Sick of the bloat and unnecessary load of sendmail or even postfix ? Try sSMTP instead.

In conjunction with Google (example, any decent mail service is just as applicable) you can securely ensure your server can notify you as necessary with the smallest overhead possible.

  1. You’re probably already using 2-step sign in (or should be!) so generate a Google application specific password for “ssmtp”

It’s not strictly necessary that you create a unique one for ssmtp though it is a good idea. Remember that password will now be sitting in a plain text file on one or more servers.

2-step auth and application password info,

  1. Configure /etc/ssmtp/ssmtp.conf similar to below,
# /etc/ssmtp/ssmtp.conf<br></br>
[email protected]<br></br><br></br><br></br>
# EOF<br></br>```

Some other information sources regarding sSMTP suggest changing permissions on ssmtp.conf to 0640 or similar, so that only root or possibly users in the group owning the file can read it.

If you do this you will restrict unprivileged user ability to send mail. Alternatively you can setuid on the ssmtp binary (`chmod 4755 /usr/sbin/ssmtp` etc) though this opens up it’s own can of worms.

eg. This is what happens if a user can’t read ssmtp.conf, or the binary isn’t setuid/setgid to get to it either.

[[email protected] ~]$ echo "Test 123 from noprivs" | mail -s "Test 123" username

send-mail: Cannot open mailhub:25

[[email protected] ~]$


/etc/aliases is not used by ssmtp

With the above root= statement all mail for UID’s less than 500 should go to the email address specified there. Google will always use the authenticated user account for the from: ID and not what the sSMTP client sends as the from: ID, so ALL your unprivileged users who can use sSMTP will appear to send from that account. Bear that in mind.

The rewrite statement will help if you have local users who have identically named accounts. Otherwise it may be problematic in causing bounces or delivering mail to people you don’t necessarily want it going to.

Reverse aliases can be set in /etc/ssmtp/revaliases, which is useful for translating specific local accounts to different external mail server accounts so they are not sent via Google.

# /etc/ssmtp/revaliases<br></br>
noprivs:[email protected]:smtp.internal.domain:25<br></br>
# EOF<br></br>```

3. Test

Send using CLI mail command like below,

[[email protected] ~]$ echo "Test 123 from test to nobody" | mail -s "Test 123 from test to nobody" cstubbs

[[email protected] ~]$ exit


[[email protected] ~]# tail /var/log/maillog

Apr 1 08:44:44 server sSMTP[1681]: Creating SSL connection to host

Apr 1 08:44:44 server sSMTP[1681]: SSL connection using RC4-SHA

Apr 1 08:44:50 server sSMTP[1681]: Sent mail for [email protected] (221 2.0.0 closing connection r10sm11827337pbf.22) uid=502 username=test outbytes=548

[[email protected] ~]#


Check inbox,

Received: from server.example.domain (server.example.domain. [])<br></br>
        by with ESMTPS id o7sm11833217pbq.8.2012.<br></br>
        (version=SSLv3 cipher=OTHER);<br></br>
        Sun, 01 Apr 2012 05:46:53 -0700 (PDT)<br></br>
Received: by server.example.domain (sSMTP sendmail emulation); Sun,  1 Apr 2012 08:46:49 -0400<br></br>
From: [email protected]<br></br>
Date: Sun, 01 Apr 2012 08:46:49 -0400<br></br>
To: nobody<br></br>
Subject: Test 123 from test to nobody<br></br>
User-Agent: Heirloom mailx 12.4 7/29/08<br></br>
MIME-Version: 1.0<br></br>
Content-Type: text/plain; charset=us-ascii<br></br>
Content-Transfer-Encoding: 7bit```

Test 123 from test to nobody

You can set the debug option in ssmtp.conf to on in order to get a full plaintext log of the conversation sSMTP has to the remote server/s.

Author image
About colin-stubbs