IMAP over SSH Howto

Tired of managing n+1 passwords? Hate having an extra network port open on that server box? Want to have automated replication of email to your laptop in a Unix command line geek-friendly fashion?

Here's how to make OfflineIMAP synchronize mail between local and remote Maildirs.

  • on the client:

    • create an SSH key pair with no passphrase:

      $ ssh-keygen -t rsa -N '' -f ~/.ssh/imap-preauth-key
  • on the server:

    • install Binc IMAP on the server; no need to have it actually listen for network connections

    • I store my mail as ~/.Mail on the server; create a ~/.bincimap on the server and adjust to fit:

      Mailbox {
        depot = "IMAPdir",
        umask = "0077",
        path = ".Mail"
      }
    • create a shell script ~/bin/imapd-preauth that'll start the IMAP daemon in a preauthenticated mode; note that OfflineIMAP wants a certain style of handshake bincimapd doesn't know how to do, so we fix that with sed:

      #!/bin/sh
      set -e
      # rewrite only line 1, bincimapd's greeting, into the form OfflineIMAP expects
      bincimapd|sed --unbuffered '1s/^FAKE OK PREAUTH/* PREAUTH/'

      Make the script executable (duh).

    • authorize the previously generated SSH key to run only the above script -- add the following to ~/.ssh/authorized_keys (split here for readability, make it all one line; replace THINGS to fit):

      command="$HOME/bin/imapd-preauth",no-port-forwarding,
      no-X11-forwarding,no-agent-forwarding,no-pty SSHPUBLICKEYHERE
  • on the client:

    • tell OfflineIMAP about the preauthenticated IMAP connection:

      [Account SOMETHING]
      localrepository = local-SOMETHING
      remoterepository = remote-SOMETHING
      [Repository local-SOMETHING]
      type = Maildir
      localfolders = ~/data/mail/SOMETHING
      [Repository remote-SOMETHING]
      type = IMAP
      remotehost = HOSTNAME
      preauthtunnel = env -u SSH_AUTH_SOCK ssh -q -i ~/.ssh/imap-preauth-key %(remotehost)s fake-command

That should be it! Have fun.

(And if you just broke it, feel free to give one of the halves to me.)
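Because the key has no passphrase, the authorized_keys entry is the only thing limiting what it can do. The check below is an added example, not part of the original howto: the function name audit_preauth_key is hypothetical, and it also looks for OpenSSH's no-port-forwarding and restrict options, which go beyond the three no-* options listed above.

```sh
#!/bin/sh
# Added example (not from the original howto): audit the authorized_keys
# entry for the passphrase-less IMAP key.
# Usage: audit_preauth_key FILE KEYBLOB SCRIPT
#   FILE    authorized_keys file to inspect
#   KEYBLOB base64 part of ~/.ssh/imap-preauth-key.pub
#   SCRIPT  forced command exactly as written inside command="..."
# Prints one FAIL line per problem; returns 0 only if the key is locked down.
audit_preauth_key() {
    awk -v blob="$2" -v script="$3" '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }              # comments and blank lines
    index($0, blob) == 0 { next }        # some other key
    {
        found = 1
        # The options field ends at the first space outside double quotes.
        opts = ""; inq = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"") inq = !inq
            if (c == " " && !inq) break
            opts = opts c
        }
        if (opts ~ /^(ssh-|ecdsa-|sk-)/) {
            fail("no options: this key can open a full shell"); next
        }
        if (index(opts, "command=\"" script "\"") == 0)
            fail("forced command is not " script)
        # Drop quoted values so a flag name inside command="..." cannot match.
        flags = opts; gsub(/"[^"]*"/, "", flags)
        flags = "," tolower(flags) ","
        if (index(flags, ",restrict,")) next   # restrict turns these all off (re-enabling flags are not checked)
        n = split("no-pty no-agent-forwarding no-x11-forwarding no-port-forwarding", want, " ")
        for (k = 1; k <= n; k++)
            if (index(flags, "," want[k] ",") == 0) fail("missing " want[k])
    }
    END { if (!found) fail("key not found in file"); exit bad + 0 }
    ' "$1"
}
```

Run it on the server as `audit_preauth_key ~/.ssh/authorized_keys "$(cut -d' ' -f2 imap-preauth-key.pub)" '$HOME/bin/imapd-preauth'`, with the third argument matching whatever path you put in command="...".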

2020-01-21T20:49:33-07:00, originally published 2007-02-09T21:11:00-08:00