Wouldn’t it be nice to get an occasional email from one of your Raspberries when something is wrong? Maybe your filesystem is filling up or the monitoring you’ve set up needs to alert you that some of the network devices are overheating. Back in the day, you could just run Sendmail and pipe some text to your email address. But, because of all the spammers in the world, the email relays have gotten much more stringent of who could just dump email messages on their servers for delivery. If you’ve got a Gmail account, there’s a fairly straightforward way to allow your Raspberries access to your Gmail in a fairly secure fashion.
How Does eMail Work?
There are actually quite a few moving parts to getting a message from your Raspberry to your Gmail account. Whether it be Sendmail or Nagios, is the MUA or “mail user agent”. It puts the email header and body together and then passes it off to an MTA or “mail transport agent”. The MTA must be configured to get the email out the door, off your Raspberry, and out to a mail relay. You can configure that MTA on your server once and forget it. Once you get things working, mail will just work. But we need to make sure that our MTA has a reliable connection to a relay. Gmail offers a great relay service but enforces security. Gone are the days of a simple SMTP connection on port 25! Today, Gmail requires that your incoming connection be secure. There are facilities for highly secure connections for your enterprise and of course cost, but I want to focus on free, secure, and easy.
Luckily, we don’t need to reinvent the wheel to get our email for work. We just need to make sure that our wheel stays in its lane. We’re going to be using TLS to create an encrypted tunnel connection from the MUA to the mail relay at Gmail. Think of the protection offered by ssh with SSL–same game! Once we get there, we will also need to authenticate to Gmail, but we can use our existing Gmail account and password, so no big stretch there.
Sure, all of this sounds like a tall order, but relief is on the way! msmstp is a lightweight (as compared to trying to configure Sendmail) MTA. It’s secure, small, free, and runs quietly in the background. Let’s get a few things installed, and then we can look at configurations. We don’t need to install much:
apt install bsd-mailx msmtp msmtp-mta
If you’re not logged in a root, you’ll need to prepend “sudo ” to this line. Don’t forget “apt update” as a first step to getting your repos in sync.
Configuring Secure eMail
You can follow the default installation methods and install msmtp for one user. I wanted the MTA to be available system-wide. I’m the only user, but there are multiple procs running that might want to get in touch with me! Keep in mind that every email emanating from this Raspberry will be going through your Gmail account.
OK, the config is in /etc/msmtprc and it looks like this:
#Set default values for all accounts. defaults auth on tls on tls_starttls on tls_trust_file /etc/ssl/certs/ca-certificates.crt logfile /var/log/msmtp.log #Gmail settings account gmail host smtp.gmail.com port 587 from email@example.com user yourname password D33pD4arkS3cr3t #Set a default account account default : gmail
In effect, what we’re doing is saying: all users will default to mailing through this account, use TLS, log to file, use Gmail’s SMTP relay on port 587, connecting with our Gmail address by authenticating with our username and password. Secure this file, as there’s a clear text password in it:
chown root:msmtp /etc/msmtprc chmod 640 /etc/msmtprc
Yes, You Can Encrypt Your Password
Passwords for msmtp can be stored in plaintext, encrypted files, or a keyring. Setting up an encrypted key is not hard to do. First, you’ll need a gpg key, then you’ll use that to encrypt your password. So, let’s generate a key:
I just accept all the defaults. Leave the passphrase blank because you won’t be around to enter it. This is being used by automated processes. If you want a REAL key, generate more! Anyways, you’ll need to wiggle your mouse or stir the keyboard to create entropy to help randomize the key. It honestly didn’t take very long on my RPi4…
If you want to see what you’ve got, type the following:
gpg --list-secret-keys --keyid-format LONG
…and you’ll see your new key. Now that you’ve got a key, you can encrypt your password:
gpg --encrypt --output=msmtp-password.gpg --firstname.lastname@example.org
Type in the password that you’re encrypting on the blank line and hit enter. The cursor will move down. Hit CTRL-D to end the process. Move the generated file (msmtp-password.gpg) to /etc/. Edit the password line in your /etc/msmtprc file to reflect the fact that your password is now encrypted:
passwordeval gpg --decrypt /etc/msmtp-password.gpg
Alright! Let’s check our work. Try this simple one-liner to test:
echo "BEEP BEEP" | mailx -s "Subject: This is a test!" email@example.com
You should get an email in your inbox, fairly immediately. If this test works, it should work for anything that tries to email you from this Raspberry! Cool, huh? And we didn’t have to configure Sendmail!
IF you DO get an error
It probably looks like this:
root@mail:~# echo "BEEP BEEP" | mailx -s "Subject: This is a test!" firstname.lastname@example.org send-mail: authentication failed (method PLAIN) send-mail: server message: 535-5.7.8 Username and Password not accepted. Learn more at send-mail: server message: 535 5.7.8 https://support.google.com/mail/?p=BadCredentials f33sm9715130qtb.56 - gsmtp send-mail: could not send mail (account default from /etc/msmtprc) Can't send mail: sendmail process failed with error code 77 root@mail:~#
Remember I mentioned security? Yeah, we’ve got to ratchet down the security at gmail. We have to “Allow less secure apps” in order to get this to work. The first two comments below brought this up. I changed this setting years ago and forgot about it. Let’s go over to google.com and adjust some settings.
Go to Google and sign in and then to Account Settings. It’s in the 9-dots pull-down menu (AKA “the waffle” or the “App Launcher Icon”, next to your picture in the upper right.
Now, from the left hand column menu, choose “Security” (4th item down). Scroll down until you find “Less Secure App Access”.