You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
New inbox tabs: Primary, Newsletters, Social, Notifications, and Other automatically sort incoming mail by type using header detection and sender heuristics
Unified inbox view shows all mail across tabs
AI-powered classify button reclassifies a message when the automatic detection gets it wrong
Unsubscribe button appears directly in the message pane for detected newsletters — one click sends the unsubscribe request or opens the unsubscribe URL
AI assistant
Integrated AI assistant powered by any OpenAI-compatible provider (configure your own endpoint and API key in admin settings)
Summarize long email threads, draft replies, and ask questions about a message
AI assist button added to the mobile compose toolbar
AI tab in admin settings is clearly marked Beta
Spam feedback (v0.1)
Mark any message as spam or not spam from the context menu, message pane toolbar, or bulk actions
Feedback is stored and will feed into automated filtering in a future release
Available in all 7 supported languages
Password recovery
Users can now recover their account via a recovery email address set in profile settings
Three-tier SMTP fallback ensures delivery even when the primary sending account is misconfigured (#176)
Compose improvements
Image resize handles in the rich-text editor (#182)
Pasting Excel tables now converts them to HTML tables (#182)
Todoist integration
Tasks created from emails now include a deep link back to the original message (#180)
Mark as unread
Mark messages as unread from the message pane toolbar and the mobile action menu (#183)
Security hardening
TOTP replay prevention: one-time codes can no longer be reused within their validity window
SSRF improvements: IMAP host validation now resolves DNS and blocks 6to4 and Teredo IPv6 tunnel addresses that embed private IPv4 ranges
CSS exfiltration prevention: external url() references in email <style> blocks are stripped at sanitization time
Password reset race condition: the token is now consumed atomically so two concurrent reset requests cannot both succeed
Signature sanitization: edited signatures are sanitized on send and draft save, not only at storage time
AI and subscription URL validation: custom AI base URLs and category subscription URLs are now validated through the same SSRF-safe host validator used for IMAP
Encryption key guard: the server now refuses to start and throws on encrypt rather than silently storing plaintext if ENCRYPTION_KEY is missing
Microsoft 365 id_token issuer validation: multi-tenant OAuth flows now verify the iss claim matches the tenant in the token
Trusted device cookie cleared on logout
Security headers: X-Frame-Options: DENY and Referrer-Policy: same-origin added to all responses
Double-send prevention: idempotency key support on the send endpoint prevents duplicate emails on network retry
Reliability improvements
Database migrations: all migrations are now idempotent (IF NOT EXISTS) and run without a statement timeout so large deployments don't fail mid-migration
IMAP connection leak fix: failed sync attempts now correctly close and remove the stale connection instead of leaving zombie TCP sockets
WebSocket broadcast isolation: a failing client socket no longer aborts delivery to other connected clients
Inbox rules N+1 fix: folder resolution for delete and archive rules is now cached across the message batch instead of re-queried per message
Shared Redis client: session store, TOTP replay prevention, and send idempotency now share a single Redis connection
Upgrade notes
No manual migration steps required. All schema changes apply automatically on first startup.
If you are running without ENCRYPTION_KEY set, the server will now refuse to start rather than silently degrading. Set ENCRYPTION_KEY to a 64-character hex string (openssl rand -hex 32) before upgrading.