<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Hi James,<div><br></div><div>this might fit your needs:</div><div><br></div><div><p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><span style="font-size: 12pt;"><a href="https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-June/000802.html">https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-June/000802.html</a></span></p><br><div id="AppleMailSignature" dir="ltr"><div>-- </div>Pietro Cerutti</div><div dir="ltr"><br>On 2 Oct 2020, at 23:43, James Cook &lt;<a href="mailto:falsifian@falsifian.org">falsifian@falsifian.org</a>&gt; wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><span>Hi neomutt-users (please cc me on reply),</span><br><span></span><br><span>I have the following in my .neomuttrc:</span><br><span></span><br><span>set folder=imaps://exoco.falsifian.org/</span><br><span>set imap_user=falsifian</span><br><span>set imap_pass=`cat "$HOME/org/misc-sec/exoco_mail_password"`</span><br><span>set spoolfile=+INBOX  # Show IMAP inbox on startup.</span><br><span>set ssl_force_tls=yes</span><br><span></span><br><span></span><br><span># The problem:</span><br><span></span><br><span>Occasionally I check a different email account by pressing "c" and</span><br><span>entering a different IMAP url. However, I'm pretty sure I've accidentally</span><br><span>sent my <a href="http://exoco.falsifian.org">exoco.falsifian.org</a> password to the other IMAP server by doing</span><br><span>so. I'd rather not do that.</span><br><span></span><br><span></span><br><span># My question</span><br><span></span><br><span>Am I correct that neomutt will leak my $imap_pass to whatever IMAP server</span><br><span>I point it to? How do you recommend I avoid this? 
I listed some solutions</span><br><span>below but wonder if I'm missing something simpler.</span><br><span></span><br><span></span><br><span># Solutions I'm aware of:</span><br><span></span><br><span>I can think of the following solutions:</span><br><span></span><br><span>1. Put the password in the folder URL instead of setting imap_pass. I</span><br><span>tried this and it didn't seem to work (set folder=imaps://falsifian:`cat</span><br><span>...`@exoco.falsifian.org/) and I found</span><br><span><a href="https://github.com/neomutt/neomutt/issues/1435">https://github.com/neomutt/neomutt/issues/1435</a> saying this is not</span><br><span>recommended anyway.</span><br><span></span><br><span>2. As suggested on that GitHub issue, use account-hook somehow to clear</span><br><span>the imap_pass variable whenever I connect to anything other than</span><br><span><a href="http://exoco.falsifian.org">exoco.falsifian.org</a>. This seems tricky and error-prone, and the result</span><br><span>of failure is that I've leaked my password again (and I might not even</span><br><span>be able to tell that it's happened). I'd prefer a setup where the result</span><br><span>of misconfiguration is to not be able to open my email, rather than my</span><br><span>password being leaked.</span><br><span></span><br><span>3. Manually enter my password every time I start neomutt. Slow, and I</span><br><span>don't want to memorize yet another password.</span><br><span></span><br><span>4. Use something other than password authentication, so that even if I</span><br><span>accidentally try to authenticate to <a href="http://imap.gmail.com">imap.gmail.com</a> with my</span><br><span><a href="http://exoco.falsifian.org">exoco.falsifian.org</a> password, there's no harm done. I guess this is the</span><br><span>best in terms of security, but it means I'll have to spend some time</span><br><span>figuring out how to set it up on the backend.</span><br><span></span><br><span>5. 
(My current workaround:) Manually comment out my imap_pass setting and</span><br><span>restart neomutt every time I want to check the other account.</span><br><span></span><br><span>-- </span><br><span>James</span><br></div></blockquote></div></body></html>