[m.m@xxxxxxxxxxxxx: Re: mutt and plaintext passwords : muttrc encryption ?]

[Michele Martone <m.m@xxxxxxxxxxxxx>]

Hi,
for some reason, this message I sent to the mutt-users@xxxxxxxx list
gets filtered out!

Maybe you could forward this message on behalf of me or just read it.
I appreciated your help, and I hope to contribute in the future.

 michele

--- Begin Message ---

• To: mutt-users <mutt-users@xxxxxxxx>
• Subject: Re: mutt and plaintext passwords : muttrc encryption ?
• From: Michele Martone <m.m@xxxxxxxxxxxxx>
• Date: Tue, 29 Jul 2008 10:01:27 +0100
• In-reply-to: <20080728214353.GD15524@localhost>
• References: <20080728161249.GA9106@localhost> <20080728175800.GE23674@xxxxxxxxxxxxx> <20080728205341.GB15524@localhost> <20080728212907.GH25396@xxxxxxxxxxxxxxxxx> <20080728214353.GD15524@localhost>
• User-agent: Mutt/1.5.11

Unfortunately, the msmtp configuration part didn't go so well as I
wished it to go.

msmtp from version 1.4.15 has stdin password reading disabled, or at
least 'deprecated'; from the ChangeLog: 
"- Do not let getpass() read from stdin, because we read the mail from
  there."
In fact, the password reading code will execute, but it will interfer
with the email message being read meanwhile, so a workaround patch 
for msmtp should be written (maybe styled in the same way vim handles
actions like "date | vim -", namely file description duplication).

But this is OT here I suppose, and would not solve fully 'our' combined
problem of laziness and encryption needs.


So I followed Kyle's advice and tried mutt-1.5.18 :

        ./configure --enable-smtp --enable-imap --enable-pop
        --with-ssl=/usr/include/gnutls/ --with-sasl=/usr/include/sasl

And then overriding the 'sendmail' command by setting :

        smtp[s]://[user[:pass]@]host[:port]/ 

All easy, straightforward. No odds with certificates, as they are
handled by mutt directly. And all of the configuration (er.. except
fetchmail and isync AFAIK) is in plaintext muttrc and some gpg encrypted
helper muttrc chunk.


So Michael's solution :
> > source "gpg -d sensitivestuff.gpg |"
fits perfectly with a gpg - encrypted sensitive muttrc portion.
Once decrypted, no environment variables nor exotic configuration is
required!


One last thing : since the 'gpg' command itself could be sensitive to
the shell environment, I recommend running it with X cut off (fording
the DISPLAY variable being unset):
        
        source "DISPLAY= gpg -d sensitivestuff.gpg |"

This will prevent funny situations I noticed while experimenting with
mutt sessions ran under screen and multiple screen attachments (multi
display screen mode), like some Pinentry window asking me for a
passphrase on the X terminal and attached screen i was not phisically
working on :) .

I've been trying cleaning up the gpg environment completely using 

    source "env --ignore-environment gpg -d sensitivestuff.gpg |"

but this in turn breaks gpg functionality, because unsets variables like
GNUPGHOME or HOME or other ones.

By setting selectively environment variables cited in `man 1 gpg` or 
`man gpg-agent` I wasn't able to find a working minimal gpg environment:

 source "env -i HOME=/home/user COLUMNS=10 LINES=10 GPG_AGENT_INFO=
 PINENTRY_USER_DATA= GPG_TTY=`tty` gpg  --homedir /home/dez/.gnupg -d
 ~/.mutt/private.accounts.gpg|"

So I guess PATH , LD_LIBRARY_PATH environment and some other are still
missing.. so my safe solution is :

        source "DISPLAY= gpg -d sensitivestuff.gpg |"

On 20080728@22:43, Michele Martone wrote:
> `figlet "yes, this is THE solution, working. perfect."`
> 
> thank you guys, now I'll learn to use mutt with smtp features (hope
> tls/ssl is in) and I'll drop some line if Kyle won't do this already :)
> 
> On 20080728@21:29, Michael Kjorling wrote:
> > On 28 Jul 2008 21:53 +0100, by m.m@xxxxxxxxxxxxx (Michele Martone):
> > ...
> > source "gpg -d sensitivestuff.gpg |"
> > 
> > and sensitivestuff being just another muttrc snippet.

--- End Message ---