diff --git a/MAIL_SETUP.md b/MAIL_SETUP.md new file mode 100644 index 0000000..50354bc --- /dev/null +++ b/MAIL_SETUP.md 
@@ -0,0 +1,98 @@ +# Mail Setup + +Neomutt + mbsync + msmtp with OAuth2 for Outlook.com personal accounts. +Config files are in the dotfiles repo — this covers the manual steps needed on a fresh install. + +## Packages + +```bash +sudo dnf install rbw isync msmtp neomutt +``` + +## 1. rbw (Bitwarden CLI) + +```bash +rbw config set email robharbaugh@outlook.com +rbw config set base_url https://vault.bitwarden.com +rbw login +``` + +## 2. Azure OAuth2 App Registration + +Do this once. The client ID and secret live in Bitwarden. + +1. Go to portal.azure.com — sign in with robharbaugh@outlook.com as a personal account +2. Search **App registrations** → **New registration** +3. Name: anything (e.g. `neomutt`) +4. Supported account types: **Accounts in any organizational directory and personal Microsoft accounts** +5. Redirect URI: **Web** → `http://localhost/` +6. Click **Register**, copy the **Application (client) ID** → save to rbw as `outlook-oauth-client-id` +7. **Certificates & secrets** → **New client secret** → copy the **Value** → save to rbw as `outlook-oauth-client-secret` +8. **API permissions** → **Add a permission** → **APIs my organization uses** → **Office 365 Exchange Online** +9. **Delegated permissions** → add: `IMAP.AccessAsUser.All`, `SMTP.Send`, `offline_access` + +## 3. GPG Key + +Check for an existing key first: + +```bash +gpg --list-secret-keys +``` + +If none, generate one: + +```bash +gpg --full-generate-key +``` + +Choose RSA 4096, no expiry, use robharbaugh@outlook.com as the email. +Note the short key ID (e.g. `A40B4F53`) — update the keychain line in `.zshrc` with it: + +```zsh +eval "$(keychain --eval --quiet --gpg github git)" +``` + +## 4. 
OAuth2 Token + +```bash +mkdir -p ~/.config/neomutt +export GPG_TTY=$(tty) +python3 /usr/share/neomutt/oauth2/mutt_oauth2.py \ + ~/.config/neomutt/outlook.tokens \ + --authorize \ + --provider microsoft \ + --authflow localhostauthcode \ + --encryption-pipe "gpg --encrypt --recipient robharbaugh@outlook.com" \ + --decryption-pipe "gpg --decrypt" \ + --client-id "$(rbw get outlook-oauth-client-id)" \ + --client-secret "$(rbw get outlook-oauth-client-secret)" +``` + +Enter `robharbaugh@outlook.com` when prompted for email and GPG recipient. +This opens a browser for the one-time Microsoft login. Tokens are saved to +`~/.config/neomutt/outlook.tokens` (encrypted, not in git). + +## 5. Stow configs + +```bash +cd ~/.dotfiles +stow laptop +``` + +This symlinks mbsync, msmtp, neomutt, and all other configs into place. + +## 6. Initial mail sync + +```bash +mkdir -p ~/mail/outlook ~/.local/share/msmtp +mbsync +``` + +The first sync will take a while depending on mailbox size. + +## Token file + +`~/.config/neomutt/outlook.tokens` is managed by mutt-oauth2 and is not in git. +It is GPG-encrypted with your key. If it is lost, re-run step 4. +Tokens refresh automatically — you should never need to re-authorize unless +you revoke the app in Azure.
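Review bot: In step 6 the bare `mbsync` command will not sync anything; mbsync requires either `-a` or an explicit channel/group name (it prints a "no channel specified" error otherwise), so the line should read `mbsync -a` or name the channel defined in the stowed mbsyncrc. Two documentation points in the same file: step 3 says to "update the keychain line in `.zshrc`" with the short key ID, but the line shown immediately after, `eval "$(keychain --eval --quiet --gpg github git)"`, contains no GPG key ID at all, so the reader cannot tell where the ID goes (the `--gpg` argument presumably, e.g. `--gpg A40B4F53`), and the `--encryption-pipe` in step 4 selects the key by the email address rather than by that ID, which only works if the email is bound to exactly one secret key; pick one identifier and use it consistently. Also consider stating the expected file mode for `~/.config/neomutt/outlook.tokens` and `~/.local/share/msmtp` in the "Token file" section, since the text explains that the tokens are encrypted but not how the directory itself should be protected on a shared machine.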