[neomutt-users] Recommended way to avoid sending $imap_pass to alternative IMAP server?
falsifian at falsifian.org
Mon Oct 5 18:05:32 CEST 2020
Thank you, Pietro,
This made me realize I have one more requirement I didn't mention, which
I think wouldn't work with the configuration you listed: I want *all* my
sent emails to be stored in my main account's "Sent" IMAP folder. So,
even when I'm using my Gmail password to connect to Gmail's IMAP server,
I still want to use my other IMAP account's password to store things in
that account's Sent folder.
The reason for this requirement is: I want to respond to people from
my new (non-Gmail) email account, even if they emailed my Gmail account.
On Sun, Oct 04, 2020 at 10:46:35AM +0200, Pietro Cerutti wrote:
> Hi James,
> this might fit your needs:
> Pietro Cerutti
> > On 2 Oct 2020, at 23:43, James Cook <falsifian at falsifian.org> wrote:
> > Hi neomutt-users (please cc me on reply),
> > I have the following in my .neomuttrc:
> > set folder=imaps://exoco.falsifian.org/
> > set imap_user=falsifian
> > set imap_pass=`cat "$HOME/org/misc-sec/exoco_mail_password"`
> > set spoolfile=+INBOX # Show IMAP inbox on startup.
> > set ssl_force_tls=yes
> > # The problem:
> > Occasionally I check a different email account by pressing "c" and
> > entering a different IMAP url. However, I'm pretty sure I've accidentally
> > sent my exoco.falsifian.org password to the other IMAP server by doing
> > so. I'd rather not do that.
> > # My question
> > Am I correct that neomutt will leak my $imap_pass to whatever IMAP server
> > I point it to? How do you recommend I avoid this? I listed some solutions
> > below but wonder if I'm missing something simpler.
> > # Solutions I'm aware of:
> > I can think of the following solutions:
> > 1. Put the password in the folder URL instead of setting imap_pass. I
> > tried this and it didn't seem to work (set folder=imaps://falsifian:`cat
> > ...`@exoco.falsifian.org/) and I found
> > https://github.com/neomutt/neomutt/issues/1435 saying this is not
> > recommended anyway.
> > 2. As suggested on that Github issue, use account-hook somehow to clear
> > the imap_pass variable whenever I connect to anything other than
> > exoco.falsifian.org. This seems tricky and error-prone, and the result
> > of failure is that I've leaked my password again (and I might not even
> > be able to tell that it's happened). I'd prefer a setup where the result
> > of misconfiguration is to not be able to open my email, rather than my
> > password being leaked.
> > 3. Manually enter my password every time I start neomutt. Slow, and I
> > don't want to memorize yet another password.
> > 4. Use something other than password authentication, so that even if I
> > accidentally try to authenticate to imap.gmail.com with my
> > exoco.falsifian.org password, there's no harm done. I guess this is the
> > best in terms of security, but it means I'll have to spend some time
> > figuring out how to set it up on the backend.
> > 5. (My current workaround:) Manually comment out my imap_pass setting and
> > restart neomutt every time I want to check the other account.
> > --
> > James
More information about the neomutt-users