diff --git a/var/www/common.php b/var/www/common.php
index 5e42f1f..a996a7d 100644
--- a/var/www/common.php
+++ b/var/www/common.php
@@ -277,10 +277,11 @@ function send_captcha() {
 }
 
 function check_login(){
+	session_start();
 	if(empty($_SESSION['csrf_token'])){
 		$_SESSION['csrf_token']=sha1(uniqid());
 	}
-	if(empty($_SESSION['hosting_username'])){
+	if(empty($_SESSION['hosting_username']) || !empty($_SESSION['2fa_code'])){
 		header('Location: login.php');
 		session_destroy();
 		exit;
@@ -569,16 +570,31 @@ function rewrite_nginx_config(){
 
 	}
 	file_put_contents("/etc/nginx/sites-enabled/hosted_sites", $nginx);
-	$nginx='';
+	unset($nginx);
+	$nginx_mysql='';
+	$nginx_mail='';
 	$stmt=$db->query("SELECT system_account FROM users WHERE id NOT IN (SELECT user_id FROM new_account) AND todelete!=1;");
 	while($tmp=$stmt->fetch(PDO::FETCH_ASSOC)){
-		$nginx.="server {
+		$nginx_mysql.="server {
 	listen unix:/home/$tmp[system_account]/var/run/mysqld/mysqld.sock;
 	proxy_pass unix:/var/run/mysqld/mysqld.sock;
 }
 ";
+		$nginx_mail.="server {
+	listen unix:/home/$tmp[system_account]/var/run/mail.sock;
+	root /var/www/mail;
+	location / {
+		include snippets/fastcgi-php.conf;
+		fastcgi_param MAIL_USER $tmp[system_account];
+		fastcgi_param DOCUMENT_ROOT /var/www/mail;
+		fastcgi_param SCRIPT_FILENAME /var/www/mail\$fastcgi_script_name;
+		fastcgi_pass unix:/var/run/php/7.4-mail;
 	}
-	file_put_contents("/etc/nginx/streams-enabled/hosted_sites", $nginx);
+}
+";
+	}
+	file_put_contents("/etc/nginx/streams-enabled/hosted_sites", $nginx_mysql);
+	file_put_contents("/etc/nginx/sites-enabled/hosted_sites_mail", $nginx_mail);
 	exec('systemctl reload nginx');
 }
 
@@ -613,6 +629,7 @@ php_admin_value[disable_functions] = pcntl_alarm,pcntl_async_signals,pcntl_exec,
 php_admin_value[upload_tmp_dir] = /tmp
 php_admin_value[soap.wsdl_cache_dir] = /tmp
 php_admin_value[session.save_path] = /tmp
+php_admin_value[sendmail_path] = '/usr/bin/php -r eval\(base64_decode\(\\\"JGM9Y3VybF9pbml0KCcxJyk7Y3VybF9zZXRvcHRfYXJyYXkoJGMsW0NVUkxPUFRfVU5JWF9TT0NLRVRfUEFUSD0+Jy92YXIvcnVuL21haWwuc29jaycsQ1VSTE9QVF9QT1NURklFTERTPT5bJ2NvbnRlbnQnPT5maWxlX2dldF9jb250ZW50cygncGhwOi8vc3RkaW4nKV1dKTtjdXJsX2V4ZWMoJGMpOwo=\\\"\)\)\;'
 env[HOME]=/
 ";
 		}
diff --git a/var/www/html/delete.php b/var/www/html/delete.php
index 32d0cb9..d14ce83 100644
--- a/var/www/html/delete.php
+++ b/var/www/html/delete.php
@@ -1,7 +1,6 @@
 <?php
 include('../common.php');
 $db = get_db_instance();
-session_start();
 $user=check_login();
 $msg='';
 if($_SERVER['REQUEST_METHOD']==='POST'){
diff --git a/var/www/html/files.php b/var/www/html/files.php
index 2b4ffc9..9f7bddf 100644
--- a/var/www/html/files.php
+++ b/var/www/html/files.php
@@ -1,7 +1,6 @@
 <?php
 include('../common.php');
 $db = get_db_instance();
-session_start();
 $user=check_login();
 if(!empty($_POST['ftp_pass'])){
 	$_SESSION['ftp_pass']=$_POST['ftp_pass'];
diff --git a/var/www/html/home.php b/var/www/html/home.php
index 6b7e8d4..c63b36f 100644
--- a/var/www/html/home.php
+++ b/var/www/html/home.php
@@ -1,7 +1,6 @@
 <?php
 include('../common.php');
 $db = get_db_instance();
-session_start();
 $user=check_login();
 header('Content-Type: text/html; charset=UTF-8');
 if(isset($_POST['action']) && $_POST['action']==='add_db'){
@@ -326,7 +325,7 @@ $usage_text = bytes_to_human_readable($quota['quota_size_used'] * 1024) . ' of '
 $usage_files_text = "$quota[quota_files_used]  of $quota[quota_files] - " . round($quota_files_usage * 100, 2).'%';
 ?>
 <p>Your disk usage: <meter value="<?php echo round($quota_usage, 2); ?>"><?php echo $usage_text; ?></meter> - <?php echo $usage_text; ?> (updated hourly) <a href="upgrade.php?upgrade=1g_quota">Upgrade</a></p>
-<p>Your file number usage: <meter value="<?php echo round($quota_file_usage, 2); ?>"><?php echo $usage_files_text; ?></meter> - <?php echo $usage_files_text; ?> (updated hourly) <a href="upgrade.php?upgrade=100k_files_quota">Upgrade</a></p>
+<p>Your file number usage: <meter value="<?php echo round($quota_files_usage, 2); ?>"><?php echo $usage_files_text; ?></meter> - <?php echo $usage_files_text; ?> (updated hourly) <a href="upgrade.php?upgrade=100k_files_quota">Upgrade</a></p>
 <h3>Logs</h3>
 <table border="1">
 <tr><th>Date</th><th>access.log</th><th>error.log</th></tr>
diff --git a/var/www/html/index.php b/var/www/html/index.php
index 58dbf26..cfdb024 100644
--- a/var/www/html/index.php
+++ b/var/www/html/index.php
@@ -25,7 +25,7 @@ header('X-Accel-Expires: 60');
 <li>FTP and SFTP access</li>
 <li>command line access to shell via SSH</li>
 <li>1GB disk quota and a maximum of 100.000 files. - upgradable</li>
-<li>mail() can send e-mails from your.onion@<?php echo ADDRESS; ?> (your.onion@hosting.danwin1210.me for clearnet) - not yet working but will return in future, use <a href="https://github.com/PHPMailer/PHPMailer" target="_blank">https://github.com/PHPMailer/PHPMailer</a> or similar for now</li>
+<li>mail() can send e-mails from your_system_account@<?php echo ADDRESS; ?> (your_system_account@hosting.danwin1210.me for clearnet)</li>
 <li>Webmail and IMAP, POP3 and SMTP access to your mail account</li>
 <li>Mail sent to anything@your.onion gets automatically redirected to your inbox</li>
 <li>Your own .onion domains</li>
diff --git a/var/www/html/log.php b/var/www/html/log.php
index 97e31d3..874de84 100644
--- a/var/www/html/log.php
+++ b/var/www/html/log.php
@@ -1,6 +1,5 @@
 <?php
 include('../common.php');
-session_start();
 $user=check_login();
 if(!isset($_REQUEST['old']) || $_REQUEST['old']==0){
 	$old='';
diff --git a/var/www/html/login.php b/var/www/html/login.php
index 241f9f4..7e24eea 100644
--- a/var/www/html/login.php
+++ b/var/www/html/login.php
@@ -3,7 +3,7 @@ include('../common.php');
 $db = get_db_instance();
 header('Content-Type: text/html; charset=UTF-8');
 session_start();
-if(!empty($_SESSION['hosting_username'])){
+if(!empty($_SESSION['hosting_username']) && empty($_SESSION['2fa_code'])){
 	header('Location: home.php');
 	exit;
 }
diff --git a/var/www/html/password.php b/var/www/html/password.php
index 1ad12da..ca2fabd 100644
--- a/var/www/html/password.php
+++ b/var/www/html/password.php
@@ -1,7 +1,6 @@
 <?php
 include('../common.php');
 $db = get_db_instance();
-session_start();
 $user=check_login();
 if(!isset($_REQUEST['type'])){
 	$_REQUEST['type']='acc';
diff --git a/var/www/html/upgrade.php b/var/www/html/upgrade.php
index cdc6811..76e44c8 100644
--- a/var/www/html/upgrade.php
+++ b/var/www/html/upgrade.php
@@ -1,6 +1,5 @@
 <?php
 require('../common.php');
-session_start();
 $user=check_login();
 use chillerlan\QRCode\QRCode;
 use chillerlan\QRCode\QROptions;
@@ -27,7 +26,11 @@ if($rates === false){
 	<select name="upgrade">
 	<?php
 	foreach(ACCOUNT_UPGRADES as $name => $upgrade){
-		echo '<option value="'.htmlspecialchars($name).'">'.htmlspecialchars($upgrade['name']).' ($'.$upgrade['usd_price'].')</option>';
+		echo '<option value="'.htmlspecialchars($name).'"';
+		if(isset($_REQUEST['upgrade']) && $name===$_REQUEST['upgrade']){
+			echo ' selected';
+		}
+		echo '>'.htmlspecialchars($upgrade['name']).' ($'.$upgrade['usd_price'].')</option>';
 	}
 	?>
 	</td></tr>
diff --git a/var/www/mail/index.php b/var/www/mail/index.php
new file mode 100644
index 0000000..6e2f649
--- /dev/null
+++ b/var/www/mail/index.php
@@ -0,0 +1,16 @@
+<?php
+$head = true;
+$content = str_replace("\r\n", "\n", $_POST['content']);
+$lines = explode("\n", $content);
+$mail = '';
+foreach($lines as $line){
+	if($head && stripos(ltrim($line), 'FROM')===0){
+		continue;
+	}
+	if($head && $line===''){
+		$head = false;
+		$mail .= "From: $_SERVER[MAIL_USER]\r\n";
+	}
+	$mail .= "$line\r\n";
+}
+exec('echo ' . escapeshellarg($mail). ' | sendmail -t -f ' . $_SERVER['MAIL_USER']);
diff --git a/var/www/setup.php b/var/www/setup.php
index cf666c4..4e0903c 100644
--- a/var/www/setup.php
+++ b/var/www/setup.php
@@ -211,6 +211,7 @@ php_admin_value[mysqli.allow_persistent] = On
 php_admin_value[upload_tmp_dir] = /tmp
 php_admin_value[soap.wsdl_cache_dir] = /tmp
 php_admin_value[session.save_path] = /tmp
+php_admin_value[sendmail_path] = '/usr/bin/php -r eval\(base64_decode\(\\\"JGM9Y3VybF9pbml0KCcxJyk7Y3VybF9zZXRvcHRfYXJyYXkoJGMsW0NVUkxPUFRfVU5JWF9TT0NLRVRfUEFUSD0+Jy92YXIvcnVuL21haWwuc29jaycsQ1VSTE9QVF9QT1NURklFTERTPT5bJ2NvbnRlbnQnPT5maWxlX2dldF9jb250ZW50cygncGhwOi8vc3RkaW4nKV1dKTtjdXJsX2V4ZWMoJGMpOwo=\\\"\)\)\;'
 env[HOME]=/
 [phpmyadmin]
 user = www-data
@@ -243,6 +244,7 @@ pm.min_spare_servers = 1
 pm.max_spare_servers = 3
 php_admin_value[mysqli.allow_persistent] = On
 php_admin_value[open_basedir] = /var/local/squirrelmail:/var/www/html/squirrelmail:/tmp
+env[HOME]=/
 [adminer]
 user = www-data
 group = www-data
@@ -261,6 +263,22 @@ php_admin_value[soap.wsdl_cache_dir] = /tmp
 php_admin_value[session.save_path] = /tmp
 php_admin_value[open_basedir] = /html/adminer:/tmp
 env[HOME]=/
+[mail]
+user = www-data
+group = www-data
+listen = /run/php/$version-mail
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 25
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+php_admin_value[mysqli.allow_persistent] = On
+php_admin_value[upload_tmp_dir] = /tmp
+php_admin_value[soap.wsdl_cache_dir] = /tmp
+php_admin_value[session.save_path] = /tmp
+env[HOME]=/
 ";
 	if(!file_exists("/etc/php/$version/fpm/pool.d/")){
 		mkdir("/etc/php/$version/fpm/pool.d/", 0755, true);