Debian - Relaying e-mails to an account (msmtp, MailX, Sendmail)
This guide sets up msmtp on Debian 13 for server use: system-wide, non-interactive, secure, and suitable for relaying mail from services, cron and git.
1 — Install msmtp
Commands to install msmtp
sudo apt update
sudo apt install -y msmtp msmtp-mta
2 — System-wide config (/etc/msmtprc)
Create /etc/msmtprc with root ownership and strict permissions (mode 600 means only processes running as root can read it):
sudo tee /etc/msmtprc > /dev/null <<'EOF'
# /etc/msmtprc — system-wide msmtp config
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
timeout 30
# Default account (adjust for your SMTP provider)
account default
host smtp.example.com
port 587
from noreply@example.com
user smtp-user@example.com
# Use passwordeval to avoid plaintext in this file:
passwordeval /usr/local/bin/msmtp-get-pass.sh
# The account named "default" above is used automatically; no alias line is needed
EOF
sudo chown root:root /etc/msmtprc
sudo chmod 600 /etc/msmtprc
For external SMTP (implicit TLS, port 465), create or replace /etc/msmtprc with this (adjust host, user, from). Save as root and set permissions to 600.
sudo tee /etc/msmtprc > /dev/null <<'EOF'
# /etc/msmtprc — implicit TLS (port 465) example
defaults
auth on
tls on
tls_starttls off
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
timeout 30
account external
host smtp.example.com
port 465
from noreply@example.com
user smtp-user@example.com
# Prefer passwordeval to avoid plaintext passwords:
passwordeval /usr/local/bin/msmtp-get-pass.sh
account default : external
EOF
sudo chown root:root /etc/msmtprc
sudo chmod 600 /etc/msmtprc
3 — Secure credential helper
Create a script that securely reads credentials (example reads from /root/.msmtp.pass with strict perms):
sudo tee /usr/local/bin/msmtp-get-pass.sh > /dev/null <<'EOF'
#!/bin/sh
cat /root/.msmtp.pass
EOF
sudo chmod 700 /usr/local/bin/msmtp-get-pass.sh
Place the SMTP password in /root/.msmtp.pass:
sudo tee /root/.msmtp.pass > /dev/null <<'EOF'
your_smtp_password_here
EOF
sudo chown root:root /root/.msmtp.pass
sudo chmod 600 /root/.msmtp.pass
Alternative: integrate with a secrets manager or HashiCorp Vault; adjust script accordingly.
4 — Logging
Create the log file and a logrotate rule:
sudo touch /var/log/msmtp.log
sudo chown root:adm /var/log/msmtp.log
sudo chmod 640 /var/log/msmtp.log
# Rotate logs by creating /etc/logrotate.d/msmtp
sudo tee /etc/logrotate.d/msmtp > /dev/null <<'EOF'
/var/log/msmtp.log {
daily
rotate 14
compress
missingok
notifempty
create 0640 root adm
}
EOF
5 — Sendmail wrapper (system MTA integration)
msmtp-mta installs a sendmail wrapper. Verify the path and alternatives:
which sendmail
# typically /usr/sbin/sendmail -> msmtp sendmail wrapper
Services that call sendmail (postfix-less setups, cron, git send-email) will use msmtp.
For Git:
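git config --global sendemail.smtpServer /usr/bin/msmtp
# a full path makes git send-email pipe the message to that sendmail-like program instead of opening an SMTP connection
# newer Git versions also accept sendemail.sendmailCmd for this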
6 — Test sending
Quick test (verbose):
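# --debug prints the whole SMTP conversation, including credentials in an easily decodable form; do not share the output
# with the port 587 (STARTTLS) config
printf 'Subject: msmtp test\n\nThis is a test\n' | msmtp --debug --account=default recipient@example.com
# with the port 465 (implicit TLS) config
printf 'Subject: msmtp port 465 test\n\nThis is a test\n' | msmtp --debug --account=default recipient@example.com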
Check /var/log/msmtp.log for success/errors.
7 — Common provider tweaks
- For port 465 (implicit TLS): set host smtp.example.com, port 465, tls on, tls_starttls off.
- For OAuth2: set auth oauthbearer and use passwordeval to supply the access token; implement a token-refresh script.
8 — Permissions & security checklist
- /etc/msmtprc: 600 root:root
- Credential file or helper: only readable by root (600)
- Helper script: 700 root:root
- Log: 640 root:adm with logrotate
- Prefer passwordeval over plaintext password in config.
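
The checklist above can be verified mechanically. The script below is an added example, not part of the original guide; the function names and the PREFIX argument (which lets it run against a scratch copy of the tree) are assumptions, and it relies on GNU stat as shipped on Debian.

```shell
#!/bin/sh
# Added example: audit an msmtp install against the section 8 checklist.
# The PREFIX argument (hypothetical) lets the audit run against a scratch tree.

# check_perm FILE MODE OWNER:GROUP -> 0 if FILE matches, 1 otherwise
check_perm() {
    f=$1; want="$2 $3"
    if [ ! -e "$f" ]; then
        echo "MISSING $f"; return 1
    fi
    got=$(stat -c '%a %U:%G' "$f")   # GNU stat, as shipped on Debian
    if [ "$got" != "$want" ]; then
        echo "BAD     $f is '$got', want '$want'"; return 1
    fi
    echo "OK      $f"
}

# has_plaintext_password FILE -> 0 if FILE has a 'password' line
# (a 'passwordeval' line does not match: the keyword must end at whitespace)
has_plaintext_password() {
    grep -Eqs '^[[:space:]]*password[[:space:]]+[^[:space:]]' "$1"
}

# audit_msmtp PREFIX CONF_OWNER LOG_OWNER -> exit status = number of findings
audit_msmtp() {
    prefix=$1; conf_owner=$2; log_owner=$3; findings=0
    check_perm "$prefix/etc/msmtprc" 600 "$conf_owner" || findings=$((findings + 1))
    check_perm "$prefix/root/.msmtp.pass" 600 "$conf_owner" || findings=$((findings + 1))
    check_perm "$prefix/usr/local/bin/msmtp-get-pass.sh" 700 "$conf_owner" || findings=$((findings + 1))
    check_perm "$prefix/var/log/msmtp.log" 640 "$log_owner" || findings=$((findings + 1))
    if has_plaintext_password "$prefix/etc/msmtprc"; then
        echo "BAD     $prefix/etc/msmtprc contains a plaintext password line"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run against the live system (as root) with: sh audit-msmtp.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_msmtp "" root:root root:adm
fi
```
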
9 — Example minimal relay (no auth)
If your server relays via an internal SMTP relay with no auth:
defaults
logfile /var/log/msmtp.log
account relay
host smtp-relay.internal.local
port 25
from noreply@example.com
account default : relay
Notes:
- Use an app-specific password or secrets manager if supported by provider.
- If authentication fails, verify whether the provider requires implicit TLS on 465 (not STARTTLS) and check the log (/var/log/msmtp.log) for TLS errors.
To send mail from system tools (sendmail, mailx) on Debian 13 using msmtp as the sendmail-compatible MTA, follow these steps.
Install packages
sudo apt install bsd-mailx
Verify sendmail wrapper
msmtp-mta provides /usr/sbin/sendmail. Confirm:
which sendmail
ls -l /usr/sbin/sendmail
If another MTA is installed (postfix/exim), remove or reconfigure it to avoid conflicts:
sudo apt remove --purge postfix exim4 -y # only if you intend to use msmtp as sendmail
Test sending via sendmail
printf 'Subject: test\n\nThis is a test' | sendmail -v recipient@example.com
Or with mailx:
echo "Body text" | mailx -s "Test mailx" recipient@example.com
Troubleshooting
- Check /var/log/msmtp.log for msmtp errors.
- For TLS handshake issues, ensure tls_trust_file points to /etc/ssl/certs/ca-certificates.crt.
- If auth fails, verify username/password and provider settings (implicit TLS port 465 vs STARTTLS 587).
- Run a verbose debug send:
printf 'Subject: debug\n\nbody\n' | msmtp --debug --account=default recipient@example.com
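
For the log checks mentioned above, a small triage helper (added example, not from the original guide). It assumes msmtp's key=value log lines ending in exitcode=EX_...; the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: triage /var/log/msmtp.log.
# Assumes one delivery attempt per line, as key=value pairs ending in exitcode=EX_...

# sample_log -> constructed log lines for trying the functions offline
sample_log() {
    cat <<'EOF'
Jan 10 03:00:01 host=smtp.example.com tls=on auth=on user=smtp-user@example.com from=noreply@example.com recipients=ops@example.com mailsize=412 smtpstatus=250 smtpmsg='250 2.0.0 Ok: queued' exitcode=EX_OK
Jan 10 03:05:01 host=smtp.example.com tls=on auth=on user=smtp-user@example.com from=noreply@example.com recipients=ops@example.com smtpstatus=535 smtpmsg='535 5.7.8 authentication failed' errormsg='authentication failed (method PLAIN)' exitcode=EX_NOPERM
Jan 10 03:10:01 host=smtp.example.com tls=on auth=on user=smtp-user@example.com from=noreply@example.com recipients=dev@example.com errormsg='cannot connect to smtp.example.com, port 587: Connection timed out' exitcode=EX_TEMPFAIL
EOF
}

# failed_sends LOGFILE -> "Mon DD HH:MM:SS exitcode recipients" per failed attempt
failed_sends() {
    awk '{
        code = ""; rcpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^exitcode=/)   code = substr($i, 10)   # text after "exitcode="
            if ($i ~ /^recipients=/) rcpt = substr($i, 12)   # text after "recipients="
        }
        if (code != "" && code != "EX_OK") print $1, $2, $3, code, rcpt
    }' "$1"
}

# failures_by_code LOGFILE -> "exitcode count" per distinct failure code, sorted
failures_by_code() {
    failed_sends "$1" | awk '{ n[$4]++ } END { for (c in n) print c, n[c] }' | sort
}

# Run against the live log with: sh msmtp-triage.sh --report
if [ "${1:-}" = "--report" ]; then
    failures_by_code /var/log/msmtp.log
    failed_sends /var/log/msmtp.log
fi
```

A sudden run of the same non-OK exit code after a period of EX_OK lines usually points at a changed credential or provider setting rather than at an individual message.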