69

My .muttrc file looks something like this one; see a glimpse below. I am hesitant about the password. How should I store my password to use it with mutt?

set imap_user = "[email protected]"
set imap_pass = "password"

set smtp_url = "smtp://[email protected]:587/"
set smtp_pass = "password"
set from = "[email protected]"
set realname = "Your Real Name"
Anthon
  • 5
    In the post you linked, I already wrote "Make sure your ~/.muttrc isn’t world-readable; it contains your password. (Alternatively, you can leave them out and mutt will prompt you for the password each time.)" :-) –  Jul 18 '10 at 16:36

6 Answers

46

This tweak should get rid of your problem. Use gpg as suggested, or

set imap_pass=`getpassword email_id`

where you use pwsafe or passwords to fetch the passwords.

Edit: If mutt is built with IMAP support (--enable-imap), then mutt should prompt you for the password if you do not set it in the config file. From the manual:

imap_pass

Type: string
Default: ""

Specifies the password for your IMAP account. If unset, Mutt will prompt you for your password when you invoke the fetch-mail function. Warning: you should only use this option when you are on a fairly secure machine, because the superuser can read your muttrc even if you are the only one who can read the file.

nagul
  • 10
    +1 have mutt ask you for it. You should only have to enter it once per session. – David Mackintosh Aug 28 '09 at 14:08
  • 2
    Also, if you run `mutt` within `tmux`, your session can last a while. – Chris W. May 29 '13 at 17:03
  • What is this function `getpassword`? I do not have it in my Ubuntu 14.04.3 LTS (GNU/Linux) server. I think they are `pwsafe` or `passwords` but should I use them? I would like to be logged into my mutt account without a password once I am logged into the server, since the password of the server is the same as the email's one. – Léo Léopold Hertz 준영 Oct 21 '15 at 11:58
  • 2
    You can use pass - https://www.passwordstore.org/ This tool can be used exactly the same way as described in the answer above. Passwords are stored in git repository encrypted by chosen GPG key. – Jakub Jindra Feb 12 '19 at 19:34
  • Worth mentioning, backticks do not expand mutt variables so `imap_pass=\`pass ${imap_user}\`` doesn't work. But using `setenv MUTT_IMAP_USER "${imap_user}"` you can then use `imap_pass=\`pass $MUTT_IMAP_USER\``. This is particularly handy with `mutt-oauth`. – drzraf Jul 04 '22 at 23:35
36

Create a passwords file: ~/.mutt/passwords:

set imap_pass="password"
set smtp_pass="password"

This file can be encrypted using GPG. First, create a public/private key pair:

$ gpg --gen-key

Encrypt the passwords file:

$ gpg -r [email protected] -e ~/.mutt/passwords
$ ls ~/.mutt/passwords*
/home/user/.mutt/passwords   /home/user/.mutt/passwords.gpg
$ shred ~/.mutt/passwords
$ rm ~/.mutt/passwords

Add to your muttrc:

source "gpg -d ~/.mutt/passwords.gpg |"

via

See also Arch Wiki's Mutt entry.

DmitrySandalov
  • Should the public key be in the passwords file or the shell script? I think the shell script should be in .muttrc. After running the gpg command I get `gpg: [email protected]: skipped: public key not found gpg: /u/77/masi/unix/.mutt/passwords: encryption failed: public key not found`. I did `cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/known_hosts` but it does not seem to be the problem. What am I doing wrong? – Léo Léopold Hertz 준영 Oct 21 '15 at 11:58
  • 1
    Masi, you need to have a GPG (or PGP) key, not your SSH public key. More info on GPG keys here: https://fedoraproject.org/wiki/Creating_GPG_Keys and here: https://help.ubuntu.com/community/GnuPrivacyGuardHowto – DmitrySandalov Nov 12 '15 at 21:24
  • 1
    This is a perfect solution. Here is my config file for anyone who needs for reference: https://github.com/shubhamchaudhary/dotfiles/blob/master/home/.muttrc – Shubham Chaudhary Sep 05 '16 at 07:07
  • I thought this was a good solution, but then I typed `:set imap_pass` in mutt and got my password shown in cleartext. Can this be avoided? When mutt asks for the imap password itself, it doesn't show the cleartext password when typing :set ... – MacMartin Jul 27 '17 at 14:55
  • 1
    Did you create your GPG private key without password? If not `gpg -d` would require password. Why use password to encrypt a password when the goal is passwordless login... – sdaffa23fdsf Feb 25 '18 at 08:40
7

Why not use a wallet manager like gnome-keyring or kwalletmanager with secret-tool?

apt install gnome-keyring libsecret-tools

.[neo]muttrc:

source 'echo "$( pw=$( secret-tool lookup user <USERNAME> domain <DOMAIN> ); echo set imap_pass=\"$pw\"; echo set smtp_pass=\"$pw\" )" |'

Store your imap and smtp passwd:

secret-tool store --label=imap user <USERNAME> domain <DOMAIN>

You could choose your own label if you wanted to.

Look up your creds using a shell:

secret-tool lookup user <USERNAME> domain <DOMAIN>

Fire up your [neo]mutt, connect & login to your imap srv. Enjoy.

This solution has advantages over gpg-based ones: it integrates well and there's no additional file left layin' around.

Bonus: Use libsecret or directly gnome-keyring as a git credential-helper as in git with libsecret and git with gnome-keyring. Both helpers need manual compilation. Yes, it's a bit awkward but it is working great.

Gen.Stack
3

To store your imap password safely in GNOME Keyring

put

source ~/.muttrc-retrieve_password |

in your .muttrc with .muttrc-retrieve_password like

IMAP_PASS=$(secret-tool lookup user john_doe host mail.example)
echo "set imap_pass='$IMAP_PASS'"

where you need secret-tool to be installed via

$ apt-get install libsecret-tools -y

and the corresponding entry created like

$ secret-tool store --label=mutt user john_doe host mail.example service imap

at least for mutt 1.9.4 @ ubuntu bionic.


Update: Instead of source you may directly put the line

set imap_pass=`secret-tool lookup user john_doe host mail.example`

into .muttrc (mark the backticks!)

karlsebal
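
An added example, not part of either keyring answer above: both answers print `set imap_pass=...` lines that mutt then parses as configuration, so a password containing a quote, a backtick or `$` can break the line or be interpreted by mutt. This helper escapes the value for a double-quoted muttrc string; `mutt_quote`, `emit_mutt_passwords` and `sample_lookup` are hypothetical names and the sample secret is constructed.

```sh
#!/bin/sh
# Added example: emit muttrc "set" lines for a secret so that no character
# in the secret is interpreted by mutt's config parser.

NL='
'

# mutt_quote VALUE
# Prints VALUE as a double-quoted muttrc string. Inside double quotes mutt
# treats backslash, double quote, "$" and backtick specially, so each gets a
# backslash prefix. Returns 1 for an empty value or one containing a newline
# (a newline would end the "set" line and start a new command).
mutt_quote() {
    case $1 in
        ''|*"$NL"*) return 1 ;;
    esac
    printf '"%s"\n' "$(printf '%s' "$1" | sed 's/[\\"$`]/\\&/g')"
}

# emit_mutt_passwords LOOKUP_CMD [ARGS...]
# Runs the lookup command (for instance: secret-tool lookup user john_doe
# host mail.example) and prints the two "set" lines. Prints nothing and
# returns 1 if the lookup fails, so mutt falls back to prompting.
emit_mutt_passwords() {
    pw=$("$@") || return 1
    quoted=$(mutt_quote "$pw") || return 1
    printf 'set imap_pass=%s\n' "$quoted"
    printf 'set smtp_pass=%s\n' "$quoted"
}

# Constructed sample secret standing in for the keyring lookup; it contains
# every character that needs escaping.
sample_lookup() { printf '%s' 'pa'\''ss`id`$HOME"\x'; }

emit_mutt_passwords sample_lookup
```

Saved as an executable script with the real lookup in place of `sample_lookup`, it is read from .muttrc the same way as the GPG answer's pipe, with a `source "... |"` line.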
1

You can read the password from an unencrypted file.

For example, put the password into ~/secrets/mail_pass:

the_secret_mail_password

Then

chmod 600 ~/secrets/mail_pass

In your muttrc:

# Read the password from a file and set it
set smtp_pass=`cat ~/secrets/mail_pass`
Matthias Braun
  • It is just much easier to `chmod 600 ~/.muttrc`. – dr_ Sep 23 '19 at 07:41
  • 1
    If you keep your passwords in `~/.muttrc` you won't be able to publish it by putting it on GitLab, etc. Also, if you use OfflineIMAP it needs the password too and can read it from the external password file as well. – Matthias Braun Sep 23 '19 at 08:35
0

Based on ShreevatsaR's comment, I want to emphasize security. If the password is in $HOME/.muttrc, do

chmod go-r $HOME/.muttrc

However, I think this is not a secure option still. You should use some method which uses salt in storing passwords.

Léo Léopold Hertz 준영
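
An added example, not from any of the answers: a check that reports the two conditions discussed on this page, a muttrc that group or others can read (what `chmod go-r` and `chmod 600` fix) and a password assigned as a literal rather than fetched with backticks. `audit_muttrc` and `LITERAL_PASS` are hypothetical names, and the pattern is an assumption about how such lines are usually written.

```sh
#!/bin/sh
# Added example: flag a muttrc that is readable by other users or that
# assigns a password as a literal string.

# Matches "set {imap,smtp,pop}_pass =" whose value starts with neither a
# backtick (command substitution) nor "$" (variable). An empty value, which
# makes mutt prompt, is not flagged.
LITERAL_PASS='^[[:space:]]*set[[:space:]]+(imap|smtp|pop)_pass[[:space:]]*=[[:space:]]*["'\'']?[^`$"'\''[:space:]]'

# audit_muttrc FILE
# Prints one finding per line (never the password itself) and returns the
# number of findings, so 0 means clean.
audit_muttrc() {
    f=$1
    findings=0
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }

    # Group- or world-readable: the bits that "chmod go-r" removes.
    if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "$f: readable by group or others"
        findings=$((findings + 1))
    fi

    # Report only the variable name and line number of each literal.
    hits=$(grep -nE "$LITERAL_PASS" "$f" |
        sed -E 's/^([0-9]+):[[:space:]]*set[[:space:]]+([a-z_]+).*/\2 is a literal on line \1/')
    if [ -n "$hits" ]; then
        echo "$hits" | while read -r h; do echo "$f: $h"; done
        findings=$((findings + $(echo "$hits" | wc -l)))
    fi
    return "$findings"
}

# Audit the file named on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_muttrc "$1"
fi
```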