Configuring Mailto in an XDG Environment

Edit: Security features described below have since been incorporated into mutt as the mailto_allow directive.

It’s time to configure your web browser to open mailto links using mutt. You know you want to.

Nimble mutt action.

You also know it’s going to be tricky, as mutt is a command-line program, and command-line programs are like appliances that refuse to die. They work well but don’t match your cupboards from IKEA made from particle board. Still, mutt has a nice trick up its sleeve: It can process mailto arguments on the command line.


There is only one problem: Mutt is unable to process every mailto attribute and fails on attributes it does not recognize (like Body).

> Stopped

[The above mailto link is taken directly from the official mutt mailing list page. Mutt’s fleas have a good sense of irony.]

The solution is to wrap mutt in a script that parses mailto links. Using a whitelist of valid attributes has an added benefit of heightening security, as potentially malicious attributes are automatically discarded.
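One way to write such a wrapper, as an added example rather than the author's MuttMailto script: it rebuilds the mailto URL from whitelisted fields only and passes the result to mutt. The field list, the function names and the encoded CR/LF check are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the author's script: whitelist filter for mailto: URLs.

# Assumed whitelist of header fields; every other field is discarded.
ALLOWED_FIELDS="to cc bcc subject body"

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print a mailto: URL that keeps only whitelisted fields.
# The body is a subshell, so "exit 1" only ends this function (status 1)
# and the IFS / noglob changes do not leak to the caller.
sanitize_mailto() (
    url=$1
    case $(lower "$url") in mailto:*) ;; *) exit 1 ;; esac
    # Raw whitespace or control characters never belong in a URL.
    case $url in *[[:space:][:cntrl:]]*) exit 1 ;; esac

    rest=${url#???????}              # drop the 7-character "mailto:" prefix
    addr=${rest%%\?*}
    case $rest in *\?*) query=${rest#*\?} ;; *) query= ;; esac
    # Encoded CR/LF in the address part could smuggle in extra headers.
    case $(lower "$addr") in *%0a*|*%0d*) exit 1 ;; esac

    out= sep='?'
    IFS='&'; set -f                  # split the query on "&", no globbing
    for pair in $query; do
        case $pair in *=*) ;; *) continue ;; esac
        name=$(lower "${pair%%=*}")
        value=${pair#*=}
        # Whitelist check on the literal, lower-cased field name.
        case " $ALLOWED_FIELDS " in *" $name "*) ;; *) continue ;; esac
        # Only the body may carry encoded line breaks.
        if [ "$name" != body ]; then
            case $(lower "$value") in *%0a*|*%0d*) continue ;; esac
        fi
        out="$out$sep$name=$value"; sep='&'
    done
    printf 'mailto:%s%s\n' "$addr" "$out"
)

# Entry point when used as the Exec= target (assumes mutt is on PATH).
handle_mailto() {
    clean=$(sanitize_mailto "$1") || { echo "rejected mailto URL" >&2; return 1; }
    exec mutt "$clean"
}
[ $# -eq 0 ] || handle_mailto "$1"
```

Field names that are themselves percent-encoded do not match the whitelist and are dropped, which errs on the side of discarding.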

Use that script in a desktop file.

cat "$HOME/.local/share/applications/mutt-mailto.desktop"
> [Desktop Entry]
> Type=Application
> Name=Mutt Mailto Handler
> GenericName=MUA
> Comment=Supposedly sucks less.
> Exec=/home/ingvar/MuttMailto
> Terminal=true
> MimeType=x-scheme-handler/mailto
> NoDisplay=true

Inform the desktop environment.


Make it stick.

xdg-mime default mutt-mailto.desktop x-scheme-handler/mailto

Now you’re cooking with gas.

2 thoughts on “Configuring Mailto in an XDG Environment”

  1. Mutt is not the problem. Your shell is intercepting the & in the mailto url to put mutt in the background, then trying to run `body=subscribe` as a command. If you quote the whole mailto url, the problem goes away.

    1. … It all seems so obvious in retrospect. I suppose my brain failed to parse the ampersand on account of it not trailing. Thank you!

      The article remains unedited, for purposes of humility (and whitelisting’s continued relevance to security).

