Gmail Workspace / Gmail Suite send e-Mail from server using msmtp

We are in the process of migrating to Gmail, to be able to delegate managing a mail server.

We used ssmtp on our server to email mails before, using our own mail server (Zimbra).

I have now managed to get Gmail Workspace working, and would like to share some pointers on how to do that.

This is done on a Debian / Ubuntu system.

Set up 2 factor authentication

Login to your Google account:

https://myaccount.google.com/

Click on the Security tab and scroll down to 2-step Verification, enable it.

image

You will probably need to provide your mobile phone number to Google or choose another option here.

Set up an App password

Click on “App passwords” below the 2-Step Verification.

Google will require you to sign-in again.

image

(Note I already have an app password set up, your screen might look a bit different in the beginning)

Click on Select app, and select Other (custom name)

image

You can enter any name you like – it is for your reference. For example,

image

Click on Generate

A popup window will appear. Your app password will be shown only this one time, so be sure to copy it.

image

Note that the password is just shown as four segments of four characters each to be easier to read, there will be no spaces in the actual password.

In this case the password is

lwsznhkychasbbrh

Click on Done.

Switch to msmtp

ssmtp is not maintained anymore, and will also possibly have issues connecting to Gmail:

/var/log/syslog:Oct 15 09:52:22 Athena sSMTP[19076]: SSL connection using ECDHE_ECDSA_CHACHA20_POLY1305
/var/log/syslog:Oct 15 09:52:22 Athena sSMTP[19076]: Authorization failed (535 5.7.8 
https://support.google.com/mail/?p=BadCredentials ************.79 – gsmtp)

ssmtp: Authorization failed (535 5.7.8  https://support.google.com/mail/?p=BadCredentials *************.4 – gsmtp)

Apparently the ECDHE auth part might be a problem for some users on newer systems.

The workaround is to switch to msmtp.

Remove ssmtp (all commands run as root)

apt-get purge ssmtp

Install msmtp

apt-get install msmtp msmtp-mta

Set up msmtp

nano /etc/msmtprc

Put in the following data:

defaults
auth           on
tls            on
tls_starttls   on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log

account        gmail
host           smtp.gmail.com
port           587

from           [email protected]
user           [email protected]
password       lwsznhkychasbbrh

account default : gmail

Change your login data (from, user, and password – I have taken lwsznhkychasbbrh from the example above).

Note that you do not need to restart a service or anything like that – the access data will be used for the next email the server tries to send.

Use the app password generated above – your account password will not work:

msmtp: authentication failed (method PLAIN)
msmtp: server message: 534-5.7.9 Application-specific password required. Learn more at
msmtp: server message: 534 5.7.9 
https://support.google.com/mail/?p=InvalidSecondFactor *************.29 – gsmtp
msmtp: could not send mail (account default from /etc/msmtprc)

Also, please note that the app password should be entered without spaces between the characters (as discussed above)

Secure this file (it contains login data!):

chmod 600 /etc/msmtprc

image

Enable Less secure apps

https://admin.google.com/u/2/ac/security/lsa

Unfortunately, you will also need to enable Less secure apps access for your accounts in Google Admin, otherwise you would continue to get the same error message:

msmtp: authentication failed (method PLAIN)
msmtp: server message: 535-5.7.8 Username and Password not accepted. Learn more at
msmtp: server message: 535 5.7.8  https://support.google.com/mail/?p=BadCredentials **********.34 – gsmtp
msmtp: could not send mail (account default from /etc/msmtprc)

image

Change this to “Allow users to manage their access to less secure apps” and click on Save.

Send a test message

If everything works correctly, you can now send a test message:

echo ‘test’ | msmtp [email protected]

If this command returns without an error, then everything works.

Also, if you refresh your App passwords view, you will see that the app password has been used (“last used”):

image

(this might not always be accurate as per my tests, though).

If it would not work, you would get an output similar to the following:

msmtp: authentication failed (method PLAIN)
msmtp: server message: 535-5.7.8 Username and Password not accepted. Learn more at
msmtp: server message: 535 5.7.8 
https://support.google.com/mail/?p=BadCredentials ***********.9 – gsmtp
msmtp: could not send mail (account default from /etc/msmtprc)

Note: This error will also appear if you delete your app password using the trash can icon you can see above. This, by the way is a useful feature of the App passwords: if you suspect a breach, you can simply delete the app password and set up your device with another app password.

If you continue to get this error, check whether you have enabled less secure apps, as I have instructed you to do (above).

Note II: you will get an info about freshly created app passwords in your email account:

image

Note III: you will also get the sent messages in your sent folder:

image

Ref

Bonus

Google mentions their rate limits on this page:

  • 10.000 recipients per day for the SMTP relay service (requires a static IP address or valid G Suite user sign-in)
  • 2.000 messages per day for the Gmail SMTP