msmtp as PHP mailer - is GPG+passwordeval the best choice here? about msmtp HOT 3 CLOSED

System-wide configurations with passwords can be problematic: any user that can run msmtp and can make it decrypt the password can then make it dump the password in clear text. So whatever method you use, you need to make sure that only www-data is able to decrypt the password, and that other users cannot assume the www-data identity.

Oh, and if AppArmor is in the way, you can disable it with sudo aa-disable /etc/apparmor.d/usr.bin.msmtp.

from msmtp.

whatever method you use, you need to make sure that only www-data is able to decrypt the password

Yes, that is the case.
I guess I don't fully grasp how GPG works - if I use it in the way described, is it safer than storing the password as plaintext in the config file (which is also only readable by www-data)?
Or am I possibly opening an even bigger hole with a key pair without a passphrase, even if it's used only for that one purpose?
GPG's home dir for www-data needs to be writable, otherwise GPG won't work - that is at least one thing that could be safer with an openssl-encrypted password file.

Oh, and if AppArmor is in the way, you can disable it with sudo aa-disable /etc/apparmor.d/usr.bin.msmtp.

I read a few discussions regarding this, and I understand you don't much care for the way Debian packaged msmtp.
However, I think it's a good idea to keep the apparmor profile, but modify it to add openssl to the list of executable helpers.
I have not yet found a way to do this that would survive updates.

from msmtp.

I don't think I can help you with your GPG questions. They are probably better discussed elsewhere since they are not directly related to msmtp. I'll close this now, but feel free to reopen if there is need for further discussion.

from msmtp.