[neomutt-users] Recommended way to avoid sending $imap_pass to alternative IMAP server?

James Cook falsifian at falsifian.org
Fri Oct 2 23:43:11 CEST 2020

Hi neomutt-users (please cc me on reply),

I have the following in my .neomuttrc:

set folder=imaps://exoco.falsifian.org/
set imap_user=falsifian
set imap_pass=`cat "$HOME/org/misc-sec/exoco_mail_password"`
set spoolfile=+INBOX  # Show IMAP inbox on startup.
set ssl_force_tls=yes

# The problem:

Occasionally I check a different email account by pressing "c" and
entering a different IMAP url. However, I'm pretty sure I've accidentally
sent my exoco.falsifian.org password to the other IMAP server by doing
so. I'd rather not do that.

# My question

Am I correct that neomutt will leak my $imap_pass to whatever IMAP server
I point it to? How do you recommend I avoid this? I listed some solutions
below but wonder if I'm missing something simpler.

# Solutions I'm aware of:

I can think of the following solutions:

1. Put the password in the folder URL instead of setting imap_pass. I
tried this and it didn't seem to work (set folder=imaps://falsifian:`cat
...`@exoco.falsifian.org/) and I found
https://github.com/neomutt/neomutt/issues/1435 saying this is not
recommended anyway.

2. As suggested on that Github issue, use account-hook somehow to clear
the imap_pass variable whenever I connect to anything other than
exoco.falsifian.org. This seems tricky and error-prone, and the result
of failure is that I've leaked my password again (and I might not even
be able to tell that it's happened). I'd prefer a setup where the result
of misconfiguration is to not be able to open my email, rather than my
password being leaked.

3. Manually enter my password every time I start neomutt. Slow, and I
don't want to memorize yet another password.

4. Use something other than password authentication, so that even if I
accidentally try to authenticate to imap.gmail.com with my
exoco.falsifian.org password, there's no harm done. I guess this is the
best in terms of security, but it means I'll have to spend some time
figuring out how to set it up on the backend.

5. (My current workaround:) Manually comment out my imap_pass setting and
restart neomutt every time I want to check the other account.


More information about the neomutt-users mailing list