Outgoing Email

MTAs in Fedora

In Fedora, an email client composing a message typically calls sendmail (/usr/sbin/sendmail) to dispatch the message to an SMTP server. The command name "sendmail" is used generically—like "xerox" or "kleenex"—and need not mean the original Sendmail MTA. For example:

-> sendmail --version | head -1
msmtp version 1.4.32

Rather, /usr/sbin/sendmail is a symbolic link that ultimately resolves to one of several candidate MTAs available under Fedora. Still, Sendmail shapes this indirection: clients expect its command name and assume its interface. Any candidate MTA must accept the interface laid down by Sendmail long ago; that is, any emulator or drop-in replacement must gracefully handle Sendmail's parameters and syntax, even if graceful just means ignore.

The alternatives system manages the default program for submitting outgoing email to an SMTP server. An email client simply calls the default command sendmail, which is the initial symbolic link in a multi-link chain to the actual MTA executable in effect:

-> file `which sendmail`
/usr/sbin/sendmail: symbolic link to /etc/alternatives/mta
-> file /etc/alternatives/mta
/etc/alternatives/mta: symbolic link to /usr/sbin/sendmail.msmtp
-> file /usr/sbin/sendmail.msmtp
/usr/sbin/sendmail.msmtp: symbolic link to /usr/bin/msmtp
-> file /usr/bin/msmtp
/usr/bin/msmtp: ELF 64-bit LSB executable, 

The alternatives command allows root to change what MTA the nominal command sendmail ultimately invokes. For example:

-> alternatives --config mta
There are 6 programs which provide 'mta'.

  Selection    Command
-----------------------------------------------
   1           /usr/sbin/sendmail.exim
*+ 2           /usr/sbin/sendmail.msmtp
   3           /usr/sbin/sendmail.ssmtp
   4           /usr/sbin/sendmail.sendmail
   5           /usr/sbin/sendmail.postfix
   6           /usr/bin/esmtp-wrapper

Enter to keep the current selection[+], or type selection number:
-> alternatives --display mta | grep currently
 link currently points to /usr/sbin/sendmail.msmtp

The choices depend on what packages are installed on a system; YMMV. The alternatives system admits a notion of priority among candidates; the asterisk above marks the highest-priority MTA. A plus sign indicates the current MTA.

Which Port?

A typical SMTP server listens on port 587 or 465 for messages submitted by an email client. From an end-user's perspective, the salient distinction between these ports is how to choose TLS/SSL settings when configuring an email client. Although wording varies by client, the essential ingredient is "STARTTLS", which names a command in the SMTP protocol. Port 587 requires STARTTLS; port 465 eschews STARTTLS. In Thunderbird's configuration dialog, for example, selecting STARTTLS for Connection security suggests port 587, while selecting SSL/TLS suggests port 465.

Your email provider may offer both ports. In the absence of the provider's guidance on which port to choose, the official standard favors port 587 for the initial submission of an email from a client. But port 465 is a de-facto standard.

Under the hood, port 465 mandates secure communication from the get-go, whereas port 587 adopts a when-ready attitude. For port 465, the client and server first establish a TLS channel and subsequently tunnel the entire SMTP session through that channel. For port 587, the client and server establish their connection and do initial SMTP business in clear text. When the client is ready to submit private data, it issues a STARTTLS request. The client and server then secure their connection with TLS for subsequent communication.

Actually, there's a bit more to the story for port 587. If both parties agree, a client and server may conduct the entire session in clear text over port 587—user name, password, message contents. A rightly wary client may choose to terminate communication with a server that refuses its STARTTLS request, however. And a no-nonsense server may call for a STARTTLS request before it cooperates further with a client.

Port 25 also figures in SMTP, now largely for exchanges between SMTP servers proper. Its former role for email submission has been retired in efforts to quash spam. Many ISPs simply drop traffic addressed to it.

To see what ports your mail server opens, tell nmap to probe ports 25, 465, and 587:

-> nmap -Pn -p T:25,465,587 smtp.gmail.com

PORT    STATE    SERVICE
25/tcp  filtered smtp
465/tcp open     smtps
587/tcp open     submission

You can add option -sV if you want nmap to probe for version information.

You can easily see the operational differences between connections over ports 465 and 587 by observing SMTP sessions in action.

MSMTP

MSMTP is an SMTP client providing a simple drop-in replacement for the Sendmail MTA. It accommodates multiple SMTP providers.

MSMTP conveniently supports both system-wide and user-specific configuration files:

-> msmtp --version | grep 'configuration file'
System configuration file name: /etc/msmtprc
User configuration file name: /home/ray/.msmtprc

You can also select an alternative configuration file with option --file (-C). And you can override settings in configuration files with command-line options. To have msmtp report its final, aggregate configuration, use option --pretend (-P).

MSMTP offers the notion of accounts in support of multiple SMTP providers and multiple configurations for a given SMTP provider. An account is established in a configuration file simply by naming a group of related settings, such as server, port, security, username, etc. A configuration file can establish multiple accounts, including a default account. To send a message from an account other than the default, use option --account (-a).

Use the following settings to have msmtp verify the SMTP server's certificate.

tls            on
tls_certcheck  on
tls_trust_file /etc/ssl/certs/ca-bundle.crt

The file above bundles the certificates of many trusted Certificate Authorities. The certificate presented by the server must chain to one of those authorities. Package ca-certificates installs ca-bundle.crt.

To configure an account connecting to its SMTP server at port 465, include these settings:

port           465
tls            on
tls_starttls   off

Since the connection to port 465 establishes a TLS/SSL channel from the outset, you don't want msmtp to issue a STARTTLS request to the SMTP server.

To configure an account connecting to its SMTP server at port 587, include these settings:

port           587
tls            on
tls_starttls   on

Since the initial channel to port 587 is not encrypted, you want msmtp to issue a STARTTLS request to the SMTP server before exchanging user data.
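The two port recipes above differ only in tls_starttls, while the certificate-check settings are shared. As an added example (not from the page or from msmtp itself), here is a Python parser for a small constructed msmtprc, including a default-account alias, with an audit that flags the settings that would expose credentials: certificate checking off, TLS off, or STARTTLS mismatched to the port.

```python
# Constructed msmtprc (not from the page): the port recipes above plus one weak account.
SAMPLE_MSMTPRC = """
defaults
tls            on
tls_certcheck  on
tls_trust_file /etc/ssl/certs/ca-bundle.crt
account smtps
port           465
tls_starttls   off
account submission
port           587
tls_starttls   on
account sloppy
port           465
tls_certcheck  off
account default : submission
"""

def parse_msmtprc(text):
    """Return {account: settings}; 'defaults' apply to accounts defined after them."""
    defaults, accounts, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # msmtp comments start with '#'
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "defaults":
            cur = defaults
        elif key == "account":
            name, alias, target = value.partition(":")
            if alias:  # "account default : name" aliases an existing account
                accounts[name.strip()] = accounts[target.strip()]
                cur = None
            else:
                cur = accounts[name] = dict(defaults)
        elif cur is not None:
            cur[key] = value
    return accounts

def audit(s):
    """List TLS settings that leave credentials or mail exposed."""
    starttls = s.get("tls_starttls", "on")  # msmtp's default is on
    checks = [
        (s.get("tls") != "on", "tls off: session would run in clear text"),
        (s.get("tls_certcheck") == "off", "tls_certcheck off: any certificate is accepted"),
        (s.get("port") == "465" and starttls != "off", "port 465 needs tls_starttls off"),
        (s.get("port") == "587" and starttls != "on", "port 587 needs tls_starttls on"),
    ]
    return [msg for bad, msg in checks if bad]
```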

Package msmtp does not register with the alternatives system, but you can make the introductions like so:

-> ln -s /usr/bin/msmtp /usr/sbin/sendmail.msmtp 
-> alternatives --install /usr/sbin/sendmail mta /usr/sbin/sendmail.msmtp 100 \
                --slave /usr/share/man/man8/sendmail.8.gz mta-sendmailman /usr/share/man/man1/msmtp.1.gz

Now you can choose msmtp as the default MTA:

-> alternatives --set mta /usr/sbin/sendmail.msmtp
-> sendmail --version | head -1
msmtp version 1.4.32
-> man --where sendmail
/usr/share/man/man1/msmtp.1.gz

If you should later wish to deregister msmtp:

-> alternatives --remove mta /usr/sbin/sendmail.msmtp

sSMTP

sSMTP is an SMTP client. It provides a simple drop-in replacement for the Sendmail MTA.

sSMTP uses a single configuration file, /etc/ssmtp/ssmtp.conf, documented in man page ssmtp.conf(5).

Package ssmtp registers with the alternatives system.

Get SMTP Server Information

You can have msmtp retrieve information about an SMTP server by using option --serverinfo (-S). For example, here it queries the Gmail server on port 587:

-> msmtp --serverinfo --host smtp.gmail.com --port 587 --tls --tls-certcheck=off
SMTP server at smtp.gmail.com (qg-in-f109.1e100.net [74.125.29.109]), port 587:
    smtp.gmail.com ESMTP i36sm2604831qkh.36 - gsmtp
TLS certificate information:
    Owner:
        Common Name: smtp.gmail.com
        Organization: Google Inc
        Locality: Mountain View
        State or Province: California
        Country: US
    Issuer:
        Common Name: Google Internet Authority G2
        Organization: Google Inc
        Country: US
    Validity:
        Activation time: Wed 18 Feb 2015 05:19:56 AM EST
        Expiration time: Wed 30 Dec 2015 07:00:00 PM EST
    Fingerprints:
        SHA1: D3:7C:82:FC:D0:5F:8F:D7:DA:A2:59:8C:42:D7:B2:9F:C1:9F:7E:60
        MD5:  5A:01:9E:79:12:D4:BF:B1:68:79:ED:FA:9E:CD:C0:F5
Capabilities:
    SIZE 35882577:
        Maximum message size is 35882577 bytes = 34.22 MiB
    PIPELINING:
        Support for command grouping for faster transmission
    STARTTLS:
        Support for TLS encryption via the STARTTLS command
    AUTH:
        Supported authentication methods:
        PLAIN LOGIN 

You'll get an abridged report if you omit those TLS options above.
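The Capabilities list above is msmtp's rendering of the server's multi-line 250 reply to EHLO. As an added example (not the page's or msmtp's own code), here is a Python parser for constructed replies of that shape, with the SIZE conversion msmtp prints and the wary-client rule from the port discussion: AUTH (PLAIN and LOGIN both carry the credentials in the clear) is sent only once TLS is active, which on port 587 means STARTTLS must be offered and completed first.

```python
# Constructed EHLO replies, modelled on the Gmail capabilities msmtp printed
# above; the page shows only msmtp's rendering, so the raw wire form is assumed.
EHLO_587 = ("250-smtp.gmail.com at your service\r\n"
            "250-SIZE 35882577\r\n"
            "250-PIPELINING\r\n"
            "250-STARTTLS\r\n"
            "250 AUTH PLAIN LOGIN\r\n")
EHLO_465 = EHLO_587.replace("250-STARTTLS\r\n", "")  # TLS is already up on 465

def parse_ehlo(reply):
    """Return {KEYWORD: [args]} from a multi-line 250 reply to EHLO."""
    lines = reply.strip().splitlines()
    caps = {}
    for i, line in enumerate(lines):
        last = i == len(lines) - 1
        # RFC 5321: "250-" continues the reply, "250 " ends it.
        if not line.startswith("250") or line[3:4] != (" " if last else "-"):
            raise ValueError("malformed EHLO reply line: %r" % line)
        if i == 0:
            continue  # first line is the server's domain plus greeting text
        words = line[4:].split()
        caps[words[0].upper()] = words[1:]
    return caps

def size_limit_mib(caps):
    """Largest accepted message in MiB, rounded as msmtp reports it."""
    args = caps.get("SIZE")
    return round(int(args[0]) / 1048576, 2) if args else None

def next_command(caps, port, tls_active):
    """Decide what a wary client sends after EHLO.

    Credentials go out only once TLS is active: implicitly on 465,
    after a completed STARTTLS on 587. Otherwise the client quits.
    """
    if tls_active:
        return "AUTH" if "AUTH" in caps else "MAIL FROM"
    if port == 465:
        return "QUIT: port 465 must be TLS from the first byte"
    if "STARTTLS" in caps:
        return "STARTTLS"
    return "QUIT: no STARTTLS offered, credentials would travel in clear text"
```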

Here is the Gmail server on port 465 instead of port 587:

-> msmtp --serverinfo --host smtp.gmail.com --port 465 --tls --tls-certcheck=off --tls-starttls=off
SMTP server at smtp.gmail.com (qg-in-f109.1e100.net [74.125.29.109]), port 465:
    smtp.gmail.com ESMTP c88sm2610685qge.26 - gsmtp
TLS certificate information:
    Owner:
        Common Name: smtp.gmail.com
        Organization: Google Inc
        Locality: Mountain View
        State or Province: California
        Country: US
    Issuer:
        Common Name: Google Internet Authority G2
        Organization: Google Inc
        Country: US
    Validity:
        Activation time: Wed 18 Feb 2015 05:19:56 AM EST
        Expiration time: Wed 30 Dec 2015 07:00:00 PM EST
    Fingerprints:
        SHA1: D3:7C:82:FC:D0:5F:8F:D7:DA:A2:59:8C:42:D7:B2:9F:C1:9F:7E:60
        MD5:  5A:01:9E:79:12:D4:BF:B1:68:79:ED:FA:9E:CD:C0:F5
Capabilities:
    SIZE 35882577:
        Maximum message size is 35882577 bytes = 34.22 MiB
    PIPELINING:
        Support for command grouping for faster transmission
    AUTH:
        Supported authentication methods:
        PLAIN LOGIN 

If you omit the TLS options above, you get the silent treatment:

-> time msmtp --serverinfo --host smtp.gmail.com --port 465
msmtp: the server sent an empty reply

real	10m0.084s