Getting email off your Linux server with ssmtp and yandex

linux_mailA quick note to self about configuration of servers with ssmtp and yandex mail service (any other would work too, of course). I keep forgetting how it is done and keep spending time looking about so here goes the summary.

Install ssmtp package, if missing, install also bsd-mailx.

Configuration for ssmtp goes into /etc/ssmtp/ssmtp.conf

MailHub=smtp.yandex.ru:587 # Provider SMTP server hostname and port
UseStartTLS=YES # Secure connection (SSL/TLS)
FromLineOverride=YES # Force the From: line
Hostname=example.com # The name of this host
RewriteDomain=example.com # The host the mail appears to be coming from
Root=webmaster@example.com # Redirect mail for root@ to webmaster@example.com
AuthUser=webmaster@example.com # Provider mail account
AuthPass=password # The password for the mail account

Note that it is not UseTLS anymore but UseStartTLS, otherwise you’ll get

May 25 18:47:18 example sSMTP[315]: Creating SSL connection to host
May 25 18:47:18 example sSMTP[315]: SSL connection using (null)
May 25 18:47:18 example sSMTP[315]: Cannot open smtp.yandex.ru:587

Now all of the accounts that send email must be mentioned in the /etc/ssmtp/revaliases file and be mapped to this existing account at the provider:

root:webmaster@example.com:smtp.yandex.ru
www-data:webmaster@example.com:smtp.yandex.ru
cron:webmaster@example.com:smtp.yandex.ru

Now we have a working configuration but the password for the service is exposed in a world-readable config file. To fix that, we create a new group:

groupadd ssmtp

Change the ownership of both the config file and the sSMTP binary to this group:

chown :ssmtp /etc/ssmtp/ssmtp.conf

chown :ssmtp /usr/sbin/ssmtp

Set the SGID bit for the binary so that others invoking it get the proper permissions:

chmod g+s /usr/sbin/ssmtp

And restrict the permissions of the config file:

chmod 640 /etc/ssmtp/ssmtp.conf

Now everything should work like a charm… unless I forgot something again :)

Leave a Reply

Your email address will not be published. Required fields are marked *