In Fedora, an email client composing a message typically calls sendmail (/usr/sbin/sendmail) to dispatch the message to an SMTP server. The command name "sendmail" serves generically—like "xerox" or "kleenex"—and need not conjure the old-original Sendmail MTA. For example:
-> sendmail --version | head -1 msmtp version 1.4.32
Instead, /usr/sbin/sendmail is a symbolic link that ultimately resolves to one of several candidate MTAs available under Fedora. Still, Sendmail informs this indirection with both the command name that clients expect and the interface that clients assume. Any candidate MTA must accept the interface laid down by Sendmail long ago. That is, any emulator or drop-in replacement for Sendmail must gracefully handle the latter's parameters and syntax, even if graceful just means ignore.
The alternatives system manages the default program for submitting outgoing email to an SMTP server. An email client simply calls the default command sendmail, which is the initial symbolic link in a multi-link chain to the actual MTA executable in effect:
-> file `which sendmail` /usr/sbin/sendmail: symbolic link to /etc/alternatives/mta -> file /etc/alternatives/mta /etc/alternatives/mta: symbolic link to /usr/sbin/sendmail.msmtp -> file /usr/sbin/sendmail.msmtp /usr/sbin/sendmail.msmtp: symbolic link to /usr/bin/msmtp -> file /usr/bin/msmtp /usr/bin/msmtp: ELF 64-bit LSB executable, …
The alternatives command allows root to change what MTA the nominal command sendmail ultimately invokes. For example:
-> alternatives --config mta There are 6 programs which provide 'mta'. Selection Command ----------------------------------------------- 1 /usr/sbin/sendmail.exim *+ 2 /usr/sbin/sendmail.msmtp 3 /usr/sbin/sendmail.ssmtp 4 /usr/sbin/sendmail.sendmail 5 /usr/sbin/sendmail.postfix 6 /usr/bin/esmtp-wrapper Enter to keep the current selection[+], or type selection number: -> alternatives --display mta | grep currently link currently points to /usr/sbin/sendmail.msmtp
The choices depend on what packages are installed on a system; YMMV. The alternatives system admits a notion of priority among candidates; the asterisk above marks the highest-priority MTA. A plus sign indicates the current MTA.
A typical SMTP server listens on port 587 or 465 for messages submitted by an email client. From an end-user's perspective, the salient distinction between these ports is how to choose TLS/SSL settings when configuring an email client. Although wording varies by client, the essential ingredient is "STARTTLS", which names a command in the SMTP protocol. Port 587 requires STARTTLS; port 465 eschews STARTTLS. In Thunderbird's configuration dialog, for example, selecting STARTTLS for suggests port 587, while selecting SSL/TLS suggests port 465.
Your email provider may offer both ports. In the absence of the provider's guidance on which port to choose, the official standard favors port 587 for the initial submission of an email from a client. But port 465 is a de-facto standard.
Under the hood, port 465 mandates secure communication from the get-go, whereas port 587 adopts a when-ready attitude. For port 465, the client and server first establish a TLS channel and subsequently tunnel the entire SMTP session through that channel. For port 587, the client and server establish their connection and do initial SMTP business in clear text. When the client is ready to submit private data, it issues a STARTTLS request. The client and server then secure their connection with TLS for subsequent communication.
Actually, there's a bit more to the story for port 587. If both parties agree, a client and server may conduct the entire session in clear text over port 587—user name, password, message contents. A rightly wary client may choose to terminate communication with a server that refuses its STARTTLS request, however. And a no-nonsense server may call for a STARTTLS request before it cooperates further with a client.
Port 25 also figures in SMTP, now largely for exchanges between SMTP servers proper. Its former role for email submission has been retired in efforts to quash spam. Many ISPs simply drop traffic addressed to it.
To see what ports your mail server opens, tell nmap to probe ports 25, 465, and 587:
-> nmap -Pn -p25,465,587 smtp.gmail.com ⋮ PORT STATE SERVICE 25/tcp filtered smtp 465/tcp open smtps 587/tcp open submission ⋮
You can add option -sV if you want nmap to probe for version information.
You can easily see the operational differences between connections over ports 465 and 587 by observing SMTP sessions in action.
MSMTP is an SMTP client providing a simple drop-in replacement for the Sendmail MTA. It accommodates multiple SMTP providers.
MSMTP conveniently supports both system-wide and user-specific configuration files:
-> msmtp --version | grep 'configuration file' System configuration file name: /etc/msmtprc User configuration file name: /home/ray/.msmtprc
You can also select an alternative configuration file with option --file (-C). And you can override settings in configuration files with command-line options. To have msmtp report its final, aggregate configuration, use option --pretend (-P).
MSMTP offers the notion of accounts in support of multiple SMTP providers and multiple configurations for a given SMTP provider. An account is established in a configuration file simply by naming a group of related settings, such as server, port, security, username, etc. A configuration file can establish multiple accounts, including a default account. To send a message using an account other than the default, use option --account (-a).
Use the following settings to have msmtp verify the SMPT server's certificate.
tls on tls_certcheck on tls_trust_file /etc/ssl/certs/ca-bundle.crt
The file above contains the certificate for several trusted Certificate Authorities. The certificate remitted by the server must be trusted by one of the authorities listed. Package ca-certificates installs ca-bundle.crt.
To configure an account connecting to its SMTP server at port 465, include these settings:
port 465 tls on tls_starttls off
Since the connection to port 465 establishes a TLS/SSL channel, you don't want msmtp to issue a STARTTLS request to the SMTP server.
To configure an account connecting to its SMTP server at port 587, include these settings:
port 587 tls on tls_starttls on
Since the initial channel to port 587 is not encrypted, you want msmtp to issue a STARTTLS request to the SMTP server before exchanging user data.
Package msmtp does not register with the alternatives system, but you can make the introductions like so:
-> ln -s /usr/bin/msmtp /usr/sbin/sendmail.msmtp -> alternatives --install /usr/sbin/sendmail mta /usr/sbin/sendmail.msmtp 100 \ --slave /usr/share/man/man8/sendmail.8.gz mta-sendmailman /usr/share/man/man1/msmtp.1.gz
Now you can choose msmtp as the default MTA:
-> alternatives --set mta /usr/sbin/sendmail.msmtp -> sendmail --version | head -1 msmtp version 1.4.32 -> man --where sendmail /usr/share/man/man1/msmtp.1.gz
If you should later wish to deregister msmtp:
-> alternatives --remove mta /usr/bin/sendmail.msmtp
sSMTP is an SMTP client. It provides a simple drop-in replacement for the Sendmail MTA.
sSMTP uses a single configuration file, /etc/ssmtp/ssmtp.conf, documented in man page ssmtp.conf(5).
Package ssmtp registers with the alternatives system.
You can have msmtp retrieve information about an SMTP server by using option --serverinfo (-S). For example, here it queries the Gmail server on port 587:
-> msmtp --serverinfo --host smtp.gmail.com --port 587 --tls --tls-certcheck=off SMTP server at smtp.gmail.com (qg-in-f109.1e100.net [18.104.22.168]), port 587: smtp.gmail.com ESMTP i36sm2604831qkh.36 - gsmtp TLS certificate information: Owner: Common Name: smtp.gmail.com Organization: Google Inc Locality: Mountain View State or Province: California Country: US Issuer: Common Name: Google Internet Authority G2 Organization: Google Inc Country: US Validity: Activation time: Wed 18 Feb 2015 05:19:56 AM EST Expiration time: Wed 30 Dec 2015 07:00:00 PM EST Fingerprints: SHA1: D3:7C:82:FC:D0:5F:8F:D7:DA:A2:59:8C:42:D7:B2:9F:C1:9F:7E:60 MD5: 5A:01:9E:79:12:D4:BF:B1:68:79:ED:FA:9E:CD:C0:F5 Capabilities: SIZE 35882577: Maximum message size is 35882577 bytes = 34.22 MiB PIPELINING: Support for command grouping for faster transmission STARTTLS: Support for TLS encryption via the STARTTLS command AUTH: Supported authentication methods: PLAIN LOGIN
You'll get an abridged report if you omit those TLS options above.
Here is the Gmail server on port 465 instead of port 587:
-> msmtp --serverinfo --host smtp.gmail.com --port 465 --tls --tls-certcheck=off --tls-starttls=off SMTP server at smtp.gmail.com (qg-in-f109.1e100.net [22.214.171.124]), port 465: smtp.gmail.com ESMTP c88sm2610685qge.26 - gsmtp TLS certificate information: Owner: Common Name: smtp.gmail.com Organization: Google Inc Locality: Mountain View State or Province: California Country: US Issuer: Common Name: Google Internet Authority G2 Organization: Google Inc Country: US Validity: Activation time: Wed 18 Feb 2015 05:19:56 AM EST Expiration time: Wed 30 Dec 2015 07:00:00 PM EST Fingerprints: SHA1: D3:7C:82:FC:D0:5F:8F:D7:DA:A2:59:8C:42:D7:B2:9F:C1:9F:7E:60 MD5: 5A:01:9E:79:12:D4:BF:B1:68:79:ED:FA:9E:CD:C0:F5 Capabilities: SIZE 35882577: Maximum message size is 35882577 bytes = 34.22 MiB PIPELINING: Support for command grouping for faster transmission AUTH: Supported authentication methods: PLAIN LOGIN
If you omit the TLS options above, you get the silent treatment:
-> time msmtp --serverinfo --host smtp.gmail.com --port 465 msmtp: the server sent an empty reply real 10m0.084s ⋮