Cock-mail — yeah it's webmail with cocks

est. 2026

About

Cock-mail is the world's first fully client-side webmail client. It's what webmail should have been. Cock-mail connects directly to an IMAP server over WebSockets and manages the entire session in your browser from start to finish. This approach eliminates a broad swath of the security risks you take every time you use a server-side webmail application. Instead of relying on a crusty PHP or C backend to connect to IMAP for you and manage client state, cock-mail speaks IMAP natively and skips the middleman.

Another issue with webmail is the problem of how to convert an HTML e-mail into something that can be safely displayed in browsers. This is a hard problem and has been the source of innumerable XSS vulnerabilities in existing webmail applications. Cock-mail addresses this by refusing to convert HTML to anything other than plaintext. More specifically, its HTML converter uses DOMParser to parse HTML message parts, extract links, and convert the untrusted code to plaintext with innerText. This way the features of modern browsers designed to handle untrusted input are used for their intended purpose.
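The conversion described above, sketched as an added example; this is not cock-mail's own code. The function names and the scheme allowlist in `ALLOWED_SCHEMES` are assumptions made for illustration.

```javascript
// Added example, not cock-mail's code. ALLOWED_SCHEMES is an assumed policy.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Return a normalized absolute URL, or null if the raw href is unusable.
function safeLink(rawHref) {
  let url;
  try {
    // No base URL: relative hrefs throw here, which is intended, since they
    // would otherwise resolve against the webmail page's own origin.
    url = new URL(rawHref);
  } catch {
    return null;
  }
  // The URL parser lowercases the scheme and strips tabs, newlines and
  // leading whitespace, so the comparison is made on the normalized scheme.
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Browser-only: turn an untrusted HTML message part into text plus links.
function htmlPartToText(html) {
  // Scripts inside a DOMParser document are never executed.
  const doc = new DOMParser().parseFromString(html, "text/html");
  // Nothing in this document is rendered, so innerText returns the same
  // string as textContent, <style> and <script> source included; drop them.
  doc.querySelectorAll("script, style").forEach((el) => el.remove());
  const links = [];
  for (const a of doc.querySelectorAll("a[href]")) {
    // getAttribute gives the raw value; a.href would resolve it first.
    const href = safeLink(a.getAttribute("href"));
    if (href && !links.includes(href)) links.push(href);
  }
  return { text: doc.body.innerText.trim(), links };
}

if (typeof DOMParser !== "undefined") {
  // Constructed sample message part, for running in a browser console.
  const sample =
    '<style>p{color:red}</style><p>Hi <a href="https://example.com/">site</a>' +
    ' <a href=" JavaScript:void(0)">x</a> <a href="/local">y</a></p>';
  console.log(htmlPartToText(sample));
}
```

When displaying the result, assign `text` through `textContent` and set link targets only from the `links` array, so nothing from the message reaches an HTML sink.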

This is not a hobby project; it's developed so our own users can access webmail. We shut down our previous choice of software after we briefly audited it and decided it was too dangerous to use. If we had another option we would have deployed it as a replacement. Extensive research over several months came up with nothing that met our requirements and so we started writing cock-mail instead.

Cock-mail's developers strongly believe the best e-mail client is a desktop client and aim to replicate one.

Features

Cock-mail is in an alpha state. Notably, there's no SMTP or filter support. Still, it has a number of features which make it comfortable to use:

In the future we plan on adding many more features to cock-mail:

Download

Current version: 0.0.5 (alpha)

Cock-mail is a single HTML file. You can get the latest source code from view-source:https://mail.cock.li/. Cock-mail is free to use under a permissive license which you can read about at the top of the file.

By default, cock-mail connects via WebSockets to /imap on whatever host it's running on. To change this, edit window.imap_server at the very bottom of the file and set it to whatever you want.

Opening a WebSocket to connect to IMAP is left as an exercise for the reader. Since cock-mail is deployed to production on HTTPS, IMAP SSL/STARTTLS has not been implemented. You may find your IMAP server doesn't allow you to pick one port to allow "insecure" connections and instead requires you to choose between forced encryption or not for the entire daemon. On a personal mail server this may not be an issue, since you can easily ensure encryption is used by the mail clients of a small number of users. For more complicated deployments you will need to solve this problem yourself or wait for more complete instructions, which will come at a later date.