
How to use SSH for secure mail
Mail.app doesn't support SSL or TLS. I don't like sniffable passwords in general and really don't like them when the system has a wireless connection. Here's how to make it easy to tunnel IMAP or POP3 through SSH. As a bonus, SSH supports compression (-C), which may improve your transfer speeds.

SSH tunneling requires a remote server with SSH. This does not need to be the same server you're retrieving mail from - you might ssh into a
login server on the same network as your mail server. MAILSERVER and SSHSERVER refer to the IMAP/POP3 and SSH servers respectively.


Here are the step-by-step instructions:
  1. Set up SSH for password-less connections to your SSH server. The downside to this is that anyone with access to your account on your client will be able to login as you on the SSH server - if this risk is unacceptable, you'll want to skip this item and run the script under the Terminal so you can enter the password instead.

  2. Generate an SSH version 1 or 2 key pair, using ssh-keygen and ssh-keygen -t rsa, respectively. If you choose not to use a password, you might want to use this key only for connecting to the mail server, in which case you should give it a different name than the default.

  3. Add the public key (~/.ssh/keyname.pub) to ~/.ssh/authorized_keys (SSH1) or ~/.ssh/authorized_keys2 (SSH2) on SSHSERVER.

  4. Test using ssh SSHSERVER - you shouldn't need a password to connect.

  5. Install Apple's Script Menu
    • this will enable you to launch a mail session from the menubar
    • this can also be used to return to Mail if you hide the Dock.
    Script Menu is a very useful tool to have in any case.

  6. Store the script below in your Scripts folder (~/Library/Scripts) with a name such as "Secure Mail". Make sure you replace SSHSERVER with the hostname of your SSH server and MAILSERVER with the hostname of your mail server. POP3 users will need to replace 143 with 110.
    #!/bin/tcsh
    # Forward local port 1430 to port 143 on MAILSERVER by way of SSHSERVER.
    # -C compress, -f go to the background after authenticating, -N run no remote command.
    # -L takes localport:remotehost:remoteport; the last argument is the host ssh logs in to,
    # so the mail server goes inside the -L spec and the SSH server goes last.
    setenv SSHCMD "ssh -C -f -N -L 1430:MAILSERVER:143 SSHSERVER"
    setenv SSHCOUNT `ps ax | grep "$SSHCMD" | grep -v grep | wc -l`

    # Only start a new ssh tunnel if we don't have a previous connection
    if ($SSHCOUNT == 0) $SSHCMD

    open /Applications/Mail.app
  7. Edit your Mail preferences to set the server to localhost and the port to 1430.

  8. Quit Mail.

  9. Test by opening "Secure Mail" from the Scripts menu.
[Editor's note: I have not tried this on my machine as of yet.]

7 comments
Won't work in Classic
Authored by: Anonymous on Oct 18, '01 11:46:10AM

If you still use a Classic based mailer (I'm still holding on to Claris Emailer), this stunt won't work. For some reason, the Classic environment and BSD environment don't seem to like sharing localhost connections. My workaround for this was to use MacSSH within Classic to perform the same stunt. Also, Emailer would not accept ed@127.0.0.1 as a valid entry for POP, so I set up a DNS entry for localhost.hintz.org; Emailer is happy with ed@localhost.hintz.org for POP and 127.0.0.1 for SMTP. Kind of annoying to have OpenSSH there and have to use MacSSH in Classic, but that's the way it goes... As for the inevitable comment about migrating to Mail.app, well, I'm just not real happy with it yet. I really wish Apple would open the Emailer source...



But...
Authored by: jldera on Nov 27, '01 07:31:10PM

If I'm to read this correctly, you're secure tunnelling from your Mac to an SSH server, and then doing port forwarding on top of it. So all of my traffic between my Mac and that server is encrypted to SSH standards. However, if I'm then using the SSH server to connect to, say, pop.mydomain.com, any traffic between the server and pop.mydomain.com will remain unencrypted. Am I just confused on how you wrote it, or is that the case? If the latter, then why are you wasting time doing all of this? Just get a provider that has POP over SSL.



But...
Authored by: Anonymous on Jan 03, '02 02:47:26PM
Yes, POP is still sending a cleartext password. In my given example, the cleartext password is going over the encrypted tunnel to the server, and then being transmitted unencrypted over 127.0.0.1. Now, if somebody's sniffing my localhost traffic on my OpenBSD server, my POP password is the least of my worries. ;-) Alternatively, this same method can be applied to a corporate network. Given where I discuss pointing your port forward to another address, the assumption is you have a secured network. In my case, at my place of employment, the corporate network exists behind a firewall, using the RFC1918 space, so the same method can be used to tunnel the cleartext password over the internet, then be used on the secured corporate network.

Basically, you need to do a threat assessment. A secured end-to-end connection, such as an SSL connection like you mention, would be ideal. It's also impossible in Claris Emailer, and likewise other apps I'm sure. Things that come to mind are BBEdit and Dreamweaver, which incorporate ftp functionality (mind you they may support better methods these days; I haven't used the ftp stuff in ages). Assuming you have an app which does not support SSL, port forwarding is one way to work around it. For that matter, in a threat assessment, I can assure you there will be people sniffing 802.11 traffic at MWSF; I am one of them. ;-) In your given example of port forwarding to say a home ssh box, then upstream to the ISP, while there's still risk of sniffing between the home box and the ISP, it's significantly lower than cleartexting over an 802.11 at MWSF. Port forwarding, like all other methods, is just one tool. It should be in your toolbox, but it's up to the individual to make a threat assessment and devise a security policy relevant to the individual threats.

Duh-referred article
Authored by: Anonymous on Jan 03, '02 02:53:18PM
I mention in the above "my example", but then don't link to it. Sorry, brain dead day I guess. Here's the example of which I speak...

SSH1 doesn't support -N
Authored by: phyxeld on May 24, '02 03:03:01PM

Well, seeing how old this thread is, I doubt I'll get a reply, but here goes:

I've been trying to set up a solution as described here, but my ISP only has SSH1 installed. This means the -N option will not work, which means I have to open (and leave open) an interactive shell for each tunnel, which means I can't script it.

I described my problem further in my slashdot journal here:
http://slashdot.org/~phyxeld/journal/8107

Any ideas on a working solution?
Please email me at phyxeld@yahoo.com or reply if you know anything that might help...



Forwarding multiple ports; Terminating?
Authored by: rkarash on Jul 25, '02 09:18:30PM

(Sorry, phyxeld, I don't know the answer to your SSH1 question.)

How do I forward more than one port? I'm guessing that I have more than one -L option in the command string, and this indeed seems to work.

I'm tunneling both the SMTP port (25) and the POP3 port (110).

Also, how do I turn off the SSH tunnels? For example, when I want to put the machine to sleep?



Forwarding multiple ports; Terminating?
Authored by: rkarash on Jul 25, '02 10:37:04PM

Replying to my own msg...

Using brute force, I determine the process id of my ssh process and kill it with

kill -9 pid



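The hint's steps 6 and 9 and rkarash's two questions above (forwarding more than one port, and shutting the tunnel down without reaching for kill -9) can be handled by one POSIX sh script. This is an added example, not the hint's own script and not anything the commenters posted: it relies on OpenSSH's control socket options (-M, -S, -O check, -O exit) and ExitOnForwardFailure, which are newer than this 2002 thread, and the hostnames login.example.org and imap.example.org are placeholders to replace with your SSHSERVER and MAILSERVER.

```shell
#!/bin/sh
# secure-mail.sh (added example): start, stop and check the SSH tunnel that
# Mail talks to. Hostnames below are hypothetical placeholders; override them
# in the environment or edit the defaults.
SSHSERVER="${SSHSERVER:-login.example.org}"    # host you ssh into
MAILSERVER="${MAILSERVER:-imap.example.org}"   # IMAP/POP3 host as seen from SSHSERVER
# One "localport:remotehost:remoteport" triple per forward, space separated.
# POP3 users: use 110 in place of 143. The 2500 -> 25 entry also tunnels outgoing SMTP.
FORWARDS="${FORWARDS:-1430:$MAILSERVER:143 2500:$MAILSERVER:25}"
# OpenSSH control socket; "ssh -O exit" on it tears the tunnel down cleanly.
SOCK="${SOCK:-$HOME/.ssh/secure-mail.sock}"

# Accept only "digits:host:digits"; a malformed triple would otherwise fail inside ssh
# with a less obvious message.
valid_forward() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+:[^:]+:[0-9]+$'
}

# Expand FORWARDS into "-L spec -L spec ..." (the hint's script hard-codes a single -L).
forward_args() {
    _args=""
    for _f in $FORWARDS; do
        _args="${_args:+$_args }-L $_f"
    done
    printf '%s' "$_args"
}

# True when a master ssh process is still serving the control socket.
tunnel_running() {
    [ -S "$SOCK" ] && ssh -S "$SOCK" -O check "$SSHSERVER" >/dev/null 2>&1
}

start_tunnel() {
    if tunnel_running; then
        echo "tunnel already up"
        return 0
    fi
    for _f in $FORWARDS; do
        valid_forward "$_f" || { echo "bad forward spec: $_f" >&2; return 1; }
    done
    mkdir -p "$(dirname "$SOCK")"
    # -C compress, -f background after authentication, -N no remote command,
    # -M/-S create the control master socket. ExitOnForwardFailure makes ssh exit
    # non-zero if a local port is already taken, instead of running with no forward,
    # so Mail cannot quietly end up talking to whatever else is listening on 1430.
    # $(forward_args) is intentionally unquoted so the -L words split.
    ssh -C -f -N -M -S "$SOCK" -o ExitOnForwardFailure=yes $(forward_args) "$SSHSERVER"
}

stop_tunnel() {
    if tunnel_running; then
        ssh -S "$SOCK" -O exit "$SSHSERVER"    # orderly shutdown, no pid hunting or kill -9
    else
        echo "no tunnel running"
    fi
}

case "${1:-}" in
    start)  start_tunnel && open /Applications/Mail.app ;;
    stop)   stop_tunnel ;;
    status) if tunnel_running; then echo "up"; else echo "down"; fi ;;
    "")     ;;   # no command: only define the functions (useful when sourcing)
    *)      echo "usage: $0 start|stop|status" >&2; exit 2 ;;
esac
```

Run `secure-mail.sh start` where the hint's step 9 launches "Secure Mail", `secure-mail.sh status` before putting the machine to sleep, and `secure-mail.sh stop` to close the tunnel; because the master ssh owns every forwarded session, `-O exit` closes all of them together. The `-O check` probe is also what makes `start` safe to run repeatedly, which the hint's `ps | grep` count only approximates.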