IMAP over SSH Howto

Tired of managing n+1 passwords? Hate having an extra network port open on that server box? Want to have automated replication of email to your laptop in a Unix command line geek-friendly fashion?

Here's how to make OfflineIMAP synchronize mail between local and remote Maildirs.

  • on the client:

    • create an SSH key pair with no passphrase:
    $ ssh-keygen -t rsa -N '' -f ~/.ssh/imap-preauth-key
  • on the server:

    • install Binc IMAP on the server; no need to have it actually listen for network connections

    • I store my mail as ~/.Mail on the server; create a ~/.bincimap on the server and adjust to fit:

    Mailbox {
      depot = "IMAPdir",
      umask = "0077",
      path = ".Mail",
    }

    • create a shell script ~/bin/imapd-preauth that'll start the IMAP daemon in a preauthenticated mode; note that OfflineIMAP wants a certain style of handshake bincimapd doesn't know how to do, so we fix that with sed:
    #!/bin/sh
    set -e
    # rewrite bincimapd's first line into the greeting OfflineIMAP expects
    bincimapd|sed --unbuffered '1s/^FAKE OK PREAUTH/* PREAUTH/'

    Make the script executable (duh).

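    • authorize the previously generated SSH key to run only the above script -- add the following to ~/.ssh/authorized_keys (split here for readability, make it all one line; replace THINGS to fit). The command= option is what pins the key to the script: sshd runs it no matter what command the client asks for, which is why the client config below can pass fake-command:
    command="$HOME/bin/imapd-preauth",no-port-forwarding,
    no-X11-forwarding,no-agent-forwarding,no-pty SSHPUBLICKEYHERE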
  • on the client:

    • tell OfflineIMAP about the preauthenticated IMAP connection:
    [Account SOMETHING]
    localrepository = local-SOMETHING
    remoterepository = remote-SOMETHING
    [Repository local-SOMETHING]
    type = Maildir
    localfolders = ~/data/mail/SOMETHING
    [Repository remote-SOMETHING]
    type = IMAP
    remotehost = HOSTNAME
    preauthtunnel = env -u SSH_AUTH_SOCK ssh -q -i ~/.ssh/imap-preauth-key %(remotehost)s fake-command

That should be it! Have fun.

(And if you just broke it, feel free to give one of the halves to me.)
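
Because the key created in the first step has no passphrase, the options in front of it in ~/.ssh/authorized_keys are the only thing limiting what it can do. The script below is an added example, not part of the original howto: it reports entries that lack a forced command or any of the four no-* restrictions, treating OpenSSH's restrict option as all four. The function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit authorized_keys entries for missing restrictions.
# Prints "<line> OK" or "<line> WEAK missing: ..."; returns 1 if any is weak.
check_authkeys() {
    awk '
    # Option names before the first unquoted blank, with quoted values
    # dropped; ",," when the line starts with a key type (no options).
    function optnames(line,    i, c, inq, out) {
        if (line ~ /^(ssh-|ecdsa-|sk-)/) return ",,"
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (inq && c == "\\") { i++; continue }   # escaped char in quotes
            if (c == "\"") { inq = !inq; continue }
            if (inq) continue
            if (c == " " || c == "\t") break
            out = out c
        }
        return "," tolower(out) ","
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        sub(/^[ \t]+/, ""); o = optnames($0); miss = ""
        if (!index(o, ",command=,")) miss = " command="
        n = split("port-forwarding x11-forwarding agent-forwarding pty", need, " ")
        for (k = 1; k <= n; k++) {
            # off when no-X is set, or restrict is set and X is not re-enabled
            off = index(o, ",no-" need[k] ",") || (index(o, ",restrict,") && !index(o, "," need[k] ","))
            if (!off) miss = miss " no-" need[k]
        }
        if (miss != "") { bad++; print NR " WEAK missing:" miss } else print NR " OK"
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample entries; AAAAPLACEHOLDER stands in for key material.
sample_authkeys() {
    cat <<'EOF'
# constructed sample file
no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER imap
command="$HOME/bin/imapd-preauth",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER imap
restrict,command="echo \"no-pty\" hi" ssh-ed25519 AAAAPLACEHOLDER other
ssh-rsa AAAAPLACEHOLDER unrestricted
EOF
}

# With a file argument audit it; otherwise audit the constructed sample.
if [ "$#" -gt 0 ]; then check_authkeys "$1"
else sample_authkeys | check_authkeys - || echo "weak entries found"; fi
```

Run it on the server as `sh check.sh ~/.ssh/authorized_keys` (the file name check.sh is hypothetical); a non-zero exit status means at least one entry needs tightening.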
