[neomutt-users] Recommended way to avoid sending $imap_pass to alternative IMAP server?

Pietro Cerutti gahr at FreeBSD.org
Sun Oct 4 10:46:35 CEST 2020

Hi James,

this might fit your needs:


Pietro Cerutti

> On 2 Oct 2020, at 23:43, James Cook <falsifian at falsifian.org> wrote:
> Hi neomutt-users (please cc me on reply),
> I have the following in my .neomuttrc:
> set folder=imaps://exoco.falsifian.org/
> set imap_user=falsifian
> set imap_pass=`cat "$HOME/org/misc-sec/exoco_mail_password"`
> set spoolfile=+INBOX  # Show IMAP inbox on startup.
> set ssl_force_tls=yes
> # The problem:
> Occasionally I check a different email account by pressing "c" and
> entering a different IMAP url. However, I'm pretty sure I've accidentally
> sent my exoco.falsifian.org password to the other IMAP server by doing
> so. I'd rather not do that.
> # My question
> Am I correct that neomutt will leak my $imap_pass to whatever IMAP server
> I point it to? How do you recommend I avoid this? I listed some solutions
> below but wonder if I'm missing something simpler.
> # Solutions I'm aware of:
> I can think of the following solutions:
> 1. Put the password in the folder URL instead of setting imap_pass. I
> tried this and it didn't seem to work (set folder=imaps://falsifian:`cat
> ...`@exoco.falsifian.org/) and I found
> https://github.com/neomutt/neomutt/issues/1435 saying this is not
> recommended anyway.
> 2. As suggested on that Github issue, use account-hook somehow to clear
> the imap_pass variable whenever I connect to anything other than
> exoco.falsifian.org. This seems tricky and error-prone, and the result
> of failure is that I've leaked my password again (and I might not even
> be able to tell that it's happened). I'd prefer a setup where the result
> of misconfiguration is to not be able to open my email, rather than my
> password being leaked.
> 3. Manually enter my password every time I start neomutt. Slow, and I
> don't want to memorize yet another password.
> 4. Use something other than password authentication, so that even if I
> accidentally try to authenticate to imap.gmail.com with my
> exoco.falsifian.org password, there's no harm done. I guess this is the
> best in terms of security, but it means I'll have to spend some time
> figuring out how to set it up on the backend.
> 5. (My current workaround:) Manually comment out my imap_pass setting and
> restart neomutt every time I want to check the other account.
> -- 
> James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/attachments/20201004/464c2da4/attachment.html>

More information about the neomutt-users mailing list