GoWebMail

A self-hosted, encrypted web email client written entirely in Go. Supports Gmail and Outlook via OAuth2, plus any standard IMAP/SMTP provider.

Notes:

• work still in progress ( gmail and hotmail email not tested yet, just prepared the app for it)
• AI is involved in making this work, as I do not have the skill and time to do it on my own
• looking for any advice and suggestions to improve it!

Features

• Unified inbox — view emails from all connected accounts in one stream
• Gmail & Outlook OAuth2 — modern, token-based auth (no storing raw passwords for these providers)
• IMAP/SMTP — connect any provider (ProtonMail Bridge, Fastmail, iCloud, etc.)
• AES-256-GCM encryption — all email content encrypted at rest in SQLite
• bcrypt password hashing — GoWebMail account passwords hashed with cost=12
• Send / Reply / Forward — full compose workflow
• Folder navigation — per-account folder/label browsing
• Full-text search — across all accounts locally
• Dark-themed web UI — clean, keyboard-shortcut-friendly interface

Quick Start

Option 1: Build executable

# 1. Clone / copy the project
git clone https://github.com/ghostersk/gowebmail && cd gowebmail
go build -o gowebmail ./cmd/server
# if you want smaller exe ( strip down debuginformation):
go build -ldflags="-s -w" -o gowebmail ./cmd/server
./gowebmail

Visit http://localhost:8080, default login admin/admin, register an account, then connect your email.

Option 2: Run directly

git clone https://github.com/ghostersk/gowebmail && cd gowebmail
go run ./cmd/server/main.go
# check ./data/gowebmail.conf what gets generated on first run if not exists, update as needed.
# then restart the app

Reset Admin password, MFA

# List all admins with MFA status
./gowebmail --list-admin

# USERNAME                  EMAIL                                 MFA
# --------                  -----                                 ---
# admin                     admin@example.com                     ON

# Reset an admin's password (min 8 chars)
./gowebmail --pw admin "NewSecurePass123"

# Disable MFA so a locked-out admin can log in again
./gowebmail --mfa-off admin

Setting up OAuth2

Gmail

1. Go to Google Cloud Console → New project
2. Enable Gmail API
3. Create OAuth 2.0 Client ID (Web application)
4. Add Authorized redirect URI: http://localhost:8080/auth/gmail/callback
5. Set env vars: GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET

Important: In the Google Cloud Console, add the scope https://mail.google.com/ to allow IMAP access. You'll also need to add test users while in "Testing" mode.

Outlook / Microsoft 365

1. Go to Azure portal → App registrations → New registration
2. Set redirect URI: http://localhost:8080/auth/outlook/callback
3. Under API permissions, add:
   • https://outlook.office.com/IMAP.AccessAsUser.All
   • https://outlook.office.com/SMTP.Send
   • offline_access, openid, profile, email
4. Create a Client secret
5. Set env vars: MICROSOFT_CLIENT_ID, MICROSOFT_CLIENT_SECRET, MICROSOFT_TENANT_ID

Security Notes

• ENCRYPTION_KEY is critical — back it up. Without it, the encrypted SQLite database is unreadable.
• Email content (subject, from, to, body) is encrypted at rest using AES-256-GCM.
• OAuth2 tokens are stored encrypted in the database.
• Passwords for GoWebMail accounts are bcrypt hashed (cost=12).
• All HTTP responses include security headers (CSP, X-Frame-Options, etc.).
• In production, run behind HTTPS (nginx/Caddy) and set SECURE_COOKIE=true.

Dependencies

github.com/emersion/go-imap      IMAP client
github.com/emersion/go-smtp      SMTP client  
github.com/emersion/go-message   MIME parsing
github.com/gorilla/mux           HTTP routing
github.com/mattn/go-sqlite3      SQLite driver (CGO)
golang.org/x/crypto              bcrypt
golang.org/x/oauth2              OAuth2 + Google/Microsoft endpoints

Building for Production

CGO_ENABLED=1 GOOS=linux go build -ldflags="-s -w" -o gowebmail ./cmd/server

CGO is required by go-sqlite3. Cross-compilation requires a C cross-compiler.

License

This project is licensed under the GPL-3.0 license.