aerc is terminal-based and often used with local mail credentials and GPG keys.
Account and Credential Security
- Store IMAP/SMTP credentials with restrictive file permissions.
- Prefer OAuth or app-specific passwords over reusing the account's master password.
- Use separate accounts for admin/service mailboxes.
Transport and Trust
- Enforce TLS verification for IMAP/SMTP connections.
- Reject invalid certificates and pin trusted CAs where needed.
- Use secure SSH sessions when operating remotely.
- Protect local config and cache directories.
- Keep GPG/PGP keyrings secure for signed/encrypted mail workflows.
- Keep aerc and dependencies updated.
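
An added example (not from the original page or the aerc project) that audits an `accounts.conf` for the credential and transport items above: file mode, passwords stored inline, and TLS disabled by scheme. It assumes aerc's INI-style layout with `source`/`outgoing` URLs, `source-cred-cmd`/`outgoing-cred-cmd` keys and the `+insecure` scheme suffix; the accounts, hosts and `pass` commands in the sample are constructed.

```python
import configparser
import os
import stat
import tempfile
from urllib.parse import urlsplit

# Constructed sample in aerc's INI-style accounts.conf layout (not a real account).
SAMPLE = """\
[work]
source = imaps://alice:hunter2@mail.example.org:993
outgoing = smtp+insecure://alice@mail.example.org:25

[personal]
source = imaps://bob@mail.example.net
source-cred-cmd = pass show mail/bob
outgoing = smtps://bob@mail.example.net
outgoing-cred-cmd = pass show mail/bob
"""

def audit_accounts(path):
    """Return findings for permissions, inline passwords and disabled TLS."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append(f"file: mode {mode:04o} exposes credentials, use 0600")
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read(path)
    for account in cfg.sections():
        for key in ("source", "outgoing"):
            url = urlsplit(cfg.get(account, key, fallback=""))
            if url.password:  # secret sits in the file instead of a cred-cmd
                findings.append(f"{account}.{key}: password stored in URL, use {key}-cred-cmd")
            if "insecure" in url.scheme.split("+"):
                findings.append(f"{account}.{key}: scheme '{url.scheme}' disables TLS")
    return findings

def demo(mode=0o644):
    """Write SAMPLE to a temp file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "accounts.conf")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_accounts(path)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To check a real configuration, call `audit_accounts()` with the path to your own `accounts.conf`.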