Many fetchmail tutorials I've read say putting your email account password clear-text in a config file is safe. However, I prefer security through layers **[*silly example:* if my terminal is up and someone suspecting such email foolery slides over and simply types "grep -i pass ~/.*" then, oops, all my base are belong to them! especially if my email provider uses openid (or I'm dumb enough to use the same password for my bank)]**.
Now, with msmtp (as opposed to sendmail) I can authenticate using the OSX keychain. Is there a free/open-source email 'grabber' that lets me use Keychains (or at least, that lets me MD5 the password)?
From a simple utility perspective, yes, you can use Keychain. I strongly encourage you to read the entire `security(1)` man page, which has additional caveats. You can enter the password using the Keychain program or via the command-line:

You can extract this with:

If you Always Allow, `security(1)` will be able to pull these credentials without further prompts. This may be a risk on your system. You could opt to have this always prompt for your password before launching, however. Finally, using this, you can wrap your `fetchmail` call with a springboard script that sets the password to be used. While this does achieve your stated goal of not having obvious files laying around with passwords, I did note the security risks still present with this configuration, which you should consider.
If the keychain allows the plaintext password to be lifted, then it is possible, but you can't MD5 passwords locally, as the server wants it in its own format (usually plaintext).
To use standard imap/smtp/pop3 you need a plaintext password. So if you want to store that locally it needs to be in a format which is reversible, which isn't great news for using the Keychain. However, if the mail server supports it then you can authenticate using an X.509 certificate and SSL. That certificate can be with or without password, and can be stored in the Mac OS X Keychain.
What I can't answer is whether any software actually supports this setup, since I'm not a Mac user. Plus you'd also need your server to support X.509 authentication.
@medina,
Instead of "tmpfile=/tmp/fetchmailrc.$$", I'd recommend using mktemp(1) if it's available.
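Putting the springboard script from the accepted answer and the mktemp(1) suggestion above together, here is an added example (not code from either poster). It assumes a generic-password item already exists in the login keychain with service name `fetchmail` and the mailbox user as the account; the password is fetched with `security find-generic-password` at run time, written to a 0600 temporary fetchmailrc, and removed when fetchmail exits.

```shell
#!/bin/sh
# Springboard for fetchmail: the password never lives in a permanent file.
# It is read from the macOS Keychain, written to a short-lived rc file that
# only this user can read (fetchmail refuses group/world-readable rc files),
# and the file is deleted on exit, including on Ctrl-C.
set -eu

# Look up the password in the keychain. Service/account labels are assumed.
# -w prints only the password; the first run prompts unless "Always Allow"
# was chosen, which is the trade-off the answer above points out.
keychain_password() {
    security find-generic-password -s "$2" -a "$1" -w 2>/dev/null
}

# Render a one-line fetchmailrc. Backslashes and double quotes inside the
# password are escaped so they cannot break out of the quoted string.
render_fetchmailrc() {
    server=$1
    user=$2
    escaped=$(printf '%s' "$3" | sed 's/[\\"]/\\&/g')
    printf 'poll %s proto imap user "%s" password "%s" ssl\n' \
        "$server" "$user" "$escaped"
}

# Usage: run_fetchmail <imap-server> <user> [extra fetchmail args]
run_fetchmail() {
    server=$1
    user=$2
    shift 2
    password=$(keychain_password "$user" fetchmail || true)
    if [ -z "$password" ]; then
        echo "no keychain entry for service fetchmail / account $user" >&2
        return 1
    fi
    # mktemp creates the file atomically with mode 0600; $$-based names can be
    # guessed and pre-created by another local user.
    rc=$(mktemp "${TMPDIR:-/tmp}/fetchmailrc.XXXXXX")
    trap 'rm -f "$rc"' EXIT INT TERM
    render_fetchmailrc "$server" "$user" "$password" > "$rc"
    fetchmail -f "$rc" "$@"
}

# Only run when invoked as a script with arguments.
if [ "$#" -ge 2 ]; then
    run_fetchmail "$@"
fi
```

The lookup only works on macOS, where `security(1)` exists; `render_fetchmailrc` is separate so the generated configuration can be checked anywhere.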
If retrieving mail via POP3 is sufficient for you, have a look at the excellent mpop. It's from the same author as msmtp and also has OSX keychain support for storing authentication credentials.
For IMAP4, you could use the very nice OfflineIMAP and connect it to an OSX keychain using William Snow Orvis' Python hook.
I personally prefer those tools over fetchmail (due to e.g. download speed, feature set, configuration), but your mileage may vary.