[neomutt-users] Recommended way to avoid sending $imap_pass to alternative IMAP server?

Pietro Cerutti gahr at freebsd.org
Mon Oct 5 22:32:24 CEST 2020

> On 5 Oct 2020, at 18:05, James Cook <falsifian at falsifian.org> wrote:
> Thank you, Pietro,
> This made me realize I have one more requirement I didn't mention, which
> I think wouldn't work with the configuration you listed: I want *all* my
> sent emails to be stored in my main account's "Sent" IMAP folder. So,
> even when I'm using my Gmail password to connect to Gmail's IMAP server,
> I still want to use my other IMAP account's password to store things in
> that account's Sent folder.
> The reason for this requirement is: I want to respond to people from
> my new (non-Gmail) email account, even if they emailed my Gmail account.

Sounds like a migration: how I usually did this in the past was by setting up a cron to sync (using mbsync from the isync project) all email from gmail into my new account.

This way I’d be left with a single account to care for.

Anyway, you might be able to set recors = imaps://user@your-main-account/Sent and use a folder-hook to change the imap pass.. I don’t use folder-hooks so much so I fear I can’t give you any more details than this. :-/

> James
>> On Sun, Oct 04, 2020 at 10:46:35AM +0200, Pietro Cerutti wrote:
>> Hi James,
>> this might fit your needs:
>> https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-June/000802.html
>> -- 
>> Pietro Cerutti
>>> On 2 Oct 2020, at 23:43, James Cook <falsifian at falsifian.org> wrote:
>>> Hi neomutt-users (please cc me on reply),
>>> I have the following in my .neomuttrc:
>>> set folder=imaps://exoco.falsifian.org/
>>> set imap_user=falsifian
>>> set imap_pass=`cat "$HOME/org/misc-sec/exoco_mail_password"`
>>> set spoolfile=+INBOX  # Show IMAP inbox on startup.
>>> set ssl_force_tls=yes
>>> # The problem:
>>> Occasionally I check a different email account by pressing "c" and
>>> entering a different IMAP url. However, I'm pretty sure I've accidentally
>>> sent my exoco.falsifian.org password to the other IMAP server by doing
>>> so. I'd rather not do that.
>>> # My question
>>> Am I correct that neomutt will leak my $imap_pass to whatever IMAP server
>>> I point it to? How do you recommend I avoid this? I listed some solutions
>>> below but wonder if I'm missing something simpler.
>>> # Solutions I'm aware of:
>>> I can think of the following solutions:
>>> 1. Put the password in the folder URL instead of setting imap_pass. I
>>> tried this and it didn't seem to work (set folder=imaps://falsifian:`cat
>>> ...`@exoco.falsifian.org/) and I found
>>> https://github.com/neomutt/neomutt/issues/1435 saying this is not
>>> recommended anyway.
>>> 2. As suggested on that Github issue, use account-hook somehow to clear
>>> the imap_pass variable whenever I connect to anything other than
>>> exoco.falsifian.org. This seems tricky and error-prone, and the result
>>> of failure is that I've leaked my password again (and I might not even
>>> be able to tell that it's happened). I'd prefer a setup where the result
>>> of misconfiguration is to not be able to open my email, rather than my
>>> password being leaked.
>>> 3. Manually enter my password every time I start neomutt. Slow, and I
>>> don't want to memorize yet another password.
>>> 4. Use something other than password authentication, so that even if I
>>> accidentally try to authenticate to imap.gmail.com with my
>>> exoco.falsifian.org password, there's no harm done. I guess this is the
>>> best in terms of security, but it means I'll have to spend some time
>>> figuring out how to set it up on the backend.
>>> 5. (My current workaround:) Manually comment out my imap_pass setting and
>>> restart neomutt every time I want to check the other account.
>>> -- 
>>> James

More information about the neomutt-users mailing list