MSMTP(1)                    General Commands Manual                   MSMTP(1)

NAME

       msmtp - An SMTP client

SYNOPSIS

       Sendmail mode (default):
              msmtp [option...] [--] recipient...
              msmtp [option...] -t [--] [recipient...]

       Configuration mode:
              msmtp --configure <mailaddress>

       Server information mode:
              msmtp [option...] --serverinfo

       Remote Message Queue Starting mode:
              msmtp [option...] --rmqs=host|@domain|#queue

DESCRIPTION

       In the default sendmail mode, msmtp reads a mail from standard input
       and sends it to an SMTP server for delivery.
       In server information mode, msmtp prints information about an SMTP
       server.
       In Remote Message Queue Starting mode, msmtp sends a Remote Message
       Queue Starting request for a host, domain, or queue to an SMTP server.

EXIT STATUS

       The standard sendmail exit status codes are used, as defined in
       sysexits.h.

OPTIONS

       Options override configuration file settings.
       They are compatible with sendmail where appropriate.

       General options

              --version
                     Print version information, including information about
                     the libraries used.

              --help Print help.

              -P, --pretend
                     Print the configuration settings that would be used, but
                     do not take further action. An asterisk (`*') will be
                     printed instead of your password.

              -v, -d, --debug
                     Print lots of debugging information, including the whole
                     conversation with the SMTP server. Be careful with this
                     option: the (potentially dangerous) output will not be
                     sanitized, and your password may get printed in an easily
                     decodable format!

       Changing the mode of operation

              --configure=mailaddress
                     Generate a configuration for the given mail address and
                     print it. This can be modified or copied unchanged to the
                     configuration file. Note that this only works for mail
                     domains that publish appropriate SRV records; see RFC
                     8314.

              -S, --serverinfo
                     Print information about the SMTP server and exit. This
                     includes information about supported features (mail size
                     limit, authentication, TLS, DSN, ...) and about the TLS
                     certificate (if TLS is active).

              --rmqs=(host|@domain|#queue)
                     Send a Remote Message Queue Starting request for the
                     given host, domain, or queue to the SMTP server and exit.

       Configuration options

              -C, --file=filename
                     Use the given file instead of ~/.msmtprc or
                     $XDG_CONFIG_HOME/msmtp/config as the user configuration
                     file.

              -a, --account=account_name
                     Use the given account instead of the account named
                     "default". The settings of this account may be changed
                     with command line options. This option cannot be used
                     together with the --host option.

              --host=hostname
                     Use this SMTP server with settings from the command line;
                     do not use any configuration file data. This option
                     cannot be used together with the --account option.

              --port=number
                     Set the port number to connect to. See the port command.

              --source-ip=[IP]
                     Set or unset an IP address to bind the socket to. See the
                     source_ip command.

              --proxy-host=[IP|hostname]
                     Set or unset a SOCKS proxy to use. See the proxy_host
                     command.

              --proxy-port=[number]
                     Set or unset a port number for the proxy host. See the
                     proxy_port command.

              --socket=[socketname]
                     Set or unset a local unix domain socket name to connect
                     to. See the socket command.

              --timeout=(off|seconds)
                     Set or unset a network timeout, in seconds. See the
                     timeout command.

              --protocol=(smtp|lmtp)
                     Set the protocol. See the protocol command.

              --domain=[string]
                     Set the argument of the SMTP EHLO (or LMTP LHLO) command.
                     See the domain command.

              --auth[=(on|off|method)]
                     Enable or disable authentication and optionally choose
                     the method. See the auth command.

              --user=[username]
                     Set or unset the user name for authentication. See the
                     user command.

              --passwordeval=[eval]
                     Evaluate password for authentication. See the
                     passwordeval command.

              --tls[=(on|off)]
                     Enable or disable TLS/SSL. See the tls command.

              --tls-starttls[=(on|off)]
                     Enable or disable STARTTLS for TLS. See the tls_starttls
                     command.

              --tls-trust-file=[file]
                     Set or unset a trust file for TLS. See the tls_trust_file
                     command.

              --tls-crl-file=[file]
                     Set or unset a certificate revocation list (CRL) file for
                     TLS. See the tls_crl_file command.

              --tls-fingerprint=[fingerprint]
                     Set or unset the fingerprint of a trusted TLS
                     certificate. See the tls_fingerprint command.

              --tls-key-file=[file]
                     Set or unset a key file for TLS. See the tls_key_file
                     command.

              --tls-cert-file=[file]
                     Set or unset a cert file for TLS. See the tls_cert_file
                     command.

              --tls-certcheck[=(on|off)]
                     Enable or disable server certificate checks for TLS. See
                     the tls_certcheck command.

              --tls-min-dh-prime-bits=[bits]
                     Set or unset minimum bit size of the Diffie-Hellman (DH)
                     prime. See the tls_min_dh_prime_bits command.

              --tls-priorities=[priorities]
                     Set or unset TLS priorities. See the tls_priorities
                     command.

              --tls-host-override=[host]
                     Set or unset override for TLS host verification. See the
                     tls_host_override command.

       Options specific to sendmail mode

              -f, --from=address
                     Set the envelope-from address.
                     If no account was chosen yet (with --account or --host),
                     this option will choose the first account that has the
                     given envelope-from address (set with the from command).
                     If no such account is found, "default" is used.
                     See the from command for substitution patterns supported
                     in address.

              -N, --dsn-notify=(off|cond)
                     Set or unset DSN notification conditions. See the
                     dsn_notify command.

              -R, --dsn-return=(off|ret)
                     Set or unset the DSN notification amount. See the
                     dsn_return command. Note that hdrs is accepted as an
                     alias for headers to be compatible with sendmail.

              --set-from-header[=(auto|on|off)]
                     Set From header handling. See the set_from_header
                     command.

              --set-date-header[=(auto|off)]
                     Set Date header handling. See the set_date_header
                     command.

              --remove-bcc-headers[=(on|off)]
                     Enable or disable the removal of Bcc headers. See the
                     remove_bcc_headers command.

              -X, --logfile=[file]
                     Set or unset the log file. See the logfile command.

              --logfile-time-format=[fmt]
                     Set or unset the log file time format. See the
                     logfile_time_format command.

              --syslog[=(on|off|facility)]
                     Enable or disable syslog logging. See the syslog command.

              -t, --read-recipients
                     Read recipient addresses from the To, Cc, and Bcc headers
                     of the mail in addition to the recipients given on the
                     command line. If any Resent- headers are present, then
                     the addresses from any Resent-To, Resent-Cc, and
                     Resent-Bcc headers in the first block of Resent- headers
                     are used instead.

              --read-envelope-from
                     Read the envelope from address from the From header of
                     the mail.

              --aliases=[file]
                     Set or unset an aliases file. See the aliases command.

              -Fname Msmtp adds a From header to mails that lack it, using the
                     envelope from address. This option allows one to set a
                     full name to be used in that header.

              --auto-from[=(on|off)]
                     Obsolete. See the auto_from command.

              --maildomain=[domain]
                     Obsolete. See the maildomain command.

              --     This marks the end of options. All following arguments
                     will be treated as recipient addresses, even if they
                     start with a `-'.

       The following options are accepted but ignored for sendmail
       compatibility:
       -Btype, -bm, -G, -hN, -i, -L tag, -m, -n, -O option=value, -ox value

USAGE

       A suggestion for a suitable configuration file can be generated using
       the --configure option. Normally, a system wide configuration file
       and/or a user configuration file contain information about which SMTP
       server to use and how to use it, but all settings can also be
       configured on the command line.
       The information about SMTP servers is organized in accounts. Each
       account describes one SMTP server: host name, authentication settings,
       TLS settings, and so on. Each configuration file can define multiple
       accounts.

       The user can choose which account to use in one of three ways:

       --account=id
              Use the given account. Command line settings override
              configuration file settings.

       --host=hostname
              Use only the settings from the command line; do not use any
              configuration file data.

       --from=address or --read-envelope-from
              Choose the first account from the system or user configuration
              file that has a matching envelope-from address as specified by a
              from command. This works only when neither --account nor --host
              is used.

       If none of the above options is used (or if no account has a matching
       from command), then the account "default" is used.

       Msmtp transmits mails unaltered to the SMTP server, with the following
       exceptions:
       - The Bcc header(s) will be removed. This behavior can be changed with
         the remove_bcc_headers command and --remove-bcc-headers option.
       - A From header will be added if the mail does not have one. This can
         be changed with the set_from_header command and --set-from-header
         option. The header will use the envelope from address and optionally
         a full name set with the -F option.
       - A Date header will be added if the mail does not have one. This can
         be changed with the set_date_header command and --set-date-header
         option.

       Skip to the EXAMPLES section for a quick start.

CONFIGURATION FILES

299       If  it  exists  and  is  readable,  a  system  wide  configuration file
300       SYSCONFDIR/msmtprc will be loaded, where  SYSCONFDIR  depends  on  your
301       platform.  Use --version to find out which directory is used.
302       If  it exists and is readable, a user configuration file will be loaded
303       (~/.msmtprc will be tried first followed by $XDG_CONFIG_HOME/msmtp/con‐
304       fig  by  default, but see --version). Accounts defined in the user con‐
305       figuration file override accounts from the system configuration file.
306       Configuration data from either file can  be  changed  by  command  line
307       options.
308
309       A  configuration  file  is a simple text file.  Empty lines and comment
310       lines (whose first non-blank character is `#') are ignored.
311       Every other line must contain a command and may contain an argument  to
312       that command.
313       The  argument  may be enclosed in double quotes ("), for example if its
314       first or last character is a blank.
315       If a file name starts with the tilde (~), this tilde will  be  replaced
316       by  $HOME.   If  a  command accepts the argument on, it also accepts an
317       empty argument and treats that as if it was on.
318       Commands are organized  in  accounts.  Each  account  starts  with  the
319       account command and defines the settings for one SMTP account.
320
321       Skip to the EXAMPLES section for a quick start.
322
323       Commands are as follows:
324
325       defaults
326              Set  defaults.  The  following  configuration  commands will set
327              default values for all following account definitions in the cur‐
328              rent configuration file.
329
330       account name [:account[,...]]
331              Start  a new account definition with the given name. The current
332              default values are filled in.
333              If a colon and a list of previously defined  accounts  is  given
334              after  the  account  name,  the  new account, with the filled in
335              default values, will inherit all settings from the  accounts  in
336              the list.
337
338       host hostname
339              The SMTP server to send the mail to.  The argument may be a host
340              name or a network address.  Every account definition  must  con‐
341              tain this command.
342
343       port number
344              The  port  that  the  SMTP server listens on.  The default is 25
345              ("smtp"), unless TLS without STARTTLS is used, in which case  it
346              is 465 ("smtps").
347
348       source_ip [IP]
349              Set a source IP address to bind the outgoing connection to. Use‐
350              ful only in special cases on multi-home systems. An empty  argu‐
351              ment disables this.
352
353       proxy_host [IP|hostname]
354              Use  a  SOCKS  proxy.  All  network traffic will go through this
355              proxy host, including DNS queries, except for a DNS  query  that
356              might  be  necessary to resolve the proxy host name itself (this
357              can be avoided by using an IP address as proxy  host  name).  An
358              empty  hostname  argument  disables  proxy usage.  The supported
359              SOCKS protocol version is 5. If you want to use this  with  Tor,
360              see also "Using msmtp with Tor" below.
361
362       proxy_port [number]
363              Set the port number for the proxy host. An empty number argument
364              resets this to the default port.
365
366       socket socketname
367              Set the file name of a unix domain socket to  connect  to.  This
368              overrides both host/port and proxy_host/proxy_port.
369
370       timeout (off|seconds)
371              Set  or  unset  a  network timeout, in seconds. The argument off
372              means that no timeout will be set, which means that the  operat‐
373              ing system default will be used.
374
375       protocol (smtp|lmtp)
376              Set  the  protocol to use. Currently only SMTP and LMTP are sup‐
377              ported. SMTP is the default. See  the  port  command  above  for
378              default ports.
379
380       domain argument
381              Use  this  command to set the argument of the SMTP EHLO (or LMTP
382              LHLO) command.  The default is localhost, which  is  stupid  but
383              usually  works.  Try to change the default if mails get rejected
384              due to anti-SPAM measures. Possible choices are the domain  part
385              of your mail address (provider.example for joe@provider.example)
386              or the fully qualified domain name of your host (if available).
387
388       auth [(on|off|method)]
389              Enable or disable authentication and optionally choose a  method
390              to use. The argument on chooses a method automatically.
391              Usually  a user name and a password are used for authentication.
392              The user name is specified in the configuration  file  with  the
393              user  command.  There  are five different methods to specify the
394              password:
395              1. Add the password to the system key ring.  Currently supported
396              key rings are the Gnome key ring and the Mac OS X Keychain.  For
397              the Gnome key ring, use the command secret-tool (part of Gnome's
398              libsecret)  to  store passwords: secret-tool store --label=msmtp
399              host mail.freemail.example service smtp user joe.smith.  On  Mac
400              OS  X, use the following command: security add-internet-password
401              -s mail.freemail.example -r smtp -a joe.smith -w.  In both exam‐
402              ples,  replace  mail.freemail.example with the SMTP server name,
403              and joe.smith with your user name.
404              2. Store the password in an encrypted files, and use  passworde‐
405              val to specify a command to decrypt that file, e.g. using GnuPG.
406              See EXAMPLES.
407              3. Store the password in the configuration file using the  pass‐
408              word  command.   (Usually  it  is  not considered a good idea to
409              store passwords in cleartext files.  If you do  it  anyway,  you
410              must make sure that the file can only be read by yourself.)
411              4. Store the password in ~/.netrc. This method is probably obso‐
412              lete.
413              5. Type the password into the terminal when it is required.
414              It is recommended to use method 1 or 2.
415              Multiple authentication methods exist. Most servers support only
416              some  of  them.  Historically, sophisticated methods were devel‐
417              oped to protect passwords from being  sent  unencrypted  to  the
418              server,  but  nowadays everybody needs TLS anyway, so the simple
419              methods suffice since the whole session is protected. A suitable
420              authentication  method  is chosen automatically, and when TLS is
421              disabled for some reason, only methods that avoid sending clear‐
422              text passwords are considered.
423              The  following  user  / password methods are supported: plain (a
424              simple cleartext method,  with  base64  encoding,  supported  by
425              almost all servers), scram-sha-1 (a method that avoids cleartext
426              passwords), cram-md5 (an obsolete method that  avoids  cleartext
427              passwords, but is not considered secure anymore), digest-md5 (an
428              overcomplicated obsolete method that avoids cleartext passwords,
429              but  is  not  considered  secure anymore), login (a non-standard
430              cleartext method similar to but worse than  the  plain  method),
431              ntlm (an obscure non-standard method that is now considered bro‐
432              ken; it sometimes requires a special domain parameter passed via
433              ntlmdomain).
434              There  are  currently  three authentication methods that are not
435              based on user / password information and have to be chosen manu‐
436              ally:  oauthbearer  (an  OAuth2  token from the mail provider is
437              used as the  password.   See  the  documentation  of  your  mail
438              provider  for details on how to get this token. The passwordeval
439              command can be used to pass the regularly changing  tokens  into
440              msmtp  from  a script or an environment variable), external (the
441              authentication happens outside of  the  protocol,  typically  by
442              sending a TLS client certificate, and the method merely confirms
443              that this authentication succeeded), and  gssapi  (the  Kerberos
444              framework  takes care of secure authentication, only a user name
445              is required).
446              It depends on the underlying authentication library and its ver‐
447              sion whether a particular method is supported or not. Use --ver‐
448              sion to find out which methods are supported.
449
450       user login
451              Set the user name for authentication. An empty  argument  unsets
452              the user name.
453
454       password secret
455              Set  the  password  for authentication. An empty argument unsets
456              the password.  Consider using the passwordeval command or a  key
457              ring  instead  of this command, to avoid storing cleartext pass‐
458              words in the configuration file.
459
460       passwordeval [eval]
461              Set the password for authentication to the  output  (stdout)  of
462              the  command  eval.   This  can be used e.g. to decrypt password
463              files on the fly or to query key rings, and thus to avoid  stor‐
464              ing cleartext passwords.
465
466       ntlmdomain [domain]
467              Set  a  domain for the ntlm authentication method. This is obso‐
468              lete.
469
470       tls [(on|off)]
471              Enable or disable TLS (also known as SSL)  for  secured  connec‐
472              tions.
473              Transport Layer Security (TLS) "... provides communications pri‐
474              vacy over  the  Internet.   The  protocol  allows  client/server
475              applications to communicate in a way that is designed to prevent
476              eavesdropping,  tampering,  or  message  forgery"  (quote   from
477              RFC2246).
478              A server can use TLS in one of two modes: via a STARTTLS command
479              (the session starts with the normal protocol initialization, and
480              TLS  is  then started using the protocol's STARTTLS command), or
481              immediately (TLS is initialized before the normal protocol  ini‐
482              tialization;  this  requires a separate port). The first mode is
483              the default, but you can switch to the second mode by  disabling
484              tls_starttls.
485              When  TLS is started, the server sends a certificate to identify
486              itself. To verify the  server  identity,  a  client  program  is
487              expected  to  check that the certificate is formally correct and
488              that it was issued by a Certificate Authority (CA) that the user
489              trusts.  (There can also be certificate chains with intermediate
490              CAs.)
491              The list of trusted CAs is specified  using  the  tls_trust_file
492              command.  The default value ist "system" and chooses the system-
493              wide default, but you can also choose the trusted CAs yourself.
494              One practical problem with this approach is that the client pro‐
495              gram  should  also  check  if  the  server  certificate has been
496              revoked for some reason, using  a  Certificate  Revocation  List
497              (CRL).  A  CRL file can be specified using the tls_crl_file com‐
498              mand, but getting the relevant CRL files and keeping them up  to
499              date is not straightforward. You are basically on your own.
500              A  much more serious and fundamental problem is that you need to
501              trust CAs.  Like any other organization, a CA  can  be  incompe‐
502              tent,  malicious,  subverted by bad people, or forced by govern‐
503              ment agencies to compromise end users without telling them.  All
504              of  these things happened and continue to happen worldwide.  The
505              idea to have central organizations that have to be  trusted  for
506              your communication to be secure is fundamentally broken.
507              Instead of putting trust in a CA, you can choose to trust only a
508              single certificate for the server you want to  connect  to.  For
509              that  purpose, specify the certificate fingerprint with tls_fin‐
510              gerprint. This makes sure that no man-in-the-middle can fake the
511              identity  of  the server by presenting you a fraudulent certifi‐
512              cate issued by some CA that happens to be in  your  trust  list.
513              However,  you have to update the fingerprint whenever the server
514              certificate changes, and you have to make sure that  the  change
515              is  legitimate each time, e.g. when the old certificate expired.
516              This is inconvenient, but it's the price to pay.
517              Information about a server  certificate  can  be  obtained  with
518              --serverinfo --tls --tls-certcheck=off. This includes the issuer
519              CA  of  the  certificate  (so  you  can  trust   that   CA   via
520              tls_trust_file),  and the fingerprint of the certificate (so you
521              can trust that particular certificate via tls_fingerprint).
522              TLS also allows the server to verify the identity of the client.
523              For this purpose, the client has to present a certificate issued
524              by a CA that the server trusts. To present that certificate, the
525              client  also  needs  the matching key file. You can set the cer‐
526              tificate and key files  using  tls_cert_file  and  tls_key_file.
527              This  mechanism  can also be used to authenticate users, so that
528              traditional user / password authentication is not necessary any‐
529              more. See the external mechanism in auth.
530              You  can  also  use  client certificates stored on some external
531              authentication  device  by  specifying  GnuTLS  device  URIs  in
532              tls_cert_file  and  tls_key_file.  You can find the correct URIs
533              using p11tool --list-privkeys --login (p11tool is  bundled  with
534              GnuTLS).  If  your device requires a PIN to access the data, you
535              can specify that using one  of  the  password  mechanisms  (e.g.
536              passwordeval, password).
537
538       tls_starttls [(on|off)]
539              Choose  the  TLS variant: start TLS from within the session (on,
540              default), or tunnel the session through TLS (off).
541
542       tls_trust_file file
543              Activate server certificate verification using a list of trusted
544              Certification  Authorities  (CAs).  The  default  is the special
545              value "system", which selects the system default. An empty argu‐
546              ment disables trust in CAs.  If you select a file, it must be in
547              PEM format, and you should also use tls_crl_file.
548
549       tls_crl_file [file]
550              Set a certificate revocation list (CRL) file for TLS,  to  check
551              for revoked certificates. An empty argument disables this.
552
553       tls_fingerprint [fingerprint]
554              Set  the  fingerprint of a single certificate to accept for TLS.
555              This certificate will be  trusted  regardless  of  its  contents
556              (this  overrides  tls_trust_file).  The fingerprint should be of
              type SHA256, but can for backwards compatibility also be of type
              SHA1 or MD5 (please avoid this). The format should be
              01:23:45:67:.... Use --serverinfo --tls --tls-certcheck=off
              --tls-fingerprint= to get the server certificate fingerprint.

       tls_key_file file
              Send a client certificate to the server (use this together with
              tls_cert_file). The file must contain the private key of a
              certificate in PEM format. An empty argument disables this
              feature.

       tls_cert_file file
              Send a client certificate to the server (use this together with
              tls_key_file). The file must contain a certificate in PEM
              format. An empty argument disables this feature.

       tls_certcheck [(on|off)]
              Enable or disable checks of the server certificate. They are
              enabled by default. Disabling them will override tls_trust_file
              and tls_fingerprint. WARNING: When the checks are disabled, TLS
              sessions will not be secure!

       tls_min_dh_prime_bits [bits]
              Set or unset the minimum number of Diffie-Hellman (DH) prime
              bits that msmtp will accept for TLS sessions. The default is set
              by the TLS library and can be selected by using an empty
              argument to this command. Only lower the default (for example to
              512 bits) if there is no other way to make TLS work with the
              remote server.

       tls_priorities [priorities]
              Set the priorities for TLS sessions. The default is set by the
              TLS library and can be selected by using an empty argument to
              this command. See the GnuTLS documentation of the
              gnutls_priority_init function for a description of the
              priorities string.

       tls_host_override [host]
              By default, TLS host verification uses the host name given by
              the host command. This command allows you to use a different
              host name for verification. This is only useful in special
              cases.

       from envelope_from
              Set the envelope-from address. The following substitution
              patterns are supported:
              %U will be replaced by $USER, or if that fails by $LOGNAME, or
              if that fails by the login name of the user running msmtp.
              %H will be replaced by $HOSTNAME, or if that fails by the host
              name of the system.
              %C will be replaced by the canonical name of %H.
              %M will be replaced by the contents of /etc/mailname
              (potentially a different directory is used depending on the
              build configuration; see the output of msmtp --version and look
              for the location of the system configuration file).
              Note that the obsolete auto_from command replaces this
              envelope-from address.

       dsn_notify (off|condition)
              This command sets the condition(s) under which the mail system
              should send DSN (Delivery Status Notification) messages. The
              argument off disables explicit DSN requests, which means the
              mail system decides when to send DSN messages. This is the
              default. The condition must be never, to never request
              notification, or a comma separated list (no spaces!) of one or
              more of the following: failure, to request notification on
              transmission failure, delay, to be notified of message delays,
              success, to be notified of successful transmission. The SMTP
              server must support the DSN extension.

       dsn_return (off|amount)
              This command controls how much of a mail should be returned in
              DSN (Delivery Status Notification) messages. The argument off
              disables explicit DSN requests, which means the mail system
              decides how much of a mail it returns in DSN messages. This is
              the default. The amount must be headers, to just return the
              message headers, or full, to return the full mail. The SMTP
              server must support the DSN extension.

       set_from_header [(auto|on|off)]
              When to set a From header: auto adds a From header if the mail
              does not have one (this is the default), on always sets a From
              header and overrides any existing one, and off never sets a From
              header.
              If the mail server rejects the mail because its From header does
              not match the envelope from address (a common anti-spam
              measure), then you might want to set this option to on.
              For compatibility with older versions, add_missing_from_header
              [(on|off)] is still supported and corresponds to the auto and
              off settings.

       set_date_header [(auto|off)]
              When to set a Date header: auto adds a Date header if the mail
              does not have one (this is the default), and off never sets a
              Date header.
              For compatibility with older versions, add_missing_date_header
              [(on|off)] is still supported and corresponds to the auto and
              off settings.

       remove_bcc_headers [(on|off)]
              This command controls whether to remove Bcc headers. The default
              is to remove them.

       logfile [file]
              An empty argument disables logging (this is the default).
              When logging is enabled by choosing a log file, msmtp will
              append one line to the log file for each mail it tries to send
              via the account that this log file was chosen for.
              The line will include the following information: date and time
              in the format specified by logfile_time_format, host name of the
              SMTP server, whether TLS was used, whether authentication was
              used, authentication user name (only if authentication is used),
              envelope-from address, recipient addresses, size of the mail as
              transferred to the server (only if the delivery succeeded), SMTP
              status code and SMTP error message (only in case of failure and
              only if available), error message (only in case of failure and
              only if available), exit code (from sysexits.h; EX_OK indicates
              success).
              If the filename is a dash (-), msmtp prints the log line to the
              standard output.

       logfile_time_format [fmt]
              Set or unset the log file time format. This will be used as the
              format string for the strftime() function. An empty argument
              chooses the default ("%b %d %H:%M:%S").

       syslog [(on|off|facility)]
              Enable or disable syslog logging. The facility can be one of
              LOG_USER, LOG_MAIL, LOG_LOCAL0, ..., LOG_LOCAL7. The default is
              LOG_USER.
              Each time msmtp tries to send a mail via the account that
              contains this syslog command, it will log one entry to the
              syslog service with the chosen facility.
              The line will include the following information: host name of
              the SMTP server, whether TLS was used, whether authentication
              was used, envelope-from address, recipient addresses, size of
              the mail as transferred to the server (only if the delivery
              succeeded), SMTP status code and SMTP error message (only in
              case of failure and only if available), error message (only in
              case of failure and only if available), exit code (from
              sysexits.h; EX_OK indicates success).

       aliases [file]
              Replace local recipients with addresses in the aliases file.
              The aliases file is a cleartext file containing mappings between
              a local address and a list of replacement addresses. The
              mappings are of the form:
                  local: someone@example.com, person@domain.example
              Multiple replacement addresses are separated with commas.
              Comments start with `#' and continue to the end of the line.
              The local address default has special significance and is
              matched if the local address is not found in the aliases file.
              If no default alias is found, then the local address is left as
              is.
              An empty argument to the aliases command disables the
              replacement of local addresses. This is the default.

       auto_from [(on|off)]
              Obsolete; you can achieve the same and more using the
              substitution patterns of the from command.
              Enable or disable automatic envelope-from addresses. The default
              is off. When enabled, an envelope-from address of the form
              user@domain will be generated. The local part will be set to
              USER or, if that fails, to LOGNAME or, if that fails, to the
              login name of the current user. The domain part can be set with
              the maildomain command. If the maildomain is empty, the
              envelope-from address will only consist of the user name and not
              have a domain part. When auto_from is disabled, the
              envelope-from address must be set explicitly.

       maildomain [domain]
              Obsolete; you can achieve the same and more using the
              substitution patterns of the from command.
              Set a domain part for the generation of an envelope-from
              address. This is only used when auto_from is on. The domain may
              be empty.

EXAMPLES

       Configuration file

       # Example for a user configuration file ~/.msmtprc
       #
       # This file focusses on TLS and authentication. Features not used here include
       # logging, timeouts, SOCKS proxies, TLS parameters, Delivery Status Notification
       # (DSN) settings, and more.

       # Set default values for all following accounts.
       defaults

       # Use the mail submission port 587 instead of the SMTP port 25.
       port 587

       # Always use TLS.
       tls on

       # Set a list of trusted CAs for TLS. The default is to use system settings, but
       # you can select your own file.
       #tls_trust_file /etc/ssl/certs/ca-certificates.crt

       # If you select your own file, you should also use the tls_crl_file command to
       # check for revoked certificates, but unfortunately getting revocation lists and
       # keeping them up to date is not straightforward.
       #tls_crl_file ~/.tls-crls

       # A freemail service
       account freemail

       # Host name of the SMTP server
       host smtp.freemail.example

       # As an alternative to tls_trust_file/tls_crl_file, you can use tls_fingerprint
       # to pin a single certificate. You have to update the fingerprint when the
       # server certificate changes, but an attacker cannot trick you into accepting
       # a fraudulent certificate. Get the fingerprint with
       # $ msmtp --serverinfo --tls --tls-certcheck=off --host=smtp.freemail.example
       #tls_fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

       # Envelope-from address
       from joe_smith@freemail.example

       # Authentication. The password is given using one of five methods, see below.
       auth on
       user joe.smith

       # Password method 1: Add the password to the system keyring, and let msmtp get
       # it automatically. To set the keyring password using Gnome's libsecret:
       # $ secret-tool store --label=msmtp \
       #   host smtp.freemail.example \
       #   service smtp \
       #   user joe.smith

       # Password method 2: Store the password in an encrypted file, and tell msmtp
       # which command to use to decrypt it. This is usually used with GnuPG, as in
       # this example. Usually gpg-agent will ask once for the decryption password.
       passwordeval gpg2 --no-tty -q -d ~/.msmtp-password.gpg

       # Password method 3: Store the password directly in this file. Usually it is not
       # a good idea to store passwords in cleartext files. If you do it anyway, at
       # least make sure that this file can only be read by yourself.
       #password secret123

       # Password method 4: Store the password in ~/.netrc. This method is probably not
       # relevant anymore.

       # Password method 5: Do not specify a password. Msmtp will then prompt you for
       # it. This means you need to be able to type into a terminal when msmtp runs.

       # A second mail address at the same freemail service
       account freemail2 : freemail
       from joey@freemail.example

       # The SMTP server of your ISP
       account isp
       host mail.isp.example
       from smithjoe@isp.example
       auth on
       user 12345

       # Set a default account
       account default : freemail

       Using msmtp with Mutt

       Create a configuration file for msmtp and add the following lines to
       your Mutt configuration file:
           set sendmail="/path/to/msmtp"
           set use_from=yes
           set realname="Your Name"
           set from=you@example.com
           set envelope_from=yes
       The envelope_from=yes option lets Mutt use the -f option of msmtp.
       Therefore msmtp chooses the first account that matches the from address
       you@example.com.
       Alternatively, you can use the -a option:
           set sendmail="/path/to/msmtp -a my-account"
       Or set everything from the command line (but note that you cannot set a
       password this way):
           set sendmail="/path/to/msmtp --host=mailhub -f me@example.com --tls --tls-trust-file=trust.crt"

       If you have multiple mail accounts in your msmtp configuration file and
       let Mutt use the -f option to choose the right one, you can easily
       switch accounts in Mutt with the following Mutt configuration lines:
           macro generic "<esc>1" ":set from=you@example.com"
           macro generic "<esc>2" ":set from=you@your-employer.example"
           macro generic "<esc>3" ":set from=you@some-other-provider.example"


       Using msmtp with mail

       Define a default account, and put the following in your ~/.mailrc:
           set sendmail="/path/to/msmtp"


       Using msmtp with Tor

       Use the following settings:
           proxy_host 127.0.0.1
           proxy_port 9050
           tls on
       Use an IP address as proxy host name, so that msmtp does not leak a DNS
       query when resolving it.
       TLS is required to prevent exit hosts from reading your SMTP session.
       Do not set domain to something that you do not want to reveal (do not
       set it at all if possible).

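
The following audit script is an added example, not part of msmtp or its documentation. It resolves each account's effective settings (defaults plus `account name : base` inheritance) and reports the settings this page warns about: tls off, tls_certcheck off, MD5/SHA1 fingerprints, a cleartext password, lowered tls_min_dh_prime_bits, and a proxy given by name. The sample configuration is constructed, the 2048-bit threshold and the finding labels are assumptions of this example, and the parser is a simplification of msmtp's own.

```python
import ipaddress

MIN_DH_BITS = 2048  # assumption: audit threshold picked for this example
# Constructed sample configuration (not the man page's example file).
SAMPLE = """\
defaults
tls on
account work
tls_fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
password secret123
account legacy : work
tls_certcheck off
tls_min_dh_prime_bits 512
account viaproxy
proxy_host localhost
tls off
"""

def parse(text):
    """Return {account: {command: argument}} after defaults and inheritance."""
    defaults, accounts, current = {}, {}, None
    for line in text.splitlines():
        fields = line.split(None, 1) + [""]
        if not fields[0] or fields[0].startswith("#"):
            continue  # blank line or comment
        cmd, arg = fields[0], fields[1].strip()
        if cmd == "defaults":
            current = defaults
        elif cmd == "account":
            name, _, bases = arg.partition(":")
            current = dict(defaults)  # defaults seen so far are filled in
            for base in bases.split(","):
                current.update(accounts.get(base.strip(), {}))  # inherited
            accounts[name.strip()] = current
        elif current is not None:
            current[cmd] = arg
    return accounts

def is_ip(value):
    try:
        return bool(ipaddress.ip_address(value))  # raises ValueError for names
    except ValueError:
        return False

def audit(text):
    """Return sorted (account, finding) pairs for settings the page warns about."""
    out = []
    for name, cfg in parse(text).items():
        fp_bytes = len(cfg.get("tls_fingerprint", "").replace(":", "")) // 2
        bits = cfg.get("tls_min_dh_prime_bits", "")
        checks = [
            (cfg.get("tls") == "off", "tls off"),
            (cfg.get("tls_certcheck") == "off", "tls_certcheck off"),
            (fp_bytes in (16, 20), "MD5/SHA1 fingerprint"),  # SHA256 is 32 bytes
            (bool(cfg.get("password")), "cleartext password"),
            (bits.isdigit() and int(bits) < MIN_DH_BITS, "low DH prime bits"),
            ("proxy_host" in cfg and not is_ip(cfg["proxy_host"]), "proxy by name"),
        ]
        out += [(name, msg) for hit, msg in checks if hit]
    return sorted(out)
```

The account `legacy` is reported for the password and fingerprint it inherits from `work` as well as for its own lines. `msmtp --pretend` prints the settings msmtp itself would use and is the authoritative view where this parser and msmtp differ.
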
       Aliases file

       # Example aliases file

       # Send root to Joe and Jane
       root: joe_smith@example.com, jane_chang@example.com

       # Send cron to Mark
       cron: mark_jones@example.com

       # Send everything else to admin
       default: admin@domain.example

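
The replacement rules of the aliases command, as an added example that is not msmtp's own code: a parser for the aliases format and a resolver that shows where mail for local recipients ends up, including the default fallback. The sample file is constructed, the function names are hypothetical, and treating any recipient without an @ as local is an assumption of this example.

```python
# Constructed aliases file in the format described on this page.
ALIASES = """\
# Example aliases file
root: joe_smith@example.com, jane_chang@example.com
cron: mark_jones@example.com   # trailing comment
default: admin@domain.example
"""

def load_aliases(text):
    """Parse 'local: addr, addr' lines into {local: [addresses]}."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments run to end of line
        if not line:
            continue
        local, sep, targets = line.partition(":")
        addrs = [a.strip() for a in targets.split(",") if a.strip()]
        if not sep or not local.strip() or not addrs:
            raise ValueError(f"line {lineno}: expected 'local: address[, ...]'")
        table[local.strip()] = addrs
    return table

def expand(recipients, table):
    """Replace local recipients; fall back to 'default', else keep as is."""
    out = []
    for rcpt in recipients:
        if "@" in rcpt:  # assumption: a recipient with a domain part is not local
            out.append(rcpt)
        else:
            out.extend(table.get(rcpt, table.get("default", [rcpt])))
    return out
```
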

FILES

       SYSCONFDIR/msmtprc
              System configuration file. Use --version to find out what
              SYSCONFDIR is on your platform.

       ~/.msmtprc or $XDG_CONFIG_HOME/msmtp/config
              User configuration file.

       ~/.netrc and SYSCONFDIR/netrc
              The netrc file contains login information. Before prompting for
              a password, msmtp will search for it in ~/.netrc and
              SYSCONFDIR/netrc.

ENVIRONMENT

       USER, LOGNAME
              These variables override the user's login name when constructing
              an envelope-from address. LOGNAME is only used if USER is unset.

       TMPDIR Directory to create temporary files in. If this is unset, a
              system specific default directory is used.
              A temporary file is only created when the -t/--read-recipients
              or --read-envelope-from option is used. The file is then used to
              buffer the headers of the mail (but not the body, so the file
              won't get very large).

       EMAIL, SMTPSERVER
              These environment variables are used only if neither --host nor
              --account is used and there is no default account defined in the
              configuration files. In this case, the host name is taken from
              SMTPSERVER, and the envelope from address is taken from EMAIL,
              unless overridden by --from or --read-envelope-from. Currently
              SMTPSERVER must contain a plain host name (no URL), and EMAIL
              must contain a plain address (no names or additional
              information).

AUTHORS

       msmtp was written by Martin Lambers <marlam@marlam.de>.
       Other authors are listed in the AUTHORS file in the source
       distribution.

SEE ALSO

       sendmail(8), netrc(5) or ftp(1)

                                    2020-04                           MSMTP(1)