Tag Archives: openssl

Sending mail on the Linux command line (Ubuntu 18.04)

How to send end-to-end encrypted emails on the Linux command line.

If you want to add attachments, use mutt or mail from GNU Mailutils as the mail client. The following examples use mailx and ssmtp.

Unencrypted mail

Install package "bsd-mailx":

$ sudo apt-get install bsd-mailx

Edit /etc/mail.rc and add the following lines:

set smtp=smtp://mail.example.com
alias root postmaster@example.com

Run mailx:

$ mailx root
Subject: test 
This is a test. 


  • Mail gets sent to postmaster@example.com (see mail.rc).
  • Mail server is mail.example.com (see mail.rc).
  • Email message body is terminated by a single "." as the last line.

Encrypted mail (Inline PGP)

Make sure you can send unencrypted mail (s. "Unencrypted mail" above).

Check that you have GnuPG version 2 installed, and If you haven't done so before, create private and public GnuPG key.

$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
$ gpg --gen-key

Import public PGP key from recipient.

$ gpg --import alice.pub

First sign message (clearsign - ascii signature will be appended to text), then encrypt message, then mail message.

$ echo "Hello Alice, if you can read this your PGP mail client is working." | \
    gpg --clearsign | \
    gpg -a -r alice@example.com --encrypt | \
    mailx -s "PGP encrypted mail test" alice@example.com


  • First sign the message. "gpg --clearsign" uses the default private key to sign message. Check with "gpg -K". Otherwise use option "--default-key bob@example.com" to choose a specific private key.
  • Then encrypt the message. Check with "gpg -k" that recipient is properly added to your GPG keyring.
  • Finally send mail message. Email body is simply the signed and encrypted message text in ASCII format.
  • Email subject will not be encrypted.

Encrypted mail (S/MIME)

Make sure you can send unencrypted mail (s. "Unencrypted mail" above).

You need your own public certificate / private key pair, and the public certificate from the recipient (all in PEM format).

You can get a S/MIME email certificate for free from COMODO. Or you run your own certificate authority. Either way, both your own certificate and your own key need to be in a single file in PEM format (in the following example it is called "bob.pem").


The public certificate of the recipient must be in PEM format too (in the following example it is called "alice.pem"). You can extract it from an email signature if the recipient already sent you a signed email.


Install the package "ssmtp".

$ sudo apt-get install ssmtp

Again (as in the above example for PGP encrypted mail), all commands for signing, encrypting and sending the message can be chained together to a single command line.

$ echo "Hello Alice, if you can read this your S/MIME mail client is working." | \
    openssl smime -sign -signer bob.pem -text | \
    openssl smime -encrypt -from bob.example.com -to alice@example.com -subject "S/MIME encrypted mail test" -aes-256-cbc alice.pem | \
    ssmtp -t


  • Email body is simply the signed and encrypted message text in ASCII format. OpenSSL adds all required headers to it (sender, recipient, subject).
  • If you are using a S/MIME certificate from a public CA (like COMODO) to sign your message, it is easier for the recipient to validate your signature, compared to PGP encrypted emails.
  • You still need the public certificate of the recipient, and make somehow sure that it is authentic.
  • Again, the email subject will not be encrypted.

Security check for postfix (STARTTLS connection)

$ openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 -starttls smtp -verify 3 -verify_return_error -debug -CApath /etc/ssl/certs -connect

"-tls1_2" forces the TLSv1.2 protocol. Make sure protocol and cipher list match.

"-verify 3" enables server certificate verification and sets the length of the certificate chain. In this case there are 3 certificates in the certificate chain, including the root CA. Make sure the public root CA certificate is in the "-CApath" directory. "-verify_return_error" enforces the certificate verification to succeed.

The "-cipher" option specifies the list of ciphers to be transferred to the server. The server then decides which of these ciphers to use. As we only give one cipher, we force the postfix server to only use this one. If the server does not support this cipher, openssl will return with an error.

If everything goes well, you will see a long output from the server (including the protocol and cipher from your openssl command line options) and something like "Verify return code: 0 (ok)". Quit the connection with the postfix server by typing "quit" and hit return.


Create a self-signed certificate for ip address


default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = v3_ca
x509_extensions = v3_ca

countryName = Country
countryName_default = GB
countryName_min = 2
countryName_max = 2
localityName = Locality
localityName_default = London
organizationName = Organization
organizationName_default = Roland Ltd.
organizationalUnitName = OU
organizationalUnitName_default = Roland-OU
commonName = CN
commonName_default =
commonName_max = 64
emailAddress = Email
emailAddress_default = postmaster@local.example
emailAddress_max = 40


# openssl req -newkey rsa -config openssl.conf -days 32 -x509 -out new.cert -keyout new.key

Add the option "-nodes" to avoid having to type in a password for the private key. You will need this e.g. if you use the certificate for Apache and do not want to type in the private key password every time you restart your webserver.

You also might want to add "-sha512" to make the signature algorithm use the SHA512 digest. Otherwise a reasonable default will be used. For Ubuntu 14.04 (OpenSSL 1.0.1f) the default has already been set to SHA256.


Check sasl authentication with Postfix

Create base64 encrypted username and password:

$ echo -ne '\000username\000password' | openssl base64
$ AHl5eQB4eHg=

Start TLS session with mailserver:

$ openssl s_client -connect mailserver:25 -starttls smtp
250 DSN
ehlo test
250-SIZE 20480000
250 DSN
235 2.7.0 Authentication successful

Note that even though we use plain text username and password which are only base64-encoded, they are sent encrypted over the network because of the starttls command line option.