msmtp - An SMTP client
- Sendmail mode (default):
- msmtp [option...] [--] recipient...
msmtp [option...] -t [--] [recipient...]
- Server information mode:
- msmtp [option...] --serverinfo
- Remote Message Queue Starting mode:
- msmtp [option...] --rmqs=
In the default sendmail mode, msmtp reads a mail from standard input and sends
it to an SMTP server for delivery.
In server information mode, msmtp prints information about an SMTP server.
In Remote Message Queue Starting mode, msmtp sends a Remote Message Queue
Starting request for a host, domain, or queue to an SMTP server.
The standard sendmail exit status codes are used, as defined in sysexits.h.
Options override configuration file settings.
They are compatible with sendmail where appropriate.
- General options
- Print version information, including information about the
- Print help.
- -P, --pretend
- Print the configuration settings that would be used, but do
not take further action. An asterisk (`*') will be printed instead of your
- -v, -d, --debug
- Print lots of debugging information, including the whole
conversation with the SMTP server. Be careful with this option: the
(potentially dangerous) output will not be sanitized, and your password
may get printed in an easily decodable format!
- Changing the mode of operation
- -S, --serverinfo
- Print information about the SMTP server and exit. This
includes information about supported features (mail size limit,
authentication, TLS, DSN, ...) and about the TLS certificate (if TLS is
- Send a Remote Message Queue Starting request for the given
host, domain, or queue to the SMTP server and exit.
- Configuration options
- -C, --file=filename
- Use the given file instead of ~/.msmtprc as the user
- -a, --account=account_name
- Use the given account instead of the account named
"default". The settings of this account may be changed with
command line options. This option cannot be used together with the
- Use this SMTP server with settings from the command line;
do not use any configuration file data. This option cannot be used
together with the --account option.
- Set the port number to connect to. See the port
- Set or unset a network timeout, in seconds. See the
- Set or unset a SOCKS proxy to use. See the
- Set or unset a port number for the proxy host. See the
- Set the protocol. See the protocol command.
- Set the argument of the SMTP EHLO (or LMTP LHLO) command.
See the domain command.
- Enable or disable authentication and optionally choose the
method. See the auth command.
- Set or unset the user name for authentication. See the
- Evaluate password for authentication. See the
- Enable or disable TLS/SSL. See the tls command.
- Enable or disable STARTTLS for TLS. See the
- Set or unset a trust file for TLS. See the
- Set or unset a certificate revocation list (CRL) file for
TLS. See the tls_crl_file command.
- Set ot unset the fingerprint of a trusted TLS certificate.
See the tls_fingerprint command.
- Set or unset a key file for TLS. See the
- Set or unset a cert file for TLS. See the
- Enable or disable server certificate checks for TLS. See
the tls_certcheck command.
- Set or unset minimum bit size of the Diffie-Hellman (DH)
prime. See the tls_min_dh_prime_bits command.
- Set or unset TLS priorities. See the tls_priorities
- Options specific to sendmail mode
- -f, --from=address
- Set the envelope-from address. It is only used when
auto_from is off.
If no account was chosen yet (with --account or --host), this
option will choose the first account that has the given envelope-from
address (set with the from command). If no such account is found,
"default" is used.
- Enable or disable automatic envelope-from addresses. The
default is off. See the auto_from command.
- Set the domain part for the --auto-from address. See
the maildomain command.
- -N, --dsn-notify=(off|cond)
- Set or unset DSN notification conditions. See the
- -R, --dsn-return=(off|ret)
- Set or unset the DSN notification amount. See the
dsn_return command. Note that hdrs is accepted as an alias
for headers to be compatible with sendmail.
- Enable or disable the addition of a missing From header.
See the add_missing_from_header command.
- Enable or disable the addition of a missing Date header.
See the add_missing_date_header command.
- Enable or disable the removal of Bcc headers. See the
- -X, --logfile=[file]
- Set or unset the log file. See the logfile
- Enable or disable syslog logging. See the syslog
- -t, --read-recipients
- Read recipient addresses from the To, Cc, and Bcc headers
of the mail in addition to the recipients given on the command line. If
any Resent- headers are present, then the addresses from any Resent-To,
Resent-Cc, and Resent-Bcc headers in the first block of Resent- headers
are used instead.
- Read the envelope from address from the From header of the
mail. Currently this header must be on a single line for this option to
- Set or unset an aliases file. See the aliases
- Msmtp adds a From header to mails that lack it, using the
envelope from address. This option allows one to set a full name to be
used in that header.
- This marks the end of options. All following arguments will
be treated as recipient addresses, even if they start with a `-'.
The following options are accepted but ignored for sendmail compatibility:
, -bm, -G, -hN
, -i, -L tag
, -m, -n, -O
, -o x value
Normally, a system wide configuration file and/or a user configuration file
contain information about which SMTP server to use and how to use it, but all
settings can also be configured on the command line.
The information about SMTP servers is organized in accounts. Each account
describes one SMTP server: host name, authentication settings, TLS settings,
and so on. Each configuration file can define multiple accounts.
The user can choose which account to use in one of three ways:
- Use the given account. Command line settings override
configuration file settings.
- Use only the settings from the command line; do not use any
configuration file data.
- --from=address or --read-envelope-from
- Choose the first account from the system or user
configuration file that has a matching envelope-from address as specified
by a from command. This works only when neither --account
nor --host is used.
If none of the above options is used (or if no account has a matching
command), then the account "default" is used.
Msmtp transmits mails unaltered to the SMTP server, with the following
- The Bcc header(s) will be removed. This behavior can be changed with the
command and --remove-bcc-headers
- A From header will be added if the mail does not have one. This can be changed
with the add_missing_from_header
option. The header will use the envelope from
address and optionally a full name set with the -F
- A Date header will be added if the mail does not have one. This can be changed
with the add_missing_date_header
Skip to the EXAMPLES section for a quick start.
If it exists and is readable, a system wide configuration file
SYSCONFDIR/msmtprc will be loaded, where SYSCONFDIR depends on your platform.
to find out which directory is used.
If it exists and is readable, a user configuration file will be loaded
(~/.msmtprc by default, but see --version
). Accounts defined in the
user configuration file override accounts from the system configuration file.
Configuration data from either file can be changed by command line options.
A configuration file is a simple text file. Empty lines and comment lines (whose
first non-blank character is `#') are ignored.
Every other line must contain a command and may contain an argument to that
The argument may be enclosed in double quotes ("), for example if its first
or last character is a blank.
If a file name starts with the tilde (~), this tilde will be replaced by $HOME.
If a command accepts the argument on
, it also accepts an empty argument
and treats that as if it was on
Commands are organized in accounts. Each account starts with the account
command and defines the settings for one SMTP account.
Skip to the EXAMPLES section for a quick start.
Commands are as follows:
- Set defaults. The following configuration commands will set
default values for all following account definitions in the current
- account name [:account[,...]]
- Start a new account definition with the given name. The
current default values are filled in.
If a colon and a list of previously defined accounts is given after the
account name, the new account, with the filled in default values, will
inherit all settings from the accounts in the list.
- host hostname
- The SMTP server to send the mail to. The argument may be a
host name or a network address. Every account definition must contain this
- port number
- The port that the SMTP server listens on. The default is 25
("smtp"), unless TLS without STARTTLS is used, in which case it
is 465 ("smtps").
- timeout (off|seconds)
- Set or unset a network timeout, in seconds. The argument
off means that no timeout will be set, which means that the
operating system default will be used.
- proxy_host [IP|hostname]
- Use a SOCKS proxy. All network traffic will go through this
proxy host, including DNS queries, except for a DNS query that might be
necessary to resolve the proxy host name itself (this can be avoided by
using an IP address as proxy host name). An empty hostname argument
disables proxy usage. The supported SOCKS protocol version is 5. If you
want to use this with Tor, see also "Using msmtp with Tor"
- proxy_port [number]
- Set the port number for the proxy host. An empty
number argument resets this to the default port.
- protocol (smtp|lmtp)
- Set the protocol to use. Currently only SMTP and LMTP are
supported. SMTP is the default. See the port command above for
- domain argument
- Use this command to set the argument of the SMTP EHLO (or
LMTP LHLO) command. The default is localhost, which is stupid but
usually works. Try to change the default if mails get rejected due to
anti-SPAM measures. Possible choices are the domain part of your mail
address (provider.example for email@example.com) or the fully qualified
domain name of your host (if available).
- auth [(on|off|method)]
- Enable or disable authentication and optionally choose a
method to use. The argument on chooses a method automatically.
Usually a user name and a password are used for authentication. The user
name is specified in the configuration file with the user command.
There are five different methods to specify the password:
1. Add the password to the system key ring. Currently supported key rings
are the Gnome key ring and the Mac OS X Keychain. For the Gnome key ring,
use the command secret-tool (part of Gnome's libsecret) to store
passwords: secret-tool store --label=msmtp host mail.freemail.example
service smtp user joe.smith. On Mac OS X, use the Keychain Access GUI
application. The account name is same as the user name. The keychain item
name is smtp://<hostname> where <hostname> matches the host
2. Store the password in an encrypted files, and use passwordeval to
specify a command to decrypt that file, e.g. using GnuPG. See EXAMPLES.
3. Store the password in the configuration file using the password
command. (Usually it is not considered a good idea to store passwords in
plain text files. If you do it anyway, you must make sure that the file
can only be read by yourself.)
4. Store the password in ~/.netrc. This method is probably obsolete.
5. Type the password into the terminal when it is required.
It is recommended to use method 1 or 2.
Multiple authentication methods exist. Most servers support only some of
them. Historically, sophisticated methods were developed to protect
passwords from being sent unencrypted to the server, but nowadays
everybody needs TLS anyway, so the simple methods suffice since the whole
session is protected. A suitable authentication method is chosen
automatically, and when TLS is disabled for some reason, only methods that
avoid sending clear text passwords are considered.
The following user / password methods are supported: plain (a simple
plain text method, with base64 encoding, supported by almost all servers),
scram-sha-1 (a method that avoids clear-text passwords),
cram-md5 (an obsolete method that avoids clear-text passwords),
digest-md5 (an overcomplicated obsolete method that avoids
clear-text passwords, but is not considered secure anymore), login
(a non-standard clear-text method similar to but worse than the plain
method), ntlm (an obscure non-standard method that is now
considered broken; it sometimes requires a special domain parameter passed
There are currently two authentication methods that are not based on user /
password information and have to be chosen manually: external (the
authentication happens outside of the protocol, typically by sending a TLS
client certificate, and the method merely confirms that this
authentication succeeded), and gssapi (the Kerberos framework takes
care of secure authentication, only a user name is required).
It depends on the underlying authentication library and its version whether
a particular method is supported or not. Use --version to find out
which methods are supported.
- user login
- Set the user name for authentication. An empty argument
unsets the user name.
- password secret
- Set the password for authentication. An empty argument
unsets the password. Consider using the passwordeval command or a
key ring instead of this command, to avoid storing plain text passwords in
the configuration file.
- passwordeval [eval]
- Set the password for authentication to the output (stdout)
of the command eval. This can be used e.g. to decrypt password
files on the fly or to query key rings, and thus to avoid storing plain
- ntlmdomain [domain]
- Set a domain for the ntlm authentication method.
This is obsolete.
- tls [(on|off)]
- Enable or disable TLS (also known as SSL) for secured
connections. You also need tls_trust_file or
tls_fingerprint, and for some servers you may need to disable
Transport Layer Security (TLS) "... provides communications privacy
over the Internet. The protocol allows client/server applications to
communicate in a way that is designed to prevent eavesdropping, tampering,
or message forgery" (quote from RFC2246).
A server can use TLS in one of two modes: via a STARTTLS command (the
session starts with the normal protocol initialization, and TLS is then
started using the protocol's STARTTLS command), or immediately (TLS is
initialized before the normal protocol initialization; this requires a
separate port). The first mode is the default, but you can switch to the
second mode by disabling tls_starttls.
When TLS is started, the server sends a certificate to identify itself. To
verify the server identity, a client program is expected to check that the
certificate is formally correct and that it was issued by a Certificate
Authority (CA) that the user trusts. (There can also be certificate chains
with intermediate CAs.)
The list of trusted CAs is specified using the tls_trust_file
command. Usually there is some system-wide default file available, e.g.
/etc/ssl/certs/ca-certificates.crt on Debian-based systems, but you can
also choose to select the trusted CAs yourself.
One practical problem with this approach is that the client program should
also check if the server certificate has been revoked for some reason,
using a Certificate Revocation List (CRL). A CRL file can be specified
using the tls_crl_file command, but getting the relevant CRL files
and keeping them up to date is not straightforward. You are basically on
A much more serious and fundamental problem is is that you need to trust
CAs. Like any other organization, a CA can be incompetent, malicious,
subverted by bad people, or forced by government agencies to compromise
end users without telling them. All of these things happened and continue
to happen worldwide. The idea to have central organizations that have to
be trusted for your communication to be secure is fundamentally broken.
Instead of putting trust in a CA, you can choose to trust only a single
certificate for the server you want to connect to. For that purpose,
specify the certificate fingerprint with tls_fingerprint. This
makes sure that no man-in-the-middle can fake the identity of the server
by presenting you a fraudulent certificate issued by some CA that happens
to be in your trust list. However, you have to update the fingerprint
whenever the server certificate changes, and you have to make sure that
the change is legitimate each time, e.g. when the old certificate expired.
This is inconvenient, but it's the price to pay.
Information about a server certificate can be obtained with
--serverinfo --tls --tls-certcheck=off. This includes the
issuer CA of the certificate (so you can trust that CA via
tls_trust_file), and the fingerprint of the certificate (so you can
trust that particular certificate via tls_fingerprint).
TLS also allows the server to verify the identity of the client. For this
purpose, the client has to present a certificate issued by a CA that the
server trusts. To present that certificate, the client also needs the
matching key file. You can set the certificate and key files using
tls_cert_file and tls_key_file. This mechanism can also be
used to authenticate users, so that traditional user / password
authentication is not necessary anymore. See the external mechanism
- tls_starttls [(on|off)]
- Choose the TLS variant: start TLS from within the session
(on, default), or tunnel the session through TLS (
- tls_trust_file file
- Activate server certificate verification using a list of
truted Certification Authorities (CAs). The file must be in PEM format.
Some systems provide a system-wide default file, e.g.
/etc/ssl/certs/ca-certificates.crt on Debian-based systems with the
ca-certificates package. An empty argument disables this. You should also
- tls_crl_file [file]
- Set a certificate revocation list (CRL) file for TLS, to
check for revoked certificates. An empty argument disables this.
- tls_fingerprint [fingerprint]
- Set the fingerprint of a single certificate to accept for
TLS. This certificate will be trusted regardless of its contents. The
fingerprint should be of type SHA256, but can for backwards compatibility
also be of type SHA1 or MD5 (please avoid this). The format should be
01:23:45:67:.... Use --serverinfo --tls --tls-certcheck=off
--tls-fingerprint= to get the server certificate fingerprint.
- tls_key_file file
- Send a client certificate to the server (use this together
with tls_cert_file}). The file must contain the private key of a
certificate in PEM format. An empty argument disables this feature.
- tls_cert_file file
- Send a client certificate to the server (use this together
with tls_key_file). The file must contain a certificate in PEM
format. An empty argument disables this feature.
- tls_certcheck [(on|off)]
- Enable or disable checks of the server certificate.
WARNING: When the checks are disabled, TLS sessions will be vulnerable to
- tls_min_dh_prime_bits [bits]
- Set or unset the minimum number of Diffie-Hellman (DH)
prime bits that mpop will accept for TLS sessions. The default is set by
the TLS library and can be selected by using an empty argument to this
command. Only lower the default (for example to 512 bits) if there is no
other way to make TLS work with the remote server.
- tls_priorities [priorities]
- Set the priorities for TLS sessions. The default is set by
the TLS library and can be selected by using an empty argument to this
command. See the GnuTLS documentation of the gnutls_priority_init
function for a description of the priorities string.
- from envelope_from
- Set the envelope-from address. This address will only be
used when auto_from is off.
- auto_from [(on|off)]
- Enable or disable automatic envelope-from addresses. The
default is off. When enabled, an envelope-from address of the form
user@domain will be generated. The local part will be set to USER
or, if that fails, to LOGNAME or, if that fails, to the login name
of the current user. The domain part can be set with the maildomain
command. If the maildomain is empty, the envelope-from address will only
consist of the user name and not have a domain part. When auto_from is
disabled, the envelope-from address must be set explicitly.
- maildomain [domain]
- Set a domain part for the generation of an envelope-from
address. This is only used when auto_from is on. The domain may be
- dsn_notify (off|condition)
- This command sets the condition(s) under which the mail
system should send DSN (Delivery Status Notification) messages. The
argument off disables explicit DSN requests, which means the mail
system decides when to send DSN messages. This is the default. The
condition must be never, to never request notification, or a
comma separated list (no spaces!) of one or more of the following:
failure, to request notification on transmission failure,
delay, to be notified of message delays, success, to be
notified of successful transmission. The SMTP server must support the DSN
- dsn_return (off|amount)
- This command controls how much of a mail should be returned
in DSN (Delivery Status Notification) messages. The argument off
disables explicit DSN requests, which means the mail system decides how
much of a mail it returns in DSN messages. This is the default. The
amount must be headers, to just return the message headers,
or full, to return the full mail. The SMTP server must support the
- add_missing_from_header [(on|off)]
- This command controls whether to add a From header if the
mail does not have one. The default is to add it.
- add_missing_date_header [(on|off)]
- This command controls whether to add a Date header if the
mail does not have one. The default is to add it.
- remove_bcc_headers [(on|off)]
- This command controls whether to remove Bcc headers. The
default is to remove them.
- logfile [file]
- An empty argument disables logging (this is the default).
When logging is enabled by choosing a log file, msmtp will append one line
to the log file for each mail it tries to send via the account that this
log file was chosen for.
The line will include the following information: date and time, host name of
the SMTP server, whether TLS was used, whether authentication was used,
authentication user name (only if authentication is used), envelope-from
address, recipient addresses, size of the mail as transferred to the
server (only if the delivery succeeded), SMTP status code and SMTP error
message (only in case of failure and only if available), error message
(only in case of failure and only if available), exit code (from
sysexits.h; EX_OK indicates success).
If the filename is a dash (-), msmtp prints the log line to the standard
- syslog [(on|off|facility)]
- Enable or disable syslog logging. The facility can be one
of LOG_USER, LOG_MAIL, LOG_LOCAL0, ..., LOG_LOCAL7. The default is
Each time msmtp tries to send a mail via the account that contains this
syslog command, it will log one entry to the syslog service with the
The line will include the following information: host name of the SMTP
server, whether TLS was used, whether authentication was used,
envelope-from address, recipient addresses, size of the mail as
transferred to the server (only if the delivery succeeded), SMTP status
code and SMTP error message (only in case of failure and only if
available), error message (only in case of failure and only if available),
exit code (from sysexits.h; EX_OK indicates success).
- aliases [file]
- Replace local recipients with addresses in the aliases
file. The aliases file is a plain text file containing mappings between a
local address and a list of domain addresses. A local address is defined
as one without an `@' character and a domain address is one with an `@'
character. The mappings are of the form:
local: firstname.lastname@example.org, email@example.com
Multiple domain addresses are separated with commas. Comments start with `#'
and continue to the end of the line.
The local address default has special significance and is matched if
the local address is not found in the aliases file. If no default
alias is found, then the local address is left as is.
An empty argument to the aliases command disables the replacement of local
addresses. This is the default.
# Example for a user configuration file ~/.msmtprc
# This file focusses on TLS and authentication. Features not used here include
# logging, timeouts, SOCKS proxies, TLS parameters, Delivery Status Notification
# (DSN) settings, and more.
# Set default values for all following accounts.
# Use the mail submission port 587 instead of the SMTP port 25.
# Always use TLS.
# Set a list of trusted CAs for TLS. You can use a system-wide default file,
# as in this example, or download the root certificate of your CA and use that.
# Additionally, you should use the tls_crl_file command to check for revoked
# certificates, but unfortunately getting revocation lists and keeping them
# up to date is not straightforward.
# A freemail service
# Host name of the SMTP server
# As an alternative to tls_trust_file/tls_crl_file, you can use tls_fingerprint
# to pin a single certificate. You have to update the fingerprint when the
# server certificate changes, but an attacker cannot trick you into accepting
# a fraudulent certificate. Get the fingerprint with
# $ msmtp --serverinfo --tls --tls-certcheck=off --host=smtp.freemail.example
# Envelope-from address
# Authentication. The password is given using one of five methods, see below.
# Password method 1: Add the password to the system keyring, and let msmtp get
# it automatically. To set the keyring password using Gnome's libsecret:
# $ secret-tool store --label=msmtp \
# host smtp.freemail.example \
# service smtp \
# user joe.smith
# Password method 2: Store the password in an encrypted file, and tell msmtp
# which command to use to decrypt it. This is usually used with GnuPG, as in
# this example. Usually gpg-agent will ask once for the decryption password.
passwordeval gpg2 --no-tty -q -d ~/.msmtp-password.gpg
# Password method 3: Store the password directly in this file. Usually it is not
# a good idea to store passwords in plain text files. If you do it anyway, at
# least make sure that this file can only be read by yourself.
# Password method 4: Store the password in ~/.netrc. This method is probably not
# relevant anymore.
# Password method 5: Do not specify a password. Msmtp will then prompt you for
# it. This means you need to be able to type into a terminal when msmtp runs.
# A second mail address at the same freemail service
account freemail2 : freemail
# The SMTP server of your ISP
# Set a default account
account default : freemail
Using msmtp with Mutt
Create a configuration file for msmtp and add the following lines to your Mutt
set realname="Your Name"
The envelope_from=yes option lets Mutt use the -f
option of msmtp.
Therefore msmtp chooses the first account that matches the from address
Alternatively, you can use the -a
set sendmail="/path/to/msmtp -a my-account"
Or set everything from the command line (but note that you cannot set a password
set sendmail="/path/to/msmtp --host=mailhub -f firstname.lastname@example.org --tls
If you have multiple mail accounts in your msmtp configuration file and let Mutt
use the -f
option to choose the right one, you can easily switch
accounts in Mutt with the following Mutt configuration lines:
macro generic "<esc>1" ":set
macro generic "<esc>2" ":set
macro generic "<esc>3" ":set
Using msmtp with mail
Define a default account, and put the following in your ~/.mailrc:
Using msmtp with Tor
Use the following settings:
Use an IP address as proxy host name, so that msmtp does not leak a DNS query
when resolving it.
TLS is required to prevent exit hosts from reading your SMTP session. You also
to check the server
Do not set domain
to something that you do not want to reveal (do not set
it at all if possible).
# Example aliases file
# Send root to Joe and Jane
root: email@example.com, firstname.lastname@example.org
# Send cron to Mark
# Send everything else to admin
- System configuration file. Use --version to find out
what SYSCONFDIR is on your platform.
- User configuration file.
- ~/.netrc and SYSCONFDIR/netrc
- The netrc file contains login information. Before prompting
for a password, msmtp will search it in ~/.netrc and
- USER, LOGNAME
- These variables override the user's login name when
constructing an envelope-from address. LOGNAME is only used if USER is
- Directory to create temporary files in. If this is unset, a
system specific default directory is used.
A temporary file is only created when the -t/--read-recipients or
--read-envelope-from option is used. The file is then used to
buffer the headers of the mail (but not the body, so the file won't get
- EMAIL, SMTPSERVER
- These environment variables are used only if neither
--host nor --account is used and there is no default account
defined in the configuration files. In this case, the host name is taken
from SMTPSERVER, and the envelope from address is taken from EMAIL, unless
overridden by --from or --read-envelope-from. Currently
SMTPSERVER must contain a plain host name (no URL), and EMAIL must contain
a plain address (no names or additional information).
msmtp was written by Martin Lambers <email@example.com>.
Other authors are listed in the AUTHORS file in the source distribution.
(5) or ftp