$source_msg_id, 'uid' => $me['id']] ); if (!$source) { http_response_code(404); exit('Source message not found.'); } if (!$account_id) $account_id = (int)$source['account_id']; if ($source['body_text'] === null && $source['body_html'] === null) { try { $parts = email_fetch_body_on_demand([ 'imap_host' => $source['imap_host'], 'imap_port' => $source['imap_port'], 'imap_encryption' => $source['imap_encryption'], 'imap_username' => $source['imap_username'], 'imap_password' => $source['imap_password'], ], $source['folder'], (int)$source['uid']); $source['body_text'] = $parts['text'] ?: null; $source['body_html'] = $parts['html'] ?: null; } catch (Throwable $_) { /* best-effort */ } } } // Determine sending account $sending_acct = null; if ($account_id) { $sending_acct = db_row( "SELECT a.* FROM email_accounts a JOIN email_account_users u ON u.account_id = a.id WHERE a.id=:id AND u.user_id=:uid AND u.can_send = 1 AND a.is_active = 1", ['id' => $account_id, 'uid' => $me['id']] ); } if (!$sending_acct) { $sending_acct = db_row( "SELECT a.* FROM email_accounts a JOIN email_account_users u ON u.account_id = a.id WHERE u.user_id=:uid AND u.can_send = 1 AND a.is_active = 1 ORDER BY a.display_name LIMIT 1", ['uid' => $me['id']] ); } if (!$sending_acct) { http_response_code(403); exit('You don\'t have permission to send from any mailbox.'); } $my_accounts = db_all( "SELECT a.id, a.display_name, a.email_address, a.colour FROM email_accounts a JOIN email_account_users u ON u.account_id = a.id WHERE u.user_id=:uid AND u.can_send=1 AND a.is_active=1 ORDER BY a.display_name", ['uid' => $me['id']] ); // User's signature (already sanitised on save) $signature_html = (string)($me['email_signature'] ?? ''); // ── POST: send ────────────────────────────────────────────── $flash_error = ''; if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'send') { csrf_verify(); $to_raw = trim((string)($_POST['to'] ?? '')); $cc_raw = trim((string)($_POST['cc'] ?? '')); $bcc_raw = trim((string)($_POST['bcc'] ?? '')); $subject = trim((string)($_POST['subject'] ?? '')); $body_html_raw = (string)($_POST['body_html'] ?? ''); $in_reply_to = (string)($_POST['in_reply_to'] ?? ''); $references = (string)($_POST['references'] ?? ''); $from_acct_id = (int)($_POST['from_account_id'] ?? $sending_acct['id']); $attachment_tokens = array_filter(explode(',', (string)($_POST['attachment_tokens'] ?? ''))); $send_acct = db_row( "SELECT a.* FROM email_accounts a JOIN email_account_users u ON u.account_id = a.id WHERE a.id=:id AND u.user_id=:uid AND u.can_send=1 AND a.is_active=1", ['id' => $from_acct_id, 'uid' => $me['id']] ); if (!$send_acct) { $flash_error = 'You can\'t send from that account.'; } elseif ($to_raw === '') { $flash_error = 'At least one recipient is required.'; } elseif ($subject === '' && trim(strip_tags($body_html_raw)) === '') { $flash_error = 'Empty message — add a subject or body.'; } else { $to = imc_normalize_addr_list($to_raw); $cc = imc_normalize_addr_list($cc_raw); $bcc = imc_normalize_addr_list($bcc_raw); if (empty($to)) { $flash_error = 'Invalid recipient address.'; } else { // Sanitise outgoing HTML (Word paste cleanup, security) $sanitised = email_sanitize_html($body_html_raw, true); $body_html = $sanitised['html']; // Convert URL-referenced images on our server into inline cid: parts // — Outlook/corporate clients block remote images by default, so // we embed them directly into the email. $inlined = imc_inline_referenced_images($body_html); $body_html = $inlined['html']; $inline_attachments = $inlined['inline_attachments']; // Generate a plain-text alternative from the HTML for clients // that prefer it (and for spam filters that look for both) $body_text = trim(html_entity_decode( preg_replace(['##i', '#

#i'], "\n", strip_tags($body_html)), ENT_QUOTES | ENT_HTML5, 'UTF-8' )); // Load attachment data (user-uploaded files) $attachments = []; foreach ($attachment_tokens as $token) { $token = trim($token); if ($token === '') continue; $att = imc_load_temp_attachment((int)$me['id'], $token); if ($att) $attachments[] = $att; } // Combine: inline images first, then regular attachments $all_attachments = array_merge($inline_attachments, $attachments); $msg_payload = [ 'to' => $to, 'cc' => $cc, 'bcc' => $bcc, 'subject' => $subject ?: '(no subject)', 'body_text' => $body_text, 'body_html' => $body_html, 'attachments' => $all_attachments, 'in_reply_to' => $in_reply_to !== '' ? $in_reply_to : null, 'references' => $references !== '' ? $references : null, ]; try { $message_id = imc_smtp_send($send_acct, $msg_payload); $sent_folder = $send_acct['imap_sent_folder'] ?: 'Sent'; $raw = imc_build_raw_message($send_acct, $msg_payload, $message_id); try { imc_append_to_folder($send_acct, $sent_folder, $raw); } catch (Throwable $e) { app_log("email: SMTP send OK but IMAP append failed: " . $e->getMessage()); } if ($source && in_array($mode, ['reply','reply_all'], true)) { db_exec('UPDATE email_messages SET is_answered=1 WHERE id=:id', ['id' => $source['id']]); try { $conn = imc_open([ 'imap_host' => $source['imap_host'], 'imap_port' => $source['imap_port'], 'imap_encryption' => $source['imap_encryption'], 'imap_username' => $source['imap_username'], 'imap_password' => $source['imap_password'], ], $source['folder']); @imap_setflag_full($conn, (string)$source['uid'], '\\Answered', ST_UID); imc_close($conn); } catch (Throwable $_e) { /* best-effort */ } } // Clean up temp attachment files imc_cleanup_temp_attachments((int)$me['id'], $attachment_tokens); header('Location: email.php?account=' . (int)$send_acct['id'] . '&msg=' . urlencode('Message sent.')); exit; } catch (Throwable $e) { $flash_error = 'Send failed: ' . $e->getMessage(); app_log('email send failed: ' . $e->getMessage()); } } } } // Build initial values based on mode $initial_to_emails = []; $initial_cc_emails = []; $initial_subject = ''; $initial_quote_html = ''; $initial_in_reply_to = ''; $initial_references = ''; if ($source) { $orig_to_list = $source['to_list'] ?: ''; $orig_cc_list = $source['cc_list'] ?: ''; $initial_in_reply_to = $source['message_id'] ?? ''; $initial_references = trim(($source['references'] ?? '') . ' ' . ($source['message_id'] ?? '')); // Build a quote block as HTML $orig_body_html = ''; if ($source['body_html']) { // Sanitise the original for safe embedding in the quote $orig_body_html = email_sanitize_html($source['body_html'], true)['html']; } elseif ($source['body_text']) { $orig_body_html = nl2br(htmlspecialchars((string)$source['body_text'])); } $sent_at_fmt = date('j M Y H:i', strtotime($source['sent_at'] ?? 'now')); $from_disp = htmlspecialchars(($source['from_name'] ?: $source['from_email'])); if ($mode === 'reply' || $mode === 'reply_all') { $initial_to_emails = [$source['from_email']]; if ($mode === 'reply_all') { $cc_parts = []; foreach (explode(',', $orig_to_list . ',' . $orig_cc_list) as $piece) { $piece = trim($piece); if ($piece === '') continue; if (preg_match('/<([^>]+)>/', $piece, $m)) $piece = $m[1]; if (strcasecmp($piece, $source['account_email']) === 0) continue; if (filter_var($piece, FILTER_VALIDATE_EMAIL)) $cc_parts[] = $piece; } $initial_cc_emails = array_values(array_unique($cc_parts)); } $initial_subject = (stripos($source['subject'] ?? '', 'Re:') === 0) ? $source['subject'] : 'Re: ' . ($source['subject'] ?: ''); $initial_quote_html = '

' . '

On ' . $sent_at_fmt . ', ' . $from_disp . ' wrote:

' . $orig_body_html . '
'; } elseif ($mode === 'forward') { $initial_subject = (stripos($source['subject'] ?? '', 'Fwd:') === 0) ? $source['subject'] : 'Fwd: ' . ($source['subject'] ?: ''); $initial_quote_html = '

' . '

Forwarded message

' . '

' . 'From: ' . $from_disp . '
' . 'Date: ' . $sent_at_fmt . '
' . 'Subject: ' . htmlspecialchars($source['subject'] ?: '(no subject)') . '
' . 'To: ' . htmlspecialchars($source['to_list'] ?: '') . '

' . '
' . $orig_body_html . '
'; } } // Resolve initial pills $initial_to_resolved = []; foreach ($initial_to_emails as $e) $initial_to_resolved[] = email_resolve_contact($e); $initial_cc_resolved = []; foreach ($initial_cc_emails as $e) $initial_cc_resolved[] = email_resolve_contact($e); // Build the initial editor content // Order: [user typing area] + signature + [quoted original] $initial_editor_html = '


'; // placeholder for cursor if ($signature_html !== '') { $initial_editor_html .= '
' . $signature_html . '
'; } if ($initial_quote_html !== '') { $initial_editor_html .= $initial_quote_html; } // Carry over POST values on error if ($flash_error && isset($_POST['body_html'])) { $initial_editor_html = (string)$_POST['body_html']; $to_post = trim((string)($_POST['to'] ?? '')); $cc_post = trim((string)($_POST['cc'] ?? '')); $initial_to_resolved = $to_post !== '' ? array_map('email_resolve_contact', array_filter(array_map('trim', explode(',', $to_post)))) : $initial_to_resolved; $initial_cc_resolved = $cc_post !== '' ? array_map('email_resolve_contact', array_filter(array_map('trim', explode(',', $cc_post)))) : $initial_cc_resolved; $initial_subject = $_POST['subject'] ?? $initial_subject; } $mode_label = ['new'=>'New message','reply'=>'Reply','reply_all'=>'Reply all','forward'=>'Forward'][$mode] ?? 'Compose'; $page_title = $mode_label; require __DIR__ . '/_guard.php'; ?>
← Cancel

✎ Edit signature
From
<>
To  · 
Cc
Bcc
Subject
Attachments

Max 25 MB per file.

Cancel
Signature auto-included · Inline images upload to server