07 — Email Relay (msmtp + Gmail)¶
msmtp is a small SMTP client used as a sendmail replacement. It lets the Z2 send outbound email through Gmail's SMTP servers — used by smartd for drive health alerts and any other service that needs to send mail.
Why route through Gmail¶
Major mail providers block messages from residential IPs to fight spam. Sending email directly from a home server to recipients almost always lands in junk folders or gets rejected. Routing through Gmail's SMTP relay (with proper authentication) bypasses this — Gmail trusts itself.
Prerequisites¶
Before configuring msmtp, you need:
- A Gmail account with 2-Factor Authentication enabled
- An app password generated for SMTP access
To generate an app password:
- Go to https://myaccount.google.com/apppasswords
- Create a new app password named "Z2 Mini smartd" (or similar)
- Copy the 16-character password — you only see it once
Installation¶
What each provides:
msmtp— the SMTP clientmsmtp-mta— symlinks/usr/sbin/sendmailto msmtp, so other programs (smartd, cron) use it transparentlymailutils— provides themailcommand for testing
When prompted whether to enable AppArmor support, say Yes. (Important — see "AppArmor configuration" below.)
Configuration file¶
File: /etc/msmtprc
defaults
auth on
tls on
tls_starttls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
account gmail
host smtp.gmail.com
port 587
from gabrielgabrie99@gmail.com
user gabrielgabrie99@gmail.com
password <16-character-app-password>
account default : gmail
Lock down permissions (the file contains your password):
AppArmor configuration¶
Ubuntu's AppArmor security framework restricts what msmtp is allowed to do, even when running as root. The default profile doesn't allow writing to /var/log/msmtp.log, so we need a local override.
File: /etc/apparmor.d/local/usr.bin.msmtp
The rwk permissions are: read, write, lock. All three are needed for msmtp to write logs.
Reload the profile after creating/editing:
Create the log file¶
sudo touch /var/log/msmtp.log
sudo chown root:root /var/log/msmtp.log
sudo chmod 644 /var/log/msmtp.log
Log rotation¶
File: /etc/logrotate.d/msmtp
Keeps 4 weeks of compressed history.
Testing¶
Send a test email through msmtp directly:
Should arrive in your Gmail inbox within a few seconds. Check the log:
You should see a successful entry showing the SMTP transaction.
To test from mail (which is what smartd uses internally via sendmail):
Note: when running as your normal user, msmtp can't read /etc/msmtprc (root-owned). Always test with sudo.
Troubleshooting¶
"cannot log to /var/log/msmtp.log: Permission denied"
AppArmor is blocking the write. Verify the profile:
Look for "DENIED" entries. Make sure /etc/apparmor.d/local/usr.bin.msmtp exists with rwk permissions and the profile has been reloaded.
"cannot lock (tried for 10 seconds): Permission denied"
You have rw but not k (lock) in your AppArmor override. Should be rwk, not rw,.
"authentication failed"
The Gmail app password is wrong, or the account isn't using 2FA. Generate a fresh app password and update /etc/msmtprc.
Connection timeouts
Network blocking outbound port 587. Verify with:
If this fails, the network is the problem (rare on student housing, but possible). Tailscale doesn't help here — outbound SMTP needs to reach Gmail directly.
Verbose debug output:
Shows the entire SMTP conversation, including TLS handshake and any error responses from Gmail.
Password rotation¶
App passwords should be rotated periodically, especially if the password has been seen in logs, screenshots, or chat histories.
- Go to https://myaccount.google.com/apppasswords
- Revoke the existing one
- Generate a new one
- Update
/etc/msmtprcwith the new password - Test:
Files and locations¶
| Purpose | Path |
|---|---|
| Main config | /etc/msmtprc |
| AppArmor override | /etc/apparmor.d/local/usr.bin.msmtp |
| Log | /var/log/msmtp.log |
| Log rotation config | /etc/logrotate.d/msmtp |
| sendmail symlink | /usr/sbin/sendmail → /usr/bin/msmtp |