1MSMTP(1)                    General Commands Manual                   MSMTP(1)
2
3
4

NAME

6       msmtp - An SMTP client
7

SYNOPSIS

9       Sendmail mode (default):
10              msmtp [option...] [--] recipient...
11              msmtp [option...] -t [--] [recipient...]
12
13       Configuration mode:
14              msmtp --configure <mailaddress>
15
16       Server information mode:
17              msmtp [option...] --serverinfo
18
19       Remote Message Queue Starting mode:
20              msmtp [option...] --rmqs=host|@domain|#queue
21

DESCRIPTION

23       In  the  default  sendmail mode, msmtp reads a mail from standard input
24       and sends it to an SMTP server for delivery.
25       In server information mode, msmtp  prints  information  about  an  SMTP
26       server.
27       In  Remote  Message  Queue  Starting mode, msmtp sends a Remote Message
28       Queue Starting request for a host, domain, or queue to an SMTP server.
29

EXIT STATUS

31       The standard sendmail exit status codes are used, as defined in  sysex‐
32       its.h.
33

OPTIONS

35       Options override configuration file settings.
36       They are compatible with sendmail where appropriate.
37
38       General options
39
40              --version
41                     Print  version  information,  including information about
42                     the libraries used.
43
44              --help Print help.
45
46              -P, --pretend
47                     Print the configuration settings that would be used,  but
48                     do  not  take  further action.  An asterisk (`*') will be
49                     printed instead of your password.
50
51              -v, -d, --debug
52                     Print lots of debugging information, including the  whole
53                     conversation  with  the SMTP server. Be careful with this
54                     option: the (potentially dangerous) output  will  not  be
55                     sanitized, and your password may get printed in an easily
56                     decodable format!
57
58       Changing the mode of operation
59
60              --configure=mailaddress
61                     Generate a configuration for the given mail  address  and
62                     print it. This can be modified or copied unchanged to the
63                     configuration file.  Note that this only works  for  mail
64                     domains  that  publish  appropriate  SRV records; see RFC
65                     8314.
66
67              -S, --serverinfo
68                     Print information about the SMTP server  and  exit.  This
69                     includes  information about supported features (mail size
70                     limit, authentication, TLS, DSN, ...) and about  the  TLS
71                     certificate (if TLS is active).
72
73              --rmqs=(host|@domain|#queue)
74                     Send  a  Remote  Message  Queue  Starting request for the
75                     given host, domain, or queue to the SMTP server and exit.
76
77       Configuration options
78
79              -C, --file=filename
80                     Use the given file instead  of  ~/.msmtprc  or  $XDG_CON‐
81                     FIG_HOME/msmtp/config as the user configuration file.
82
83              -a, --account=account_name
84                     Use  the  given  account  instead  of  the  account named
85                     "default". The settings of this account  may  be  changed
86                     with  command  line  options.  This option cannot be used
87                     together with the --host option.
88
89              --host=hostname
90                     Use this SMTP server with settings from the command line;
91                     do  not use any configuration file data. This option can‐
92                     not be used together with the --account option.
93
94              --port=number
95                     Set the port number to connect to. See the port command.
96
97              --source-ip=[IP]
98                     Set or unset an IP address to bind the socket to. See the
99                     source_ip command.
100
101              --proxy-host=[IP|hostname]
102                     Set  or  unset  a  SOCKS proxy to use. See the proxy_host
103                     command.
104
105              --proxy-port=[number]
106                     Set or unset a port number for the proxy  host.  See  the
107                     proxy_port command.
108
109              --socket=[socketname]
110                     Set  or  unset a local unix domain socket name to connect
111                     to. See the socket command.
112
113              --timeout=(off|seconds)
114                     Set or unset a network timeout, in seconds. See the time‐
115                     out command.
116
117              --protocol=(smtp|lmtp)
118                     Set the protocol. See the protocol command.
119
120              --domain=[string]
121                     Set the argument of the SMTP EHLO (or LMTP LHLO) command.
122                     See the domain command.
123
124              --auth[=(on|off|method)]
125                     Enable or disable authentication  and  optionally  choose
126                     the method.  See the auth command.
127
128              --user=[username]
129                     Set  or  unset  the user name for authentication. See the
130                     user command.
131
132              --passwordeval=[eval]
133                     Evaluate password for authentication. See the  passworde‐
134                     val command.
135
136              --tls[=(on|off)]
137                     Enable or disable TLS/SSL. See the tls command.
138
139              --tls-starttls[=(on|off)]
140                     Enable  or disable STARTTLS for TLS. See the tls_starttls
141                     command.
142
143              --tls-trust-file=[file]
144                     Set or unset a trust file for TLS. See the tls_trust_file
145                     command.
146
147              --tls-crl-file=[file]
148                     Deprecated.  Set  or  unset a certificate revocation list
149                     (CRL) file for TLS. See the tls_crl_file command.
150
151              --tls-fingerprint=[fingerprint]
152                     Set or unset the fingerprint of a  trusted  TLS  certifi‐
153                     cate. See the tls_fingerprint command.
154
155              --tls-key-file=[file]
156                     Set  or  unset  a  key file for TLS. See the tls_key_file
157                     command.
158
159              --tls-cert-file=[file]
160                     Set or unset a cert file for TLS. See  the  tls_cert_file
161                     command.
162
163              --tls-certcheck[=(on|off)]
164                     Enable  or disable server certificate checks for TLS. See
165                     the tls_certcheck command.
166
167              --tls-priorities=[priorities]
168                     Set or unset TLS priorities. See the tls_priorities  com‐
169                     mand.
170
171              --tls-host-override=[host]
172                     Set  or unset override for TLS host verification. See the
173                     tls_host_override command.
174
175              --tls-min-dh-prime-bits=[bits]
176                     Deprecated, use --tls-priorities instead.  Set  or  unset
177                     minimum  bit  size  of the Diffie-Hellman (DH) prime. See
178                     the tls_min_dh_prime_bits command.
179
180       Options specific to sendmail mode
181
182              -f, --from=address
183                     Set the envelope-from address.
184                     If no account was chosen yet (with --account or  --host),
185                     this  option  will  choose the first account that has the
186                     given envelope-from address (set with the from  command).
187                     If no such account is found, "default" is used.
188                     See  the from command for substitution patterns supported
189                     in address.
190
191              -N, --dsn-notify=(off|cond)
192                     Set  or  unset  DSN  notification  conditions.  See   the
193                     dsn_notify command.
194
195              -R, --dsn-return=(off|ret)
196                     Set  or  unset  the  DSN  notification  amount.  See  the
197                     dsn_return command.  Note that hdrs  is  accepted  as  an
198                     alias for headers to be compatible with sendmail.
199
200              --set-from-header[=(auto|on|off)]
201                     Set  From  header  handling. See the set_from_header com‐
202                     mand.
203
204              --set-date-header[=(auto|off)]
205                     Set Date header handling. See  the  set_date_header  com‐
206                     mand.
207
208              --remove-bcc-headers[=(on|off)]
209                     Enable  or  disable  the  removal of Bcc headers. See the
210                     remove_bcc_headers command.
211
212              --undisclosed-recipients[=(on|off)]
213                     Enable or disable the replacement of To/Cc/Bcc with  "To:
214                     undisclosed-recipients:;".   See  the undisclosed_recipi‐
215                     ents command.
216
217              -X, --logfile=[file]
218                     Set or unset the log file. See the logfile command.
219
220              --logfile-time-format=[fmt]
221                     Set or unset the log  file  time  format.  See  the  log‐
222                     file_time_format command.
223
224              --syslog[=(on|off|facility)]
225                     Enable or disable syslog logging. See the syslog command.
226
227              -t, --read-recipients
228                     Read recipient addresses from the To, Cc, and Bcc headers
229                     of the mail in addition to the recipients  given  on  the
230                     command  line.   If any Resent- headers are present, then
231                     the addresses from any Resent-To, Resent-Cc, and  Resent-
232                     Bcc  headers  in  the  first block of Resent- headers are
233                     used instead.
234
235              --read-envelope-from
236                     Read the envelope from address from the  From  header  of
237                     the mail.
238
239              --aliases=[file]
240                     Set or unset an aliases file. See the aliases command.
241
242              -Fname Msmtp adds a From header to mails that lack it, using the
243                     envelope from address. This option allows one  to  set  a
244                     full name to be used in that header.
245
246              --auto-from[=(on|off)]
247                     Obsolete. See the auto_from command.
248
249              --maildomain=[domain]
250                     Obsolete. See the maildomain command.
251
252              --     This  marks  the  end of options. All following arguments
253                     will be treated as  recipient  addresses,  even  if  they
254                     start with a `-'.
255
256       The following options are accepted but ignored for sendmail compatibil‐
257       ity:
258       -Btype, -bm, -G, -hN, -i, -L tag, -m, -n, -O option=value, -ox value
259

USAGE

261       A suggestion for a suitable configuration file can be  generated  using
262       the  --configure  option.   Normally,  a system wide configuration file
263       and/or a user configuration file contain information about  which  SMTP
264       server  to  use and how to use it, but all settings can also be config‐
265       ured on the command line.
266       The information about SMTP  servers  is  organized  in  accounts.  Each
267       account  describes one SMTP server: host name, authentication settings,
268       TLS settings, and so on. Each configuration file  can  define  multiple
269       accounts.
270
271       The user can choose which account to use in one of three ways:
272
273       --account=id
274              Use the given account. Command line settings override configura‐
275              tion file settings.
276
277       --host=hostname
278              Use only the settings from the command line; do not use any con‐
279              figuration file data.
280
281       --from=address or --read-envelope-from
282              Choose  the  first account from the system or user configuration
283              file that has a matching envelope-from address as specified by a
284              from  command. This works only when neither --account nor --host
285              is used.
286              Subadresses  are  supported.  For  example,  the  envelope  from
287              address  user+detail@example.com  will  match  the  account  for
288              user@example.com.
289
290       If none of the above options is used (or if no account has  a  matching
291       from command), then the account "default" is used.
292
293       Msmtp  transmits mails unaltered to the SMTP server, with the following
294       exceptions:
295       - The Bcc header(s) will be removed. This behavior can be changed  with
296       the remove_bcc_headers command and --remove-bcc-headers option.
297       -  A  From header will be added if the mail does not have one. This can
298       be changed  with  the  set_from_header  command  and  --set-from-header
299       option.  The header will use the envelope from address and optionally a
300       full name set with the -F option.
301       - A Date header will be added if the mail does not have one.  This  can
302       be  changed  with  the  set_date_header  command  and --set-date-header
303       option.
304       - When undisclosed_recipients is set, the  original  To,  Cc,  and  Bcc
305       headers are removed and replaced with "To: undisclosed-recipients:;".
306
307       Skip to the EXAMPLES section for a quick start.
308

CONFIGURATION FILES

310       If  it  exists  and  is  readable,  a  system  wide  configuration file
311       SYSCONFDIR/msmtprc will be loaded, where  SYSCONFDIR  depends  on  your
312       platform.  Use --version to find out which directory is used.
313       If  it exists and is readable, a user configuration file will be loaded
314       (~/.msmtprc will be tried first followed by $XDG_CONFIG_HOME/msmtp/con‐
315       fig  by  default, but see --version). Accounts defined in the user con‐
316       figuration file override accounts from the system configuration file.
317       Configuration data from either file can  be  changed  by  command  line
318       options.
319
320       A  configuration  file  is a simple text file.  Empty lines and comment
321       lines (whose first non-blank character is `#') are ignored.
322       Every other line must contain a command and may contain an argument  to
323       that command.
324       The  argument  may be enclosed in double quotes ("), for example if its
325       first or last character is a blank.
326       If a file name starts with the tilde (~), this tilde will  be  replaced
327       by  $HOME.   If  a  command accepts the argument on, it also accepts an
328       empty argument and treats that as if it was on.
329       Commands are organized  in  accounts.  Each  account  starts  with  the
330       account command and defines the settings for one SMTP account.
331
332       Skip to the EXAMPLES section for a quick start.
333
334       Commands are as follows:
335
336       defaults
337              Set  defaults.  The  following  configuration  commands will set
338              default values for all following account definitions in the cur‐
339              rent configuration file.
340
341       account name [:account[,...]]
342              Start  a new account definition with the given name. The current
343              default values are filled in.
344              If a colon and a list of previously defined  accounts  is  given
345              after  the  account  name,  the  new account, with the filled in
346              default values, will inherit all settings from the  accounts  in
347              the list.
348
349       host hostname
350              The SMTP server to send the mail to.  The argument may be a host
351              name or a network address.  Every account definition  must  con‐
352              tain this command.
353
354       port number
355              The  port  that  the  SMTP server listens on.  The default is 25
356              ("smtp"), unless TLS without STARTTLS is used, in which case  it
357              is 465 ("smtps").
358
359       source_ip [IP]
360              Set a source IP address to bind the outgoing connection to. Use‐
361              ful only in special cases on multi-home systems. An empty  argu‐
362              ment disables this.
363
364       proxy_host [IP|hostname]
365              Use  a  SOCKS  proxy.  All  network traffic will go through this
366              proxy host, including DNS queries, except for a DNS  query  that
367              might  be  necessary to resolve the proxy host name itself (this
368              can be avoided by using an IP address as proxy  host  name).  An
369              empty  hostname  argument  disables  proxy usage.  The supported
370              SOCKS protocol version is 5. If you want to use this  with  Tor,
371              see also "Using msmtp with Tor" below.
372
373       proxy_port [number]
374              Set the port number for the proxy host. An empty number argument
375              resets this to the default port.
376
377       socket socketname
378              Set the file name of a unix domain socket to  connect  to.  This
379              overrides both host/port and proxy_host/proxy_port.
380
381       timeout (off|seconds)
382              Set  or  unset  a  network timeout, in seconds. The argument off
383              means that no timeout will be set, which means that the  operat‐
384              ing system default will be used.
385
386       protocol (smtp|lmtp)
387              Set  the  protocol to use. Currently only SMTP and LMTP are sup‐
388              ported. SMTP is the default. See  the  port  command  above  for
389              default ports.
390
391       domain argument
392              Use  this  command to set the argument of the SMTP EHLO (or LMTP
393              LHLO) command.  The default is localhost, which  is  stupid  but
394              usually  works.  Try to change the default if mails get rejected
395              due to anti-SPAM measures. Possible choices are the domain  part
396              of your mail address (provider.example for joe@provider.example)
397              or the fully qualified domain name of your host (if available).
398
399       auth [(on|off|method)]
400              Enable or disable authentication and optionally choose a  method
401              to use. The argument on chooses a method automatically.
402              Usually  a user name and a password are used for authentication.
403              The user name is specified in the configuration  file  with  the
404              user  command.  There  are five different methods to specify the
405              password:
406              1. Add the password to the system key ring.  Currently supported
407              key rings are the Gnome key ring and the Mac OS X Keychain.  For
408              the Gnome key ring, use the command secret-tool (part of Gnome's
409              libsecret)  to  store passwords: secret-tool store --label=msmtp
410              host mail.freemail.example service smtp user joe.smith.  On  Mac
411              OS  X, use the following command: security add-internet-password
412              -s mail.freemail.example -r smtp -a joe.smith -w.  In both exam‐
413              ples,  replace  mail.freemail.example with the SMTP server name,
414              and joe.smith with your user name.
415              2. Store the password in an encrypted files, and use  passworde‐
416              val to specify a command to decrypt that file, e.g. using GnuPG.
417              See EXAMPLES.
418              3. Store the password in the configuration file using the  pass‐
419              word  command.   (Usually  it  is  not considered a good idea to
420              store passwords in cleartext files.  If you do  it  anyway,  you
421              must make sure that the file can only be read by yourself.)
422              4. Store the password in ~/.netrc. This method is probably obso‐
423              lete.
424              5. Type the password into the terminal when it is required.
425              It is recommended to use method 1 or 2.
426              Multiple authentication methods exist. Most servers support only
427              some  of  them.  Historically, sophisticated methods were devel‐
428              oped to protect passwords from being  sent  unencrypted  to  the
429              server,  but  nowadays everybody needs TLS anyway, so the simple
430              methods suffice since the whole session is protected. A suitable
431              authentication  method  is chosen automatically, and when TLS is
432              disabled for some reason, only methods that avoid sending clear‐
433              text passwords are considered.
434              The  following  user  / password methods are supported: plain (a
435              simple cleartext method,  with  base64  encoding,  supported  by
436              almost all servers), scram-sha-1 (a method that avoids cleartext
437              passwords), cram-md5 (an obsolete method that  avoids  cleartext
438              passwords, but is not considered secure anymore), digest-md5 (an
439              overcomplicated obsolete method that avoids cleartext passwords,
440              but  is  not  considered  secure anymore), login (a non-standard
441              cleartext method similar to but worse than  the  plain  method),
442              ntlm (an obscure non-standard method that is now considered bro‐
443              ken; it sometimes requires a special domain parameter passed via
444              ntlmdomain).
445              There  are  currently  three authentication methods that are not
446              based on user / password information and have to be chosen manu‐
447              ally:  oauthbearer  or  its predecessor xoauth2 (an OAuth2 token
448              from the mail provider is used as the password.  See  the  docu‐
449              mentation  of  your mail provider for details on how to get this
450              token. The passwordeval command can be used to  pass  the  regu‐
451              larly changing tokens into msmtp from a script or an environment
452              variable), external (the authentication happens outside  of  the
453              protocol, typically by sending a TLS client certificate, and the
454              method merely confirms that this authentication succeeded),  and
455              gssapi  (the Kerberos framework takes care of secure authentica‐
456              tion, only a user name is required).
457              It depends on the underlying authentication library and its ver‐
458              sion whether a particular method is supported or not. Use --ver‐
459              sion to find out which methods are supported.
460
461       user login
462              Set the user name for authentication. An empty  argument  unsets
463              the user name.
464
465       password secret
466              Set  the  password  for authentication. An empty argument unsets
467              the password.  Consider using the passwordeval command or a  key
468              ring  instead  of this command, to avoid storing cleartext pass‐
469              words in the configuration file.
470
471       passwordeval [eval]
472              Set the password for authentication to the  output  (stdout)  of
473              the  command  eval.   This  can be used e.g. to decrypt password
474              files on the fly or to query key rings, and thus to avoid  stor‐
475              ing cleartext passwords.
476              Note  that  the  eval  command must not mess with standard input
477              (stdin) because that is where msmtp reads the mail from.  If  in
478              doubt, append </dev/null to eval.
479
480       ntlmdomain [domain]
481              Set  a  domain for the ntlm authentication method. This is obso‐
482              lete.
483
484       tls [(on|off)]
485              Enable or disable TLS (also known as SSL)  for  secured  connec‐
486              tions.
487              Transport Layer Security (TLS) "... provides communications pri‐
488              vacy over  the  Internet.   The  protocol  allows  client/server
489              applications to communicate in a way that is designed to prevent
490              eavesdropping,  tampering,  or  message  forgery"  (quote   from
491              RFC2246).
492              A server can use TLS in one of two modes: via a STARTTLS command
493              (the session starts with the normal protocol initialization, and
494              TLS  is  then started using the protocol's STARTTLS command), or
495              immediately (TLS is initialized before the normal protocol  ini‐
496              tialization;  this  requires a separate port). The first mode is
497              the default, but you can switch to the second mode by  disabling
498              tls_starttls.
499              When  TLS is started, the server sends a certificate to identify
500              itself. To verify the  server  identity,  a  client  program  is
501              expected  to  check that the certificate is formally correct and
502              that it was issued by a Certificate Authority (CA) that the user
503              trusts.  (There can also be certificate chains with intermediate
504              CAs.)
505              The list of trusted CAs is specified  using  the  tls_trust_file
506              command.  The default value ist "system" and chooses the system-
507              wide default, but you can also choose the trusted CAs yourself.
508              A fundamental problem with this is that you need to  trust  CAs.
509              Like any other organization, a CA can be incompetent, malicious,
510              subverted by bad people, or forced  by  government  agencies  to
511              compromise  end  users without telling them. All of these things
512              happened and continue to happen worldwide.   The  idea  to  have
513              central  organizations that have to be trusted for your communi‐
514              cation to be secure is fundamentally broken.
515              Instead of putting trust in a CA, you can choose to trust only a
516              single  certificate  for  the server you want to connect to. For
517              that purpose, specify the certificate fingerprint with  tls_fin‐
518              gerprint. This makes sure that no man-in-the-middle can fake the
519              identity of the server by presenting you a  fraudulent  certifi‐
520              cate  issued  by  some CA that happens to be in your trust list.
521              However, you have to update the fingerprint whenever the  server
522              certificate  changes,  and you have to make sure that the change
523              is legitimate each time, e.g. when the old certificate  expired.
524              This is inconvenient, but it's the price to pay.
525              Information  about  a  server  certificate  can be obtained with
526              --serverinfo --tls --tls-certcheck=off. This includes the issuer
527              CA   of   the   certificate  (so  you  can  trust  that  CA  via
528              tls_trust_file), and the fingerprint of the certificate (so  you
529              can trust that particular certificate via tls_fingerprint).
530              TLS also allows the server to verify the identity of the client.
531              For this purpose, the client has to present a certificate issued
532              by a CA that the server trusts. To present that certificate, the
533              client also needs the matching key file. You can  set  the  cer‐
534              tificate  and  key  files  using tls_cert_file and tls_key_file.
535              This mechanism can also be used to authenticate users,  so  that
536              traditional user / password authentication is not necessary any‐
537              more. See the external mechanism in auth.
538              You can also use client certificates  stored  on  some  external
539              authentication  device  by  specifying  GnuTLS  device  URIs  in
540              tls_cert_file and tls_key_file. You can find  the  correct  URIs
541              using  p11tool  --list-privkeys --login (p11tool is bundled with
542              GnuTLS). If your device requires a PIN to access the  data,  you
543              can  specify  that  using  one  of the password mechanisms (e.g.
544              passwordeval, password).
545
546       tls_starttls [(on|off)]
547              Choose the TLS variant: start TLS from within the  session  (on,
548              default), or tunnel the session through TLS (off).
549
550       tls_trust_file file
551              Activate server certificate verification using a list of trusted
552              Certification Authorities (CAs).  The  default  is  the  special
553              value "system", which selects the system default. An empty argu‐
554              ment disables trust in CAs.  If you select a file, it must be in
555              PEM format, and you should also use tls_crl_file.
556
557       tls_crl_file [file]
558              Deprecated.  This  sets a certificate revocation list (CRL) file
559              for TLS, to check for revoked certificates (an  empty  argument,
560              which  is  the default, disables this).  Nowadays automatic OCSP
561              checks replace CRL file checks.
562
563       tls_fingerprint [fingerprint]
564              Set the fingerprint of a single certificate to accept  for  TLS.
565              This  certificate  will  be  trusted  regardless of its contents
566              (this overrides tls_trust_file).  The fingerprint should  be  of
567              type SHA256, but can for backwards compatibility also be of type
568              SHA1  or  MD5  (please  avoid  this).   The  format  should   be
569              01:23:45:67:....   Use  --serverinfo  --tls  --tls-certcheck=off
570              --tls-fingerprint= to get the server certificate fingerprint.
571
572       tls_key_file file
573              Send a client certificate to the server (use this together  with
574              tls_cert_file}).   The  file  must  contain the private key of a
575              certificate in PEM format. An empty argument disables this  fea‐
576              ture.
577
578       tls_cert_file file
579              Send  a client certificate to the server (use this together with
580              tls_key_file).  The file must contain a certificate in PEM  for‐
581              mat. An empty argument disables this feature.
582
583       tls_certcheck [(on|off)]
584              Enable  or  disable  checks  of the server certificate. They are
585              enabled by default.  Disabling them will override tls_trust_file
586              and tls_fingerprint.  WARNING: When the checks are disabled, TLS
587              sessions will not be secure!
588
589       tls_priorities [priorities]
590              Set priorities for TLS session parameters. The default is set by
591              the  TLS  library and can be selected by using an empty argument
592              to this command. The interpretation  of  the  priorities  string
593              depends  on the TLS library. Use --version to find out which TLS
594              library you use.
595              For GnuTLS, see the section on Priority Strings in the manual.
596              For libtls, the priorites string is a  space-separated  list  of
597              parameter  strings prefixed with either PROTOCOLS=, CIPHERS=, or
598              ECDHECURVES=. These parameter strings  will  be  passed  to  the
599              functions   tls_config_parse_protocols,  tls_config_set_ciphers,
600              and tls_config_set_ecdhecurves. Unrecognized parts of the prior‐
601              ities   string  will  be  ignored.  Example:  "PROTOCOLS=TLSv1.3
602              CIPHERS=ECDHE-RSA-AES128-SHA256 ECDHECURVES=P-384".
603
604       tls_host_override [host]
605              By default, TLS host verification uses the host  name  given  by
606              the  host  command.   This command allows one to use a different
607              host name for verification.  This  is  only  useful  in  special
608              cases.
609
610       tls_min_dh_prime_bits [bits]
611              Deprecated,  use tls_priorities instead.  Set or unset the mini‐
612              mum number of Diffie-Hellman (DH) prime bits  accepted  for  TLS
613              sessions.  The  default  is  set  by  the TLS library and can be
614              selected by using an empty argument to this command. Only  lower
615              the  default  (for example to 512 bits) if there is no other way
616              to make TLS work with the remote server.
617
618       from envelope_from
619              Set the envelope-from address. The following  substitution  pat‐
620              terns are supported:
621              %U  will  be replaced by $USER, or if that fails by $LOGNAME, or
622              if that fails by the login name of the user running msmtp.
623              %H will be replaced by $HOSTNAME, or if that fails by  the  host
624              name of the system.
625              %C will be replaced by the canonical name of %H.
626              %M  will  be  replaced  by the contents of /etc/mailname (poten‐
627              tially a different directory is used depending on the build con‐
628              figuration;  see  the output of msmtp --version and look for the
629              location of the system configuration file).
630              Note that the obsolete auto_from command replaces this envelope-
631              from address.
632
633       dsn_notify (off|condition)
634              This  command  sets the condition(s) under which the mail system
635              should send DSN (Delivery  Status  Notification)  messages.  The
636              argument  off  disables  explicit  DSN requests, which means the
637              mail system decides when to  send  DSN  messages.  This  is  the
638              default.   The condition must be never, to never request notifi‐
639              cation, or a comma separated list (no spaces!) of one or more of
640              the  following: failure, to request notification on transmission
641              failure, delay, to be notified of message delays, success, to be
642              notified  of  successful transmission. The SMTP server must sup‐
643              port the DSN extension.
644
645       dsn_return (off|amount)
646              This command controls how much of a mail should be  returned  in
647              DSN  (Delivery  Status  Notification) messages. The argument off
648              disables explicit DSN requests,  which  means  the  mail  system
649              decides  how  much of a mail it returns in DSN messages. This is
650              the default.  The amount must be headers,  to  just  return  the
651              message  headers,  or  full,  to return the full mail.  The SMTP
652              server must support the DSN extension.
653
654       set_from_header [(auto|on|off)]
655              When to set a From header: auto adds a From header if  the  mail
656              does  not  have one (this is the default), on always sets a From
657              header and overrides any existing one, and off never sets a From
658              header.
659              If the mail server rejects the mail because its From header does
660              not match the envelope from address  (a  common  anti-spam  mea‐
661              sure), then you might want to set this option to on.
662              For  compatibility  with older versions, add_missing_from_header
663              [(on|off)] is still supported and corresponds to  the  auto  and
664              off settings.
665
666       set_date_header [(on|off)]
667              When  to  set a Date header: auto adds a Date header if the mail
668              does not have one (this is the default), and off  never  sets  a
669              Date header.
670              For  compatibility  with older versions, add_missing_date_header
671              [(on|off)] is still supported and corresponds to  the  auto  and
672              off settings.
673
674       remove_bcc_headers [(on|off)]
675              This command controls whether to remove Bcc headers. The default
676              is to remove them.
677
678       undisclosed_recipients [(on|off)]
679              When set, the original To, Cc, and Bcc headers of the  mail  are
680              removed  and  a  single new header line "To: undisclosed-recipi‐
681              ents:;" is added. The default setting is off.
682
683       logfile [file]
684              An empty argument disables logging (this is the default).
685              When logging is enabled by  choosing  a  log  file,  msmtp  will
686              append  one  line to the log file for each mail it tries to send
687              via the account that this log file was chosen for.
688              The line will include the following information: date  and  time
689              in the format specified by logfile_time_format, host name of the
690              SMTP server, whether TLS was used,  whether  authentication  was
691              used, authentication user name (only if authentication is used),
692              envelope-from address, recipient addresses, size of the mail  as
693              transferred to the server (only if the delivery succeeded), SMTP
694              status code and SMTP error message (only in case of failure  and
695              only  if  available), error message (only in case of failure and
696              only if available), exit code (from sysexits.h; EX_OK  indicates
697              success).
698              If  the filename is a dash (-), msmtp prints the log line to the
699              standard output.
700
701       logfile_time_format [fmt]
702              Set or unset the log file time format. This will be used as  the
703              format  string  for  the  strftime() function. An empty argument
704              chooses the default ("%b %d %H:%M:%S").
705
706       syslog [(on|off|facility)]
707              Enable or disable syslog logging. The facility  can  be  one  of
708              LOG_USER,  LOG_MAIL, LOG_LOCAL0, ..., LOG_LOCAL7. The default is
709              LOG_USER.
710              Each time msmtp tries to send a mail via the account  that  con‐
711              tains  this  syslog command, it will log one entry to the syslog
712              service with the chosen facility.
713              The line will include the following information:  host  name  of
714              the  SMTP  server,  whether TLS was used, whether authentication
715              was used, envelope-from address, recipient  addresses,  size  of
716              the mail as transferred to the server (only if the delivery suc‐
717              ceeded), SMTP status code and SMTP error message (only  in  case
718              of  failure  and only if available), error message (only in case
719              of failure and only if available), exit code  (from  sysexits.h;
720              EX_OK indicates success).
721
722       aliases [file]
723              Replace  local  recipients  with  addresses in the aliases file.
724              The aliases file is a cleartext file containing mappings between
725              a  local  address  and a list of replacement addresses. The map‐
726              pings are of the form:
727                  local: someone@example.com, person@domain.example
728              Multiple replacement addresses are separated with commas.   Com‐
729              ments start with `#' and continue to the end of the line.
730              The  local  address  default  has  special  significance  and is
731              matched if the local address is not found in the  aliases  file.
732              If  no default alias is found, then the local address is left as
733              is.
734              An empty argument to the aliases command disables  the  replace‐
735              ment of local addresses.  This is the default.
736
737       auto_from [(on|off)]
738              Obsolete;  you can achieve the same and more using the substitu‐
739              tion patterns of the from command.
740              Enable or disable automatic envelope-from addresses. The default
741              is  off.   When  enabled,  an  envelope-from address of the form
742              user@domain will be generated.  The local part will  be  set  to
743              USER  or,  if  that  fails, to LOGNAME or, if that fails, to the
744              login name of the current user.  The domain part can be set with
745              the  maildomain  command.  If the maildomain is empty, the enve‐
746              lope-from address will only consist of the  user  name  and  not
747              have  a  domain  part. When auto_from is disabled, the envelope-
748              from address must be set explicitly.
749
750       maildomain [domain]
751              Obsolete; you can achieve the same and more using the  substitu‐
752              tion patterns of the from command.
753              Set  a  domain  part  for  the  generation  of  an envelope-from
754              address. This is only used when auto_from is on. The domain  may
755              be empty.
756

EXAMPLES

758       Configuration file
759
760       # Example for a user configuration file ~/.msmtprc
761       #
762       #  This file focusses on TLS and authentication. Features not used here
763       include
764       # logging, timeouts, SOCKS proxies,  TLS  parameters,  Delivery  Status
765       Notification
766       # (DSN) settings, and more.
767
768       # Set default values for all following accounts.
769       defaults
770
771       # Use the mail submission port 587 instead of the SMTP port 25.
772       port 587
773
774       # Always use TLS.
775       tls on
776
777       #  Set a list of trusted CAs for TLS. The default is to use system set‐
778       tings, but
779       # you can select your own file.
780       #tls_trust_file /etc/ssl/certs/ca-certificates.crt
781
782       # A freemail service
783       account freemail
784
785       # Host name of the SMTP server
786       host smtp.freemail.example
787
788       # As an alternative to tls_trust_file, you can use tls_fingerprint
789       # to pin a single certificate. You have to update the fingerprint  when
790       the
791       #  server  certificate  changes,  but an attacker cannot trick you into
792       accepting
793       # a fraudulent certificate. Get the fingerprint with
794       #     $     msmtp      --serverinfo      --tls      --tls-certcheck=off
795       --host=smtp.freemail.example
796       #tls_fingerprint  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11
797       :22:33
798
799       # Envelope-from address
800       from joe_smith@freemail.example
801
802       # Authentication. The password is given using one of five methods,  see
803       below.
804       auth on
805       user joe.smith
806
807       #  Password  method  1: Add the password to the system keyring, and let
808       msmtp get
809       # it automatically. To set the keyring password  using  Gnome's  libse‐
810       cret:
811       # $ secret-tool store --label=msmtp \
812       #   host smtp.freemail.example \
813       #   service smtp \
814       #   user joe.smith
815
816       #  Password method 2: Store the password in an encrypted file, and tell
817       msmtp
818       # which command to use to decrypt it. This is usually used with  GnuPG,
819       as in
820       #  this  example.  Usually  gpg-agent  will ask once for the decryption
821       password.
822       passwordeval gpg2 --no-tty -q -d ~/.msmtp-password.gpg
823
824       # Password method 3: Store the password directly in this file.  Usually
825       it is not
826       #  a good idea to store passwords in cleartext files. If you do it any‐
827       way, at
828       # least make sure that this file can only be read by yourself.
829       #password secret123
830
831       # Password method 4: Store the password in  ~/.netrc.  This  method  is
832       probably not
833       # relevant anymore.
834
835       #  Password method 5: Do not specify a password. Msmtp will then prompt
836       you for
837       # it. This means you need to be able to type into a terminal when msmtp
838       runs.
839
840       # A second mail address at the same freemail service
841       account freemail2 : freemail
842       from joey@freemail.example
843
844       # The SMTP server of your ISP
845       account isp
846       host mail.isp.example
847       from smithjoe@isp.example
848       auth on
849       user 12345
850
851       # Set a default account
852       account default : freemail
853
854
855       Using msmtp with Mutt
856
857       Create  a  configuration  file for msmtp and add the following lines to
858       your Mutt configuration file:
859       set sendmail="/path/to/msmtp"
860       set use_from=yes
861       set realname="Your Name"
862       set from=you@example.com
863       set envelope_from=yes
864       The envelope_from=yes option lets Mutt use  the  -f  option  of  msmtp.
865       Therefore msmtp chooses the first account that matches the from address
866       you@example.com.
867       Alternatively, you can use the -a option:
868       set sendmail="/path/to/msmtp -a my-account"
869       Or set everything from the command line (but note that you cannot set a
870       password this way):
871       set  sendmail="/path/to/msmtp  --host=mailhub  -f  me@example.com --tls
872       --tls-trust-file=trust.crt"
873
874       If you have multiple mail accounts in your msmtp configuration file and
875       let  Mutt  use  the  -f  option to choose the right one, you can easily
876       switch accounts in Mutt with the following Mutt configuration lines:
877       macro generic "<esc>1" ":set from=you@example.com"
878       macro generic "<esc>2" ":set from=you@your-employer.example"
879       macro generic "<esc>3" ":set from=you@some-other-provider.example"
880
881
882       Using msmtp with mail
883
884       Define a default account, and put the following in your ~/.mailrc:
885       set sendmail="/path/to/msmtp"
886
887
888       Using msmtp with Tor
889
890       Use the following settings:
891       proxy_host 127.0.0.1
892       proxy_port 9050
893       tls on
894       Use an IP address as proxy host name, so that msmtp does not leak a DNS
895       query when resolving it.
896       TLS is required to prevent exit hosts from reading your SMTP session.
897       Do  not  set domain to something that you do not want to reveal (do not
898       set it at all if possible).
899
900
901       Aliases file
902
903       # Example aliases file
904
905       # Send root to Joe and Jane
906       root: joe_smith@example.com, jane_chang@example.com
907
908       # Send cron to Mark
909       cron: mark_jones@example.com
910
911       # Send everything else to admin
912       default: admin@domain.example
913
914

FILES

916       SYSCONFDIR/msmtprc
917              System configuration  file.  Use  --version  to  find  out  what
918              SYSCONFDIR is on your platform.
919
920       ~/.msmtprc or $XDG_CONFIG_HOME/msmtp/config
921              User configuration file.
922
923       ~/.netrc and SYSCONFDIR/netrc
924              The  netrc file contains login information. Before prompting for
925              a   password,   msmtp   will   search   it   in   ~/.netrc   and
926              SYSCONFDIR/netrc.
927

ENVIRONMENT

929       USER, LOGNAME
930              These variables override the user's login name when constructing
931              an envelope-from address. LOGNAME is only used if USER is unset.
932
933       TMPDIR Directory to create temporary files in. If this is unset, a sys‐
934              tem specific default directory is used.
935              A  temporary  file is only created when the -t/--read-recipients
936              or --read-envelope-from option is used. The file is then used to
937              buffer  the  headers  of the mail (but not the body, so the file
938              won't get very large).
939
940       EMAIL, SMTPSERVER
941              These environment variables are used only if neither --host  nor
942              --account is used and there is no default account defined in the
943              configuration files. In this case, the host name is  taken  from
944              SMTPSERVER,  and  the envelope from address is taken from EMAIL,
945              unless overridden by --from or  --read-envelope-from.  Currently
946              SMTPSERVER  must  contain  a plain host name (no URL), and EMAIL
947              must contain a plain address (no names  or  additional  informa‐
948              tion).
949

AUTHORS

951       msmtp was written by Martin Lambers <marlam@marlam.de>.
952       Other  authors  are  listed in the AUTHORS file in the source distribu‐
953       tion.
954

SEE ALSO

956       sendmail(8), netrc(5) or ftp(1)
957
958
959
960                                    2020-10                           MSMTP(1)
Impressum