Difference between revisions of "SSMTP"

From ArchWiki
Jump to: navigation, search
(wikify some external links, use https for archlinux.org)
(Security: Add instructions for pacman hook setting permissions)
 
(34 intermediate revisions by 19 users not shown)
Line 1: Line 1:
[[Category:Mail Server]]
+
[[Category:Mail server]]
{{Note|This program still works as of 11-14-2009 but note that SSMTP is no longer being developed.  You might want to consider an alternative like [[MSMTP]].}}
+
[[ja:SSMTP]]
{{Note|22 Feb 2010: SSMTP seems to be maintained. SSMTP 2.6.4-1 was put in the Arch Linux packages at 2009-11-26. And in Debian unstable version 2.6.4-3 was put in their unstable repository on 2010-02-09 and move to testing just 10 days later: http://packages.qa.debian.org/s/ssmtp.html}}
+
SSMTP is a program which delivers email from a local computer to a configured mailhost (mailhub). It is not a mail server (like feature-rich mail server [[sendmail]]) and does not receive mail, expand aliases or manage a queue. One of its primary uses is for forwarding automated email (like system alerts) off your machine and to an external email address.
  
SSMTP is a program to deliver an email from a local computer to a configured mailhost (mailhub). It is not a mail server (like feature-rich mail server sendmail) and does not receive mail, expand aliases or manage a queue.  One of its primary uses is for forwarding automated email (like system alerts) off your machine and to an external email address.
+
ssmtp is unmaintained. Consider using something like [[msmtp]] instead.
  
 
==Installation==
 
==Installation==
To install SSMTP:
+
[[Install]] the package {{Pkg|ssmtp}}.
pacman -S ssmtp
 
  
==Forward to a Gmail Mail Server==
+
==Forward to a Gmail mail server==
To configure SSMTP, you will have to edit its configuration file ({{ic|/etc/ssmtp/ssmtp.conf}}) and enter your account settings:
+
To configure SSMTP, you will have to edit its configuration file ({{ic|/etc/ssmtp/ssmtp.conf}}) and enter your account settings
{{bc|<nowiki>
+
 
 +
If your Gmail account is secured with two-factor authentication, you need to generate a unique [https://support.google.com/mail/answer/185833 App Password] to use in {{ic|ssmtp.conf}}. You can do so on your [https://security.google.com/settings/security/apppasswords App Passwords] page. Use the generated 16-character password in the {{ic|AuthPass}} line. Spaces in the password can be omitted.
 +
 
 +
{{hc|/etc/ssmtp/ssmtp.conf|
 +
<nowiki>
 
# The user that gets all the mails (UID < 1000, usually the admin)
 
# The user that gets all the mails (UID < 1000, usually the admin)
 
root=username@gmail.com
 
root=username@gmail.com
  
 
# The mail server (where the mail is sent to), both port 465 or 587 should be acceptable
 
# The mail server (where the mail is sent to), both port 465 or 587 should be acceptable
# See also http://mail.google.com/support/bin/answer.py?answer=78799
+
# See also https://support.google.com/mail/answer/78799
 
mailhub=smtp.gmail.com:587
 
mailhub=smtp.gmail.com:587
  
# The address where the mail appears to come from for user authentification.
+
# The address where the mail appears to come from for user authentication.
 
rewriteDomain=gmail.com
 
rewriteDomain=gmail.com
  
# The full hostname
+
# The full hostname.  Must be correctly formed, fully qualified domain name or GMail will reject connection.
hostname=localhost
+
hostname=yourlocalhost.yourlocaldomain.tld
  
# Use SSL/TLS before starting negotiation  
+
# Use SSL/TLS before starting negotiation
 
UseTLS=Yes
 
UseTLS=Yes
 
UseSTARTTLS=Yes
 
UseSTARTTLS=Yes
Line 32: Line 35:
 
AuthUser=username
 
AuthUser=username
 
AuthPass=password
 
AuthPass=password
 +
AuthMethod=LOGIN
  
 
# Email 'From header's can override the default domain?
 
# Email 'From header's can override the default domain?
Line 37: Line 41:
 
</nowiki>}}
 
</nowiki>}}
  
Change the file permissions of {{ic|/etc/ssmtp/ssmtp.conf}} because the password is printed in plain text (so that other users on your system cannot see your Gmail password).
+
{{note|Take note, that the shown configuration is an example for Gmail, You may have to use other settings. If it is not working as expected read the man page {{ic|man 8 ssmtp}}, please.}}
{{bc|chmod 640 /etc/ssmtp/ssmtp.conf}}
 
 
 
Change the config file group to mail to avoid "/etc/ssmtp/ssmtp.conf not found" error.
 
{{bc|chown root:mail /etc/ssmtp/ssmtp.conf}}
 
 
 
Users who can send mail need to belong to "mail" group (must log out and log back in for changes to be used).
 
{{bc|gpasswd -a mainuser mail}}
 
  
Create aliases for local usernames
+
Create aliases for local usernames (optional)
 
{{hc|/etc/ssmtp/revaliases|root:username@gmail.com:smtp.gmail.com:587
 
{{hc|/etc/ssmtp/revaliases|root:username@gmail.com:smtp.gmail.com:587
 
mainuser:username@gmail.com:smtp.gmail.com:587}}
 
mainuser:username@gmail.com:smtp.gmail.com:587}}
  
 
To test whether the Gmail server will properly forward your email:
 
To test whether the Gmail server will properly forward your email:
{{bc|<nowiki>echo test | mail -v -s "testing ssmtp setup" username@somedomain.com</nowiki>}}
+
{{bc|<nowiki>$ echo test | mail -v -s "testing ssmtp setup" tousername@somedomain.com</nowiki>}}
  
If you receive the error {{bc|send-mail: Cannot open mailhub:25}} be sure the user is a member of the "mail" group.
+
{{note|{{Accuracy|"Recently"? [https://googleonlinesecurity.blogspot.de/2014/04/new-security-measures-will-affect-older.html] and [http://www.ghacks.net/2014/07/21/gmail-starts-block-less-secure-apps-enable-access/].}}
 +
Gmail has recently started blocking emails from senders that do not authenticate using OAuth.  To allow SSMTP to use gmail's SMTP server, you need to [https://support.google.com/accounts/answer/6010255 allow access to unsecure apps].}}
  
Change the 'From' text by editing {{ic|/etc/passwd}} to receive mail from 'root@myhostname' instead of just 'root'.
+
Change the 'From' text by editing {{ic|/etc/passwd}} to receive mail from 'root at myhost' instead of just 'root'.
{{bc|chfn -f root@myhostname root
+
{{bc|# chfn -f 'root at myhost' root
chfn -f mainuser@myhostname mainuser}}
+
# chfn -f 'mainuser at myhost' mainuser}}
 
Which changes {{ic|/etc/passwd}} to:
 
Which changes {{ic|/etc/passwd}} to:
{{hc|grep myhostname /etc/passwd|root:x:0:0:root@myhostname,,,:/root:/bin/bash
+
{{hc|$ grep myhostname /etc/passwd|root:x:0:0:root@myhostname,,,:/root:/bin/bash
 
mainuser:x:1000:1000:mainuser@myhostname,,,:/home/mainuser:/bin/bash}}
 
mainuser:x:1000:1000:mainuser@myhostname,,,:/home/mainuser:/bin/bash}}
  
An alternate method for sending emails is to create a text file and send it with 'ssmtp' or 'mail'
+
==Security==
 +
Because your email password is stored as cleartext in {{ic|/etc/ssmtp/ssmtp.conf}}, it is important to secure the file.
 +
Securing ssmtp.conf will ensure that:
 +
*if any users have unprivileged access to your system, they cannot read the file and see your email password, while still letting them send out email
 +
*if your user account is ever compromised, the hacker cannot read the {{ic|ssmtp.conf}} file, and therefore your email password, unless he gains access to the root account as well
 +
 
 +
To secure {{ic|ssmtp.conf}}, do this:
 +
 
 +
Create an {{ic|ssmtp}} group:
 +
# groupadd ssmtp
 +
 
 +
Set ssmtp.conf group owner to the new {{ic|ssmtp}} group:
 +
# chown :ssmtp /etc/ssmtp/ssmtp.conf
 +
 
 +
Set the group owner of the ''ssmtp'' binary to the new {{ic|ssmtp}} group:
 +
# chown :ssmtp /usr/bin/ssmtp
 +
 
 +
Make sure only root, and the {{ic|ssmtp}} group can access {{ic|ssmtp.conf}}:
 +
# chmod 640 /etc/ssmtp/ssmtp.conf
 +
 
 +
Set the SGID bit on the ''ssmtp'' binary.
 +
# chmod g+s /usr/bin/ssmtp
 +
 
 +
Finally add a pacman hook to always set the file permissions on {{ic|/usr/bin/ssmtp}} after the package has been upgraded:
 +
 
 +
{{hc|/root/bin/ssmtp-set-permissions|
 +
<nowiki>#!/bin/bash
 +
 
 +
chown :ssmtp /usr/bin/ssmtp
 +
chmod g+s /usr/bin/ssmtp
 +
</nowiki>}}
 +
 
 +
Make the file executable:
 +
# chmod u+x /root/bin/ssmtp-set-permissions
 +
 
 +
Now add the pacman hook:
 +
{{hc|/usr/share/libalpm/hooks/ssmtp-set-permissions.hook|
 +
<nowiki>[Trigger]
 +
Operation = Install
 +
Operation = Upgrade
 +
Type = Package
 +
Target = ssmtp
 +
 
 +
[Action]
 +
Description = Set ssmtp permissions for security
 +
When = PostTransaction
 +
Exec = /root/bin/set-ssmtp-permissions</nowiki>}}
 +
 
 +
Now, all the regular users can still send email using the terminal, but none can read the {{ic|ssmtp.conf}} file.
 +
 
 +
==Sending email==
 +
To send email from the terminal, do:
 +
 
 +
$ echo "this is the body" | mail -s "Subject" username@somedomain.com
 +
or interactively as:
 +
$ mail username@somedomain.com
 +
 
 +
{{Note|When using mail interactively, after typing the Subject and hitting enter, you type the body.
 +
Hit {{ic|Ctrl}}+{{ic|d}} on a blank line to end your message and automatically send it out.}}
 +
 
 +
An alternate method for sending emails is to create a text file and send it with ''ssmtp'' or ''mail''
 
{{hc|test-mail.txt|To:username@somedomain.com
 
{{hc|test-mail.txt|To:username@somedomain.com
 
From:youraccount@gmail.com
 
From:youraccount@gmail.com
Line 70: Line 128:
  
 
Send the {{ic|test-mail.txt}} file
 
Send the {{ic|test-mail.txt}} file
{{bc|mail username@somedomain.com < test-mail.txt}}
+
$ mail username@somedomain.com < test-mail.txt
  
 
===Attachments===
 
===Attachments===
This method does not work with attachments. If you need to be able to add attachments, install and configure [[Mutt]] and [[Msmtp]] and then go see the tip at [http://www.cyberciti.biz/tips/sending-mail-with-attachment.html nixcraft].
+
If you need to be able to add attachments, install and configure [[Mutt]] and [[Msmtp]] and then go see the tip at [http://www.cyberciti.biz/tips/sending-mail-with-attachment.html nixcraft].
 +
 
 +
Alternatively, you can attach using ''uuencode'':
 +
$ uuencode file.txt file.txt | mail user@domain.com
  
 
==References==
 
==References==
Line 79: Line 140:
 
*[http://tombuntu.com/index.php/2008/10/21/sending-email-from-your-system-with-ssmtp/ Sending Email From Your System with sSMTP]
 
*[http://tombuntu.com/index.php/2008/10/21/sending-email-from-your-system-with-ssmtp/ Sending Email From Your System with sSMTP]
 
*[http://www.scottro.net/qnd/qnd-ssmtp.html The Qnd Guide to ssmtp]
 
*[http://www.scottro.net/qnd/qnd-ssmtp.html The Qnd Guide to ssmtp]
*[http://mail.google.com/support/bin/answer.py?answer=78799 GMail Support - Configuring other mail clients]
+
*[https://support.google.com/mail/answer/78799 GMail Support - Configuring other mail clients]

Latest revision as of 09:12, 8 July 2017

SSMTP is a program which delivers email from a local computer to a configured mailhost (mailhub). It is not a mail server (like feature-rich mail server sendmail) and does not receive mail, expand aliases or manage a queue. One of its primary uses is for forwarding automated email (like system alerts) off your machine and to an external email address.

ssmtp is unmaintained. Consider using something like msmtp instead.

Installation

Install the package ssmtp.

Forward to a Gmail mail server

To configure SSMTP, you will have to edit its configuration file (/etc/ssmtp/ssmtp.conf) and enter your account settings.

If your Gmail account is secured with two-factor authentication, you need to generate a unique App Password to use in ssmtp.conf. You can do so on your App Passwords page. Use the generated 16-character password in the AuthPass line. Spaces in the password can be omitted. 

/etc/ssmtp/ssmtp.conf

# The user that gets all the mails (UID < 1000, usually the admin)
root=username@gmail.com

# The mail server (where the mail is sent to), both port 465 or 587 should be acceptable
# See also https://support.google.com/mail/answer/78799
mailhub=smtp.gmail.com:587

# The address where the mail appears to come from for user authentication.
rewriteDomain=gmail.com

# The full hostname.  Must be correctly formed, fully qualified domain name or GMail will reject connection.
hostname=yourlocalhost.yourlocaldomain.tld

# Use SSL/TLS before starting negotiation
UseTLS=Yes
UseSTARTTLS=Yes

# Username/Password
AuthUser=username
AuthPass=password
AuthMethod=LOGIN

# Email 'From header's can override the default domain?
FromLineOverride=yes
Note: Take note, that the shown configuration is an example for Gmail, You may have to use other settings. If it is not working as expected read the man page man 8 ssmtp, please.

Create aliases for local usernames (optional) 

/etc/ssmtp/revaliases
root:username@gmail.com:smtp.gmail.com:587
mainuser:username@gmail.com:smtp.gmail.com:587

To test whether the Gmail server will properly forward your email: 

$ echo test | mail -v -s "testing ssmtp setup" tousername@somedomain.com
Note:

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: "Recently"? [1] and [2]. (Discuss in Talk:SSMTP#)
Gmail has recently started blocking emails from senders that do not authenticate using OAuth. To allow SSMTP to use gmail's SMTP server, you need to allow access to unsecure apps.

Change the 'From' text by editing /etc/passwd to receive mail from 'root at myhost' instead of just 'root'. 

# chfn -f 'root at myhost' root
# chfn -f 'mainuser at myhost' mainuser

Which changes /etc/passwd to: 

$ grep myhostname /etc/passwd
root:x:0:0:root@myhostname,,,:/root:/bin/bash
mainuser:x:1000:1000:mainuser@myhostname,,,:/home/mainuser:/bin/bash

Security

Because your email password is stored as cleartext in /etc/ssmtp/ssmtp.conf, it is important to secure the file. Securing ssmtp.conf will ensure that:

  • if any users have unprivileged access to your system, they cannot read the file and see your email password, while still letting them send out email
  • if your user account is ever compromised, the hacker cannot read the ssmtp.conf file, and therefore your email password, unless he gains access to the root account as well

To secure ssmtp.conf, do this:

Create an ssmtp group: 

# groupadd ssmtp

Set ssmtp.conf group owner to the new ssmtp group: 

# chown :ssmtp /etc/ssmtp/ssmtp.conf

Set the group owner of the ssmtp binary to the new ssmtp group: 

# chown :ssmtp /usr/bin/ssmtp

Make sure only root, and the ssmtp group can access ssmtp.conf: 

# chmod 640 /etc/ssmtp/ssmtp.conf

Set the SGID bit on the ssmtp binary. 

# chmod g+s /usr/bin/ssmtp

Finally add a pacman hook to always set the file permissions on /usr/bin/ssmtp after the package has been upgraded: 

/root/bin/ssmtp-set-permissions
#!/bin/bash

chown :ssmtp /usr/bin/ssmtp
chmod g+s /usr/bin/ssmtp

Make the file executable: 

# chmod u+x /root/bin/ssmtp-set-permissions

Now add the pacman hook: 

/usr/share/libalpm/hooks/ssmtp-set-permissions.hook
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = ssmtp

[Action]
Description = Set ssmtp permissions for security
When = PostTransaction
Exec = /root/bin/set-ssmtp-permissions

Now, all the regular users can still send email using the terminal, but none can read the ssmtp.conf file.

Sending email

To send email from the terminal, do: 

$ echo "this is the body" | mail -s "Subject" username@somedomain.com

or interactively as: 

$ mail username@somedomain.com
Note: When using mail interactively, after typing the Subject and hitting enter, you type the body. Hit Ctrl+d on a blank line to end your message and automatically send it out.

An alternate method for sending emails is to create a text file and send it with ssmtp or mail 

test-mail.txt
To:username@somedomain.com
From:youraccount@gmail.com
Subject: Test

This is a test mail.

Send the test-mail.txt file 

$ mail username@somedomain.com < test-mail.txt

Attachments

If you need to be able to add attachments, install and configure Mutt and Msmtp and then go see the tip at nixcraft.

Alternatively, you can attach using uuencode: 

$ uuencode file.txt file.txt | mail user@domain.com

References

Retrieved from "https://wiki.archlinux.org/index.php?title=SSMTP&oldid=481489"