Recipe 8.12 Securing POP/IMAP with SSL and mutt

8.12.1 Problem

You want to secure your POP or IMAP email session. Your mail client is mutt, and your mail server supports SSL.

8.12.2 Solution

If you want a POP connection, use SSL-port, since mutt does not support STARTTLS over POP. (See SSL for Securing Mail for definitions.)

    $ MAIL=pops://[email protected]/ mutt

For an IMAP connection, test whether you can use STARTTLS:

    $ MAIL=imap://[email protected]/ mutt

If this works, mutt will flash a message about setting up a "TLS/SSL" connection, confirming your success. If not, then try SSL-port:

    $ MAIL=imaps://[email protected]/ mutt

If none of this works, your ISP does not appear to support IMAP over SSL in any form; try SSH instead. [Recipe 8.15]

8.12.3 Discussion

Many SSL-related configuration variables in mutt affect its behavior; we are assuming the defaults here.

Mutt uses the systemwide trusted certificate list in /usr/share/ssl/cert.pem, which contains certificates from widely recognized Certifying Authorities, such as Verisign, Equifax, and Thawte. If this file does not contain a certificate chain sufficient to validate your mail server's SSL certificate, mutt will complain about the certificate. It will then prompt you to accept or reject the connection. You can alter this behavior by setting:

~/.muttrc:
    set certificate_file=~/.mutt/certificates

Now mutt will further offer to accept the connection either "once" or "always." If you choose "always," mutt will store the certificate in ~/.mutt/certificates and accept it automatically from then on. Be cautious before doing this, however: it allows a man-in-the-middle attack on the first connection. A far better solution is to add the appropriate, trusted issuer certificates to cert.pem.

8.12.4 See Also

mutt(1).
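The closing advice of the Discussion (add the issuer to the trusted list rather than accepting the server certificate "always"), as an added example that is not from the book: the script builds a throwaway CA and server certificate with openssl, then validates the server certificate against a bundle before and after the issuer is appended. Every file name and subject name is constructed, and the demo cert.pem lives in a temporary directory, not in /usr/share/ssl.

```shell
#!/bin/sh
# Added example; every name, subject and file here is constructed.
# The demo cert.pem stands in for mutt's trusted list: the server
# certificate validates only once its issuer is in that bundle.

# make_ca DIR NAME CN: throwaway self-signed CA (NAME.pem, NAME.key).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
# issue_cert DIR CA NAME CN: certificate NAME.pem signed by CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.pem" 2>/dev/null
}
# chain_ok BUNDLE CERT: true if CERT chains to a CA in BUNDLE
# (openssl also consults its default CA directory, which lacks the demo CAs).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# trust_issuer BUNDLE ISSUER: print the issuer's fingerprint (compare it
# with one obtained out-of-band), then append the issuer to BUNDLE.
trust_issuer() {
    openssl x509 -in "$2" -noout -subject -fingerprint -sha256 &&
    cat "$2" >> "$1"
}
# demo: returns 0 if validation fails before the issuer is added to the
# bundle and succeeds afterwards.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" known "Well Known CA" &&      # already in the bundle
    make_ca "$d" mailca "Demo Mail CA" &&      # the mail server's issuer
    issue_cert "$d" mailca server "mail.example.test" ||
        { rm -rf "$d"; return 1; }
    cp "$d/known.pem" "$d/cert.pem"            # stand-in trusted list
    rc=1
    if ! chain_ok "$d/cert.pem" "$d/server.pem"; then
        echo "before: issuer not in bundle (the case where mutt prompts)"
        trust_issuer "$d/cert.pem" "$d/mailca.pem" &&
            chain_ok "$d/cert.pem" "$d/server.pem" &&
            echo "after: chain validates" && rc=0
    fi
    rm -rf "$d"
    return $rc
}
demo
```

Against a real server, `openssl s_client -connect HOST:993 -showcerts` (or `-connect HOST:143 -starttls imap`) prints the chain the server presents; HOST is a placeholder.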