1MSMTP(1) General Commands Manual MSMTP(1)
2
6 msmtp - An SMTP client
7
9 Sendmail mode (default):
10 msmtp [option...] [--] recipient...
11 msmtp [option...] -t [--] [recipient...]
12 Configuration mode:
14 msmtp --configure <mailaddress>
15 Server information mode:
17 msmtp [option...] --serverinfo
18 Remote Message Queue Starting mode:
20 msmtp [option...] --rmqs=host|@domain|#queue
21
23 In the default sendmail mode, msmtp reads a mail from standard input
24 and sends it to an SMTP server for delivery.
25 In server information mode, msmtp prints information about an SMTP
26 server.
27 In Remote Message Queue Starting mode, msmtp sends a Remote Message
28 Queue Starting request for a host, domain, or queue to an SMTP server.
29
31 The standard sendmail exit status codes are used, as defined in sysex‐
32 its.h.
33
35 Options override configuration file settings.
36 They are compatible with sendmail where appropriate.
37 General options
39 --version
41 Print version information, including information about
42 the libraries used.
43 --help Print help.
45 -P, --pretend
47 Print the configuration settings that would be used, but
48 do not take further action. An asterisk (`*') will be
49 printed instead of your password.
50 -v, -d, --debug
52 Print lots of debugging information, including the whole
53 conversation with the SMTP server. Be careful with this
54 option: the (potentially dangerous) output will not be
55 sanitized, and your password may get printed in an easily
56 decodable format!
57 Changing the mode of operation
59 --configure=mailaddress
61 Generate a configuration for the given mail address and
62 print it. This can be modified or copied unchanged to the
63 configuration file. Note that this only works for mail
64 domains that publish appropriate SRV records; see RFC
65 8314.
66 -S, --serverinfo
68 Print information about the SMTP server and exit. This
69 includes information about supported features (mail size
70 limit, authentication, TLS, DSN, ...) and about the TLS
71 certificate (if TLS is active).
72 --rmqs=(host|@domain|#queue)
74 Send a Remote Message Queue Starting request for the
75 given host, domain, or queue to the SMTP server and exit.
76 Configuration options
78 -C, --file=filename
80 Use the given file instead of ~/.msmtprc or $XDG_CON‐
81 FIG_HOME/msmtp/config as the user configuration file.
82 -a, --account=account_name
84 Use the given account instead of the account named "de‐
85 fault". The settings of this account may be changed with
86 command line options. This option cannot be used together
87 with the --host option.
88 --host=hostname
90 Use this SMTP server with settings from the command line;
91 do not use any configuration file data. This option can‐
92 not be used together with the --account option.
93 --port=number
95 Set the port number to connect to. See the port command.
96 --source-ip=[IP]
98 Set or unset an IP address to bind the socket to. See the
99 source_ip command.
100 --proxy-host=[IP|hostname]
102 Set or unset a SOCKS proxy to use. See the proxy_host
103 command.
104 --proxy-port=[number]
106 Set or unset a port number for the proxy host. See the
107 proxy_port command.
108 --socket=[socketname]
110 Set or unset a local unix domain socket name to connect
111 to. See the socket command.
112 --timeout=(off|seconds)
114 Set or unset a network timeout, in seconds. See the time‐
115 out command.
116 --protocol=(smtp|lmtp)
118 Set the protocol. See the protocol command.
119 --domain=[string]
121 Set the argument of the SMTP EHLO (or LMTP LHLO) command.
122 See the domain command.
123 --auth[=(on|off|method)]
125 Enable or disable authentication and optionally choose
126 the method. See the auth command.
127 --user=[username]
129 Set or unset the user name for authentication. See the
130 user command.
131 --passwordeval=[cmd]
133 Evaluate password for authentication. See the passworde‐
134 val command.
135 --tls[=(on|off)]
137 Enable or disable TLS/SSL. See the tls command.
138 --tls-starttls[=(on|off)]
140 Enable or disable STARTTLS for TLS. See the tls_starttls
141 command.
142 --tls-trust-file=[file]
144 Set or unset a trust file for TLS. See the tls_trust_file
145 command.
146 --tls-crl-file=[file]
148 Deprecated. Set or unset a certificate revocation list
149 (CRL) file for TLS. See the tls_crl_file command.
150 --tls-fingerprint=[fingerprint]
152 Set or unset the fingerprint of a trusted TLS certifi‐
153 cate. See the tls_fingerprint command.
154 --tls-key-file=[file]
156 Set or unset a key file for TLS. See the tls_key_file
157 command.
158 --tls-cert-file=[file]
160 Set or unset a cert file for TLS. See the tls_cert_file
161 command.
162 --tls-certcheck[=(on|off)]
164 Enable or disable server certificate checks for TLS. See
165 the tls_certcheck command.
166 --tls-priorities=[priorities]
168 Set or unset TLS priorities. See the tls_priorities com‐
169 mand.
170 --tls-host-override=[host]
172 Set or unset override for TLS host verification. See the
173 tls_host_override command.
174 --tls-min-dh-prime-bits=[bits]
176 Deprecated, use --tls-priorities instead. Set or unset
177 minimum bit size of the Diffie-Hellman (DH) prime. See
178 the tls_min_dh_prime_bits command.
179 Options specific to sendmail mode
181 -f, --from=address
183 Set the envelope-from address.
184 If no account was chosen yet (with --account or --host),
185 this option will choose the first account that has the
186 given envelope-from address (set with the from command).
187 If no such account is found, "default" is used.
188 See the from and allow_from_override commands.
189 -N, --dsn-notify=(off|cond)
191 Set or unset DSN notification conditions. See the dsn_no‐
192 tify command.
193 -R, --dsn-return=(off|ret)
195 Set or unset the DSN notification amount. See the dsn_re‐
196 turn command. Note that hdrs is accepted as an alias for
197 headers to be compatible with sendmail.
198 --set-from-header[=(auto|on|off)]
200 Set From header handling. See the set_from_header com‐
201 mand.
202 --set-date-header[=(auto|off)]
204 Set Date header handling. See the set_date_header com‐
205 mand.
206 --set-msgid-header[=(auto|off)]
208 Set Message-ID header handling. See the set_msgid_header
209 command.
210 --remove-bcc-headers[=(on|off)]
212 Enable or disable the removal of Bcc headers. See the re‐
213 move_bcc_headers command.
214 --undisclosed-recipients[=(on|off)]
216 Enable or disable the replacement of To/Cc/Bcc with "To:
217 undisclosed-recipients:;". See the undisclosed_recipi‐
218 ents command.
219 -X, --logfile=[file]
221 Set or unset the log file. See the logfile command.
222 --logfile-time-format=[fmt]
224 Set or unset the log file time format. See the log‐
225 file_time_format command.
226 --syslog[=(on|off|facility)]
228 Enable or disable syslog logging. See the syslog command.
229 -t, --read-recipients
231 Read recipient addresses from the To, Cc, and Bcc headers
232 of the mail in addition to the recipients given on the
233 command line. If any Resent- headers are present, then
234 the addresses from any Resent-To, Resent-Cc, and Resent-
235 Bcc headers in the first block of Resent- headers are
236 used instead.
237 --read-envelope-from
239 Read the envelope from address from the From header of
240 the mail.
241 --aliases=[file]
243 Set or unset an aliases file. See the aliases command.
244 -Fname Msmtp adds a From header to mails that lack it, using the
246 envelope from address. This option allows one to set a
247 full name to be used in that header.
248 --auto-from[=(on|off)]
250 Obsolete. See the auto_from command.
251 --maildomain=[domain]
253 Obsolete. See the maildomain command.
254 -- This marks the end of options. All following arguments
256 will be treated as recipient addresses, even if they
257 start with a `-'.
258 The following options are accepted but ignored for sendmail compatibil‐
260 ity:
261 -Btype, -bm, -G, -hN, -i, -L tag, -m, -n, -O option=value, -ox value
262
264 A suggestion for a suitable configuration file can be generated using
265 the --configure option. Normally, a system wide configuration file
266 and/or a user configuration file contain information about which SMTP
267 server to use and how to use it, but all settings can also be config‐
268 ured on the command line.
269 The information about SMTP servers is organized in accounts. Each ac‐
270 count describes one SMTP server: host name, authentication settings,
271 TLS settings, and so on. Each configuration file can define multiple
272 accounts.
273 The user can choose which account to use in one of three ways:
275 --account=id
277 Use the given account. Command line settings override configura‐
278 tion file settings.
279 --host=hostname
281 Use only the settings from the command line; do not use any con‐
282 figuration file data.
283 --from=address or --read-envelope-from
285 Choose the first account from the system or user configuration
286 file that has a matching envelope-from address as specified by a
287 from command. This works only when neither --account nor --host
288 is used.
289 Subadresses are supported. For example, the envelope from ad‐
290 dress user+detail@example.com will match the account for
291 user@example.com.
292 Furthermore, the envelope-from address of the account may be a
293 wildcard pattern. See the from command.
294 If none of the above options is used (or if no account has a matching
296 from command), then the account "default" is used.
297 Msmtp transmits mails unaltered to the SMTP server, with the following
299 exceptions:
300 - The Bcc header(s) will be removed. This behavior can be changed with
301 the remove_bcc_headers command and --remove-bcc-headers option.
302 - A From header will be added if the mail does not have one. This can
303 be changed with the set_from_header command and --set-from-header op‐
304 tion. The header will use the envelope from address and optionally a
305 full name set with the -F option.
306 - A Date header will be added if the mail does not have one. This can
307 be changed with the set_date_header command and --set-date-header op‐
308 tion.
309 - A Message-ID header will be added if the mail does not have one. This
310 can be changed with the set_msg_header command and --set-msgid-header
311 option.
312 - When undisclosed_recipients is set, the original To, Cc, and Bcc
313 headers are removed and replaced with "To: undisclosed-recipients:;".
314 Skip to the EXAMPLES section for a quick start.
316
318 If it exists and is readable, a system wide configuration file
319 SYSCONFDIR/msmtprc will be loaded, where SYSCONFDIR depends on your
320 platform. Use --version to find out which directory is used.
321 If it exists and is readable, a user configuration file will be loaded
322 (~/.msmtprc will be tried first followed by $XDG_CONFIG_HOME/msmtp/con‐
323 fig by default, but see --version). Accounts defined in the user con‐
324 figuration file override accounts from the system configuration file.
325 Configuration data from either file can be changed by command line op‐
326 tions.
327 A configuration file is a simple text file. Empty lines and comment
329 lines (whose first non-blank character is `#') are ignored.
330 Every other line must contain a command and may contain an argument to
331 that command.
332 The argument may be enclosed in double quotes ("), for example if its
333 first or last character is a blank.
334 If a file name starts with the tilde (~), this tilde will be replaced
335 by $HOME. If a command accepts the argument on, it also accepts an
336 empty argument and treats that as if it was on.
337 Commands are organized in accounts. Each account starts with the ac‐
338 count command and defines the settings for one SMTP account.
339 Skip to the EXAMPLES section for a quick start.
341 Commands are as follows:
343 defaults
345 Set defaults. The following configuration commands will set de‐
346 fault values for all following account definitions in the cur‐
347 rent configuration file.
348 account name [:account[,...]]
350 Start a new account definition with the given name. The current
351 default values are filled in.
352 If a colon and a list of previously defined accounts is given
353 after the account name, the new account, with the filled in de‐
354 fault values, will inherit all settings from the accounts in the
355 list.
356 eval cmd
358 Replace the current configuration file line with the first line
359 of the output (stdout) of the command cmd. This can be used to
360 decrypt settings or to create them via scripts. For example,
361 eval echo host localhost replaces the current line with host lo‐
362 calhost.
363 The cmd command must not mess with standard input; if in doubt,
364 append < /dev/null.
365 Note that for passwords you can also use the passwordeval com‐
366 mand instead of eval password cmd. This has the advantage that
367 the command is only evaluated if needed.
368 host hostname
370 The SMTP server to send the mail to. The argument may be a host
371 name or a network address. Every account definition must con‐
372 tain this command.
373 port number
375 The port that the SMTP server listens on. The default is 25
376 ("smtp"), unless TLS without STARTTLS is used, in which case it
377 is 465 ("smtps").
378 source_ip [IP]
380 Set a source IP address to bind the outgoing connection to. Use‐
381 ful only in special cases on multi-home systems. An empty argu‐
382 ment disables this.
383 proxy_host [IP|hostname]
385 Use a SOCKS proxy. All network traffic will go through this
386 proxy host, including DNS queries, except for a DNS query that
387 might be necessary to resolve the proxy host name itself (this
388 can be avoided by using an IP address as proxy host name). An
389 empty hostname argument disables proxy usage. The supported
390 SOCKS protocol version is 5. If you want to use this with Tor,
391 see also "Using msmtp with Tor" below.
392 proxy_port [number]
394 Set the port number for the proxy host. An empty number argument
395 resets this to the default port.
396 socket socketname
398 Set the file name of a unix domain socket to connect to. This
399 overrides both host/port and proxy_host/proxy_port.
400 timeout (off|seconds)
402 Set or unset a network timeout, in seconds. The argument off
403 means that no timeout will be set, which means that the operat‐
404 ing system default will be used.
405 protocol (smtp|lmtp)
407 Set the protocol to use. Currently only SMTP and LMTP are sup‐
408 ported. SMTP is the default. See the port command above for de‐
409 fault ports.
410 domain argument
412 Use this command to set the argument of the SMTP EHLO (or LMTP
413 LHLO) command. The default is localhost, which is stupid but
414 usually works. Try to change the default if mails get rejected
415 due to anti-SPAM measures. Possible choices are the domain part
416 of your mail address (provider.example for joe@provider.example)
417 or the fully qualified domain name of your host (if available).
418 The following substitution patterns are supported:
419 %H will be replaced by $HOSTNAME, or if that fails by the host
420 name of the system.
421 %C will be replaced by the canonical name of %H.
422 %M will be replaced by the contents of /etc/mailname (poten‐
423 tially a different directory is used depending on the build con‐
424 figuration; see the output of msmtp --version and look for the
425 location of the system configuration file).
426 auth [(on|off|method)]
428 Enable or disable authentication and optionally choose a method
429 to use. The argument on chooses a method automatically.
430 Usually a user name and a password are used for authentication.
431 The user name is specified in the configuration file with the
432 user command. There are five different methods to specify the
433 password:
434 1. Add the password to the system key ring. Currently supported
435 key rings are the Gnome key ring and the Mac OS X Keychain. For
436 the Gnome key ring, use the command secret-tool (part of Gnome's
437 libsecret) to store passwords: secret-tool store --label=msmtp
438 host mail.freemail.example service smtp user joe.smith. On Mac
439 OS X, use the following command: security add-internet-password
440 -s mail.freemail.example -r smtp -a joe.smith -w. In both exam‐
441 ples, replace mail.freemail.example with the SMTP server name,
442 and joe.smith with your user name.
443 2. Store the password in an encrypted files, and use passworde‐
444 val to specify a command to decrypt that file, e.g. using GnuPG.
445 See EXAMPLES.
446 3. Store the password in the configuration file using the pass‐
447 word command. (Usually it is not considered a good idea to
448 store passwords in cleartext files. If you do it anyway, you
449 must make sure that the file can only be read by yourself.)
450 4. Store the password in ~/.netrc. This method is probably obso‐
451 lete.
452 5. Type the password into the terminal when it is required.
453 It is recommended to use method 1 or 2.
454 Multiple authentication methods exist. Most servers support only
455 some of them. Historically, sophisticated methods were devel‐
456 oped to protect passwords from being sent unencrypted to the
457 server, but nowadays everybody needs TLS anyway, so the simple
458 methods suffice since the whole session is protected. A suitable
459 authentication method is chosen automatically, and when TLS is
460 disabled for some reason, only methods that avoid sending clear‐
461 text passwords are considered.
462 The following user / password methods are supported: plain (a
463 simple cleartext method, with base64 encoding, supported by al‐
464 most all servers), scram-sha-1 (a method that avoids cleartext
465 passwords), scram-sha-256 (same but with stronger hash),
466 cram-md5 (an obsolete method that avoids cleartext passwords,
467 but is not considered secure anymore), digest-md5 (an overcom‐
468 plicated obsolete method that avoids cleartext passwords, but is
469 not considered secure anymore), login (a non-standard cleartext
470 method similar to but worse than the plain method), ntlm (an ob‐
471 scure non-standard method that is now considered broken; it
472 sometimes requires a special domain parameter passed via ntlmdo‐
473 main).
474 There are currently three authentication methods that are not
475 based on user / password information and have to be chosen manu‐
476 ally: oauthbearer or its predecessor xoauth2 (an OAuth2 token
477 from the mail provider is used as the password. See the docu‐
478 mentation of your mail provider for details on how to get this
479 token. The passwordeval command can be used to pass the regu‐
480 larly changing tokens into msmtp from a script or an environment
481 variable), external (the authentication happens outside of the
482 protocol, typically by sending a TLS client certificate, and the
483 method merely confirms that this authentication succeeded), and
484 gssapi (the Kerberos framework takes care of secure authentica‐
485 tion, only a user name is required).
486 It depends on the underlying authentication library and its ver‐
487 sion whether a particular method is supported or not. Use --ver‐
488 sion to find out which methods are supported.
489 user login
491 Set the user name for authentication. An empty argument unsets
492 the user name.
493 password secret
495 Set the password for authentication. An empty argument unsets
496 the password. Consider using the passwordeval command or a key
497 ring instead of this command, to avoid storing cleartext pass‐
498 words in the configuration file.
499 passwordeval [cmd]
501 Set the password for authentication to the output (stdout) of
502 the command cmd. This can be used e.g. to decrypt password
503 files on the fly or to query key rings, and thus to avoid stor‐
504 ing cleartext passwords.
505 The cmd command must not mess with standard input; if in doubt,
506 append < /dev/null.
507 ntlmdomain [domain]
509 Set a domain for the ntlm authentication method. This is obso‐
510 lete.
511 tls [(on|off)]
513 Enable or disable TLS (also known as SSL) for secured connec‐
514 tions.
515 Transport Layer Security (TLS) "... provides communications pri‐
516 vacy over the Internet. The protocol allows client/server ap‐
517 plications to communicate in a way that is designed to prevent
518 eavesdropping, tampering, or message forgery" (quote from
519 RFC2246).
520 A server can use TLS in one of two modes: via a STARTTLS command
521 (the session starts with the normal protocol initialization, and
522 TLS is then started using the protocol's STARTTLS command), or
523 immediately (TLS is initialized before the normal protocol ini‐
524 tialization; this requires a separate port). The first mode is
525 the default, but you can switch to the second mode by disabling
526 tls_starttls.
527 When TLS is started, the server sends a certificate to identify
528 itself. To verify the server identity, a client program is ex‐
529 pected to check that the certificate is formally correct and
530 that it was issued by a Certificate Authority (CA) that the user
531 trusts. (There can also be certificate chains with intermediate
532 CAs.)
533 The list of trusted CAs is specified using the tls_trust_file
534 command. The default value ist "system" and chooses the system-
535 wide default, but you can also choose the trusted CAs yourself.
536 A fundamental problem with this is that you need to trust CAs.
537 Like any other organization, a CA can be incompetent, malicious,
538 subverted by bad people, or forced by government agencies to
539 compromise end users without telling them. All of these things
540 happened and continue to happen worldwide. The idea to have
541 central organizations that have to be trusted for your communi‐
542 cation to be secure is fundamentally broken.
543 Instead of putting trust in a CA, you can choose to trust only a
544 single certificate for the server you want to connect to. For
545 that purpose, specify the certificate fingerprint with tls_fin‐
546 gerprint. This makes sure that no man-in-the-middle can fake the
547 identity of the server by presenting you a fraudulent certifi‐
548 cate issued by some CA that happens to be in your trust list.
549 However, you have to update the fingerprint whenever the server
550 certificate changes, and you have to make sure that the change
551 is legitimate each time, e.g. when the old certificate expired.
552 This is inconvenient, but it's the price to pay.
553 Information about a server certificate can be obtained with
554 --serverinfo --tls --tls-certcheck=off. This includes the issuer
555 CA of the certificate (so you can trust that CA via
556 tls_trust_file), and the fingerprint of the certificate (so you
557 can trust that particular certificate via tls_fingerprint).
558 TLS also allows the server to verify the identity of the client.
559 For this purpose, the client has to present a certificate issued
560 by a CA that the server trusts. To present that certificate, the
561 client also needs the matching key file. You can set the cer‐
562 tificate and key files using tls_cert_file and tls_key_file.
563 This mechanism can also be used to authenticate users, so that
564 traditional user / password authentication is not necessary any‐
565 more. See the external mechanism in auth.
566 You can also use client certificates stored on some external au‐
567 thentication device by specifying GnuTLS device URIs in
568 tls_cert_file and tls_key_file. You can find the correct URIs
569 using p11tool --list-privkeys --login (p11tool is bundled with
570 GnuTLS). If your device requires a PIN to access the data, you
571 can specify that using one of the password mechanisms (e.g.
572 passwordeval, password).
573 tls_starttls [(on|off)]
575 Choose the TLS variant: start TLS from within the session (on,
576 default), or tunnel the session through TLS (off).
577 tls_trust_file file
579 Activate server certificate verification using a list of trusted
580 Certification Authorities (CAs). The default is the special
581 value "system", which selects the system default. An empty argu‐
582 ment disables trust in CAs. If you select a file, it must be in
583 PEM format, and you should also use tls_crl_file.
584 tls_crl_file [file]
586 Deprecated. This sets a certificate revocation list (CRL) file
587 for TLS, to check for revoked certificates (an empty argument,
588 which is the default, disables this). Nowadays automatic OCSP
589 checks replace CRL file checks.
590 tls_fingerprint [fingerprint]
592 Set the fingerprint of a single certificate to accept for TLS.
593 This certificate will be trusted regardless of its contents
594 (this overrides tls_trust_file). The fingerprint should be of
595 type SHA256, but can for backwards compatibility also be of type
596 SHA1 or MD5 (please avoid this). The format should be
597 01:23:45:67:.... Use --serverinfo --tls --tls-certcheck=off
598 --tls-fingerprint= to get the server certificate fingerprint.
599 tls_key_file file
601 Send a client certificate to the server (use this together with
602 tls_cert_file}). The file must contain the private key of a
603 certificate in PEM format. An empty argument disables this fea‐
604 ture.
605 tls_cert_file file
607 Send a client certificate to the server (use this together with
608 tls_key_file). The file must contain a certificate in PEM for‐
609 mat. An empty argument disables this feature.
610 tls_certcheck [(on|off)]
612 Enable or disable checks of the server certificate. They are en‐
613 abled by default. Disabling them will override tls_trust_file
614 and tls_fingerprint. WARNING: When the checks are disabled, TLS
615 sessions will not be secure!
616 tls_priorities [priorities]
618 Set priorities for TLS session parameters. The default is set by
619 the TLS library and can be selected by using an empty argument
620 to this command. The interpretation of the priorities string de‐
621 pends on the TLS library. Use --version to find out which TLS
622 library you use.
623 For GnuTLS, see the section on Priority Strings in the manual.
624 For libtls, the priorites string is a space-separated list of
625 parameter strings prefixed with either PROTOCOLS=, CIPHERS=, or
626 ECDHECURVES=. These parameter strings will be passed to the
627 functions tls_config_parse_protocols, tls_config_set_ciphers,
628 and tls_config_set_ecdhecurves. Unrecognized parts of the prior‐
629 ities string will be ignored. Example: "PROTOCOLS=TLSv1.3 CI‐
630 PHERS=ECDHE-RSA-AES128-SHA256 ECDHECURVES=P-384".
631 tls_host_override [host]
633 By default, TLS host verification uses the host name given by
634 the host command. This command allows one to use a different
635 host name for verification. This is only useful in special
636 cases.
637 tls_min_dh_prime_bits [bits]
639 Deprecated, use tls_priorities instead. Set or unset the mini‐
640 mum number of Diffie-Hellman (DH) prime bits accepted for TLS
641 sessions. The default is set by the TLS library and can be se‐
642 lected by using an empty argument to this command. Only lower
643 the default (for example to 512 bits) if there is no other way
644 to make TLS work with the remote server.
645 from envelope_from
647 Set the envelope-from address. The following substitution pat‐
648 terns are supported:
649 %U will be replaced by $USER, or if that fails by $LOGNAME, or
650 if that fails by the login name of the user running msmtp.
651 %H will be replaced by $HOSTNAME, or if that fails by the host
652 name of the system.
653 %C will be replaced by the canonical name of %H.
654 %M will be replaced by the contents of /etc/mailname (poten‐
655 tially a different directory is used depending on the build con‐
656 figuration; see the output of msmtp --version and look for the
657 location of the system configuration file).
658 Note that the obsolete auto_from command replaces this envelope-
659 from address.
660 To enforce the use of this envelope-from address and ignore the
661 -f / --from option, see the allow_from_override command.
662 Furthermore, the envelope-from address may be a wildcard pattern
663 as used for file name matching in the shell. This is the case if
664 it contains one of the characters ?, * or [. This allows a va‐
665 riety of envelope-from addresses given with the --from option to
666 match a single account.
667 allow_from_override (on|off)
669 By default, the --from option overrides the from command. Set
670 to off to disable this.
671 dsn_notify (off|condition)
673 This command sets the condition(s) under which the mail system
674 should send DSN (Delivery Status Notification) messages. The ar‐
675 gument off disables explicit DSN requests, which means the mail
676 system decides when to send DSN messages. This is the default.
677 The condition must be never, to never request notification, or a
678 comma separated list (no spaces!) of one or more of the follow‐
679 ing: failure, to request notification on transmission failure,
680 delay, to be notified of message delays, success, to be notified
681 of successful transmission. The SMTP server must support the DSN
682 extension.
683 dsn_return (off|amount)
685 This command controls how much of a mail should be returned in
686 DSN (Delivery Status Notification) messages. The argument off
687 disables explicit DSN requests, which means the mail system de‐
688 cides how much of a mail it returns in DSN messages. This is the
689 default. The amount must be headers, to just return the message
690 headers, or full, to return the full mail. The SMTP server must
691 support the DSN extension.
692 set_from_header [(auto|on|off)]
694 When to set a From header: auto adds a From header if the mail
695 does not have one (this is the default), on always sets a From
696 header and overrides any existing one, and off never sets a From
697 header.
698 If the mail server rejects the mail because its From header does
699 not match the envelope-from address (a common anti-spam mea‐
700 sure), then you might want to set this option to on.
701 The From header is created based on the envelope-from address.
702 Disable allow_from_override to prevent programs from setting
703 their own envelope-from address.
704 For compatibility with older versions, add_missing_from_header
705 [(on|off)] is still supported and corresponds to the auto and
706 off settings.
707 set_date_header [(auto|off)]
709 When to set a Date header: auto adds a Date header if the mail
710 does not have one (this is the default), and off never sets a
711 Date header.
712 For compatibility with older versions, add_missing_date_header
713 [(on|off)] is still supported and corresponds to the auto and
714 off settings.
715 set_msgid_header [(auto|off)]
717 When to set a Message-ID header: auto adds a Message-ID header
718 if the mail does not have one (this is the default), and off
719 never sets a Message-ID header.
720 remove_bcc_headers [(on|off)]
722 This command controls whether to remove Bcc headers. The default
723 is to remove them.
724 undisclosed_recipients [(on|off)]
726 When set, the original To, Cc, and Bcc headers of the mail are
727 removed and a single new header line "To: undisclosed-recipi‐
728 ents:;" is added. The default setting is off.
729 logfile [file]
731 An empty argument disables logging (this is the default).
732 When logging is enabled by choosing a log file, msmtp will ap‐
733 pend one line to the log file for each mail it tries to send via
734 the account that this log file was chosen for.
735 The line will include the following information: date and time
736 in the format specified by logfile_time_format, host name of the
737 SMTP server, whether TLS was used, whether authentication was
738 used, authentication user name (only if authentication is used),
739 envelope-from address, recipient addresses, size of the mail as
740 transferred to the server (only if the delivery succeeded), SMTP
741 status code and SMTP error message (only in case of failure and
742 only if available), error message (only in case of failure and
743 only if available), exit code (from sysexits.h; EX_OK indicates
744 success).
745 If the filename is a dash (-), msmtp prints the log line to the
746 standard output.
747 logfile_time_format [fmt]
749 Set or unset the log file time format. This will be used as the
750 format string for the strftime() function. An empty argument
751 chooses the default ("%b %d %H:%M:%S").
752 syslog [(on|off|facility)]
754 Enable or disable syslog logging. The facility can be one of
755 LOG_USER, LOG_MAIL, LOG_LOCAL0, ..., LOG_LOCAL7. The default is
756 LOG_USER.
757 Each time msmtp tries to send a mail via the account that con‐
758 tains this syslog command, it will log one entry to the syslog
759 service with the chosen facility.
760 The line will include the following information: host name of
761 the SMTP server, whether TLS was used, whether authentication
762 was used, envelope-from address, recipient addresses, size of
763 the mail as transferred to the server (only if the delivery suc‐
764 ceeded), SMTP status code and SMTP error message (only in case
765 of failure and only if available), error message (only in case
766 of failure and only if available), exit code (from sysexits.h;
767 EX_OK indicates success).
768 aliases [file]
770 Replace local recipients with addresses in the aliases file.
771 The aliases file is a cleartext file containing mappings between
772 a local address and a list of replacement addresses. The map‐
773 pings are of the form:
774 local: someone@example.com, person@domain.example
775 Multiple replacement addresses are separated with commas. Com‐
776 ments start with `#' and continue to the end of the line.
777 The local address default has special significance and is
778 matched if the local address is not found in the aliases file.
779 If no default alias is found, then the local address is left as
780 is.
781 An empty argument to the aliases command disables the replace‐
782 ment of local addresses. This is the default.
783 auto_from [(on|off)]
785 Obsolete; you can achieve the same and more using the substitu‐
786 tion patterns of the from command.
787 Enable or disable automatic envelope-from addresses. The default
788 is off. When enabled, an envelope-from address of the form
789 user@domain will be generated. The local part will be set to
790 USER or, if that fails, to LOGNAME or, if that fails, to the lo‐
791 gin name of the current user. The domain part can be set with
792 the maildomain command. If the maildomain is empty, the enve‐
793 lope-from address will only consist of the user name and not
794 have a domain part. When auto_from is disabled, the envelope-
795 from address must be set explicitly.
796 maildomain [domain]
798 Obsolete; you can achieve the same and more using the substitu‐
799 tion patterns of the from command.
800 Set a domain part for the generation of an envelope-from ad‐
801 dress. This is only used when auto_from is on. The domain may be
802 empty.
803
805 Configuration file
806 # Example for a user configuration file ~/.msmtprc
808 #
809 # This file focusses on TLS and authentication. Features not used here
810 include
811 # logging, timeouts, SOCKS proxies, TLS parameters, Delivery Status No‐
812 tification
813 # (DSN) settings, and more.
814 # Set default values for all following accounts.
816 defaults
817 # Use the mail submission port 587 instead of the SMTP port 25.
819 port 587
820 # Always use TLS.
822 tls on
823 # Set a list of trusted CAs for TLS. The default is to use system set‐
825 tings, but
826 # you can select your own file.
827 #tls_trust_file /etc/ssl/certs/ca-certificates.crt
828 # A freemail service
830 account freemail
831 # Host name of the SMTP server
833 host smtp.freemail.example
834 # As an alternative to tls_trust_file, you can use tls_fingerprint
836 # to pin a single certificate. You have to update the fingerprint when
837 the
838 # server certificate changes, but an attacker cannot trick you into ac‐
839 cepting
840 # a fraudulent certificate. Get the fingerprint with
841 # $ msmtp --serverinfo --tls --tls-certcheck=off
842 --host=smtp.freemail.example
843 #tls_fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11
844 :22:33
845 # Envelope-from address
847 from joe_smith@freemail.example
848 # Authentication. The password is given using one of five methods, see
850 below.
851 auth on
852 user joe.smith
853 # Password method 1: Add the password to the system keyring, and let
855 msmtp get
856 # it automatically. To set the keyring password using Gnome's libse‐
857 cret:
858 # $ secret-tool store --label=msmtp \
859 # host smtp.freemail.example \
860 # service smtp \
861 # user joe.smith
862 # Password method 2: Store the password in an encrypted file, and tell
864 msmtp
865 # which command to use to decrypt it. This is usually used with GnuPG,
866 as in
867 # this example. Usually gpg-agent will ask once for the decryption
868 password.
869 passwordeval gpg2 --no-tty -q -d ~/.msmtp-password.gpg
870 # Password method 3: Store the password directly in this file. Usually
872 it is not
873 # a good idea to store passwords in cleartext files. If you do it any‐
874 way, at
875 # least make sure that this file can only be read by yourself.
876 #password secret123
877 # Password method 4: Store the password in ~/.netrc. This method is
879 probably not
880 # relevant anymore.
881 # Password method 5: Do not specify a password. Msmtp will then prompt
883 you for
884 # it. This means you need to be able to type into a terminal when msmtp
885 runs.
886 # A second mail address at the same freemail service
888 account freemail2 : freemail
889 from joey@freemail.example
890 # The SMTP server of your ISP
892 account isp
893 host mail.isp.example
894 from smithjoe@isp.example
895 auth on
896 user 12345
897 # Set a default account
899 account default : freemail
900 Using msmtp with Mutt
903 Create a configuration file for msmtp and add the following lines to
905 your Mutt configuration file:
906 set sendmail="/path/to/msmtp"
907 set use_from=yes
908 set realname="Your Name"
909 set from=you@example.com
910 set envelope_from=yes
911 The envelope_from=yes option lets Mutt use the -f option of msmtp.
912 Therefore msmtp chooses the first account that matches the from address
913 you@example.com.
914 Alternatively, you can use the -a option:
915 set sendmail="/path/to/msmtp -a my-account"
916 Or set everything from the command line (but note that you cannot set a
917 password this way):
918 set sendmail="/path/to/msmtp --host=mailhub -f me@example.com --tls
919 --tls-trust-file=trust.crt"
920 If you have multiple mail accounts in your msmtp configuration file and
922 let Mutt use the -f option to choose the right one, you can easily
923 switch accounts in Mutt with the following Mutt configuration lines:
924 macro generic "<esc>1" ":set from=you@example.com"
925 macro generic "<esc>2" ":set from=you@your-employer.example"
926 macro generic "<esc>3" ":set from=you@some-other-provider.example"
927 Using msmtp with mail
930 Define a default account, and put the following in your ~/.mailrc:
932 set sendmail="/path/to/msmtp"
933 Using msmtp with Tor
936 Use the following settings:
938 proxy_host 127.0.0.1
939 proxy_port 9050
940 tls on
941 Use an IP address as proxy host name, so that msmtp does not leak a DNS
942 query when resolving it.
943 TLS is required to prevent exit hosts from reading your SMTP session.
944 Do not set domain to something that you do not want to reveal (do not
945 set it at all if possible).
946 Aliases file
949 # Example aliases file
951 # Send root to Joe and Jane
953 root: joe_smith@example.com, jane_chang@example.com
954 # Send cron to Mark
956 cron: mark_jones@example.com
957 # Send everything else to admin
959 default: admin@domain.example
960
963 SYSCONFDIR/msmtprc
964 System configuration file. Use --version to find out what
965 SYSCONFDIR is on your platform.
966 ~/.msmtprc or $XDG_CONFIG_HOME/msmtp/config
968 User configuration file.
969 ~/.netrc and SYSCONFDIR/netrc
971 The netrc file contains login information. Before prompting for
972 a password, msmtp will search it in ~/.netrc and
973 SYSCONFDIR/netrc.
974
976 USER, LOGNAME
977 These variables override the user's login name when constructing
978 an envelope-from address. LOGNAME is only used if USER is unset.
979 TMPDIR Directory to create temporary files in. If this is unset, a sys‐
981 tem specific default directory is used.
982 A temporary file is only created when the -t/--read-recipients
983 or --read-envelope-from option is used. The file is then used to
984 buffer the headers of the mail (but not the body, so the file
985 won't get very large).
986 EMAIL, SMTPSERVER
988 These environment variables are used only if neither --host nor
989 --account is used and there is no default account defined in the
990 configuration files. In this case, the host name is taken from
991 SMTPSERVER, and the envelope from address is taken from EMAIL,
992 unless overridden by --from or --read-envelope-from. Currently
993 SMTPSERVER must contain a plain host name (no URL), and EMAIL
994 must contain a plain address (no names or additional informa‐
995 tion).
996
998 msmtp was written by Martin Lambers <marlam@marlam.de>.
999 Other authors are listed in the AUTHORS file in the source distribu‐
1000 tion.
1001
1003 sendmail(8), netrc(5) or ftp(1)
1004 2022-06 MSMTP(1)