diff --git a/mail/mutt/Makefile b/mail/mutt/Makefile
index 52046032f61..78634e00d75 100644
--- a/mail/mutt/Makefile
+++ b/mail/mutt/Makefile
@@ -1,9 +1,10 @@
-# $OpenBSD: Makefile,v 1.135 2020/06/19 05:59:38 sthen Exp $
+# $OpenBSD: Makefile,v 1.136 2020/06/21 11:41:31 sthen Exp $
 COMMENT= tty-based e-mail client
 DISTNAME= mutt-1.14.4
 EPOCH= 3
+REVISION= 0
 CATEGORIES= mail
 HOMEPAGE= http://www.mutt.org/
diff --git a/mail/mutt/patches/patch-imap_imap_c b/mail/mutt/patches/patch-imap_imap_c
new file mode 100644
index 00000000000..895cc9b2723
--- /dev/null
+++ b/mail/mutt/patches/patch-imap_imap_c
@@ -0,0 +1,25 @@
+$OpenBSD: patch-imap_imap_c,v 1.2 2020/06/21 11:41:31 sthen Exp $
+
+From dc909119b3433a84290f0095c0f43a23b98b3748 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy
+Date: Sat, 20 Jun 2020 06:35:35 -0700
+Subject: [PATCH] Don't check IMAP PREAUTH encryption if $tunnel is in use.
+
+$tunnel is used to create an external encrypted connection. The
+default of $ssl_starttls is yes, meaning those kinds of connections
+will be broken by the CVE-2020-14093 fix.
+
+Index: imap/imap.c
+--- imap/imap.c.orig
++++ imap/imap.c
+@@ -532,8 +532,8 @@ int imap_open_connection (IMAP_DATA* idata)
+ {
+ #if defined(USE_SSL)
+ /* An unencrypted PREAUTH response is most likely a MITM attack.
+- * Require a confirmation. */
+- if (!idata->conn->ssf)
++ * Require a confirmation unless using $tunnel. */
++ if (!idata->conn->ssf && !Tunnel)
+ {
+ if (option(OPTSSLFORCETLS) ||
+ (query_quadoption (OPT_SSLSTARTTLS,
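Review bot: The new condition `if (!idata->conn->ssf && !Tunnel)` in the imap.c hunk skips the unencrypted-PREAUTH confirmation whenever $tunnel is set, but nothing visible here verifies that the tunnel command actually provides encryption, so a plaintext tunnel would silently lose the CVE-2020-14093 protection. The comment should state that trust assumption, e.g. `* Require a confirmation unless using $tunnel, which is trusted to supply its own encryption (not verified here). */`. `Tunnel` also appears to be a global setting rather than a property of `idata->conn`, so it is worth confirming that it reflects how this particular connection was opened. imap_open_connection begins and ends outside the hunk, so the rest of the PREAUTH handling is not visible.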