
Ncrypt Options#

$crypt_confirm_hook#

Description:

Prompt the user to confirm keys before use

Type:

Boolean

Default:
set crypt_confirm_hook = yes

If set, then you will be prompted for confirmation of keys when using the crypt-hook command. If unset, no such confirmation prompt will be presented. This is generally considered unsafe, especially where typos are concerned.


$crypt_encryption_info#

Description:

Add an informative block with details about the encryption

Type:

Boolean

Scope:

Crypto only

Default:
set crypt_encryption_info = yes

If set, NeoMutt will include an informative block before an encrypted part, with details about the encryption.


$crypt_opportunistic_encrypt#

Description:

Enable encryption when the recipient’s key is available

Type:

Boolean

Scope:

Crypto only

Default:
set crypt_opportunistic_encrypt = no

Setting this option will cause NeoMutt to automatically enable and disable encryption, based on whether all message recipient keys can be located by NeoMutt.

When this option is enabled, NeoMutt will enable/disable encryption each time the To:, Cc:, and Bcc: lists are edited. If $edit_headers is set, NeoMutt will also do so each time the message is edited.

While this is set, encryption can’t be manually enabled/disabled. The pgp or smime menus provide a selection to temporarily disable this option for the current message.

If $crypt_auto_encrypt or $crypt_reply_encrypt enable encryption for a message, this option will be disabled for that message. It can be manually re-enabled in the pgp or smime menus.


$crypt_opportunistic_encrypt_strong_keys#

Description:

Enable encryption only when a strong key is available

Type:

Boolean

Default:
set crypt_opportunistic_encrypt_strong_keys = no

When set, this modifies the behavior of $crypt_opportunistic_encrypt to only search for “strong keys”, that is, keys with full validity according to the web-of-trust algorithm. A key with marginal or no validity will not enable opportunistic encryption.

For S/MIME, the behavior depends on the backend. Classic S/MIME will filter for certificates with the t (trusted) flag in the .index file. The GPGME backend will use the same filters as with OpenPGP, and depends on GPGME’s logic for assigning the GPGME_VALIDITY_FULL and GPGME_VALIDITY_ULTIMATE validity flag.


$crypt_protected_headers_read#

Description:

Display protected headers (Memory Hole) in the pager

Type:

Boolean

Scope:

Crypto only

Default:
set crypt_protected_headers_read = yes

When set, NeoMutt will display protected headers (“Memory Hole”) in the pager, and will update the index and header cache with revised headers.

Protected headers are stored inside the encrypted or signed part of an email, to prevent disclosure or tampering. For more information see autocrypt/protected-headers. Currently NeoMutt only supports the Subject header.

Encrypted messages using protected headers often substitute the exposed Subject header with a dummy value (see $crypt_protected_headers_subject). NeoMutt will update its concept of the correct subject after the message is opened, i.e. via the <display-message> function. If you reply to a message before opening it, NeoMutt will end up using the dummy Subject header, so be sure to open such a message first.


$crypt_protected_headers_save#

Description:

Save the cleartext Subject: with the headers

Type:

Boolean

Scope:

Crypto only

Default:
set crypt_protected_headers_save = no

When $crypt_protected_headers_read is set, and a message with a protected Subject is opened, NeoMutt will save the updated Subject into the header cache by default. This allows searching/limiting based on the protected Subject header if the mailbox is re-opened, without having to re-open the message each time. However, for mbox/mh mailbox types, or if header caching is not set up, you would need to re-open the message each time the mailbox was reopened before you could see or search/limit on the protected subject again.

When this option is set, NeoMutt additionally saves the protected Subject back in the clear-text message headers. This provides better usability, but with the tradeoff of reduced security. The protected Subject header, which may have previously been encrypted, is now stored in clear-text in the message headers. Copying the message elsewhere, via NeoMutt or external tools, could expose this previously encrypted data. Please make sure you understand the consequences of this before you enable this option.


$crypt_protected_headers_subject#

Description:

Use this as the subject for encrypted emails

Type:

String

Scope:

Crypto only

Default:
set crypt_protected_headers_subject = "..."

When $crypt_protected_headers_write is set, and the message is marked for encryption, this will be substituted into the Subject field in the message headers.

To prevent a subject from being substituted, unset this option, or set it to the empty string.


$crypt_protected_headers_weed#

Description:

Controls whether NeoMutt will weed protected header fields

Type:

Boolean

Scope:

Crypto only

Default:
set crypt_protected_headers_weed = no

Controls whether NeoMutt will weed protected header fields.


$crypt_protected_headers_write#

Description:

Generate protected header (Memory Hole) for signed and encrypted emails

Type:

Boolean

Scope:

Crypto only

Default:
set crypt_protected_headers_write = yes

When set, NeoMutt will generate protected headers for signed and encrypted emails.

Protected headers are stored inside the encrypted or signed part of an email, to prevent disclosure or tampering. For more information see autocrypt/protected-headers.

Currently NeoMutt only supports the Subject header.


$crypt_timestamp#

Description:

Add a timestamp to PGP or SMIME output to prevent spoofing

Type:

Boolean

Scope:

Crypto only

Default:
set crypt_timestamp = yes

If set, NeoMutt will include a time stamp in the lines surrounding PGP or S/MIME output, so spoofing such lines is more difficult. If you are using colors to mark these lines, and rely on these, you may unset this setting.


$crypt_use_gpgme#

Description:

Use GPGME crypto backend

Type:

Boolean

Notes:

On Startup

Default:
set crypt_use_gpgme = yes

Control the use of the GPGME-enabled crypto backends. If it is set and NeoMutt was built with GPGME support, the gpgme code for S/MIME and PGP will be used instead of the classic code.

Note

You need to set this option in .neomuttrc; it won’t have any effect when used interactively.

Note

The GPGME backend does not support creating old-style inline (traditional) PGP encrypted or signed messages (see $pgp_auto_inline).


$crypt_use_pka#

Description:

Use GPGME to use PKA (lookup PGP keys using DNS)

Type:

Boolean

Default:
set crypt_use_pka = no

Controls whether NeoMutt uses PKA during signature verification (only supported by the GPGME backend).


$crypt_verify_sig#

Description:

Verify PGP or SMIME signatures

Type:

Quad-Option

Scope:

Crypto only

Default:
set crypt_verify_sig = yes

Value   Meaning
yes     Always attempt to verify PGP or S/MIME signatures
ask-*   Ask whether or not to verify the signature
no      Never attempt to verify cryptographic signatures


$envelope_from_address#

Description:

Manually set the sender for outgoing messages

Type:

Address

Default:

(empty)

set envelope_from_address = ""

Manually sets the envelope sender for outgoing messages. This value is ignored if $use_envelope_from is unset.


$pgp_auto_decode#

Description:

Automatically decrypt PGP messages

Type:

Boolean

Default:
set pgp_auto_decode = no

If set, NeoMutt will automatically attempt to decrypt traditional PGP messages whenever the user performs an operation which ordinarily would result in the contents of the message being operated on. For example, if the user displays a pgp-traditional message which has not been manually checked with the <check-traditional-pgp> function, NeoMutt will automatically check the message for traditional pgp.


$pgp_auto_inline#

Description:

Use old-style inline PGP messages (not recommended)

Type:

Boolean

Scope:

PGP only

Default:
set pgp_auto_inline = no

Control whether NeoMutt generates old-style inline (traditional) PGP encrypted or signed messages under certain circumstances. This can be overridden by use of the pgp menu, when inline is not required. The GPGME backend does not support this option.

Note

NeoMutt might automatically use PGP/MIME for messages which consist of more than a single MIME part. NeoMutt can be configured to ask before sending PGP/MIME messages when inline (traditional) would not work.

See also

$pgp_mime_auto

Warning

Using the old-style PGP message format is strongly deprecated.


$pgp_check_exit#

Description:

Check the exit code of PGP subprocess

Type:

Boolean

Scope:

PGP only

Default:
set pgp_check_exit = yes

If set, NeoMutt will check the exit code of the PGP subprocess when signing or encrypting. A non-zero exit code means that the subprocess failed.


$pgp_check_gpg_decrypt_status_fd#

Description:

File descriptor used for status info

Type:

Boolean

Scope:

PGP only

Default:
set pgp_check_gpg_decrypt_status_fd = yes

If set, NeoMutt will check the status file descriptor output of $pgp_decrypt_command and $pgp_decode_command for GnuPG status codes indicating successful decryption. This will check for the presence of DECRYPTION_OKAY, absence of DECRYPTION_FAILED, and that all PLAINTEXT occurs between the BEGIN_DECRYPTION and END_DECRYPTION status codes.

If unset, NeoMutt will instead match the status fd output against $pgp_decryption_okay.


$pgp_clear_sign_command#

Description:

External command to inline-sign a message

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_clear_sign_command = ""

Warning

This format is used to create an old-style “clearsigned” PGP message. Using the old-style PGP message format is strongly deprecated.

Note

In this case, %r expands to the search string, which is a list of one or more quoted values such as email address, name, or keyid.

See also


$pgp_decode_command#

Description:

External command to decode a PGP attachment

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_decode_command = ""

Specify the format of a command used to decode application/pgp attachments.

Format Sequences

Short  Long Name         Description
%a     %{sign-as}        Value of $pgp_sign_as if set, otherwise the value of $pgp_default_key
%f     %{file-message}   Expands to the name of a file containing a message
%p     %{need-pass}      Expands to PGPPASSFD=0 when a pass phrase is needed, to an empty string otherwise.
%r     %{key-ids}        One or more key IDs (or fingerprints if available) of a multipart/signed attachment when verifying it


$pgp_decryption_okay#

Description:

Text indicating a successful decryption

Type:

Regular Expression

Notes:

Smart Case

Scope:

PGP only

Default:

(empty)

set pgp_decryption_okay = ""

If you assign text to this option, then an encrypted PGP message is only considered successfully decrypted if the output from $pgp_decrypt_command contains the text. This protects against a spoofed encrypted message that has multipart/encrypted headers but contains a block that is not actually encrypted (e.g. simply signed and ASCII-armored text).

Note

If $pgp_check_gpg_decrypt_status_fd is set, this option is ignored.
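
The status-fd conditions listed under $pgp_check_gpg_decrypt_status_fd, next to the "contains the text" rule of $pgp_decryption_okay, as an added example that is not NeoMutt's own code. The function names are hypothetical, the status lines are constructed, and the pattern check is modelled with Python's re rather than NeoMutt's regex engine.

```python
import re

PREFIX = "[GNUPG:] "


def status_fd_ok(status_output):
    """Apply the three status-fd conditions from the text; return (ok, reason)."""
    inside = False      # True between BEGIN_DECRYPTION and END_DECRYPTION
    saw_okay = False
    for raw in status_output.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue    # not a GnuPG status line
        words = line[len(PREFIX):].split()
        if not words:
            continue
        keyword = words[0]
        if keyword == "DECRYPTION_FAILED":
            return (False, "DECRYPTION_FAILED present")
        if keyword == "BEGIN_DECRYPTION":
            inside = True
        elif keyword == "END_DECRYPTION":
            inside = False
        elif keyword == "DECRYPTION_OKAY":
            saw_okay = True
        elif keyword == "PLAINTEXT" and not inside:
            # Plaintext produced without decryption, e.g. a signed-only block
            return (False, "PLAINTEXT outside BEGIN_DECRYPTION/END_DECRYPTION")
    if not saw_okay:
        return (False, "DECRYPTION_OKAY missing")
    return (True, "ok")


def pattern_only_ok(status_output, pattern):
    """Model of $pgp_decryption_okay: success if the output contains the pattern.
    An empty pattern means no check is applied (assumption drawn from the text)."""
    if pattern == "":
        return True
    return re.search(pattern, status_output) is not None


# Constructed status-fd output, not captured from a real gpg run.
GENUINE = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1700000000 body.txt
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

# multipart/encrypted wrapper whose payload is only signed
SIGNED_ONLY = """\
[GNUPG:] NEWSIG
[GNUPG:] PLAINTEXT 62 1700000000 body.txt
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Sender <sender@example.org>
"""

# a real encrypted block followed by an extra unencrypted block
APPENDED = GENUINE + "[GNUPG:] PLAINTEXT 62 1700000001 extra.txt\n"

FAILED = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""


def compare_checks(pattern="DECRYPTION_OKAY"):
    """Return {sample name: (status-fd verdict, pattern-only verdict)}."""
    samples = {"genuine": GENUINE, "signed_only": SIGNED_ONLY,
               "appended": APPENDED, "failed": FAILED}
    return {name: (status_fd_ok(text)[0], pattern_only_ok(text, pattern))
            for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare_checks().items():
        print(name, verdicts)
```

The "appended" sample is the case that separates the two checks: the output contains DECRYPTION_OKAY, so a pattern match accepts it, while the status-fd check rejects it because one PLAINTEXT line falls outside the decryption bracket.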


$pgp_decrypt_command#

Description:

External command to decrypt a PGP message

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_decrypt_command = ""

This command is used to decrypt a PGP encrypted message.

Note

When decrypting messages using gpg, a pinentry program needs to be invoked unless the password is cached within gpg-agent.

Currently, the pinentry-tty program (usually distributed with gpg) isn’t suitable for being invoked by NeoMutt. You are encouraged to use a different pinentry-program when running NeoMutt in order to avoid problems.


$pgp_default_key#

Description:

Default key to use for PGP operations

Type:

String

Scope:

PGP only

Default:

(empty)

set pgp_default_key = ""

This is the default key-pair to use for PGP operations. It will be used for encryption (see $postpone_encrypt and $pgp_self_encrypt).

It will also be used for signing unless $pgp_sign_as is set.


$pgp_encrypt_only_command#

Description:

External command to encrypt, but not sign a message

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_encrypt_only_command = ""

This command is used to encrypt a body part without signing it.

Note

In this case, %r expands to the search string, which is a list of one or more quoted values such as email address, name, or keyid.

See also


$pgp_encrypt_sign_command#

Description:

External command to encrypt and sign a message

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_encrypt_sign_command = ""

This command is used to both sign and encrypt a body part.

See also


$pgp_entry_format#

Description:

Format string for the PGP Key Dialog

Type:

Expando

Notes:

Not Empty, Pipe Support

Scope:

Crypto only or PGP only when GPGME disabled

Default:
set pgp_entry_format = "%4n %t%f %4l/0x%k %-4a %2c %u"
Alternative:
set pgp_entry_format = "%4{number} %{trust}%{key-flags} %4{key-length}/0x%{key-id} %-4{key-algorithm} %2{key-capabilities} %{user-id}"

Specify the format of the data displayed in the Pgp Dialog and Gpgme Dialog.

If $crypt_use_gpgme is set, then it applies to S/MIME key selection menu also.

Format Sequences

Short   Long Name              Description
%a      %{key-algorithm}       Algorithm
%c      %{key-capabilities}    Capabilities
%f      %{key-flags}           Flags
%i      %{key-fingerprint}     Key fingerprint (or long key id if non-existent)
%k      %{key-id}              Key id
%l      %{key-length}          Key length
%n      %{number}              Number
%p      %{protocol}            Protocol
%t      %{trust}               Trust/validity of the key-uid association
%u      %{user-id}             User id
%A      %{pkey-algorithm}      Primary Key Algorithm
%C      %{pkey-capabilities}   Primary Key Capabilities
%F      %{pkey-flags}          Primary Key Flags
%I      %{pkey-fingerprint}    Primary Key fingerprint (or long key id if non-existent)
%K      %{pkey-id}             Primary Key id
%L      %{pkey-length}         Primary Key length
%[fmt]  %{date}                Date of the key where fmt is an strftime(3) expression
%*X     %{padding-soft:X}      Soft-fill with character X as padding
%>X     %{padding-hard:X}      Right justify the rest of the string and pad with character X
%|X     %{padding-eol:X}       Pad to the end of the line with character X

See the section “Sending Cryptographically Signed/Encrypted Messages” of the user manual for the meaning of the letters some of these sequences expand to.


$pgp_export_command#

Description:

External command to export a public key from the user’s keyring

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_export_command = ""

This command is used to export a public key from the user’s key ring.

See also


$pgp_get_keys_command#

Description:

External command to download a key for an email address

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_get_keys_command = ""

This command is invoked whenever NeoMutt needs to fetch the public key associated with an email address.

Note

Only the %r expando is used with this format. In this case, %r expands to the email address, not the public key ID (the key ID is unknown, which is why NeoMutt is invoking this command).

See also


$pgp_good_sign#

Description:

Text indicating a good signature

Type:

Regular Expression

Notes:

Smart Case

Scope:

PGP only

Default:

(empty)

set pgp_good_sign = ""

If you assign a text to this option, then a PGP signature is only considered verified if the output from $pgp_verify_command contains the text. Use this option if the exit code from the command is 0 even for bad signatures.


$pgp_ignore_subkeys#

Description:

Only use the principal PGP key

Type:

Boolean

Scope:

PGP only

Default:
set pgp_ignore_subkeys = yes

Setting this option will cause NeoMutt to ignore OpenPGP subkeys. Instead, the principal key will inherit the subkeys’ capabilities. Unset this if you want to play interesting key selection games.


$pgp_import_command#

Description:

External command to import a key into the user’s keyring

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_import_command = ""

This command is used to import a key from a message into the user’s public key ring.

See also


$pgp_key_sort#

Description:

Sort order for PGP keys

Type:

Sort Order

Notes:

Reverse

Scope:

PGP only

Default:
set pgp_key_sort = address

Specifies how the entries in the pgp menu are sorted.

Value    Sort by
address  Address
date     Date
keyid    Key id
trust    Trust level


$pgp_list_pubring_command#

Description:

External command to list the public keys in a user’s keyring

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_list_pubring_command = ""

This command is used to list the public key ring’s contents. The output format must be analogous to the one used by:

gpg --list-keys --with-colons --with-fingerprint

Note

gpg’s fixed-list-mode option should not be used. It produces a different date format which may result in NeoMutt showing incorrect key generation dates.

See also


$pgp_list_secring_command#

Description:

External command to list the private keys in a user’s keyring

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_list_secring_command = ""

This command is used to list the secret key ring’s contents. The output format must be analogous to the one used by:

gpg --list-keys --with-colons --with-fingerprint

Note

gpg’s fixed-list-mode option should not be used. It produces a different date format which may result in NeoMutt showing incorrect key generation dates.

See also


$pgp_long_ids#

Description:

Display long PGP key IDs to the user

Type:

Boolean

Scope:

PGP only

Default:
set pgp_long_ids = yes

If set, use 64-bit PGP key IDs; if unset, use the normal 32-bit key IDs.

Note

Internally, NeoMutt has transitioned to using fingerprints (or long key IDs as a fallback). This option now only controls the display of key IDs in the key selection menu and a few other places.


$pgp_mime_auto#

Description:

Prompt the user to use MIME if inline PGP fails

Type:

Quad-Option

Scope:

PGP only

Default:
set pgp_mime_auto = ask-yes

Control whether NeoMutt prompts to automatically send a (signed/encrypted) message using PGP/MIME when inline (traditional) fails (for any reason).

Warning

Using the old-style PGP message format is strongly deprecated.


$pgp_retainable_sigs#

Description:

Create nested multipart/signed or encrypted messages

Type:

Boolean

Scope:

PGP only

Default:
set pgp_retainable_sigs = no

If set, signed and encrypted messages will consist of nested multipart/signed and multipart/encrypted body parts.

This is useful for applications like encrypted and signed mailing lists, where the outer layer (multipart/encrypted) can be easily removed, while the inner multipart/signed part is retained.


$pgp_self_encrypt#

Description:

Encrypted messages will also be encrypted to $pgp_default_key

Type:

Boolean

Scope:

PGP only

Default:
set pgp_self_encrypt = yes

When set, PGP encrypted messages will also be encrypted using the key in $pgp_default_key.


$pgp_show_unusable#

Description:

Show non-usable keys in the key selection

Type:

Boolean

Scope:

PGP only

Default:
set pgp_show_unusable = yes

If set, NeoMutt will display non-usable keys on the PGP key selection menu. This includes keys which have been revoked, have expired, or have been marked as “disabled” by the user.


$pgp_sign_as#

Description:

Use this alternative key for signing messages

Type:

String

Scope:

PGP only

Default:

(empty)

set pgp_sign_as = ""

If you have a different key pair to use for signing, you should set this to the signing key. Most people will only need to set $pgp_default_key. It is recommended that you use the keyid form to specify your key (e.g. 0x00112233).


$pgp_sign_command#

Description:

External command to create a detached PGP signature

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_sign_command = ""

This command is used to create the detached PGP signature for a multipart/signed PGP/MIME body part.

See also


$pgp_strict_enc#

Description:

Encode PGP signed messages with quoted-printable (don’t unset)

Type:

Boolean

Scope:

PGP only

Default:
set pgp_strict_enc = yes

If set, NeoMutt will automatically encode PGP/MIME signed messages as quoted-printable.

Warning

Unsetting this option may lead to problems with non-verifiable PGP signatures, so only change this if you know what you are doing.


$pgp_timeout#

Description:

Time in seconds to cache a passphrase

Type:

Number (Long)

Notes:

Not Negative

Scope:

PGP only

Default:
set pgp_timeout = 300

The number of seconds after which a cached passphrase will expire if not used.


$pgp_use_gpg_agent#

Description:

Use a PGP agent for caching passwords

Type:

Boolean

Scope:

PGP only

Default:
set pgp_use_gpg_agent = yes

If set, NeoMutt expects a gpg-agent(1) process will handle private key passphrase prompts. If unset, NeoMutt will prompt for the passphrase and pass it via stdin to the pgp command.

Note

As of version 2.1, GnuPG automatically spawns an agent and requires the agent be used for passphrase management. Since that version is increasingly prevalent, this option is now set by default.

NeoMutt works with a GUI or curses pinentry program. A TTY pinentry should not be used.

If you are using an older version of GnuPG without an agent running, or another encryption program without an agent, you will need to unset this option.


$pgp_verify_command#

Description:

External command to verify PGP signatures

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_verify_command = ""

This command is used to verify PGP signatures.

See also


$pgp_verify_key_command#

Description:

External command to verify key information

Type:

Expando (Command String)

Scope:

PGP only

Default:

(empty)

set pgp_verify_key_command = ""

This command is used to verify key information from the key selection menu.

See also


$smime_ask_cert_label#

Description:

Prompt the user for a label for SMIME certificates

Type:

Boolean

Scope:

S/MIME only

Default:
set smime_ask_cert_label = yes

This flag controls whether you want to be asked to enter a label for a certificate about to be added to the database or not. It is set by default.


$smime_ca_location#

Description:

File containing trusted certificates

Type:

Path (String)

Notes:

File only

Scope:

S/MIME only

Default:

(empty)

set smime_ca_location = ""

Specify either a directory or a file containing trusted certificates for use with OpenSSL.


$smime_certificates#

Description:

File containing user’s public certificates

Type:

Path (String)

Notes:

Directory only

Scope:

S/MIME only

Default:

(empty)

set smime_certificates = ""

Since for S/MIME there is no pubring/secring as with PGP, NeoMutt has to handle storage and retrieval of keys by itself. This is very basic right now, and keys and certificates are stored in two different directories, both named as the hash-value retrieved from OpenSSL. There is an index file which contains mailbox-address keyid pairs, and which can be manually edited. Point to the location of the certificates.


$smime_decrypt_command#

Description:

External command to decrypt an SMIME message

Type:

Expando (Command String)

Scope:

S/MIME only

Default:

(empty)

set smime_decrypt_command = ""

Specify the format of a command used to decrypt application/pkcs7-mime attachments.

Format Sequences

Short  Long Name             Description
%a     %{algorithm}          Algorithm used for encryption
%C     %{certificate-path}   CA location: Depending on whether $smime_ca_location points to a directory or file, this expands to “-CApath $smime_ca_location” or “-CAfile $smime_ca_location”
%c     %{certificate-ids}    One or more certificate IDs
%d     %{digest-algorithm}   Message digest algorithm specified with $smime_sign_digest_alg
%f     %{message-file}       Expands to the name of a file containing a message
%i     %{intermediate-ids}   Intermediate certificates
%k     %{key}                Key-pair specified with $smime_default_key
%s     %{signature-file}     Expands to the name of a file containing the signature part of a multipart/signed attachment when verifying it

For examples on how to configure these formats, see the smime.rc in the samples/ subdirectory which has been installed on your system alongside the documentation.


$smime_decrypt_use_default_key#

Description:

Use the default key for decryption

Type:

Boolean

Scope:

S/MIME only

Default:
set smime_decrypt_use_default_key = yes

If set (default) this tells NeoMutt to use the default key for decryption. Otherwise, if managing multiple certificate-key-pairs, NeoMutt will try to use the mailbox-address to determine the key to use. It will ask you to supply a key, if it can’t find one.


$smime_default_key#

Description:

Default key for SMIME operations

Type:

String

Scope:

S/MIME only

Default:

(empty)

set smime_default_key = ""

This is the default key-pair to use for S/MIME operations, and must be set to the keyid (the hash-value that OpenSSL generates) to work properly.

It will be used for encryption (see $postpone_encrypt and $smime_self_encrypt). If GPGME is enabled, this is the key id displayed by gpgsm.

It will be used for decryption unless $smime_decrypt_use_default_key is unset.

It will also be used for signing unless $smime_sign_as is set.


$smime_encrypt_command#

Description:

External command to encrypt a message

Type:

Expando (Command String)

Scope:

S/MIME only

Default:

(empty)

set smime_encrypt_command = ""

This command is used to create encrypted S/MIME messages.

Encrypt the message to $smime_default_key too.

See also


$smime_encrypt_with#

Description:

Algorithm for encryption

Type:

String

Scope:

S/MIME only

Default:
set smime_encrypt_with = "aes256"

This sets the algorithm that should be used for encryption.

Algorithms  Notes
aes256      Recommended
aes192
aes128      Still strong
des3        Legacy fallback
des         Unsafe: Do not use
rc2-40      Unsafe: Do not use
rc2-64      Unsafe: Do not use
rc2-128     Unsafe: Do not use


$smime_get_cert_command#

Description:

External command to extract a certificate from a message

Type:

Expando (Command String)

Scope:

S/MIME only

Default:

(empty)

set smime_get_cert_command = ""

This command is used to extract X509 certificates from a PKCS7 structure.

See also


$smime_get_cert_email_command#

Description:

External command to get a certificate for an email

Type:

Expando (Command String)

Scope:

S/MIME only

Default:

(empty)

set smime_get_cert_email_command = ""

This command is used to extract the mail address(es) used for storing X509 certificates, and for verification purposes (to check whether the certificate was issued for the sender’s mailbox).

See also


$smime_get_signer_cert_command#

Description:

External command to extract a certificate from an email

Type:

Expando (Command String)

Scope:

S/MIME only

Default:

(empty)

set smime_get_signer_cert_command = ""

This command is used to extract only the signer’s X509 certificate from an S/MIME signature, so that the certificate’s owner may get compared to the email’s From: field.

See also


$smime_import_cert_command#

Description:

External command to import a certificate

Type:

Expando (Command String)

Scope:

S/MIME only

Default:

(empty)

set smime_import_cert_command = ""

This command is used to import a certificate via smime_keys.

Note

%c and %k will default to $smime_sign_as if set, otherwise $smime_default_key.

See also


$smime_is_default#

Description:

Use SMIME rather than PGP by default

Type:

Boolean

Scope:

S/MIME only

Default:
set smime_is_default = no

The default behavior of NeoMutt is to use PGP on all auto-sign/encryption operations. To override and to use OpenSSL instead this must be set. However, this has no effect while replying, since NeoMutt will automatically select the same application that was used to sign/encrypt the original message.

Note

Can be overridden by unsetting $crypt_auto_smime.


$smime_keys#

Description:

File containing user’s private certificates

Type:

Path (String)

Notes:

Directory only

Scope:

S/MIME only

Default:

(empty)

set smime_keys = ""

Since for S/MIME there is no pubring/secring as with PGP, NeoMutt has to handle storage and retrieval of keys/certs by itself. This is very basic right now, and stores keys and certificates in two different directories, both named as the hash-value retrieved from OpenSSL. There is an index file which contains mailbox-address keyid pairs, and which can be manually edited. Point to the location of the private keys.


$smime_pk7out_command#

Description:

External command to extract a public certificate

Type:

Expando (Command String)

Scope:

S/MIME only

Default:

(empty)

set smime_pk7out_command = ""

This command is used to extract PKCS7 structures of S/MIME signatures, in order to extract the public X509 certificate(s).

See also


$smime_self_encrypt#

Description:

Encrypted messages will also be encrypted to $smime_default_key

Type:

Boolean

Scope:

S/MIME only

Default:
set smime_self_encrypt = yes

When set, S/MIME encrypted messages will also be encrypted using the certificate in $smime_default_key.


$smime_sign_as#

Description:

Use this alternative key for signing messages

Type:

String

Scope:

S/MIME only

Default:

(empty)

set smime_sign_as = ""

If you have a separate key to use for signing, you should set this to the signing key. Most people will only need to set $smime_default_key.


$smime_sign_command#

Description:

External command to sign a message

Type:

Expando (Command String)

Scope:

S/MIME only

Default:

(empty)

set smime_sign_command = ""

This command is used to create S/MIME signatures of type multipart/signed, which can be read by all mail clients.

See also


$smime_sign_digest_alg#

Description:

Digest algorithm

Type:

String

Scope:

S/MIME only

Default:
set smime_sign_digest_alg = "sha256"

This sets the algorithm that should be used for the signature message digest.

Algorithms  Notes
sha512
sha384
sha256      Recommended default
sha224
sha1        Unsafe: Do not use
md5         Unsafe: Do not use
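
A small audit of a neomuttrc against the values this page marks as unsafe, legacy or deprecated, including the combination of $pgp_check_gpg_decrypt_status_fd and $pgp_decryption_okay; this is an added example, not part of NeoMutt. The function names and the sample file are constructed, and the parser handles only the `set name = value` form shown on this page.

```python
import shlex

# option -> {value: note}. Notes quote or paraphrase this page.
VALUE_NOTES = {
    "smime_encrypt_with": {
        "des": "Unsafe: Do not use",
        "rc2-40": "Unsafe: Do not use",
        "rc2-64": "Unsafe: Do not use",
        "rc2-128": "Unsafe: Do not use",
        "des3": "Legacy fallback",
    },
    "smime_sign_digest_alg": {
        "sha1": "Unsafe: Do not use",
        "md5": "Unsafe: Do not use",
    },
    "crypt_confirm_hook": {"no": "crypt-hook keys are used without a confirmation prompt"},
    "crypt_verify_sig": {"no": "signatures are never verified"},
    "crypt_protected_headers_save": {"yes": "protected Subject is saved back into clear-text headers"},
    "pgp_auto_inline": {"yes": "old-style inline PGP is strongly deprecated"},
    "pgp_strict_enc": {"no": "may lead to non-verifiable PGP signatures"},
}

# Defaults copied from this page, needed for the cross-option check.
DEFAULTS = {"pgp_check_gpg_decrypt_status_fd": "yes", "pgp_decryption_okay": ""}


def parse_settings(text):
    """Return {option: (value, line_number)}; a later assignment replaces an earlier one."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            tokens = shlex.split(raw, comments=True)  # drops quotes and # comments
        except ValueError:
            continue  # unbalanced quote: not a line this sketch can read
        if len(tokens) == 4 and tokens[0] == "set" and tokens[2] == "=":
            settings[tokens[1]] = (tokens[3], lineno)
        elif len(tokens) == 2 and tokens[0] == "set" and "=" in tokens[1]:
            name, _, value = tokens[1].partition("=")
            settings[name] = (value, lineno)
    return settings


def audit(text):
    """Return sorted findings as (line_number, option, value, note) tuples."""
    settings = parse_settings(text)
    findings = []
    for name, (value, lineno) in settings.items():
        note = VALUE_NOTES.get(name, {}).get(value.lower())
        if note:
            findings.append((lineno, name, value, note))

    # With the status-fd check off, success is judged by $pgp_decryption_okay;
    # if that is empty as well, nothing checks the decrypt command's output.
    status = settings.get("pgp_check_gpg_decrypt_status_fd",
                          (DEFAULTS["pgp_check_gpg_decrypt_status_fd"], 0))
    pattern = settings.get("pgp_decryption_okay",
                           (DEFAULTS["pgp_decryption_okay"], 0))
    if status[0].lower() == "no" and pattern[0] == "":
        findings.append((status[1], "pgp_decryption_okay", "",
                         "status-fd check is off and no success pattern is set"))
    return sorted(findings)


# Constructed sample, not a recommended configuration.
SAMPLE = """\
# Constructed sample for this example
set crypt_use_gpgme = no
set smime_encrypt_with = "rc2-40"
set smime_sign_digest_alg = "sha1"
set pgp_auto_inline = yes
set crypt_protected_headers_save = no
set pgp_check_gpg_decrypt_status_fd = no
set smime_encrypt_with = "des3"   # later assignment replaces line 3
"""

if __name__ == "__main__":
    for lineno, name, value, note in audit(SAMPLE):
        print(f"line {lineno}: {name} = {value!r}: {note}")
```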


$smime_timeout#

Description:

Time in seconds to cache a passphrase

Type:

Number

Notes:

Not Negative

Scope:

S/MIME only

Default:
set smime_timeout = 300

The number of seconds after which a cached passphrase will expire if not used.


$smime_verify_command#

Description:

External command to verify a signed message

Type:

Expando (Command String)

Scope:

S/MIME only

Default:

(empty)

set smime_verify_command = ""

This command is used to verify S/MIME signatures of type multipart/signed.

See also


$smime_verify_opaque_command#

Description:

External command to verify a signature

Type:

Expando (Command String)

Scope:

S/MIME only

Default:

(empty)

set smime_verify_opaque_command = ""

This command is used to verify S/MIME signatures of type application/pkcs7-mime.

See also