PROMO SELL

Tuesday, March 08, 2005

SSH Tunnel using POP3 for IMAP Mail

Who wants to read this
If you have a POP mail account on a remote server, provided by your ISP, work or school, and want to access your mail from your home or local machine through a secure channel.

Please note that I will be referring to POP3 as just POP throughout this article.

Why Secure POP
Normal POP communication sends everything in clear text, including your mail account password. We need a secure channel, so that everything is encrypted between your local machine and the remote mail server. The rationale is the same as using encrypted HTTPS instead of plain HTTP when accessing secure web services.

Check for IMAP with SSL support
IMAP with SSL encrypts the mail communication the same way HTTPS encrypts website communication. Sadly, not all mail servers support this. (My ISP replied to me "at this time we do not provide SSL mail due to stability issues in current implementations".)

If you have SSL mail, all you need to do is configure your mail tool to use SSL. All the popular mail clients (Mozilla/Netscape Mail, Eudora, Outlook Express etc.) support SSL. The SSL option may not be on by default, so edit the Configuration/Settings of your mail client to use SSL.

On Mozilla 0.95/Netscape 6.x Mail:

Select Menu:
Mail -> Mail & Newsgroups Account Settings
From the popup dialog:
Select "Server Settings", check "Use secure connection (SSL)"
Select "Outgoing server (SMTP)", check "Always" for "Use secure connection (SSL)"

If your remote server supports SSH
If you don't know much about SSH, search the web for more information, then download and install SSH on your local machine. Most Linux machines have it installed already.

If you already use SSH (as a secure replacement for telnet/ftp, for example) and just want to know about POP through SSH, jump ahead to the SSH tunnelling section.

The following instructions are for Linux/Unix, but the concept is the same on other platforms; instead of the command line invocations you might use a GUI application.

Run ssh with the hostname or IP address of the mail server. If you get the following response, you cannot use SSH.


$ ssh mail.remoteserver
ssh: connect to address xxx.xxx.xxx.xxx port 22: Connection refused
$

If you can connect to the remote server using SSH, then we can set up a secure tunnel through SSH for your POP communication. The tunnel connects a port on your local machine (say 1234) to the POP3 port (port 110) of your remote server.

$ ssh -P -f -L 1234:remoteserver:110 user@remoteserver sleep 25

-L specifies the port forwarding: port 1234 on the local machine to port 110 on remoteserver.
-f tells SSH to fork and run in the background.
-P allows us to open a non-privileged port, like 1234, which does not require root access (ports higher than 1024).

"sleep 25" is the command executed on the remote server; as long as that command is running on the server, the tunnel is kept open. In the example the connection stays open for 25 seconds; you can specify any duration to sleep.

This is called port forwarding in technical jargon: the local port on your machine simply forwards any communication arriving there to the POP server port. So in the mail tool, when we configure the mail server name, instead of remoteserver:110 we say localhost:1234.

Now you have the POP tunnel to get your mail to your local machine. If you also want to send mail through the SMTP server on the remote machine, you can set up another secure tunnel to the SMTP port (port 25) of the remote mail server as follows.


$ ssh -P -f -L 1235:remoteserver.net:25 user@remoteserver sleep 25

Test the tunnel
Once you have set up the tunnels as explained above, test whether they are connecting correctly by telnetting to the tunnel ports.

First test the incoming POP tunnel. After connecting, if you see the name of your remote server then your tunnel is working. Press the escape character "ctrl+]" to get to the telnet prompt and then type "close" to exit.



$ telnet localhost 1234
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK QPOP (version 3.1.2) at remoteserver.net starting.
^]

telnet> close
Connection closed.
$

Now check the same for the outbound tunnel. Type "quit" to close the connection.



$ telnet localhost 1235
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 remoteserver.net ESMTP Sendmail 8.8.6/8.8.2; Thu, 6 Dec 2001 22:24:54 -0800

quit
Connection closed by foreign host.
$
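The two telnet checks above, automated as an added example that is not part of the original post: it reads the greeting through the local tunnel port, checks that it looks like POP3 ("+OK") or SMTP ("220") and, as the post's manual test does, that it names the remote server, then sends QUIT. fake_server is a constructed stand-in for the remote mail server so the code runs offline; the ports 1234 and 1235 and the name remoteserver.net are the post's.

```python
import socket
import threading

# First token of a healthy greeting: POP3 answers "+OK ...", SMTP "220 ...".
GREETINGS = {"pop3": "+OK", "smtp": "220"}

def probe_tunnel(port, proto, expect_host=None, host="127.0.0.1", timeout=5.0):
    """Read the mail server greeting through the local tunnel port and QUIT.
    Returns the greeting; raises OSError (tunnel down) or RuntimeError
    (something other than the expected mail server answered)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("rb")
        greeting = rd.readline().decode("ascii", "replace").rstrip("\r\n")
        if not greeting.startswith(GREETINGS[proto]):
            raise RuntimeError(f"unexpected {proto} greeting: {greeting!r}")
        if expect_host and expect_host not in greeting:  # the post's manual check
            raise RuntimeError(f"{expect_host} not in greeting: {greeting!r}")
        s.sendall(b"QUIT\r\n")
        rd.readline()  # "+OK ..." or "221 ..." goodbye line
        return greeting

def tunnel_ok(port, proto, expect_host=None):
    """True when the forwarded port answers like the expected mail server."""
    try:
        probe_tunnel(port, proto, expect_host)
        return True
    except (OSError, RuntimeError):
        return False

def fake_server(banner):
    """Constructed stand-in for the remote mail server so the example runs
    offline: serves one connection on a random port and returns that port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        try:
            with conn:
                conn.sendall(banner.encode("ascii") + b"\r\n")
                conn.recv(64)  # the QUIT, or EOF if the client gave up
                conn.sendall(b"221 bye\r\n" if banner.startswith("220") else b"+OK bye\r\n")
        except OSError:
            pass

    threading.Thread(target=run, daemon=True).start()
    return port
```

Against the real tunnels from the post, call tunnel_ok(1234, "pop3", "remoteserver.net") and tunnel_ok(1235, "smtp", "remoteserver.net"); a refused connection means the ssh command (or its sleep) has already exited.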

Mail tool configuration
In the settings/configuration for the incoming POP server, specify localhost as the server and 1234 as the port. For the outgoing SMTP mail server, specify localhost as the server and 1235 as the port. And make sure you enable the tunnels before getting or sending mail.

One click tunnelling
I have put the above commands into shell scripts for convenience. And to make it even easier I have created a desktop shortcut on my Linux workstation, which brings up the scripts inside a small xterm window. So whenever I need to get or send mail, I just click on the desktop icon and type in the password/passphrase in the xterm that pops up with the tunnel script.

These are the scripts I use; you can either use these or create your own to suit your needs.


$ cat getmail.sh
#!/bin/sh
# Hold a POP3 tunnel (local 1234 -> mail.foo.net:110) open for DELAY seconds.
DELAY=300
# Show any ssh tunnel already forwarding port 1234 (ignoring this grep and sshd).
ps -ef | grep -i ssh | grep 1234 | grep -v grep | grep -v sshd
echo ""
ssh -P -f -L 1234:mail.foo.net:110 user@foo.net sleep $DELAY
sleep $DELAY
$

$ cat putmail.sh
#!/bin/sh
# Hold an SMTP tunnel (local 1235 -> mail.foo.net:25) open for DELAY seconds.
DELAY=300
# Show any ssh tunnel already forwarding port 1235 (ignoring this grep and sshd).
ps -ef | grep -i ssh | grep 1235 | grep -v grep | grep -v sshd
echo ""
ssh -P -f -L 1235:mail.foo.net:25 user@foo.net sleep $DELAY
sleep $DELAY
$

$ cat tunnel.sh
#!/bin/sh
# Open each tunnel script in its own small, colour-coded xterm window.
xterm -geometry 60x5+60+10 -bg red -fg white \
    -T 'local:1234]==[110:mail.foo.net]' -e /home/foo/bin/getmail.sh &
xterm -geometry 60x5+60+110 -bg green -fg black \
    -T 'local:1235]==[ 25:mail.foo.net]' -e /home/foo/bin/putmail.sh &
$
