Skip to content

Instantly share code, notes, and snippets.

Created April 16, 2014 14:48
Show Gist options
  • Save chrisgillis/10888032 to your computer and use it in GitHub Desktop.
Save chrisgillis/10888032 to your computer and use it in GitHub Desktop.
Golang SSL SMTP Example
package main
import (
// SSL/TLS Email Example
func main() {
from := mail.Address{"", "username@example.tld"}
to := mail.Address{"", "username@anotherexample.tld"}
subj := "This is the email subject"
body := "This is an example body.\n With two lines."
// Setup headers
headers := make(map[string]string)
headers["From"] = from.String()
headers["To"] = to.String()
headers["Subject"] = subj
// Setup message
message := ""
for k,v := range headers {
message += fmt.Sprintf("%s: %s\r\n", k, v)
message += "\r\n" + body
// Connect to the SMTP Server
servername := "smtp.example.tld:465"
host, _, _ := net.SplitHostPort(servername)
auth := smtp.PlainAuth("","username@example.tld", "password", host)
// TLS config
tlsconfig := &tls.Config {
InsecureSkipVerify: true,
ServerName: host,
// Here is the key, you need to call tls.Dial instead of smtp.Dial
// for smtp servers running on 465 that require an ssl connection
// from the very beginning (no starttls)
conn, err := tls.Dial("tcp", servername, tlsconfig)
if err != nil {
c, err := smtp.NewClient(conn, host)
if err != nil {
// Auth
if err = c.Auth(auth); err != nil {
// To && From
if err = c.Mail(from.Address); err != nil {
if err = c.Rcpt(to.Address); err != nil {
// Data
w, err := c.Data()
if err != nil {
_, err = w.Write([]byte(message))
if err != nil {
err = w.Close()
if err != nil {
Copy link

mununki commented Jun 28, 2019

Awesome! It works perfectly with Daum mail under SSL.
Thank you for sharing your code.

Copy link

asheikm commented Apr 30, 2020

This is a wonderful example you've provided. (Thank you very much!) However, it doesn't work. I get the following error message:

2014/08/16 07:44:45 tls: first record does not look like a TLS handshake
panic: tls: first record does not look like a TLS handshake

goroutine 16 [running]:
runtime.panic(0x18d660, 0xc2080005a0)
/usr/local/go/src/pkg/runtime/panic.c:279 +0xf5
log.Panic(0x671e30, 0x1, 0x1)
/usr/local/go/src/pkg/log/log.go:307 +0xb6
/Users/richardeng/fred.go:52 +0x7a9

Line 52, as in your example, refers to the tls.Dial() call. What's wrong??

(FYI, the servername I'm using is "".)

Please verify if you are using correct port

Copy link

cddmp commented Jan 5, 2021

Please note, this example is prone to man-in-the-middle attacks. InsecureSkipVerify must be set to false, otherwise the server certificate is not being verified. Thus, a mitm attacker can just present any (e.g. self-signed) certificate and the client will silently accept and connect. You don't want that!
See also

You should also add the date header, in order to be conform with RFC 5322:
headers["Date"] = time.Now().Format("Mon, 02 Jan 2006 15:04:05 -0700")

Thanks for the example!

Copy link

demon36 commented Jan 10, 2021

thanks a lot @chrisgillis & @cddmp

Copy link

saphena commented Apr 22, 2021

Works perfectly, thanks for sharing

You can lose the annoying Go Vet warnings about composite literal using unkeyed fields by:-

from := mail.Address{Name:"", Address:"username@example.tld"}
to := mail.Address{Name:"", Address:"username@anotherexample.tld"}

Copy link

This worked for me. Thanks a lot

Copy link

Awesome, thanks for this!

Copy link

afa7789 commented Apr 5, 2022

This indeed works.

Copy link

yngfoxx commented Nov 2, 2022

Generational answer 🫡
Passed on from debugger to debugger

Copy link

didate commented Mar 1, 2023

Work well.

Copy link

Works great!

Copy link

Thanks a lot

Copy link

amitsaha commented Sep 5, 2023

This worked great for STMP. My tls config didn't require the insecure verify as well:

// TLS config
tlsconfig := &tls.Config{
	ServerName: host,

In case someone finds it useful, to send a HTML body, add the following headers:

body := "<html><body><h1>Hello World!</h1></body></html>"

headers["MIME-Version"] = "1.0"
headers["Content-Type"] = "text/html; charset=UTF-8"

Copy link

fritx commented Jul 9, 2024

// Setup message
message := ""
for k,v := range headers {
    message += fmt.Sprintf("%s: %s\r\n", k, v)
message += "\r\n" + body

Should we make the protection for SMTP-header-injection more explicit? like:

// Setup message
message := ""
for k, v := range headers {
	line := fmt.Sprintf("%s: %s", k, v)
	// security assurance: RFC 5321
	if err := validateLine(line); err != nil {
		return err
	message += line + "\r\n"
message += "\r\n" + body

// validateLine checks to see if a line has CR or LF as per RFC 5321.
func validateLine(line string) error {
	if strings.ContainsAny(line, "\n\r") {
		return errors.New("[mailer] smtp: A line must not contain CR or LF")
	return nil

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment