diff --git a/mail/inc/class.mail_compose.inc.php b/mail/inc/class.mail_compose.inc.php
index b4c979d100..15cb345903 100644
--- a/mail/inc/class.mail_compose.inc.php
+++ b/mail/inc/class.mail_compose.inc.php
@@ -1785,27 +1785,37 @@ class mail_compose function getAttachment() { - if(isset($_GET['tmpname'])) $attachment['tmp_name'] = $_GET['tmpname']; - if(isset($_GET['name'])) $attachment['name'] = $_GET['name']; - //if(isset($_GET['size'])) $attachment['size'] = $_GET['size']; - if(isset($_GET['type'])) $attachment['type'] = $_GET['type']; + // read attachment data from etemplate request, use tmpname only to identify it + if (($request = etemplate_request::read($_GET['etemplate_exec_id']))) + { + foreach($request->preserv['attachments'] as $attachment) + { + if ($_GET['tmpname'] === $attachment['tmp_name']) break; + } + } + if (!$request || $_GET['tmpname'] !== $attachment['tmp_name']) + { + header('HTTP/1.1 404 Not found'); + die('Attachment '.htmlspecialchars($_GET['tmpname']).' NOT found!'); + } //error_log(__METHOD__.__LINE__.array2string($_GET)); - if (isset($attachment['tmp_name']) && parse_url($attachment['tmp_name'],PHP_URL_SCHEME) == 'vfs') + if (parse_url($attachment['tmp_name'],PHP_URL_SCHEME) == 'vfs') { egw_vfs::load_wrapper('vfs'); - $attachment['attachment'] = file_get_contents($attachment['tmp_name']); } // attachment data in temp_dir, only use basename of given name, to not allow path traversal - elseif(!file_exists($tmp_path = $GLOBALS['egw_info']['server']['temp_dir'].SEP.basename($attachment['tmp_name']))) + else + { + $attachment['tmp_name'] = $GLOBALS['egw_info']['server']['temp_dir'].SEP.basename($attachment['tmp_name']); + } + if(!file_exists($attachment['tmp_name'])) { header('HTTP/1.1 404 Not found'); die('Attachment '.htmlspecialchars($attachment['tmp_name']).' NOT found!'); } - else - { - $attachment['attachment'] = file_get_contents($tmp_path); - } + $attachment['attachment'] = file_get_contents($attachment['tmp_name']); + //error_log(__METHOD__.__LINE__.' FileSize:'.filesize($attachment['tmp_name'])); if ($_GET['mode'] != "save") { diff --git a/mail/js/app.js b/mail/js/app.js index 12333abfa3..bf590420eb 100644 --- a/mail/js/app.js 
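Review bot: The not-found guard `if (!$request || $_GET['tmpname'] !== $attachment['tmp_name'])` tests whatever the `foreach` left in `$attachment`, so it passes when `tmpname` is missing and the stored request holds no attachments (both sides are then null), and an array-valued `tmpname[]` would reach `htmlspecialchars()`. Keep the match in its own variable and accept only string parameters before the lookup, as sketched below. Separately, the second 404 message now prints the rewritten `$attachment['tmp_name']`, which in the temp_dir branch includes the server's temp directory; `htmlspecialchars(basename($attachment['tmp_name']))` would keep that path out of the response. The body of getAttachment() continues past the end of the hunk.

```php
// read attachment data from etemplate request, use tmpname only to identify it
$tmpname = isset($_GET['tmpname']) && is_string($_GET['tmpname']) ? $_GET['tmpname'] : null;
$exec_id = isset($_GET['etemplate_exec_id']) && is_string($_GET['etemplate_exec_id']) ? $_GET['etemplate_exec_id'] : null;
$attachment = null;
if ($tmpname !== null && $exec_id !== null && ($request = etemplate_request::read($exec_id)))
{
	// cast so a request without preserved attachments is simply an empty list
	foreach((array)$request->preserv['attachments'] as $candidate)
	{
		if (isset($candidate['tmp_name']) && $candidate['tmp_name'] === $tmpname)
		{
			$attachment = $candidate;
			break;
		}
	}
}
if ($attachment === null)
{
	header('HTTP/1.1 404 Not found');
	die('Attachment '.htmlspecialchars((string)$tmpname).' NOT found!');
}
// … unchanged: vfs wrapper / temp_dir basename handling and file_exists check …
```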
+++ b/mail/js/app.js @@ -2348,10 +2348,14 @@ app.classes.mail = AppJS.extend( this.displayAttachment(tag_info, widget, true); return; } - var url = window.egw_webserverUrl+'/index.php?'; + var get_param = { + menuaction: 'mail.mail_compose.getAttachment', // todo compose for Draft folder + tmpname: attgrid.tmp_name, + etemplate_exec_id: this.et2._inst.etemplate_exec_id + }; var width; var height; - var windowName ='mail'; + var windowName ='maildisplayAttachment_'+attgrid.file.replace(/\//g,"_"); switch(attgrid.type.toUpperCase()) { case 'IMAGE/JPEG': @@ -2362,29 +2366,10 @@ app.classes.mail = AppJS.extend( case 'TEXT/PLAIN': case 'TEXT/HTML': case 'TEXT/DIRECTORY': -/* - $sfxMimeType = $value['mimeType']; - $buff = explode('.',$value['name']); - $suffix = ''; - if (is_array($buff)) $suffix = array_pop($buff); // take the last extension to check with ext2mime - if (!empty($suffix)) $sfxMimeType = mime_magic::ext2mime($suffix); - if (strtoupper($sfxMimeType) == 'TEXT/VCARD' || strtoupper($sfxMimeType) == 'TEXT/X-VCARD') - { - $attachments[$key]['mimeType'] = $sfxMimeType; - $value['mimeType'] = strtoupper($sfxMimeType); - } -*/ case 'TEXT/X-VCARD': case 'TEXT/VCARD': case 'TEXT/CALENDAR': case 'TEXT/X-VCALENDAR': - url += 'menuaction=mail.mail_compose.getAttachment'; // todo compose for Draft folder - url += '&tmpname='+attgrid.tmp_name; - url += '&name='+attgrid.name; - //url += '&size='+attgrid.size; - url += '&type='+attgrid.type; - - windowName = windowName+'displayAttachment_'+attgrid.file.replace(/\//g,"_"); var reg = '800x600'; var reg2; // handle calendar/vcard 
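Review bot: `get_param` stops sending `name` and `type`, but nothing in the hunk records why, so a later edit could add them back; a comment above it such as `// name/type are looked up server-side from the etemplate request, never trusted from the URL` would document the intent. `this.et2._inst.etemplate_exec_id` reads what looks like a private member of the etemplate instance, so a public accessor is preferable if et2 offers one, and the lookup will throw if `this.et2` is not set when the handler runs. The exec id now travels in the popup's query string and will presumably end up in access logs and browser history, so it is worth confirming that it is useless without the matching session. The enclosing handler starts before this hunk.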
@@ -2411,30 +2396,13 @@ app.classes.mail = AppJS.extend( height = w_h[1]; break; case 'MESSAGE/RFC822': -/* - url += 'menuaction=mail.mail_ui.displayMessage'; // todo compose for Draft folder - url += '&id='+mailid; - url += '&part='+attgrid.partID; - url += '&is_winmail='+attgrid.winmailFlag; - windowName = windowName+'displayMessage_'+mailid+'_'+attgrid.partID; - width = 870; - height = egw_getWindowOuterHeight(); - break; -*/ default: - url += 'menuaction=mail.mail_compose.getAttachment'; // todo compose for Draft folder - url += '&tmpname='+attgrid.tmp_name; - url += '&name='+attgrid.name; - //url += '&size='+attgrid.size; - url += '&type='+attgrid.type; - url += '&mode='+'save'; - - windowName = windowName+'displayAttachment_'+attgrid.file.replace(/\//g,"_"); + get_param.mode = 'save'; width = 870; height = 600; break; } - egw_openWindowCentered(url,windowName,width,height); + egw.openPopup(egw.link('/index.php', get_param), width, height, windowName); }, saveAttachment: function(tag_info, widget)