I've moved to an OfflineIMAP + Gnus setup that's outlined at various places. Gnus can be configured to use ~/.authinfo as a netrc style of file to read passwords from and can easily use encrypted authinfo files as well. Offlineimap, on the other hand, offers no such support and passwords to the local and remote imap accounts are normally stored in clear text in .offlineimaprc.

For the local account this can be overcome by not running a dovecot server but making offlineimap spawn a dovecot process when needed:

 [Repository LocalGmail]
 type = IMAP
 preauthtunnel = /usr/sbin/dovecot -c ~/.dovecot.conf --exec-mail imap

For the remote connection, ideally it should read the password from .authinfo.gpg that Gnus may also read if it's configured to access the remote server directly. This can be pulled off rather easily. Add an include to .offlineimaprc like this:

 [general]
 pythonfile = ~/.offlineimap.py

where ~/.offlineimap.py just defines a single function called get_authinfo_password:

 #!/usr/bin/python
 import re, os
 
 def get_authinfo_password(machine, login, port):
     s = "machine %s login %s password ([^ ]*) port %s" % (machine, login, port)
     p = re.compile(s)
     authinfo = os.popen("gpg -q --no-tty -d ~/.authinfo.gpg").read()
     return p.search(authinfo).group(1)

Now, all that's left is to change remotepass to something like this:

 remotepasseval = get_authinfo_password("imap.gmail.com", "username@gmail.com", 993)

Of course, .authinfo.gpg should also have the corresponding entry:

 machine imap.gmail.com login username@gmail.com password  port 993

That's it, no more cleartext passwords.