Under Development

Password Manager

Password Manager#

Install the password tool you plan to use (pass, GPG, GNOME Keyring, or macOS Keychain).
Confirm NeoMutt can access your mail servers without hard-coded passwords.

set imap_pass = "`pass show mail/example`"
set smtp_pass = "`pass show mail/example`"

Expected result: NeoMutt retrieves credentials from pass at startup.

set imap_pass = "`gpg --batch -q --decrypt ~/.neomutt/account.gpg`"
set smtp_pass = "`gpg --batch -q --decrypt ~/.neomutt/account.gpg`"

Expected result: NeoMutt decrypts the password at startup.

set imap_pass = "`secret-tool lookup service imap user you@example.com`"

Expected result: the password is retrieved from the keyring on demand.

set imap_pass = "`security find-generic-password -w -s \"Mail IMAP\" -a \"you@example.com\"`"

Expected result: NeoMutt reads the password from Keychain.

account_command lets NeoMutt call a script that returns credentials for IMAP/POP/SMTP. This avoids storing secrets in config options.

username: you@example.com
password: your-password

set account_command = "/path/to/cred-helper.sh"

Expected result: NeoMutt uses your script to populate account credentials.

See the account_command section in the manual for the full interface.

If you cannot use account_command, backticks are the next best option. Any command that prints the password to stdout can be used:

set imap_pass = "`your-command-here`"
set smtp_pass = "`your-command-here`"

Avoid storing plaintext passwords in config files.
Use password managers or $account_command to keep credentials out of :set output.
Restrict permissions on token files and keyrings.