Debian - Relay e-mails to an account (msmtp, MailX, Sendmail)

Assuming you want a server-focused msmtp setup on Debian 13 (system-wide, non‑interactive, secure, for relaying from services/cron/git), here’s a concise, complete guide.

1 — Install msmtp

Commands to install msmtp

sudo apt update
sudo apt install -y msmtp msmtp-mta

2 — System-wide config (/etc/msmtprc)

Create /etc/msmtprc with root ownership and strict permissions:

sudo tee /etc/msmtprc > /dev/null <<'EOF'
# /etc/msmtprc — system-wide msmtp config
defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log
timeout        30

# Default account (adjust for your SMTP provider)
account        default
host           smtp.example.com
port           587
from           noreply@example.com
user           smtp-user@example.com
# Use passwordeval to avoid plaintext in this file:
passwordeval   /usr/local/bin/msmtp-get-pass.sh

# The account above is already named "default", so no separate alias line
# is needed (defining the same account a second time is an error).
EOF
sudo chown root:root /etc/msmtprc
sudo chmod 600 /etc/msmtprc

For external SMTP (implicit TLS, port 465) create or replace /etc/msmtprc with this (adjust host, user, from). Save as root and set permissions to 600.

sudo tee /etc/msmtprc > /dev/null <<'EOF'
# /etc/msmtprc — implicit TLS (port 465) example
defaults
auth           on
tls            on
tls_starttls   off
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log
timeout        30

account external
host    smtp.example.com
port    465
from    noreply@example.com
user    smtp-user@example.com
# Prefer passwordeval to avoid plaintext passwords:
passwordeval /usr/local/bin/msmtp-get-pass.sh

account default : external
EOF
sudo chown root:root /etc/msmtprc
sudo chmod 600 /etc/msmtprc

3 — Secure credential helper

Create a script that securely reads credentials (example reads from /root/.msmtp.pass with strict perms):

sudo tee /usr/local/bin/msmtp-get-pass.sh > /dev/null <<'EOF'
#!/bin/sh
cat /root/.msmtp.pass
EOF
sudo chmod 700 /usr/local/bin/msmtp-get-pass.sh

Place the SMTP password in /root/.msmtp.pass:

sudo tee /root/.msmtp.pass > /dev/null <<'EOF'
your_smtp_password_here
EOF
sudo chown root:root /root/.msmtp.pass
sudo chmod 600 /root/.msmtp.pass

Alternative: integrate with a secrets manager or HashiCorp Vault; adjust script accordingly.

4 — Logging

Create logfile and logrotate:

sudo touch /var/log/msmtp.log
sudo chown root:adm /var/log/msmtp.log
sudo chmod 640 /var/log/msmtp.log
# Rotate logs by creating /etc/logrotate.d/msmtp
sudo tee /etc/logrotate.d/msmtp > /dev/null <<'EOF'
/var/log/msmtp.log {
    daily
    rotate 14
    compress
    missingok
    notifempty
    create 0640 root adm
}
EOF

5 — Sendmail wrapper (system MTA integration)

msmtp-mta installs a sendmail wrapper. Verify the path and alternatives:

which sendmail
# typically /usr/sbin/sendmail -> msmtp sendmail wrapper

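Services that call sendmail (postfix-less setups, cron, git send-email) will use msmtp. Because /etc/msmtprc is mode 600 and owned by root, only processes running as root can read it and send this way.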

For Git:

# git send-email accepts the absolute path of a sendmail-like program here
git config --global sendemail.smtpServer /usr/bin/msmtp
# or, on Git 2.33 and later: git config --global sendemail.sendmailCmd /usr/bin/msmtp

6 — Test sending

Quick test (verbose):

# smtp port 587
echo -e "Subject: msmtp test\n\nThis is a test" | msmtp --debug --account=default recipient@example.com
# smtp port 465
echo -e "Subject: msmtp port 465 test\n\nThis is a test" | msmtp --debug --account=default recipient@example.com

Check /var/log/msmtp.log for success/errors.

7 — Common provider tweaks

  • For port 465 (implicit TLS): set host smtp.example.com, port 465, tls on, tls_starttls off.
  • For OAuth2: set auth oauthbearer and use passwordeval to supply the access token; implement a token-refresh script.

8 — Permissions & security checklist

  • /etc/msmtprc: 600 root:root
  • Credential file or helper: only readable by root (600)
  • Helper script: 700 root:root
  • Log: 640 root:adm with logrotate
  • Prefer passwordeval over plaintext password in config.
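
The checklist above can be checked mechanically. The following is an added example, not part of the original post: shell functions that verify the mode and owner of each file and flag risky directives in an msmtprc. The function names and finding labels are made up for this example.

```shell
# Added example (not from the original post). Function names and finding
# labels are made up here; the log file's group (adm) is not checked.

# check_file PATH MODE OWNER: succeed only if PATH exists with exactly that
# octal mode and that owner; otherwise print a finding and return 1.
check_file() {
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    [ -n "$(find "$1" -prune -perm "$2" -user "$3" 2>/dev/null)" ] ||
        { echo "PERMS $1 (want $2 $3)"; return 1; }
}

# audit_msmtprc FILE: print one finding per risky directive; the exit
# status is the number of findings (0 = clean).
audit_msmtprc() {
    awk '
        NF == 0 || $1 ~ /^#/                 { next }
        $1 == "password"                     { print "PLAINTEXT_PASSWORD line " NR; n++ }
        $1 == "tls" && $2 == "off"           { print "TLS_OFF line " NR; n++ }
        $1 == "tls_certcheck" && $2 == "off" { print "CERTCHECK_OFF line " NR; n++ }
        $1 == "port" && $2 == 465            { implicit = NR }
        $1 == "tls_starttls" && $2 == "off"  { nostarttls = 1 }
        END {
            if (implicit && !nostarttls) { print "PORT465_STARTTLS_ON line " implicit; n++ }
            exit n + 0
        }' "$1"
}

# Constructed sample config (not a real one); it yields three findings.
sample_weak_config() {
    cat <<'EOF'
account default
port 465
tls on
tls_certcheck off
password constructed-example
EOF
}

# audit_all: run the whole checklist on the paths used in this guide (as root).
audit_all() {
    rc=0
    check_file /etc/msmtprc 600 root || rc=1
    check_file /root/.msmtp.pass 600 root || rc=1
    check_file /usr/local/bin/msmtp-get-pass.sh 700 root || rc=1
    check_file /var/log/msmtp.log 640 root || rc=1
    audit_msmtprc /etc/msmtprc || rc=1
    return "$rc"
}
```

Source the file as root and call audit_all; a non-zero status means at least one finding was printed.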

9 — Example minimal relay (no auth)

If your server relays via an internal SMTP relay with no auth:

defaults
logfile /var/log/msmtp.log

account relay
host    smtp-relay.internal.local
port    25
from    noreply@example.com

account default : relay

echo -e "Subject: msmtp port 465 test\n\nThis is a test" | msmtp --debug --account=default recipient@example.com

Notes:

  • Use an app-specific password or secrets manager if supported by provider.
  • If authentication fails, verify provider requires implicit TLS on 465 (not STARTTLS) and check logs (/var/log/msmtp.log) for TLS errors.

To send mail from system tools (sendmail, mailx) on Debian 13 using msmtp as the sendmail-compatible MTA, follow these steps.

Install packages

sudo apt install bsd-mailx

Verify the sendmail wrapper: msmtp-mta provides /usr/sbin/sendmail. Confirm:

which sendmail
ls -l /usr/sbin/sendmail

If another MTA is installed (postfix/exim), remove or reconfigure it to avoid conflicts:

sudo apt remove --purge postfix exim4 -y   # only if you intend to use msmtp as sendmail

Test sending via sendmail

printf 'Subject: test\n\nThis is a test' | sendmail -v recipient@example.com

Or with mailx:

echo "Body text" | mailx -s "Test mailx" recipient@example.com

Troubleshooting

  • Check /var/log/msmtp.log for msmtp errors.
  • For TLS handshake issues, ensure tls_trust_file points to /etc/ssl/certs/ca-certificates.crt.
  • If auth fails, verify username/password and provider settings (implicit TLS port 465 vs STARTTLS 587).
  • Run a verbose debug send:

    echo -e "Subject: debug\n\nbody" | msmtp --debug --account=default recipient@example.com
    

10 — SMTP port 465

Here is a corrected and complete version of /etc/msmtprc, adapted to your configuration (implicit TLS on port 465); it explicitly forces the envelope address and uses passwordeval:

# /etc/msmtprc — implicit TLS (port 465) example
defaults
auth           on
tls            on
tls_starttls   off
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log
timeout        30

# account definition
account default
host    yannig.net
port    465
protocol smtp
user    yann@yannig.net
from    yann@yannig.net
# If your SMTP server requires the "MAIL FROM" to match the authenticated user,
# ensure 'user' is the full email address (as set above).
# Prefer passwordeval to avoid plaintext passwords:
passwordeval /usr/local/bin/msmtp-get-pass.sh

# Do not let the --from command-line option override the envelope-from set above
allow_from_override off
# Always set the From header to the envelope-from address
set_from_header on
auto_from off

# TLS certificate verification is on by default; keep it enabled
# tls_certcheck on

# If you need a specific HELO/EHLO domain (avoid 'localhost' if the server rejects it)
# domain yannig.net

# Default account to use
# account default

Quick notes

  • I set user = yann@yannig.net in case the server requires the authenticated user to match MAIL FROM.
  • from is explicitly the full address.
  • allow_from_override is disabled so that a sender address supplied by a client cannot replace the envelope address.
  • If your passwordeval script returns the command or the password correctly, leave it as is; otherwise replace it with password "your_password" (less secure).

Then test:

echo -e "Subject: msmtp port 465 test\n\nThis is a test" | msmtp --debug --account=default yann@yannig.net

Check in the debug output that the SMTP line shows:

--> MAIL FROM:<yann@yannig.net>

11 — Secure credentials

Create a script that securely reads the SMTP credentials and password:

sudo tee /usr/local/bin/msmtp-get-pass.sh > /dev/null <<'EOF'
#!/bin/sh
printf '%s\n' 'Mot_de_passe_smtp_en_clair'
exit 0
EOF
sudo chmod 700 /usr/local/bin/msmtp-get-pass.sh

File /etc/msmtprc

defaults
auth           on
tls            on
tls_starttls   off
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log

account default
host           yannig.net
port           465
from           yann@yannig.net
user           yann@yannig.net
passwordeval   /usr/local/bin/msmtp-get-pass.sh
aliases        /etc/aliases

Test sending a message as root, which has the rights to read the password:

sudo -s
# mail
echo "Test envoi via msmtp `date`" | mail -s "Alpine Linux ntfy" yick@yick.eu
# msmtp debug
echo -e "Subject: Test\n\nThis is a test" | msmtp --debug yick@yick.eu

This article is licensed under CC BY 4.0 by the author.