It seems that msmtp distributed under GPLv3+ supports Mac OS X keychain. (snip) I updated my patch for msmtp (msmtp-gnome-keyring.patch). It works well and I removed plain password texts from my ~/.msmtprc.

Basically, it does the same thing but it gets much simplified. I choose network password instead of generic secret type to keep secret and its associated parameters; user, server and protocol.

In addition, I noted some code snippets to access gnome-keyring with its python binding below just for the record. There is not much documents for gnome-keyring, so I tried and figured ways to access keyring and control secrets and its associated information out along the way with using ipython.

NOTE: If you try to play with these snippets, I recommend you to backup your keyring before that as my code might make your keyring corrupted.

>>>
>>> import gnomekeyring as gk
>>> import glib
>>>
>>> # Set temporal application name. gnome-keyring requires this.
>>> # (it will be replaced later).
>>> glib.set_application_name("msmtp")
>>>                                     
>>> # get default keyring name. you can also specify it explicitly.
>>> keyring = gk.get_default_keyring_sync()
>>>
>>> # display name for password.
>>> display_name = 'SMTP secret for foo@example.com/smtp.example.com'
>>>
>>> # select type. if you want some kind of "network" password, it seems that
>>> # appropriate type is network_password because it has a schema already.
>>> type = gk.ITEM_NETWORK_PASSWORD
>>>
>>> # just a utility function to create attrs easily.
>>> def parse(s):
>>>    ret = {}
>>>    try:
>>>        ret = dict([(k,v) for k,v in [x.split(':') for x in s.split(',')] if k and v])
>>>    except ValueError:
>>>        pass
>>>    return ret
>>>
>>> # create attrs :: {} (dict)
>>> attrs = {
>>>  'user':None, 'domain':None, 'server':None, 'object':None,
>>>   'protocol':None, 'authtype':None, 'port':None,
>>>}
>>> usr_attrs = parse("server:smtp.example.com,user:foo@example.com,protocol:smtp")
>>> attrs.update(usr_attrs) 
>>>
>>> # Then, set password.
>>> secret = 'xxxxxxxxx'
>>>
>>> # Now it gets ready to add into the keyring. Do it.
>>> # Its id will be returned if success or an excpetion will be raised.
>>> id = gk.item_create_sync(keyring, type, display_name, usr_attrs, secret, False)
>>>
>>>
>>> # you can search it. (results :: [matched_network_password_info_dict, ...]
>>> results = gk.find_network_password_sync(**attrs)
>>> results = gk.find_network_password_sync(user='foo@example.com', 
>>>                      domain=None, server=...)
>>> # r = results[0]
>>> # r.get('item_id'), r.get('secret'), r.get('server'), ....
>>>
>>> # another way.
>>> # NOTE: Returned objects is *different* from the above. (not dict)
>>> results = gk.find_items_sync(type, attrs)
>>> 
>>> if results:
>>>    res = results[0]
>>>    # res.keyring, res.item_id, res.attributes, res.secret
>>>    info = gk.item_get_info_sync(res.keyring, res.item_id)
>>>    # info.get_display_name()
>>>
>>>
>>> # allow application 'msmtp' (/usr/bin/msmtp) to r/w access to this secret.
>>> acontrol = gk.AccessControl(gk.ApplicationRef(), gk.ACCESS_READ | gk.ACCESS_WRITE)
>>> acontrol.set_display_name('msmtp')
>>> acontrol.set_path_name('/usr/bin/msmtp')
>>>
>>> acontrol_list = gk.item_get_acl_sync(keyring, id)
>>> acontrol_list.append(acontrol)
>>>
>>> gk.item_set_acl_sync(keyring, id, acontrol_list)
>>>