
+		config.MaxMessages = 0
+
+		var err error
+		// local database
+		if err = storage.InitDB(); err != nil {
+			return err
+		}
+
+		logger.Log().Debugf("Fetching messages summary from %s", config.Database)
+
+		summary, err = storage.List(0, 0, 0)
+		if err != nil {
+			return err
+		}
+	}
+
+	if len(summary) == 0 {
+		return errors.New("no messages found")
+	}
+
+	return nil
+}
+
+func saveMessages() error {
+	for _, m := range summary {
+		out := path.Join(outDir, m.ID+".eml")
+
+		// skip if message exists
+		if tools.IsFile(out) {
+			continue
+		}
+
+		var b []byte
+
+		if base != "" {
+			res, err := http.Get(base + "api/v1/message/" + m.ID + "/raw")
+
+			if err != nil {
+				logger.Log().Errorf("error fetching message %s: %s", m.ID, err.Error())
+				continue
+			}
+
+			b, err = io.ReadAll(res.Body)
+
+			if err != nil {
+				logger.Log().Errorf("error fetching message %s: %s", m.ID, err.Error())
+				continue
+			}
+		} else {
+			var err error
+			b, err = storage.GetMessageRaw(m.ID)
+			if err != nil {
+				logger.Log().Errorf("error fetching message %s: %s", m.ID, err.Error())
+				continue
+			}
+		}
+
+		if err := os.WriteFile(out, b, 0644); /* #nosec */ err != nil {
+			logger.Log().Errorf("error writing message %s: %s", m.ID, err.Error())
+			continue
+		}
+
+		_ = os.Chtimes(out, m.Created, m.Created)
+
+		logger.Log().Debugf("Saved message %s to %s", m.ID, out)
+	}
+
+	return nil
+}
--- a/internal/html2text/html2text.go
+++ b/internal/html2text/html2text.go
@@ -78,5 +78,6 @@ func clean(text string) string {
 	}, text)

 	text = re.ReplaceAllString(text, " ")
+
 	return strings.TrimSpace(text)
 }
--- a/internal/htmlcheck/caniemail-data.json
+++ b/internal/htmlcheck/caniemail-data.json
--- a/internal/htmlcheck/config.go
+++ b/internal/htmlcheck/config.go
@@ -38,167 +38,178 @@ var htmlTests = map[string]string{

 // Image tests using regex to match against img[src]
 var imageRegexpTests = map[string]*regexp.Regexp{
-	"image-apng":   regexp.MustCompile(`(?i)\.apng$`),       // 78.723404
-	"image-avif":   regexp.MustCompile(`(?i)\.avif$`),       // 14.864864
-	"image-base64": regexp.MustCompile(`^(?i)data:image\/`), // 61.702126
-	"image-bmp":    regexp.MustCompile(`(?i)\.bmp$`),        // 89.3617
-	"image-gif":    regexp.MustCompile(`(?i)\.gif$`),        // 89.3617
-	"image-hdr":    regexp.MustCompile(`(?i)\.hdr$`),        // 12.5
-	"image-heif":   regexp.MustCompile(`(?i)\.heif$`),       // 0
-	"image-ico":    regexp.MustCompile(`(?i)\.ico$`),        // 87.23404
-	"image-mp4":    regexp.MustCompile(`(?i)\.mp4$`),        // 26.53061
-	"image-ppm":    regexp.MustCompile(`(?i)\.ppm$`),        // 2.0833282
-	"image-svg":    regexp.MustCompile(`(?i)\.svg$`),        // 64.91228
-	"image-tiff":   regexp.MustCompile(`(?i)\.tiff?$`),      // 38.29787
-	"image-webp":   regexp.MustCompile(`(?i)\.webp$`),       // 59.649124
+	"image-apng":   regexp.MustCompile(`(?i)\.apng$`),
+	"image-avif":   regexp.MustCompile(`(?i)\.avif$`),
+	"image-base64": regexp.MustCompile(`^(?i)data:image\/`),
+	"image-bmp":    regexp.MustCompile(`(?i)\.bmp$`),
+	"image-gif":    regexp.MustCompile(`(?i)\.gif$`),
+	"image-hdr":    regexp.MustCompile(`(?i)\.hdr$`),
+	"image-heif":   regexp.MustCompile(`(?i)\.heif$`),
+	"image-ico":    regexp.MustCompile(`(?i)\.ico$`),
+	"image-mp4":    regexp.MustCompile(`(?i)\.mp4$`),
+	"image-ppm":    regexp.MustCompile(`(?i)\.ppm$`),
+	"image-svg":    regexp.MustCompile(`(?i)\.svg$`),
+	"image-tiff":   regexp.MustCompile(`(?i)\.tiff?$`),
+	"image-webp":   regexp.MustCompile(`(?i)\.webp$`),
 }

-var cssInlineTests = map[string]string{
-	"css-accent-color":                   "[style*=\"accent-color:\"]",                                           // 6.6666718
-	"css-align-items":                    "[style*=\"align-items:\"]",                                            // 60.784313
-	"css-aspect-ratio":                   "[style*=\"aspect-ratio:\"]",                                           // 30
-	"css-background-blend-mode":          "[style*=\"background-blend-mode:\"]",                                  // 61.70213
-	"css-background-clip":                "[style*=\"background-clip:\"]",                                        // 61.70213
-	"css-background-color":               "[style*=\"background-color:\"], [bgcolor]",                            // 90
-	"css-background-image":               "[style*=\"background-image:\"]",                                       // 57.62712
-	"css-background-origin":              "[style*=\"background-origin:\"]",                                      // 61.70213
-	"css-background-position":            "[style*=\"background-position:\"]",                                    // 61.224487
-	"css-background-repeat":              "[style*=\"background-repeat:\"]",                                      // 67.34694
-	"css-background-size":                "[style*=\"background-size:\"]",                                        // 61.702126
-	"css-background":                     "[style*=\"background:\"], [background]",                               // 57.407406
-	"css-block-inline-size":              "[style*=\"block-inline-size:\"]",                                      // 46.93877
-	"css-border-image":                   "[style*=\"border-image:\"]",                                           // 52.173912
-	"css-border-inline-block-individual": "[style*=\"border-inline:\"]",                                          // 18.518517
-	"css-border-radius":                  "[style*=\"border-radius:\"]",                                          // 67.34694
-	"css-border":                         "[style*=\"border:\"], [border]",                                       // 86.95652
-	"css-box-shadow":                     "[style*=\"box-shadow:\"]",                                             // 43.103447
-	"css-box-sizing":                     "[style*=\"box-sizing:\"]",                                             // 71.739136
-	"css-caption-side":                   "[style*=\"caption-side:\"]",                                           // 84
-	"css-clip-path":                      "[style*=\"clip-path:\"]",                                              // 43.396225
-	"css-column-count":                   "[style*=\"column-count:\"]",                                           // 67.391304
-	"css-column-layout-properties":       "[style*=\"column-layout-properties:\"]",                               // 47.368423
-	"css-conic-gradient":                 "[style*=\"conic-gradient:\"]",                                         // 38.461536
-	"css-direction":                      "[style*=\"direction:\"]",                                              // 97.77778
-	"css-display-flex":                   "[style*=\"display:flex\"]",                                            // 53.448277
-	"css-display-grid":                   "[style*=\"display:grid\"]",                                            // 54.347824
-	"css-display-none":                   "[style*=\"display:none\"]",                                            // 84.78261
-	"css-display":                        "[style*=\"display:\"]",                                                // 55.555553
-	"css-filter":                         "[style*=\"filter:\"]",                                                 // 50
-	"css-flex-direction":                 "[style*=\"flex-direction:\"]",                                         // 50
-	"css-flex-wrap":                      "[style*=\"flex-wrap:\"]",                                              // 49.09091
-	"css-float":                          "[style*=\"float:\"]",                                                  // 85.10638
-	"css-font-kerning":                   "[style*=\"font-kerning:\"]",                                           // 66.666664
-	"css-font-weight":                    "[style*=\"font-weight:\"]",                                            // 76.666664
-	"css-font":                           "[style*=\"font:\"]",                                                   // 95.833336
-	"css-gap":                            "[style*=\"gap:\"]",                                                    // 40
-	"css-grid-template":                  "[style*=\"grid-template:\"]",                                          // 34.042553
-	"css-height":                         "[style*=\"height:\"], [height]",                                       // 77.08333
-	"css-hyphens":                        "[style*=\"hyphens:\"]",                                                // 31.111107
-	"css-important":                      "[style*=\"!important\"]",                                              // 43.478264
-	"css-inline-size":                    "[style*=\"inline-size:\"]",                                            // 43.478264
-	"css-intrinsic-size":                 "[style*=\"intrinsic-size:\"]",                                         // 40.54054
-	"css-justify-content":                "[style*=\"justify-content:\"]",                                        // 59.25926
-	"css-letter-spacing":                 "[style*=\"letter-spacing:\"]",                                         // 87.23404
-	"css-line-height":                    "[style*=\"line-height:\"]",                                            // 82.608696
-	"css-list-style-image":               "[style*=\"list-style-image:\"]",                                       // 54.16667
-	"css-list-style-position":            "[style*=\"list-style-position:\"]",                                    // 87.5
-	"css-list-style":                     "[style*=\"list-style:\"]",                                             // 62.500004
-	"css-margin-block-start-end":         "[style*=\"margin-block-start:\"], [style*=\"margin-block-end:\"]",     // 32.07547
-	"css-margin-inline-block":            "[style*=\"margin-inline-block:\"]",                                    // 16.981125
-	"css-margin-inline-start-end":        "[style*=\"margin-inline-start:\"], [style*=\"margin-inline-end:\"]",   // 32.07547
-	"css-margin-inline":                  "[style*=\"margin-inline:\"]",                                          // 43.39623
-	"css-margin":                         "[style*=\"margin:\"]",                                                 // 71.42857
-	"css-max-block-size":                 "[style*=\"max-block-size:\"]",                                         // 35.714287
-	"css-max-height":                     "[style*=\"max-height:\"]",                                             // 86.95652
-	"css-max-width":                      "[style*=\"max-width:\"]",                                              // 76.47058
-	"css-min-height":                     "[style*=\"min-height:\"]",                                             // 82.608696
-	"css-min-inline-size":                "[style*=\"min-inline-size:\"]",                                        // 33.33333
-	"css-min-width":                      "[style*=\"min-width:\"]",                                              // 86.95652
-	"css-mix-blend-mode":                 "[style*=\"mix-blend-mode:\"]",                                         // 62.745094
-	"css-modern-color":                   "[style*=\"modern-color:\"]",                                           // 10.81081
-	"css-object-fit":                     "[style*=\"object-fit:\"]",                                             // 57.142857
-	"css-object-position":                "[style*=\"object-position:\"]",                                        // 55.10204
-	"css-opacity":                        "[style*=\"opacity:\"]",                                                // 63.04348
-	"css-outline-offset":                 "[style*=\"outline-offset:\"]",                                         // 42.5
-	"css-outline":                        "[style*=\"outline:\"]",                                                // 80.85106
-	"css-overflow-wrap":                  "[style*=\"overflow-wrap:\"]",                                          // 6.6666603
-	"css-overflow":                       "[style*=\"overflow:\"]",                                               // 78.26087
-	"css-padding-block-start-end":        "[style*=\"padding-block-start:\"], [style*=\"padding-block-end:\"]",   // 32.07547
-	"css-padding-inline-block":           "[style*=\"padding-inline-block:\"]",                                   // 16.981125
-	"css-padding-inline-start-end":       "[style*=\"padding-inline-start:\"], [style*=\"padding-inline-end:\"]", // 32.07547
-	"css-padding":                        "[style*=\"padding:\"], [padding]",                                     // 87.755104
-	"css-position":                       "[style*=\"position:\"]",                                               // 19.56522
-	"css-radial-gradient":                "[style*=\"radial-gradient:\"]",                                        // 64.583336
-	"css-rgb":                            "[style*=\"rgb(\"]",                                                    // 53.846153
-	"css-rgba":                           "[style*=\"rgba(\"]",                                                   // 56
-	"css-scroll-snap":                    "[style*=\"roll-snap:\"]",                                              // 38.88889
-	"css-tab-size":                       "[style*=\"tab-size:\"]",                                               // 32.075474
-	"css-table-layout":                   "[style*=\"table-layout:\"]",                                           // 53.33333
-	"css-text-align-last":                "[style*=\"text-align-last:\"]",                                        // 42.307693
-	"css-text-align":                     "[style*=\"text-align:\"]",                                             // 60.416664
-	"css-text-decoration-color":          "[style*=\"text-decoration-color:\"]",                                  // 67.34695
-	"css-text-decoration-thickness":      "[style*=\"text-decoration-thickness:\"]",                              // 38.333336
-	"css-text-decoration":                "[style*=\"text-decoration:\"]",                                        // 67.391304
-	"css-text-emphasis-position":         "[style*=\"text-emphasis-position:\"]",                                 // 28.571434
-	"css-text-emphasis":                  "[style*=\"text-emphasis:\"]",                                          // 36.734695
-	"css-text-indent":                    "[style*=\"text-indent:\"]",                                            // 78.43137
-	"css-text-overflow":                  "[style*=\"text-overflow:\"]",                                          // 58.695656
-	"css-text-shadow":                    "[style*=\"text-shadow:\"]",                                            // 69.565216
-	"css-text-transform":                 "[style*=\"text-transform:\"]",                                         // 86.666664
-	"css-text-underline-offset":          "[style*=\"text-underline-offset:\"]",                                  // 39.285713
-	"css-transform":                      "[style*=\"transform:\"]",                                              // 50
-	"css-unit-calc":                      "[style*=\"calc(:\"]",                                                  // 56.25
-	"css-variables":                      "[style*=\"variables:\"]",                                              // 46.551727
-	"css-visibility":                     "[style*=\"visibility:\"]",                                             // 52.173916
-	"css-white-space":                    "[style*=\"white-space:\"]",                                            // 58.69565
-	"css-width":                          "[style*=\"width:\"], [width]",                                         // 87.5
-	"css-word-break":                     "[style*=\"word-break:\"]",                                             // 28.888887
-	"css-writing-mode":                   "[style*=\"writing-mode:\"]",                                           // 56.25
-	"css-z-index":                        "[style*=\"z-index:\"]",                                                // 76.08696
+// inline attribute <match>=""
+var styleInlineAttributes = map[string]string{
+	"css-background-color": "[bgcolor]",
+	"css-background":       "[background]",
+	"css-border":           "[border]",
+	"css-height":           "[height]",
+	"css-padding":          "[padding]",
+	"css-width":            "[width]",
+}
+
+// inline style="<match>"
+var cssInlineRegexTests = map[string]*regexp.Regexp{
+	"css-accent-color":                   regexp.MustCompile(`(?i)(^|\s|;)accent-color(\s+)?:`),
+	"css-align-items":                    regexp.MustCompile(`(?i)(^|\s|;)align-items(\s+)?:`),
+	"css-aspect-ratio":                   regexp.MustCompile(`(?i)(^|\s|;)aspect-ratio(\s+)?:`),
+	"css-background-blend-mode":          regexp.MustCompile(`(?i)(^|\s|;)background-blend-mode(\s+)?:`),
+	"css-background-clip":                regexp.MustCompile(`(?i)(^|\s|;)background-clip(\s+)?:`),
+	"css-background-color":               regexp.MustCompile(`(?i)(^|\s|;)background-color(\s+)?:`),
+	"css-background-image":               regexp.MustCompile(`(?i)(^|\s|;)background-image(\s+)?:`),
+	"css-background-origin":              regexp.MustCompile(`(?i)(^|\s|;)background-origin(\s+)?:`),
+	"css-background-position":            regexp.MustCompile(`(?i)(^|\s|;)background-position(\s+)?:`),
+	"css-background-repeat":              regexp.MustCompile(`(?i)(^|\s|;)background-repeat(\s+)?:`),
+	"css-background-size":                regexp.MustCompile(`(?i)(^|\s|;)background-size(\s+)?:`),
+	"css-background":                     regexp.MustCompile(`(?i)(^|\s|;)background(\s+)?:`),
+	"css-block-inline-size":              regexp.MustCompile(`(?i)(^|\s|;)block-inline-size(\s+)?:`),
+	"css-border-image":                   regexp.MustCompile(`(?i)(^|\s|;)border-image(\s+)?:`),
+	"css-border-inline-block-individual": regexp.MustCompile(`(?i)(^|\s|;)border-inline(\s+)?:`),
+	"css-border-radius":                  regexp.MustCompile(`(?i)(^|\s|;)border-radius(\s+)?:`),
+	"css-border":                         regexp.MustCompile(`(?i)(^|\s|;)border(\s+)?:`),
+	"css-box-shadow":                     regexp.MustCompile(`(?i)(^|\s|;)box-shadow(\s+)?:`),
+	"css-box-sizing":                     regexp.MustCompile(`(?i)(^|\s|;)box-sizing(\s+)?:`),
+	"css-caption-side":                   regexp.MustCompile(`(?i)(^|\s|;)caption-side(\s+)?:`),
+	"css-clip-path":                      regexp.MustCompile(`(?i)(^|\s|;)clip-path(\s+)?:`),
+	"css-column-count":                   regexp.MustCompile(`(?i)(^|\s|;)column-count(\s+)?:`),
+	"css-column-layout-properties":       regexp.MustCompile(`(?i)(^|\s|;)column-layout-properties(\s+)?:`),
+	"css-conic-gradient":                 regexp.MustCompile(`(?i)(^|\s|;)conic-gradient(\s+)?:`),
+	"css-direction":                      regexp.MustCompile(`(?i)(^|\s|;)direction(\s+)?:`),
+	"css-display-flex":                   regexp.MustCompile(`(?i)(^|\s|;)display(\s+)?:(\s+)?flex($|\s|;)`),
+	"css-display-grid":                   regexp.MustCompile(`(?i)(^|\s|;)display:grid`),
+	"css-display-none":                   regexp.MustCompile(`(?i)(^|\s|;)display:none`),
+	"css-display":                        regexp.MustCompile(`(?i)(^|\s|;)display(\s+)?:`),
+	"css-filter":                         regexp.MustCompile(`(?i)(^|\s|;)filter(\s+)?:`),
+	"css-flex-direction":                 regexp.MustCompile(`(?i)(^|\s|;)flex-direction(\s+)?:`),
+	"css-flex-wrap":                      regexp.MustCompile(`(?i)(^|\s|;)flex-wrap(\s+)?:`),
+	"css-float":                          regexp.MustCompile(`(?i)(^|\s|;)float(\s+)?:`),
+	"css-font-kerning":                   regexp.MustCompile(`(?i)(^|\s|;)font-kerning(\s+)?:`),
+	"css-font-weight":                    regexp.MustCompile(`(?i)(^|\s|;)font-weight(\s+)?:`),
+	"css-font":                           regexp.MustCompile(`(?i)(^|\s|;)font(\s+)?:`),
+	"css-gap":                            regexp.MustCompile(`(?i)(^|\s|;)gap(\s+)?:`),
+	"css-grid-template":                  regexp.MustCompile(`(?i)(^|\s|;)grid-template(\s+)?:`),
+	"css-height":                         regexp.MustCompile(`(?i)(^|\s|;)height(\s+)?:`),
+	"css-hyphens":                        regexp.MustCompile(`(?i)(^|\s|;)hyphens(\s+)?:`),
+	"css-important":                      regexp.MustCompile(`(?i)!important($|\s|;)`),
+	"css-inline-size":                    regexp.MustCompile(`(?i)(^|\s|;)inline-size(\s+)?:`),
+	"css-intrinsic-size":                 regexp.MustCompile(`(?i)(^|\s|;)intrinsic-size(\s+)?:`),
+	"css-justify-content":                regexp.MustCompile(`(?i)(^|\s|;)justify-content(\s+)?:`),
+	"css-letter-spacing":                 regexp.MustCompile(`(?i)(^|\s|;)letter-spacing(\s+)?:`),
+	"css-line-height":                    regexp.MustCompile(`(?i)(^|\s|;)line-height(\s+)?:`),
+	"css-list-style-image":               regexp.MustCompile(`(?i)(^|\s|;)list-style-image(\s+)?:`),
+	"css-list-style-position":            regexp.MustCompile(`(?i)(^|\s|;)list-style-position(\s+)?:`),
+	"css-list-style":                     regexp.MustCompile(`(?i)(^|\s|;)list-style(\s+)?:`),
+	"css-margin-block-start-end":         regexp.MustCompile(`(?i)(^|\s|;)margin-block-(start|end)(\s+)?:`),
+	"css-margin-inline-block":            regexp.MustCompile(`(?i)(^|\s|;)margin-inline-block(\s+)?:`),
+	"css-margin-inline-start-end":        regexp.MustCompile(`(?i)(^|\s|;)margin-inline-(start|end)(\s+)?:`),
+	"css-margin-inline":                  regexp.MustCompile(`(?i)(^|\s|;)margin-inline(\s+)?:`),
+	"css-margin":                         regexp.MustCompile(`(?i)(^|\s|;)margin(\s+)?:`),
+	"css-max-block-size":                 regexp.MustCompile(`(?i)(^|\s|;)max-block-size(\s+)?:`),
+	"css-max-height":                     regexp.MustCompile(`(?i)(^|\s|;)max-height(\s+)?:`),
+	"css-max-width":                      regexp.MustCompile(`(?i)(^|\s|;)max-width(\s+)?:`),
+	"css-min-height":                     regexp.MustCompile(`(?i)(^|\s|;)min-height(\s+)?:`),
+	"css-min-inline-size":                regexp.MustCompile(`(?i)(^|\s|;)min-inline-size(\s+)?:`),
+	"css-min-width":                      regexp.MustCompile(`(?i)(^|\s|;)min-width(\s+)?:`),
+	"css-mix-blend-mode":                 regexp.MustCompile(`(?i)(^|\s|;)mix-blend-mode(\s+)?:`),
+	"css-modern-color":                   regexp.MustCompile(`(?i)(^|\s|;)modern-color(\s+)?:`),
+	"css-object-fit":                     regexp.MustCompile(`(?i)(^|\s|;)object-fit(\s+)?:`),
+	"css-object-position":                regexp.MustCompile(`(?i)(^|\s|;)object-position(\s+)?:`),
+	"css-opacity":                        regexp.MustCompile(`(?i)(^|\s|;)opacity(\s+)?:`),
+	"css-outline-offset":                 regexp.MustCompile(`(?i)(^|\s|;)outline-offset(\s+)?:`),
+	"css-outline":                        regexp.MustCompile(`(?i)(^|\s|;)outline(\s+)?:`),
+	"css-overflow-wrap":                  regexp.MustCompile(`(?i)(^|\s|;)overflow-wrap(\s+)?:`),
+	"css-overflow":                       regexp.MustCompile(`(?i)(^|\s|;)overflow(\s+)?:`),
+	"css-padding-block-start-end":        regexp.MustCompile(`(?i)(^|\s|;)padding-block-(start|end)(\s+)?:`),
+	"css-padding-inline-block":           regexp.MustCompile(`(?i)(^|\s|;)padding-inline-block(\s+)?:`),
+	"css-padding-inline-start-end":       regexp.MustCompile(`(?i)(^|\s|;)padding-inline-(start|end)(\s+)?:`),
+	"css-padding":                        regexp.MustCompile(`(?i)(^|\s|;)padding(\s+)?:`),
+	"css-position":                       regexp.MustCompile(`(?i)(^|\s|;)position(\s+)?:`),
+	"css-radial-gradient":                regexp.MustCompile(`(?i)(^|\s|;)radial-gradient(\s+)?:`),
+	"css-rgb":                            regexp.MustCompile(`(?i)(\s|:)rgb\(`),
+	"css-rgba":                           regexp.MustCompile(`(?i)(\s|:)rgba\(`),
+	"css-scroll-snap":                    regexp.MustCompile(`(?i)(^|\s|;)roll-snap(\s+)?:`),
+	"css-tab-size":                       regexp.MustCompile(`(?i)(^|\s|;)tab-size(\s+)?:`),
+	"css-table-layout":                   regexp.MustCompile(`(?i)(^|\s|;)table-layout(\s+)?:`),
+	"css-text-align-last":                regexp.MustCompile(`(?i)(^|\s|;)text-align-last(\s+)?:`),
+	"css-text-align":                     regexp.MustCompile(`(?i)(^|\s|;)text-align(\s+)?:`),
+	"css-text-decoration-color":          regexp.MustCompile(`(?i)(^|\s|;)text-decoration-color(\s+)?:`),
+	"css-text-decoration-thickness":      regexp.MustCompile(`(?i)(^|\s|;)text-decoration-thickness(\s+)?:`),
+	"css-text-decoration":                regexp.MustCompile(`(?i)(^|\s|;)text-decoration(\s+)?:`),
+	"css-text-emphasis-position":         regexp.MustCompile(`(?i)(^|\s|;)text-emphasis-position(\s+)?:`),
+	"css-text-emphasis":                  regexp.MustCompile(`(?i)(^|\s|;)text-emphasis(\s+)?:`),
+	"css-text-indent":                    regexp.MustCompile(`(?i)(^|\s|;)text-indent(\s+)?:`),
+	"css-text-overflow":                  regexp.MustCompile(`(?i)(^|\s|;)text-overflow(\s+)?:`),
+	"css-text-shadow":                    regexp.MustCompile(`(?i)(^|\s|;)text-shadow(\s+)?:`),
+	"css-text-transform":                 regexp.MustCompile(`(?i)(^|\s|;)text-transform(\s+)?:`),
+	"css-text-underline-offset":          regexp.MustCompile(`(?i)(^|\s|;)text-underline-offset(\s+)?:`),
+	"css-transform":                      regexp.MustCompile(`(?i)(^|\s|;)transform(\s+)?:`),
+	"css-unit-calc":                      regexp.MustCompile(`(?i)(\s|:)calc\(`),
+	"css-variables":                      regexp.MustCompile(`(?i)(^|\s|;)variables(\s+)?:`),
+	"css-visibility":                     regexp.MustCompile(`(?i)(^|\s|;)visibility(\s+)?:`),
+	"css-white-space":                    regexp.MustCompile(`(?i)(^|\s|;)white-space(\s+)?:`),
+	"css-width":                          regexp.MustCompile(`(?i)(^|\s|;)width(\s+)?:`),
+	"css-word-break":                     regexp.MustCompile(`(?i)(^|\s|;)word-break(\s+)?:`),
+	"css-writing-mode":                   regexp.MustCompile(`(?i)(^|\s|;)writing-mode(\s+)?:`),
+	"css-z-index":                        regexp.MustCompile(`(?i)(^|\s|;)z-index(\s+)?:`),
 }

 // some CSS tests using regex for things that can't be merged inline
 var cssRegexpTests = map[string]*regexp.Regexp{
-	"css-at-font-face":                  regexp.MustCompile(`(?mi)@font\-face\s+?{`),        // 26.923073
-	"css-at-import":                     regexp.MustCompile(`(?mi)@import\s`),               // 36.170216
-	"css-at-keyframes":                  regexp.MustCompile(`(?mi)@keyframes\s`),            // 31.914898
-	"css-at-media":                      regexp.MustCompile(`(?mi)@media\s?\(`),             // 47.05882
-	"css-at-supports":                   regexp.MustCompile(`(?mi)@supports\s?\(`),          // 40.81633
-	"css-pseudo-class-active":           regexp.MustCompile(`:active`),                      // 52.173912
-	"css-pseudo-class-checked":          regexp.MustCompile(`:checked`),                     // 31.91489
-	"css-pseudo-class-first-child":      regexp.MustCompile(`:first\-child`),                // 66.666664
-	"css-pseudo-class-first-of-type":    regexp.MustCompile(`:first\-of\-type`),             // 62.5
-	"css-pseudo-class-focus":            regexp.MustCompile(`:focus`),                       // 47.826088
-	"css-pseudo-class-has":              regexp.MustCompile(`:has`),                         // 25.531914
-	"css-pseudo-class-hover":            regexp.MustCompile(`:hover`),                       // 60.41667
-	"css-pseudo-class-lang":             regexp.MustCompile(`:lang\s?\(`),                   // 18.918922
-	"css-pseudo-class-last-child":       regexp.MustCompile(`:last\-child`),                 // 64.58333
-	"css-pseudo-class-last-of-type":     regexp.MustCompile(`:last\-of\-type`),              // 60.416664
-	"css-pseudo-class-link":             regexp.MustCompile(`:link`),                        // 81.63265
-	"css-pseudo-class-not":              regexp.MustCompile(`:not(\s+)?\(`),                 // 44.89796
-	"css-pseudo-class-nth-child":        regexp.MustCompile(`:nth\-child(\s+)?\(`),          // 44.89796
-	"css-pseudo-class-nth-last-child":   regexp.MustCompile(`:nth\-last\-child(\s+)?\(`),    // 44.89796
-	"css-pseudo-class-nth-last-of-type": regexp.MustCompile(`:nth\-last\-of\-type(\s+)?\(`), // 42.857143
-	"css-pseudo-class-nth-of-type":      regexp.MustCompile(`:nth\-of\-type(\s+)?\(`),       // 42.857143
-	"css-pseudo-class-only-child":       regexp.MustCompile(`:only\-child(\s+)?\(`),         // 64.58333
-	"css-pseudo-class-only-of-type":     regexp.MustCompile(`:only\-of\-type(\s+)?\(`),      // 64.58333
-	"css-pseudo-class-target":           regexp.MustCompile(`:target`),                      // 39.13044
-	"css-pseudo-class-visited":          regexp.MustCompile(`:visited`),                     // 39.13044
-	"css-pseudo-element-after":          regexp.MustCompile(`:after`),                       // 40
-	"css-pseudo-element-before":         regexp.MustCompile(`:before`),                      // 40
-	"css-pseudo-element-first-letter":   regexp.MustCompile(`::first\-letter`),              // 60
-	"css-pseudo-element-first-line":     regexp.MustCompile(`::first\-line`),                // 60
-	"css-pseudo-element-marker":         regexp.MustCompile(`::marker`),                     // 50
-	"css-pseudo-element-placeholder":    regexp.MustCompile(`::placeholder`),                // 32
+	"css-at-font-face":                  regexp.MustCompile(`(?mi)@font\-face\s+?{`),
+	"css-at-import":                     regexp.MustCompile(`(?mi)@import\s`),
+	"css-at-keyframes":                  regexp.MustCompile(`(?mi)@keyframes\s`),
+	"css-at-media":                      regexp.MustCompile(`(?mi)@media\s?\(`),
+	"css-at-supports":                   regexp.MustCompile(`(?mi)@supports\s?\(`),
+	"css-pseudo-class-active":           regexp.MustCompile(`:active`),
+	"css-pseudo-class-checked":          regexp.MustCompile(`:checked`),
+	"css-pseudo-class-first-child":      regexp.MustCompile(`:first\-child`),
+	"css-pseudo-class-first-of-type":    regexp.MustCompile(`:first\-of\-type`),
+	"css-pseudo-class-focus":            regexp.MustCompile(`:focus`),
+	"css-pseudo-class-has":              regexp.MustCompile(`:has`),
+	"css-pseudo-class-hover":            regexp.MustCompile(`:hover`),
+	"css-pseudo-class-lang":             regexp.MustCompile(`:lang\s?\(`),
+	"css-pseudo-class-last-child":       regexp.MustCompile(`:last\-child`),
+	"css-pseudo-class-last-of-type":     regexp.MustCompile(`:last\-of\-type`),
+	"css-pseudo-class-link":             regexp.MustCompile(`:link`),
+	"css-pseudo-class-not":              regexp.MustCompile(`:not(\s+)?\(`),
+	"css-pseudo-class-nth-child":        regexp.MustCompile(`:nth\-child(\s+)?\(`),
+	"css-pseudo-class-nth-last-child":   regexp.MustCompile(`:nth\-last\-child(\s+)?\(`),
+	"css-pseudo-class-nth-last-of-type": regexp.MustCompile(`:nth\-last\-of\-type(\s+)?\(`),
+	"css-pseudo-class-nth-of-type":      regexp.MustCompile(`:nth\-of\-type(\s+)?\(`),
+	"css-pseudo-class-only-child":       regexp.MustCompile(`:only\-child(\s+)?\(`),
+	"css-pseudo-class-only-of-type":     regexp.MustCompile(`:only\-of\-type(\s+)?\(`),
+	"css-pseudo-class-target":           regexp.MustCompile(`:target`),
+	"css-pseudo-class-visited":          regexp.MustCompile(`:visited`),
+	"css-pseudo-element-after":          regexp.MustCompile(`:after`),
+	"css-pseudo-element-before":         regexp.MustCompile(`:before`),
+	"css-pseudo-element-first-letter":   regexp.MustCompile(`::first\-letter`),
+	"css-pseudo-element-first-line":     regexp.MustCompile(`::first\-line`),
+	"css-pseudo-element-marker":         regexp.MustCompile(`::marker`),
+	"css-pseudo-element-placeholder":    regexp.MustCompile(`::placeholder`),
 }

 // some CSS tests using regex for units
 var cssRegexpUnitTests = map[string]*regexp.Regexp{
-	"css-unit-ch":      regexp.MustCompile(`\b\d+ch\b`),     // 66.666664
-	"css-unit-initial": regexp.MustCompile(`:\s?initial\b`), // 58.33333
-	"css-unit-rem":     regexp.MustCompile(`\b\d+rem\b`),    // 66.666664
-	"css-unit-vh":      regexp.MustCompile(`\b\d+vh\b`),     // 68.75
-	"css-unit-vmax":    regexp.MustCompile(`\b\d+vmax\b`),   // 60.416664
-	"css-unit-vmin":    regexp.MustCompile(`\b\d+vmin\b`),   // 58.333336
-	"css-unit-vw":      regexp.MustCompile(`\b\d+vw\b`),     // 77.08333
+	"css-unit-ch":      regexp.MustCompile(`\b\d+ch\b`),
+	"css-unit-initial": regexp.MustCompile(`:\s?initial\b`),
+	"css-unit-rem":     regexp.MustCompile(`\b\d+rem\b`),
+	"css-unit-vh":      regexp.MustCompile(`\b\d+vh\b`),
+	"css-unit-vmax":    regexp.MustCompile(`\b\d+vmax\b`),
+	"css-unit-vmin":    regexp.MustCompile(`\b\d+vmin\b`),
+	"css-unit-vw":      regexp.MustCompile(`\b\d+vw\b`),
 }
--- a/internal/htmlcheck/css.go
+++ b/internal/htmlcheck/css.go
@@ -1,8 +1,11 @@
 package htmlcheck

 import (
+	"context"
+	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -42,17 +45,15 @@ func runCSSTests(html string) ([]Warning, int, error) {
 		return results, totalTests, err
 	}

-	for key, test := range cssInlineTests {
-		totalTests++
-		found := len(doc.Find(test).Nodes)
-		if found > 0 {
-			result, err := cie.getTest(key)
-			if err != nil {
-				return results, totalTests, err
-			}
-			result.Score.Found = found
+	inlineStyleResults := testInlineStyles(doc)
+	totalTests = totalTests + len(cssInlineRegexTests) + len(styleInlineAttributes)
+	for key, count := range inlineStyleResults {
+		result, err := cie.getTest(key)
+		if err == nil {
+			result.Score.Found = count
 			results = append(results, result)
 		}
+
 	}

 	// get a list of all generated styles from all nodes
@@ -143,19 +144,20 @@ func inlineRemoteCSS(h string) (string, error) {
 		attributes := link.Attr
 		for _, a := range attributes {
 			if a.Key == "href" {
-				if !isURL(a.Val) {
-					// skip invalid URL
-					continue
-				}
-
 				if config.BlockRemoteCSSAndFonts {
 					logger.Log().Debugf("[html-check] skip testing remote CSS content: %s (--block-remote-css-and-fonts)", a.Val)
 					return h, nil
 				}

-				resp, err := downloadToBytes(a.Val)
+				if !isValidURL(a.Val) {
+					// skip invalid URL
+					logger.Log().Warnf("[html-check] ignoring unsupported stylesheet URL: %s", a.Val)
+					continue
+				}
+
+				resp, err := downloadCSSToBytes(a.Val)
 				if err != nil {
-					logger.Log().Warnf("[html-check] failed to download %s", a.Val)
+					logger.Log().Warnf("[html-check] %s", err.Error())
 					continue
 				}

@@ -184,25 +186,41 @@ func inlineRemoteCSS(h string) (string, error) {
 	return newDoc, nil
 }

-// DownloadToBytes returns a []byte slice from a URL
-func downloadToBytes(url string) ([]byte, error) {
-	client := http.Client{
-		Timeout: 5 * time.Second,
-	}
-
-	// Get the link response data
-	resp, err := client.Get(url)
+// DownloadCSSToBytes returns a []byte slice from a URL.
+// It requires the HTTP response code to be 200 and the content-type to be text/css.
+// It will download a maximum of 5MB.
+func downloadCSSToBytes(url string) ([]byte, error) {
+	client := newSafeHTTPClient()
+	req, err := http.NewRequestWithContext(context.TODO(), http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
 	}
-	defer resp.Body.Close()
+
+	req.Header.Set("User-Agent", "Mailpit HTML Checker/"+config.Version)
+
+	// Get the link response data
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer func() { _ = resp.Body.Close() }()

 	if resp.StatusCode != 200 {
-		err := fmt.Errorf("Error downloading %s", url)
+		err := fmt.Errorf("error downloading %s", url)
 		return nil, err
 	}

-	body, err := io.ReadAll(resp.Body)
+	ct := strings.ToLower(resp.Header.Get("content-type"))
+	if !strings.Contains(ct, "text/css") {
+		err := fmt.Errorf("invalid CSS content-type from %s: \"%s\" (expected \"text/css\")", url, ct)
+		return nil, err
+	}
+
+	// set a limit on the number of bytes to read - max 5MB
+	limit := int64(5242880)
+	limitedReader := &io.LimitedReader{R: resp.Body, N: limit}
+
+	body, err := io.ReadAll(limitedReader)
 	if err != nil {
 		return nil, err
 	}
@@ -210,8 +228,83 @@ func downloadToBytes(url string) ([]byte, error) {
 	return body, nil
 }

-// Test if str is a URL
-func isURL(str string) bool {
+// Test if the string is a supported URL.
+// The URL must have the "http" or "https" scheme, and must not contain any login info (http://user:pass@<host>).
+func isValidURL(str string) bool {
 	u, err := url.Parse(str)
-	return err == nil && (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
+
+	return err == nil && (u.Scheme == "http" || u.Scheme == "https") && u.Hostname() != "" && u.User.String() == ""
+}
+
+// Test the HTML for inline CSS styles and styling attributes
+func testInlineStyles(doc *goquery.Document) map[string]int {
+	matches := make(map[string]int)
+
+	// find all elements containing a style attribute
+	styles := doc.Find("[style]").Nodes
+	for _, s := range styles {
+		style, err := tools.GetHTMLAttributeVal(s, "style")
+		if err != nil {
+			continue
+		}
+
+		for id, test := range cssInlineRegexTests {
+			if test.MatchString(style) {
+				if _, ok := matches[id]; !ok {
+					matches[id] = 0
+				}
+				matches[id]++
+			}
+		}
+	}
+
+	// find all elements containing styleInlineAttributes
+	for id, test := range styleInlineAttributes {
+		a := doc.Find(test).Nodes
+		if len(a) > 0 {
+			if _, ok := matches[id]; !ok {
+				matches[id] = 0
+			}
+			matches[id]++
+		}
+	}
+
+	return matches
+}
+
+func newSafeHTTPClient() *http.Client {
+	dialer := &net.Dialer{
+		Timeout:   5 * time.Second,
+		KeepAlive: 30 * time.Second,
+	}
+
+	tr := &http.Transport{
+		Proxy: nil, // avoid env proxy surprises unless you explicitly want it
+		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
+			return dialer.DialContext(ctx, network, address)
+		},
+		TLSHandshakeTimeout:   5 * time.Second,
+		ResponseHeaderTimeout: 10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		IdleConnTimeout:       30 * time.Second,
+		MaxIdleConns:          50,
+	}
+
+	client := &http.Client{
+		Transport: tr,
+		Timeout:   15 * time.Second,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			// re-validate every redirect hop.
+			if len(via) >= 3 {
+				return errors.New("too many redirects")
+			}
+			if !isValidURL(req.URL.String()) {
+				return errors.New("invalid redirect URL")
+			}
+
+			return nil
+		},
+	}
+
+	return client
 }
--- a/internal/htmlcheck/inline_test.go
+++ b/internal/htmlcheck/inline_test.go
@@ -0,0 +1,81 @@
+package htmlcheck
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+	"testing"
+
+	"github.com/PuerkitoBio/goquery"
+)
+
+func TestInlineStyleDetection(t *testing.T) {
+	/// tests should contain the HTML test, and expected test results in alphabetical order
+	tests := map[string]string{}
+	tests[`<h1 style="transform: rotate(20deg)">Heading</h1>`] = "css-transform"
+	tests[`<h1 style="color: green; transform:rotate(20deg)">Heading</h1>`] = "css-transform"
+	tests[`<h1 style="color:green; transform :rotate(20deg)">Heading</h1>`] = "css-transform"
+	tests[`<h1 style="transform:rotate(20deg)">Heading</h1>`] = "css-transform"
+	tests[`<h1 style="TRANSFORM:rotate(20deg)">Heading</h1>`] = "css-transform"
+	tests[`<h1 style="transform:	rotate(20deg)">Heading</h1>`] = "css-transform"
+	tests[`<h1 style="ignore-transform: something">Heading</h1>`] = "" // no match
+	tests[`<h1 style="text-transform: uppercase">Heading</h1>`] = "css-text-transform"
+	tests[`<h1 style="text-transform: uppercase; text-transform: uppercase">Heading</h1>`] = "css-text-transform"
+	tests[`<h1 style="test-transform: uppercase">Heading</h1>`] = "" // no match
+	tests[`<h1 style="padding-inline-start: 5rem">Heading</h1>`] = "css-padding-inline-start-end"
+	tests[`<h1 style="margin-inline-end: 5rem">Heading</h1>`] = "css-margin-inline-start-end"
+	tests[`<h1 style="margin-inline-middle: 5rem">Heading</h1>`] = "" // no match
+	tests[`<h1 style="color:green!important">Heading</h1>`] = "css-important"
+	tests[`<h1 style="color: green !important">Heading</h1>`] = "css-important"
+	tests[`<h1 style="color: green!important;">Heading</h1>`] = "css-important"
+	tests[`<h1 style="color:green!important-stuff;">Heading</h1>`] = "" // no match
+	tests[`<h1 style="background-image:url('img.jpg')">Heading</h1>`] = "css-background-image"
+	tests[`<h1 style="background-image:url('img.jpg'); color: green">Heading</h1>`] = "css-background-image"
+	tests[`<h1 style=" color:green; background-image:url('img.jpg');">Heading</h1>`] = "css-background-image"
+	tests[`<h1 style="display  : flex ;">Heading</h1>`] = "css-display,css-display-flex"
+	tests[`<h1 style="DISPLAY:FLEX;">Heading</h1>`] = "css-display,css-display-flex"
+	tests[`<h1 style="display: flexing;">Heading</h1>`] = "css-display" // should not match css-display-flex rule
+	tests[`<h1 style="line-height: 1rem;opacity: 0.5; width: calc(10px + 100px)">Heading</h1>`] = "css-line-height,css-opacity,css-unit-calc,css-width"
+	tests[`<h1 style="color: rgb(255,255,255);">Heading</h1>`] = "css-rgb"
+	tests[`<h1 style="color:rgb(255,255,255);">Heading</h1>`] = "css-rgb"
+	tests[`<h1 style="color:rgb(255,255,255);">Heading</h1>`] = "css-rgb"
+	tests[`<h1 style="color:rgba(255,255,255, 0);">Heading</h1>`] = "css-rgba"
+	tests[`<h1 style="border: solid rgb(255,255,255) 1px; color:rgba(255,255,255, 0);">Heading</h1>`] = "css-border,css-rgb,css-rgba"
+	tests[`<h1 border="2">Heading</h1>`] = "css-border"
+	tests[`<h1 border="2" background="green">Heading</h1>`] = "css-background,css-border"
+	tests[`<h1 BORDER="2" BACKGROUND="GREEN">Heading</h1>`] = "css-background,css-border"
+	tests[`<h1 border-something="2" background-something="green">Heading</h1>`] = "" // no match
+	tests[`<h1 border="2" style="border: solid green 1px!important">Heading</h1>`] = "css-border,css-important"
+
+	for html, expected := range tests {
+		reader := strings.NewReader(html)
+		doc, err := goquery.NewDocumentFromReader(reader)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		results := testInlineStyles(doc)
+
+		matches := []string{}
+		uniqMap := make(map[string]bool)
+		for key := range results {
+			if _, exists := uniqMap[key]; !exists {
+				matches = append(matches, key)
+			}
+		}
+
+		// ensure results are sorted to ensure consistent results
+		sort.Strings(matches)
+
+		assertEqual(t, expected, strings.Join(matches, ","), fmt.Sprintf("inline style detection \"%s\"", html))
+	}
+}
+
+func assertEqual(t *testing.T, a interface{}, b interface{}, message string) {
+	if a == b {
+		return
+	}
+	message = fmt.Sprintf("%s: \"%v\" != \"%v\"", message, a, b)
+	t.Fatal(message)
+}
--- a/internal/htmlcheck/main.go
+++ b/internal/htmlcheck/main.go
@@ -152,19 +152,20 @@ func (c CanIEmail) getTest(k string) (Warning, error) {
 				s.Platform = platform
 				s.Version = version

-				if support == "y" {
+				switch support {
+				case "y":
 					y++
 					s.Support = "yes"
-				} else if support == "n" {
+				case "n":
 					n++
 					s.Support = "no"
-				} else {
+				default:
 					p++
 					s.Support = "partial"

-					noteIDS := noteMatch.FindStringSubmatch(fmt.Sprintf("%s", support))
+					noteIDs := noteMatch.FindStringSubmatch(fmt.Sprintf("%s", support))

-					for _, id := range noteIDS {
+					for _, id := range noteIDs {
 						s.NoteNumber = id
 					}
 				}
--- a/internal/linkcheck/linkcheck_test.go
+++ b/internal/linkcheck/linkcheck_test.go
@@ -0,0 +1,86 @@
+package linkcheck
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/axllent/mailpit/internal/storage"
+)
+
+var (
+	testHTML = `
+	<html>
+	<head>
+		<link rel=stylesheet href="http://remote-host/style.css"></link>
+		<script async src="https://www.googletagmanager.com/gtag/js?id=ignored"></script>
+	</head>
+	<body>
+		<div>
+			<p><a href="http://example.com">HTTP link</a></p>
+			<p><a href="https://example.com">HTTPS link</a></p>
+			<p><a href="HTTPS://EXAMPLE.COM">HTTPS link</a></p>
+			<p><a href="http://localhost">Localhost link</a> (ignored)</p>
+			<p><a href="https://localhost">Localhost link</a> (ignored)</p>
+			<p><a href='https://127.0.0.1'>Single quotes link</a> (ignored)</p>
+			<p><img src=https://example.com/image.jpg></p>
+			<p href="http://invalid-link.com">This should be ignored</p>
+			<p><a href="http://link with spaces">Link with spaces</a></p>
+			<p><a href="http://example.com/?blaah=yes&amp;test=true">URL-encoded characters</a></p>
+		</div>
+	</body>
+	</html>`
+
+	expectedHTMLLinks = []string{
+		"http://example.com",
+		"https://example.com",
+		"HTTPS://EXAMPLE.COM",
+		"http://localhost",
+		"https://localhost",
+		"https://127.0.0.1",
+		"http://link with spaces",
+		"http://example.com/?blaah=yes&test=true",
+		"http://remote-host/style.css",  // css
+		"https://example.com/image.jpg", // images
+	}
+
+	testTextLinks = `This is a line with http://example.com https://example.com
+		HTTPS://EXAMPLE.COM
+		[http://localhost]
+		www.google.com < ignored
+		|||http://example.com/?some=query-string|||
+		// RFC2396 appendix E states angle brackets are recommended for text/plain emails to
+		// recognize potential spaces in between the URL
+		<https://example.com/ link with spaces>
+	`
+
+	expectedTextLinks = []string{
+		"http://example.com",
+		"https://example.com",
+		"HTTPS://EXAMPLE.COM",
+		"http://localhost",
+		"http://example.com/?some=query-string",
+		"https://example.com/ link with spaces",
+	}
+)
+
+func TestLinkDetection(t *testing.T) {
+
+	t.Log("Testing HTML link detection")
+
+	m := storage.Message{}
+
+	m.Text = testTextLinks
+	m.HTML = testHTML
+
+	textLinks := extractTextLinks(&m)
+
+	if !reflect.DeepEqual(textLinks, expectedTextLinks) {
+		t.Fatalf("Failed to detect text links correctly")
+	}
+
+	htmlLinks := extractHTMLLinks(&m)
+
+	if !reflect.DeepEqual(htmlLinks, expectedHTMLLinks) {
+		t.Fatalf("Failed to detect HTML links correctly")
+	}
+}
--- a/internal/linkcheck/main.go
+++ b/internal/linkcheck/main.go
@@ -10,7 +10,7 @@ import (
 	"github.com/axllent/mailpit/internal/tools"
 )

-var linkRe = regexp.MustCompile(`(?m)\b(http|ftp|https):\/\/([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:'!\/~+#-]*[\w@?^=%&\/~+#-])`)
+var linkRe = regexp.MustCompile(`(?im)\b(http|https):\/\/([\-\w@:%_\+'!.~#?,&\/\/=;]+)`)

 // RunTests will run all tests on an HTML string
 func RunTests(msg *storage.Message, followRedirects bool) (Response, error) {
@@ -30,9 +30,28 @@ func RunTests(msg *storage.Message, followRedirects bool) (Response, error) {
 }

 func extractTextLinks(msg *storage.Message) []string {
+	testLinkRe := regexp.MustCompile(`(?im)([^<]\b)((http|https):\/\/([\-\w@:%_\+'!.~#?,&\/\/=;]+))`)
+	// RFC2396 appendix E states angle brackets are recommended for text/plain emails to
+	// recognize potential spaces in between the URL
+	// @see https://www.rfc-editor.org/rfc/rfc2396#appendix-E
+	bracketLinkRe := regexp.MustCompile(`(?im)<((http|https):\/\/([\-\w@:%_\+'!.~#?,&\/\/=;][^>]+))>`)
+
 	links := []string{}

-	links = append(links, linkRe.FindAllString(msg.Text, -1)...)
+	matches := testLinkRe.FindAllStringSubmatch(msg.Text, -1)
+	for _, match := range matches {
+		if len(match) > 0 {
+			links = append(links, match[2])
+		}
+	}
+
+	angleMatches := bracketLinkRe.FindAllStringSubmatch(msg.Text, -1)
+	for _, match := range angleMatches {
+		if len(match) > 0 {
+			link := strings.ReplaceAll(match[1], "\n", "")
+			links = append(links, link)
+		}
+	}

 	return links
 }
--- a/internal/linkcheck/status.go
+++ b/internal/linkcheck/status.go
@@ -1,14 +1,20 @@
 package linkcheck

 import (
+	"context"
 	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
 	"net/http"
 	"regexp"
+	"strings"
 	"sync"
 	"time"

 	"github.com/axllent/mailpit/config"
 	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/tools"
 )

 func getHTTPStatuses(links []string, followRedirects bool) []Link {
@@ -34,6 +40,10 @@ func getHTTPStatuses(links []string, followRedirects bool) []Link {
 			if err != nil {
 				l.StatusCode = 0
 				l.Status = httpErrorSummary(err)
+				if strings.Contains(l.Status, "private/reserved address") {
+					l.Status = "Blocked private/reserved address"
+					l.StatusCode = 451
+				}
 			} else {
 				l.StatusCode = code
 				l.Status = http.StatusText(code)
@@ -57,23 +67,37 @@ func getHTTPStatuses(links []string, followRedirects bool) []Link {

 // Do a HEAD request to return HTTP status code
 func doHead(link string, followRedirects bool) (int, error) {
+	if !tools.IsValidLinkURL(link) {
+		return 0, fmt.Errorf("invalid URL: %s", link)
+	}

-	timeout := time.Duration(10 * time.Second)
+	dialer := &net.Dialer{
+		Timeout:   10 * time.Second,
+		KeepAlive: 30 * time.Second,
+	}

-	tr := &http.Transport{}
+	tr := &http.Transport{
+		DialContext: safeDialContext(dialer),
+	}

 	if config.AllowUntrustedTLS {
 		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec
 	}

 	client := http.Client{
-		Timeout:   timeout,
+		Timeout:   10 * time.Second,
 		Transport: tr,
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
-			if followRedirects {
-				return nil
+			if len(via) >= 3 {
+				return errors.New("too many redirects")
 			}
-			return http.ErrUseLastResponse
+			if !followRedirects {
+				return http.ErrUseLastResponse
+			}
+			if !tools.IsValidLinkURL(req.URL.String()) {
+				return fmt.Errorf("blocked redirect to invalid URL: %s", req.URL)
+			}
+			return nil
 		},
 	}

@@ -92,7 +116,6 @@ func doHead(link string, followRedirects bool) (int, error) {
 		}

 		return 0, err
-
 	}

 	return res.StatusCode, nil
@@ -107,8 +130,33 @@ func httpErrorSummary(err error) string {
 	if !re.MatchString(e) {
 		return e
 	}
-
 	parts := re.FindAllStringSubmatch(e, -1)

 	return parts[0][len(parts[0])-1]
 }
+
+// SafeDialContext is a custom dialer that checks if the resolved IP addresses are internal before allowing the connection.
+func safeDialContext(dialer *net.Dialer) func(ctx context.Context, network, address string) (net.Conn, error) {
+	return func(ctx context.Context, network, address string) (net.Conn, error) {
+		host, port, err := net.SplitHostPort(address)
+		if err != nil {
+			return nil, err
+		}
+
+		ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
+		if err != nil {
+			return nil, err
+		}
+
+		if !config.AllowInternalHTTPRequests {
+			for _, ip := range ips {
+				if tools.IsInternalIP(ip.IP) {
+					logger.Log().Warnf("[link-check] Blocked HEAD request to private/reserved address: %s (%s)", host, ip)
+					return nil, fmt.Errorf("blocked request to %s (%s): private/reserved address", host, ip)
+				}
+			}
+		}
+
+		return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
+	}
+}
--- a/internal/logger/logger.go
+++ b/internal/logger/logger.go
@@ -66,17 +66,6 @@ func PrettyPrint(i interface{}) {
 	fmt.Println(string(s))
 }

-// CleanIP returns a human-readable IP for the logging interface
-// when starting services. It translates [::]:<port> to "0.0.0.0:<port>"
-func CleanIP(s string) string {
-	re := regexp.MustCompile(`^\[\:\:\]\:\d+`)
-	if re.MatchString(s) {
-		return "0.0.0.0:" + s[5:]
-	}
-
-	return s
-}
-
 // CleanHTTPIP returns a human-readable IP for the logging interface
 // when starting services. It translates [::]:<port> to "localhost:<port>"
 func CleanHTTPIP(s string) string {
--- a/internal/pop3/functions.go
+++ b/internal/pop3/functions.go
@@ -9,6 +9,7 @@ import (
 	"github.com/axllent/mailpit/internal/auth"
 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/storage"
+	"github.com/axllent/mailpit/server/websockets"
 )

 func authUser(username, password string) bool {
@@ -17,18 +18,24 @@ func authUser(username, password string) bool {

 // Send a response with debug logging
 func sendResponse(c net.Conn, m string) {
-	fmt.Fprintf(c, "%s\r\n", m)
+	_, _ = fmt.Fprintf(c, "%s\r\n", m)
 	logger.Log().Debugf("[pop3] response: %s", m)
+
+	if strings.HasPrefix(m, "-ERR ") {
+		sub, _ := strings.CutPrefix(m, "-ERR ")
+		websockets.BroadCastClientError("error", "pop3", c.RemoteAddr().String(), sub)
+	}
 }

 // Send a response without debug logging (for data)
 func sendData(c net.Conn, m string) {
-	fmt.Fprintf(c, "%s\r\n", m)
+	_, _ = fmt.Fprintf(c, "%s\r\n", m)
 }

+// Get the latest 100 messages
 func getMessages() ([]message, error) {
 	messages := []message{}
-	list, err := storage.List(0, 100)
+	list, err := storage.List(0, 0, 100)
 	if err != nil {
 		return messages, err
 	}
@@ -72,5 +79,6 @@ func getSafeArg(args []string, nr int) (string, error) {
 	if nr < len(args) {
 		return args[nr], nil
 	}
-	return "", errors.New("Out of range")
+
+	return "", errors.New("-ERR out of range")
 }
--- a/internal/pop3/pop3_test.go
+++ b/internal/pop3/pop3_test.go
@@ -0,0 +1,406 @@
+package pop3
+
+import (
+	"bytes"
+	"fmt"
+	"math/rand/v2"
+	"net"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/auth"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/pop3client"
+	"github.com/axllent/mailpit/internal/storage"
+	"github.com/jhillyerd/enmime/v2"
+)
+
+var (
+	testingPort int
+)
+
+func TestPOP3(t *testing.T) {
+	t.Log("Testing POP3 server")
+	setup()
+	defer storage.Close()
+
+	// connect with bad password
+	t.Log("Testing invalid login")
+	if _, err := connectBadAuth(); err == nil {
+		t.Error("invalid login gained access")
+		return
+	}
+
+	t.Log("Testing valid login")
+	c, err := connectAuth()
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	count, size, err := c.Stat()
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	assertEqual(t, count, 0, "incorrect message count")
+	assertEqual(t, size, 0, "incorrect size")
+
+	// quit else we get old data
+	if err := c.Quit(); err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	t.Log("Inserting 50 messages")
+
+	insertEmailData(t) // insert 50 messages
+
+	c, err = connectAuth()
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	count, _, err = c.Stat()
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	assertEqual(t, count, 50, "incorrect message count")
+
+	t.Log("Fetching 20 messages")
+
+	for i := 1; i <= 20; i++ {
+		_, err := c.Retr(i)
+		if err != nil {
+			t.Error(err.Error())
+			return
+		}
+	}
+
+	t.Log("Checking UIDL with multiple arguments")
+
+	_, err = c.Cmd("UIDL", false, 1, 2, 3)
+	if err == nil {
+		t.Error("UIDL with multiple arguments should return an error")
+		return
+	}
+
+	t.Log("Checking UIDL without a message id")
+
+	messageIDs, err := c.Uidl(0)
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	if len(messageIDs) != 50 {
+		assertEqual(t, len(messageIDs), 50, "incorrect UIDL message count")
+	}
+
+	t.Log("Checking UIDL with a message ID")
+
+	messageIDs, err = c.Uidl(50)
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	assertEqual(t, len(messageIDs), 1, "incorrect UIDL message count")
+
+	t.Log("Checking UIDL with an invalid message ID")
+
+	if _, err := c.Uidl(51); err == nil {
+		t.Errorf("UIDL 51 should return an error")
+		return
+	}
+
+	t.Log("Deleting 25 messages")
+
+	for i := 1; i <= 25; i++ {
+		if err := c.Dele(i); err != nil {
+			t.Error(err.Error())
+			return
+		}
+	}
+
+	// messages get deleted after a QUIT
+	if err := c.Quit(); err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	// allow for background delete when using rqlite driver
+	time.Sleep(time.Millisecond * 200)
+
+	c, err = connectAuth()
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	t.Log("Fetching message count")
+
+	count, _, err = c.Stat()
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	assertEqual(t, count, 25, "incorrect message count")
+
+	// messages get deleted after a QUIT
+	if err := c.Quit(); err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	c, err = connectAuth()
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	t.Log("Deleting 25 messages")
+
+	for i := 1; i <= 25; i++ {
+		if err := c.Dele(i); err != nil {
+			t.Error(err.Error())
+			return
+		}
+	}
+
+	t.Log("Undeleting messages")
+
+	if err := c.Rset(); err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	if err := c.Quit(); err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	c, err = connectAuth()
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	count, _, err = c.Stat()
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	assertEqual(t, count, 25, "incorrect message count")
+
+	if err := c.Quit(); err != nil {
+		t.Error(err.Error())
+		return
+	}
+}
+
+func TestAuthentication(t *testing.T) {
+	// commands only allowed after authentication
+	authCommands := make(map[string]bool)
+	authCommands["STAT"] = false
+	authCommands["LIST"] = true
+	authCommands["NOOP"] = false
+	authCommands["RSET"] = false
+	authCommands["RETR 1"] = true
+
+	t.Log("Testing authenticated commands while not logged in")
+	setup()
+	defer storage.Close()
+
+	insertEmailData(t) // insert 50 messages
+
+	// non-authenticated connection
+	c, err := connect()
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	for cmd, multi := range authCommands {
+		if _, err := c.Cmd(cmd, multi); err == nil {
+			t.Errorf("%s should require authentication", cmd)
+			return
+		}
+
+		if _, err := c.Cmd(strings.ToLower(cmd), multi); err == nil {
+			t.Errorf("%s should require authentication", cmd)
+			return
+		}
+	}
+
+	if err := c.Quit(); err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	t.Log("Testing authenticated commands while logged in")
+
+	// authenticated connection
+	c, err = connectAuth()
+	if err != nil {
+		t.Error(err.Error())
+		return
+	}
+
+	for cmd, multi := range authCommands {
+		if _, err := c.Cmd(cmd, multi); err != nil {
+			t.Errorf("%s should work when authenticated", cmd)
+			return
+		}
+
+		if _, err := c.Cmd(strings.ToLower(cmd), multi); err != nil {
+			t.Errorf("%s should work when authenticated", cmd)
+			return
+		}
+	}
+
+	if err := c.Quit(); err != nil {
+		t.Error(err.Error())
+		return
+	}
+}
+
+func setup() {
+	if err := auth.SetPOP3Auth("username:password"); err != nil {
+		panic(err)
+	}
+	logger.NoLogging = true
+	config.MaxMessages = 0
+	config.Database = os.Getenv("MP_DATABASE")
+	var foundPort bool
+	for !foundPort {
+		testingPort = randRange(1111, 2000)
+		if portFree(testingPort) {
+			foundPort = true
+		}
+	}
+
+	config.POP3Listen = fmt.Sprintf("localhost:%d", testingPort)
+
+	if err := storage.InitDB(); err != nil {
+		panic(err)
+	}
+
+	if err := storage.DeleteAllMessages(); err != nil {
+		panic(err)
+	}
+
+	go Run()
+
+	time.Sleep(time.Second)
+}
+
+// connect and authenticate
+func connectAuth() (*pop3client.Conn, error) {
+	c, err := connect()
+	if err != nil {
+		return c, err
+	}
+
+	err = c.Auth("username", "password")
+
+	return c, err
+}
+
+// connect and authenticate
+func connectBadAuth() (*pop3client.Conn, error) {
+	c, err := connect()
+	if err != nil {
+		return c, err
+	}
+
+	err = c.Auth("username", "notPassword")
+
+	return c, err
+}
+
+// connect but do not authenticate
+func connect() (*pop3client.Conn, error) {
+	p := pop3client.New(pop3client.Opt{
+		Host:       "localhost",
+		Port:       testingPort,
+		TLSEnabled: false,
+	})
+
+	c, err := p.NewConn()
+	if err != nil {
+		return c, err
+	}
+
+	return c, err
+}
+
+func portFree(port int) bool {
+	ln, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", port))
+	if err != nil {
+		return false
+	}
+
+	if err := ln.Close(); err != nil {
+		panic(err)
+	}
+
+	return true
+}
+
+func randRange(min, max int) int {
+	return rand.IntN(max-min) + min
+}
+
+func insertEmailData(t *testing.T) {
+	for i := 0; i < 50; i++ {
+		msg := enmime.Builder().
+			From(fmt.Sprintf("From %d", i), fmt.Sprintf("from-%d@example.com", i)).
+			Subject(fmt.Sprintf("Subject line %d end", i)).
+			Text([]byte(fmt.Sprintf("This is the email body %d <jdsauk;dwqmdqw;>.", i))).
+			To(fmt.Sprintf("To %d", i), fmt.Sprintf("to-%d@example.com", i))
+
+		env, err := msg.Build()
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		buf := new(bytes.Buffer)
+
+		if err := env.Encode(buf); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		bufBytes := buf.Bytes()
+
+		id, err := storage.Store(&bufBytes, nil)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		if _, err := storage.SetMessageTags(id, []string{fmt.Sprintf("Test tag %03d", i)}); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+	}
+}
+
+func assertEqual(t *testing.T, a interface{}, b interface{}, message string) {
+	if a == b {
+		return
+	}
+	message = fmt.Sprintf("%s: \"%v\" != \"%v\"", message, a, b)
+	t.Fatal(message)
+}
--- a/internal/pop3/server.go
+++ b/internal/pop3/server.go
@@ -0,0 +1,350 @@
+// Package pop3 is a simple POP3 server for Mailpit.
+// By default it is disabled unless password credentials have been loaded.
+//
+// References: https://github.com/r0stig/golang-pop3 | https://github.com/inbucket/inbucket
+// See RFC: https://datatracker.ietf.org/doc/html/rfc1939
+package pop3
+
+import (
+	"bufio"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/auth"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/storage"
+	"github.com/axllent/mailpit/server/websockets"
+)
+
+const (
+	// AUTHORIZATION is the initial state
+	AUTHORIZATION = 1
+	// TRANSACTION is the state after login
+	TRANSACTION = 2
+	// UPDATE is the state before closing
+	UPDATE = 3
+)
+
+// Run will start the POP3 server if enabled
+func Run() {
+	if auth.POP3Credentials == nil || config.POP3Listen == "" {
+		// POP3 server is disabled without authentication
+		return
+	}
+
+	var listener net.Listener
+	var err error
+
+	if config.POP3TLSCert != "" {
+		cer, err2 := tls.LoadX509KeyPair(config.POP3TLSCert, config.POP3TLSKey)
+		if err2 != nil {
+			logger.Log().Errorf("[pop3] %s", err2.Error())
+			return
+		}
+
+		tlsConfig := &tls.Config{
+			Certificates: []tls.Certificate{cer},
+			MinVersion:   tls.VersionTLS12,
+		}
+
+		listener, err = tls.Listen("tcp", config.POP3Listen, tlsConfig)
+	} else {
+		// unencrypted
+		listener, err = net.Listen("tcp", config.POP3Listen)
+	}
+
+	if err != nil {
+		logger.Log().Errorf("[pop3] %s", err.Error())
+		return
+	}
+
+	logger.Log().Infof("[pop3] starting on %s", config.POP3Listen)
+
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			logger.Log().Errorf("[pop3] accept error: %s", err.Error())
+			continue
+		}
+
+		// run as goroutine
+		go handleClient(conn)
+	}
+}
+
+type message struct {
+	ID   string
+	Size uint64
+}
+
+func handleClient(conn net.Conn) {
+	var (
+		user     = ""
+		state    = AUTHORIZATION // Start with AUTHORIZATION state
+		toDelete []string        // Track messages marked for deletion
+		messages []message
+	)
+
+	defer func() {
+		if state == UPDATE {
+			if len(toDelete) > 0 {
+				if err := storage.DeleteMessages(toDelete); err != nil {
+					logger.Log().Errorf("[pop3] error deleting: %s", err.Error())
+				}
+				// Update web UI to remove deleted messages
+				websockets.Broadcast("prune", nil)
+			}
+		}
+
+		if err := conn.Close(); err != nil {
+			logger.Log().Errorf("[pop3] %s", err.Error())
+		}
+	}()
+
+	reader := bufio.NewReader(conn)
+
+	logger.Log().Debugf("[pop3] connection opened by %s", conn.RemoteAddr().String())
+
+	// First welcome the new connection
+	serverName := "Mailpit"
+	if config.Label != "" {
+		serverName = fmt.Sprintf("Mailpit (%s)", config.Label)
+	}
+	sendResponse(conn, fmt.Sprintf("+OK %s POP3 server", serverName))
+
+	// Set 10 minutes timeout according to RFC1939
+	timeoutDuration := 600 * time.Second
+
+	for {
+		// Set read deadline
+		if err := conn.SetReadDeadline(time.Now().Add(timeoutDuration)); err != nil {
+			logger.Log().Errorf("[pop3] %s", err.Error())
+			return
+		}
+
+		// Reads a line from the client
+		rawLine, err := reader.ReadString('\n')
+		if err != nil {
+			if err == io.EOF {
+				logger.Log().Debugf("[pop3] client disconnected: %s", conn.RemoteAddr().String())
+			} else {
+				logger.Log().Errorf("[pop3] read error: %s", err.Error())
+			}
+			return
+		}
+
+		// Parses the command
+		cmd, args := getCommand(rawLine)
+		cmd = strings.ToUpper(cmd) // Commands in the POP3 are case-insensitive
+
+		logger.Log().Debugf("[pop3] received: %s (%s)", strings.TrimSpace(rawLine), conn.RemoteAddr().String())
+
+		switch cmd {
+		case "CAPA":
+			// List our capabilities per RFC2449
+			sendResponse(conn, "+OK capability list follows")
+			sendResponse(conn, "TOP")
+			sendResponse(conn, "USER")
+			sendResponse(conn, "UIDL")
+			sendResponse(conn, "IMPLEMENTATION Mailpit")
+			sendResponse(conn, ".")
+		case "USER":
+			if state == AUTHORIZATION {
+				if len(args) != 1 {
+					sendResponse(conn, "-ERR must supply a user")
+					return
+				}
+				sendResponse(conn, "+OK")
+				user = args[0]
+			} else {
+				sendResponse(conn, "-ERR user already specified")
+			}
+		case "PASS":
+			if state == AUTHORIZATION {
+				if user == "" {
+					sendResponse(conn, "-ERR must supply a user")
+					return
+				}
+				if len(args) != 1 {
+					sendResponse(conn, "-ERR must supply a password")
+					return
+				}
+
+				pass := args[0]
+				if authUser(user, pass) {
+					sendResponse(conn, "+OK signed in")
+					var err error
+					messages, err = getMessages()
+					if err != nil {
+						logger.Log().Errorf("[pop3] %s", err.Error())
+					}
+					state = TRANSACTION
+				} else {
+					sendResponse(conn, "-ERR invalid password")
+					logger.Log().Warnf("[pop3] failed login: %s", user)
+				}
+			} else {
+				sendResponse(conn, "-ERR user not specified")
+			}
+		case "STAT", "LIST", "UIDL", "RETR", "TOP", "NOOP", "DELE", "RSET":
+			if state == TRANSACTION {
+				handleTransactionCommand(conn, cmd, args, messages, &toDelete)
+			} else {
+				sendResponse(conn, "-ERR user not authenticated")
+			}
+		case "QUIT":
+			sendResponse(conn, "+OK goodbye")
+			state = UPDATE
+			return
+		default:
+			sendResponse(conn, "-ERR unknown command")
+		}
+	}
+}
+
+func handleTransactionCommand(conn net.Conn, cmd string, args []string, messages []message, toDelete *[]string) {
+	switch cmd {
+	case "STAT":
+		totalSize := uint64(0)
+		for _, m := range messages {
+			totalSize += m.Size
+		}
+		sendResponse(conn, fmt.Sprintf("+OK %d %d", len(messages), totalSize))
+	case "LIST":
+		totalSize := uint64(0)
+		for _, m := range messages {
+			totalSize += m.Size
+		}
+
+		if len(args) > 0 {
+			arg, _ := getSafeArg(args, 0)
+			nr, err := strconv.Atoi(arg)
+			if err != nil || nr < 1 || nr > len(messages) {
+				sendResponse(conn, "-ERR no such message")
+				return
+			}
+			sendResponse(conn, fmt.Sprintf("+OK %d %d", nr, messages[nr-1].Size))
+		} else {
+			sendResponse(conn, fmt.Sprintf("+OK %d messages (%d octets)", len(messages), totalSize))
+
+			for row, m := range messages {
+				sendResponse(conn, fmt.Sprintf("%d %d", row+1, m.Size))
+			}
+			sendResponse(conn, ".")
+		}
+	case "UIDL":
+		if len(args) > 1 {
+			sendResponse(conn, "-ERR UIDL takes at most one argument")
+		} else if len(args) == 1 {
+			nr, err := strconv.Atoi(args[0])
+			if err != nil {
+				sendResponse(conn, "-ERR no such message")
+				return
+			}
+
+			if nr < 1 || nr > len(messages) {
+				sendResponse(conn, "-ERR no such message")
+				return
+			}
+
+			m := messages[nr-1]
+
+			sendResponse(conn, fmt.Sprintf("+OK %d %s", nr, m.ID))
+		} else {
+			sendResponse(conn, "+OK unique-id listing follows")
+			for row, m := range messages {
+				sendResponse(conn, fmt.Sprintf("%d %s", row+1, m.ID))
+			}
+			sendResponse(conn, ".")
+		}
+
+	case "RETR":
+		if len(args) != 1 {
+			sendResponse(conn, "-ERR no such message")
+			return
+		}
+
+		nr, err := strconv.Atoi(args[0])
+		if err != nil || nr < 1 || nr > len(messages) {
+			sendResponse(conn, "-ERR no such message")
+			return
+		}
+
+		m := messages[nr-1]
+		raw, err := storage.GetMessageRaw(m.ID)
+		if err != nil {
+			sendResponse(conn, "-ERR no such message")
+			return
+		}
+		size := len(raw)
+		sendResponse(conn, fmt.Sprintf("+OK %d octets", size))
+
+		// When all lines of the response have been sent, a
+		// final line is sent, consisting of a termination octet (decimal code
+		// 046, ".") and a CRLF pair. If any line of the multi-line response
+		// begins with the termination octet, the line is "byte-stuffed" by
+		// pre-pending the termination octet to that line of the response.
+		// @see: https://www.ietf.org/rfc/rfc1939.txt
+		sendData(conn, strings.ReplaceAll(string(raw), "\n.", "\n.."))
+		sendResponse(conn, ".")
+	case "TOP":
+		arg, err := getSafeArg(args, 0)
+		if err != nil {
+			sendResponse(conn, "-ERR TOP requires two arguments")
+			return
+		}
+		nr, err := strconv.Atoi(arg)
+		if err != nil || nr < 1 || nr > len(messages) {
+			sendResponse(conn, "-ERR no such message")
+			return
+		}
+
+		arg2, err := getSafeArg(args, 1)
+		if err != nil {
+			sendResponse(conn, "-ERR TOP requires two arguments")
+			return
+		}
+
+		lines, err := strconv.Atoi(arg2)
+		if err != nil {
+			sendResponse(conn, "-ERR TOP requires two arguments")
+			return
+		}
+
+		m := messages[nr-1]
+		headers, body, err := getTop(m.ID, lines)
+		if err != nil {
+			sendResponse(conn, err.Error())
+			return
+		}
+
+		sendResponse(conn, "+OK top of message follows")
+		sendData(conn, headers+"\r\n")
+		sendData(conn, body)
+		sendResponse(conn, ".")
+	case "NOOP":
+		sendResponse(conn, "+OK")
+	case "DELE":
+		arg, _ := getSafeArg(args, 0)
+		nr, err := strconv.Atoi(arg)
+		if err != nil || nr < 1 || nr > len(messages) {
+			sendResponse(conn, "-ERR no such message")
+			return
+		}
+
+		m := messages[nr-1]
+		*toDelete = append(*toDelete, m.ID)
+		sendResponse(conn, "+OK message marked for deletion")
+	case "RSET":
+		*toDelete = []string{}
+		sendResponse(conn, "+OK")
+	default:
+		sendResponse(conn, "-ERR unknown command")
+	}
+}
--- a/internal/pop3client/client.go
+++ b/internal/pop3client/client.go
@@ -0,0 +1,453 @@
+// Package pop3client is borrowed directly from https://github.com/knadh/go-pop3 to reduce dependencies.
+// This is used solely for testing the POP3 server
+package pop3client
+
+import (
+	"bufio"
+	"bytes"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"net/mail"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// Client implements a Client e-mail client.
+type Client struct {
+	opt    Opt
+	dialer Dialer
+}
+
+// Conn is a stateful connection with the POP3 server/
+type Conn struct {
+	conn net.Conn
+	r    *bufio.Reader
+	w    *bufio.Writer
+}
+
+// Opt represents the client configuration.
+type Opt struct {
+	// Host name
+	Host string `json:"host"`
+	// Port number
+	Port int `json:"port"`
+	// DialTimeout default is 3 seconds.
+	DialTimeout time.Duration `json:"dial_timeout"`
+	// Dialer
+	Dialer Dialer `json:"-"`
+	// TLSEnabled sets whether SLS is enabled
+	TLSEnabled bool `json:"tls_enabled"`
+	// TLSSkipVerify skips TLS verification (ie: self-signed)
+	TLSSkipVerify bool `json:"tls_skip_verify"`
+}
+
+// Dialer interface
+type Dialer interface {
+	Dial(network, address string) (net.Conn, error)
+}
+
+// MessageID contains the ID and size of an individual message.
+type MessageID struct {
+	// ID is the numerical index (non-unique) of the message.
+	ID int
+	// Size in bytes
+	Size int
+	// UID is only present if the response is to the UIDL command.
+	UID string
+}
+
+var (
+	lineBreak   = []byte("\r\n")
+	respOK      = []byte("+OK")   // `+OK` without additional info
+	respOKInfo  = []byte("+OK ")  // `+OK <info>`
+	respErr     = []byte("-ERR")  // `-ERR` without additional info
+	respErrInfo = []byte("-ERR ") // `-ERR <info>`
+)
+
+// New returns a new client object using an existing connection.
+func New(opt Opt) *Client {
+	if opt.DialTimeout < time.Millisecond {
+		opt.DialTimeout = time.Second * 3
+	}
+
+	c := &Client{
+		opt:    opt,
+		dialer: opt.Dialer,
+	}
+
+	if c.dialer == nil {
+		c.dialer = &net.Dialer{Timeout: opt.DialTimeout}
+	}
+
+	return c
+}
+
+// NewConn creates and returns live POP3 server connection.
+func (c *Client) NewConn() (*Conn, error) {
+	var (
+		addr = fmt.Sprintf("%s:%d", c.opt.Host, c.opt.Port)
+	)
+
+	conn, err := c.dialer.Dial("tcp", addr)
+	if err != nil {
+		return nil, err
+	}
+
+	// No TLS.
+	if c.opt.TLSEnabled {
+		// Skip TLS host verification.
+		tlsCfg := tls.Config{} // #nosec
+		if c.opt.TLSSkipVerify {
+			tlsCfg.InsecureSkipVerify = c.opt.TLSSkipVerify // #nosec
+		} else {
+			tlsCfg.ServerName = c.opt.Host
+		}
+
+		conn = tls.Client(conn, &tlsCfg)
+	}
+
+	pCon := &Conn{
+		conn: conn,
+		r:    bufio.NewReader(conn),
+		w:    bufio.NewWriter(conn),
+	}
+
+	// Verify the connection by reading the welcome +OK greeting.
+	if _, err := pCon.ReadOne(); err != nil {
+		return nil, err
+	}
+
+	return pCon, nil
+}
+
+// Send sends a POP3 command to the server. The given comand is suffixed with "\r\n".
+func (c *Conn) Send(b string) error {
+	if _, err := c.w.WriteString(b + "\r\n"); err != nil {
+		return err
+	}
+
+	return c.w.Flush()
+}
+
+// Cmd sends a command to the server. POP3 responses are either single line or multi-line.
+// The first line always with -ERR in case of an error or +OK in case of a successful operation.
+// OK+ is always followed by a response on the same line which is either the actual response data
+// in case of single line responses, or a help message followed by multiple lines of actual response
+// data in case of multiline responses.
+// See https://www.shellhacks.com/retrieve-email-pop3-server-command-line/ for examples.
+func (c *Conn) Cmd(cmd string, isMulti bool, args ...interface{}) (*bytes.Buffer, error) {
+	var cmdLine string
+
+	// Repeat a %v to format each arg.
+	if len(args) > 0 {
+		format := " " + strings.TrimRight(strings.Repeat("%v ", len(args)), " ")
+
+		// CMD arg1 argn ...\r\n
+		cmdLine = fmt.Sprintf(cmd+format, args...)
+	} else {
+		cmdLine = cmd
+	}
+
+	if err := c.Send(cmdLine); err != nil {
+		return nil, err
+	}
+
+	// Read the first line of response to get the +OK/-ERR status.
+	b, err := c.ReadOne()
+	if err != nil {
+		return nil, err
+	}
+
+	// Single line response.
+	if !isMulti {
+		return bytes.NewBuffer(b), err
+	}
+
+	buf, err := c.ReadAll()
+	return buf, err
+}
+
+// ReadOne reads a single line response from the conn.
+func (c *Conn) ReadOne() ([]byte, error) {
+	b, _, err := c.r.ReadLine()
+	if err != nil {
+		return nil, err
+	}
+
+	r, err := parseResp(b)
+	return r, err
+}
+
+// ReadAll reads all lines from the connection until the POP3 multiline terminator "." is encountered
+// and returns a bytes.Buffer of all the read lines.
+func (c *Conn) ReadAll() (*bytes.Buffer, error) {
+	buf := &bytes.Buffer{}
+
+	for {
+		b, _, err := c.r.ReadLine()
+		if err != nil {
+			return nil, err
+		}
+
+		// "." indicates the end of a multi-line response.
+		if bytes.Equal(b, []byte(".")) {
+			break
+		}
+
+		if _, err := buf.Write(b); err != nil {
+			return nil, err
+		}
+		if _, err := buf.Write(lineBreak); err != nil {
+			return nil, err
+		}
+	}
+
+	return buf, nil
+}
+
+// Auth authenticates the given credentials with the server.
+func (c *Conn) Auth(user, password string) error {
+	if err := c.User(user); err != nil {
+		return err
+	}
+
+	if err := c.Pass(password); err != nil {
+		return err
+	}
+
+	// Issue a NOOP to force the server to respond to the auth.
+	// Courtesy: github.com/TheCreeper/go-pop3
+	return c.Noop()
+}
+
+// User sends the username to the server.
+func (c *Conn) User(s string) error {
+	_, err := c.Cmd("USER", false, s)
+
+	return err
+}
+
+// Pass sends the password to the server.
+func (c *Conn) Pass(s string) error {
+	_, err := c.Cmd("PASS", false, s)
+
+	return err
+}
+
+// Stat returns the number of messages and their total size in bytes in the inbox.
+func (c *Conn) Stat() (int, int, error) {
+	b, err := c.Cmd("STAT", false)
+	if err != nil {
+		return 0, 0, err
+	}
+
+	// count size
+	f := bytes.Fields(b.Bytes())
+
+	// Total number of messages.
+	count, err := strconv.Atoi(string(f[0]))
+	if err != nil {
+		return 0, 0, err
+	}
+	if count == 0 {
+		return 0, 0, nil
+	}
+
+	// Total size of all messages in bytes.
+	size, err := strconv.Atoi(string(f[1]))
+	if err != nil {
+		return 0, 0, err
+	}
+
+	return count, size, nil
+}
+
+// List returns a list of (message ID, message Size) pairs.
+// If the optional msgID > 0, then only that particular message is listed.
+// The message IDs are sequential, 1 to N.
+func (c *Conn) List(msgID int) ([]MessageID, error) {
+	var (
+		buf *bytes.Buffer
+		err error
+	)
+
+	if msgID <= 0 {
+		// Multiline response listing all messages.
+		buf, err = c.Cmd("LIST", true)
+	} else {
+		// Single line response listing one message.
+		buf, err = c.Cmd("LIST", false, msgID)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	var (
+		out   []MessageID
+		lines = bytes.Split(buf.Bytes(), lineBreak)
+	)
+
+	for _, l := range lines {
+		// id size
+		f := bytes.Fields(l)
+		if len(f) == 0 {
+			break
+		}
+
+		id, err := strconv.Atoi(string(f[0]))
+		if err != nil {
+			return nil, err
+		}
+
+		size, err := strconv.Atoi(string(f[1]))
+		if err != nil {
+			return nil, err
+		}
+
+		out = append(out, MessageID{ID: id, Size: size})
+	}
+
+	return out, nil
+}
+
+// Uidl returns a list of (message ID, message UID) pairs. If the optional msgID
+// is > 0, then only that particular message is listed. It works like Top() but only works on
+// servers that support the UIDL command. Messages size field is not available in the UIDL response.
+func (c *Conn) Uidl(msgID int) ([]MessageID, error) {
+	var (
+		buf *bytes.Buffer
+		err error
+	)
+
+	if msgID <= 0 {
+		// Multiline response listing all messages.
+		buf, err = c.Cmd("UIDL", true)
+	} else {
+		// Single line response listing one message.
+		buf, err = c.Cmd("UIDL", false, msgID)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	var (
+		out   []MessageID
+		lines = bytes.Split(buf.Bytes(), lineBreak)
+	)
+
+	for _, l := range lines {
+		// id size
+		f := bytes.Fields(l)
+		if len(f) == 0 {
+			break
+		}
+
+		id, err := strconv.Atoi(string(f[0]))
+		if err != nil {
+			return nil, err
+		}
+
+		out = append(out, MessageID{ID: id, UID: string(f[1])})
+	}
+
+	return out, nil
+}
+
+// Retr downloads a message by the given msgID, parses it and returns it as a *mail.Message.
+func (c *Conn) Retr(msgID int) (*mail.Message, error) {
+	b, err := c.Cmd("RETR", true, msgID)
+	if err != nil {
+		return nil, err
+	}
+
+	m, err := mail.ReadMessage(b)
+	if err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
+
+// RetrRaw downloads a message by the given msgID and returns the raw []byte
+// of the entire message.
+func (c *Conn) RetrRaw(msgID int) (*bytes.Buffer, error) {
+	b, err := c.Cmd("RETR", true, msgID)
+	return b, err
+}
+
+// Top retrieves a message by its ID with full headers and numLines lines of the body.
+func (c *Conn) Top(msgID int, numLines int) (*mail.Message, error) {
+	b, err := c.Cmd("TOP", true, msgID, numLines)
+	if err != nil {
+		return nil, err
+	}
+
+	m, err := mail.ReadMessage(b)
+	if err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
+
+// Dele deletes one or more messages. The server only executes the
+// deletions after a successful Quit().
+func (c *Conn) Dele(msgID ...int) error {
+	for _, id := range msgID {
+		_, err := c.Cmd("DELE", false, id)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Rset clears the messages marked for deletion in the current session.
+func (c *Conn) Rset() error {
+	_, err := c.Cmd("RSET", false)
+	return err
+}
+
+// Noop issues a do-nothing NOOP command to the server. This is useful for
+// prolonging open connections.
+func (c *Conn) Noop() error {
+	_, err := c.Cmd("NOOP", false)
+	return err
+}
+
+// Quit sends the QUIT command to server and gracefully closes the connection.
+// Message deletions (DELE command) are only executed by the server on a graceful
+// quit and close.
+func (c *Conn) Quit() error {
+	defer func() { _ = c.conn.Close() }()
+
+	if _, err := c.Cmd("QUIT", false); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// parseResp checks if the response is an error that starts with `-ERR`
+// and returns an error with the message that succeeds the error indicator.
+// For success `+OK` messages, it returns the remaining response bytes.
+func parseResp(b []byte) ([]byte, error) {
+	if len(b) == 0 {
+		return nil, nil
+	}
+
+	if bytes.Equal(b, respOK) {
+		return nil, nil
+	} else if bytes.HasPrefix(b, respOKInfo) {
+		return bytes.TrimPrefix(b, respOKInfo), nil
+	} else if bytes.Equal(b, respErr) {
+		return nil, errors.New("unknown error (no info specified in response)")
+	} else if bytes.HasPrefix(b, respErrInfo) {
+		return nil, errors.New(string(bytes.TrimPrefix(b, respErrInfo)))
+	}
+
+	return nil, fmt.Errorf("unknown response: %s. Neither -ERR, nor +OK", string(b))
+}
--- a/internal/prometheus/metrics.go
+++ b/internal/prometheus/metrics.go
@@ -0,0 +1,191 @@
+// Package prometheus provides Prometheus metrics for Mailpit
+package prometheus
+
+import (
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/stats"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+)
+
+var (
+	// Registry is the Prometheus registry for Mailpit metrics
+	Registry = prometheus.NewRegistry()
+
+	// Metrics
+	totalMessages    prometheus.Gauge
+	unreadMessages   prometheus.Gauge
+	databaseSize     prometheus.Gauge
+	messagesDeleted  prometheus.Counter
+	smtpAccepted     prometheus.Counter
+	smtpRejected     prometheus.Counter
+	smtpIgnored      prometheus.Counter
+	smtpAcceptedSize prometheus.Counter
+	uptime           prometheus.Gauge
+	memoryUsage      prometheus.Gauge
+	tagCounters      *prometheus.GaugeVec
+)
+
+// InitMetrics initializes all Prometheus metrics
+func initMetrics() {
+	// Create metrics
+	totalMessages = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "mailpit_messages",
+		Help: "Total number of messages in the database",
+	})
+
+	unreadMessages = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "mailpit_messages_unread",
+		Help: "Number of unread messages in the database",
+	})
+
+	databaseSize = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "mailpit_database_size_bytes",
+		Help: "Size of the database in bytes",
+	})
+
+	messagesDeleted = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "mailpit_messages_deleted_total",
+		Help: "Total number of messages deleted",
+	})
+
+	smtpAccepted = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "mailpit_smtp_accepted_total",
+		Help: "Total number of SMTP messages accepted",
+	})
+
+	smtpRejected = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "mailpit_smtp_rejected_total",
+		Help: "Total number of SMTP messages rejected",
+	})
+
+	smtpIgnored = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "mailpit_smtp_ignored_total",
+		Help: "Total number of SMTP messages ignored (duplicates)",
+	})
+
+	smtpAcceptedSize = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "mailpit_smtp_accepted_size_bytes_total",
+		Help: "Total size of accepted SMTP messages in bytes",
+	})
+
+	uptime = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "mailpit_uptime_seconds",
+		Help: "Uptime of Mailpit in seconds",
+	})
+
+	memoryUsage = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "mailpit_memory_usage_bytes",
+		Help: "Memory usage in bytes",
+	})
+
+	tagCounters = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name: "mailpit_tag_messages",
+			Help: "Number of messages per tag",
+		},
+		[]string{"tag"},
+	)
+
+	// Register metrics
+	Registry.MustRegister(totalMessages)
+	Registry.MustRegister(unreadMessages)
+	Registry.MustRegister(databaseSize)
+	Registry.MustRegister(messagesDeleted)
+	Registry.MustRegister(smtpAccepted)
+	Registry.MustRegister(smtpRejected)
+	Registry.MustRegister(smtpIgnored)
+	Registry.MustRegister(smtpAcceptedSize)
+	Registry.MustRegister(uptime)
+	Registry.MustRegister(memoryUsage)
+	Registry.MustRegister(tagCounters)
+}
+
+// UpdateMetrics updates all metrics with current values
+func updateMetrics() {
+	info := stats.Load(false)
+
+	totalMessages.Set(float64(info.Messages))
+	unreadMessages.Set(float64(info.Unread))
+	databaseSize.Set(float64(info.DatabaseSize))
+	messagesDeleted.Add(float64(info.RuntimeStats.MessagesDeleted))
+	smtpAccepted.Add(float64(info.RuntimeStats.SMTPAccepted))
+	smtpRejected.Add(float64(info.RuntimeStats.SMTPRejected))
+	smtpIgnored.Add(float64(info.RuntimeStats.SMTPIgnored))
+	smtpAcceptedSize.Add(float64(info.RuntimeStats.SMTPAcceptedSize))
+	uptime.Set(float64(info.RuntimeStats.Uptime))
+	memoryUsage.Set(float64(info.RuntimeStats.Memory))
+
+	// Reset tag counters
+	tagCounters.Reset()
+
+	// Update tag counters
+	for tag, count := range info.Tags {
+		tagCounters.WithLabelValues(tag).Set(float64(count))
+	}
+}
+
+// GetHandler returns the Prometheus handler & disables double compression in middleware
+func GetHandler() http.Handler {
+	return promhttp.HandlerFor(Registry, promhttp.HandlerOpts{
+		DisableCompression: true,
+	})
+}
+
+// StartUpdater starts the periodic metrics update routine
+func StartUpdater() {
+	initMetrics()
+	updateMetrics()
+
+	// Start periodic updates
+	go func() {
+		ticker := time.NewTicker(15 * time.Second)
+		defer ticker.Stop()
+
+		for range ticker.C {
+			updateMetrics()
+		}
+	}()
+}
+
+// StartSeparateServer starts a separate HTTP server for Prometheus metrics
+func StartSeparateServer() {
+	StartUpdater()
+
+	logger.Log().Infof("[prometheus] metrics server listening on %s", config.PrometheusListen)
+
+	// Create a dedicated mux for the metrics server
+	mux := http.NewServeMux()
+	mux.Handle("/metrics", promhttp.HandlerFor(Registry, promhttp.HandlerOpts{}))
+
+	// Create a dedicated server instance
+	server := &http.Server{
+		Addr:              config.PrometheusListen,
+		Handler:           mux,
+		ReadHeaderTimeout: 5 * time.Second,
+	}
+
+	// Start HTTP server
+	if err := server.ListenAndServe(); err != nil {
+		logger.Log().Errorf("[prometheus] metrics server error: %s", err.Error())
+	}
+}
+
+// GetMode returns the Prometheus run mode
+func GetMode() string {
+	mode := strings.ToLower(strings.TrimSpace(config.PrometheusListen))
+
+	switch mode {
+	case "false", "":
+		return "disabled"
+	case "true":
+		return "integrated"
+	default:
+		return "separate"
+	}
+}
--- a/internal/smtpd/chaos/chaos.go
+++ b/internal/smtpd/chaos/chaos.go
@@ -0,0 +1,123 @@
+// Package chaos is used to simulate Chaos engineering (random failures) in the SMTPD server.
+// See https://en.wikipedia.org/wiki/Chaos_engineering
+// See https://mailpit.axllent.org/docs/integration/chaos/
+package chaos
+
+import (
+	"crypto/rand"
+	"fmt"
+	"math/big"
+	"strings"
+
+	"github.com/axllent/mailpit/internal/logger"
+)
+
+var (
+	// Enabled is a flag to enable or disable support for chaos
+	Enabled = false
+
+	// Config is the global Chaos configuration
+	Config = Triggers{
+		Sender:         Trigger{ErrorCode: 451, Probability: 0},
+		Recipient:      Trigger{ErrorCode: 451, Probability: 0},
+		Authentication: Trigger{ErrorCode: 535, Probability: 0},
+	}
+)
+
+// Triggers for the Chaos configuration
+//
+// swagger:model ChaosTriggers
+type Triggers struct {
+	// Sender trigger to fail on From, Sender
+	Sender Trigger
+	// Recipient trigger to fail on To, Cc, Bcc
+	Recipient Trigger
+	// Authentication trigger to fail while authenticating (auth must be configured)
+	Authentication Trigger
+}
+
+// Trigger for Chaos
+//
+// swagger:model ChaosTrigger
+type Trigger struct {
+	// SMTP error code to return. The value must range from 400 to 599.
+	// required: true
+	// example: 451
+	ErrorCode int
+
+	// Probability (chance) of triggering the error. The value must range from 0 to 100.
+	// required: true
+	// example: 5
+	Probability int
+}
+
+// SetFromStruct will set a whole map of chaos configurations (ie: API)
+func SetFromStruct(c Triggers) error {
+	if c.Sender.ErrorCode == 0 {
+		c.Sender.ErrorCode = 451 // default
+	}
+
+	if c.Recipient.ErrorCode == 0 {
+		c.Recipient.ErrorCode = 451 // default
+	}
+
+	if c.Authentication.ErrorCode == 0 {
+		c.Authentication.ErrorCode = 535 // default
+	}
+
+	if err := Set("Sender", c.Sender.ErrorCode, c.Sender.Probability); err != nil {
+		return err
+	}
+	if err := Set("Recipient", c.Recipient.ErrorCode, c.Recipient.Probability); err != nil {
+		return err
+	}
+	if err := Set("Authentication", c.Authentication.ErrorCode, c.Authentication.Probability); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Set will set the chaos configuration for the given key (CLI & setMap())
+func Set(key string, errorCode int, probability int) error {
+	Enabled = true
+	if errorCode < 400 || errorCode > 599 {
+		return fmt.Errorf("error code must be between 400 and 599")
+	}
+
+	if probability > 100 || probability < 0 {
+		return fmt.Errorf("probability must be between 0 and 100")
+	}
+
+	key = strings.ToLower(key)
+
+	switch key {
+	case "sender":
+		Config.Sender = Trigger{ErrorCode: errorCode, Probability: probability}
+		logger.Log().Infof("[chaos] Sender to return %d error with %d%% probability", errorCode, probability)
+	case "recipient", "recipients":
+		Config.Recipient = Trigger{ErrorCode: errorCode, Probability: probability}
+		logger.Log().Infof("[chaos] Recipient to return %d error with %d%% probability", errorCode, probability)
+	case "auth", "authentication":
+		Config.Authentication = Trigger{ErrorCode: errorCode, Probability: probability}
+		logger.Log().Infof("[chaos] Authentication to return %d error with %d%% probability", errorCode, probability)
+	default:
+		return fmt.Errorf("unknown key %s", key)
+	}
+
+	return nil
+}
+
+// Trigger will return whether the Chaos rule is triggered based on the configuration
+// and a randomly-generated percentage value.
+func (c Trigger) Trigger() (bool, int) {
+	if !Enabled || c.Probability == 0 {
+		return false, 0
+	}
+
+	nBig, _ := rand.Int(rand.Reader, big.NewInt(100))
+
+	// rand.IntN(100) will return 0-99, whereas probability is 1-100,
+	// so value must be less than (not <=) to the probability to trigger
+	return int(nBig.Int64()) < c.Probability, c.ErrorCode
+}
--- a/internal/smtpd/forward.go
+++ b/internal/smtpd/forward.go
@@ -0,0 +1,155 @@
+package smtpd
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/smtp"
+	"os"
+	"strings"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/tools"
+	"github.com/pkg/errors"
+)
+
+// Wrapper to forward messages if configured
+func autoForwardMessage(from string, data *[]byte) error {
+	if config.SMTPForwardConfig.Host == "" {
+		return nil
+	}
+
+	if err := forward(from, *data); err != nil {
+		return errors.WithMessage(err, "[forward] error: %s")
+	}
+
+	logger.Log().Debugf(
+		"[forward] message from %s to %s via %s:%d",
+		from, config.SMTPForwardConfig.To, config.SMTPForwardConfig.Host, config.SMTPForwardConfig.Port,
+	)
+
+	return nil
+}
+
+func createForwardingSMTPClient(config config.SMTPForwardConfigStruct, addr string) (*smtp.Client, error) {
+	if config.TLS {
+		tlsConf := &tls.Config{ServerName: config.Host} // #nosec
+		tlsConf.InsecureSkipVerify = config.AllowInsecure
+
+		conn, err := tls.Dial("tcp", addr, tlsConf)
+		if err != nil {
+			return nil, fmt.Errorf("TLS dial error: %v", err)
+		}
+
+		client, err := smtp.NewClient(conn, tlsConf.ServerName)
+		if err != nil {
+			_ = conn.Close()
+			return nil, fmt.Errorf("SMTP client error: %v", err)
+		}
+
+		// Note: The caller is responsible for closing the client
+		return client, nil
+	}
+
+	client, err := smtp.Dial(addr)
+	if err != nil {
+		return nil, fmt.Errorf("error connecting to %s: %v", addr, err)
+	}
+
+	// Set the hostname for HELO/EHLO
+	if hostname, err := os.Hostname(); err == nil {
+		if err := client.Hello(hostname); err != nil {
+			return nil, fmt.Errorf("error saying HELO/EHLO to %s: %v", addr, err)
+		}
+	}
+
+	if config.STARTTLS {
+		tlsConf := &tls.Config{ServerName: config.Host} // #nosec
+		tlsConf.InsecureSkipVerify = config.AllowInsecure
+
+		if err = client.StartTLS(tlsConf); err != nil {
+			_ = client.Close()
+			return nil, fmt.Errorf("error creating StartTLS config: %v", err)
+		}
+	}
+
+	// Note: The caller is responsible for closing the client
+	return client, nil
+}
+
+// Forward will connect to a pre-configured SMTP server and send a message to one or more recipients.
+func forward(from string, msg []byte) error {
+	addr := fmt.Sprintf("%s:%d", config.SMTPForwardConfig.Host, config.SMTPForwardConfig.Port)
+
+	c, err := createForwardingSMTPClient(config.SMTPForwardConfig, addr)
+	if err != nil {
+		return err
+	}
+	defer func() { _ = c.Close() }()
+
+	auth := forwardAuthFromConfig()
+
+	if auth != nil {
+		if err = c.Auth(auth); err != nil {
+			return fmt.Errorf("error response to AUTH command: %s", err.Error())
+		}
+	}
+
+	if config.SMTPForwardConfig.OverrideFrom != "" {
+		msg, err = tools.OverrideFromHeader(msg, config.SMTPForwardConfig.OverrideFrom)
+		if err != nil {
+			return fmt.Errorf("error overriding From header: %s", err.Error())
+		}
+
+		from = config.SMTPForwardConfig.OverrideFrom
+	}
+
+	if err = c.Mail(from); err != nil {
+		return fmt.Errorf("error response to MAIL command: %s", err.Error())
+	}
+
+	to := strings.Split(config.SMTPForwardConfig.To, ",")
+
+	for _, addr := range to {
+		if err = c.Rcpt(addr); err != nil {
+			logger.Log().Warnf("error response to RCPT command for %s: %s", addr, err.Error())
+			if config.SMTPForwardConfig.ForwardSMTPErrors {
+				return errors.WithMessagef(err, "error response to RCPT command for %s", addr)
+			}
+		}
+	}
+
+	w, err := c.Data()
+	if err != nil {
+		return fmt.Errorf("error response to DATA command: %s", err.Error())
+	}
+
+	if _, err := w.Write(msg); err != nil {
+		return fmt.Errorf("error sending message: %s", err.Error())
+	}
+
+	if err := w.Close(); err != nil {
+		return fmt.Errorf("error closing connection: %s", err.Error())
+	}
+
+	return c.Quit()
+}
+
+// Return the SMTP forwarding authentication based on config
+func forwardAuthFromConfig() smtp.Auth {
+	var a smtp.Auth
+
+	if config.SMTPForwardConfig.Auth == "plain" {
+		a = smtp.PlainAuth("", config.SMTPForwardConfig.Username, config.SMTPForwardConfig.Password, config.SMTPForwardConfig.Host)
+	}
+
+	if config.SMTPForwardConfig.Auth == "login" {
+		a = LoginAuth(config.SMTPForwardConfig.Username, config.SMTPForwardConfig.Password)
+	}
+
+	if config.SMTPForwardConfig.Auth == "cram-md5" {
+		a = smtp.CRAMMD5Auth(config.SMTPForwardConfig.Username, config.SMTPForwardConfig.Secret)
+	}
+
+	return a
+}
--- a/internal/smtpd/main.go
+++ b/internal/smtpd/main.go
@@ -14,23 +14,28 @@ import (
 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/stats"
 	"github.com/axllent/mailpit/internal/storage"
+	"github.com/axllent/mailpit/internal/tools"
+	"github.com/axllent/mailpit/server/websockets"
 	"github.com/lithammer/shortuuid/v4"
-	"github.com/mhale/smtpd"
+	"github.com/pkg/errors"
 )

 var (
 	// DisableReverseDNS allows rDNS to be disabled
 	DisableReverseDNS bool
+
+	warningResponse = regexp.MustCompile(`^4\d\d `)
+	errorResponse   = regexp.MustCompile(`^5\d\d `)
 )

 // MailHandler handles the incoming message to store in the database
-func mailHandler(origin net.Addr, from string, to []string, data []byte) (string, error) {
-	return Store(origin, from, to, data)
+func mailHandler(origin net.Addr, from string, to []string, data []byte, smtpUser *string) (string, error) {
+	return SaveToDatabase(origin, from, to, data, smtpUser)
 }

-// Store will attempt to save a message to the database
-func Store(origin net.Addr, from string, to []string, data []byte) (string, error) {
-	if !config.SMTPStrictRFCHeaders {
+// SaveToDatabase will attempt to save a message to the database
+func SaveToDatabase(origin net.Addr, from string, to []string, data []byte, smtpUser *string) (string, error) {
+	if !config.SMTPStrictRFCHeaders && bytes.Contains(data, []byte("\r\r\n")) {
 		// replace all <CR><CR><LF> (\r\r\n) with <CR><LF> (\r\n)
 		// @see https://github.com/axllent/mailpit/issues/87 & https://github.com/axllent/mailpit/issues/153
 		data = bytes.ReplaceAll(data, []byte("\r\r\n"), []byte("\r\n"))
@@ -38,7 +43,7 @@ func Store(origin net.Addr, from string, to []string, data []byte) (string, erro

 	msg, err := mail.ReadMessage(bytes.NewReader(data))
 	if err != nil {
-		logger.Log().Errorf("[smtpd] error parsing message: %s", err.Error())
+		logger.Log().Warnf("[smtpd] error parsing message: %s", err.Error())
 		stats.LogSMTPRejected()
 		return "", err
 	}
@@ -46,32 +51,20 @@ func Store(origin net.Addr, from string, to []string, data []byte) (string, erro
 	// check / set the Return-Path based on SMTP from
 	returnPath := strings.Trim(msg.Header.Get("Return-Path"), "<>")
 	if returnPath != from {
-		if returnPath != "" {
-			// replace Return-Path
-			re := regexp.MustCompile(`(?i)(^|\n)(Return\-Path: .*\n)`)
-			replaced := false
-			data = re.ReplaceAllFunc(data, func(r []byte) []byte {
-				if replaced {
-					return r
-				}
-				replaced = true // only replace first occurrence
-
-				return re.ReplaceAll(r, []byte("${1}Return-Path: <"+from+">\r\n"))
-			})
-		} else {
-			// add Return-Path
-			data = append([]byte("Return-Path: <"+from+">\r\n"), data...)
+		data, err = tools.SetMessageHeader(data, "Return-Path", "<"+from+">")
+		if err != nil {
+			return "", err
 		}
 	}

-	messageID := strings.Trim(msg.Header.Get("Message-Id"), "<>")
+	messageID := strings.Trim(msg.Header.Get("Message-ID"), "<>")

 	// add a message ID if not set
 	if messageID == "" {
 		// generate unique ID
 		messageID = shortuuid.New() + "@mailpit"
 		// add unique ID
-		data = append([]byte("Message-Id: <"+messageID+">\r\n"), data...)
+		data = append([]byte("Message-ID: <"+messageID+">\r\n"), data...)
 	} else if config.IgnoreDuplicateIDs {
 		if storage.MessageIDExists(messageID) {
 			logger.Log().Debugf("[smtpd] duplicate message found, ignoring %s", messageID)
@@ -81,7 +74,36 @@ func Store(origin net.Addr, from string, to []string, data []byte) (string, erro
 	}

 	// if enabled, this may conditionally relay the email through to the preconfigured smtp server
-	autoRelayMessage(from, to, &data)
+	if relayErr := autoRelayMessage(from, to, &data); relayErr != nil {
+		logger.Log().Error(relayErr.Error())
+
+		if config.SMTPRelayConfig.ForwardSMTPErrors {
+			for {
+				unwrappedErr := errors.Unwrap(relayErr)
+				if unwrappedErr == nil {
+					break
+				}
+				relayErr = unwrappedErr
+			}
+			return "", relayErr
+		}
+	}
+
+	// if enabled, this will forward a copy to preconfigured addresses
+	if forwardErr := autoForwardMessage(from, &data); forwardErr != nil {
+		logger.Log().Error(forwardErr.Error())
+
+		if config.SMTPForwardConfig.ForwardSMTPErrors {
+			for {
+				unwrappedErr := errors.Unwrap(forwardErr)
+				if unwrappedErr == nil {
+					break
+				}
+				forwardErr = unwrappedErr
+			}
+			return "", forwardErr
+		}
+	}

 	// build array of all addresses in the header to compare to the []to array
 	emails, hasBccHeader := scanAddressesInHeader(msg.Header)
@@ -101,29 +123,21 @@ func Store(origin net.Addr, from string, to []string, data []byte) (string, erro

 	// add missing email addresses to Bcc (eg: Laravel doesn't include these in the headers)
 	if len(missingAddresses) > 0 {
+		bccVal := strings.Join(missingAddresses, ", ")
 		if hasBccHeader {
-			// email already has Bcc header, add to existing addresses
-			re := regexp.MustCompile(`(?i)(^|\n)(Bcc: )`)
-			replaced := false
-			data = re.ReplaceAllFunc(data, func(r []byte) []byte {
-				if replaced {
-					return r
-				}
-				replaced = true // only replace first occurrence
+			b := msg.Header.Get("Bcc")
+			bccVal = ", " + b
+		}

-				return re.ReplaceAll(r, []byte("${1}Bcc: "+strings.Join(missingAddresses, ", ")+", "))
-			})
-
-		} else {
-			// prepend new Bcc header
-			bcc := []byte(fmt.Sprintf("Bcc: %s\r\n", strings.Join(missingAddresses, ", ")))
-			data = append(bcc, data...)
+		data, err = tools.SetMessageHeader(data, "Bcc", bccVal)
+		if err != nil {
+			return "", err
 		}

 		logger.Log().Debugf("[smtpd] added missing addresses to Bcc header: %s", strings.Join(missingAddresses, ", "))
 	}

-	id, err := storage.Store(&data)
+	id, err := storage.Store(&data, smtpUser)
 	if err != nil {
 		logger.Log().Errorf("[db] error storing message: %s", err.Error())
 		return "", err
@@ -189,50 +203,76 @@ func Listen() error {
 		}
 	}

-	smtpType := "no encryption"
-
-	if config.SMTPTLSCert != "" {
-		if config.SMTPRequireSTARTTLS {
-			smtpType = "STARTTLS required"
-		} else if config.SMTPRequireTLS {
-			smtpType = "SSL/TLS required"
-		} else {
-			smtpType = "STARTTLS optional"
-			if !config.SMTPAuthAllowInsecure && auth.SMTPCredentials != nil {
-				smtpType = "STARTTLS required"
-			}
-		}
-
-	}
-
-	logger.Log().Infof("[smtpd] starting on %s (%s)", config.SMTPListen, smtpType)
-
 	return listenAndServe(config.SMTPListen, mailHandler, authHandler)
 }

-func listenAndServe(addr string, handler smtpd.MsgIDHandler, authHandler smtpd.AuthHandler) error {
-	srv := &smtpd.Server{
-		Addr:              addr,
-		MsgIDHandler:      handler,
-		HandlerRcpt:       handlerRcpt,
-		Appname:           "Mailpit",
-		Hostname:          "",
-		AuthHandler:       nil,
-		AuthRequired:      false,
-		MaxRecipients:     config.SMTPMaxRecipients,
-		DisableReverseDNS: DisableReverseDNS,
+// Translate the smtpd verb from READ/WRITE
+func verbLogTranslator(verb string) string {
+	if verb == "READ" {
+		return "received"
+	}
+
+	return "response"
+}
+
+func listenAndServe(addr string, handler MsgIDHandler, authHandler AuthHandler) error {
+
+	socketAddr, perm, isSocket := tools.UnixSocket(addr)
+
+	Debug = true // to enable Mailpit logging
+	srv := &Server{
+		Addr:                     addr,
+		MsgIDHandler:             handler,
+		HandlerRcpt:              handlerRcpt,
+		AppName:                  "Mailpit",
+		Hostname:                 "",
+		AuthHandler:              nil,
+		AuthRequired:             false,
+		MaxRecipients:            config.SMTPMaxRecipients,
+		IgnoreRejectedRecipients: config.SMTPIgnoreRejectedRecipients,
+		DisableReverseDNS:        DisableReverseDNS,
+		LogRead: func(remoteIP, verb, line string) {
+			logger.Log().Debugf("[smtpd] %s (%s) %s", verbLogTranslator(verb), remoteIP, line)
+		},
+		LogWrite: func(remoteIP, verb, line string) {
+			if warningResponse.MatchString(line) {
+				logger.Log().Warnf("[smtpd] %s (%s) %s", verbLogTranslator(verb), remoteIP, line)
+				websockets.BroadCastClientError("warning", "smtpd", remoteIP, line)
+			} else if errorResponse.MatchString(line) {
+				logger.Log().Errorf("[smtpd] %s (%s) %s", verbLogTranslator(verb), remoteIP, line)
+				websockets.BroadCastClientError("error", "smtpd", remoteIP, line)
+			} else {
+				logger.Log().Debugf("[smtpd] %s (%s) %s", verbLogTranslator(verb), remoteIP, line)
+			}
+		},
+	}
+
+	if config.Label != "" {
+		srv.AppName = fmt.Sprintf("Mailpit (%s)", config.Label)
 	}

 	if config.SMTPAuthAllowInsecure {
-		srv.AuthMechs = map[string]bool{"CRAM-MD5": false, "PLAIN": true, "LOGIN": true}
+		srv.AuthMechs = map[string]bool{
+			"CRAM-MD5": false,
+			"PLAIN":    true,
+			"LOGIN":    true,
+		}
 	}

 	if auth.SMTPCredentials != nil {
-		srv.AuthMechs = map[string]bool{"CRAM-MD5": false, "PLAIN": true, "LOGIN": true}
+		srv.AuthMechs = map[string]bool{
+			"CRAM-MD5": false,
+			"PLAIN":    true,
+			"LOGIN":    true,
+		}
 		srv.AuthHandler = authHandler
 		srv.AuthRequired = true
 	} else if config.SMTPAuthAcceptAny {
-		srv.AuthMechs = map[string]bool{"CRAM-MD5": false, "PLAIN": true, "LOGIN": true}
+		srv.AuthMechs = map[string]bool{
+			"CRAM-MD5": false,
+			"PLAIN":    true,
+			"LOGIN":    true,
+		}
 		srv.AuthHandler = authHandlerAny
 	}

@@ -244,6 +284,39 @@ func listenAndServe(addr string, handler smtpd.MsgIDHandler, authHandler smtpd.A
 		}
 	}

+	if isSocket {
+		srv.Addr = socketAddr
+		srv.Protocol = "unix"
+		srv.SocketPerm = perm
+
+		if err := tools.PrepareSocket(srv.Addr); err != nil {
+			storage.Close()
+			return err
+		}
+
+		// delete the Unix socket file on exit
+		storage.AddTempFile(srv.Addr)
+
+		logger.Log().Infof("[smtpd] starting on %s", config.SMTPListen)
+	} else {
+		smtpType := "no encryption"
+
+		if config.SMTPTLSCert != "" {
+			if config.SMTPRequireTLS {
+				smtpType = "SSL/TLS required"
+			} else if config.SMTPRequireSTARTTLS {
+				smtpType = "STARTTLS required"
+			} else {
+				smtpType = "STARTTLS optional"
+				if !config.SMTPAuthAllowInsecure && auth.SMTPCredentials != nil {
+					smtpType = "STARTTLS required"
+				}
+			}
+		}
+
+		logger.Log().Infof("[smtpd] starting on %s (%s)", config.SMTPListen, smtpType)
+	}
+
 	return srv.ListenAndServe()
 }

--- a/internal/smtpd/relay.go
+++ b/internal/smtpd/relay.go
@@ -0,0 +1,221 @@
+package smtpd
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/smtp"
+	"os"
+	"strings"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/tools"
+	"github.com/pkg/errors"
+)
+
+// Wrapper to auto relay messages if configured
+func autoRelayMessage(from string, to []string, data *[]byte) error {
+	if config.SMTPRelayConfig.BlockedRecipientsRegexp != nil {
+		filteredTo := []string{}
+		for _, address := range to {
+			if config.SMTPRelayConfig.BlockedRecipientsRegexp.MatchString(address) {
+				logger.Log().Debugf("[relay] ignoring auto-relay to %s: found in blocklist", address)
+				continue
+			}
+
+			filteredTo = append(filteredTo, address)
+		}
+		to = filteredTo
+	}
+
+	if len(to) == 0 {
+		return nil
+	}
+
+	if config.SMTPRelayAll {
+		if err := Relay(from, to, *data); err != nil {
+			return errors.WithMessage(err, "[relay] error")
+		}
+
+		logger.Log().Debugf(
+			"[relay] sent message to %s from %s via %s:%d",
+			strings.Join(to, ", "), from, config.SMTPRelayConfig.Host, config.SMTPRelayConfig.Port,
+		)
+	} else if config.SMTPRelayMatchingRegexp != nil {
+		filtered := []string{}
+		for _, t := range to {
+			if config.SMTPRelayMatchingRegexp.MatchString(t) {
+				filtered = append(filtered, t)
+			}
+		}
+
+		if len(filtered) == 0 {
+			return nil
+		}
+
+		if err := Relay(from, filtered, *data); err != nil {
+			return errors.WithMessage(err, "[relay] error")
+		}
+
+		logger.Log().Debugf(
+			"[relay] auto-relay message to %s from %s via %s:%d",
+			strings.Join(filtered, ", "), from, config.SMTPRelayConfig.Host, config.SMTPRelayConfig.Port,
+		)
+	}
+
+	return nil
+}
+
+func createRelaySMTPClient(config config.SMTPRelayConfigStruct, addr string) (*smtp.Client, error) {
+	if config.TLS {
+		tlsConf := &tls.Config{ServerName: config.Host} // #nosec
+		tlsConf.InsecureSkipVerify = config.AllowInsecure
+
+		conn, err := tls.Dial("tcp", addr, tlsConf)
+		if err != nil {
+			return nil, fmt.Errorf("TLS dial error: %v", err)
+		}
+
+		client, err := smtp.NewClient(conn, tlsConf.ServerName)
+		if err != nil {
+			_ = conn.Close()
+			return nil, fmt.Errorf("SMTP client error: %v", err)
+		}
+
+		// Note: The caller is responsible for closing the client
+		return client, nil
+	}
+
+	client, err := smtp.Dial(addr)
+	if err != nil {
+		return nil, fmt.Errorf("error connecting to %s: %v", addr, err)
+	}
+
+	// Set the hostname for HELO/EHLO
+	if hostname, err := os.Hostname(); err == nil {
+		if err := client.Hello(hostname); err != nil {
+			return nil, fmt.Errorf("error saying HELO/EHLO to %s: %v", addr, err)
+		}
+	}
+
+	if config.STARTTLS {
+		tlsConf := &tls.Config{ServerName: config.Host} // #nosec
+		tlsConf.InsecureSkipVerify = config.AllowInsecure
+
+		if err = client.StartTLS(tlsConf); err != nil {
+			_ = client.Close()
+			return nil, fmt.Errorf("error creating StartTLS config: %v", err)
+		}
+	}
+
+	// Note: The caller is responsible for closing the client
+	return client, nil
+}
+
+// Relay will connect to a pre-configured SMTP server and send a message to one or more recipients.
+func Relay(from string, to []string, msg []byte) error {
+	addr := fmt.Sprintf("%s:%d", config.SMTPRelayConfig.Host, config.SMTPRelayConfig.Port)
+
+	c, err := createRelaySMTPClient(config.SMTPRelayConfig, addr)
+	if err != nil {
+		return err
+	}
+	defer func() { _ = c.Close() }()
+
+	auth := relayAuthFromConfig()
+
+	if auth != nil {
+		if err = c.Auth(auth); err != nil {
+			return fmt.Errorf("error response to AUTH command: %s", err.Error())
+		}
+	}
+
+	if config.SMTPRelayConfig.OverrideFrom != "" {
+		msg, err = tools.OverrideFromHeader(msg, config.SMTPRelayConfig.OverrideFrom)
+		if err != nil {
+			return fmt.Errorf("error overriding From header: %s", err.Error())
+		}
+
+		from = config.SMTPRelayConfig.OverrideFrom
+	}
+
+	if err = c.Mail(from); err != nil {
+		return errors.WithMessage(err, "error sending MAIL command")
+	}
+
+	for _, addr := range to {
+		if err = c.Rcpt(addr); err != nil {
+			logger.Log().Warnf("error response to RCPT command for %s: %s", addr, err.Error())
+			if config.SMTPRelayConfig.ForwardSMTPErrors {
+				return errors.WithMessagef(err, "error response to RCPT command for %s", addr)
+			}
+		}
+	}
+
+	w, err := c.Data()
+	if err != nil {
+		return errors.WithMessage(err, "error response to DATA command")
+	}
+
+	if _, err := w.Write(msg); err != nil {
+		return errors.WithMessage(err, "error sending message")
+	}
+
+	if err := w.Close(); err != nil {
+		return errors.WithMessage(err, "error closing connection")
+	}
+
+	return c.Quit()
+}
+
+// Return the SMTP relay authentication based on config
+func relayAuthFromConfig() smtp.Auth {
+	var a smtp.Auth
+
+	if config.SMTPRelayConfig.Auth == "plain" {
+		a = smtp.PlainAuth("", config.SMTPRelayConfig.Username, config.SMTPRelayConfig.Password, config.SMTPRelayConfig.Host)
+	}
+
+	if config.SMTPRelayConfig.Auth == "login" {
+		a = LoginAuth(config.SMTPRelayConfig.Username, config.SMTPRelayConfig.Password)
+	}
+
+	if config.SMTPRelayConfig.Auth == "cram-md5" {
+		a = smtp.CRAMMD5Auth(config.SMTPRelayConfig.Username, config.SMTPRelayConfig.Secret)
+	}
+
+	return a
+}
+
+// Custom implementation of LOGIN SMTP authentication
+// @see https://gist.github.com/andelf/5118732
+type loginAuth struct {
+	username, password string
+}
+
+// LoginAuth authentication
+func LoginAuth(username, password string) smtp.Auth {
+	return &loginAuth{
+		username,
+		password,
+	}
+}
+
+func (a *loginAuth) Start(_ *smtp.ServerInfo) (string, []byte, error) {
+	return "LOGIN", []byte{}, nil
+}
+
+func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
+	if more {
+		switch string(fromServer) {
+		case "Username:":
+			return []byte(a.username), nil
+		case "Password:":
+			return []byte(a.password), nil
+		default:
+			return nil, errors.New("unknown fromServer")
+		}
+	}
+
+	return nil, nil
+}
--- a/internal/smtpd/smtpd.go
+++ b/internal/smtpd/smtpd.go
--- a/internal/smtpd/smtpd_test.go
+++ b/internal/smtpd/smtpd_test.go
--- a/internal/snakeoil/snakeoil.go
+++ b/internal/snakeoil/snakeoil.go
@@ -0,0 +1,196 @@
+// Package snakeoil provides functionality to generate a temporary self-signed certificates
+// for testing purposes. It generates a public and private key pair, stores them in the
+// OS's temporary directory, returning the paths to these files.
+package snakeoil
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"math/big"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/tools"
+)
+
+var keys = make(map[string]KeyPair)
+
+// KeyPair holds the public and private key paths for a self-signed certificate.
+type KeyPair struct {
+	Public  string
+	Private string
+}
+
+// Certificates returns all configured self-signed certificates in use,
+// used for file deletion on exit.
+func Certificates() map[string]KeyPair {
+	return keys
+}
+
+// Public returns the path to a generated PEM-encoded RSA public key.
+func Public(str string) string {
+	domains, key, err := parse(str)
+	if err != nil {
+		logger.Log().Errorf("[tls] failed to parse domains: %v", err)
+		return ""
+	}
+
+	if pair, ok := keys[key]; ok {
+		return pair.Public
+	}
+
+	private, public, err := generate(domains)
+	if err != nil {
+		logger.Log().Errorf("[tls] failed to generate public certificate: %v", err)
+		return ""
+	}
+
+	keys[key] = KeyPair{
+		Public:  public,
+		Private: private,
+	}
+
+	return public
+}
+
+// Private returns the path to a generated PEM-encoded RSA private key.
+func Private(str string) string {
+	domains, key, err := parse(str)
+	if err != nil {
+		logger.Log().Errorf("[tls] failed to parse domains: %v", err)
+		return ""
+	}
+
+	if pair, ok := keys[key]; ok {
+		return pair.Private
+	}
+
+	private, public, err := generate(domains)
+	if err != nil {
+		logger.Log().Errorf("[tls] failed to generate public certificate: %v", err)
+		return ""
+	}
+
+	keys[key] = KeyPair{
+		Public:  public,
+		Private: private,
+	}
+
+	return private
+}
+
+// Parse takes the original string input, removes the "sans:" prefix,
+// splits the result into individual domains, and returns a slice of unique domains,
+// along with a unique key that is a comma-separated list of these domains.
+func parse(str string) ([]string, string, error) {
+	// remove "sans:" prefix
+	str = str[5:]
+	var domains []string
+	// split the string by commas and trim whitespace
+	for domain := range strings.SplitSeq(str, ",") {
+		domain = strings.ToLower(strings.TrimSpace(domain))
+		if domain != "" && !tools.InArray(domain, domains) {
+			domains = append(domains, domain)
+		}
+	}
+
+	if len(domains) == 0 {
+		return domains, "", errors.New("no valid domains provided")
+	}
+
+	// generate sha256 hash of the domains to create a unique key
+	hasher := sha256.New()
+	hasher.Write([]byte(strings.Join(domains, ",")))
+	key := base64.URLEncoding.EncodeToString(hasher.Sum(nil))
+
+	return domains, key, nil
+}
+
+// Generate a new self-signed certificate and return a public & private key paths.
+func generate(domains []string) (string, string, error) {
+	logger.Log().Infof("[tls] generating temp self-signed certificate for: %s", strings.Join(domains, ","))
+	key, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return "", "", err
+	}
+
+	keyBytes := x509.MarshalPKCS1PrivateKey(key)
+	// PEM encoding of private key
+	keyPEM := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: keyBytes,
+		},
+	)
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(365 * 24 * time.Hour)
+
+	// create certificate template
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(0),
+		Subject: pkix.Name{
+			CommonName:   domains[0],
+			Organization: []string{"Mailpit self-signed certificate"},
+		},
+		DNSNames:              domains,
+		SignatureAlgorithm:    x509.SHA256WithRSA,
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		BasicConstraintsValid: true,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+	}
+
+	// create certificate using template
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
+	if err != nil {
+		return "", "", err
+
+	}
+
+	// PEM encoding of certificate
+	certPem := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: derBytes,
+		},
+	)
+
+	// Store the paths to the generated keys
+	priv, err := os.CreateTemp("", ".mailpit-*-private.pem")
+	if err != nil {
+		return "", "", err
+	}
+
+	if _, err := priv.Write(keyPEM); err != nil {
+		return "", "", err
+	}
+
+	if err := priv.Close(); err != nil {
+		return "", "", err
+	}
+
+	pub, err := os.CreateTemp("", ".mailpit-*-public.pem")
+	if err != nil {
+		return "", "", err
+	}
+
+	if _, err := pub.Write(certPem); err != nil {
+		return "", "", err
+	}
+
+	if err := pub.Close(); err != nil {
+		return "", "", err
+	}
+
+	return priv.Name(), pub.Name(), nil
+}
--- a/internal/spamassassin/postmark/postmark.go
+++ b/internal/spamassassin/postmark/postmark.go
@@ -59,7 +59,7 @@ func Check(email []byte, timeout int) (Response, error) {
 		return r, err
 	}

-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	err = json.NewDecoder(resp.Body).Decode(&r)

--- a/internal/spamassassin/spamassassin.go
+++ b/internal/spamassassin/spamassassin.go
@@ -57,13 +57,6 @@ func SetService(s string) {
 	}
 }

-// SetTimeout defines the timeout
-func SetTimeout(t int) {
-	if t > 0 {
-		timeout = t
-	}
-}
-
 // Ping returns whether a service is active or not
 func Ping() error {
 	if service == "postmark" {
@@ -71,7 +64,7 @@ func Ping() error {
 	}

 	var client *spamc.Client
-	if strings.HasPrefix("unix:", service) {
+	if strings.HasPrefix(service, "unix:") {
 		client = spamc.NewUnix(strings.TrimLeft(service, "unix:"))
 	} else {
 		client = spamc.NewTCP(service, timeout)
@@ -112,7 +105,7 @@ func Check(msg []byte) (Result, error) {
 		}
 	} else {
 		var client *spamc.Client
-		if strings.HasPrefix("unix:", service) {
+		if strings.HasPrefix(service, "unix:") {
 			client = spamc.NewUnix(strings.TrimLeft(service, "unix:"))
 		} else {
 			client = spamc.NewTCP(service, timeout)
--- a/internal/spamassassin/spamc/spamc.go
+++ b/internal/spamassassin/spamc/spamc.go
@@ -13,6 +13,8 @@ import (
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/axllent/mailpit/internal/tools"
 )

 // ProtoVersion is the protocol version
@@ -68,20 +70,22 @@ type Result struct {

 // dial connects to spamd through TCP or a Unix socket.
 func (c *Client) dial() (connection, error) {
-	if c.net == "tcp" {
+	switch c.net {
+	case "tcp":
 		tcpAddr, err := net.ResolveTCPAddr("tcp", c.addr)
 		if err != nil {
 			return nil, err
 		}
 		return net.DialTCP("tcp", nil, tcpAddr)
-	} else if c.net == "unix" {
+	case "unix":
 		unixAddr, err := net.ResolveUnixAddr("unix", c.addr)
 		if err != nil {
 			return nil, err
 		}
 		return net.DialUnix("unix", nil, unixAddr)
+	default:
+		return nil, fmt.Errorf("unsupported network type: %s", c.net)
 	}
-	panic("Client.net must be either \"tcp\" or \"unix\"")
 }

 // Report checks if message is spam or not, and returns score plus report
@@ -100,33 +104,32 @@ func (c *Client) report(email []byte) ([]string, error) {
 		return nil, err
 	}

-	defer conn.Close()
+	defer func() { _ = conn.Close() }()

 	if err := conn.SetDeadline(time.Now().Add(time.Duration(c.timeout) * time.Second)); err != nil {
 		return nil, err
 	}

 	bw := bufio.NewWriter(conn)
-	_, err = bw.WriteString("REPORT SPAMC/" + ProtoVersion + "\r\n")
-	if err != nil {
+	if _, err := bw.WriteString("REPORT SPAMC/" + ProtoVersion + "\r\n"); err != nil {
 		return nil, err
 	}
-	_, err = bw.WriteString("Content-length: " + strconv.Itoa(len(email)) + "\r\n\r\n")
-	if err != nil {
+
+	if _, err := bw.WriteString("Content-length: " + strconv.Itoa(len(email)) + "\r\n\r\n"); err != nil {
 		return nil, err
 	}
-	_, err = bw.Write(email)
-	if err != nil {
+
+	if _, err := bw.Write(email); err != nil {
 		return nil, err
 	}
-	err = bw.Flush()
-	if err != nil {
+
+	if err := bw.Flush(); err != nil {
 		return nil, err
 	}
+
 	// Client is supposed to close its writing side of the connection
 	// after sending its request.
-	err = conn.CloseWrite()
-	if err != nil {
+	if err := conn.CloseWrite(); err != nil {
 		return nil, err
 	}

@@ -134,6 +137,7 @@ func (c *Client) report(email []byte) ([]string, error) {
 		lines []string
 		br    = bufio.NewReader(conn)
 	)
+
 	for {
 		line, err := br.ReadString('\n')
 		if err == io.EOF {
@@ -171,11 +175,12 @@ func (c *Client) parseOutput(output []string) Result {
 				continue
 			}
 		}
+
 		// summary
 		if spamMainRe.MatchString(row) {
 			res := spamMainRe.FindStringSubmatch(row)
 			if len(res) == 4 {
-				if strings.ToLower(res[1]) == "true" || strings.ToLower(res[1]) == "yes" {
+				if tools.InArray(res[1], []string{"true", "yes"}) {
 					result.Spam = true
 				} else {
 					result.Spam = false
@@ -197,8 +202,8 @@ func (c *Client) parseOutput(output []string) Result {
 			reachedRules = true
 			continue
 		}
+
 		// details
-		// row = strings.Trim(row, " \t\r\n")
 		if reachedRules && spamDetailsRe.MatchString(row) {
 			res := spamDetailsRe.FindStringSubmatch(row)
 			if len(res) == 5 {
@@ -207,6 +212,7 @@ func (c *Client) parseOutput(output []string) Result {
 			}
 		}
 	}
+
 	return result
 }

@@ -216,18 +222,17 @@ func (c *Client) Ping() error {
 	if err != nil {
 		return err
 	}
-	defer conn.Close()
+	defer func() { _ = conn.Close() }()

 	if err := conn.SetDeadline(time.Now().Add(time.Duration(c.timeout) * time.Second)); err != nil {
 		return err
 	}

-	_, err = io.WriteString(conn, fmt.Sprintf("PING SPAMC/%s\r\n\r\n", ProtoVersion))
-	if err != nil {
+	if _, err := io.WriteString(conn, fmt.Sprintf("PING SPAMC/%s\r\n\r\n", ProtoVersion)); err != nil {
 		return err
 	}
-	err = conn.CloseWrite()
-	if err != nil {
+
+	if err := conn.CloseWrite(); err != nil {
 		return err
 	}

@@ -241,5 +246,6 @@ func (c *Client) Ping() error {
 			return err
 		}
 	}
+
 	return nil
 }
--- a/internal/stats/stats.go
+++ b/internal/stats/stats.go
@@ -7,23 +7,36 @@ import (
 	"time"

 	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/storage"
-	"github.com/axllent/mailpit/internal/updater"
+	"github.com/axllent/mailpit/internal/tools"
 )

+// Stores cached version  along with its expiry time and error count.
+// Used to minimize repeated version lookups and track consecutive errors.
+type versionCache struct {
+	// github version string
+	value string
+	// time to expire the cache
+	expiry time.Time
+	// count of consecutive errors
+	errCount int
+}
+
 var (
-	// to prevent hammering Github for latest version
-	latestVersionCache string
+	// Version cache storing the latest GitHub version
+	vCache versionCache

 	// StartedAt is set to the current ime when Mailpit starts
 	startedAt time.Time

+	// sync mutex to prevent race condition with simultaneous requests
 	mu sync.RWMutex

-	smtpAccepted     float64
-	smtpAcceptedSize float64
-	smtpRejected     float64
-	smtpIgnored      float64
+	smtpAccepted     uint64
+	smtpAcceptedSize uint64
+	smtpRejected     uint64
+	smtpIgnored      uint64
 )

 // AppInformation struct
@@ -36,34 +49,40 @@ type AppInformation struct {
 	// Database path
 	Database string
 	// Database size in bytes
-	DatabaseSize float64
+	DatabaseSize uint64
 	// Total number of messages in the database
-	Messages float64
+	Messages uint64
 	// Total number of messages in the database
-	Unread float64
+	Unread uint64
 	// Tags and message totals per tag
 	Tags map[string]int64
 	// Runtime statistics
 	RuntimeStats struct {
 		// Mailpit server uptime in seconds
-		Uptime float64
+		Uptime uint64
 		// Current memory usage in bytes
 		Memory uint64
 		// Database runtime messages deleted
-		MessagesDeleted float64
+		MessagesDeleted uint64
 		// Accepted runtime SMTP messages
-		SMTPAccepted float64
+		SMTPAccepted uint64
 		// Total runtime accepted messages size in bytes
-		SMTPAcceptedSize float64
+		SMTPAcceptedSize uint64
 		// Rejected runtime SMTP messages
-		SMTPRejected float64
+		SMTPRejected uint64
 		// Ignored runtime SMTP messages (when using --ignore-duplicate-ids)
-		SMTPIgnored float64
+		SMTPIgnored uint64
 	}
 }

+// Calculates exponential backoff duration based on the error count.
+func getBackoff(errCount int) time.Duration {
+	backoff := min(time.Duration(1<<errCount)*time.Minute, 30*time.Minute)
+	return backoff
+}
+
 // Load the current statistics
-func Load() AppInformation {
+func Load(detectLatestVersion bool) AppInformation {
 	info := AppInformation{}
 	info.Version = config.Version

@@ -71,26 +90,42 @@ func Load() AppInformation {
 	runtime.ReadMemStats(&m)

 	info.RuntimeStats.Memory = m.Sys - m.HeapReleased
-	info.RuntimeStats.Uptime = time.Since(startedAt).Seconds()
+	info.RuntimeStats.Uptime = uint64(time.Since(startedAt).Seconds())
 	info.RuntimeStats.MessagesDeleted = storage.StatsDeleted
 	info.RuntimeStats.SMTPAccepted = smtpAccepted
 	info.RuntimeStats.SMTPAcceptedSize = smtpAcceptedSize
 	info.RuntimeStats.SMTPRejected = smtpRejected
 	info.RuntimeStats.SMTPIgnored = smtpIgnored

-	if latestVersionCache != "" {
-		info.LatestVersion = latestVersionCache
-	} else {
-		latest, _, _, err := updater.GithubLatest(config.Repo, config.RepoBinaryName)
-		if err == nil {
-			info.LatestVersion = latest
-			latestVersionCache = latest
+	if config.DisableVersionCheck {
+		info.LatestVersion = "disabled"
+	} else if detectLatestVersion {
+		mu.RLock()
+		cacheValid := time.Now().Before(vCache.expiry)
+		cacheValue := vCache.value
+		mu.RUnlock()

-			// clear latest version cache after 5 minutes
-			go func() {
-				time.Sleep(5 * time.Minute)
-				latestVersionCache = ""
-			}()
+		if cacheValid {
+			info.LatestVersion = cacheValue
+		} else {
+			mu.Lock()
+			// Re-check after acquiring write lock in case another goroutine refreshed it
+			if time.Now().Before(vCache.expiry) {
+				info.LatestVersion = vCache.value
+			} else {
+				latest, err := config.GHRUConfig.Latest()
+				if err == nil {
+					vCache = versionCache{value: latest.Tag, expiry: time.Now().Add(15 * time.Minute)}
+					info.LatestVersion = latest.Tag
+				} else {
+					logger.Log().Errorf("Failed to fetch latest version: %v", err)
+					vCache.errCount++
+					vCache.value = ""
+					vCache.expiry = time.Now().Add(getBackoff(vCache.errCount))
+					info.LatestVersion = ""
+				}
+			}
+			mu.Unlock()
 		}
 	}

@@ -112,7 +147,7 @@ func Track() {
 func LogSMTPAccepted(size int) {
 	mu.Lock()
 	smtpAccepted = smtpAccepted + 1
-	smtpAcceptedSize = smtpAcceptedSize + float64(size)
+	smtpAcceptedSize = smtpAcceptedSize + tools.SafeUint64(size)
 	mu.Unlock()
 }

--- a/internal/storage/cron.go
+++ b/internal/storage/cron.go
@@ -9,6 +9,7 @@ import (

 	"github.com/axllent/mailpit/config"
 	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/tools"
 	"github.com/axllent/mailpit/server/websockets"
 	"github.com/leporo/sqlf"
 )
@@ -31,7 +32,7 @@ func dbCron() {
 				if total == 0 {
 					deletedPercent = 100
 				} else {
-					deletedPercent = deletedSize * 100 / total
+					deletedPercent = float64(deletedSize * 100 / total)
 				}
 				// only vacuum the DB if at least 1% of mail storage size has been deleted
 				if deletedPercent >= 1 {
@@ -48,34 +49,73 @@ func dbCron() {
 // PruneMessages will auto-delete the oldest messages if messages > config.MaxMessages.
 // Set config.MaxMessages to 0 to disable.
 func pruneMessages() {
-	if config.MaxMessages < 1 {
+	if config.MaxMessages < 1 && config.MaxAgeInHours == 0 {
 		return
 	}

 	start := time.Now()

-	q := sqlf.Select("ID, Size").
-		From(tenant("mailbox")).
-		OrderBy("Created DESC").
-		Limit(5000).
-		Offset(config.MaxMessages)
-
 	ids := []string{}
-	var prunedSize int64
-	var size float64
-	if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
-		var id string
+	var prunedSize uint64
+	var size float64 // use float64 for rqlite compatibility

-		if err := row.Scan(&id, &size); err != nil {
+	// prune using `--max` if set
+	if config.MaxMessages > 0 && CountTotal() > uint64(config.MaxMessages) {
+		offset := config.MaxMessages
+		if config.DemoMode {
+			offset = 500
+		}
+		q := sqlf.Select("ID, Size").
+			From(tenant("mailbox")).
+			OrderBy("Created DESC").
+			Limit(5000).
+			Offset(offset)
+
+		if err := q.QueryAndClose(
+			context.TODO(), db, func(row *sql.Rows) {
+				var id string
+
+				if err := row.Scan(&id, &size); err != nil {
+					logger.Log().Errorf("[db] %s", err.Error())
+					return
+				}
+				ids = append(ids, id)
+				prunedSize = prunedSize + uint64(size)
+
+			},
+		); err != nil {
 			logger.Log().Errorf("[db] %s", err.Error())
 			return
 		}
-		ids = append(ids, id)
-		prunedSize = prunedSize + int64(size)
+	}

-	}); err != nil {
-		logger.Log().Errorf("[db] %s", err.Error())
-		return
+	// prune using `--max-age` if set
+	if config.MaxAgeInHours > 0 {
+		// now() minus the number of hours
+		ts := time.Now().Add(time.Duration(-config.MaxAgeInHours) * time.Hour).UnixMilli()
+
+		q := sqlf.Select("ID, Size").
+			From(tenant("mailbox")).
+			Where("Created < ?", ts).
+			Limit(5000)
+
+		if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+			var id string
+
+			if err := row.Scan(&id, &size); err != nil {
+				logger.Log().Errorf("[db] %s", err.Error())
+				return
+			}
+
+			if !tools.InArray(id, ids) {
+				ids = append(ids, id)
+				prunedSize = prunedSize + uint64(size)
+			}
+
+		}); err != nil {
+			logger.Log().Errorf("[db] %s", err.Error())
+			return
+		}
 	}

 	if len(ids) == 0 {
@@ -132,6 +172,10 @@ func pruneMessages() {

 	logMessagesDeleted(len(ids))

+	if config.DemoMode {
+		vacuumDb()
+	}
+
 	websockets.Broadcast("prune", nil)
 }

--- a/internal/storage/database.go
+++ b/internal/storage/database.go
@@ -27,26 +27,51 @@ import (

 var (
 	db           *sql.DB
-	dbFile       string
-	dbIsTemp     bool
 	sqlDriver    string
 	dbLastAction time.Time

 	// zstd compression encoder & decoder
-	dbEncoder, _ = zstd.NewWriter(nil)
+	dbEncoder    *zstd.Encoder
 	dbDecoder, _ = zstd.NewReader(nil)
+
+	temporaryFiles = []string{}
 )

 // InitDB will initialise the database
 func InitDB() error {
+	// dbEncoder
+	var (
+		dsn string
+		err error
+	)
+
+	if config.Compression > 0 {
+		var compression zstd.EncoderLevel
+		switch config.Compression {
+		case 1:
+			compression = zstd.SpeedFastest
+		case 2:
+			compression = zstd.SpeedDefault
+		case 3:
+			compression = zstd.SpeedBestCompression
+		}
+		dbEncoder, err = zstd.NewWriter(nil, zstd.WithEncoderLevel(compression))
+		if err != nil {
+			return err
+		}
+		logger.Log().Debugf("[db] storing messages with compression: %s", compression.String())
+	} else {
+		logger.Log().Debug("[db] storing messages with no compression")
+	}
+
 	p := config.Database
-	var dsn string

 	if p == "" {
 		// when no path is provided then we create a temporary file
 		// which will get deleted on Close(), SIGINT or SIGTERM
 		p = fmt.Sprintf("%s-%d.db", path.Join(os.TempDir(), "mailpit"), time.Now().UnixNano())
-		dbIsTemp = true
+		// delete the Unix socket file on exit
+		AddTempFile(p)
 		sqlDriver = "sqlite"
 		dsn = p
 		logger.Log().Debugf("[db] using temporary database: %s", p)
@@ -74,8 +99,6 @@ func InitDB() error {
 		}
 	}

-	var err error
-
 	db, err = sql.Open(sqlDriver, dsn)
 	if err != nil {
 		return err
@@ -96,8 +119,13 @@ func InitDB() error {
 	db.SetMaxOpenConns(1)

 	if sqlDriver == "sqlite" {
-		// SQLite performance tuning (https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)
-		_, err = db.Exec("PRAGMA journal_mode = WAL; PRAGMA synchronous = normal;")
+		if config.DisableWAL {
+			// disable WAL mode for SQLite, allows NFS mounted DBs
+			_, err = db.Exec("PRAGMA journal_mode=DELETE; PRAGMA synchronous=NORMAL;")
+		} else {
+			// SQLite performance tuning (https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)
+			_, err = db.Exec("PRAGMA journal_mode=WAL; PRAGMA synchronous=NORMAL;")
+		}
 		if err != nil {
 			return err
 		}
@@ -110,7 +138,6 @@ func InitDB() error {

 	LoadTagFilters()

-	dbFile = p
 	dbLastAction = time.Now()

 	sigs := make(chan os.Signal, 1)
@@ -154,12 +181,8 @@ func Close() {
 	// allow SQLite to finish closing DB & write WAL logs if local
 	time.Sleep(100 * time.Millisecond)

-	if dbIsTemp && isFile(dbFile) {
-		logger.Log().Debugf("[db] deleting temporary file %s", dbFile)
-		if err := os.Remove(dbFile); err != nil {
-			logger.Log().Errorf("[db] %s", err.Error())
-		}
-	}
+	// delete all temporary files
+	deleteTempFiles()
 }

 // Ping the database connection and return an error if unsuccessful
@@ -185,65 +208,51 @@ func StatsGet() MailboxStats {
 }

 // CountTotal returns the number of emails in the database
-func CountTotal() float64 {
-	var total float64
+func CountTotal() uint64 {
+	var total float64 // use float64 for rqlite compatibility

 	_ = sqlf.From(tenant("mailbox")).
 		Select("COUNT(*)").To(&total).
 		QueryRowAndClose(context.TODO(), db)

-	return total
+	return uint64(total)
 }

 // CountUnread returns the number of emails in the database that are unread.
-func CountUnread() float64 {
-	var total float64
+func CountUnread() uint64 {
+	var total float64 // use float64 for rqlite compatibility

 	_ = sqlf.From(tenant("mailbox")).
 		Select("COUNT(*)").To(&total).
 		Where("Read = ?", 0).
 		QueryRowAndClose(context.TODO(), db)

-	return total
+	return uint64(total)
 }

 // CountRead returns the number of emails in the database that are read.
-func CountRead() float64 {
-	var total float64
+func CountRead() uint64 {
+	var total float64 // use float64 for rqlite compatibility

 	_ = sqlf.From(tenant("mailbox")).
 		Select("COUNT(*)").To(&total).
 		Where("Read = ?", 1).
 		QueryRowAndClose(context.TODO(), db)

-	return total
+	return uint64(total)
 }

 // DbSize returns the size of the SQLite database.
-func DbSize() float64 {
-	var total sql.NullFloat64
+func DbSize() uint64 {
+	var total sql.NullFloat64 // use float64 for rqlite compatibility

 	err := db.QueryRow("SELECT page_count * page_size AS size FROM pragma_page_count(), pragma_page_size()").Scan(&total)

 	if err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
-		return total.Float64
 	}

-	return total.Float64
-}
-
-// IsUnread returns whether a message is unread or not.
-func IsUnread(id string) bool {
-	var unread int
-
-	_ = sqlf.From(tenant("mailbox")).
-		Select("COUNT(*)").To(&unread).
-		Where("Read = ?", 0).
-		Where("ID = ?", id).
-		QueryRowAndClose(context.TODO(), db)
-
-	return unread == 1
+	return uint64(total.Float64)
 }

 // MessageIDExists checks whether a Message-ID exists in the DB
--- a/internal/storage/functions_test.go
+++ b/internal/storage/functions_test.go
@@ -16,10 +16,11 @@ var (
 	testRuns      = 100
 )

-func setup() {
+func setup(tenantID string) {
 	logger.NoLogging = true
 	config.MaxMessages = 0
 	config.Database = os.Getenv("MP_DATABASE")
+	config.TenantID = config.DBTenantID(tenantID)

 	if err := InitDB(); err != nil {
 		panic(err)
@@ -58,11 +59,11 @@ func assertEqual(t *testing.T, a interface{}, b interface{}, message string) {

 func assertEqualStats(t *testing.T, total int, unread int) {
 	s := StatsGet()
-	if float64(total) != s.Total {
+	if uint64(total) != s.Total {
 		t.Fatalf("Incorrect total mailbox stats: \"%v\" != \"%v\"", total, s.Total)
 	}

-	if float64(unread) != s.Unread {
+	if uint64(unread) != s.Unread {
 		t.Fatalf("Incorrect unread mailbox stats: \"%v\" != \"%v\"", unread, s.Unread)
 	}
 }
--- a/internal/storage/messages.go
+++ b/internal/storage/messages.go
@@ -3,6 +3,9 @@ package storage
 import (
 	"bytes"
 	"context"
+	"crypto/md5"  // #nosec
+	"crypto/sha1" // #nosec
+	"crypto/sha256"
 	"database/sql"
 	"encoding/base64"
 	"encoding/hex"
@@ -19,16 +22,19 @@ import (
 	"github.com/axllent/mailpit/internal/tools"
 	"github.com/axllent/mailpit/server/webhook"
 	"github.com/axllent/mailpit/server/websockets"
-	"github.com/jhillyerd/enmime"
+	"github.com/jhillyerd/enmime/v2"
 	"github.com/leporo/sqlf"
 	"github.com/lithammer/shortuuid/v4"
 )

 // Store will save an email to the database tables.
+// The username is the authentication username of either the SMTP or HTTP client (blank for none).
 // Returns the database ID of the saved message.
-func Store(body *[]byte) (string, error) {
+func Store(body *[]byte, username *string) (string, error) {
+	parser := enmime.NewParser(enmime.DisableCharacterDetection(true))
+
 	// Parse message body with enmime
-	env, err := enmime.ReadEnvelope(bytes.NewReader(*body))
+	env, err := parser.ReadEnvelope(bytes.NewReader(*body))
 	if err != nil {
 		logger.Log().Warnf("[message] %s", err.Error())
 		return "", nil
@@ -42,15 +48,18 @@ func Store(body *[]byte) (string, error) {
 		from = &mail.Address{Name: env.GetHeader("From")}
 	}

-	obj := DBMailSummary{
+	obj := Metadata{
 		From:    from,
 		To:      addressToSlice(env, "To"),
 		Cc:      addressToSlice(env, "Cc"),
 		Bcc:     addressToSlice(env, "Bcc"),
 		ReplyTo: addressToSlice(env, "Reply-To"),
 	}
+	if username != nil {
+		obj.Username = *username
+	}

-	messageID := strings.Trim(env.Root.Header.Get("Message-ID"), "<>")
+	messageID := strings.Trim(env.GetHeader("Message-ID"), "<>")
 	created := time.Now()

 	// use message date instead of created date
@@ -80,17 +89,17 @@ func Store(body *[]byte) (string, error) {
 	}

 	// roll back if it fails
-	defer tx.Rollback()
+	defer func() { _ = tx.Rollback() }()

 	subject := env.GetHeader("Subject")
-	size := float64(len(*body))
+	size := uint64(len(*body))
 	inline := len(env.Inlines)
 	attachments := len(env.Attachments)
 	snippet := tools.CreateSnippet(env.Text, env.HTML)

 	sql := fmt.Sprintf(`INSERT INTO %s 
-		(Created, ID, MessageID, Subject, Metadata, Size, Inline, Attachments, SearchText, Read, Snippet) 
-		VALUES(?,?,?,?,?,?,?,?,?,0,?)`,
+    	(Created, ID, MessageID, Subject, Metadata, Size, Inline, Attachments, SearchText, Read, Snippet) 
+	    VALUES(?,?,?,?,?,?,?,?,?,0,?)`,
 		tenant("mailbox"),
 	) // #nosec

@@ -100,10 +109,23 @@ func Store(body *[]byte) (string, error) {
 		return "", err
 	}

-	// insert compressed raw message
-	encoded := dbEncoder.EncodeAll(*body, make([]byte, 0, int(size)))
-	hexStr := hex.EncodeToString(encoded)
-	_, err = tx.Exec(fmt.Sprintf(`INSERT INTO %s (ID, Email) VALUES(?, x'%s')`, tenant("mailbox_data"), hexStr), id) // #nosec
+	if config.Compression > 0 {
+		// insert compressed raw message
+		compressed := dbEncoder.EncodeAll(*body, make([]byte, 0, size))
+
+		if sqlDriver == "rqlite" {
+			// rqlite does not support binary data in query, so we need to encode the compressed message into hexadecimal
+			// string and then generate the SQL query, which is more memory intensive, especially with large messages
+			hexStr := hex.EncodeToString(compressed)
+			_, err = tx.Exec(fmt.Sprintf(`INSERT INTO %s (ID, Email, Compressed) VALUES(?, x'%s', 1)`, tenant("mailbox_data"), hexStr), id) // #nosec
+		} else {
+			_, err = tx.Exec(fmt.Sprintf(`INSERT INTO %s (ID, Email, Compressed) VALUES(?, ?, 1)`, tenant("mailbox_data")), id, compressed) // #nosec
+		}
+	} else {
+		// insert uncompressed raw message
+		_, err = tx.Exec(fmt.Sprintf(`INSERT INTO %s (ID, Email, Compressed) VALUES(?, ?, 0)`, tenant("mailbox_data")), id, string(*body)) // #nosec
+	}
+
 	if err != nil {
 		return "", err
 	}
@@ -112,23 +134,34 @@ func Store(body *[]byte) (string, error) {
 		return "", err
 	}

-	// extract tags from body matches
-	rawTags := findTagsInRawMessage(body)
-	// extract plus addresses tags from enmime.Envelope
-	plusTags := obj.tagsFromPlusAddresses()
-	// extract tags from X-Tags header
-	xTags := tools.SetTagCasing(strings.Split(strings.TrimSpace(env.Root.Header.Get("X-Tags")), ","))
-	// extract tags from search matches
-	searchTags := tagFilterMatches(id)
+	// extract tags using pre-set tag filters, empty slice if not set
+	tags := findTagsInRawMessage(body)

-	// combine all tags into one slice
-	tags := append(rawTags, plusTags...)
-	tags = append(tags, xTags...)
-	// sort and extract only unique tags
-	tags = sortedUniqueTags(append(tags, searchTags...))
+	if !config.TagsDisableXTags {
+		xTagsHdr := env.GetHeader("X-Tags")
+		if xTagsHdr != "" {
+			// extract tags from X-Tags header
+			tags = append(tags, tools.SetTagCasing(strings.Split(strings.TrimSpace(xTagsHdr), ","))...)
+		}
+	}

+	if !config.TagsDisablePlus {
+		// get tags from plus-addresses
+		tags = append(tags, obj.tagsFromPlusAddresses()...)
+	}
+
+	// auto-tag by username if enabled
+	if config.TagsUsername && username != nil && *username != "" {
+		tags = append(tags, *username)
+	}
+
+	// extract tags from search matches, and sort and extract unique tags
+	tags = sortedUniqueTags(append(tags, tagFilterMatches(id)...))
+
+	setTags := []string{}
 	if len(tags) > 0 {
-		if err := SetMessageTags(id, tags); err != nil {
+		setTags, err = SetMessageTags(id, tags)
+		if err != nil {
 			return "", err
 		}
 	}
@@ -138,13 +171,31 @@ func Store(body *[]byte) (string, error) {
 		return "", err
 	}

+	// we do not want to to broadcast null values for MetaData else this does not align
+	// with the message summary documented in the API docs, so we set them to empty slices.
+	if c.From == nil {
+		c.From = &mail.Address{}
+	}
+	if c.To == nil {
+		c.To = []*mail.Address{}
+	}
+	if c.Cc == nil {
+		c.Cc = []*mail.Address{}
+	}
+	if c.Bcc == nil {
+		c.Bcc = []*mail.Address{}
+	}
+	if c.ReplyTo == nil {
+		c.ReplyTo = []*mail.Address{}
+	}
+
 	c.Created = created
 	c.ID = id
 	c.MessageID = messageID
 	c.Attachments = attachments
 	c.Subject = subject
 	c.Size = size
-	c.Tags = tags
+	c.Tags = setTags
 	c.Snippet = snippet

 	websockets.Broadcast("new", c)
@@ -154,48 +205,65 @@ func Store(body *[]byte) (string, error) {

 	BroadcastMailboxStats()

+	logger.Log().Debugf("[db] saved message %s (%d bytes)", id, size)
+
 	return id, nil
 }

 // List returns a subset of messages from the mailbox,
 // sorted latest to oldest
-func List(start, limit int) ([]MessageSummary, error) {
+func List(start int, beforeTS int64, limit int) ([]MessageSummary, error) {
 	results := []MessageSummary{}
 	tsStart := time.Now()

 	q := sqlf.From(tenant("mailbox") + " m").
 		Select(`m.Created, m.ID, m.MessageID, m.Subject, m.Metadata, m.Size, m.Attachments, m.Read, m.Snippet`).
-		OrderBy("m.Created DESC").
-		Limit(limit).
-		Offset(start)
+		OrderBy("m.Created DESC")
+
+	if limit > 0 {
+		q = q.Limit(limit).Offset(start)
+	}
+
+	if beforeTS > 0 {
+		q = q.Where("Created < ?", beforeTS)
+	}

 	if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
-		var created float64
+		var created float64 // use float64 for rqlite compatibility
 		var id string
 		var messageID string
 		var subject string
-		var metadata string
-		var size float64
+		var metadataJSON string
+		var size float64 // use float64 for rqlite compatibility
 		var attachments int
 		var read int
 		var snippet string
 		em := MessageSummary{}
+		var meta Metadata

-		if err := row.Scan(&created, &id, &messageID, &subject, &metadata, &size, &attachments, &read, &snippet); err != nil {
+		err := row.Scan(&created, &id, &messageID, &subject, &metadataJSON, &size, &attachments, &read, &snippet)
+		if err != nil {
 			logger.Log().Errorf("[db] %s", err.Error())
 			return
 		}

-		if err := json.Unmarshal([]byte(metadata), &em); err != nil {
+		if err := json.Unmarshal([]byte(metadataJSON), &meta); err != nil {
 			logger.Log().Errorf("[json] %s", err.Error())
 			return
 		}

+		em.From = meta.From
+		em.To = meta.To
+		em.Cc = meta.Cc
+		em.Bcc = meta.Bcc
+		em.ReplyTo = meta.ReplyTo
+		em.Username = meta.Username
+
 		em.Created = time.UnixMilli(int64(created))
 		em.ID = id
 		em.MessageID = messageID
 		em.Subject = subject
-		em.Size = size
+		em.Size = uint64(size)
 		em.Attachments = attachments
 		em.Read = read == 1
 		em.Snippet = snippet
@@ -233,17 +301,27 @@ func GetMessage(id string) (*Message, error) {

 	r := bytes.NewReader(raw)

-	env, err := enmime.ReadEnvelope(r)
+	parser := enmime.NewParser(enmime.DisableCharacterDetection(true))
+
+	env, err := parser.ReadEnvelope(r)
 	if err != nil {
 		return nil, err
 	}

-	var from *mail.Address
-	fromData := addressToSlice(env, "From")
-	if len(fromData) > 0 {
-		from = fromData[0]
-	} else if env.GetHeader("From") != "" {
-		from = &mail.Address{Name: env.GetHeader("From")}
+	// Load metadata from DB
+	meta, err := GetMetadata(id)
+	if err != nil {
+		meta = Metadata{}
+	}
+
+	from := meta.From
+	if from == nil {
+		fromData := addressToSlice(env, "From")
+		if len(fromData) > 0 {
+			from = fromData[0]
+		} else if env.GetHeader("From") != "" {
+			from = &mail.Address{Name: env.GetHeader("From")}
+		}
 	}

 	messageID := strings.Trim(env.GetHeader("Message-ID"), "<>")
@@ -261,7 +339,7 @@ func GetMessage(id string) (*Message, error) {
 			Where(`ID = ?`, id)

 		if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
-			var created float64
+			var created float64 // use float64 for rqlite compatibility

 			if err := row.Scan(&created); err != nil {
 				logger.Log().Errorf("[db] %s", err.Error())
@@ -269,7 +347,6 @@ func GetMessage(id string) (*Message, error) {
 			}

 			logger.Log().Debugf("[db] %s does not contain a date header, using received datetime", id)
-
 			date = time.UnixMilli(int64(created))
 		}); err != nil {
 			logger.Log().Errorf("[db] %s", err.Error())
@@ -288,10 +365,10 @@ func GetMessage(id string) (*Message, error) {
 		ReturnPath: returnPath,
 		Subject:    env.GetHeader("Subject"),
 		Tags:       getMessageTags(id),
-		Size:       float64(len(raw)),
+		Size:       uint64(len(raw)),
 		Text:       env.Text,
+		Username:   meta.Username,
 	}
-
 	obj.HTML = env.HTML
 	obj.Inline = []Attachment{}
 	obj.Attachments = []Attachment{}
@@ -329,7 +406,7 @@ func GetMessage(id string) (*Message, error) {
 	}

 	// mark message as read
-	if err := MarkRead(id); err != nil {
+	if err := MarkRead([]string{id}); err != nil {
 		return &obj, err
 	}

@@ -340,11 +417,12 @@ func GetMessage(id string) (*Message, error) {

 // GetMessageRaw returns an []byte of the full message
 func GetMessageRaw(id string) ([]byte, error) {
-	var i string
-	var msg string
+	var i, msg string
+	var compressed int
 	q := sqlf.From(tenant("mailbox_data")).
 		Select(`ID`).To(&i).
 		Select(`Email`).To(&msg).
+		Select(`Compressed`).To(&compressed).
 		Where(`ID = ?`, id)
 	err := q.QueryRowAndClose(context.Background(), db)
 	if err != nil {
@@ -356,7 +434,7 @@ func GetMessageRaw(id string) ([]byte, error) {
 	}

 	var data []byte
-	if sqlDriver == "rqlite" {
+	if sqlDriver == "rqlite" && compressed == 1 {
 		data, err = base64.StdEncoding.DecodeString(msg)
 		if err != nil {
 			return nil, fmt.Errorf("error decoding base64 message: %w", err)
@@ -365,14 +443,18 @@ func GetMessageRaw(id string) ([]byte, error) {
 		data = []byte(msg)
 	}

-	raw, err := dbDecoder.DecodeAll(data, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error decompressing message: %s", err.Error())
-	}
-
 	dbLastAction = time.Now()

-	return raw, err
+	if compressed == 1 {
+		raw, err := dbDecoder.DecodeAll(data, nil)
+		if err != nil {
+			return nil, fmt.Errorf("error decompressing message: %s", err.Error())
+		}
+
+		return raw, err
+	}
+
+	return data, nil
 }

 // GetAttachmentPart returns an *enmime.Part (attachment or inline) from a message
@@ -384,7 +466,9 @@ func GetAttachmentPart(id, partID string) (*enmime.Part, error) {

 	r := bytes.NewReader(raw)

-	env, err := enmime.ReadEnvelope(r)
+	parser := enmime.NewParser(enmime.DisableCharacterDetection(true))
+
+	env, err := parser.ReadEnvelope(r)
 	if err != nil {
 		return nil, err
 	}
@@ -412,6 +496,29 @@ func GetAttachmentPart(id, partID string) (*enmime.Part, error) {
 	return nil, errors.New("attachment not found")
 }

+// AttachmentSummary returns a summary of the attachment without any binary data
+func AttachmentSummary(a *enmime.Part) Attachment {
+	o := Attachment{}
+	o.PartID = a.PartID
+	o.FileName = a.FileName
+	if o.FileName == "" {
+		o.FileName = a.ContentID
+	}
+	o.ContentType = a.ContentType
+	o.ContentID = a.ContentID
+	o.Size = uint64(len(a.Content))
+
+	md5Hash := md5.Sum(a.Content)   // #nosec
+	sha1Hash := sha1.Sum(a.Content) // #nosec
+	sha256Hash := sha256.Sum256(a.Content)
+
+	o.Checksums.MD5 = hex.EncodeToString(md5Hash[:])
+	o.Checksums.SHA1 = hex.EncodeToString(sha1Hash[:])
+	o.Checksums.SHA256 = hex.EncodeToString(sha256Hash[:])
+
+	return o
+}
+
 // LatestID returns the latest message ID
 //
 // If a query argument is set in the request the function will return the
@@ -422,12 +529,12 @@ func LatestID(r *http.Request) (string, error) {

 	search := strings.TrimSpace(r.URL.Query().Get("query"))
 	if search != "" {
-		messages, _, err = Search(search, r.URL.Query().Get("tz"), 0, 1)
+		messages, _, err = Search(search, r.URL.Query().Get("tz"), 0, 0, 1)
 		if err != nil {
 			return "", err
 		}
 	} else {
-		messages, err = List(0, 1)
+		messages, err = List(0, 0, 1)
 		if err != nil {
 			return "", err
 		}
@@ -440,23 +547,28 @@ func LatestID(r *http.Request) (string, error) {
 }

 // MarkRead will mark a message as read
-func MarkRead(id string) error {
-	if !IsUnread(id) {
-		return nil
-	}
+func MarkRead(ids []string) error {
+	for _, id := range ids {
+		_, err := sqlf.Update(tenant("mailbox")).
+			Set("Read", 1).
+			Where("ID = ?", id).
+			ExecAndClose(context.Background(), db)

-	_, err := sqlf.Update(tenant("mailbox")).
-		Set("Read", 1).
-		Where("ID = ?", id).
-		ExecAndClose(context.Background(), db)
+		if err == nil {
+			logger.Log().Debugf("[db] marked message %s as read", id)
+		}

-	if err == nil {
-		logger.Log().Debugf("[db] marked message %s as read", id)
+		d := struct {
+			ID   string
+			Read bool
+		}{ID: id, Read: true}
+
+		websockets.Broadcast("update", d)
 	}

 	BroadcastMailboxStats()

-	return err
+	return nil
 }

 // MarkAllRead will mark all messages as read
@@ -510,25 +622,30 @@ func MarkAllUnread() error {
 }

 // MarkUnread will mark a message as unread
-func MarkUnread(id string) error {
-	if IsUnread(id) {
-		return nil
+func MarkUnread(ids []string) error {
+	for _, id := range ids {
+		_, err := sqlf.Update(tenant("mailbox")).
+			Set("Read", 0).
+			Where("ID = ?", id).
+			ExecAndClose(context.Background(), db)
+
+		if err == nil {
+			logger.Log().Debugf("[db] marked message %s as unread", id)
+		}
+
+		dbLastAction = time.Now()
+
+		d := struct {
+			ID   string
+			Read bool
+		}{ID: id, Read: false}
+
+		websockets.Broadcast("update", d)
 	}

-	_, err := sqlf.Update(tenant("mailbox")).
-		Set("Read", 0).
-		Where("ID = ?", id).
-		ExecAndClose(context.Background(), db)
-
-	if err == nil {
-		logger.Log().Debugf("[db] marked message %s as unread", id)
-	}
-
-	dbLastAction = time.Now()
-
 	BroadcastMailboxStats()

-	return err
+	return nil
 }

 // DeleteMessages deletes one or more messages in bulk
@@ -549,19 +666,21 @@ func DeleteMessages(ids []string) error {
 	if err != nil {
 		return err
 	}
-	defer rows.Close()
+	defer func() { _ = rows.Close() }()

 	toDelete := []string{}
-	var totalSize float64
+	var totalSize uint64

 	for rows.Next() {
 		var id string
-		var size float64
+		var size float64 // use float64 for rqlite compatibility
+
 		if err := rows.Scan(&id, &size); err != nil {
 			return err
 		}
+
 		toDelete = append(toDelete, id)
-		totalSize = totalSize + size
+		totalSize = totalSize + uint64(size)
 	}

 	if err = rows.Err(); err != nil {
@@ -593,10 +712,12 @@ func DeleteMessages(ids []string) error {
 		}
 	}

-	err = tx.Commit()
+	if err := tx.Commit(); err != nil {
+		return err
+	}

 	dbLastAction = time.Now()
-	addDeletedSize(int64(totalSize))
+	addDeletedSize(totalSize)

 	logMessagesDeleted(len(toDelete))

@@ -613,6 +734,15 @@ func DeleteMessages(ids []string) error {

 	BroadcastMailboxStats()

+	// broadcast individual message deletions
+	for _, id := range toDelete {
+		d := struct {
+			ID string
+		}{ID: id}
+
+		websockets.Broadcast("delete", d)
+	}
+
 	return nil
 }

@@ -635,7 +765,7 @@ func DeleteAllMessages() error {
 	}

 	// roll back if it fails
-	defer tx.Rollback()
+	defer func() { _ = tx.Rollback() }()

 	tables := []string{"mailbox", "mailbox_data", "tags", "message_tags"}

@@ -663,8 +793,23 @@ func DeleteAllMessages() error {

 	logMessagesDeleted(total)

-	websockets.Broadcast("prune", nil)
 	BroadcastMailboxStats()

+	websockets.Broadcast("truncate", nil)
+
 	return err
 }
+
+// GetMetadata retrieves the metadata for a message by its ID
+func GetMetadata(id string) (Metadata, error) {
+	var metadataJSON string
+	row := db.QueryRow(fmt.Sprintf("SELECT Metadata FROM %s WHERE ID = ?", tenant("mailbox")), id)
+	if err := row.Scan(&metadataJSON); err != nil {
+		return Metadata{}, err
+	}
+	var meta Metadata
+	if err := json.Unmarshal([]byte(metadataJSON), &meta); err != nil {
+		return Metadata{}, err
+	}
+	return meta, nil
+}
--- a/internal/storage/messages_test.go
+++ b/internal/storage/messages_test.go
@@ -1,12 +1,15 @@
 package storage

 import (
+	"os"
 	"testing"
 	"time"
+
+	"github.com/axllent/mailpit/config"
 )

 func TestTextEmailInserts(t *testing.T) {
-	setup()
+	setup("")
 	defer Close()

 	t.Log("Testing text email storage")
@@ -14,13 +17,13 @@ func TestTextEmailInserts(t *testing.T) {
 	start := time.Now()

 	for i := 0; i < testRuns; i++ {
-		if _, err := Store(&testTextEmail); err != nil {
+		if _, err := Store(&testTextEmail, nil); err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
 	}

-	assertEqual(t, CountTotal(), float64(testRuns), "Incorrect number of text emails stored")
+	assertEqual(t, CountTotal(), uint64(testRuns), "Incorrect number of text emails stored")

 	t.Logf("Inserted %d text emails in %s", testRuns, time.Since(start))

@@ -30,7 +33,7 @@ func TestTextEmailInserts(t *testing.T) {
 		t.Fail()
 	}

-	assertEqual(t, CountTotal(), float64(0), "incorrect number of text emails deleted")
+	assertEqual(t, CountTotal(), uint64(0), "incorrect number of text emails deleted")

 	t.Logf("deleted %d text emails in %s", testRuns, time.Since(delStart))

@@ -38,117 +41,152 @@ func TestTextEmailInserts(t *testing.T) {
 }

 func TestMimeEmailInserts(t *testing.T) {
-	setup()
-	defer Close()
+	for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+		tenantID = config.DBTenantID(tenantID)

-	t.Log("Testing mime email storage")
+		setup(tenantID)

-	start := time.Now()
+		if tenantID == "" {
+			t.Log("Testing mime email storage")
+		} else {
+			t.Logf("Testing mime email storage (tenant %s)", tenantID)
+		}

-	for i := 0; i < testRuns; i++ {
-		if _, err := Store(&testMimeEmail); err != nil {
+		start := time.Now()
+
+		for i := 0; i < testRuns; i++ {
+			if _, err := Store(&testMimeEmail, nil); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+		}
+
+		assertEqual(t, CountTotal(), uint64(testRuns), "Incorrect number of mime emails stored")
+
+		t.Logf("Inserted %d text emails in %s", testRuns, time.Since(start))
+
+		delStart := time.Now()
+		if err := DeleteAllMessages(); err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
+
+		assertEqual(t, CountTotal(), uint64(0), "incorrect number of mime emails deleted")
+
+		t.Logf("Deleted %d mime emails in %s", testRuns, time.Since(delStart))
+
+		Close()
 	}
-
-	assertEqual(t, CountTotal(), float64(testRuns), "Incorrect number of mime emails stored")
-
-	t.Logf("Inserted %d text emails in %s", testRuns, time.Since(start))
-
-	delStart := time.Now()
-	if err := DeleteAllMessages(); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	assertEqual(t, CountTotal(), float64(0), "incorrect number of mime emails deleted")
-
-	t.Logf("Deleted %d mime emails in %s", testRuns, time.Since(delStart))
 }

 func TestRetrieveMimeEmail(t *testing.T) {
-	setup()
-	defer Close()
+	compressionLevels := []int{0, 1, 2, 3}

-	t.Log("Testing mime email retrieval")
+	for _, compressionLevel := range compressionLevels {
+		t.Logf("Testing compression level: %d", compressionLevel)
+		for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+			tenantID = config.DBTenantID(tenantID)
+			config.Compression = compressionLevel
+			setup(tenantID)

-	id, err := Store(&testMimeEmail)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
+			if tenantID == "" {
+				t.Log("Testing mime email retrieval")
+			} else {
+				t.Logf("Testing mime email retrieval (tenant %s)", tenantID)
+			}
+
+			id, err := Store(&testMimeEmail, nil)
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+
+			msg, err := GetMessage(id)
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+
+			assertEqual(t, msg.From.Name, "Sender Smith", "\"From\" name does not match")
+			assertEqual(t, msg.From.Address, "sender2@example.com", "\"From\" address does not match")
+			assertEqual(t, msg.Subject, "inline + attachment", "subject does not match")
+			assertEqual(t, len(msg.To), 1, "incorrect number of recipients")
+			assertEqual(t, msg.To[0].Name, "Recipient Ross", "\"To\" name does not match")
+			assertEqual(t, msg.To[0].Address, "recipient2@example.com", "\"To\" address does not match")
+			assertEqual(t, len(msg.Attachments), 1, "incorrect number of attachments")
+			assertEqual(t, msg.Attachments[0].FileName, "Sample PDF.pdf", "attachment filename does not match")
+			assertEqual(t, len(msg.Inline), 1, "incorrect number of inline attachments")
+			assertEqual(t, msg.Inline[0].FileName, "inline-image.jpg", "inline attachment filename does not match")
+
+			attachmentData, err := GetAttachmentPart(id, msg.Attachments[0].PartID)
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+			assertEqual(t, uint64(len(attachmentData.Content)), msg.Attachments[0].Size, "attachment size does not match")
+
+			inlineData, err := GetAttachmentPart(id, msg.Inline[0].PartID)
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+			assertEqual(t, uint64(len(inlineData.Content)), msg.Inline[0].Size, "inline attachment size does not match")
+
+			Close()
+		}
 	}

-	msg, err := GetMessage(id)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	assertEqual(t, msg.From.Name, "Sender Smith", "\"From\" name does not match")
-	assertEqual(t, msg.From.Address, "sender2@example.com", "\"From\" address does not match")
-	assertEqual(t, msg.Subject, "inline + attachment", "subject does not match")
-	assertEqual(t, len(msg.To), 1, "incorrect number of recipients")
-	assertEqual(t, msg.To[0].Name, "Recipient Ross", "\"To\" name does not match")
-	assertEqual(t, msg.To[0].Address, "recipient2@example.com", "\"To\" address does not match")
-	assertEqual(t, len(msg.Attachments), 1, "incorrect number of attachments")
-	assertEqual(t, msg.Attachments[0].FileName, "Sample PDF.pdf", "attachment filename does not match")
-	assertEqual(t, len(msg.Inline), 1, "incorrect number of inline attachments")
-	assertEqual(t, msg.Inline[0].FileName, "inline-image.jpg", "inline attachment filename does not match")
-
-	attachmentData, err := GetAttachmentPart(id, msg.Attachments[0].PartID)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	assertEqual(t, float64(len(attachmentData.Content)), msg.Attachments[0].Size, "attachment size does not match")
-
-	inlineData, err := GetAttachmentPart(id, msg.Inline[0].PartID)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	assertEqual(t, float64(len(inlineData.Content)), msg.Inline[0].Size, "inline attachment size does not match")
+	// reset compression
+	config.Compression = 1
 }

 func TestMessageSummary(t *testing.T) {
-	setup()
-	defer Close()
+	for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+		tenantID = config.DBTenantID(tenantID)

-	t.Log("Testing message summary")
+		setup(tenantID)

-	if _, err := Store(&testMimeEmail); err != nil {
-		t.Log("error ", err)
-		t.Fail()
+		if tenantID == "" {
+			t.Log("Testing message summary")
+		} else {
+			t.Logf("Testing message summary (tenant %s)", tenantID)
+		}
+
+		if _, err := Store(&testMimeEmail, nil); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		summaries, err := List(0, 0, 1)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		assertEqual(t, len(summaries), 1, "Expected 1 result")
+
+		msg := summaries[0]
+
+		assertEqual(t, msg.From.Name, "Sender Smith", "\"From\" name does not match")
+		assertEqual(t, msg.From.Address, "sender2@example.com", "\"From\" address does not match")
+		assertEqual(t, msg.Subject, "inline + attachment", "subject does not match")
+		assertEqual(t, len(msg.To), 1, "incorrect number of recipients")
+		assertEqual(t, msg.To[0].Name, "Recipient Ross", "\"To\" name does not match")
+		assertEqual(t, msg.To[0].Address, "recipient2@example.com", "\"To\" address does not match")
+		assertEqual(t, msg.Snippet, "Message with inline image and attachment:", "\"Snippet\" does does not match")
+		assertEqual(t, msg.Attachments, 1, "Expected 1 attachment")
+		assertEqual(t, msg.MessageID, "33af2ac1-c33d-9738-35e3-a6daf90bbd89@gmail.com", "\"MessageID\" does not match")
+
+		Close()
 	}
-
-	summaries, err := List(0, 1)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	assertEqual(t, len(summaries), 1, "Expected 1 result")
-
-	msg := summaries[0]
-
-	assertEqual(t, msg.From.Name, "Sender Smith", "\"From\" name does not match")
-	assertEqual(t, msg.From.Address, "sender2@example.com", "\"From\" address does not match")
-	assertEqual(t, msg.Subject, "inline + attachment", "subject does not match")
-	assertEqual(t, len(msg.To), 1, "incorrect number of recipients")
-	assertEqual(t, msg.To[0].Name, "Recipient Ross", "\"To\" name does not match")
-	assertEqual(t, msg.To[0].Address, "recipient2@example.com", "\"To\" address does not match")
-	assertEqual(t, msg.Snippet, "Message with inline image and attachment:", "\"Snippet\" does does not match")
-	assertEqual(t, msg.Attachments, 1, "Expected 1 attachment")
-	assertEqual(t, msg.MessageID, "33af2ac1-c33d-9738-35e3-a6daf90bbd89@gmail.com", "\"MessageID\" does not match")
 }

 func BenchmarkImportText(b *testing.B) {
-	setup()
+	setup("")
 	defer Close()

 	for i := 0; i < b.N; i++ {
-		if _, err := Store(&testTextEmail); err != nil {
+		if _, err := Store(&testTextEmail, nil); err != nil {
 			b.Log("error ", err)
 			b.Fail()
 		}
@@ -156,14 +194,110 @@ func BenchmarkImportText(b *testing.B) {
 }

 func BenchmarkImportMime(b *testing.B) {
-	setup()
+	setup("")
 	defer Close()

 	for i := 0; i < b.N; i++ {
-		if _, err := Store(&testMimeEmail); err != nil {
+		if _, err := Store(&testMimeEmail, nil); err != nil {
 			b.Log("error ", err)
 			b.Fail()
 		}
 	}

 }
+
+func TestInlineImageContentIdHandling(t *testing.T) {
+	setup("")
+	defer Close()
+	t.Log("Testing inline content handling")
+	// Test case: Proper inline image with Content-Disposition: inline
+	inlineAttachment, err := os.ReadFile("testdata/inline-attachment.eml")
+	if err != nil {
+		t.Fatalf("Failed to read test email: %v", err)
+	}
+	storedMessage, err := Store(&inlineAttachment, nil)
+	if err != nil {
+		t.Fatal("Failed to store test case 1:", err)
+	}
+
+	msg, err := GetMessage(storedMessage)
+	if err != nil {
+		t.Fatal("Failed to retrieve test case 1:", err)
+	}
+	// Assert
+	if len(msg.Inline) != 1 {
+		t.Errorf("Test case 1: Expected 1 inline attachment, got %d", len(msg.Inline))
+	}
+	if len(msg.Attachments) != 0 {
+		t.Errorf("Test case 1: Expected 0 regular attachments, got %d", len(msg.Attachments))
+	}
+	if msg.Inline[0].ContentID != "test1@example.com" {
+		t.Errorf("Test case 1: Expected ContentID 'test1@example.com', got '%s'", msg.Inline[0].ContentID)
+	}
+}
+
+func TestRegularAttachmentHandling(t *testing.T) {
+	setup("")
+	defer Close()
+	t.Log("Testing regular attachment handling")
+	// Test case: Regular attachment without Content-ID
+	regularAttachment, err := os.ReadFile("testdata/regular-attachment.eml")
+	if err != nil {
+		t.Fatalf("Failed to read test email: %v", err)
+	}
+	storedMessage, err := Store(&regularAttachment, nil)
+	if err != nil {
+		t.Fatal("Failed to store test case 3:", err)
+	}
+	msg, err := GetMessage(storedMessage)
+	if err != nil {
+		t.Fatal("Failed to retrieve test case 3:", err)
+	}
+	// Assert
+	if len(msg.Inline) != 0 {
+		t.Errorf("Test case 3: Expected 0 inline attachments, got %d", len(msg.Inline))
+	}
+	if len(msg.Attachments) != 1 {
+		t.Errorf("Test case 3: Expected 1 regular attachment, got %d", len(msg.Attachments))
+	}
+	if msg.Attachments[0].ContentID != "" {
+		t.Errorf("Test case 3: Expected empty ContentID, got '%s'", msg.Attachments[0].ContentID)
+	}
+
+	// Checksum tests
+	assertEqual(t, msg.Attachments[0].Checksums.MD5, "b04930eb1ba0c62066adfa87e5d262c4", "Attachment MD5 checksum does not match")
+	assertEqual(t, msg.Attachments[0].Checksums.SHA1, "15605d6a2fca44e966209d1701f16ecf816df880", "Attachment SHA1 checksum does not match")
+	assertEqual(t, msg.Attachments[0].Checksums.SHA256, "92c4ccff376003381bd9054d3da7b32a3c5661905b55e3b0728c17aba6d223ec", "Attachment SHA256 checksum does not match")
+}
+
+func TestMixedAttachmentHandling(t *testing.T) {
+	setup("")
+	defer Close()
+	t.Log("Testing mixed attachment handling")
+	// Mixed scenario with both inline and regular attachment
+	mixedAttachment, err := os.ReadFile("testdata/mixed-attachment.eml")
+	if err != nil {
+		t.Fatalf("Failed to read test email: %v", err)
+	}
+	storedMessage, err := Store(&mixedAttachment, nil)
+	if err != nil {
+		t.Fatal("Failed to store test case 4:", err)
+	}
+	msg, err := GetMessage(storedMessage)
+	if err != nil {
+		t.Fatal("Failed to retrieve test case 4:", err)
+	}
+	// Assert: Should have 1 inline (with ContentID) and 1 attachment (without ContentID)
+	if len(msg.Inline) != 1 {
+		t.Errorf("Test case 4: Expected 1 inline attachment, got %d", len(msg.Inline))
+	}
+	if len(msg.Attachments) != 1 {
+		t.Errorf("Test case 4: Expected 1 regular attachment, got %d", len(msg.Attachments))
+	}
+	if msg.Inline[0].ContentID != "inline@example.com" {
+		t.Errorf("Test case 4: Expected inline ContentID 'inline@example.com', got '%s'", msg.Inline[0].ContentID)
+	}
+	if msg.Attachments[0].ContentID != "" {
+		t.Errorf("Test case 4: Expected attachment ContentID to be empty, got '%s'", msg.Attachments[0].ContentID)
+	}
+}
--- a/internal/storage/notifications.go
+++ b/internal/storage/notifications.go
@@ -24,8 +24,8 @@ func BroadcastMailboxStats() {
 		time.Sleep(250 * time.Millisecond)
 		bcStatsDelay = false
 		b := struct {
-			Total   float64
-			Unread  float64
+			Total   uint64
+			Unread  uint64
 			Version string
 		}{
 			Total:   CountTotal(),
--- a/internal/storage/reindex.go
+++ b/internal/storage/reindex.go
@@ -11,7 +11,7 @@ import (

 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/tools"
-	"github.com/jhillyerd/enmime"
+	"github.com/jhillyerd/enmime/v2"
 	"github.com/leporo/sqlf"
 )

@@ -27,7 +27,7 @@ func ReindexAll() {
 	err := sqlf.Select("ID").To(&i).
 		From(tenant("mailbox")).
 		OrderBy("Created DESC").
-		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+		QueryAndClose(context.TODO(), db, func(_ *sql.Rows) {
 			ids = append(ids, i)
 		})

@@ -43,12 +43,18 @@ func ReindexAll() {
 	logger.Log().Infof("reindexing %d messages", total)

 	type updateStruct struct {
-		ID         string
+		// ID in database
+		ID string
+		// SearchText for searching
 		SearchText string
-		Snippet    string
-		Metadata   string
+		// Snippet for UI
+		Snippet string
+		// Metadata info
+		Metadata string
 	}

+	parser := enmime.NewParser(enmime.DisableCharacterDetection(true))
+
 	for _, ids := range chunks {
 		updates := []updateStruct{}

@@ -61,29 +67,28 @@ func ReindexAll() {

 			r := bytes.NewReader(raw)

-			env, err := enmime.ReadEnvelope(r)
+			env, err := parser.ReadEnvelope(r)
 			if err != nil {
 				logger.Log().Errorf("[message] %s", err.Error())
 				continue
 			}

-			from := &mail.Address{}
+			meta, _ := GetMetadata(id)
+
 			fromJSON := addressToSlice(env, "From")
 			if len(fromJSON) > 0 {
-				from = fromJSON[0]
+				meta.From = fromJSON[0]
 			} else if env.GetHeader("From") != "" {
-				from = &mail.Address{Name: env.GetHeader("From")}
+				meta.From = &mail.Address{Name: env.GetHeader("From")}
+			} else {
+				meta.From = nil
 			}
+			meta.To = addressToSlice(env, "To")
+			meta.Cc = addressToSlice(env, "Cc")
+			meta.Bcc = addressToSlice(env, "Bcc")
+			meta.ReplyTo = addressToSlice(env, "Reply-To")

-			obj := DBMailSummary{
-				From:    from,
-				To:      addressToSlice(env, "To"),
-				Cc:      addressToSlice(env, "Cc"),
-				Bcc:     addressToSlice(env, "Bcc"),
-				ReplyTo: addressToSlice(env, "Reply-To"),
-			}
-
-			MetadataJSON, err := json.Marshal(obj)
+			MetadataJSON, err := json.Marshal(meta)
 			if err != nil {
 				logger.Log().Errorf("[message] %s", err.Error())
 				continue
@@ -109,7 +114,7 @@ func ReindexAll() {
 		}

 		// roll back if it fails
-		defer tx.Rollback()
+		defer func() { _ = tx.Rollback() }()

 		// insert mail summary data
 		for _, u := range updates {
@@ -135,5 +140,6 @@ func chunkBy[T any](items []T, chunkSize int) (chunks [][]T) {
 	for chunkSize < len(items) {
 		items, chunks = items[chunkSize:], append(chunks, items[0:chunkSize:chunkSize])
 	}
+
 	return append(chunks, items)
 }
--- a/internal/storage/schemas.go
+++ b/internal/storage/schemas.go
@@ -2,20 +2,15 @@ package storage

 import (
 	"bytes"
-	"context"
-	"database/sql"
 	"embed"
-	"encoding/json"
 	"log"
 	"path"
 	"sort"
 	"strings"
 	"text/template"
-	"time"

 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/semver"
-	"github.com/leporo/sqlf"
 )

 //go:embed schemas/*
@@ -63,13 +58,6 @@ func dbApplySchemas() error {
 				}
 			}
 		}
-
-		// delete legacy migration database after 01/10/2024
-		if time.Now().After(time.Date(2024, 10, 1, 0, 0, 0, 0, time.Local)) {
-			if _, err := db.Exec(`DROP TABLE IF EXISTS ` + tenant("darwin_migrations")); err != nil {
-				return err
-			}
-		}
 	}

 	schemaFiles, err := schemaScripts.ReadDir("schemas")
@@ -137,7 +125,9 @@ func dbApplySchemas() error {

 		buf := new(bytes.Buffer)

-		err = t1.Execute(buf, nil)
+		if err := t1.Execute(buf, nil); err != nil {
+			return err
+		}

 		if _, err := db.Exec(buf.String()); err != nil {
 			return err
@@ -159,64 +149,4 @@ func dataMigrations() {
 	if SettingGet("DeletedSize") == "" {
 		_ = SettingPut("DeletedSize", "0")
 	}
-
-	migrateTagsToManyMany()
-}
-
-// Migrate tags to ManyMany structure
-// Migration task implemented 12/2023
-// TODO: Can be removed end 06/2024 and Tags column & index dropped from mailbox
-func migrateTagsToManyMany() {
-	toConvert := make(map[string][]string)
-	q := sqlf.
-		Select("ID, Tags").
-		From(tenant("mailbox")).
-		Where("Tags != ?", "[]").
-		Where("Tags IS NOT NULL")
-
-	if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
-		var id string
-		var jsonTags string
-		if err := row.Scan(&id, &jsonTags); err != nil {
-			logger.Log().Errorf("[migration] %s", err.Error())
-			return
-		}
-
-		tags := []string{}
-
-		if err := json.Unmarshal([]byte(jsonTags), &tags); err != nil {
-			logger.Log().Errorf("[json] %s", err.Error())
-			return
-		}
-
-		toConvert[id] = tags
-	}); err != nil {
-		logger.Log().Errorf("[migration] %s", err.Error())
-	}
-
-	if len(toConvert) > 0 {
-		logger.Log().Infof("[migration] converting %d message tags", len(toConvert))
-		for id, tags := range toConvert {
-			if err := SetMessageTags(id, tags); err != nil {
-				logger.Log().Errorf("[migration] %s", err.Error())
-			} else {
-				if _, err := sqlf.Update(tenant("mailbox")).
-					Set("Tags", nil).
-					Where("ID = ?", id).
-					ExecAndClose(context.TODO(), db); err != nil {
-					logger.Log().Errorf("[migration] %s", err.Error())
-				}
-			}
-		}
-
-		logger.Log().Info("[migration] tags conversion complete")
-	}
-
-	// set all legacy `[]` tags to NULL
-	if _, err := sqlf.Update(tenant("mailbox")).
-		Set("Tags", nil).
-		Where("Tags = ?", "[]").
-		ExecAndClose(context.TODO(), db); err != nil {
-		logger.Log().Errorf("[migration] %s", err.Error())
-	}
 }
--- a/internal/storage/schemas/1.21.2.sql
+++ b/internal/storage/schemas/1.21.2.sql
@@ -0,0 +1,6 @@
+-- DROP LEGACY MIGRATION TABLE
+DROP TABLE IF EXISTS {{ tenant "darwin_migrations" }};
+
+-- DROP LEGACY TAGS COLUMN
+DROP INDEX IF EXISTS {{ tenant "idx_tags" }};
+ALTER TABLE {{ tenant "mailbox" }} DROP COLUMN Tags;
--- a/internal/storage/schemas/1.21.8.sql
+++ b/internal/storage/schemas/1.21.8.sql
@@ -0,0 +1,22 @@
+-- Rebuild message_tags to remove FOREIGN KEY REFERENCES
+PRAGMA foreign_keys=OFF;
+
+DROP INDEX IF EXISTS {{ tenant "idx_message_tag_id" }};
+DROP INDEX IF EXISTS {{ tenant "idx_message_tag_tagid" }};
+
+ALTER TABLE {{ tenant "message_tags" }} RENAME TO _{{ tenant "message_tags" }}_old;
+
+CREATE TABLE IF NOT EXISTS {{ tenant "message_tags" }} (
+	Key INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+	ID TEXT NOT NULL,
+	TagID INTEGER NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_message_tags_id" }} ON {{ tenant "message_tags" }} (ID);
+CREATE INDEX IF NOT EXISTS {{ tenant "idx_message_tags_tagid" }} ON {{ tenant "message_tags" }} (TagID);
+
+INSERT INTO {{ tenant "message_tags" }} SELECT * FROM _{{ tenant "message_tags" }}_old;
+
+DROP TABLE IF EXISTS _{{ tenant "message_tags" }}_old;
+
+PRAGMA foreign_keys=ON;
--- a/internal/storage/schemas/1.23.0.sql
+++ b/internal/storage/schemas/1.23.0.sql
@@ -0,0 +1,5 @@
+-- CREATE Compressed COLUMN IN mailbox_data
+ALTER TABLE {{ tenant "mailbox_data" }} ADD COLUMN Compressed INTEGER NOT NULL DEFAULT '0';
+
+-- SET Compressed = 1 for all existing data
+UPDATE {{ tenant "mailbox_data" }} SET Compressed = 1;
--- a/internal/storage/search.go
+++ b/internal/storage/search.go
@@ -4,13 +4,16 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"fmt"
 	"regexp"
+	"strconv"
 	"strings"
 	"time"

 	"github.com/araddon/dateparse"
 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/tools"
+	"github.com/axllent/mailpit/server/websockets"
 	"github.com/leporo/sqlf"
 )

@@ -18,7 +21,7 @@ import (
 // The search is broken up by segments (exact phrases can be quoted), and interprets specific terms such as:
 // is:read, is:unread, has:attachment, to:<term>, from:<term> & subject:<term>
 // Negative searches also also included by prefixing the search term with a `-` or `!`
-func Search(search, timezone string, start, limit int) ([]MessageSummary, int, error) {
+func Search(search, timezone string, start int, beforeTS int64, limit int) ([]MessageSummary, int, error) {
 	results := []MessageSummary{}
 	allResults := []MessageSummary{}
 	tsStart := time.Now()
@@ -28,15 +31,20 @@ func Search(search, timezone string, start, limit int) ([]MessageSummary, int, e
 	}

 	q := searchQueryBuilder(search, timezone)
+
+	if beforeTS > 0 {
+		q = q.Where(`Created < ?`, beforeTS)
+	}
+
 	var err error

 	if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
-		var created float64
+		var created float64 // use float64 for rqlite compatibility
 		var id string
 		var messageID string
 		var subject string
 		var metadata string
-		var size float64
+		var size float64 // use float64 for rqlite compatibility
 		var attachments int
 		var snippet string
 		var read int
@@ -57,7 +65,7 @@ func Search(search, timezone string, start, limit int) ([]MessageSummary, int, e
 		em.ID = id
 		em.MessageID = messageID
 		em.Subject = subject
-		em.Size = size
+		em.Size = uint64(size)
 		em.Attachments = attachments
 		em.Read = read == 1
 		em.Snippet = snippet
@@ -92,6 +100,39 @@ func Search(search, timezone string, start, limit int) ([]MessageSummary, int, e
 	return results, nrResults, err
 }

+// SearchUnreadCount returns the number of unread messages matching a search.
+// This is run one at a time to allow connected browsers to be updated.
+func SearchUnreadCount(search, timezone string, beforeTS int64) (int64, error) {
+	tsStart := time.Now()
+
+	q := searchQueryBuilder(search, timezone)
+
+	if beforeTS > 0 {
+		q = q.Where(`Created < ?`, beforeTS)
+	}
+
+	var unread float64 // use float64 for rqlite compatibility
+
+	q = q.Where("Read = 0").Select(`COUNT(*)`)
+
+	err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+		var ignore sql.NullString
+		if err := row.Scan(&ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &ignore, &unread); err != nil {
+			logger.Log().Errorf("[db] %s", err.Error())
+			return
+		}
+
+	})
+
+	dbLastAction = time.Now()
+
+	elapsed := time.Since(tsStart)
+
+	logger.Log().Debugf("[db] counted %d unread for \"%s\" in %s", int64(unread), search, elapsed)
+
+	return int64(unread), err
+}
+
 // DeleteSearch will delete all messages for search terms.
 // The search is broken up by segments (exact phrases can be quoted), and interprets specific terms such as:
 // is:read, is:unread, has:attachment, to:<term>, from:<term> & subject:<term>
@@ -100,15 +141,15 @@ func DeleteSearch(search, timezone string) error {
 	q := searchQueryBuilder(search, timezone)

 	ids := []string{}
-	deleteSize := float64(0)
+	deleteSize := uint64(0)

 	if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
-		var created float64
+		var created float64 // use float64 for rqlite compatibility
 		var id string
 		var messageID string
 		var subject string
 		var metadata string
-		var size float64
+		var size float64 // use float64 for rqlite compatibility
 		var attachments int
 		var read int
 		var snippet string
@@ -120,7 +161,7 @@ func DeleteSearch(search, timezone string) error {
 		}

 		ids = append(ids, id)
-		deleteSize = deleteSize + size
+		deleteSize = deleteSize + uint64(size)
 	}); err != nil {
 		return err
 	}
@@ -152,7 +193,7 @@ func DeleteSearch(search, timezone string) error {
 		}

 		// roll back if it fails
-		defer tx.Rollback()
+		defer func() { _ = tx.Rollback() }()

 		for _, ids := range chunks {
 			delIDs := make([]interface{}, len(ids))
@@ -182,18 +223,31 @@ func DeleteSearch(search, timezone string) error {
 			}
 		}

-		err = tx.Commit()
+		if err := tx.Commit(); err != nil {
+			return err
+		}

 		if err := pruneUnusedTags(); err != nil {
 			return err
 		}

-		if err == nil {
-			logger.Log().Debugf("[db] deleted %d messages matching %s", total, search)
-		}
+		logger.Log().Debugf("[db] deleted %d messages matching %s", total, search)

 		dbLastAction = time.Now()
-		addDeletedSize(int64(deleteSize))
+
+		// broadcast changes
+		if len(ids) > 200 {
+			websockets.Broadcast("prune", nil)
+		} else {
+			for _, id := range ids {
+				d := struct {
+					ID string
+				}{ID: id}
+				websockets.Broadcast("delete", d)
+			}
+		}
+
+		addDeletedSize(deleteSize)

 		logMessagesDeleted(total)

@@ -203,6 +257,47 @@ func DeleteSearch(search, timezone string) error {
 	return nil
 }

+// SetSearchReadStatus marks all messages matching the search as read or unread
+func SetSearchReadStatus(search, timezone string, read bool) error {
+	q := searchQueryBuilder(search, timezone).Where("Read = ?", !read)
+
+	ids := []string{}
+
+	if err := q.QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+		var created float64 // use float64 for rqlite compatibility
+		var id string
+		var messageID string
+		var subject string
+		var metadata string
+		var size float64 // use float64 for rqlite compatibility
+		var attachments int
+		var read int
+		var snippet string
+		var ignore string
+
+		if err := row.Scan(&created, &id, &messageID, &subject, &metadata, &size, &attachments, &read, &snippet, &ignore, &ignore, &ignore, &ignore, &ignore); err != nil {
+			logger.Log().Errorf("[db] %s", err.Error())
+			return
+		}
+
+		ids = append(ids, id)
+	}); err != nil {
+		return err
+	}
+
+	if read {
+		if err := MarkRead(ids); err != nil {
+			return err
+		}
+	} else {
+		if err := MarkUnread(ids); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // SearchParser returns the SQL syntax for the database search based on the search arguments
 func searchQueryBuilder(searchString, timezone string) *sqlf.Stmt {
 	// group strings with quotes as a single argument and remove quotes
@@ -244,8 +339,8 @@ func searchQueryBuilder(searchString, timezone string) *sqlf.Stmt {
 			lw = lw[1:]
 		}

-		re := regexp.MustCompile(`[a-zA-Z0-9]+`)
-		if !re.MatchString(w) {
+		// ignore blank searches
+		if len(w) == 0 {
 			continue
 		}

@@ -349,6 +444,12 @@ func searchQueryBuilder(searchString, timezone string) *sqlf.Stmt {
 			} else {
 				q.Where(`m.ID IN (SELECT DISTINCT mt.ID FROM ` + tenant("message_tags") + ` mt JOIN tags t ON mt.TagID = t.ID)`)
 			}
+		} else if lw == "has:inline" || lw == "has:inlines" {
+			if exclude {
+				q.Where("Inline = 0")
+			} else {
+				q.Where("Inline > 0")
+			}
 		} else if lw == "has:attachment" || lw == "has:attachments" {
 			if exclude {
 				q.Where("Attachments = 0")
@@ -385,6 +486,22 @@ func searchQueryBuilder(searchString, timezone string) *sqlf.Stmt {
 					}
 				}
 			}
+		} else if strings.HasPrefix(lw, "larger:") && sizeToBytes(cleanString(w[7:])) > 0 {
+			w = cleanString(w[7:])
+			size := sizeToBytes(w)
+			if exclude {
+				q.Where("Size < ?", size)
+			} else {
+				q.Where("Size > ?", size)
+			}
+		} else if strings.HasPrefix(lw, "smaller:") && sizeToBytes(cleanString(w[8:])) > 0 {
+			w = cleanString(w[8:])
+			size := sizeToBytes(w)
+			if exclude {
+				q.Where("Size > ?", size)
+			} else {
+				q.Where("Size < ?", size)
+			}
 		} else {
 			// search text
 			if exclude {
@@ -397,3 +514,39 @@ func searchQueryBuilder(searchString, timezone string) *sqlf.Stmt {

 	return q
 }
+
+// Simple function to return a size in bytes, eg 2kb, 4MB or 1.5m.
+//
+// K, k, Kb, KB, kB and kb are treated as Kilobytes.
+// M, m, Mb, MB and mb are treated as Megabytes.
+func sizeToBytes(v string) uint64 {
+	v = strings.ToLower(v)
+	re := regexp.MustCompile(`^(\d+)(\.\d+)?\s?([a-z]{1,2})?$`)
+
+	m := re.FindAllStringSubmatch(v, -1)
+	if len(m) == 0 {
+		return 0
+	}
+
+	val := fmt.Sprintf("%s%s", m[0][1], m[0][2])
+	unit := m[0][3]
+
+	i, err := strconv.ParseFloat(strings.TrimSpace(val), 64)
+	if err != nil {
+		return 0
+	}
+
+	if unit == "" {
+		return uint64(i)
+	}
+
+	if unit == "k" || unit == "kb" {
+		return uint64(i * 1024)
+	}
+
+	if unit == "m" || unit == "mb" {
+		return uint64(i * 1024 * 1024)
+	}
+
+	return 0
+}
--- a/internal/storage/search_test.go
+++ b/internal/storage/search_test.go
@@ -6,144 +6,165 @@ import (
 	"math/rand"
 	"testing"

-	"github.com/jhillyerd/enmime"
+	"github.com/axllent/mailpit/config"
+	"github.com/jhillyerd/enmime/v2"
 )

 func TestSearch(t *testing.T) {
-	setup()
-	defer Close()
+	for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+		tenantID = config.DBTenantID(tenantID)

-	t.Log("Testing search")
-	for i := 0; i < testRuns; i++ {
-		msg := enmime.Builder().
-			From(fmt.Sprintf("From %d", i), fmt.Sprintf("from-%d@example.com", i)).
-			CC(fmt.Sprintf("CC %d", i), fmt.Sprintf("cc-%d@example.com", i)).
-			CC(fmt.Sprintf("CC2 %d", i), fmt.Sprintf("cc2-%d@example.com", i)).
-			Subject(fmt.Sprintf("Subject line %d end", i)).
-			Text([]byte(fmt.Sprintf("This is the email body %d <jdsauk;dwqmdqw;>.", i))).
-			To(fmt.Sprintf("To %d", i), fmt.Sprintf("to-%d@example.com", i)).
-			To(fmt.Sprintf("To2 %d", i), fmt.Sprintf("to2-%d@example.com", i)).
-			ReplyTo(fmt.Sprintf("Reply To %d", i), fmt.Sprintf("reply-to-%d@example.com", i))
+		setup(tenantID)

-		env, err := msg.Build()
+		if tenantID == "" {
+			t.Log("Testing search")
+		} else {
+			t.Logf("Testing search (tenant %s)", tenantID)
+		}
+
+		for i := 0; i < testRuns; i++ {
+			msg := enmime.Builder().
+				From(fmt.Sprintf("From %d", i), fmt.Sprintf("from-%d@example.com", i)).
+				CC(fmt.Sprintf("CC %d", i), fmt.Sprintf("cc-%d@example.com", i)).
+				CC(fmt.Sprintf("CC2 %d", i), fmt.Sprintf("cc2-%d@example.com", i)).
+				Subject(fmt.Sprintf("Subject line %d end", i)).
+				Text([]byte(fmt.Sprintf("This is the email body %d <jdsauk;dwqmdqw;>.", i))).
+				To(fmt.Sprintf("To %d", i), fmt.Sprintf("to-%d@example.com", i)).
+				To(fmt.Sprintf("To2 %d", i), fmt.Sprintf("to2-%d@example.com", i)).
+				ReplyTo(fmt.Sprintf("Reply To %d", i), fmt.Sprintf("reply-to-%d@example.com", i))
+
+			env, err := msg.Build()
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+
+			buf := new(bytes.Buffer)
+
+			if err := env.Encode(buf); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+
+			bufBytes := buf.Bytes()
+
+			if _, err := Store(&bufBytes, nil); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+		}
+
+		for i := 1; i < 51; i++ {
+			// search a random something that will return a single result
+			uniqueSearches := []string{
+				fmt.Sprintf("from-%d@example.com", i),
+				fmt.Sprintf("from:from-%d@example.com", i),
+				fmt.Sprintf("to-%d@example.com", i),
+				fmt.Sprintf("to:to-%d@example.com", i),
+				fmt.Sprintf("to2-%d@example.com", i),
+				fmt.Sprintf("to:to2-%d@example.com", i),
+				fmt.Sprintf("cc-%d@example.com", i),
+				fmt.Sprintf("cc:cc-%d@example.com", i),
+				fmt.Sprintf("cc2-%d@example.com", i),
+				fmt.Sprintf("cc:cc2-%d@example.com", i),
+				fmt.Sprintf("reply-to-%d@example.com", i),
+				fmt.Sprintf("reply-to:\"reply-to-%d@example.com\"", i),
+				fmt.Sprintf("\"Subject line %d end\"", i),
+				fmt.Sprintf("subject:\"Subject line %d end\"", i),
+				fmt.Sprintf("\"the email body %d jdsauk dwqmdqw\"", i),
+			}
+			searchIdx := rand.Intn(len(uniqueSearches))
+
+			search := uniqueSearches[searchIdx]
+
+			summaries, _, err := Search(search, "", 0, 0, 100)
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+
+			assertEqual(t, len(summaries), 1, "search result expected")
+
+			assertEqual(t, summaries[0].From.Name, fmt.Sprintf("From %d", i), "\"From\" name does not match")
+			assertEqual(t, summaries[0].From.Address, fmt.Sprintf("from-%d@example.com", i), "\"From\" address does not match")
+			assertEqual(t, summaries[0].To[0].Name, fmt.Sprintf("To %d", i), "\"To\" name does not match")
+			assertEqual(t, summaries[0].To[0].Address, fmt.Sprintf("to-%d@example.com", i), "\"To\" address does not match")
+			assertEqual(t, summaries[0].Subject, fmt.Sprintf("Subject line %d end", i), "\"Subject\" does not match")
+		}
+
+		// search something that will return 200 results
+		summaries, _, err := Search("This is the email body", "", 0, 0, testRuns)
 		if err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
+		assertEqual(t, len(summaries), testRuns, "search results expected")

-		buf := new(bytes.Buffer)
-
-		if err := env.Encode(buf); err != nil {
-			t.Log("error ", err)
-			t.Fail()
-		}
-
-		bufBytes := buf.Bytes()
-
-		if _, err := Store(&bufBytes); err != nil {
-			t.Log("error ", err)
-			t.Fail()
-		}
+		Close()
 	}
-
-	for i := 1; i < 51; i++ {
-		// search a random something that will return a single result
-		uniqueSearches := []string{
-			fmt.Sprintf("from-%d@example.com", i),
-			fmt.Sprintf("from:from-%d@example.com", i),
-			fmt.Sprintf("to-%d@example.com", i),
-			fmt.Sprintf("to:to-%d@example.com", i),
-			fmt.Sprintf("to2-%d@example.com", i),
-			fmt.Sprintf("to:to2-%d@example.com", i),
-			fmt.Sprintf("cc-%d@example.com", i),
-			fmt.Sprintf("cc:cc-%d@example.com", i),
-			fmt.Sprintf("cc2-%d@example.com", i),
-			fmt.Sprintf("cc:cc2-%d@example.com", i),
-			fmt.Sprintf("reply-to-%d@example.com", i),
-			fmt.Sprintf("reply-to:\"reply-to-%d@example.com\"", i),
-			fmt.Sprintf("\"Subject line %d end\"", i),
-			fmt.Sprintf("subject:\"Subject line %d end\"", i),
-			fmt.Sprintf("\"the email body %d jdsauk dwqmdqw\"", i),
-		}
-		searchIdx := rand.Intn(len(uniqueSearches))
-
-		search := uniqueSearches[searchIdx]
-
-		summaries, _, err := Search(search, "", 0, 100)
-		if err != nil {
-			t.Log("error ", err)
-			t.Fail()
-		}
-
-		assertEqual(t, len(summaries), 1, "search result expected")
-
-		assertEqual(t, summaries[0].From.Name, fmt.Sprintf("From %d", i), "\"From\" name does not match")
-		assertEqual(t, summaries[0].From.Address, fmt.Sprintf("from-%d@example.com", i), "\"From\" address does not match")
-		assertEqual(t, summaries[0].To[0].Name, fmt.Sprintf("To %d", i), "\"To\" name does not match")
-		assertEqual(t, summaries[0].To[0].Address, fmt.Sprintf("to-%d@example.com", i), "\"To\" address does not match")
-		assertEqual(t, summaries[0].Subject, fmt.Sprintf("Subject line %d end", i), "\"Subject\" does not match")
-	}
-
-	// search something that will return 200 results
-	summaries, _, err := Search("This is the email body", "", 0, testRuns)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	assertEqual(t, len(summaries), testRuns, "search results expected")
 }

 func TestSearchDelete100(t *testing.T) {
-	setup()
-	defer Close()
+	for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+		tenantID = config.DBTenantID(tenantID)

-	t.Log("Testing search delete of 100 messages")
-	for i := 0; i < 100; i++ {
-		if _, err := Store(&testTextEmail); err != nil {
+		setup(tenantID)
+
+		if tenantID == "" {
+			t.Log("Testing search delete of 100 messages")
+		} else {
+			t.Logf("Testing search delete of 100 messages (tenant %s)", tenantID)
+		}
+
+		for i := 0; i < 100; i++ {
+			if _, err := Store(&testTextEmail, nil); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+			if _, err := Store(&testMimeEmail, nil); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+		}
+
+		_, total, err := Search("from:sender@example.com", "", 0, 0, 100)
+		if err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
-		if _, err := Store(&testMimeEmail); err != nil {
+
+		assertEqual(t, total, 100, "100 search results expected")
+
+		if err := DeleteSearch("from:sender@example.com", ""); err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
+
+		_, total, err = Search("from:sender@example.com", "", 0, 0, 100)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		assertEqual(t, total, 0, "0 search results expected")
+
+		Close()
 	}
-
-	_, total, err := Search("from:sender@example.com", "", 0, 100)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	assertEqual(t, total, 100, "100 search results expected")
-
-	if err := DeleteSearch("from:sender@example.com", ""); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	_, total, err = Search("from:sender@example.com", "", 0, 100)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	assertEqual(t, total, 0, "0 search results expected")
 }

 func TestSearchDelete1100(t *testing.T) {
-	setup()
+	setup("")
 	defer Close()

 	t.Log("Testing search delete of 1100 messages")
 	for i := 0; i < 1100; i++ {
-		if _, err := Store(&testTextEmail); err != nil {
+		if _, err := Store(&testTextEmail, nil); err != nil {
 			t.Log("error ", err)
 			t.Fail()
 		}
 	}

-	_, total, err := Search("from:sender@example.com", "", 0, 100)
+	_, total, err := Search("from:sender@example.com", "", 0, 0, 100)
 	if err != nil {
 		t.Log("error ", err)
 		t.Fail()
@@ -156,7 +177,7 @@ func TestSearchDelete1100(t *testing.T) {
 		t.Fail()
 	}

-	_, total, err = Search("from:sender@example.com", "", 0, 100)
+	_, total, err = Search("from:sender@example.com", "", 0, 0, 100)
 	if err != nil {
 		t.Log("error ", err)
 		t.Fail()
@@ -180,3 +201,25 @@ func TestEscPercentChar(t *testing.T) {
 		assertEqual(t, res, expected, "no match")
 	}
 }
+
+func TestSizeToBytes(t *testing.T) {
+	tests := map[string]uint64{}
+	tests["1m"] = 1048576
+	tests["1mb"] = 1048576
+	tests["1 M"] = 1048576
+	tests["1 MB"] = 1048576
+	tests["1k"] = 1024
+	tests["1kb"] = 1024
+	tests["1 K"] = 1024
+	tests["1 kB"] = 1024
+	tests["1.5M"] = 1572864
+	tests["1234567890"] = 1234567890
+	tests["invalid"] = 0
+	tests["1.2.3"] = 0
+	tests["1.2.3M"] = 0
+
+	for search, expected := range tests {
+		res := sizeToBytes(search)
+		assertEqual(t, res, expected, "size does not match")
+	}
+}
--- a/internal/storage/settings.go
+++ b/internal/storage/settings.go
@@ -15,7 +15,7 @@ func SettingGet(k string) string {
 		Select("Value").To(&result).
 		Where("Key = ?", k).
 		Limit(1).
-		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {})
+		QueryAndClose(context.TODO(), db, func(_ *sql.Rows) {})
 	if err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 		return ""
@@ -35,37 +35,37 @@ func SettingPut(k, v string) error {
 }

 // The total deleted message size as an int64 value
-func getDeletedSize() float64 {
-	var result sql.NullFloat64
+func getDeletedSize() uint64 {
+	var result sql.NullFloat64 // use float64 for rqlite compatibility
 	err := sqlf.From(tenant("settings")).
 		Select("Value").To(&result).
 		Where("Key = ?", "DeletedSize").
 		Limit(1).
-		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {})
+		QueryAndClose(context.TODO(), db, func(_ *sql.Rows) {})
 	if err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 		return 0
 	}

-	return result.Float64
+	return uint64(result.Float64)
 }

 // The total raw non-compressed messages size in bytes of all messages in the database
-func totalMessagesSize() float64 {
+func totalMessagesSize() uint64 {
 	var result sql.NullFloat64
 	err := sqlf.From(tenant("mailbox")).
 		Select("SUM(Size)").To(&result).
-		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {})
+		QueryAndClose(context.TODO(), db, func(_ *sql.Rows) {})
 	if err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 		return 0
 	}

-	return result.Float64
+	return uint64(result.Float64)
 }

 // AddDeletedSize will add the value to the DeletedSize setting
-func addDeletedSize(v int64) {
+func addDeletedSize(v uint64) {
 	if _, err := db.Exec(`INSERT OR IGNORE INTO `+tenant("settings")+` (Key, Value) VALUES(?, ?)`, "DeletedSize", 0); err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 	}
--- a/internal/storage/structs.go
+++ b/internal/storage/structs.go
@@ -3,8 +3,6 @@ package storage
 import (
 	"net/mail"
 	"time"
-
-	"github.com/jhillyerd/enmime"
 )

 // Message data excluding physical attachments
@@ -30,25 +28,27 @@ type Message struct {
 	// Message subject
 	Subject string
 	// List-Unsubscribe header information
-	// swagger:ignore
 	ListUnsubscribe ListUnsubscribe
-	// Message date if set, else date received
+	// Message RFC3339Nano date & time (if set), else date & time received
+	// ([extended RFC3339](https://tools.ietf.org/html/rfc3339#section-5.6) format with optional nano seconds)
 	Date time.Time
 	// Message tags
 	Tags []string
+	// Username used for authentication (if provided) with the SMTP or Send API
+	Username string
 	// Message body text
 	Text string
 	// Message body HTML
 	HTML string
 	// Message size in bytes
-	Size float64
+	Size uint64
 	// Inline message attachments
 	Inline []Attachment
 	// Message attachments
 	Attachments []Attachment
 }

-// Attachment struct for inline and attachments
+// Attachment struct for inline images and attachments
 //
 // swagger:model Attachment
 type Attachment struct {
@@ -61,7 +61,16 @@ type Attachment struct {
 	// Content ID
 	ContentID string
 	// Size in bytes
-	Size float64
+	Size uint64
+	// File checksums
+	Checksums struct {
+		// MD5 checksum hash of file
+		MD5 string
+		// SHA1 checksum hash of file
+		SHA1 string
+		// SHA256 checksum hash of file
+		SHA256 string
+	}
 }

 // MessageSummary struct for frontend messages
@@ -86,12 +95,14 @@ type MessageSummary struct {
 	ReplyTo []*mail.Address
 	// Email subject
 	Subject string
-	// Created time
+	// Received RFC3339Nano date & time ([extended RFC3339](https://tools.ietf.org/html/rfc3339#section-5.6) format with optional nano seconds)
 	Created time.Time
+	// Username used for authentication (if provided) with the SMTP or Send API
+	Username string
 	// Message tags
 	Tags []string
 	// Message size in bytes (total)
-	Size float64
+	Size uint64
 	// Whether the message has any attachments
 	Attachments int
 	// Message snippet includes up to 250 characters
@@ -100,33 +111,19 @@ type MessageSummary struct {

 // MailboxStats struct for quick mailbox total/read lookups
 type MailboxStats struct {
-	Total  float64
-	Unread float64
+	Total  uint64
+	Unread uint64
 	Tags   []string
 }

-// DBMailSummary struct for storing mail summary
-type DBMailSummary struct {
-	From    *mail.Address
-	To      []*mail.Address
-	Cc      []*mail.Address
-	Bcc     []*mail.Address
-	ReplyTo []*mail.Address
-}
-
-// AttachmentSummary returns a summary of the attachment without any binary data
-func AttachmentSummary(a *enmime.Part) Attachment {
-	o := Attachment{}
-	o.PartID = a.PartID
-	o.FileName = a.FileName
-	if o.FileName == "" {
-		o.FileName = a.ContentID
-	}
-	o.ContentType = a.ContentType
-	o.ContentID = a.ContentID
-	o.Size = float64(len(a.Content))
-
-	return o
+// Metadata struct for storing message metadata
+type Metadata struct {
+	From     *mail.Address   `json:"From,omitempty"`
+	To       []*mail.Address `json:"To,omitempty"`
+	Cc       []*mail.Address `json:"Cc,omitempty"`
+	Bcc      []*mail.Address `json:"Bcc,omitempty"`
+	ReplyTo  []*mail.Address `json:"ReplyTo,omitempty"`
+	Username string          `json:"Username,omitempty"`
 }

 // ListUnsubscribe contains a summary of List-Unsubscribe & List-Unsubscribe-Post headers
@@ -134,10 +131,10 @@ func AttachmentSummary(a *enmime.Part) Attachment {
 type ListUnsubscribe struct {
 	// List-Unsubscribe header value
 	Header string
-	// Detected links, maximum one email and one HTTP(S)
+	// Detected links, maximum one email and one HTTP(S) link
 	Links []string
-	// Validation errors if any
+	// Validation errors (if any)
 	Errors string
-	// List-Unsubscribe-Post value if set
+	// List-Unsubscribe-Post value (if set)
 	HeaderPost string
 }
--- a/internal/storage/tagfilters.go
+++ b/internal/storage/tagfilters.go
@@ -13,9 +13,12 @@ import (

 // TagFilter struct
 type TagFilter struct {
+	// Match is the user-defined match
 	Match string
-	SQL   *sqlf.Stmt
-	Tags  []string
+	// SQL represents the SQL equivalent of Match
+	SQL *sqlf.Stmt
+	// Tags to add on match
+	Tags []string
 }

 var tagFilters = []TagFilter{}
@@ -30,7 +33,7 @@ func LoadTagFilters() {
 			logger.Log().Warnf("[tags] ignoring tag item with missing 'match'")
 			continue
 		}
-		if t.Tags == nil || len(t.Tags) == 0 {
+		if len(t.Tags) == 0 {
 			logger.Log().Warnf("[tags] ignoring tag items with missing 'tags' array")
 			continue
 		}
--- a/internal/storage/tags.go
+++ b/internal/storage/tags.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"database/sql"
+	"fmt"
 	"regexp"
 	"sort"
 	"strings"
@@ -12,6 +13,7 @@ import (
 	"github.com/axllent/mailpit/config"
 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/tools"
+	"github.com/axllent/mailpit/server/websockets"
 	"github.com/leporo/sqlf"
 )

@@ -21,7 +23,7 @@ var (
 )

 // SetMessageTags will set the tags for a given database ID, removing any not in the array
-func SetMessageTags(id string, tags []string) error {
+func SetMessageTags(id string, tags []string) ([]string, error) {
 	applyTags := []string{}
 	for _, t := range tags {
 		t = tools.CleanTag(t)
@@ -30,6 +32,7 @@ func SetMessageTags(id string, tags []string) error {
 		}
 	}

+	tagNames := []string{}
 	currentTags := getMessageTags(id)
 	origTagCount := len(currentTags)

@@ -38,9 +41,12 @@ func SetMessageTags(id string, tags []string) error {
 			continue
 		}

-		if err := AddMessageTag(id, t); err != nil {
-			return err
+		name, err := addMessageTag(id, t)
+		if err != nil {
+			return []string{}, err
 		}
+
+		tagNames = append(tagNames, name)
 	}

 	if origTagCount > 0 {
@@ -48,43 +54,52 @@ func SetMessageTags(id string, tags []string) error {

 		for _, t := range currentTags {
 			if !tools.InArray(t, applyTags) {
-				if err := DeleteMessageTag(id, t); err != nil {
-					return err
+				if err := deleteMessageTag(id, t); err != nil {
+					return []string{}, err
 				}
 			}
 		}
 	}

-	return nil
+	d := struct {
+		ID   string
+		Tags []string
+	}{ID: id, Tags: applyTags}
+
+	websockets.Broadcast("update", d)
+
+	return tagNames, nil
 }

 // AddMessageTag adds a tag to a message
-func AddMessageTag(id, name string) error {
+func addMessageTag(id, name string) (string, error) {
 	// prevent two identical tags being added at the same time
 	addTagMutex.Lock()

 	var tagID int
+	var foundName sql.NullString

 	q := sqlf.From(tenant("tags")).
 		Select("ID").To(&tagID).
+		Select("Name").To(&foundName).
 		Where("Name = ?", name)

 	// if tag exists - add tag to message
 	if err := q.QueryRowAndClose(context.TODO(), db); err == nil {
 		addTagMutex.Unlock()
 		// check message does not already have this tag
-		var count int
+		var exists int

 		if err := sqlf.From(tenant("message_tags")).
-			Select("COUNT(ID)").To(&count).
+			Select("COUNT(ID)").To(&exists).
 			Where("ID = ?", id).
 			Where("TagID = ?", tagID).
 			QueryRowAndClose(context.Background(), db); err != nil {
-			return err
+			return "", err
 		}
-		if count > 0 {
+		if exists > 0 {
 			// already exists
-			return nil
+			return foundName.String, nil
 		}

 		logger.Log().Debugf("[tags] adding tag \"%s\" to %s", name, id)
@@ -93,7 +108,8 @@ func AddMessageTag(id, name string) error {
 			Set("ID", id).
 			Set("TagID", tagID).
 			ExecAndClose(context.TODO(), db)
-		return err
+
+		return foundName.String, err
 	}

 	// new tag, add to the database
@@ -101,31 +117,20 @@ func AddMessageTag(id, name string) error {
 		Set("Name", name).
 		ExecAndClose(context.TODO(), db); err != nil {
 		addTagMutex.Unlock()
-		return err
+		return name, err
 	}

 	addTagMutex.Unlock()

 	// add tag to the message
-	return AddMessageTag(id, name)
+	return addMessageTag(id, name)
 }

-// DeleteMessageTag deleted a tag from a message
-func DeleteMessageTag(id, name string) error {
-	if _, err := sqlf.DeleteFrom(tenant("message_tags")).
-		Where(tenant("message_tags.ID")+" = ?", id).
-		Where(tenant("message_tags.Key")+` IN (SELECT Key FROM `+tenant("message_tags")+` LEFT JOIN tags ON `+tenant("TagID")+"="+tenant("tags.ID")+` WHERE Name = ?)`, name).
-		ExecAndClose(context.TODO(), db); err != nil {
-		return err
-	}
-
-	return pruneUnusedTags()
-}
-
-// DeleteAllMessageTags deleted all tags from a message
-func DeleteAllMessageTags(id string) error {
+// DeleteMessageTag deletes a tag from a message
+func deleteMessageTag(id, name string) error {
 	if _, err := sqlf.DeleteFrom(tenant("message_tags")).
 		Where(tenant("message_tags.ID")+" = ?", id).
+		Where(tenant("message_tags.Key")+` IN (SELECT Key FROM `+tenant("message_tags")+` LEFT JOIN `+tenant("tags")+` ON TagID=`+tenant("tags.ID")+` WHERE Name = ?)`, name).
 		ExecAndClose(context.TODO(), db); err != nil {
 		return err
 	}
@@ -142,7 +147,7 @@ func GetAllTags() []string {
 		Select(`DISTINCT Name`).
 		From(tenant("tags")).To(&name).
 		OrderBy("Name").
-		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+		QueryAndClose(context.TODO(), db, func(_ *sql.Rows) {
 			tags = append(tags, name)
 		}); err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
@@ -155,7 +160,7 @@ func GetAllTags() []string {
 func GetAllTagsCount() map[string]int64 {
 	var tags = make(map[string]int64)
 	var name string
-	var total int64
+	var total float64 // use float64 for rqlite compatibility

 	if err := sqlf.
 		Select(`Name`).To(&name).
@@ -164,9 +169,8 @@ func GetAllTagsCount() map[string]int64 {
 		LeftJoin(tenant("message_tags"), tenant("tags.ID")+" = "+tenant("message_tags.TagID")).
 		GroupBy(tenant("message_tags.TagID")).
 		OrderBy("Name").
-		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
-			tags[name] = total
-			// tags = append(tags, name)
+		QueryAndClose(context.TODO(), db, func(_ *sql.Rows) {
+			tags[name] = int64(total)
 		}); err != nil {
 		logger.Log().Errorf("[db] %s", err.Error())
 	}
@@ -174,6 +178,79 @@ func GetAllTagsCount() map[string]int64 {
 	return tags
 }

+// RenameTag renames a tag
+func RenameTag(from, to string) error {
+	to = tools.CleanTag(to)
+	if to == "" || !config.ValidTagRegexp.MatchString(to) {
+		return fmt.Errorf("invalid tag name: %s", to)
+	}
+
+	if from == to {
+		return nil // ignore
+	}
+
+	var id, existsID int
+
+	q := sqlf.From(tenant("tags")).
+		Select(`ID`).To(&id).
+		Where(`Name = ?`, from).
+		Limit(1)
+	err := q.QueryRowAndClose(context.Background(), db)
+	if err != nil {
+		return fmt.Errorf("tag not found: %s", from)
+	}
+
+	// check if another tag by this name already exists
+	q = sqlf.From(tenant("tags")).
+		Select("ID").To(&existsID).
+		Where(`Name = ?`, to).
+		Where(`ID != ?`, id).
+		Limit(1)
+	err = q.QueryRowAndClose(context.Background(), db)
+	if err == nil || existsID != 0 {
+		return fmt.Errorf("tag already exists: %s", to)
+	}
+
+	q = sqlf.Update(tenant("tags")).
+		Set("Name", to).
+		Where("ID = ?", id)
+	_, err = q.ExecAndClose(context.Background(), db)
+
+	return err
+}
+
+// DeleteTag deleted a tag and removed all references to the tag
+func DeleteTag(tag string) error {
+	var id int
+
+	q := sqlf.From(tenant("tags")).
+		Select(`ID`).To(&id).
+		Where(`Name = ?`, tag).
+		Limit(1)
+	err := q.QueryRowAndClose(context.Background(), db)
+	if err != nil {
+		return fmt.Errorf("tag not found: %s", tag)
+	}
+
+	// delete all references
+	q = sqlf.DeleteFrom(tenant("message_tags")).
+		Where(`TagID = ?`, id)
+	_, err = q.ExecAndClose(context.Background(), db)
+	if err != nil {
+		return fmt.Errorf("error deleting tag references: %s", err.Error())
+	}
+
+	// delete tag
+	q = sqlf.DeleteFrom(tenant("tags")).
+		Where(`ID = ?`, id)
+	_, err = q.ExecAndClose(context.Background(), db)
+	if err != nil {
+		return fmt.Errorf("error deleting tag: %s", err.Error())
+	}
+
+	return nil
+}
+
 // PruneUnusedTags will delete all unused tags from the database
 func pruneUnusedTags() error {
 	q := sqlf.From(tenant("tags")).
@@ -235,7 +312,7 @@ func findTagsInRawMessage(message *[]byte) []string {
 }

 // Returns tags found in email plus addresses (eg: test+tagname@example.com)
-func (d DBMailSummary) tagsFromPlusAddresses() []string {
+func (d Metadata) tagsFromPlusAddresses() []string {
 	tags := []string{}
 	for _, c := range d.To {
 		matches := addressPlusRe.FindAllStringSubmatch(c.Address, 1)
@@ -275,7 +352,7 @@ func getMessageTags(id string) []string {
 		LeftJoin(tenant("message_tags"), tenant("Tags.ID")+"="+tenant("message_tags.TagID")).
 		Where(tenant("message_tags.ID")+` = ?`, id).
 		OrderBy("Name").
-		QueryAndClose(context.TODO(), db, func(row *sql.Rows) {
+		QueryAndClose(context.TODO(), db, func(_ *sql.Rows) {
 			tags = append(tags, name)
 		}); err != nil {
 		logger.Log().Errorf("[tags] %s", err.Error())
--- a/internal/storage/tags_test.go
+++ b/internal/storage/tags_test.go
@@ -1,130 +1,201 @@
 package storage

 import (
+	"context"
 	"fmt"
 	"strings"
 	"testing"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/leporo/sqlf"
 )

 func TestTags(t *testing.T) {
-	setup()
+
+	for _, tenantID := range []string{"", "MyServer 3", "host.example.com"} {
+		tenantID = config.DBTenantID(tenantID)
+
+		setup(tenantID)
+
+		if tenantID == "" {
+			t.Log("Testing tags")
+		} else {
+			t.Logf("Testing tags (tenant %s)", tenantID)
+		}
+
+		ids := []string{}
+
+		for i := 0; i < 10; i++ {
+			id, err := Store(&testMimeEmail, nil)
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+			ids = append(ids, id)
+		}
+
+		for i := 0; i < 10; i++ {
+			if _, err := SetMessageTags(ids[i], []string{fmt.Sprintf("Tag-%d", i)}); err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+		}
+
+		for i := 0; i < 10; i++ {
+			message, err := GetMessage(ids[i])
+			if err != nil {
+				t.Log("error ", err)
+				t.Fail()
+			}
+
+			if len(message.Tags) != 1 || message.Tags[0] != fmt.Sprintf("Tag-%d", i) {
+				t.Fatal("Message tags do not match")
+			}
+		}
+
+		if err := DeleteAllMessages(); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		// test 20 tags
+		id, err := Store(&testMimeEmail, nil)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		newTags := []string{}
+		for i := 0; i < 20; i++ {
+			// pad number with 0 to ensure they are returned alphabetically
+			newTags = append(newTags, fmt.Sprintf("AnotherTag %02d", i))
+		}
+		if _, err := SetMessageTags(id, newTags); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		returnedTags := getMessageTags(id)
+		assertEqual(t, strings.Join(newTags, "|"), strings.Join(returnedTags, "|"), "Message tags do not match")
+
+		// remove first tag
+		if err := deleteMessageTag(id, newTags[0]); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		returnedTags = getMessageTags(id)
+		assertEqual(t, strings.Join(newTags[1:], "|"), strings.Join(returnedTags, "|"), "Message tags do not match after deleting 1")
+
+		// remove all tags
+		if err := deleteAllMessageTags(id); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		returnedTags = getMessageTags(id)
+		assertEqual(t, "", strings.Join(returnedTags, "|"), "Message tags should be empty")
+
+		// apply the same tag twice
+		if _, err := SetMessageTags(id, []string{"Duplicate Tag", "Duplicate Tag"}); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		returnedTags = getMessageTags(id)
+		assertEqual(t, "Duplicate Tag", strings.Join(returnedTags, "|"), "Message tags should be duplicated")
+		if err := deleteAllMessageTags(id); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		// apply tag with invalid characters
+		if _, err := SetMessageTags(id, []string{"Dirty! \"Tag\""}); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+		returnedTags = getMessageTags(id)
+		assertEqual(t, "Dirty Tag", strings.Join(returnedTags, "|"), "Dirty message tag did not clean as expected")
+		if err := deleteAllMessageTags(id); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		// Check deleted message tags also prune the tags database
+		allTags := GetAllTags()
+		assertEqual(t, "", strings.Join(allTags, "|"), "Tags did not delete as expected")
+
+		if err := DeleteAllMessages(); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		// test 20 tags
+		id, err = Store(&testTagEmail, nil)
+		if err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		returnedTags = getMessageTags(id)
+		assertEqual(t, "BccTag|CcTag|FromFag|ToTag|X-tag1|X-tag2", strings.Join(returnedTags, "|"), "Tags not detected correctly")
+		if err := deleteAllMessageTags(id); err != nil {
+			t.Log("error ", err)
+			t.Fail()
+		}
+
+		Close()
+	}
+
+}
+func TestUsernameAutoTagging(t *testing.T) {
+	setup("")
 	defer Close()

-	t.Log("Testing tags")
+	username := "testuser"

-	ids := []string{}
-
-	for i := 0; i < 10; i++ {
-		id, err := Store(&testMimeEmail)
+	t.Run("Auto-tagging enabled", func(t *testing.T) {
+		config.TagsUsername = true
+		id, err := Store(&testTextEmail, &username)
 		if err != nil {
-			t.Log("error ", err)
-			t.Fail()
+			t.Fatalf("Store failed: %v", err)
 		}
-		ids = append(ids, id)
-	}
-
-	for i := 0; i < 10; i++ {
-		if err := SetMessageTags(ids[i], []string{fmt.Sprintf("Tag-%d", i)}); err != nil {
-			t.Log("error ", err)
-			t.Fail()
-		}
-	}
-
-	for i := 0; i < 10; i++ {
-		message, err := GetMessage(ids[i])
+		msg, err := GetMessage(id)
 		if err != nil {
-			t.Log("error ", err)
-			t.Fail()
+			t.Fatalf("GetMessage failed: %v", err)
 		}
-
-		if len(message.Tags) != 1 || message.Tags[0] != fmt.Sprintf("Tag-%d", i) {
-			t.Fatal("Message tags do not match")
+		found := false
+		for _, tag := range msg.Tags {
+			if tag == username {
+				found = true
+				break
+			}
 		}
-	}
+		if !found {
+			t.Errorf("Expected username '%s' in tags, got %v", username, msg.Tags)
+		}
+	})

-	if err := DeleteAllMessages(); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	// test 20 tags
-	id, err := Store(&testMimeEmail)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	newTags := []string{}
-	for i := 0; i < 20; i++ {
-		// pad number with 0 to ensure they are returned alphabetically
-		newTags = append(newTags, fmt.Sprintf("AnotherTag %02d", i))
-	}
-	if err := SetMessageTags(id, newTags); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	returnedTags := getMessageTags(id)
-	assertEqual(t, strings.Join(newTags, "|"), strings.Join(returnedTags, "|"), "Message tags do not match")
-
-	// remove first tag
-	if err := DeleteMessageTag(id, newTags[0]); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	returnedTags = getMessageTags(id)
-	assertEqual(t, strings.Join(newTags[1:], "|"), strings.Join(returnedTags, "|"), "Message tags do not match after deleting 1")
-
-	// remove all tags
-	if err := DeleteAllMessageTags(id); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	returnedTags = getMessageTags(id)
-	assertEqual(t, "", strings.Join(returnedTags, "|"), "Message tags should be empty")
-
-	// apply the same tag twice
-	if err := SetMessageTags(id, []string{"Duplicate Tag", "Duplicate Tag"}); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	returnedTags = getMessageTags(id)
-	assertEqual(t, "Duplicate Tag", strings.Join(returnedTags, "|"), "Message tags should be duplicated")
-	if err := DeleteAllMessageTags(id); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	// apply tag with invalid characters
-	if err := SetMessageTags(id, []string{"Dirty! \"Tag\""}); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-	returnedTags = getMessageTags(id)
-	assertEqual(t, "Dirty Tag", strings.Join(returnedTags, "|"), "Dirty message tag did not clean as expected")
-	if err := DeleteAllMessageTags(id); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	// Check deleted message tags also prune the tags database
-	allTags := GetAllTags()
-	assertEqual(t, "", strings.Join(allTags, "|"), "Tags did not delete as expected")
-
-	if err := DeleteAllMessages(); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	// test 20 tags
-	id, err = Store(&testTagEmail)
-	if err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
-
-	returnedTags = getMessageTags(id)
-	assertEqual(t, "BccTag|CcTag|FromFag|ToTag|X-tag1|X-tag2", strings.Join(returnedTags, "|"), "Tags not detected correctly")
-	if err := DeleteAllMessageTags(id); err != nil {
-		t.Log("error ", err)
-		t.Fail()
-	}
+	t.Run("Auto-tagging disabled", func(t *testing.T) {
+		config.TagsUsername = false
+		id, err := Store(&testTextEmail, &username)
+		if err != nil {
+			t.Fatalf("Store failed: %v", err)
+		}
+		msg, err := GetMessage(id)
+		if err != nil {
+			t.Fatalf("GetMessage failed: %v", err)
+		}
+		for _, tag := range msg.Tags {
+			if tag == username {
+				t.Errorf("Did not expect username '%s' in tags when disabled, got %v", username, msg.Tags)
+			}
+		}
+	})
+}
+
+// DeleteAllMessageTags deleted all tags from a message
+func deleteAllMessageTags(id string) error {
+	if _, err := sqlf.DeleteFrom(tenant("message_tags")).
+		Where(tenant("message_tags.ID")+" = ?", id).
+		ExecAndClose(context.TODO(), db); err != nil {
+		return err
+	}
+
+	return pruneUnusedTags()
 }
--- a/internal/storage/testdata/inline-attachment.eml
+++ b/internal/storage/testdata/inline-attachment.eml
@@ -0,0 +1,20 @@
+From: sender@example.com
+To: recipient@example.com
+Subject: Test inline image proper
+MIME-Version: 1.0
+Content-Type: multipart/related; boundary="boundary123"
+
+--boundary123
+Content-Type: text/html; charset=utf-8
+
+<html><body><img src="cid:test1@example.com" alt="Test"/></body></html>
+
+--boundary123
+Content-Type: image/png; name="test1.png"
+Content-Disposition: inline; filename="test1.png"
+Content-ID: <test1@example.com>
+Content-Transfer-Encoding: base64
+
+iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8/5+hHgAHggJ/PchI7wAAAABJRU5ErkJggg==
+
+--boundary123--
--- a/internal/storage/testdata/mixed-attachment.eml
+++ b/internal/storage/testdata/mixed-attachment.eml
@@ -0,0 +1,27 @@
+From: sender@example.com
+To: recipient@example.com
+Subject: Test mixed attachments
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="boundary111"
+
+--boundary111
+Content-Type: text/html; charset=utf-8
+
+<html><body><img src="cid:inline@example.com" alt="Inline"/><p>Document attached</p></body></html>
+
+--boundary111
+Content-Type: image/png; name="inline.png"
+Content-Disposition: inline; filename="inline.png"
+Content-ID: <inline@example.com>
+Content-Transfer-Encoding: base64
+
+iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8/5+hHgAHggJ/PchI7wAAAABJRU5ErkJggg==
+
+--boundary111
+Content-Type: application/pdf; name="document.pdf"
+Content-Disposition: attachment; filename="document.pdf"
+Content-Transfer-Encoding: base64
+
+JVBERi0xLjQKJcOkw7zDtsOfCjIgMCBvYmoKPDwvTGVuZ3RoIDMgMCBSL0ZpbHRlci9GbGF0ZURlY29kZT4+CnN0cmVhbQo=
+
+--boundary111--
--- a/internal/storage/testdata/regular-attachment.eml
+++ b/internal/storage/testdata/regular-attachment.eml
@@ -0,0 +1,19 @@
+From: sender@example.com
+To: recipient@example.com
+Subject: Test regular attachment
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="boundary789"
+
+--boundary789
+Content-Type: text/html; charset=utf-8
+
+<html><body><p>Message with regular attachment</p></body></html>
+
+--boundary789
+Content-Type: application/pdf; name="document.pdf"
+Content-Disposition: attachment; filename="document.pdf"
+Content-Transfer-Encoding: base64
+
+JVBERi0xLjQKJcOkw7zDtsOfCjIgMCBvYmoKPDwvTGVuZ3RoIDMgMCBSL0ZpbHRlci9GbGF0ZURlY29kZT4+CnN0cmVhbQo=
+
+--boundary789--
--- a/internal/storage/utils.go
+++ b/internal/storage/utils.go
@@ -8,16 +8,32 @@ import (
 	"sync"

 	"github.com/axllent/mailpit/internal/html2text"
-	"github.com/jhillyerd/enmime"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/tools"
+	"github.com/jhillyerd/enmime/v2"
 )

 var (
 	// for stats to prevent import cycle
 	mu sync.RWMutex
 	// StatsDeleted for counting the number of messages deleted
-	StatsDeleted float64
+	StatsDeleted uint64
 )

+// AddTempFile adds a file to the slice of files to delete on exit
+func AddTempFile(s string) {
+	temporaryFiles = append(temporaryFiles, s)
+}
+
+// DeleteTempFiles will delete files added via AddTempFiles
+func deleteTempFiles() {
+	for _, f := range temporaryFiles {
+		if err := os.Remove(f); err == nil {
+			logger.Log().Debugf("removed temporary file: %s", f)
+		}
+	}
+}
+
 // Return a header field as a []*mail.Address, or "null" is not found/empty
 func addressToSlice(env *enmime.Envelope, key string) []*mail.Address {
 	data, err := env.AddressList(key)
@@ -73,7 +89,7 @@ func cleanString(str string) string {
 // LogMessagesDeleted logs the number of messages deleted
 func logMessagesDeleted(n int) {
 	mu.Lock()
-	StatsDeleted = StatsDeleted + float64(n)
+	StatsDeleted = StatsDeleted + tools.SafeUint64(n)
 	mu.Unlock()
 }

--- a/internal/tools/fs.go
+++ b/internal/tools/fs.go
@@ -0,0 +1,23 @@
+package tools
+
+import (
+	"os"
+	"path/filepath"
+)
+
+// IsFile returns whether a file exists and is readable
+func IsFile(path string) bool {
+	f, err := os.Open(filepath.Clean(path))
+	defer func() { _ = f.Close() }()
+	return err == nil
+}
+
+// IsDir returns whether a path is a directory
+func IsDir(path string) bool {
+	info, err := os.Stat(path)
+	if err != nil || os.IsNotExist(err) || !info.IsDir() {
+		return false
+	}
+
+	return true
+}
--- a/internal/tools/headers.go
+++ b/internal/tools/headers.go
@@ -0,0 +1,160 @@
+// Package tools provides various methods for various things
+package tools
+
+import (
+	"bufio"
+	"bytes"
+	"net/mail"
+	"regexp"
+	"strings"
+
+	"github.com/axllent/mailpit/internal/logger"
+)
+
+// RemoveMessageHeaders scans a message for headers, if found them removes them.
+// It will only remove a single instance of any given message header.
+func RemoveMessageHeaders(msg []byte, headers []string) ([]byte, error) {
+	reader := bytes.NewReader(msg)
+	m, err := mail.ReadMessage(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	reBlank := regexp.MustCompile(`^\s+`)
+
+	for _, hdr := range headers {
+		// case-insensitive
+		reHdr := regexp.MustCompile(`(?i)^` + regexp.QuoteMeta(hdr+":"))
+
+		// header := []byte(hdr + ":")
+		if m.Header.Get(hdr) != "" {
+			scanner := bufio.NewScanner(bytes.NewReader(msg))
+			found := false
+			hdr := []byte("")
+			for scanner.Scan() {
+				line := scanner.Bytes()
+				if !found && reHdr.Match(line) {
+					// add the first line starting with <header>:
+					hdr = append(hdr, line...)
+					hdr = append(hdr, []byte("\r\n")...)
+					found = true
+				} else if found && reBlank.Match(line) {
+					// add any following lines starting with a whitespace (tab or space)
+					hdr = append(hdr, line...)
+					hdr = append(hdr, []byte("\r\n")...)
+				} else if found {
+					// stop scanning, we have the full <header>
+					break
+				}
+			}
+
+			if len(hdr) > 0 {
+				logger.Log().Debugf("[relay] removed %s header", hdr)
+				msg = bytes.Replace(msg, hdr, []byte(""), 1)
+			}
+		}
+	}
+
+	return msg, nil
+}
+
+// SetMessageHeader scans a message for a header and updates its value if found.
+// It does not consider multiple instances of the same header.
+// If not found it will add the header to the beginning of the message.
+func SetMessageHeader(msg []byte, header, value string) ([]byte, error) {
+	reader := bytes.NewReader(msg)
+	m, err := mail.ReadMessage(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	if m.Header.Get(header) != "" {
+		reBlank := regexp.MustCompile(`^\s+`)
+		reHdr := regexp.MustCompile(`(?i)^` + regexp.QuoteMeta(header+":"))
+
+		scanner := bufio.NewScanner(bytes.NewReader(msg))
+		found := false
+		hdr := []byte("")
+		for scanner.Scan() {
+			line := scanner.Bytes()
+			if !found && reHdr.Match(line) {
+				// add the first line starting with <header>:
+				hdr = append(hdr, line...)
+				hdr = append(hdr, []byte("\r\n")...)
+				found = true
+			} else if found && reBlank.Match(line) {
+				// add any following lines starting with a whitespace (tab or space)
+				hdr = append(hdr, line...)
+				hdr = append(hdr, []byte("\r\n")...)
+			} else if found {
+				// stop scanning, we have the full <header>
+				break
+			}
+		}
+
+		return bytes.Replace(msg, hdr, []byte(header+": "+value+"\r\n"), 1), nil
+	}
+
+	// no header, so add one to beginning
+	return append([]byte(header+": "+value+"\r\n"), msg...), nil
+}
+
+// OverrideFromHeader scans a message for the From header and replaces it with a different email address.
+func OverrideFromHeader(msg []byte, address string) ([]byte, error) {
+	reader := bytes.NewReader(msg)
+	m, err := mail.ReadMessage(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	if m.Header.Get("From") != "" {
+		reBlank := regexp.MustCompile(`^\s+`)
+		reHdr := regexp.MustCompile(`(?i)^` + regexp.QuoteMeta("From:"))
+
+		scanner := bufio.NewScanner(bytes.NewReader(msg))
+		found := false
+		hdr := []byte("")
+		for scanner.Scan() {
+			line := scanner.Bytes()
+			if !found && reHdr.Match(line) {
+				// add the first line starting with <header>:
+				hdr = append(hdr, line...)
+				hdr = append(hdr, []byte("\r\n")...)
+				found = true
+			} else if found && reBlank.Match(line) {
+				// add any following lines starting with a whitespace (tab or space)
+				hdr = append(hdr, line...)
+				hdr = append(hdr, []byte("\r\n")...)
+			} else if found {
+				// stop scanning, we have the full <header>
+				break
+			}
+		}
+
+		if len(hdr) > 0 {
+			originalFrom := strings.TrimRight(string(hdr[5:]), "\r\n")
+
+			from, err := mail.ParseAddress(originalFrom)
+			if err != nil {
+				// error parsing the from address, so just replace the whole line
+				msg = bytes.Replace(msg, hdr, []byte("From: "+address+"\r\n"), 1)
+			} else {
+				originalFrom = from.Address
+				// replace the from email, but keep the original name
+				from.Address = address
+				msg = bytes.Replace(msg, hdr, []byte("From: "+from.String()+"\r\n"), 1)
+			}
+
+			// insert the original From header as X-Original-From
+			msg = append([]byte("X-Original-From: "+originalFrom+"\r\n"), msg...)
+
+			logger.Log().Debugf("[relay] Replaced From email address with %s", address)
+		}
+	} else {
+		// no From header, so add one
+		msg = append([]byte("From: "+address+"\r\n"), msg...)
+		logger.Log().Debugf("[relay] Added From email: %s", address)
+	}
+
+	return msg, nil
+}
--- a/internal/tools/html.go
+++ b/internal/tools/html.go
@@ -17,3 +17,34 @@ func GetHTMLAttributeVal(e *html.Node, key string) (string, error) {

 	return "", fmt.Errorf("%s not found", key)
 }
+
+// SetHTMLAttributeVal sets an attribute on a node.
+func SetHTMLAttributeVal(n *html.Node, key, val string) {
+	for i := range n.Attr {
+		a := &n.Attr[i]
+		if a.Key == key {
+			a.Val = val
+			return
+		}
+	}
+	n.Attr = append(n.Attr, html.Attribute{
+		Key: key,
+		Val: val,
+	})
+}
+
+// WalkHTML traverses the entire HTML tree and calls fn on each node.
+func WalkHTML(n *html.Node, fn func(*html.Node)) {
+	if n == nil {
+		return
+	}
+
+	fn(n)
+
+	// Each node has a pointer to its first child and next sibling. To traverse
+	// all children of a node, we need to start from its first child and then
+	// traverse the next sibling until nil.
+	for c := n.FirstChild; c != nil; c = c.NextSibling {
+		WalkHTML(c, fn)
+	}
+}
--- a/internal/tools/listunsubscribeparser.go
+++ b/internal/tools/listunsubscribeparser.go
@@ -27,7 +27,7 @@ func ListUnsubscribeParser(v string) ([]string, error) {
 	comments := reComments.FindAllStringSubmatch(v, -1)
 	for _, c := range comments {
 		// strip comments
-		v = strings.Replace(v, c[0], "", -1)
+		v = strings.ReplaceAll(v, c[0], "")
 		v = strings.TrimSpace(v)
 	}

--- a/internal/tools/message.go
+++ b/internal/tools/message.go
@@ -1,99 +0,0 @@
-// Package tools provides various methods for various things
-package tools
-
-import (
-	"bufio"
-	"bytes"
-	"net/mail"
-	"regexp"
-
-	"github.com/axllent/mailpit/internal/logger"
-)
-
-// RemoveMessageHeaders scans a message for headers, if found them removes them.
-// It will only remove a single instance of any given message header.
-func RemoveMessageHeaders(msg []byte, headers []string) ([]byte, error) {
-	reader := bytes.NewReader(msg)
-	m, err := mail.ReadMessage(reader)
-	if err != nil {
-		return nil, err
-	}
-
-	reBlank := regexp.MustCompile(`^\s+`)
-
-	for _, hdr := range headers {
-		// case-insensitive
-		reHdr := regexp.MustCompile(`(?i)^` + regexp.QuoteMeta(hdr+":"))
-
-		// header := []byte(hdr + ":")
-		if m.Header.Get(hdr) != "" {
-			scanner := bufio.NewScanner(bytes.NewReader(msg))
-			found := false
-			hdr := []byte("")
-			for scanner.Scan() {
-				line := scanner.Bytes()
-				if !found && reHdr.Match(line) {
-					// add the first line starting with <header>:
-					hdr = append(hdr, line...)
-					hdr = append(hdr, []byte("\r\n")...)
-					found = true
-				} else if found && reBlank.Match(line) {
-					// add any following lines starting with a whitespace (tab or space)
-					hdr = append(hdr, line...)
-					hdr = append(hdr, []byte("\r\n")...)
-				} else if found {
-					// stop scanning, we have the full <header>
-					break
-				}
-			}
-
-			if len(hdr) > 0 {
-				logger.Log().Debugf("[release] removed %s header", hdr)
-				msg = bytes.Replace(msg, hdr, []byte(""), 1)
-			}
-		}
-	}
-
-	return msg, nil
-}
-
-// UpdateMessageHeader scans a message for a header and updates its value if found.
-func UpdateMessageHeader(msg []byte, header, value string) ([]byte, error) {
-	reader := bytes.NewReader(msg)
-	m, err := mail.ReadMessage(reader)
-	if err != nil {
-		return nil, err
-	}
-
-	if m.Header.Get(header) != "" {
-		reBlank := regexp.MustCompile(`^\s+`)
-		reHdr := regexp.MustCompile(`(?i)^` + regexp.QuoteMeta(header+":"))
-
-		scanner := bufio.NewScanner(bytes.NewReader(msg))
-		found := false
-		hdr := []byte("")
-		for scanner.Scan() {
-			line := scanner.Bytes()
-			if !found && reHdr.Match(line) {
-				// add the first line starting with <header>:
-				hdr = append(hdr, line...)
-				hdr = append(hdr, []byte("\r\n")...)
-				found = true
-			} else if found && reBlank.Match(line) {
-				// add any following lines starting with a whitespace (tab or space)
-				hdr = append(hdr, line...)
-				hdr = append(hdr, []byte("\r\n")...)
-			} else if found {
-				// stop scanning, we have the full <header>
-				break
-			}
-		}
-
-		if len(hdr) > 0 {
-			logger.Log().Debugf("[release] replaced %s header", hdr)
-			msg = bytes.Replace(msg, hdr, []byte(header+": "+value+"\r\n"), 1)
-		}
-	}
-
-	return msg, nil
-}
--- a/internal/tools/net.go
+++ b/internal/tools/net.go
@@ -0,0 +1,28 @@
+package tools
+
+import (
+	"net"
+	"net/url"
+)
+
+// IsInternalIP checks if the given IP address is an internal IP address (e.g., loopback, private, link-local, or multicast).
+// IsLoopback — 127.0.0.0/8, ::1
+// IsPrivate — 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7
+// IsLinkLocalUnicast — 169.254.0.0/16, fe80::/10 (covers cloud metadata 169.254.169.254)
+// IsLinkLocalMulticast — 224.0.0.0/24, ff02::/16
+// IsUnspecified — 0.0.0.0, ::
+// IsMulticast — 224.0.0.0/4, ff00::/8
+func IsInternalIP(ip net.IP) bool {
+	return ip.IsLoopback() ||
+		ip.IsPrivate() ||
+		ip.IsLinkLocalUnicast() ||
+		ip.IsLinkLocalMulticast() ||
+		ip.IsUnspecified() ||
+		ip.IsMulticast()
+}
+
+// IsValidLinkURL checks if the provided string is a valid URL with http or https scheme and a non-empty hostname.
+func IsValidLinkURL(str string) bool {
+	u, err := url.Parse(str)
+	return err == nil && (u.Scheme == "http" || u.Scheme == "https") && u.Hostname() != ""
+}
--- a/internal/tools/snippets.go
+++ b/internal/tools/snippets.go
@@ -26,7 +26,7 @@ func CreateSnippet(text, html string) string {
 			return data
 		}

-		return data[0:limit] + "..."
+		return truncate(data, limit) + "..."
 	}

 	if text != "" {
@@ -37,8 +37,33 @@ func CreateSnippet(text, html string) string {
 			return text
 		}

-		return text[0:limit] + "..."
+		return truncate(text, limit) + "..."
 	}

 	return ""
 }
+
+// Truncate a string allowing for multi-byte encoding.
+// Shamelessly borrowed from Tailscale.
+// See https://github.com/tailscale/tailscale/blob/main/util/truncate/truncate.go
+func truncate(s string, n int) string {
+	if n >= len(s) {
+		return s
+	}
+
+	// Back up until we find the beginning of a UTF-8 encoding.
+	for n > 0 && s[n-1]&0xc0 == 0x80 { // 0x10... is a continuation byte
+		n--
+	}
+
+	// If we're at the beginning of a multi-byte encoding, back up one more to
+	// skip it. It's possible the value was already complete, but it's simpler
+	// if we only have to check in one direction.
+	//
+	// Otherwise, we have a single-byte code (0x00... or 0x01...).
+	if n > 0 && s[n-1]&0xc0 == 0xc0 { // 0x11... starts a multibyte encoding
+		n--
+	}
+
+	return s[:n]
+}
--- a/internal/tools/tags.go
+++ b/internal/tools/tags.go
@@ -10,7 +10,7 @@ import (

 var (
 	// Invalid tag characters regex
-	tagsInvalidChars = regexp.MustCompile(`[^a-zA-Z0-9\-\ \_\.]`)
+	tagsInvalidChars = regexp.MustCompile(`[^a-zA-Z0-9\-\ \_\.@]`)

 	// Regex to catch multiple spaces
 	multiSpaceRe = regexp.MustCompile(`(\s+)`)
@@ -19,14 +19,21 @@ var (
 	TagsTitleCase bool
 )

-// CleanTag returns a clean tag, trimming whitespace and replacing invalid characters
+// CleanTag returns a clean tag, trimming whitespace and replacing invalid characters.
+// If the tag is longer than 100 characters, it is truncated.
 func CleanTag(s string) string {
-	return strings.TrimSpace(
+	t := strings.TrimSpace(
 		multiSpaceRe.ReplaceAllString(
 			tagsInvalidChars.ReplaceAllString(s, " "),
 			" ",
 		),
 	)
+
+	if len(t) > 100 {
+		return t[:100]
+	}
+
+	return t
 }

 // SetTagCasing returns the slice of tags, title-casing if set
--- a/internal/tools/tools_test.go
+++ b/internal/tools/tools_test.go
@@ -33,7 +33,8 @@ func TestCleanTag(t *testing.T) {
 	tests["thiS IS a Test :-)"] = "thiS IS a Test -"
 	tests["  thiS 99     IS a Test :-)"] = "thiS 99 IS a Test -"
 	tests["this_is-a test "] = "this_is-a test"
-	tests["this_is-a&^%%(*)@ test"] = "this_is-a test"
+	tests["this_is-a&^%%(*)@ test"] = "this_is-a @ test"
+	tests["this is a long tag title with more than 100 characters, which should get automatically truncated to 100 characters"] = "this is a long tag title with more than 100 characters which should get automatically truncated to 1"

 	for search, expected := range tests {
 		res := CleanTag(search)
--- a/internal/tools/unixsocket.go
+++ b/internal/tools/unixsocket.go
@@ -0,0 +1,49 @@
+package tools
+
+import (
+	"fmt"
+	"io/fs"
+	"net"
+	"os"
+	"path"
+	"regexp"
+	"strconv"
+)
+
+// UnixSocket returns a path and a FileMode if the address is in
+// the format of unix:<path>:<permission>
+func UnixSocket(address string) (string, fs.FileMode, bool) {
+	re := regexp.MustCompile(`^unix:(.*):(\d\d\d\d?)$`)
+
+	var f fs.FileMode
+
+	if !re.MatchString(address) {
+		return "", f, false
+	}
+
+	m := re.FindAllStringSubmatch(address, 1)
+
+	modeVal, err := strconv.ParseUint(m[0][2], 8, 32)
+
+	if err != nil {
+		return "", f, false
+	}
+
+	return path.Clean(m[0][1]), fs.FileMode(modeVal), true
+}
+
+// PrepareSocket returns an error if an active socket file already exists
+func PrepareSocket(address string) error {
+	address = path.Clean(address)
+	if _, err := os.Stat(address); os.IsNotExist(err) {
+		// does not exist, OK
+		return nil
+	}
+
+	if _, err := net.Dial("unix", address); err == nil {
+		// socket is listening
+		return fmt.Errorf("socket already in use: %s", address)
+	}
+
+	return os.Remove(address)
+}
--- a/internal/tools/utils.go
+++ b/internal/tools/utils.go
@@ -2,6 +2,7 @@ package tools

 import (
 	"fmt"
+	"regexp"
 	"strings"
 )

@@ -10,17 +11,47 @@ func Plural(total int, singular, plural string) string {
 	if total == 1 {
 		return fmt.Sprintf("%d %s", total, singular)
 	}
+
 	return fmt.Sprintf("%d %s", total, plural)
 }

 // InArray tests if a string is within an array. It is not case sensitive.
 func InArray(k string, arr []string) bool {
-	k = strings.ToLower(k)
 	for _, v := range arr {
-		if strings.ToLower(v) == k {
+		if strings.EqualFold(v, k) {
 			return true
 		}
 	}

 	return false
 }
+
+// Normalize will remove any extra spaces, remove newlines, and trim leading and trailing spaces
+func Normalize(s string) string {
+	nlRe := regexp.MustCompile(`\r?\r`)
+	re := regexp.MustCompile(`\s+`)
+
+	s = nlRe.ReplaceAllString(s, " ")
+	s = re.ReplaceAllString(s, " ")
+
+	return strings.TrimSpace(s)
+}
+
+// SafeUint64 converts an int or int64 to uint64, ensuring it does not exceed the maximum value for uint64.
+func SafeUint64(i any) uint64 {
+	switch v := i.(type) {
+	case int:
+		if v < 0 {
+			return 0
+		}
+		return uint64(v)
+	case int64:
+		if v < 0 {
+			return 0
+		}
+		return uint64(v)
+	default:
+		// only accepts int or int64
+		return 0
+	}
+}
--- a/internal/updater/targz.go
+++ b/internal/updater/targz.go
@@ -1,218 +0,0 @@
-package updater
-
-import (
-	"archive/tar"
-	"bufio"
-	"compress/gzip"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strings"
-	"syscall"
-)
-
-// TarGZExtract extracts a archive from the file inputFilePath.
-// It tries to create the directory structure outputFilePath contains if it doesn't exist.
-// It returns potential errors to be checked or nil if everything works.
-func TarGZExtract(inputFilePath, outputFilePath string) (err error) {
-	outputFilePath = stripTrailingSlashes(outputFilePath)
-	inputFilePath, outputFilePath, err = makeAbsolute(inputFilePath, outputFilePath)
-	if err != nil {
-		return err
-	}
-	undoDir, err := mkdirAll(outputFilePath, 0750)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err != nil {
-			undoDir()
-		}
-	}()
-
-	return extract(inputFilePath, outputFilePath)
-}
-
-// Creates all directories with os.MakedirAll and returns a function to remove the first created directory so cleanup is possible.
-func mkdirAll(dirPath string, perm os.FileMode) (func(), error) {
-	var undoDir string
-
-	for p := dirPath; ; p = filepath.Dir(p) {
-		finfo, err := os.Stat(p)
-		if err == nil {
-			if finfo.IsDir() {
-				break
-			}
-
-			finfo, err = os.Lstat(p)
-			if err != nil {
-				return nil, err
-			}
-
-			if finfo.IsDir() {
-				break
-			}
-
-			return nil, fmt.Errorf("mkdirAll (%s): %v", p, syscall.ENOTDIR)
-		}
-
-		if os.IsNotExist(err) {
-			undoDir = p
-		} else {
-			return nil, err
-		}
-	}
-
-	if undoDir == "" {
-		return func() {}, nil
-	}
-
-	if err := os.MkdirAll(dirPath, perm); err != nil {
-		return nil, err
-	}
-
-	return func() {
-		if err := os.RemoveAll(undoDir); err != nil {
-			panic(err)
-		}
-	}, nil
-}
-
-// Remove trailing slash if any.
-func stripTrailingSlashes(path string) string {
-	if len(path) > 0 && path[len(path)-1] == '/' {
-		path = path[0 : len(path)-1]
-	}
-
-	return path
-}
-
-// Make input and output paths absolute.
-func makeAbsolute(inputFilePath, outputFilePath string) (string, string, error) {
-	inputFilePath, err := filepath.Abs(inputFilePath)
-	if err == nil {
-		outputFilePath, err = filepath.Abs(outputFilePath)
-	}
-
-	return inputFilePath, outputFilePath, err
-}
-
-// Extract the file in filePath to directory.
-func extract(filePath string, directory string) error {
-	file, err := os.Open(filepath.Clean(filePath))
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		if err := file.Close(); err != nil {
-			fmt.Printf("Error closing file: %s\n", err)
-		}
-	}()
-
-	gzipReader, err := gzip.NewReader(bufio.NewReader(file))
-	if err != nil {
-		return err
-	}
-	defer gzipReader.Close()
-
-	tarReader := tar.NewReader(gzipReader)
-
-	// Post extraction directory permissions & timestamps
-	type DirInfo struct {
-		Path   string
-		Header *tar.Header
-	}
-
-	// slice to add all extracted directory info for post-processing
-	postExtraction := []DirInfo{}
-
-	for {
-		header, err := tarReader.Next()
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return err
-		}
-
-		fileInfo := header.FileInfo()
-		// paths could contain a '..', is used in a file system operations
-		if strings.Contains(fileInfo.Name(), "..") {
-			continue
-		}
-		dir := filepath.Join(directory, filepath.Dir(header.Name))
-		filename := filepath.Join(dir, fileInfo.Name())
-
-		if fileInfo.IsDir() {
-			// create the directory 755 in case writing permissions prohibit writing before files added
-			if err := os.MkdirAll(filename, 0750); err != nil {
-				return err
-			}
-
-			// set file ownership (if allowed)
-			// Chtimes() && Chmod() only set after once extraction is complete
-			_ = os.Chown(filename, header.Uid, header.Gid)
-
-			// add directory info to slice to process afterwards
-			postExtraction = append(postExtraction, DirInfo{filename, header})
-			continue
-		}
-
-		// make sure parent directory exists (may not be included in tar)
-		if !fileInfo.IsDir() && !isDir(dir) {
-			err = os.MkdirAll(dir, 0750)
-			if err != nil {
-				return err
-			}
-		}
-
-		file, err := os.Create(filepath.Clean(filename))
-		if err != nil {
-			return err
-		}
-
-		writer := bufio.NewWriter(file)
-
-		buffer := make([]byte, 4096)
-		for {
-			n, err := tarReader.Read(buffer)
-			if err != nil && err != io.EOF {
-				panic(err)
-			}
-			if n == 0 {
-				break
-			}
-
-			_, err = writer.Write(buffer[:n])
-			if err != nil {
-				return err
-			}
-		}
-
-		err = writer.Flush()
-		if err != nil {
-			return err
-		}
-
-		err = file.Close()
-		if err != nil {
-			return err
-		}
-
-		// set file permissions, timestamps & uid/gid
-		_ = os.Chmod(filename, os.FileMode(header.Mode))
-		_ = os.Chtimes(filename, header.AccessTime, header.ModTime)
-		_ = os.Chown(filename, header.Uid, header.Gid)
-	}
-
-	if len(postExtraction) > 0 {
-		for _, dir := range postExtraction {
-			_ = os.Chtimes(dir.Path, dir.Header.AccessTime, dir.Header.ModTime)
-			_ = os.Chmod(dir.Path, dir.Header.FileInfo().Mode().Perm())
-		}
-	}
-
-	return nil
-}
--- a/internal/updater/unzip.go
+++ b/internal/updater/unzip.go
@@ -1,75 +0,0 @@
-package updater
-
-import (
-	"archive/zip"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strings"
-)
-
-// Unzip will decompress a zip archive, moving all files and folders
-// within the zip file (src) to an output directory (dest).
-func Unzip(src string, dest string) ([]string, error) {
-
-	var filenames []string
-
-	r, err := zip.OpenReader(src)
-	if err != nil {
-		return filenames, err
-	}
-	defer r.Close()
-
-	for _, f := range r.File {
-
-		// Store filename/path for returning and using later on
-		fpath := filepath.Join(dest, filepath.Clean(f.Name))
-
-		// Check for ZipSlip. More Info: http://bit.ly/2MsjAWE
-		if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
-			return filenames, fmt.Errorf("%s: illegal file path", fpath)
-		}
-
-		filenames = append(filenames, fpath)
-
-		if f.FileInfo().IsDir() {
-			// Make Folder
-			if err := os.MkdirAll(fpath, os.ModePerm); err != nil {
-				return filenames, err
-			}
-			continue
-		}
-
-		// Make File
-		if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
-			return filenames, err
-		}
-
-		outFile, err := os.OpenFile(filepath.Clean(fpath), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
-		if err != nil {
-			return filenames, err
-		}
-
-		rc, err := f.Open()
-		if err != nil {
-			return filenames, err
-		}
-
-		_, err = io.Copy(outFile, rc) // #nosec - file is streamed from zip to file
-
-		// Close the file without defer to close before next iteration of loop
-		if err := outFile.Close(); err != nil {
-			return filenames, err
-		}
-
-		if err := rc.Close(); err != nil {
-			return filenames, err
-		}
-
-		if err != nil {
-			return filenames, err
-		}
-	}
-	return filenames, nil
-}
--- a/internal/updater/updater.go
+++ b/internal/updater/updater.go
@@ -1,346 +0,0 @@
-// package Updater checks and downloads new versions
-package updater
-
-import (
-	"crypto/rand"
-	"encoding/hex"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"runtime"
-	"time"
-
-	"github.com/axllent/mailpit/config"
-	"github.com/axllent/mailpit/internal/logger"
-	"github.com/axllent/semver"
-)
-
-var (
-	// AllowPrereleases defines whether pre-releases may be included
-	AllowPrereleases = false
-
-	tempDir string
-)
-
-// Releases struct for Github releases json
-type Releases []struct {
-	Name       string `json:"name"`       // release name
-	Tag        string `json:"tag_name"`   // release tag
-	Prerelease bool   `json:"prerelease"` // Github pre-release
-	Assets     []struct {
-		BrowserDownloadURL string `json:"browser_download_url"`
-		ID                 int64  `json:"id"`
-		Name               string `json:"name"`
-		Size               int64  `json:"size"`
-	} `json:"assets"`
-}
-
-// Release struct contains the file data for downloadable release
-type Release struct {
-	Name string
-	Tag  string
-	URL  string
-	Size int64
-}
-
-// GithubLatest fetches the latest release info & returns release tag, filename & download url
-func GithubLatest(repo, name string) (string, string, string, error) {
-	releaseURL := fmt.Sprintf("https://api.github.com/repos/%s/releases", repo)
-
-	timeout := time.Duration(5 * time.Second)
-
-	client := http.Client{
-		Timeout: timeout,
-	}
-
-	req, err := http.NewRequest("GET", releaseURL, nil)
-	if err != nil {
-		return "", "", "", err
-	}
-
-	req.Header.Set("User-Agent", "Mailpit/"+config.Version)
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return "", "", "", err
-	}
-
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(resp.Body)
-
-	if err != nil {
-		return "", "", "", err
-	}
-
-	linkOS := runtime.GOOS
-	linkArch := runtime.GOARCH
-	linkExt := ".tar.gz"
-	if linkOS == "windows" {
-		// Windows uses .zip instead
-		linkExt = ".zip"
-	}
-
-	var allReleases = []Release{}
-
-	var releases Releases
-
-	if err := json.Unmarshal(body, &releases); err != nil {
-		return "", "", "", err
-	}
-
-	archiveName := fmt.Sprintf("%s-%s-%s%s", name, linkOS, linkArch, linkExt)
-
-	// loop through releases
-	for _, r := range releases {
-		if !semver.IsValid(r.Tag) {
-			// Invalid semversion, skip
-			continue
-		}
-
-		if !AllowPrereleases && (semver.Prerelease(r.Tag) != "" || r.Prerelease) {
-			// we don't accept AllowPrereleases, skip
-			continue
-		}
-
-		for _, a := range r.Assets {
-			if a.Name == archiveName {
-				thisRelease := Release{a.Name, r.Tag, a.BrowserDownloadURL, a.Size}
-				allReleases = append(allReleases, thisRelease)
-				break
-			}
-		}
-	}
-
-	if len(allReleases) == 0 {
-		// no releases with suitable assets found
-		return "", "", "", fmt.Errorf("No binary releases found")
-	}
-
-	var latestRelease = Release{}
-
-	for _, r := range allReleases {
-		// detect the latest release
-		if semver.Compare(r.Tag, latestRelease.Tag) == 1 {
-			latestRelease = r
-		}
-	}
-
-	return latestRelease.Tag, latestRelease.Name, latestRelease.URL, nil
-}
-
-// GreaterThan compares the current version to a different version
-// returning < 1 not upgradeable
-func GreaterThan(toVer, fromVer string) bool {
-	return semver.Compare(toVer, fromVer) == 1
-}
-
-// GithubUpdate the running binary with the latest release binary from Github
-func GithubUpdate(repo, appName, currentVersion string) (string, error) {
-	ver, filename, downloadURL, err := GithubLatest(repo, appName)
-
-	if err != nil {
-		return "", err
-	}
-
-	if ver == currentVersion {
-		return "", fmt.Errorf("No new release found")
-	}
-
-	if semver.Compare(ver, currentVersion) < 1 {
-		return "", fmt.Errorf("No newer releases found (latest %s)", ver)
-	}
-
-	tmpDir := getTempDir()
-
-	// outFile can be a tar.gz or a zip, depending on architecture
-	outFile := filepath.Join(tmpDir, filename)
-
-	if err := downloadToFile(downloadURL, outFile); err != nil {
-		return "", err
-	}
-
-	newExec := filepath.Join(tmpDir, "mailpit")
-
-	if runtime.GOOS == "windows" {
-		if _, err := Unzip(outFile, tmpDir); err != nil {
-			return "", err
-		}
-		newExec = filepath.Join(tmpDir, "mailpit.exe")
-	} else {
-		if err := TarGZExtract(outFile, tmpDir); err != nil {
-			return "", err
-		}
-	}
-
-	if runtime.GOOS != "windows" {
-		err := os.Chmod(newExec, 0755) // #nosec
-		if err != nil {
-			return "", err
-		}
-	}
-
-	// ensure the new binary is executable (mainly for inconsistent darwin builds)
-	/* #nosec G204 */
-	cmd := exec.Command(newExec, "-h")
-	if err := cmd.Run(); err != nil {
-		return "", err
-	}
-
-	// get the running binary
-	oldExec, err := os.Executable()
-	if err != nil {
-		return "", err
-	}
-
-	if err = replaceFile(oldExec, newExec); err != nil {
-		return "", err
-	}
-
-	return ver, nil
-}
-
-// DownloadToFile downloads a URL to a file
-func downloadToFile(url, fileName string) error {
-	// Get the data
-	resp, err := http.Get(url) // #nosec
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	// Create the file
-	out, err := os.Create(filepath.Clean(fileName))
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		if err := out.Close(); err != nil {
-			logger.Log().Errorf("error closing file: %s", err.Error())
-		}
-	}()
-
-	// Write the body to file
-	_, err = io.Copy(out, resp.Body)
-
-	return err
-}
-
-// ReplaceFile replaces one file with another.
-// Running files cannot be overwritten, so it has to be moved
-// and the new binary saved to the original path. This requires
-// read & write permissions to both the original file and directory.
-// Note, on Windows it is not possible to delete a running program,
-// so the old exe is renamed and moved to os.TempDir()
-func replaceFile(dst, src string) error {
-	// open the source file for reading
-	source, err := os.Open(filepath.Clean(src))
-	if err != nil {
-		return err
-	}
-
-	// destination directory eg: /usr/local/bin
-	dstDir := filepath.Dir(dst)
-	// binary filename
-	binaryFilename := filepath.Base(dst)
-	// old binary tmp name
-	dstOld := fmt.Sprintf("%s.old", binaryFilename)
-	// new binary tmp name
-	dstNew := fmt.Sprintf("%s.new", binaryFilename)
-	// absolute path of new tmp file
-	newTmpAbs := filepath.Join(dstDir, dstNew)
-	// absolute path of old tmp file
-	oldTmpAbs := filepath.Join(dstDir, dstOld)
-
-	// get src permissions
-	fi, _ := os.Stat(dst)
-	srcPerms := fi.Mode().Perm()
-
-	// create the new file
-	tmpNew, err := os.OpenFile(filepath.Clean(newTmpAbs), os.O_CREATE|os.O_RDWR, srcPerms) // #nosec
-	if err != nil {
-		return err
-	}
-
-	// copy new binary to <binary>.new
-	if _, err := io.Copy(tmpNew, source); err != nil {
-		return err
-	}
-
-	// close immediately else Windows has a fit
-	if err := tmpNew.Close(); err != nil {
-		return err
-	}
-
-	if err := source.Close(); err != nil {
-		return err
-	}
-
-	// rename the current executable to <binary>.old
-	if err := os.Rename(dst, oldTmpAbs); err != nil {
-		return err
-	}
-
-	// rename the <binary>.new to current executable
-	if err := os.Rename(newTmpAbs, dst); err != nil {
-		return err
-	}
-
-	// delete the old binary
-	if runtime.GOOS == "windows" {
-		tmpDir := os.TempDir()
-		delFile := filepath.Join(tmpDir, filepath.Base(oldTmpAbs))
-		if err := os.Rename(oldTmpAbs, delFile); err != nil {
-			return err
-		}
-	} else {
-		if err := os.Remove(oldTmpAbs); err != nil {
-			return err
-		}
-	}
-
-	// remove the src file
-	return os.Remove(src)
-}
-
-// GetTempDir will create & return a temporary directory if one has not been specified
-func getTempDir() string {
-	if tempDir == "" {
-		randBytes := make([]byte, 6)
-		if _, err := rand.Read(randBytes); err != nil {
-			panic(err)
-		}
-		tempDir = filepath.Join(os.TempDir(), "updater-"+hex.EncodeToString(randBytes))
-	}
-	if err := mkDirIfNotExists(tempDir); err != nil {
-		// need a better way to exit
-		logger.Log().Errorf("error: %s", err.Error())
-		os.Exit(2)
-	}
-
-	return tempDir
-}
-
-// MkDirIfNotExists will create a directory if it doesn't exist
-func mkDirIfNotExists(path string) error {
-	if !isDir(path) {
-		return os.MkdirAll(path, os.ModePerm)
-	}
-
-	return nil
-}
-
-// IsDir returns if a path is a directory
-func isDir(path string) bool {
-	info, err := os.Stat(path)
-	if os.IsNotExist(err) || !info.IsDir() {
-		return false
-	}
-
-	return true
-}
--- a/Show More
+++ b/Show More