msmtp / mailx doesn't work on my VPS with gmail, what to do?

Bailando · 2014-08-27 00:20:06

I would like to send notify emails from command line on my VPS. Unfortunately msmtp / mailx doesn't work on my VPS with gmail, what can I do?

My ~/.mailrc:

set from="myemailaddress@gmail.com (myemailaddress@gmail.com)"
set sendmail="/usr/bin/msmtp"
set message-sendmail-extra-arguments="-a gmail"

My ~/.msmptrc:

defaults
logfile /tmp/msmtp.log

# gmail account
account gmail
auth on
host smtp.gmail.com
port 587
user myemailaddress@gmail.com
password mypassword
from myemailaddress@gmail.com
tls on
tls_nocertcheck

# set default account to use (not necessary with single account)
account default : gmail

When I issue this command:

echo "test" | mailx -s "testmail" myotheremailaddress@gmail.com

I get this error message:

authentication failed (method PLAIN)
sendmail: server message: 534-5.7.14 <https://accounts.google.com/ContinueSignIn?sarp=1&scc=1&plt=AKgnsbsa2
sendmail: server message: 534-5.7.14 GdeQQpiZvfgRfSoPgdtmERJksQw94bgoYlxcLdjG08HBtK4awcuIU64e6ad-QgIbFg1w-o
sendmail: server message: 534-5.7.14 YwCNklcy_ElGk0zrgeIyCVKYuPRLqULTKhqF2rNPBkl26dVTAfeE6H_BN02vwFCcknnt3m
sendmail: server message: 534-5.7.14 CNi8g8seAvw7vd6DnCxtXt5h7C0c2h9ftNlFOog2MhjL1rJj9Z1nJQPh-5YmGZIBQL5pcv
sendmail: server message: 534-5.7.14 uVRM2Gw> Please log in via your web browser and then try again.
sendmail: server message: 534-5.7.14 Learn more at
sendmail: server message: 534 5.7.14 https://support.google.com/mail/bin/answer.py?answer=78754 fk9sm7693302wic.4 - gsmtp
sendmail: could not send mail (account default from /home/walaki/.msmtprc)

Last edited by Bailando (2014-08-27 00:21:27)

sdaoden · 2014-09-08 12:35:17

Hello Ballando, i cannot say anything about msmtp, but the mailx variable is "sendmail-arguments", not "message-sendmail-extra-arguments".
However, [1] says that the account argument is also unnecessary if only a single account is defined, so this shouldn't matter (but i dunno).
Note that S-nail (mailx) can deal with SMTP directly, and the Arch Linux Wiki includes a complete example of setting up mailx for use with gmail.com [2].

[1] <http://msmtp.sourceforge.net/doc/msmtp.html>
[2] <https://wiki.archlinux.org/index.php/S-nail>

P.S.: the Google page indicates that the given password is wrong.

weirddan455 · 2014-09-08 14:42:34

Thought I remembered reading that echo messes things up with msmtp. Try saving it to a file and use cat instead.

dif · 2014-09-09 09:15:32

Bailando wrote:

...
My ~/.msmptrc:
...

Is it just a typing mistake (.msmptrc instead of .msmtprc), or is it the name of that file in your system?

sdaoden · 2014-09-09 11:35:37

Ah! Oh! I see now where Ballando got inspired!
mailx has also learned to use encrypted passwords via *agent-shell-lookup*, just see [1].
You seem to be the source of inspiration for quite some people around here..

[1] <https://wiki.archlinux.org/index.php/S-nail>

Alyson Tiago Ferreira · 2015-10-20 17:37:30

I found the solution for server message: 534-5.7.14 on this serverfault question.

I had to enable access to gmail for less secure apps at this page: https://www.google.com/settings/security/lesssecureapps

sdaoden · 2015-10-20 19:16:39

Hi,

no, that is, maybe, but that showed up as

smtp-server: 530-5.5.1 Authentication Required. Learn more at
smtp-server: 530 5.5.1 http://support.google.com/mail/bin/answ … swer=14257 XXXXX - gsmtp

in 2014, and the support link still works.
As the maintainer of S-nail (mailx) -- as stated in its ArchLinux Wiki page i really have no plans to support OAuth 2.0 -- at least directly. And the SASL method for OAuth 2.0 isn't yet standard, nor does S-nail currently support SASL. A future version will likely do so, however, and if ArchLinux considers to include it...

Alyson Tiago Ferreira · 2015-10-20 20:09:50

Thanks for clarifying! So there is no way to authenticate due to missing support of SASL XOAUTH 2.0 by s-nail.

sdaoden · 2015-10-21 10:06:12

Hm. Ok, looking into that again it seems it really made it in August 2015, as RFC 7628:

The main use cases for OAuth 1.0a and OAuth 2.0 have so far focused
on an HTTP-based [RFC7230] environment only. This document
integrates OAuth 1.0a and OAuth 2.0 into non-HTTP-based applications
using the integration into the Simple Authentication and Security
Layer (SASL) [RFC4422].

So then S-nail could support OAuth indirectly if support for SASL would be added.

Regarding Google: i said back last year that this is incitement of the people - i am maybe a "lesser secure app", but if i want to store my password in clear text on my local box then this is my decision. S-nail offers the possibility to load locally encrypted passwords, so the password is in clear text only in main memory of the users local host, the transport over to Google is encrypted with TLS1.2. Why is that lesser secure than using a browser with enabled Javascript and Flash and - short - HTML5? Google says:

There are several ways to make this request, and they vary based on the type of application you are building. For example, a JavaScript application might request an access token using a browser redirect to Google, while an application installed on a device that has no browser uses web service requests.

Some requests require an authentication step where the user logs in with their Google account. After logging in, the user is asked whether they are willing to grant the permissions that your application is requesting. This process is called user consent.

If the user grants the permission, the Google Authorization Server sends your application an access token (or an authorization code that your application can use to obtain an access token). If the user does not grant the permission, the server returns an error.

So this is the same mechanism that the decade-old GSSAPI uses -- the user requests a ticket, which is then available locally and grants permissions to - in this case S-nail.
But ok, i'm fine with yet another authentication mechanism (let aside the trouble of the expert group which designed OAuth2.0, that is a different story). I'm not fine with being declared "lesser secure" because i want to store my password locally. That is my own choice, the freedom of being an unperfected idiot.

Anyway, hacking in SASL support is one of the lesser good ideas at the moment. But since i want to sit back and let S-nail rest in 2016 (to come back with a clear mind, what i hope) i'm thinking about adding SOCKS proxy support for v14.9, which then would allow usage of and over TOR. So this might turn S-nail into a more secure app, then.

sdaoden · 2015-10-21 13:42:08

I haven't tried it, but i have also found "Sign in using App Passwords" [3], which suggests that it should be possible to use any application without "less secure" turned on if you are willing to

1. give Google a phone number,
2. use 2-Step Verification, then
3. create a application specific password (16 characters)
4. use that password instead of your real Google account
password in S-nail.

[3] https://support.google.com/mail/answer/185833?hl=en

sdaoden · 2015-10-21 14:04:24

I've updated the Wiki accordingly, too.
Thanks.

sdaoden · 2015-11-25 19:35:57

FYI, today i saw draft-ietf-oauth-pop-architecture-06.txt fly by:

The OAuth 2.0 bearer token specification, as defined in RFC 6750,
allows any party in possession of a bearer token (a "bearer") to get
access to the associated resources (without demonstrating possession
of a cryptographic key). To prevent misuse, bearer tokens must be
protected from disclosure in transit and at rest.

Some scenarios demand additional security protection whereby a client
needs to demonstrate possession of cryptographic keying material when
accessing a protected resource. This document motivates the
development of the OAuth 2.0 proof-of-possession security mechanism.

I'm still in favour of GSS-API that ArchLinux ships in the standard install, there you simply call kinit(1) and have a -- protected -- local ticket that any application which uses GSS-API can use transparently.

Arch Linux

#1 2014-08-27 00:20:06

msmtp / mailx doesn't work on my VPS with gmail, what to do?

#2 2014-09-08 12:35:17

Re: msmtp / mailx doesn't work on my VPS with gmail, what to do?

#3 2014-09-08 14:42:34

Re: msmtp / mailx doesn't work on my VPS with gmail, what to do?

#4 2014-09-09 09:15:32

Re: msmtp / mailx doesn't work on my VPS with gmail, what to do?

#5 2014-09-09 11:35:37

Re: msmtp / mailx doesn't work on my VPS with gmail, what to do?

#6 2015-10-20 17:37:30

Re: msmtp / mailx doesn't work on my VPS with gmail, what to do?

#7 2015-10-20 19:16:39

Re: msmtp / mailx doesn't work on my VPS with gmail, what to do?

#8 2015-10-20 20:09:50

Re: msmtp / mailx doesn't work on my VPS with gmail, what to do?

#9 2015-10-21 10:06:12

Re: msmtp / mailx doesn't work on my VPS with gmail, what to do?

#10 2015-10-21 13:42:08

Re: msmtp / mailx doesn't work on my VPS with gmail, what to do?

#11 2015-10-21 14:04:24

Re: msmtp / mailx doesn't work on my VPS with gmail, what to do?

#12 2015-11-25 19:35:57

Re: msmtp / mailx doesn't work on my VPS with gmail, what to do?

Board footer