Optional Features

1. General Notes

1.1. Enabling/Disabling Features

NeoMutt supports several of optional features which can be enabled or disabled at compile-time by giving the configure script certain arguments. These are listed in the Optional features section of the configure --help output.

Which features are enabled or disabled can later be determined from the output of neomutt -v. If a compile option starts with + it is enabled and disabled if prefixed with -. For example, if NeoMutt was compiled using GnuTLS for encrypted communication instead of OpenSSL, neomutt -v would contain:

-openssl +gnutls

1.2. URL Syntax

NeoMutt optionally supports the IMAP, POP3 and SMTP protocols which require to access servers using URLs. The canonical syntax for specifying URLs in NeoMutt is (an item enclosed in [] means it is optional and may be omitted):

proto[s]://[username[:password]@]server[:port][/path]

proto is the communication protocol: imap for IMAP, pop for POP3 and smtp for SMTP. If s for secure communication is appended, NeoMutt will attempt to establish an encrypted communication using SSL or TLS.

Since all protocols supported by NeoMutt support/require authentication, login credentials may be specified in the URL. This has the advantage that multiple IMAP, POP3 or SMTP servers may be specified (which isn't possible using, for example, $imap_user). The username may contain the @ symbol being used by many mail systems as part of the login name. The special characters /( %2F ), :( %3A ) and %( %25 ) have to be URL-encoded in usernames using the %-notation.

A password can be given, too but is not recommended if the URL is specified in a configuration file on disk.

If no port number is given, NeoMutt will use the system's default for the given protocol (usually consulting /etc/services ).

The optional path is only relevant for IMAP and ignored elsewhere.

Example 6.1. URLs

pops://host/
imaps://user@host/INBOX/Sent
smtp://user@host:587/

2. SSL/TLS Support

If NeoMutt is compiled with IMAP, POP3 and/or SMTP support, it can also be compiled with support for SSL or TLS using either OpenSSL or GnuTLS (by running the configure script with the --ssl=... option for OpenSSL or --gnutls=... for GnuTLS). NeoMutt can then attempt to encrypt communication with remote servers if these protocols are suffixed with s for secure communication.

2.1. STARTTLS

When non-secure URL protocols imap://, pop://, and smtp:// are used, the initial connection to the server will be unencrypted. STARTTLS can be used to negotiate an encrypted connection after the initial unencrypted connection and exchange.

Two configuration variables control NeoMutt's behavior with STARTTLS. $ssl_starttls will initiate STARTTLS if the server advertises support for it. $ssl_force_tls will always try to initiate it, whether the server advertises support or not.

NeoMutt highly recommends setting $ssl_force_tls unless you need to connect to an unencrypted server. It's possible for an attacker to spoof interactions during the initial connection and hide support for STARTTLS. The only way to prevent these attacks is by forcing STARTTLS with the $ssl_force_tls configuration variable.

2.2. Tunnel

When connecting through a $tunnel and $tunnel_is_secure is set(the default), NeoMutt will assume the connection to the server through the pipe is already secured. NeoMutt will ignore $ssl_starttls and $ssl_force_tls, behaving as if TLS has already been negotiated.

When $tunnel_is_secure is unset, NeoMutt will respect the values of $ssl_starttls and $ssl_force_tls. It is highly recommended to set $ssl_force_tls in this case, to force STARTTLS negotiation. Note that doing so will prevent connection to an IMAP server configured for preauthentication( PREAUTH ). If you use this configuration, it is recommended to use a secure tunnel.

3. POP3 Support

NeoMutt has POP3 support and has the ability to work with mailboxes located on a remote POP3 server and fetch mail for local browsing.

Remote POP3 servers can be accessed using URLs with the pop protocol for unencrypted and pops for encrypted communication, see Section 1.2, “URL Syntax” for details.

3.1. Remote POP3 mailboxes

Polling for new mail is more expensive over POP3 than locally. For this reason the frequency at which NeoMutt will check for mail remotely can be controlled by the $pop_check_interval variable, which defaults to every 60 seconds.

Due to limitations in POP3, this method doesn't allow for some features such as editing messages, changing their flags or even deleting them. However, using Section 8.1, “Header Caching” and Section 8.2, “Body Caching”, NeoMutt simulates the new/old/read flags as well as flagged and replied. NeoMutt applies some logic on top of remote messages but cannot change them so that modifications of flags are lost when messages are downloaded from the POP3 server (either by NeoMutt or other tools).

# A sample configuration file for setting up a remote POP3 mailbox

# If an SMTP password has been set, use this to set the same password for POP3.
set pop_pass=$smtp_pass

# Set the POP3 server and user
set pop_host="pops://user@example.com"

# Use the remote server as the mailbox
set folder=$pop_host
set spool_file=+

3.2. Fetching mail from a POP3 server

Another way to access your POP3 mail is the <fetch-mail> function (default: G). It allows to connect to $pop_host, fetch all your new mail and place it in the local $spool_file. After this point, NeoMutt runs exactly as if the mail had always been local. The <fetch-mail> function will ask whether you want to delete the messages on the remote server, leaving only your local copies.

Note

If you only need to fetch all messages to a local mailbox, you should consider using a specialized program, such as fetchmail(1), getmail(1) or similar.

# A sample configuration file for fetching mail from a POP3 server

# The spool file contains the local copies of your messages. If it doesn't
# exist, initialize it as an empty file.
set spool_file="/home/user/.mailspool"

# The POP3 server and user from which to fetch messages
set pop_host="pops://user@example.com"

4. IMAP Support

NeoMutt has IMAP support and has the ability to work with folders located on a remote IMAP server.

You can access the remote inbox by selecting the folder by its URL (see Section 1.2, “URL Syntax” for details) using the imap or imaps protocol. Alternatively, a pine-compatible notation is also supported, i.e. {[username@]imapserver[:port][/ssl]}path/to/folder

Note that not all servers use / as the hierarchy separator. NeoMutt should correctly notice which separator is being used by the server and convert paths accordingly.

The IMAP protocol has a subscription feature where the server manages a list of of subscribed folders. To add or remove a folder to the list of subscribed folders use the commands:

subscribe-to imap-folder-uri
unsubscribe-from imap-folder-uri

imap-folder-uri must be an IMAP URI, from which the server and the folder is derived, e.g.

subscribe-to imaps://mail.example.org/inbox

Instead of the above commands you can also use the <subscribe> and <unsubscribe> functions of the browser (default keys s and u ) to subscribe to or unsubscribe from a folder while browsing the folders on the IMAP server. The browser can be instructed to only display the folders you are subscribed to with the <toggle-subscribed> functions. See also the $imap_list_subscribed variable.

Because the list of subscribed folders is managed by the IMAP server, NeoMutt can also ask the server for that list. If $imap_check_subscribed is set, NeoMutt will do that and add those folders to its mailboxes list just as if you had used the mailboxes command on each of them, so that these folders get checked periodically for new mail.

Polling for new mail on an IMAP server can cause noticeable delays. So, you'll want to carefully tune the $mail_check and $timeout variables. Reasonable values are:

set mail_check=90
set timeout=15

with relatively good results even over slow modem lines.

Note

Note that if you are using mbox as the mail store on UW servers prior to v12.250, the server has been reported to disconnect a client if another client selects the same folder.

4.1. The IMAP Folder Browser

As of version 1.2, NeoMutt supports browsing mailboxes on an IMAP server. This is mostly the same as the local file browser, with the following differences:

  • In lieu of file permissions, NeoMutt displays the string IMAP, possibly followed by the symbol +, indicating that the entry contains both messages and subfolders. On Cyrus-like servers folders will often contain both messages and subfolders. A mailbox name with a trailing delimiter (usually / or .) indicates subfolders.

  • For the case where an entry can contain both messages and subfolders, the selection key (bound to enter by default) will choose to descend into the subfolder view. If you wish to view the messages in that folder, you must use view-file instead (bound to space by default).

  • You can create, delete and rename mailboxes with the <create-mailbox>, <delete-mailbox>, and <rename-mailbox> commands (default bindings: C, d and r, respectively). You may also <subscribe> and <unsubscribe> to mailboxes (normally these are bound to s and u, respectively).

4.2. Authentication

NeoMutt supports four authentication methods with IMAP servers: SASL, GSSAPI, CRAM-MD5, and LOGIN. There is also support for the pseudo-protocol ANONYMOUS, which allows you to log in to a public IMAP server without having an account. To use ANONYMOUS, simply make your username blank or anonymous.

SASL is a special super-authenticator, which selects among several protocols (including GSSAPI, CRAM-MD5, ANONYMOUS, and DIGEST-MD5) the most secure method available on your host and the server. Using some of these methods (including DIGEST-MD5 and possibly GSSAPI), your entire session will be encrypted and invisible to those teeming network snoops. It is the best option if you have it. To use it, you must have the Cyrus SASL library installed on your system and compile NeoMutt with the --with-sasl flag.

NeoMutt will try whichever methods are compiled in and available on the server, in the following order: SASL, ANONYMOUS, GSSAPI, CRAM-MD5, LOGIN.

There are a few variables which control authentication:

  • $imap_user– controls the username under which you request authentication on the IMAP server, for all authenticators. This is overridden by an explicit username in the mailbox path (i.e. by using a mailbox name of the form {user@host} ).

  • $imap_pass– a password which you may preset, used by all authentication methods where a password is needed.

  • $imap_authenticators– a colon-delimited list of IMAP authentication methods to try, in the order you wish to try them. If specified, this overrides NeoMutt's default (attempt everything, in the order listed above).

5. SMTP Support

Besides supporting traditional mail delivery through a sendmail-compatible program, NeoMutt supports delivery through SMTP.

If the configuration variable $smtp_url is set, NeoMutt will contact the given SMTP server to deliver messages; if it is unset, NeoMutt will use the program specified by $sendmail.

For details on the URL syntax, please see Section 1.2, “URL Syntax”.

The built-in SMTP support supports encryption (the smtps protocol using SSL or TLS) as well as SMTP authentication using SASL. The authentication mechanisms for SASL are specified in $smtp_authenticators defaulting to an empty list which makes NeoMutt try all available methods from most-secure to least-secure.

6. OAUTHBEARER and XOAUTH2 Support

Preliminary OAUTH support for IMAP, POP, and SMTP is provided via external scripts.

At least for Gmail, you can use the oauth2.py script from Google's gmail-oauth2-tools: https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py

You'll need to get your own oauth client credentials for Gmail here: https://console.developers.google.com/apis/credentials

Then, you'd use oauth2.py with --generate_oauth2_token to get a refresh token, and configure NeoMutt with:

set imap_authenticators="oauthbearer"
set imap_oauth_refresh_command="/path/to/oauth2.py --quiet --user=[email_address]\
    --client_id=[client_id] --client_secret=[client_secret]\
    --refresh_token=[refresh_token]"

For Office365, you can use the mutt_oauth2.py script written by Alexander Perlis: https://github.com/neomutt/neomutt/blob/main/contrib/oauth2/mutt_oauth2.py

You'll need to get your own oauth client credentials by following the script instructions: https://github.com/neomutt/neomutt/blob/main/contrib/oauth2/README.md

set imap_authenticators="xoauth2"
set imap_oauth_refresh_command="/path/to/mutt_oauth2.py /path/to/token"

Substitute pop or smtp for imap in the above examples to configure for those. Please note that xoauth2 support has not yet been implemented for pop.

7. Managing Multiple Accounts

Usage:

account-hook regex command

If you happen to have accounts on multiple IMAP, POP and/or SMTP servers, you may find managing all the authentication settings inconvenient and error-prone. The account-hook command may help. This hook works like folder-hook but is invoked whenever NeoMutt needs to access a remote mailbox (including inside the folder browser), not just when you open the mailbox. This includes (for example) polling for new mail, storing Fcc messages and saving messages to a folder. As a consequence, account-hook should only be used to set connection-related settings such as passwords or tunnel commands but not settings such as sender address or name (because in general it should be considered unpredictable which account-hook was last used).

Some examples:

account-hook . 'unset imap_user; unset imap_pass; unset tunnel'
account-hook imap://host1/ 'set imap_user=me1 imap_pass=foo'
account-hook imap://host2/ 'set tunnel="ssh host2 /usr/libexec/imapd"'
account-hook smtp://user@host3/ 'set tunnel="ssh host3 /usr/libexec/smtpd"'

To manage multiple accounts with, for example, different values of $record or sender addresses, folder-hook has to be be used together with the mailboxes command.

Example 6.2. Managing multiple accounts

mailboxes imap://user@host1/INBOX
folder-hook imap://user@host1/ 'set folder=imap://host1/ ; set record=+INBOX/Sent'
mailboxes imap://user@host2/INBOX
folder-hook imap://user@host2/ 'set folder=imap://host2/ ; set record=+INBOX/Sent'

In example Example 6.2, “Managing multiple accounts” the folders are defined using mailboxes so NeoMutt polls them for new mail. Each folder-hook triggers when one mailbox below each IMAP account is opened and sets $folder to the account's root folder. Next, it sets $record to the INBOX/Sent folder below the newly set $folder. Please notice that the value the + mailbox shortcut refers to depends on the current value of $folder and therefore has to be set separately per account. Setting other values like $from or $signature is analogous to setting $record.

8. Local Caching

NeoMutt contains two types of local caching: (1) the so-called header caching and (2) the so-called body caching which are both described in this section.

Header caching is optional as it depends on external libraries, body caching is always enabled if NeoMutt is compiled with POP and/or IMAP support as these use it (body caching requires no external library).

8.1. Header Caching

NeoMutt provides optional support for caching message headers for the following types of folders: IMAP, POP, Maildir and MH. Header caching greatly speeds up opening large folders because for remote folders, headers usually only need to be downloaded once. For Maildir and MH, reading the headers from a single file is much faster than looking at possibly thousands of single files (since Maildir and MH use one file per message.)

Header caching can be enabled by configuring one of the database backends. One of bdb, gdbm, kyotocabinet, lmdb, qdbm, rocksdb, tdb, tokyocabinet.

If enabled, $header_cache can be used to either point to a file or a directory. If set to point to a file, one database file for all folders will be used (which may result in lower performance), but one file per folder if it points to a directory.

Additionally, $header_cache_backend can be set to specify which backend to use. The list of available backends can be specified at configure time with a set of --with-<backend> options. Currently, the following backends are supported: bdb, gdbm, kyotocabinet, lmdb, qdbm, rocksdb, tdb, tokyocabinet.

Take a look at the benchmark script provided in the following repository: contrib-hcache-benchmark. There you can find a way of finding the storage backend for your needs.

8.2. Body Caching

Both cache methods can be combined using the same directory for storage (and for IMAP/POP even provide meaningful file names) which simplifies manual maintenance tasks.

In addition to caching message headers only, NeoMutt can also cache whole message bodies. This results in faster display of messages for POP and IMAP folders because messages usually have to be downloaded only once.

For configuration, the variable $message_cache_dir must point to a directory. There, NeoMutt will create a hierarchy of subdirectories named like the account and mailbox path the cache is for.

8.3. Cache Directories

For using both, header and body caching, $header_cache and $message_cache_dir can be safely set to the same value.

In a header or body cache directory, NeoMutt creates a directory hierarchy named like: proto:user@hostname where proto is either pop or imap. Within there, for each folder, NeoMutt stores messages in single files and header caches in files with the .hcache extension. All files can be removed as needed if the consumed disk space becomes an issue as NeoMutt will silently fetch missing items again. Pathnames are always stored in UTF-8 encoding.

For Maildir and MH, the header cache files are named after the MD5 checksum of the path.

8.4. Maintenance

NeoMutt does not (yet) support maintenance features for header cache database files so that files have to be removed in case they grow too big. It depends on the database library used for header caching whether disk space freed by removing messages is re-used.

For body caches, NeoMutt can keep the local cache in sync with the remote mailbox if the $message_cache_clean variable is set. Cleaning means to remove messages from the cache which are no longer present in the mailbox which only happens when other mail clients or instances of NeoMutt using a different body cache location delete messages (NeoMutt itself removes deleted messages from the cache when syncing a mailbox). As cleaning can take a noticeable amount of time, it should not be set in general but only occasionally.

Search by Algolia