msmtp 1.8.4 is released
This version adds support for the OAUTHBEARER authentication method and fixes a few minor bugs.
News
Support for OAUTHBEARER / XOAUTH2
The git repository contains new support for the OAUTHBEARER authentication
method, formerly known as XOAUTH2, a method pushed mainly by Google.
This means msmtp can now use an OAuth2 token for authentication by setting
auth oauthbearer in the configuration file. The token is typically
passed to msmtp via the passwordeval command since it changes
regularly.
However, msmtp does not provide a way to generate such a token. This depends on
your mail provider.
Since I do not use this method myself, it would be great if you could test this
feature and maybe document how to generate the necessary token for your mail
provider, so that I can add examples to the documentation.
Looking forward to your feedback!
Source code moved
The source code moved to git.marlam.de, see the updated download instructions.
The reason is that gitlab vanished from Debian stable and there is no working upgrade path
to the version in Debian backports. Sorry for the inconvenience.
msmtp 1.8.3 is released
This version fixes a security problem that affects version 1.8.2 (older versions are not affected):
when the new default value system for tls_trust_file is used, the result
of certificate verification was not properly checked.
Update 2019-02-14: This problem has been assigned CVE-2019-8337. This is the patch that fixes it (included in version 1.8.3).
msmtp 1.8.2 is released
This version simplifies configuration:
- A new
--configure user@example.comoption automatically generates a configuration for the given mail address. This works for domains that publish appropriate SRV records (as they should according to RFC 8314). - You now only need
tls onto activate TLS because there is a new default value fortls_trust_filethat selects the system default trust.
msmtp 1.8.1 is released
This version fixes a bug that broke TLS 1.3 support.
If you do not want to upgrade to the 1.8 series yet but you need TLS 1.3 support, you can apply this patch to msmtp version 1.6.8 or 1.4.32.
msmtp 1.8.0 is released
This is the first release of the new stable release series. Noteworthy changes since 1.6.8:
- A minimal SMTP server called msmtpd was added that listens on the local host
and pipes mails to msmtp (or another program). It is intended to be used with
system services that cannot be configured to call msmtp directly. You can
disable it with the configure option
--without-msmtpd. - Using OpenSSL is discouraged and may not be supported in the future. Please use GnuTLS instead. The reasons are explained here.
- As using GNU SASL is most likely unnecessary, it is disabled by default now. Since everything uses TLS nowadays and thus can use PLAIN authentication, you really only need it for GSSAPI.
- If your system requires a library for IDN support, libidn2 is now used instead of the older libidn.
- The CRAM-MD5 authentication method is marked as obsolete / insecure and will not be chosen automatically anymore.
- The
passwordevalcommand does not require the password to be terminated by a new line character anymore. - The new
logfile_time_formatcommand allows to customize log file time stamps. - Builtin default port numbers are now used instead of consulting /etc/services.
- Support for DJGPP and for systems lacking vasprintf(), mkstemp(), or tmpfile() is removed.
msmtp 1.8.0rc1 is released
This is a release candidate for the upcoming 1.8.x stable release series. The following changes were made:
- A minimal SMTP server called msmtpd was added that listens on the local host
and pipes mails to msmtp (or another program). It is intended to be used with
system services that cannot be configured to call msmtp directly. You can
disable it with the configure option
--without-msmtpd. - Using OpenSSL is discouraged and may not be supported in the future. Please use GnuTLS instead. The reasons are explained here.
- As using GNU SASL is most likely unnecessary, it is disabled by default now. Since everything uses TLS nowadays and thus can use PLAIN authentication, you really only need it for GSSAPI.
- The CRAM-MD5 authentication method is marked as obsolete / insecure and will not be chosen automatically anymore.
- If your system requires a library for IDN support, libidn2 is now used instead of the older libidn.
- Builtin default port numbers are now used instead of consulting /etc/services.
- Support for DJGPP and for systems lacking mkstemp() or tmpfile() is removed.
Using msmtp with OpenSSL is discouraged, please use GnuTLS
It is recommended to use msmtp with GnuTLS instead of OpenSSL. The upcoming version of msmtp will not use OpenSSL automatically anymore, and if you choose it manually, you will get a warning.
The reason for this is that the OpenSSL-related code in msmtp is essentially
unmaintained. I don't work on it myself anymore, and the last time somebody
sent a patch was 8 years ago.
As a result, if you use msmtp with OpenSSL today, you don't get support for
TLS SNI, --tls-priorities, --tls-crl-file, or
--tls-min-dh-prime-bits.
The code is hard to read, maintain, and improve due to severe limitations in the usability and documentation of the OpenSSL API. A few examples:
- With OpenSSL, we need to write our own functions to verify host names and convert
ASN1 times to
time_t. This is insane, as both actions are required by virtually all TLS clients and are hard to get right, see e.g. here and here. Any usable TLS library must provide such functions. I understand that OpenSSL 1.1.0 finally added support for host name verification, but it still leaves you alone with the terrible ASN1 time representation. - Just initializing the library is a complex topic. The OpenSSL wiki has a 1800 word long Wiki page on library initialization. Again, this is insane. If any explicit initialization is required at all, it should be done with one single simple function call.
- We have a function in msmtp that does nothing but try to find out why an OpenSSL input/output error occurred. It has 50 lines of code and has to consult three different error codes from various parts of the OpenSSL API to do just that. Insane.
Complexity is the enemy of security. I have given up on OpenSSL years ago and will not work to improve and update the OpenSSL-related code in msmtp. If someone wants to do that work, I will accept patches, but I will continue to recommend using GnuTLS instead. If the OpenSSL support in msmtp remains in its current state, it will eventually be removed.
New experimental feature: msmtpd, a minimal SMTP server
There is an experimental new feature in the git repository: msmtpd, a minimal SMTP server
that listens on a local interface and pipes each incoming mail to msmtp (or a different program).
It is intended to be used with system services that expect an SMTP server on the local host and
cannot be configured to use the sendmail interface that msmtp provides.
If you are interested, use configure --with-msmtpd to enable it, and let us know
what you think.
msmtp 1.6.8 is released
New in this release:
- Support for TLS Server Name Indication (SNI)
- Support for binding the outgoing connection to a source IP,
using the new
--source-ipoption orsource_ipcommand
msmtp 1.6.7 is released
New in this release:
- Support for
~/.config/msmtp/configas configuration file - Network timeout handling on Windows
- Fixed command line handling of SHA256 TLS fingerprints
- Fixed SIGPIPE handling (affects at least Mac OS X)
- Add french translation, and update german translation
Repository mirror
The main git repository at gitlab.marlam.de/marlam/msmtp is now mirrored at github.com/marlam/msmtp-mirror.
Project moved
After many years, this project moved from Sourceforge to a self-hosted gitlab instance:
https://gitlab.marlam.de/marlam/msmtp.
Older news are stored in the news archive.