Difference between revisions of "SSMTP"

From ArchWiki
m (edit summary removed)
(Security: As of ssmtp 2.64-12 the conf files are secured by the package; hooks are no longer needed.)
Line 61: Line 61:
  
 
==Security==
 
==Security==
Because your email password is stored as cleartext in {{ic|/etc/ssmtp/ssmtp.conf}}, it is important to secure the file.
+
Because your email password is stored as cleartext in {{ic|/etc/ssmtp/ssmtp.conf}}, it is important that this file is secure. By default, the entire {{ic|/etc/ssmtp}} directory is accessible only by root and the mail group. The {{ic|/usr/bin/ssmtp}} binary runs as the mail group and can read this file. There is no reason to add yourself or other users to the mail group.
Securing ssmtp.conf will ensure that:
 
*if any users have unprivileged access to your system, they cannot read the file and see your email password, while still letting them send out email
 
*if your user account is ever compromised, the hacker cannot read the {{ic|ssmtp.conf}} file, and therefore your email password, unless he gains access to the root account as well
 
 
 
To secure {{ic|ssmtp.conf}}, do this:
 
 
 
Create an {{ic|ssmtp}} group:
 
# groupadd ssmtp
 
 
 
Set ssmtp.conf group owner to the new {{ic|ssmtp}} group:
 
# chown :ssmtp /etc/ssmtp/ssmtp.conf
 
 
 
Set the group owner of the ''ssmtp'' binary to the new {{ic|ssmtp}} group:
 
# chown :ssmtp /usr/bin/ssmtp
 
 
 
Make sure only root, and the {{ic|ssmtp}} group can access {{ic|ssmtp.conf}}:
 
# chmod 640 /etc/ssmtp/ssmtp.conf
 
 
 
Set the SGID bit on the ''ssmtp'' binary.
 
# chmod g+s /usr/bin/ssmtp
 
 
 
Finally add a pacman hook to always set the file permissions on {{ic|/usr/bin/ssmtp}} after the package has been upgraded:
 
 
 
{{hc|/root/bin/ssmtp-set-permissions|
 
<nowiki>#!/bin/bash
 
 
 
chown :ssmtp /usr/bin/ssmtp
 
chmod g+s /usr/bin/ssmtp
 
</nowiki>}}
 
 
 
Make the file executable:
 
# chmod u+x /root/bin/ssmtp-set-permissions
 
 
 
Now add the pacman hook:
 
{{hc|/usr/share/libalpm/hooks/ssmtp-set-permissions.hook|
 
<nowiki>[Trigger]
 
Operation = Install
 
Operation = Upgrade
 
Type = Package
 
Target = ssmtp
 
 
 
[Action]
 
Description = Set ssmtp permissions for security
 
When = PostTransaction
 
Exec = /root/bin/set-ssmtp-permissions</nowiki>}}
 
 
 
Now, all the regular users can still send email using the terminal, but none can read the {{ic|ssmtp.conf}} file.
 
  
 
==Sending email==
 
==Sending email==
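Review bot: the replacement Security paragraph omits the version qualifier that the edit summary gives ("As of ssmtp 2.64-12") and offers nothing to readers who already applied the removed steps. Those systems still have the custom ssmtp group, the changed group owner on /usr/bin/ssmtp and /etc/ssmtp/ssmtp.conf, and the hook at /usr/share/libalpm/hooks/ssmtp-set-permissions.hook. Suggest stating the package version in the paragraph and adding one sentence on removing the hook, the helper script and the group. Note also that the removed hook's Exec line points at /root/bin/set-ssmtp-permissions while the script was created as /root/bin/ssmtp-set-permissions, so the two paths never matched.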

Revision as of 17:16, 13 March 2018

SSMTP is a program which delivers email from a local computer to a configured mailhost (mailhub). It is not a mail server (like the feature-rich mail server sendmail) and does not receive mail, expand aliases or manage a queue. One of its primary uses is forwarding automated email (such as system alerts) off your machine to an external email address.

ssmtp is unmaintained. Consider using something like msmtp instead.

Installation

Install the package ssmtp.

Forward to a Gmail mail server

To configure SSMTP, you will have to edit its configuration file (/etc/ssmtp/ssmtp.conf) and enter your account settings.

If your Gmail account is secured with two-factor authentication, you need to generate a unique App Password to use in ssmtp.conf. You can do so on your App Passwords page. Use the generated 16-character password in the AuthPass line. Spaces in the password can be omitted.

/etc/ssmtp/ssmtp.conf

# The user that gets all the mails (UID < 1000, usually the admin)
root=username@gmail.com

# The mail server (where the mail is sent to), both port 465 or 587 should be acceptable
# See also https://support.google.com/mail/answer/78799
mailhub=smtp.gmail.com:587

# The address where the mail appears to come from for user authentication.
rewriteDomain=gmail.com

# The full hostname. Must be a correctly formed, fully qualified domain name or Gmail will reject the connection.
hostname=yourlocalhost.yourlocaldomain.tld

# Use SSL/TLS before starting negotiation
UseTLS=Yes
UseSTARTTLS=Yes

# Username/Password
AuthUser=username
AuthPass=password
AuthMethod=LOGIN

# Email 'From' headers can override the default domain?
FromLineOverride=yes
Note: The configuration shown is an example for Gmail; you may have to use other settings. If it does not work as expected, read the ssmtp(8) man page.

Create aliases for local usernames (optional)

/etc/ssmtp/revaliases
root:username@gmail.com:smtp.gmail.com:587
mainuser:username@gmail.com:smtp.gmail.com:587

To test whether the Gmail server will properly forward your email:

$ echo test | mail -v -s "testing ssmtp setup" tousername@somedomain.com
Note:

The factual accuracy of this article or section is disputed.

Reason: "Recently"? [1] and [2]. (Discuss in Talk:SSMTP#)
Gmail has recently started blocking emails from senders that do not authenticate using OAuth. To allow SSMTP to use Gmail's SMTP server, you need to allow access to unsecure apps.

Change the 'From' text by editing /etc/passwd to receive mail from 'root at myhost' instead of just 'root'.

# chfn -f 'root at myhost' root
# chfn -f 'mainuser at myhost' mainuser

Which changes /etc/passwd to:

$ grep myhostname /etc/passwd
root:x:0:0:root@myhostname,,,:/root:/bin/bash
mainuser:x:1000:1000:mainuser@myhostname,,,:/home/mainuser:/bin/bash

Security

Because your email password is stored as cleartext in /etc/ssmtp/ssmtp.conf, it is important that this file is secure. By default, the entire /etc/ssmtp directory is accessible only by root and the mail group. The /usr/bin/ssmtp binary runs as the mail group and can read this file. There is no reason to add yourself or other users to the mail group.
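The following audit script is an added example, not part of the ArchWiki page or the ssmtp package. It checks the state this section describes: nothing under /etc/ssmtp is accessible to other users, the binary is setgid to the mail group, and no user has been added to that group. The function name audit_ssmtp, its parameters and the --run switch are assumptions made for the example; it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not ArchWiki code): audit the permissions described above.
# audit_ssmtp [CONF_DIR] [BINARY] [GROUP] [GROUP_FILE]
# The function name and its parameters are assumptions for this example;
# the defaults are the paths and the group named on the page.
# Prints one finding per line; exit status 0 means no findings.
audit_ssmtp() (
    dir=${1:-/etc/ssmtp}; bin=${2:-/usr/bin/ssmtp}
    grp=${3:-mail};       group_file=${4:-/etc/group}
    findings=0
    report() { echo "FINDING: $*"; findings=$((findings + 1)); }

    [ -d "$dir" ] || report "$dir: configuration directory missing"
    for path in "$dir" "$dir"/*; do
        [ -e "$path" ] || continue
        mode=$(stat -c '%a' "$path")
        # Lowest octal digit = permissions for "other"; any bit set there
        # lets every local account reach the cleartext AuthPass.
        [ $((0$mode & 7)) -eq 0 ] || report "$path: mode $mode grants access to other users"
        [ "$(stat -c '%G' "$path")" = "$grp" ] || report "$path: group is not $grp"
    done

    # The binary must be setgid GROUP so unprivileged users can send mail
    # without being able to read the configuration themselves.
    if [ -f "$bin" ]; then
        [ -g "$bin" ] || report "$bin: setgid bit not set"
        [ "$(stat -c '%G' "$bin")" = "$grp" ] || report "$bin: group is not $grp"
    else
        report "$bin: binary missing"
    fi

    # Supplementary members of GROUP can read the password directly.
    # Only the local group file is parsed (no LDAP/NSS sources).
    members=$(awk -F: -v g="$grp" '$1 == g { print $4 }' "$group_file")
    [ -z "$members" ] || report "group $grp has members: $members"

    [ "$findings" -eq 0 ]
)

# Run against the real system only when asked to, e.g.: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_ssmtp; fi
```

Run it as root so that every file under /etc/ssmtp can be inspected.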

Sending email

To send email from the terminal, do:

$ echo "this is the body" | mail -s "Subject" username@somedomain.com

or interactively as:

$ mail username@somedomain.com
Note: When using mail interactively, after typing the Subject and hitting enter, you type the body. Hit Ctrl+d on a blank line to end your message and automatically send it out.

An alternative method for sending emails is to create a text file and send it with ssmtp or mail:

test-mail.txt
To:username@somedomain.com
From:youraccount@gmail.com
Subject: Test

This is a test mail.

Send the test-mail.txt file:

$ mail username@somedomain.com < test-mail.txt

Attachments

If you need to be able to add attachments, install and configure Mutt and Msmtp and then go see the tip at nixcraft.

Alternatively, you can attach using uuencode:

$ uuencode file.txt file.txt | mail user@domain.com

References