I've moved to an OfflineIMAP + Gnus setup that's outlined at various places. Gnus can be configured to use ~/.authinfo as a netrc style of file to read passwords from and can easily use encrypted authinfo files as well. Offlineimap, on the other hand, offers no such support and passwords to the local and remote imap accounts are normally stored in clear text in .offlineimaprc.

For the local account this can be overcome by not running a dovecot server but making offlineimap spawn a dovecot process when needed:

 [Repository LocalGmail]
 type = IMAP
 preauthtunnel = /usr/sbin/dovecot -c ~/.dovecot.conf --exec-mail imap

Read more