Configure mutt to use pass for your email credentials

At Northern.tech we use pass (https://www.passwordstore.org/) as a shared secret system. It is possible to encrypt each password entry to any number of gpg keys and so we can authorize exactly who needs each entry. I rather enjoy the simplicity of pass as well as the fact that the command line tools are wonderful in my opinion. That's the only way I use pass! :)

I was using KeePass for a long time for personal password management, so I decided to migrate over to pass a while ago and in the process decided to try to use pass for more things, like managing my personal email credentials! But how to leverage the email credentials entry for use with my email client?

I wanted to have a good way of logging into my email with mutt (http://www.mutt.org/). Normally you might just put the password as plain text in your ~/.muttrc file. But this is not a good idea even if you change permissions to be more protective.

I set up .muttrc to use imaps and smtps with something like:

set spoolfile="imaps://user@mailhost:993/INBOX"
set smtp_url="smtps://user@mailhost:465/"

I added an entry in my pass store at "user@mailhost" with:

pass generate user@mailhost

Then added the following two lines to have mutt call pass when it needs the password:

set imap_pass="`pass user@mailhost`"
set smtp_pass="`pass user@mailhost`"

Because pass uses gpg and I want to stay on the console, I configure gpg-agent to use the curses-based pinentry (the program used to enter your gpg passphrase).

In the file ~/.gnupg/gpg-agent.conf:

pinentry-timeout 0
pinentry-program /usr/bin/pinentry-curses

Now when I start up mutt and I haven't unlocked my password store recently, I get a challenge and have to enter my gpg passphrase.

After that mutt logs into my email and everything "just works". :)
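
To confirm that no password is left as a literal in a muttrc after moving to pass, the following added example (not part of the original post) flags imap_pass, smtp_pass or pop_pass values that are not backtick command substitutions. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report "file:line:variable" for every mutt password
# variable whose value is a literal instead of a `command` substitution.
# Exit status is 1 when at least one literal password is found.
audit_muttrc() {
    awk '
    /^[ \t]*set[ \t]/ {                 # comment lines never match this
        rest = $0
        # a single "set" line may assign several variables
        while (match(rest, /(imap|smtp|pop)_pass[ \t]*=[ \t]*/)) {
            var = substr(rest, RSTART, RLENGTH)
            sub(/[ \t]*=.*/, "", var)
            rest = substr(rest, RSTART + RLENGTH)
            # an empty value holds no secret
            if (rest == "" || rest ~ /^(""|[ \t])/) continue
            # accepted: `cmd` or "`cmd`"; anything else is reported,
            # including single-quoted values (treated here as literals)
            if (rest !~ /^"?`[^`]+`/) {
                print FILENAME ":" NR ":" var
                bad = 1
            }
        }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample files: one with literal passwords, one using pass.
write_samples() {
    cat > "$1/muttrc.plain" <<'EOF'
set spoolfile="imaps://user@mailhost:993/INBOX"
set imap_pass="constructed-literal-password"
# set smtp_pass="commented-out"
set smtp_url="smtps://user@mailhost:465/" smtp_pass=constructed
EOF
    cat > "$1/muttrc.pass" <<'EOF'
set spoolfile="imaps://user@mailhost:993/INBOX"
set imap_pass="`pass user@mailhost`"
set smtp_pass="`pass user@mailhost`"
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_muttrc "$tmp/muttrc.plain" || echo "literal password(s) found"
audit_muttrc "$tmp/muttrc.pass" && echo "muttrc.pass: no literal passwords"
rm -rf "$tmp"
```

Running `audit_muttrc ~/.muttrc` applies the same check to a real configuration; files pulled in with `source` need to be audited separately.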

P.S. Once you have a gpg key, it is also rather easy to set up signing and opportunistic encryption with mutt.

See this article: https://gitlab.com/muttmua/mutt/wikis/MuttGuide/UseGPG