+ When configuring mutt-ng, there're some points to note about secure setups.
+
+ In practice, mutt-ng can be easily made as vulnerable as even the most insecure
+ mail user agents (in their default configuration) just by changing mutt-ng's
+ configuration files: it then can execute arbitrary programs and scripts
+ attached to messages, send out private data on its own, etc. Although this is
+ not believed to the common type of setup, please read this chapter carefully.
+
+ _\b6_\b._\b1 _\bP_\ba_\bs_\bs_\bw_\bo_\br_\bd_\bs
+
+ Although mutt-ng can be told the various passwords for accounts, please never
+ store passwords in configuration files. Besides the fact that the system's
+ operator can always read them, you could forget to replace the actual password
+ with asterisks when reporting a bug or asking for help via, for example, a
+ mailing list so that your mail including your password could be archived by
+ internet search engines, etc. Please never store passwords on disk.
+
+ _\b6_\b._\b2 _\bT_\be_\bm_\bp_\bo_\br_\ba_\br_\by _\bF_\bi_\bl_\be_\bs
+
+ Mutt-ng uses many temporary files for viewing messages, verifying digital sig-
+ natures, etc. The _\b$_\bu_\bm_\ba_\bs_\bk (section 7.4.331 , page 170) variable can be used to
+ change the default permissions of these files. Please only change it if you
+ really know what you are doing. Also, a different location for these files may
+ be desired which can be changed via the _\b$_\bt_\bm_\bp_\bd_\bi_\br (section 7.4.327 , page 169)
+ variable.
+
+ _\b6_\b._\b3 _\bI_\bn_\bf_\bo_\br_\bm_\ba_\bt_\bi_\bo_\bn _\bL_\be_\ba_\bk_\bs
+
+ _\b6_\b._\b3_\b._\b1 _\bM_\be_\bs_\bs_\ba_\bg_\be_\b-_\bI_\bD_\b: _\bh_\be_\ba_\bd_\be_\br_\bs
+
+ In the default configuration, mutt-ng will leak some information to the outside
+ world when sending messages: the generation of Message-ID: headers includes a
+ step counter which is increased (and rotated) with every message sent. If you'd
+ like to hide this information probably telling others how many mail you sent in
+ which time, you at least need to remove the %P expando from the default setting
+ of the _\b$_\bm_\bs_\bg_\bi_\bd_\b__\bf_\bo_\br_\bm_\ba_\bt (section 7.4.147 , page 124) variable. Please make sure
+ that you really know how local parts of these Message-ID: headers are composed.
+
+ The Mutt Next Generation E-Mail Client 81
+
+ _\b6_\b._\b3_\b._\b2 _\bm_\ba_\bi_\bl_\bt_\bo_\b:_\b-_\bs_\bt_\by_\bl_\be _\bl_\bi_\bn_\bk_\bs
+
+ As mutt-ng be can be set up to be the mail client to handle mailto: style links
+ in websites, there're security considerations, too. To keep the old behavior by
+ default, mutt-ng will be strict in interpreting them which means that arbitrary
+ header fields can be embedded in these links which could override existing
+ header fields or attach arbitrary files. This may be problematic if the
+ _\b$_\be_\bd_\bi_\bt_\b__\bh_\be_\ba_\bd_\be_\br_\bs (section 7.4.58 , page 102) variable is _\bu_\bn_\bs_\be_\bt, i.e. the user
+ doesn't want to see header fields while editing the message.
+
+ For example, following a link like
+
+ mailto:joe@host?Attach=~/.gnupg/secring.gpg
+
+ will send out the user's private gnupg keyring to joe@host if the user doesn't
+ follow the information on screen carefully enough.
+
+ When _\bu_\bn_\bs_\be_\bt_\bt_\bi_\bn_\bg the _\b$_\bs_\bt_\br_\bi_\bc_\bt_\b__\bm_\ba_\bi_\bl_\bt_\bo (section 7.4.315 , page 166) variable, mutt-
+ ng will
+
+ +\bo be less strict when interpreting these links by prepending a X-Mailto-
+ string to all header fields embedded in such a link _\ba_\bn_\bd
+
+ +\bo turn on the _\b$_\be_\bd_\bi_\bt_\b__\bh_\be_\ba_\bd_\be_\br_\bs (section 7.4.58 , page 102) variable by force
+ to let the user see all the headers (because they still may leak informa-
+ tion.)
+
+ _\b6_\b._\b4 _\bE_\bx_\bt_\be_\br_\bn_\ba_\bl _\ba_\bp_\bp_\bl_\bi_\bc_\ba_\bt_\bi_\bo_\bn_\bs
+
+ Mutt-ng in many places has to rely on external applications or for convenience
+ supports mechanisms involving external applications.
+
+ _\b6_\b._\b4_\b._\b1 _\bm_\ba_\bi_\bl_\bc_\ba_\bp
+
+ One of these is the mailcap mechanism as defined by RfC 1524. Mutt-ng can be
+ set up to _\ba_\bu_\bt_\bo_\bm_\ba_\bt_\bi_\bc_\ba_\bl_\bl_\by execute any given utility as listed in one of the mail-
+ cap files (see the _\b$_\bm_\ba_\bi_\bl_\bc_\ba_\bp_\b__\bp_\ba_\bt_\bh (section 7.4.120 , page 118) variable for
+ details.)
+
+ These utilities may have a variety of security vulnerabilities, including over-
+ writing of arbitrary files, information leaks or other exploitable bugs. These
+ vulnerabilities may go unnoticed by the user, especially when they are called
+ automatically (and without interactive prompting) from the mailcap file(s).
+ When using mutt-ng's autoview mechanism in combination with mailcap files,
+ please be sure to...
+
+ +\bo manually select trustworth applications with a reasonable calling sequence
+
+ +\bo periodically check the contents of mailcap files, especially after soft-
+ ware installations or upgrades
+
+ The Mutt Next Generation E-Mail Client 82
+
+ +\bo keep the software packages referenced in the mailcap file up to date
+
+ +\bo leave the _\b$_\bm_\ba_\bi_\bl_\bc_\ba_\bp_\b__\bs_\ba_\bn_\bi_\bt_\bi_\bz_\be (section 7.4.121 , page 119) variable in its
+ default state to restrict mailcap expandos to a safe set of characters
+
+ _\b6_\b._\b4_\b._\b2 _\bO_\bt_\bh_\be_\br
+
+ Besides the mailcap mechanism, mutt-ng uses a number of other external utili-
+ ties for operation.
+
+ The same security considerations apply for these as for tools involved via
+ mailcap (for example, mutt-ng is vulnerable to Denial of Service Attacks with
+ compressed folders support if the uncompressed mailbox is too large for the
+ disk it is saved to.)
+
+ As already noted, most of these problems are not built in but caused by wrong
+ configuration, so please check your configuration.
+
+ _\b7_\b. _\bR_\be_\bf_\be_\br_\be_\bn_\bc_\be
+
+ _\b7_\b._\b1 _\bC_\bo_\bm_\bm_\ba_\bn_\bd _\bl_\bi_\bn_\be _\bo_\bp_\bt_\bi_\bo_\bn_\bs