Why you need this#
When you run a server at home, you need to know if something strange happens. A script that sends you an email when it detects a failed login attempt, an expiring certificate, or a nearly full disk is invaluable. The problem is that your ISP blocks port 25, so you can’t use sendmail directly. That’s where msmtp comes in.
msmtp is a minimalist SMTP client. It’s not a full mail server; it just sends email through external servers such as Gmail. Perfect for cases like ours.
Installation#
On Debian/Ubuntu:
sudo apt-get update
sudo apt-get install msmtp msmtp-mta
The msmtp-mta package is important because it creates a symbolic link that makes other programs think you’re using traditional sendmail.
Basic configuration with Gmail#
Gmail has two options: an app password or using the SMTP protocol directly. I’ll use an app password because it’s more secure and works without enabling “less secure apps”.
First, create an app password on your Google account:
- Go to myaccount.google.com
- Security → App passwords (you need 2FA enabled)
- Select “Mail” and “Other (custom)”
- Gmail generates a 16-character password for you
Now create or edit ~/.msmtprc:
nano ~/.msmtprc
Add this:
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log
account gmail
host smtp.gmail.com
port 587
from tu-email@gmail.com
user tu-email@gmail.com
password tu-contraseña-de-aplicacion
account default : gmail
Critical permissions:
chmod 600 ~/.msmtprc
This is important. If other users can read the file, they can see your password.
Initial test#
Test that it works:
echo "Cuerpo del email" | msmtp -f tu-email@gmail.com tu-email@gmail.com
Check your inbox. If you receive the email, it’s working.
Using msmtp from security scripts#
Now integrate this into your alerts. Here’s a simple example that monitors failed SSH attempts:
#!/bin/bash
# Count the failed SSH password attempts recorded in the auth log
FAILED_ATTEMPTS=$(grep -c "Failed password" /var/log/auth.log)
THRESHOLD=10
if [ "$FAILED_ATTEMPTS" -gt "$THRESHOLD" ]; then
    {
        # msmtp sends the text as-is, so the header name must be the literal "Subject:"
        echo "Subject: ALERTA - Múltiples intentos de acceso SSH fallidos"
        echo ""
        echo "Se detectaron $FAILED_ATTEMPTS intentos fallidos en las últimas 24 horas"
        echo ""
        echo "Últimos intentos:"
        grep "Failed password" /var/log/auth.log | tail -5
    } | msmtp tu-email@gmail.com
fi
Save it in /usr/local/bin/check-ssh-alerts.sh and make it executable:
sudo chmod +x /usr/local/bin/check-ssh-alerts.sh
Automate with cron#
Add to crontab to run every hour:
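sudo crontab -e
0 * * * * /usr/local/bin/check-ssh-alerts.sh
Jobs in root’s crontab run as root, so msmtp reads /root/.msmtprc (or the system-wide /etc/msmtprc), not the file in your own home directory.
Common problems#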
“SMTP Error: 535” → Wrong password. Verify that you used the app password, not your regular Google password.
“TLS connection refused” → Check that the certificate is in the correct path. Use ls /etc/ssl/certs/ca-certificates.crt.
Emails not arriving → Check the log: cat ~/.msmtp.log. Gmail sometimes rejects if it detects suspicious activity.
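Run hourly, the check-ssh-alerts.sh script above counts every "Failed password" line in the file on each run, so the same attempts are reported again every hour. The following added example (not part of the original post) counts only the lines that appeared since the previous run, survives log rotation, and groups failures by source address. The function names, the state file path and the recipient are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post). The state file path and the
# function names are hypothetical.

# new_failures LOG STATE
# Prints "<count> <source-ip>" for failed password lines added to LOG since the
# line offset saved in STATE, then saves the new offset.
new_failures() {
    local log="$1" state="$2" last=0 total
    [ -r "$state" ] && last=$(cat "$state")
    case $last in ''|*[!0-9]*) last=0 ;; esac   # ignore a corrupt state file
    total=$(( $(wc -l < "$log") ))
    [ "$total" -lt "$last" ] && last=0          # log was rotated: start over
    # The user name in the log line is supplied by the remote client and may
    # contain spaces or the word "from", so the address is taken relative to
    # the END of the line: "... from <ip> port <n> ssh2".
    awk -v s="$last" -v e="$total" '
        NR > s && NR <= e && NF >= 5 && /Failed password/ && $(NF-4) == "from" {
            n[$(NF-3)]++
        }
        END { for (ip in n) print n[ip], ip }' "$log" | sort -k1,1nr -k2,2
    echo "$total" > "$state"
}

# build_alert REPORT THRESHOLD
# Prints a full message (Subject header, blank line, body) when the number of
# new failures exceeds THRESHOLD; prints nothing otherwise.
build_alert() {
    local report="$1" threshold="$2" sum
    sum=$(printf '%s\n' "$report" | awk '{ s += $1 } END { print s + 0 }')
    [ "$sum" -gt "$threshold" ] || return 0
    printf 'Subject: ALERT - %s new failed SSH logins\n\n' "$sum"
    printf 'Failures per source address since the last check:\n%s\n' "$report"
}

# Cron usage (state path and recipient are placeholders):
#   report=$(new_failures /var/log/auth.log /var/lib/check-ssh-alerts.offset)
#   msg=$(build_alert "$report" 10)
#   [ -n "$msg" ] && printf '%s\n' "$msg" | msmtp you@example.com
```

The state file should be writable only by the account that runs the check, since its content decides which log lines are skipped.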
Additional security#
If the server runs as a regular user but scripts need to run as root, consider:
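sudo visudo
And add:
nobody ALL=(ALL) NOPASSWD: /usr/local/bin/check-ssh-alerts.sh
This way you run the script without asking for a password in cron. Keep the script owned by root and writable only by root, because anyone who can modify it can then run commands as root.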
Conclusion#
With msmtp you have automatic security alerts in minutes, without the hassle of setting up a full SMTP server. I use it on my home server to monitor iptables changes, expiring certificates, and load spikes. I sleep soundly knowing that something will alert me if there’s a problem.