How to install and configure MSMTP on OSX?

Asked 12/1, 2019 at 11:58 Answered 19/4, 2023 at 1:59

Following the instructions on ArchLinux to install and configure msmtp does not work. The file /etc/ssl/certs/ca-certificates.crt or anything like it is missing, and trying to use msmtp to send mail will result in a certificate error.

What is an alternate configuration for OSX High Sierra so that msmtp can be used to send mail like in the tutorial?

Note: I answered this question for myself some time ago and decided it's useful and worth sharing, so I created this question and answer. It would be nice if someone with more knowledge of certificates and fingerprints could provide a higher quality answer with more detail and background information about the difference between using a certificate or a fingerprint, for example.

Note years later: I know it's a self answered Q/A but this has 1k views so maybe remember to upvote a useful Q/A.

Ladylove answered 12/1, 2019 at 11:58 Comment(0)

An alternative method that works for me and avoids the issue of the tls_fingerprint expiring.

Use MacPorts to install the curl CA bundle:

sudo port install curl-ca-bundle

Locate the bundle:

port contents curl-ca-bundle

Port curl-ca-bundle contains:
  /opt/local/etc/openssl/cert.pem
  /opt/local/share/curl/curl-ca-bundle.crt

Add the following line to .msmptrc

tls_trust_file /opt/local/share/curl/curl-ca-bundle.crt

It works:

Hatchet:~ me$ mail [email protected]
Subject: Hi Mike
done
.
EOT

No error. From the log file:

exitcode=EX_OK

Croesus answered 19/4, 2023 at 1:59 Comment(2)

Confirming that this works very nicely on 10.9.5 (Mavericks), and avoids the problem of expiring tls fingerprints. – Indign 12/8, 2023 at 13:5

Great! Finally someone got annoyed enough by expiring fingerprints to find the proper answer :) – Ladylove 14/8, 2023 at 6:19

You can use the tls_fingerprint field in ~/.msmtprc instead of tls_trust_file. To generate the field value for tls_fingerprint, you can run the command

msmtp --serverinfo --tls --tls-certcheck=off --host=smtp.gmail.com --port=587 | egrep -o "([0-9A-Za-z]{2}:){31}[0-9A-Za-z]{2}"

tls_fingerprint and tls_trust_file are mutually exclusive, so do not try to use both, or msmtp will have a configuration error.

Here is a script you can run to install and configure msmtp for use with a gmail account on either Ubuntu 18 or Mac OSX High Sierra.

Ladylove answered 12/1, 2019 at 12:2 Comment(1)

The caveat on this method is that the tls_fingerprint expires after what seems to be a random length of time. When mail stops working you have to generate a new fingerprint. There must be a better way. – Croesus 19/4, 2023 at 0:2