Merge branch 'release/v1.26.0'

2025-08-15 20:13:16 +02:00 · 2025-06-06 19:05:40 +12:00
parent 56739ceac2 803adf29ac
commit 72e92d2d1e
11 changed files with 1113 additions and 617 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,22 @@

 Notable changes to Mailpit will be documented in this file.

+## [v1.26.0]
+
+### Feature
+- Send API allow separate auth ([#504](https://github.com/axllent/mailpit/issues/504))
+- Add Prometheus exporter ([#505](https://github.com/axllent/mailpit/issues/505))
+
+### Chore
+- Add MP_DATA_FILE deprecation warning
+- Update Go dependencies
+- Update node dependencies
+
+### Fix
+- Ignore basic auth for OPTIONS requests to API when CORS is set
+- Fix sendmail symlink detection for macOS ([#514](https://github.com/axllent/mailpit/issues/514))
+
+
 ## [v1.25.1]

 ### Chore
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -9,6 +9,7 @@ import (
 	"github.com/axllent/mailpit/config"
 	"github.com/axllent/mailpit/internal/auth"
 	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/prometheus"
 	"github.com/axllent/mailpit/internal/smtpd"
 	"github.com/axllent/mailpit/internal/smtpd/chaos"
 	"github.com/axllent/mailpit/internal/storage"
@@ -39,6 +40,14 @@ Documentation:
 			os.Exit(1)
 		}

+		// Start Prometheus metrics if enabled
+		switch prometheus.GetMode() {
+		case "integrated":
+			prometheus.StartUpdater()
+		case "separate":
+			go prometheus.StartSeparateServer()
+		}
+
 		go server.Listen()

 		if err := smtpd.Listen(); err != nil {
@@ -108,6 +117,10 @@ func init() {
 	rootCmd.Flags().BoolVar(&config.DisableHTTPCompression, "disable-http-compression", config.DisableHTTPCompression, "Disable HTTP compression support (web UI & API)")
 	rootCmd.Flags().BoolVar(&config.HideDeleteAllButton, "hide-delete-all-button", config.HideDeleteAllButton, "Hide the \"Delete all\" button in the web UI")

+	// Send API
+	rootCmd.Flags().StringVar(&config.SendAPIAuthFile, "send-api-auth-file", config.SendAPIAuthFile, "A password file for Send API authentication")
+	rootCmd.Flags().BoolVar(&config.SendAPIAuthAcceptAny, "send-api-auth-accept-any", config.SendAPIAuthAcceptAny, "Accept any username and password for the Send API endpoint, including none")
+
 	// SMTP server
 	rootCmd.Flags().StringVarP(&config.SMTPListen, "smtp", "s", config.SMTPListen, "SMTP bind interface and port")
 	rootCmd.Flags().StringVar(&config.SMTPAuthFile, "smtp-auth-file", config.SMTPAuthFile, "A password file for SMTP authentication")
@@ -146,6 +159,9 @@ func init() {
 	rootCmd.Flags().BoolVar(&tools.TagsTitleCase, "tags-title-case", tools.TagsTitleCase, "TitleCase new tags generated from plus-addresses and X-Tags")
 	rootCmd.Flags().StringVar(&config.TagsDisable, "tags-disable", config.TagsDisable, "Disable auto-tagging, comma separated (eg: plus-addresses,x-tags)")

+	// Prometheus metrics
+	rootCmd.Flags().StringVar(&config.PrometheusListen, "enable-prometheus", config.PrometheusListen, "Enable Prometheus metrics: true|false|<ip:port> (eg:'0.0.0.0:9090')")
+
 	// Webhook
 	rootCmd.Flags().StringVar(&config.WebhookURL, "webhook-url", config.WebhookURL, "Send a webhook request for new messages")
 	rootCmd.Flags().IntVar(&webhook.RateLimit, "webhook-limit", webhook.RateLimit, "Limit webhook requests per second")
@@ -249,6 +265,15 @@ func initConfigFromEnv() {
 		config.HideDeleteAllButton = true
 	}

+	// Send API
+	config.SendAPIAuthFile = os.Getenv("MP_SEND_API_AUTH_FILE")
+	if err := auth.SetSendAPIAuth(os.Getenv("MP_SEND_API_AUTH")); err != nil {
+		logger.Log().Error(err.Error())
+	}
+	if getEnabledFromEnv("MP_SEND_API_AUTH_ACCEPT_ANY") {
+		config.SendAPIAuthAcceptAny = true
+	}
+
 	// SMTP server
 	if len(os.Getenv("MP_SMTP_BIND_ADDR")) > 0 {
 		config.SMTPListen = os.Getenv("MP_SMTP_BIND_ADDR")
@@ -346,6 +371,11 @@ func initConfigFromEnv() {
 	tools.TagsTitleCase = getEnabledFromEnv("MP_TAGS_TITLE_CASE")
 	config.TagsDisable = os.Getenv("MP_TAGS_DISABLE")

+	// Prometheus metrics
+	if len(os.Getenv("MP_ENABLE_PROMETHEUS")) > 0 {
+		config.PrometheusListen = os.Getenv("MP_ENABLE_PROMETHEUS")
+	}
+
 	// Webhook
 	if len(os.Getenv("MP_WEBHOOK_URL")) > 0 {
 		config.WebhookURL = os.Getenv("MP_WEBHOOK_URL")
@@ -362,9 +392,9 @@ func initConfigFromEnv() {
 func initDeprecatedConfigFromEnv() {
 	// deprecated 2024/04/12 - but will not be removed to maintain backwards compatibility
 	if len(os.Getenv("MP_DATA_FILE")) > 0 {
+		logger.Log().Warn("ENV MP_DATA_FILE has been deprecated, use MP_DATABASE")
 		config.Database = os.Getenv("MP_DATA_FILE")
 	}
-
 	// deprecated 2023/03/12
 	if len(os.Getenv("MP_UI_SSL_CERT")) > 0 {
 		logger.Log().Warn("ENV MP_UI_SSL_CERT has been deprecated, use MP_UI_TLS_CERT")
--- a/config/config.go
+++ b/config/config.go
@@ -72,6 +72,12 @@ var (
 	// DisableHTTPCompression will explicitly disable HTTP compression in the web UI and API
 	DisableHTTPCompression bool

+	// SendAPIAuthFile for Send API authentication
+	SendAPIAuthFile string
+
+	// SendAPIAuthAcceptAny accepts any username/password for the send API endpoint, including none
+	SendAPIAuthAcceptAny bool
+
 	// SMTPTLSCert file
 	SMTPTLSCert string

@@ -185,6 +191,10 @@ var (
 	// AllowUntrustedTLS allows untrusted HTTPS connections link checking & screenshot generation
 	AllowUntrustedTLS bool

+	// PrometheusListen address for Prometheus metrics server
+	// Empty = disabled, true= use existing web server, address = separate server
+	PrometheusListen string
+
 	// Version is the default application version, updated on release
 	Version = "dev"

@@ -289,6 +299,7 @@ func VerifyConfig() error {
 		return errors.New("[ui] HTTP bind should be in the format of <ip>:<port>")
 	}

+	// Web UI & API
 	if UIAuthFile != "" {
 		UIAuthFile = filepath.Clean(UIAuthFile)

@@ -323,6 +334,49 @@ func VerifyConfig() error {
 		}
 	}

+	// Send API
+	if SendAPIAuthFile != "" {
+		SendAPIAuthFile = filepath.Clean(SendAPIAuthFile)
+
+		if !isFile(SendAPIAuthFile) {
+			return fmt.Errorf("[send-api] password file not found or readable: %s", SendAPIAuthFile)
+		}
+
+		b, err := os.ReadFile(SendAPIAuthFile)
+		if err != nil {
+			return err
+		}
+
+		if err := auth.SetSendAPIAuth(string(b)); err != nil {
+			return err
+		}
+
+		logger.Log().Info("[send-api] enabling basic authentication")
+	}
+
+	if auth.SendAPICredentials != nil && SendAPIAuthAcceptAny {
+		return errors.New("[send-api] authentication cannot use both credentials and --send-api-auth-accept-any")
+	}
+
+	if SendAPIAuthAcceptAny && auth.UICredentials != nil {
+		logger.Log().Info("[send-api] disabling authentication")
+	}
+
+	// Prometheus configuration validation
+	if PrometheusListen != "" {
+		mode := strings.ToLower(strings.TrimSpace(PrometheusListen))
+		if mode != "true" && mode != "false" {
+			// Validate as address for separate server mode
+			_, err := net.ResolveTCPAddr("tcp", PrometheusListen)
+			if err != nil {
+				return fmt.Errorf("[prometheus] %s", err.Error())
+			}
+		} else if mode == "true" {
+			logger.Log().Info("[prometheus] enabling metrics")
+		}
+	}
+
+	// SMTP server
 	if SMTPTLSCert != "" && SMTPTLSKey == "" || SMTPTLSCert == "" && SMTPTLSKey != "" {
 		return errors.New("[smtp] you must provide both an SMTP TLS certificate and a key")
 	}
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/PuerkitoBio/goquery v1.10.3
 	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 	github.com/axllent/semver v0.0.1
-	github.com/goccy/go-yaml v1.17.1
+	github.com/goccy/go-yaml v1.18.0
 	github.com/gomarkdown/markdown v0.0.0-20250311123330-531bef5e742b
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.3
@@ -21,22 +21,26 @@ require (
 	github.com/leporo/sqlf v1.4.0
 	github.com/lithammer/shortuuid/v4 v4.2.0
 	github.com/mneis/go-telnet v0.0.0-20221017141824-6f643e477c62
+	github.com/prometheus/client_golang v1.22.0
 	github.com/rqlite/gorqlite v0.0.0-20250128004930-114c7828b55a
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
 	github.com/tg123/go-htpasswd v1.2.4
 	github.com/vanng822/go-premailer v1.24.0
-	golang.org/x/net v0.40.0
-	golang.org/x/text v0.25.0
-	golang.org/x/time v0.11.0
+	golang.org/x/crypto v0.39.0
+	golang.org/x/net v0.41.0
+	golang.org/x/text v0.26.0
+	golang.org/x/time v0.12.0
 	modernc.org/sqlite v1.37.1
 )

 require (
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -45,20 +49,24 @@ require (
 	github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
-	github.com/olekukonko/tablewriter v1.0.6 // indirect
+	github.com/olekukonko/tablewriter v1.0.7 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.64.0 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/reiver/go-oi v1.0.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/vanng822/css v1.0.1 // indirect
-	golang.org/x/crypto v0.38.0 // indirect
-	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect
-	golang.org/x/image v0.27.0 // indirect
+	golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476 // indirect
+	golang.org/x/image v0.28.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
-	modernc.org/libc v1.65.8 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	modernc.org/libc v1.65.10 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -8,8 +8,12 @@ github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de h1:FxWPpzIjnTlhP
 github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de/go.mod h1:DCaWoUhZrYW9p1lxo/cm8EmUOOzAPSEZNGF2DK1dJgw=
 github.com/axllent/semver v0.0.1 h1:QqF+KSGxgj8QZzSXAvKFqjGWE5792ksOnQhludToK8E=
 github.com/axllent/semver v0.0.1/go.mod h1:2xSPzvG8n9mRfdtxSvWvfTfQGWfHsMsHO1iZnKATMSc=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a h1:MISbI8sU/PSK/ztvmWKFcI7UGb5/HQT7B+i3a2myKgI=
 github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a/go.mod h1:2GxOXOlEPAMFPfp014mK1SWq8G8BN8o7/dfYqJrVGn8=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -18,13 +22,15 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/goccy/go-yaml v1.17.1 h1:LI34wktB2xEE3ONG/2Ar54+/HJVBriAGJ55PHls4YuY=
-github.com/goccy/go-yaml v1.17.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f h1:3BSP1Tbs2djlpprl7wCLuiqMaUh5SJkkzI2gDs+FgLs=
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
 github.com/gomarkdown/markdown v0.0.0-20250311123330-531bef5e742b h1:EY/KpStFl60qA17CptGXhwfZ+k1sFNJIUNR8DdbcuUk=
 github.com/gomarkdown/markdown v0.0.0-20250311123330-531bef5e742b/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -45,6 +51,8 @@ github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zt
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kovidgoyal/imaging v1.6.4 h1:K0idhRPXnRrJBKnBYcTfI1HTWSNDeAn7hYDvf9I0dCk=
 github.com/kovidgoyal/imaging v1.6.4/go.mod h1:bEIgsaZmXlvFfkv/CUxr9rJook6AQkJnpB5EPosRfRY=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leporo/sqlf v1.4.0 h1:SyWnX/8GSGOzVmanG0Ub1c04mR9nNl6Tq3IeFKX2/4c=
 github.com/leporo/sqlf v1.4.0/go.mod h1:pgN9yKsAnQ+2ewhbZogr98RcasUjPsHF3oXwPPhHvBw=
 github.com/lithammer/shortuuid/v4 v4.2.0 h1:LMFOzVB3996a7b8aBuEXxqOBflbfPQAiVzkIcHO0h8c=
@@ -59,6 +67,8 @@ github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwp
 github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
 github.com/mneis/go-telnet v0.0.0-20221017141824-6f643e477c62 h1:XMG5DklHoioVYysfYglOB7vRBg/LOUJZy2mq2QyedLg=
 github.com/mneis/go-telnet v0.0.0-20221017141824-6f643e477c62/go.mod h1:niAM5cni0I/47IFA995xQfeK58Mkbb7FHJjacY4OGQg=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
@@ -67,6 +77,14 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.64.0 h1:pdZeA+g617P7oGv1CzdTzyeShxAGrTBsolKNOLQPGO4=
+github.com/prometheus/common v0.64.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/reiver/go-oi v1.0.0 h1:nvECWD7LF+vOs8leNGV/ww+F2iZKf3EYjYZ527turzM=
 github.com/reiver/go-oi v1.0.0/go.mod h1:RrDBct90BAhoDTxB1fenZwfykqeGvhI6LsNfStJoEkI=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
@@ -111,19 +129,19 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
-golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 h1:y5zboxd6LQAqYIhHnB48p0ByQ/GnQx2BE33L8BOHQkI=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ=
-golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
-golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476 h1:bsqhLWFR6G6xiQcb+JoGqdKdRU6WzPWmK8E0jxTjzo4=
+golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
+golang.org/x/image v0.28.0 h1:gdem5JW1OLS4FbkWgLO+7ZeFzYtL3xClb97GaUzYMFE=
+golang.org/x/image v0.28.0/go.mod h1:GUJYXtnGKEUgggyzh+Vxt+AviiCcyiwpsl8iQ8MvwGY=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
+golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -133,8 +151,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -142,8 +160,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
+golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -177,19 +195,21 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
-golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
+golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
@@ -198,12 +218,12 @@ modernc.org/cc/v4 v4.26.1 h1:+X5NtzVBn0KgsBCBe+xkDC7twLb/jNVj9FPgiwSQO3s=
 modernc.org/cc/v4 v4.26.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
 modernc.org/ccgo/v4 v4.28.0 h1:rjznn6WWehKq7dG4JtLRKxb52Ecv8OUGah8+Z/SfpNU=
 modernc.org/ccgo/v4 v4.28.0/go.mod h1:JygV3+9AV6SmPhDasu4JgquwU81XAKLd3OKTUDNOiKE=
-modernc.org/fileutil v1.3.1 h1:8vq5fe7jdtEvoCf3Zf9Nm0Q05sH6kGx0Op2CPx1wTC8=
-modernc.org/fileutil v1.3.1/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
+modernc.org/fileutil v1.3.3 h1:3qaU+7f7xxTUmvU1pJTZiDLAIoJVdUSSauJNHg9yXoA=
+modernc.org/fileutil v1.3.3/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
-modernc.org/libc v1.65.8 h1:7PXRJai0TXZ8uNA3srsmYzmTyrLoHImV5QxHeni108Q=
-modernc.org/libc v1.65.8/go.mod h1:011EQibzzio/VX3ygj1qGFt5kMjP0lHb0qCW5/D/pQU=
+modernc.org/libc v1.65.10 h1:ZwEk8+jhW7qBjHIT+wd0d9VjitRyQef9BnzlzGwMODc=
+modernc.org/libc v1.65.10/go.mod h1:StFvYpx7i/mXtBAfVOjaU0PWZOvIRoZSgXhrwXzr8Po=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -11,6 +11,8 @@ import (
 var (
 	// UICredentials passwords
 	UICredentials *htpasswd.File
+	// SendAPICredentials passwords
+	SendAPICredentials *htpasswd.File
 	// SMTPCredentials passwords
 	SMTPCredentials *htpasswd.File
 	// POP3Credentials passwords
@@ -36,6 +38,25 @@ func SetUIAuth(s string) error {
 	return nil
 }

+// SetSendAPIAuth will set Send API credentials
+func SetSendAPIAuth(s string) error {
+	var err error
+
+	credentials := credentialsFromString(s)
+	if len(credentials) == 0 {
+		return nil
+	}
+
+	r := strings.NewReader(strings.Join(credentials, "\n"))
+
+	SendAPICredentials, err = htpasswd.NewFromReader(r, htpasswd.DefaultSystems, nil)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // SetSMTPAuth will set SMTP credentials
 func SetSMTPAuth(s string) error {
 	var err error
--- a/internal/prometheus/metrics.go
+++ b/internal/prometheus/metrics.go
@@ -0,0 +1,190 @@
+// Package prometheus provides Prometheus metrics for Mailpit
+package prometheus
+
+import (
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/logger"
+	"github.com/axllent/mailpit/internal/stats"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+)
+
+var (
+	// Registry is the Prometheus registry for Mailpit metrics
+	Registry = prometheus.NewRegistry()
+
+	// Metrics
+	totalMessages    prometheus.Gauge
+	unreadMessages   prometheus.Gauge
+	databaseSize     prometheus.Gauge
+	messagesDeleted  prometheus.Counter
+	smtpAccepted     prometheus.Counter
+	smtpRejected     prometheus.Counter
+	smtpIgnored      prometheus.Counter
+	smtpAcceptedSize prometheus.Counter
+	uptime           prometheus.Gauge
+	memoryUsage      prometheus.Gauge
+	tagCounters      *prometheus.GaugeVec
+)
+
+// InitMetrics initializes all Prometheus metrics
+func InitMetrics() {
+	// Create metrics
+	totalMessages = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "mailpit_messages",
+		Help: "Total number of messages in the database",
+	})
+
+	unreadMessages = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "mailpit_messages_unread",
+		Help: "Number of unread messages in the database",
+	})
+
+	databaseSize = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "mailpit_database_size_bytes",
+		Help: "Size of the database in bytes",
+	})
+
+	messagesDeleted = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "mailpit_messages_deleted_total",
+		Help: "Total number of messages deleted",
+	})
+
+	smtpAccepted = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "mailpit_smtp_accepted_total",
+		Help: "Total number of SMTP messages accepted",
+	})
+
+	smtpRejected = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "mailpit_smtp_rejected_total",
+		Help: "Total number of SMTP messages rejected",
+	})
+
+	smtpIgnored = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "mailpit_smtp_ignored_total",
+		Help: "Total number of SMTP messages ignored (duplicates)",
+	})
+
+	smtpAcceptedSize = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "mailpit_smtp_accepted_size_bytes_total",
+		Help: "Total size of accepted SMTP messages in bytes",
+	})
+
+	uptime = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "mailpit_uptime_seconds",
+		Help: "Uptime of Mailpit in seconds",
+	})
+
+	memoryUsage = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "mailpit_memory_usage_bytes",
+		Help: "Memory usage in bytes",
+	})
+
+	tagCounters = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name: "mailpit_tag_messages",
+			Help: "Number of messages per tag",
+		},
+		[]string{"tag"},
+	)
+
+	// Register metrics
+	Registry.MustRegister(totalMessages)
+	Registry.MustRegister(unreadMessages)
+	Registry.MustRegister(databaseSize)
+	Registry.MustRegister(messagesDeleted)
+	Registry.MustRegister(smtpAccepted)
+	Registry.MustRegister(smtpRejected)
+	Registry.MustRegister(smtpIgnored)
+	Registry.MustRegister(smtpAcceptedSize)
+	Registry.MustRegister(uptime)
+	Registry.MustRegister(memoryUsage)
+	Registry.MustRegister(tagCounters)
+}
+
+// UpdateMetrics updates all metrics with current values
+func UpdateMetrics() {
+	info := stats.Load()
+
+	totalMessages.Set(float64(info.Messages))
+	unreadMessages.Set(float64(info.Unread))
+	databaseSize.Set(float64(info.DatabaseSize))
+	messagesDeleted.Add(float64(info.RuntimeStats.MessagesDeleted))
+	smtpAccepted.Add(float64(info.RuntimeStats.SMTPAccepted))
+	smtpRejected.Add(float64(info.RuntimeStats.SMTPRejected))
+	smtpIgnored.Add(float64(info.RuntimeStats.SMTPIgnored))
+	smtpAcceptedSize.Add(float64(info.RuntimeStats.SMTPAcceptedSize))
+	uptime.Set(float64(info.RuntimeStats.Uptime))
+	memoryUsage.Set(float64(info.RuntimeStats.Memory))
+
+	// Reset tag counters
+	tagCounters.Reset()
+
+	// Update tag counters
+	for tag, count := range info.Tags {
+		tagCounters.WithLabelValues(tag).Set(float64(count))
+	}
+}
+
+// Returns the Prometheus handler & disables double compression in middleware
+func GetHandler() http.Handler {
+	return promhttp.HandlerFor(Registry, promhttp.HandlerOpts{
+		DisableCompression: true,
+	})
+}
+
+// StartUpdater starts the periodic metrics update routine
+func StartUpdater() {
+	InitMetrics()
+	UpdateMetrics()
+
+	// Start periodic updates
+	go func() {
+		ticker := time.NewTicker(15 * time.Second)
+		defer ticker.Stop()
+
+		for range ticker.C {
+			UpdateMetrics()
+		}
+	}()
+}
+
+// StartSeparateServer starts a separate HTTP server for Prometheus metrics
+func StartSeparateServer() {
+	StartUpdater()
+
+	logger.Log().Infof("[prometheus] metrics server listening on %s", config.PrometheusListen)
+
+	// Create a dedicated mux for the metrics server
+	mux := http.NewServeMux()
+	mux.Handle("/metrics", promhttp.HandlerFor(Registry, promhttp.HandlerOpts{}))
+
+	// Create a dedicated server instance
+	server := &http.Server{
+		Addr:    config.PrometheusListen,
+		Handler: mux,
+	}
+
+	// Start HTTP server
+	if err := server.ListenAndServe(); err != nil {
+		logger.Log().Errorf("[prometheus] metrics server error: %s", err.Error())
+	}
+}
+
+// GetMode returns the Prometheus run mode
+func GetMode() string {
+	mode := strings.ToLower(strings.TrimSpace(config.PrometheusListen))
+
+	switch {
+	case mode == "false", mode == "":
+		return "disabled"
+	case mode == "true":
+		return "integrated"
+	default:
+		return "separate"
+	}
+}
--- a/main.go
+++ b/main.go
@@ -1,3 +1,4 @@
+// Package main is the entrypoint
 package main

 import (
@@ -10,26 +11,11 @@ import (
 )

 func main() {
-	exec, err := os.Executable()
-	if err != nil {
-		panic(err)
-	}
-
-	// running directly
-	if normalize(filepath.Base(exec)) == normalize(filepath.Base(os.Args[0])) ||
-		!strings.Contains(filepath.Base(os.Args[0]), "sendmail") {
-		cmd.Execute()
-	} else {
-		// symlinked as "*sendmail*"
+	// if the command executable contains "send" in the name (eg: sendmail), then run the sendmail command
+	if strings.Contains(strings.ToLower(filepath.Base(os.Args[0])), "send") {
 		sendmail.Run()
+	} else {
+		// else run mailpit
+		cmd.Execute()
 	}
 }
-
-// Normalize returns a lowercase string stripped of the file extension (if exists).
-// Used for detecting Windows commands which ignores letter casing and `.exe`.
-// eg: "MaIlpIT.Exe" returns "mailpit"
-func normalize(s string) string {
-	s = strings.ToLower(s)
-
-	return strings.TrimSuffix(s, filepath.Ext(s))
-}
--- a/package-lock.json
+++ b/package-lock.json
--- a/server/server.go
+++ b/server/server.go
@@ -19,6 +19,7 @@ import (
 	"github.com/axllent/mailpit/internal/auth"
 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/pop3"
+	"github.com/axllent/mailpit/internal/prometheus"
 	"github.com/axllent/mailpit/internal/stats"
 	"github.com/axllent/mailpit/internal/storage"
 	"github.com/axllent/mailpit/internal/tools"
@@ -158,7 +159,7 @@ func apiRoutes() *mux.Router {
 	r.HandleFunc(config.Webroot+"api/v1/messages", middleWareFunc(apiv1.DeleteMessages)).Methods("DELETE")
 	r.HandleFunc(config.Webroot+"api/v1/search", middleWareFunc(apiv1.Search)).Methods("GET")
 	r.HandleFunc(config.Webroot+"api/v1/search", middleWareFunc(apiv1.DeleteSearch)).Methods("DELETE")
-	r.HandleFunc(config.Webroot+"api/v1/send", middleWareFunc(apiv1.SendMessageHandler)).Methods("POST")
+	r.HandleFunc(config.Webroot+"api/v1/send", sendAPIAuthMiddleware(apiv1.SendMessageHandler)).Methods("POST")
 	r.HandleFunc(config.Webroot+"api/v1/tags", middleWareFunc(apiv1.GetAllTags)).Methods("GET")
 	r.HandleFunc(config.Webroot+"api/v1/tags", middleWareFunc(apiv1.SetMessageTags)).Methods("PUT")
 	r.HandleFunc(config.Webroot+"api/v1/tags/{tag}", middleWareFunc(apiv1.RenameTag)).Methods("PUT")
@@ -182,6 +183,13 @@ func apiRoutes() *mux.Router {
 	r.HandleFunc(config.Webroot+"api/v1/chaos", middleWareFunc(apiv1.GetChaos)).Methods("GET")
 	r.HandleFunc(config.Webroot+"api/v1/chaos", middleWareFunc(apiv1.SetChaos)).Methods("PUT")

+	// Prometheus metrics (if enabled and using existing server)
+	if prometheus.GetMode() == "integrated" {
+		r.HandleFunc(config.Webroot+"metrics", middleWareFunc(func(w http.ResponseWriter, r *http.Request) {
+			prometheus.GetHandler().ServeHTTP(w, r)
+		})).Methods("GET")
+	}
+
 	// web UI websocket
 	r.HandleFunc(config.Webroot+"api/events", apiWebsocket).Methods("GET")

@@ -198,6 +206,48 @@ func basicAuthResponse(w http.ResponseWriter) {
 	_, _ = w.Write([]byte("Unauthorised.\n"))
 }

+// sendAPIAuthMiddleware handles authentication specifically for the send API endpoint
+// It can use dedicated send API authentication or accept any credentials based on configuration
+func sendAPIAuthMiddleware(fn http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// If send API auth accept any is enabled, bypass all authentication
+		if config.SendAPIAuthAcceptAny {
+			// Temporarily disable UI auth for this request
+			originalCredentials := auth.UICredentials
+			auth.UICredentials = nil
+			defer func() { auth.UICredentials = originalCredentials }()
+			// Call the standard middleware
+			middleWareFunc(fn)(w, r)
+			return
+		}
+
+		// If Send API credentials are configured, only accept those credentials
+		if auth.SendAPICredentials != nil {
+			user, pass, ok := r.BasicAuth()
+
+			if !ok {
+				basicAuthResponse(w)
+				return
+			}
+
+			if !auth.SendAPICredentials.Match(user, pass) {
+				basicAuthResponse(w)
+				return
+			}
+
+			// Valid Send API credentials - bypass UI auth and call function directly
+			originalCredentials := auth.UICredentials
+			auth.UICredentials = nil
+			defer func() { auth.UICredentials = originalCredentials }()
+			middleWareFunc(fn)(w, r)
+			return
+		}
+
+		// No Send API credentials configured - fall back to UI auth
+		middleWareFunc(fn)(w, r)
+	}
+}
+
 type gzipResponseWriter struct {
 	io.Writer
 	http.ResponseWriter
@@ -239,7 +289,9 @@ func middleWareFunc(fn http.HandlerFunc) http.HandlerFunc {
 			w.Header().Set("Access-Control-Allow-Headers", "*")
 		}

-		if auth.UICredentials != nil {
+		// Check basic authentication headers if configured.
+		// OPTIONS requests are skipped if CORS is enabled, since browsers omit credentials for preflight.
+		if !(AccessControlAllowOrigin != "" && r.Method == http.MethodOptions) && auth.UICredentials != nil {
 			user, pass, ok := r.BasicAuth()

 			if !ok {
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -13,10 +13,12 @@ import (
 	"testing"

 	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/auth"
 	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/storage"
 	"github.com/axllent/mailpit/server/apiv1"
 	"github.com/jhillyerd/enmime/v2"
+	"golang.org/x/crypto/bcrypt"
 )

 var (
@@ -24,6 +26,18 @@ var (
 		Read bool
 		IDs  []string
 	}
+
+	// Shared test message structure for consistency
+	testSendMessage = map[string]interface{}{
+		"From": map[string]string{
+			"Email": "test@example.com",
+		},
+		"To": []map[string]string{
+			{"Email": "recipient@example.com"},
+		},
+		"Subject": "Test",
+		"Text":    "Test message",
+	}
 )

 func TestAPIv1Messages(t *testing.T) {
@@ -312,6 +326,157 @@ func TestAPIv1Send(t *testing.T) {
 	assertEqual(t, `This is a plain text attachment`, string(attachmentBytes), "wrong Attachment content")
 }

+func TestSendAPIAuthMiddleware(t *testing.T) {
+	setup()
+	defer storage.Close()
+
+	// Test 1: Send API with accept-any enabled (should bypass all auth)
+	t.Run("SendAPIAuthAcceptAny", func(t *testing.T) {
+		// Set up UI auth and enable accept-any for send API
+		originalSendAPIAuthAcceptAny := config.SendAPIAuthAcceptAny
+		originalUICredentials := auth.UICredentials
+		defer func() {
+			config.SendAPIAuthAcceptAny = originalSendAPIAuthAcceptAny
+			auth.UICredentials = originalUICredentials
+		}()
+
+		// Enable accept-any for send API
+		config.SendAPIAuthAcceptAny = true
+
+		// Set up UI auth that would normally block requests
+		testHash, _ := bcrypt.GenerateFromPassword([]byte("testpass"), bcrypt.DefaultCost)
+		auth.SetUIAuth("testuser:" + string(testHash))
+
+		r := apiRoutes()
+		ts := httptest.NewServer(r)
+		defer ts.Close()
+
+		// Should succeed without any auth headers
+		jsonData, _ := json.Marshal(testSendMessage)
+		_, err := clientPost(ts.URL+"/api/v1/send", string(jsonData))
+		if err != nil {
+			t.Errorf("Expected send to succeed with accept-any, got error: %s", err.Error())
+		}
+	})
+
+	// Test 2: Send API with dedicated credentials
+	t.Run("SendAPIWithDedicatedCredentials", func(t *testing.T) {
+		originalSendAPIAuthAcceptAny := config.SendAPIAuthAcceptAny
+		originalUICredentials := auth.UICredentials
+		originalSendAPICredentials := auth.SendAPICredentials
+		defer func() {
+			config.SendAPIAuthAcceptAny = originalSendAPIAuthAcceptAny
+			auth.UICredentials = originalUICredentials
+			auth.SendAPICredentials = originalSendAPICredentials
+		}()
+
+		config.SendAPIAuthAcceptAny = false
+
+		// Set up UI auth
+		uiHash, _ := bcrypt.GenerateFromPassword([]byte("uipass"), bcrypt.DefaultCost)
+		auth.SetUIAuth("uiuser:" + string(uiHash))
+
+		// Set up dedicated Send API auth
+		sendHash, _ := bcrypt.GenerateFromPassword([]byte("sendpass"), bcrypt.DefaultCost)
+		auth.SetSendAPIAuth("senduser:" + string(sendHash))
+
+		r := apiRoutes()
+		ts := httptest.NewServer(r)
+		defer ts.Close()
+
+		jsonData, _ := json.Marshal(testSendMessage)
+
+		// Should succeed with correct Send API credentials
+		_, err := clientPostWithAuth(ts.URL+"/api/v1/send", string(jsonData), "senduser", "sendpass")
+		if err != nil {
+			t.Errorf("Expected send to succeed with correct Send API credentials, got error: %s", err.Error())
+		}
+
+		// Should fail with wrong Send API credentials
+		_, err = clientPostWithAuth(ts.URL+"/api/v1/send", string(jsonData), "senduser", "wrongpass")
+		if err == nil {
+			t.Error("Expected send to fail with wrong Send API credentials")
+		}
+
+		// Should fail with UI credentials when Send API credentials are set
+		_, err = clientPostWithAuth(ts.URL+"/api/v1/send", string(jsonData), "uiuser", "uipass")
+		if err == nil {
+			t.Error("Expected send to fail with UI credentials when Send API credentials are required")
+		}
+	})
+
+	// Test 3: Send API fallback to UI auth when no Send API auth is configured
+	t.Run("SendAPIFallbackToUIAuth", func(t *testing.T) {
+		originalSendAPIAuthAcceptAny := config.SendAPIAuthAcceptAny
+		originalUICredentials := auth.UICredentials
+		originalSendAPICredentials := auth.SendAPICredentials
+		defer func() {
+			config.SendAPIAuthAcceptAny = originalSendAPIAuthAcceptAny
+			auth.UICredentials = originalUICredentials
+			auth.SendAPICredentials = originalSendAPICredentials
+		}()
+
+		config.SendAPIAuthAcceptAny = false
+		auth.SendAPICredentials = nil
+
+		// Set up only UI auth
+		uiHash, _ := bcrypt.GenerateFromPassword([]byte("uipass"), bcrypt.DefaultCost)
+		auth.SetUIAuth("uiuser:" + string(uiHash))
+
+		r := apiRoutes()
+		ts := httptest.NewServer(r)
+		defer ts.Close()
+
+		jsonData, _ := json.Marshal(testSendMessage)
+
+		// Should succeed with UI credentials when no Send API auth is configured
+		_, err := clientPostWithAuth(ts.URL+"/api/v1/send", string(jsonData), "uiuser", "uipass")
+		if err != nil {
+			t.Errorf("Expected send to succeed with UI credentials when no Send API auth configured, got error: %s", err.Error())
+		}
+
+		// Should fail without any credentials
+		_, err = clientPost(ts.URL+"/api/v1/send", string(jsonData))
+		if err == nil {
+			t.Error("Expected send to fail without credentials when UI auth is required")
+		}
+	})
+
+	// Test 4: Regular API endpoints should not be affected by Send API auth settings
+	t.Run("RegularAPINotAffectedBySendAPIAuth", func(t *testing.T) {
+		originalSendAPIAuthAcceptAny := config.SendAPIAuthAcceptAny
+		originalUICredentials := auth.UICredentials
+		originalSendAPICredentials := auth.SendAPICredentials
+		defer func() {
+			config.SendAPIAuthAcceptAny = originalSendAPIAuthAcceptAny
+			auth.UICredentials = originalUICredentials
+			auth.SendAPICredentials = originalSendAPICredentials
+		}()
+
+		// Set up UI auth and Send API auth
+		uiHash, _ := bcrypt.GenerateFromPassword([]byte("uipass"), bcrypt.DefaultCost)
+		auth.SetUIAuth("uiuser:" + string(uiHash))
+		sendHash, _ := bcrypt.GenerateFromPassword([]byte("sendpass"), bcrypt.DefaultCost)
+		auth.SetSendAPIAuth("senduser:" + string(sendHash))
+
+		r := apiRoutes()
+		ts := httptest.NewServer(r)
+		defer ts.Close()
+
+		// Regular API endpoint should require UI credentials, not Send API credentials
+		_, err := clientGetWithAuth(ts.URL+"/api/v1/messages", "uiuser", "uipass")
+		if err != nil {
+			t.Errorf("Expected regular API to work with UI credentials, got error: %s", err.Error())
+		}
+
+		// Regular API endpoint should fail with Send API credentials
+		_, err = clientGetWithAuth(ts.URL+"/api/v1/messages", "senduser", "sendpass")
+		if err == nil {
+			t.Error("Expected regular API to fail with Send API credentials")
+		}
+	})
+}
+
 func setup() {
 	logger.NoLogging = true
 	config.MaxMessages = 0
@@ -521,6 +686,59 @@ func clientPost(url, body string) ([]byte, error) {
 	return data, err
 }

+func clientPostWithAuth(url, body, username, password string) ([]byte, error) {
+	client := new(http.Client)
+
+	b := strings.NewReader(body)
+	req, err := http.NewRequest("POST", url, b)
+	if err != nil {
+		return nil, err
+	}
+
+	req.SetBasicAuth(username, password)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%s returned status %d", url, resp.StatusCode)
+	}
+
+	data, err := io.ReadAll(resp.Body)
+
+	return data, err
+}
+
+func clientGetWithAuth(url, username, password string) ([]byte, error) {
+	client := new(http.Client)
+
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	req.SetBasicAuth(username, password)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("%s returned status %d", url, resp.StatusCode)
+	}
+
+	data, err := io.ReadAll(resp.Body)
+
+	return data, err
+}
+
 func assertEqual(t *testing.T, a interface{}, b interface{}, message string) {
 	if a == b {
 		return