Conn Options#
$account_command#
- Description:
Shell command to retrieve account credentials
- Type:
- Default:
(empty)
set account_command = ""
If set, this command is used to retrieve account credentials.
The command is invoked with a number of --key value arguments that carry the specifics of the account to look up.
The command writes to standard output a number of key: value lines.
Currently supported arguments are --hostname, --username, and --type, where type can be any of imap, imaps, pop, pops, smtp, smtps, nntp, and nntps.
Currently supported output lines are login, username, and password.
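The argument and output format described above, shown as a small helper script. This is an added example, not NeoMutt code: the in-script store, the host and account names, and the non-zero exit status on a miss are assumptions made for illustration.

```python
"""Credential helper for $account_command (added example, not NeoMutt code)."""
import sys

SUPPORTED_TYPES = {"imap", "imaps", "pop", "pops", "smtp", "smtps", "nntp", "nntps"}

# Constructed sample store. A real helper would query a keyring or password
# manager here instead of holding secrets in the script.
SAMPLE_STORE = {
    ("imaps", "mail.example.org", "alice"): {
        "login": "alice@example.org", "username": "alice",
        "password": "constructed-sample-secret"},
}

def parse_args(argv):
    """Turn ['--hostname', 'h', '--type', 'imaps', ...] into a dict."""
    args, it = {}, iter(argv)
    for key in it:
        value = next(it, None)
        if not key.startswith("--") or value is None:
            raise ValueError(f"malformed argument list near {key!r}")
        args[key[2:]] = value
    return args

def lookup(argv, store=SAMPLE_STORE):
    """Return the 'key: value' output lines for one lookup, or [] on a miss."""
    args = parse_args(argv)
    if args.get("type") not in SUPPORTED_TYPES:
        return []
    entry = store.get((args["type"], args.get("hostname"), args.get("username")))
    if entry is None:
        return []
    lines = []
    for key in (k for k in ("login", "username", "password") if k in entry):
        if "\n" in entry[key] or "\r" in entry[key]:
            # A line break would let one field inject another output line.
            raise ValueError(f"{key} contains a line break")
        lines.append(f"{key}: {entry[key]}")
    return lines

if __name__ == "__main__":
    # Exit status on a miss is this example's choice; the page does not define it.
    out = lookup(sys.argv[1:])
    if out:
        print("\n".join(out))
    sys.exit(0 if out else 1)
```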
$certificate_file#
- Description:
File containing trusted certificates
- Type:
- Notes:
- Scope:
OpenSSL and GnuTLS only
- Default:
set certificate_file = "~/.mutt_certificates"
Specify the file where trusted certificates are saved. When an unknown certificate is encountered, you are asked if you accept it or not. If you accept it, the certificate can also be saved in this file and further connections are automatically accepted.
You can also manually add CA certificates in this file. Any server certificate that is signed with one of these CA certificates is also automatically accepted.
$entropy_file#
- Description:
File/device containing random data to initialise SSL
- Type:
- Notes:
- Scope:
OpenSSL only
- Default:
(empty)
set entropy_file = ""
The file which includes random data that is used to initialize SSL library functions.
$preconnect#
- Description:
External command to run prior to opening a socket
- Type:
- Default:
(empty)
set preconnect = ""
If set, a shell command to be executed if NeoMutt fails to establish a connection to the server.
This is useful for setting up secure connections, e.g. with ssh(1).
If the command returns a nonzero status, NeoMutt gives up opening the server.
Example:
set preconnect = "ssh -f -q -L 1234:mailhost.net:143 mailhost.net sleep 20 < /dev/null > /dev/null"
Mailbox “foo” on “mailhost.net” can now be reached as “{localhost:1234}foo”.
Note
For this example to work, you must be able to log in to the remote machine without having to enter a password.
$socket_timeout#
- Description:
Timeout for socket connect/read/write operations (-1 to wait indefinitely)
- Type:
- Default:
set socket_timeout = 30
Causes NeoMutt to time out any socket connect/read/write operation (for IMAP, POP or SMTP) after this many seconds. A negative value causes NeoMutt to wait indefinitely.
$ssl_ca_certificates_file#
- Description:
File containing trusted CA certificates
- Type:
- Notes:
- Scope:
GnuTLS only
- Default:
(empty)
set ssl_ca_certificates_file = ""
Specify a file containing trusted CA certificates. Any server certificate that is signed with one of these CA certificates is also automatically accepted.
Example:
set ssl_ca_certificates_file = /etc/ssl/certs/ca-certificates.crt
$ssl_ciphers#
- Description:
Ciphers to use when using SSL
- Type:
- Default:
(empty)
set ssl_ciphers = ""
Contains a colon-separated list of ciphers to use when using SSL.
For OpenSSL, see ciphers(1) for the syntax of the string.
For GnuTLS, this option will be used in place of “NORMAL” at the start of the priority string.
See gnutls_priority_init(3) for the syntax and more details.
(Note: GnuTLS version 2.1.7 or higher is required.)
$ssl_client_cert#
- Description:
File containing client certificates
- Type:
- Notes:
- Default:
(empty)
set ssl_client_cert = ""
The file containing a client certificate and its associated private key.
$ssl_force_tls#
- Description:
Require TLS encryption for all connections
- Type:
- Default:
set ssl_force_tls = yes
If this option is set, NeoMutt will require that all connections to remote servers be encrypted.
Furthermore it will attempt to negotiate TLS even if the server does not advertise the capability, since it would otherwise have to abort the connection anyway.
Supersedes $ssl_starttls.
$ssl_min_dh_prime_bits#
- Description:
Minimum keysize for Diffie-Hellman key exchange
- Type:
- Notes:
- Scope:
GnuTLS only
- Default:
set ssl_min_dh_prime_bits = 0
Specify the minimum acceptable prime size (in bits) for use in any Diffie-Hellman key exchange. A value of 0 will use the default from the GnuTLS library.
$ssl_starttls#
- Description:
Use STARTTLS on servers advertising the capability
- Type:
- Default:
set ssl_starttls = yes
If set (the default), NeoMutt will attempt to use STARTTLS on servers advertising the capability.
When unset, NeoMutt will not attempt to use STARTTLS regardless of the server’s capabilities.
Note
STARTTLS is subject to many kinds of attacks, including the ability of a machine-in-the-middle to suppress the advertising of support.
Setting $ssl_force_tls is recommended if you rely on STARTTLS.
$ssl_use_system_certs#
- Description:
Use CA certificates in the system-wide store
- Type:
- Scope:
GnuTLS only
- Default:
set ssl_use_system_certs = yes
If set to yes, NeoMutt will use CA certificates in the system-wide certificate store when checking if a server certificate is signed by a trusted CA.
$ssl_use_tlsv1_2#
- Description:
Use TLSv1.2 for authentication
- Type:
- Default:
set ssl_use_tlsv1_2 = yes
If set, NeoMutt will use TLSv1.2 when communicating with servers that request it.
$ssl_use_tlsv1_3#
- Description:
Use TLSv1.3 for authentication
- Type:
- Default:
set ssl_use_tlsv1_3 = yes
If set, NeoMutt will use TLSv1.3 when communicating with servers that request it.
$ssl_verify_dates#
- Description:
Verify the dates on the server certificate
- Type:
- Default:
set ssl_verify_dates = yes
If set (the default), NeoMutt will not automatically accept a server certificate that is either not yet valid or already expired.
You should only unset this for particular known hosts, using the :account-hook function.
$ssl_verify_host#
- Description:
Verify the server’s hostname against the certificate
- Type:
- Default:
set ssl_verify_host = yes
If set (the default), NeoMutt will not automatically accept a server certificate whose host name does not match the host used in your folder URL.
You should only unset this for particular known hosts, using the :account-hook function.
$ssl_verify_partial_chains#
- Description:
Allow verification using partial certificate chains
- Type:
- Scope:
OpenSSL 1.0.2b and newer only
- Default:
set ssl_verify_partial_chains = no
Do not change from the default unless you understand what you are doing.
Setting this option to yes will permit verifying partial certification chains, i.e. a certificate chain in which an intermediate CA certificate or the host certificate, rather than the root, is marked trusted (in $certificate_file), without the root signing CA being marked trusted.
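The verification options above say to weaken checks only for particular known hosts through :account-hook. As an added example (not part of NeoMutt), this sketch scans a configuration for settings that relax those checks and reports whether each one is global or scoped to a hook. It assumes the `set name = value` form shown on this page plus `unset name`, and the sample configuration is constructed.

```python
import re

# Values that weaken certificate or transport checks, per the descriptions above.
WEAK = {
    "ssl_force_tls": "no",
    "ssl_verify_dates": "no",
    "ssl_verify_host": "no",
    "ssl_verify_partial_chains": "yes",
}
SET_RE = re.compile(r'^set\s+(\w+)\s*=\s*"?(\w*)"?$')
UNSET_RE = re.compile(r"^unset\s+(\w+)$")
HOOK_RE = re.compile(r"""^account-hook\s+(\S+)\s+(['"])(.*)\2$""")

# Constructed sample configuration, not taken from a real system.
SAMPLE_RC = """\
set ssl_starttls = yes
set ssl_verify_host = no
# exception for one host with an expired certificate
account-hook imaps://legacy.example.net/ 'set ssl_verify_dates = no'
set ssl_verify_partial_chains = yes
unset ssl_force_tls
"""

def setting(command):
    """Return (option, value) for 'set x = y' or 'unset x', else None."""
    m = SET_RE.match(command)
    if m:
        return m.group(1), m.group(2).lower()
    m = UNSET_RE.match(command)
    return (m.group(1), "no") if m else None

def audit(rc_text):
    """Return (line_no, scope, option, value) for every weakening setting."""
    findings = []
    for no, raw in enumerate(rc_text.splitlines(), 1):
        line, scope = raw.strip(), "global"
        if line.startswith("#"):
            continue
        hook = HOOK_RE.match(line)
        if hook:
            scope, line = hook.group(1), hook.group(3)
        for command in line.split(";"):
            found = setting(command.strip())
            if found and WEAK.get(found[0]) == found[1]:
                findings.append((no, scope, *found))
    return findings
```

Findings with scope `global` are the ones that go against the guidance above; hook-scoped findings are per-host exceptions to review individually.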
$tunnel#
- Description:
Shell command to establish a tunnel
- Type:
- Default:
(empty)
set tunnel = ""
Setting this option will cause NeoMutt to open a pipe to a command instead of a raw socket. You may be able to use this to set up preauthenticated connections to your IMAP/POP3/SMTP server.
Example:
set tunnel = "ssh -q mailhost.net /usr/local/libexec/imapd"
Note
For this example to work you must be able to log in to the remote machine without having to enter a password.
When set, NeoMutt uses the tunnel for all remote connections.
See also
:account-hook for how to use different tunnel commands per connection
$tunnel_is_secure#
- Description:
Assume a tunneled connection is secure
- Type:
- Default:
set tunnel_is_secure = yes
When set, NeoMutt will assume the $tunnel connection does not need STARTTLS to be enabled.
It will also allow IMAP PREAUTH server responses inside a $tunnel to proceed.
This is appropriate if $tunnel uses ssh or directly invokes the server locally.
When unset, NeoMutt will negotiate STARTTLS according to the $ssl_starttls and $ssl_force_tls options.
If $ssl_force_tls is set, NeoMutt will abort connecting if an IMAP server responds with PREAUTH.
This setting is appropriate if $tunnel does not provide security and could be tampered with by attackers.
$use_ipv6#
- Description:
Look up IPv6 addresses when making connections
- Type:
- Default:
set use_ipv6 = yes
When set, NeoMutt will look for IPv6 addresses of hosts it tries to contact. If this option is unset, NeoMutt will restrict itself to IPv4 addresses. Normally, the default should work.