Use getmail to get e-mail simply and securely

I like my e-mail approach to be quick, simple, and above all, secure. I use GnuPG with Mutt for digital signatures and message encryption, TLS encryption to keep my mail server sessions safe from the prying eyes of malicious security crackers, and my mail retrieval tool of choice is getmail. Here's how it all works together.

Many computer users like using monolithic, fancy, massively multi-function, GUI-fied mail clients. This is particularly true of people whose workday tends to revolve around Microsoft Office and its "personal information manager" application, Microsoft Outlook. It's such a huge, integrated collection of functionality that it can't properly be called a mere mail client any longer.

Others, like me, prefer their daily e-mail dealings to be quick, simple, and devoid of distractions. We often prefer separate tools for each part of the process -- one for retrieving incoming mail from the server, another for reading, managing, and composing e-mail, and another for sending it. Aside from the aesthetic simplicity of such an arrangement, this affords far greater control over the workings of the system, which not only allows for greater customizability for one's preferences, but also greater control over the security of the system. It requires greater understanding of how your tools work, however.

My choice for retrieving e-mail these days is called getmail.

Secure mail server authentication

In addition to preferring the quick, simple, and undistracted approach, I also like my e-mail to be secure. I use GnuPG with Mutt for digital signatures and message encryption, but that is only part of the story. There's also the matter of my relationship to my e-mail account on the mail server that receives my e-mails for me.

To ensure the best possible protection of that relationship, I use TLS encryption to keep my mail server sessions safe from the prying eyes of malicious security crackers. This provides general protection against eavesdropping on connections I establish with the server, but more specifically it protects authentication so that some script kiddie with Wireshark running on his computer won't be able to pick up my passwords.

As I explained in an article about basic Web security, TLS is the next generation of encryption to follow SSL. In fact, SSL and TLS are essentially different versions of the same thing. This is what protects your sessions at Web sites where the URI scheme in your browser's address bar is https://. TLS/SSL can be used for more than just protecting Web pages, though -- it is also useful for securing your connection to your e-mail server.

Configuring getmail

To establish a secure connection with your mail server, it has to support encrypted sessions. Check with whoever manages the server -- your ISP or hosting provider, corporate IT department network administrator, et cetera. If the mail server does not support some form of encrypted authentication, get a different provider if at all possible. As I pointed out in the article, "Basic email security tips," it's always a good idea to make sure your e-mail authentication process is encrypted.

I am providing my own getmail configuration file (with syntax modifications to protect my privacy, of course), called getmailrc, to illustrate how you might use getmail to secure connections with your incoming mail server when receiving e-mail. The contents of the file are:


delete = true


type = SimplePOP3SSLRetriever

port = 995

server =

username = username

password = password


type = Mboxrd

path = ~/Mail/Inbox

user = user

I'll explain each line in the file in turn:

  • [options] : While options exist in other sections, this section heading indicates that the immediately following lines refer to general getmail options.
  • delete = true : Because I am using a POP account, where I download emails from the server to store (and deal with) them locally, I set the delete option so that once an email is successfully downloaded it is deleted from the server. This saves space on the server, since I do not need copies of emails to languish there for eternity when I have copies of them here on my laptop.
  • [retriever] : Options following this section heading configure the behavior of the part of getmail that actually gets your e-mail from the mail server.
  • type = SimplePOP3SSLRetriever : The getmail utility offers several different "retriever types" that it uses to indicate the type of connection that should be made. The names of each are fairly self-explanatory, and this one in particular means it will use an SSL-encrypted POP3 protocol session.
  • port = 995 : SSL's default port for e-mail retrieval session encryption is 995. Some servers may use a different port number, but this is the most common when port 25 needs to remain free for those who wish (for some inexplicable reason) to use unencrypted sessions.
  • server = : Of course, getmail needs to know where to find the e-mail. Instead of "", you should use the hostname of the mail server where you have an e-mail account. Mine, like yours, is not "".
  • username = username : Here, you specify the username for your account on the mail server (instead of "username", unless that really is your account username) for authentication purposes. Depending on mail server configuration, it is probably either the part of your e-mail address that comes before the @ symbol, or the entire address -- possibly with the @ replaced by +.
  • password = password : This is why your getmailrc file (probably stored at ~/.getmail/getmailrc) should have 600 permissions (read/write for the owner and not for anyone else -- or even 400 when you aren't modifying it, for read-only access). It is the password used to authenticate with the mail server.
  • [destination] : Lines following this section heading are used to specify how and where to deposit e-mails once they have been downloaded.
  • type = Mboxrd : I use an "mbox" style of inbox file for my e-mails. Your value for the type option in the [destination] section may vary from this example. See the getmail manpage for more details.
  • path = ~/Mail/Inbox : Because I use mbox mail files, and I want the inbox to be called "Inbox" and reside in the ~/Mail directory, I need to have this line set as indicated. Mutt, my Mail User Agent, is configured to look there for e-mail when I want to read it, and getmail is configured with this line to put the e-mail there when it downloads it.
  • user = user : The name of your user account on the computer used for reading your e-mails -- in my case, my laptop -- goes here. Replace the "user" on the right side of the = with your user account name on the local system, and you're done.

The key parts for ensuring your e-mail download sessions are properly configured for encrypted connections are the type, port, username, and password options.

Securing the other tools:

In addition to getmail, of course, you should secure the other e-mail tools you use as well. You can use GnuPG and Mutt to encrypt email, and tools for handling outgoing mail like sSMTP can be configured to use TLS/SSL encryption as well.