
Secure POP and SMTP email via SSH Internet

Now that I have a laptop and a wireless ethernet card (YAY!), I want to check my email from public wi-fi points like the café down the street. But POP and SMTP send my password in cleartext, which I obviously don't want other people on the same wi-fi point to sniff. The solution? SSH port forwarding.

Prerequisites:
I will assume you are able to ssh into your server and therefore have a login and password and know your server's address. (If you have a commercial webhost hosting your website and email, ask them to enable SSH login for you.) I also assume the machine you ssh into is the mail server itself: the ssh server decrypts the forwarded connection and then connects onward to the POP and SMTP ports in the clear, so if it is a different machine, that last hop is unencrypted and should only cross a network you trust.

Step 1
Open Terminal, type:

ssh -L 55110:mail.yourdomainname.com:110 SSHlogin@mail.yourdomainname.com
(Replace "mail.yourdomainname.com" with your POP3 mailserver address. And replace "SSHlogin" with your ssh login.)
Then enter your password at the prompt.

Step 2
Open new Terminal window, type:

ssh -L 5525:mail.yourdomainname.com:25 SSHlogin@mail.yourdomainname.com
(Replace "mail.yourdomainname.com" with your SMTP mailserver address. And replace "SSHlogin" with your ssh login.)
Then enter your password at the prompt.

Step 3
In your email program edit your account to these settings:

POP server: 127.0.0.1
Use special port: 55110

SMTP server: 127.0.0.1
Use special port: 5525

Note: if your email program does not have a separate input box for a special port number, you may have to enter the above information in this format:

POP server: 127.0.0.1:55110
SMTP server: 127.0.0.1:5525

Step 4
Check your email without fear. Yay! (Or at least with less fear. Perfect security is impossible, right?)
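
The three steps above as one script, added here as an example and not part of the original hint. It opens a single ssh session carrying both forwards instead of two Terminal windows, refuses local ports below 1024 (which would need sudo, as explained further down), asks ssh to give up rather than background itself if a forward cannot be bound, and then reads the POP3 greeting through the tunnel to confirm the forward really reaches the mail server before you point your mail client at it. The host name, login and port numbers are placeholders, and `ExitOnForwardFailure` is an OpenSSH client option assumed to be available in your ssh.

```shell
#!/bin/bash
# Added example: one ssh session for the POP3 and SMTP forwards of Steps 1 and 2,
# with a check that the POP3 forward answers. Placeholders below are yours to change.

MAILHOST='mail.yourdomainname.com'   # placeholder: your mail server, which is also the ssh server
SSHLOGIN='SSHlogin'                  # placeholder: your ssh login
POP_LOCAL=55110                      # local listening ports: "55" in front of the standard port
SMTP_LOCAL=5525

# Ports below 1024 can only be bound by root, so refuse them instead of needing sudo.
local_port_ok() {
        case "$1" in
                ''|*[!0-9]*) return 1 ;;      # not a number
        esac
        [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh command line for a login, a host and any number of "localport:remoteport" pairs.
# The remote side of each forward is the mail host itself, exactly as in Steps 1 and 2.
# -N: no remote shell, just forward; -f: go to background after authentication;
# ExitOnForwardFailure: fail loudly if a local port is already taken.
tunnel_cmd() {
        login="$1"; host="$2"; shift 2
        cmd="ssh -N -f -o ExitOnForwardFailure=yes"
        for pair in "$@"; do
                lport="${pair%%:*}"; rport="${pair##*:}"
                cmd="$cmd -L ${lport}:${host}:${rport}"
        done
        echo "$cmd ${login}@${host}"
}

# Read the POP3 greeting through the local forward; a POP3 server answers "+OK ...".
# Uses bash's /dev/tcp so no extra tools are needed; returns 1 if nothing sensible answered.
pop_banner() {
        exec 3<>"/dev/tcp/127.0.0.1/$1" 2>/dev/null || return 1
        read -r -t 5 banner <&3
        printf 'QUIT\r\n' >&3
        exec 3>&- 3<&-
        case "$banner" in
                +OK*) echo "$banner"; return 0 ;;
                *)    echo "unexpected greeting: $banner" >&2; return 1 ;;
        esac
}

main() {
        for p in "$POP_LOCAL" "$SMTP_LOCAL"; do
                local_port_ok "$p" || { echo "local port $p is not usable without root" >&2; exit 1; }
        done
        cmd=$(tunnel_cmd "$SSHLOGIN" "$MAILHOST" "$POP_LOCAL:110" "$SMTP_LOCAL:25")
        echo "running: $cmd"
        $cmd || { echo "ssh failed to set up the forwards" >&2; exit 1; }   # prompts for your password
        pop_banner "$POP_LOCAL" || exit 1
        echo "Mail client settings: POP 127.0.0.1:$POP_LOCAL  SMTP 127.0.0.1:$SMTP_LOCAL"
}

# "bash tunnel.sh start" runs it; with no argument the functions are only defined.
case "$1" in
        start) main ;;
esac
```

Save it as tunnel.sh and run `bash tunnel.sh start`; the POP3 greeting printed at the end comes from your real mail server through the tunnel, so if you see it, the mail client settings of Step 3 will work.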

For the non-believers: If you don't believe POP3 and SMTP are sending your passwords in clear text, download tcpflow and then type this command in Terminal:

sudo /usr/local/bin/tcpflow -i en0 -c
Now check your email. Try this with and without SSH to make sure it's working. ("control+c" will stop the tcpflow command.)
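
To make the cleartext claim concrete, here is an added example (not from the original hint) that filters a capture rendered as text, the way `tcpflow -c` prints it, for the POP3 USER and PASS commands and for SMTP AUTH PLAIN logins. SMTP clients that authenticate send the password base64-encoded in AUTH PLAIN, and base64 is an encoding, not encryption, so the script decodes it too. The capture excerpt embedded in the script is constructed, and the `alice` / `s3cret` credentials in it are made up; the `base64` fallback handles both the GNU (`-d`) and older macOS (`-D`) flags.

```shell
#!/bin/bash
# Added example: pull cleartext POP3 and SMTP credentials out of a capture shown as text.
# Feed it tcpflow -c output (or any dump where the mail commands start the line).

# Decode base64 with whichever flag the local base64 understands (GNU -d, older macOS -D).
b64decode() {
        printf '%s\n' "$1" | base64 -d 2>/dev/null \
                || printf '%s\n' "$1" | base64 -D 2>/dev/null
}

# AUTH PLAIN carries "[authzid]\0authcid\0password" in base64: the NUL separators become
# newlines, so the login is always line 2 and the password line 3 whether or not an authzid is present.
decode_plain() {
        b64decode "$1" | tr '\000' '\n' \
                | awk 'NR==2{u=$0} NR==3{p=$0} END{print "SMTP AUTH PLAIN user=" u " pass=" p}'
}

# Read capture text on stdin and print every credential sent in the clear.
cleartext_creds() {
        cr=$(printf '\r')
        while IFS= read -r line; do
                line=${line%"$cr"}                      # mail protocols end lines with CRLF
                case "$line" in
                        "USER "*)        echo "POP3 USER ${line#USER }" ;;
                        "PASS "*)        echo "POP3 PASS ${line#PASS }" ;;
                        "AUTH PLAIN "*)  decode_plain "${line#AUTH PLAIN }" ;;
                esac
        done
}

# Constructed sample of what a sniffer sees for one POP3 login and one SMTP login,
# both without the ssh tunnel. The credentials are made up.
SAMPLE_CAPTURE='+OK POP3 server ready
USER alice
+OK
PASS s3cret
+OK logged in
STAT
220 mail.example.com ESMTP
EHLO laptop
AUTH PLAIN AGFsaWNlAHMzY3JldA==
235 Authentication successful'

# "bash creds.sh demo" runs the sample; "... | bash creds.sh scan" filters a live capture.
case "$1" in
        demo) printf '%s\n' "$SAMPLE_CAPTURE" | cleartext_creds ;;
        scan) cleartext_creds ;;
esac
```

Against the sample the script prints the POP3 user and password and the decoded SMTP login. On a live capture, `sudo tcpflow -c -i en0 port 110 or port 25 | bash creds.sh scan` shows the same lines while your mail client polls without the tunnel, and nothing at all once the client talks to 127.0.0.1 through ssh, because the only traffic left on en0 is the encrypted port 22 session.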

Benefit even from my home DSL connection:
My DSL static IP no longer appears in the headers of email I send. In its place is the IP address of my email server, because the SMTP connection the server sees now originates from the ssh server rather than from my laptop. I like this because I don't always want everyone I send an email to knowing my static IP address.

A note about the ports I chose:
I chose not to listen on the standard POP and SMTP ports (110 and 25) locally because doing so would require sudo at the beginning of each command (binding a local listener on a port below 1024 requires root privileges). To make the numbers easy to remember, I simply put a "55" in front of each standard port number, thus "110" became "55110" and "25" became "5525".

Endnote:
I was originally hoping after posting this hint, someone would leave a comment telling me how to automate this. But I just stumbled upon a nice little freeware app that will do the trick: SSH Tunnel Manager.

Secure FTP:
Also, I've been using SSH Tunnel Manager to set up an FTP forward (using my same port strategy: 5521) so I can use Dreamweaver's built-in FTP more securely. Macromedia even has a tutorial for this. There are other clients (Interarchy, RBrowser, etc.) that support SFTP, which is a separate file-transfer protocol carried inside SSH rather than FTP pushed through a tunnel, but if you need and/or want to use Dreamweaver's built-in FTP, then SSH Tunnel Manager does the trick. One caveat: forwarding port 21 protects only FTP's control connection, i.e. your login and the commands; the separate data connections FTP opens for directory listings and file transfers are not covered by the tunnel.


21 comments
Some E-mail Hosts Offers Secure Connections
Authored by: luhmann on Jul 23, '03 10:53:34AM
You could also look for an e-mail host that offers secure connections for POP, IMAP, and SMTP. I use Luxsci.com.

Secure POP and SMTP Email via SSH (final update)
Authored by: atverd on Jul 23, '03 10:54:35AM

Port forwarding is one of the best SSH features.
And actually you don't need to open a separate connection for each port.

ssh name@domain.com -L55110:127.0.0.1:110 -L55025:127.0.0.1:25

will work fine.



Secure POP and SMTP Email via SSH (final update)
Authored by: kyngchaos on Jul 23, '03 11:46:37AM

shouldn't that be

ssh -L55110:mail.yourdomainname.com:110 -L55025:mail.yourdomainname.com:25 name@domain.com

like the original tip? the domain of the -L option is for the mail server, not the localhost. Unless your mail server happens to be on your Mac.



Secure POP and SMTP Email via SSH (final update)
Authored by: atverd on Jul 23, '03 12:26:20PM

No, in parameter -L you specify the IP as seen from the REMOTE machine.
-L55110:127.0.0.1:110 means "listen on port 55110 and if there is a connection, open a connection from the remote end to 127.0.0.1:110 and transfer stuff to it over ssh".

Just try it, it will work and this way is more secure, because on remote machine you can enable pop3 to listen only on 127.0.0.1, so it's not exposed to outside world.



not really secure
Authored by: macubergeek on Jul 23, '03 07:37:52PM

While the connection between you and your ISP's mailserver is encrypted the mail remains "in the clear" as it passes over the Internet backbone. PGP is the answer if you're worried about security.



without an ssh login on your mail box
Authored by: deeraeya on Jul 23, '03 11:40:36AM
For a long time I didn't have shell access to the machine on which I was getting my email. For example my university email was accessed by POP but I didn't have ssh access to that account. So I thought that ssh forwarding couldn't help me.

But it turned out that it could have. Sure it is not a secure tunnel all the way but it does help with wireless networks.

laptop --- basestation --- wiredbox --- mailserver

If you have a wired-box off the wireless segment which you can ssh to, say your home cable box or an account on a friend's, then you can tunnel so that the wiredbox acts as a proxy to your mailserver - the section between the wiredbox and the mail-server is not encrypted though! So it isn't really all that great but it does protect against the casual wireless sniffer.

Again - the password will be in **plaintext** between the box you ssh to and your mailserver.

This works for me:

ssh -L 11011:mailbox.uni.edu:110 -N sshid@mysshloginbox.com &

This says to forward localhost:11011 -> mailbox.uni.edu:110 _via_ mysshloginbox.com (-N says "don't execute any commands - just forward")

Notice that the difference between this line and the ones above is that there are two different server names in the line.

I had read the "secure pop over ssh" tip a million times before really reading the ssh forwarding syntax. I was pretty chuffed to see this. It can probably be adjusted for SMTP sending as well but I haven't tested this.

This is also very useful for corporate firewall situations in which 110 and 25 are blocked but, by geek demand, 22 is open ;)


Secure POP and SMTP Email via SSH (final update)
Authored by: breen on Jul 23, '03 12:31:35PM

A warning of sorts here: I just read a story in this morning's paper (no link, sorry) about some lowlife who managed to install a keystroke logger on several public terminals at Kinko's. He was able to profit from knowing people's passwords.

If you're logging in, even over ssh, with a password you're vulnerable to this.

Consider setting up an ssh public key and storing it on one of those mini-USB disks (I think I got the idea from a posting here!) and using that to log in. It's not completely portable, but better than risking your passwords.

[Note to self: remember to take the damn USB thingie with you!]

Breen



Secure POP and SMTP Email via SSH (final update)
Authored by: jeffiel on Jul 23, '03 12:32:40PM
I've been doing this for a while, and wrote a shell script to automate the starting and stopping of the tunnel. FYI, you don't want multiple copies of the tunnel running simultaneously, so this script can also be used to start, stop, and restart the tunnel properly.
#!/bin/bash
# Start, stop or restart an ssh tunnel for SMTP and IMAP:
# local port 2025 -> mailhost:25 (SMTP), local port 2143 -> mailhost:143 (IMAP)

MAILHOST='YOUR_MAIL_HOST'
USERNAME='YOUR_MAIL_ACCOUNT'

# to use public/private key file for authentication, provide the filename of your private key here
# (leave it empty to be prompted for your password instead)
PRIVATE_KEY_FILE='PATH_TO_A_PRIVATE_KEY'

KEY_OPT=""
if [ -n "$PRIVATE_KEY_FILE" ]
then
        KEY_OPT="-i $PRIVATE_KEY_FILE"
fi

# Print the PID of the running tunnel, if any, by matching its command line in the ps output.
tunnel_pid() {
        ps ax -o pid= -o command= | grep -- "ssh -l $USERNAME" \
                | grep -- "-L 2025:127.0.0.1:25" | grep -v 'grep' | awk '{print $1}'
}

# Kill the running tunnel, if any; returns 1 if there was none.
stop_tunnel() {
        PID=`tunnel_pid`
        if [ "${PID}" != "" ]; then
                kill $PID
                echo "Stopped process" $PID
                return 0
        fi
        return 1
}

if [ -n "$1" ]
then
        do=$1
else
        do=start
fi

case "$do" in
        start)
                # only one copy of the tunnel should run at a time, so stop any old one first
                stop_tunnel

                # -N: no remote command, just forward ports; -f: go to background once authenticated
                ssh -l $USERNAME $KEY_OPT -L 2025:127.0.0.1:25 -L 2143:127.0.0.1:143 -N -f $MAILHOST

                PID=`tunnel_pid`
                if [ "${PID}" != "" ]; then
                        echo "Started new process" $PID
                else
                        echo "Failed to start tunnel"
                        exit 1
                fi
        ;;

        stop)
                stop_tunnel || echo "Failed to find PID"
        ;;

        *)
                echo "Usage: $0 (start|stop)"
                exit 1
        ;;
esac


Usage notes:
  • Called with no args, it will start (or restart) the tunnel
  • Called with the argument stop will kill the tunnel
  • Make sure to chmod u+x the file after you save it, preferably to a bin directory in your path, such as /usr/bin or /usr/local/bin.
  • You can add an optional keyfile to use public/private key encryption instead of a password. Setting up key encryption with SSH is a pain in the ass, and your ISP may or may not allow it. Seek other references on setting this up.


Secure POP and SMTP Email via SSH (final update)
Authored by: jeffiel on Jul 23, '03 12:34:12PM

Oh yes, and my script uses local ports 2025 and 2143. Make changes to your mail client appropriately.



Secure POP and SMTP Email via SSH (final update)
Authored by: kakilaki on Nov 18, '04 12:13:12AM

Hi,

I used your code to try and open a port and send mail from Mail on OS X 10.3 via my University email address. I used it to log onto my desktop in Uni as the main mail server does not listen for ports. However, whenever I try and send mail it comes up with the same error as if I wasn't using port forwarding. Is this something I have to set up in Mail or is the University blocking this option and how do I check?

Thanks very much



Configure port forwards more easily
Authored by: don4r on Jul 23, '03 12:34:52PM
Instead of typing the -L55110:ip.ad.dr.es:110, you can create ~/.ssh/config and add something like the following:

Host my.mail.server
    User userName
    LocalForward 55110 ip.ad.dr.es:110

You can have multiple LocalForward lines as well.

Use ssh-agent and aliases
Authored by: Anonymous on Jul 23, '03 12:44:52PM

Setup ssh-agent (search this site for plenty of different ways to do this). This will allow passwordless logins. Put the ssh command in your ~/.cshrc file:

alias smtp 'ssh mymailhost.domain.com -C -L 6110:127.0.0.1:110 -L 2525:127.0.0.1:25'

Or, for a background connection on a hardwired machine (say, a box at work that never goes down):

alias smtp 'ssh mymailhost.domain.com -C -N -L 6110:127.0.0.1:110 -L 2525:127.0.0.1:25 &'

Now, typing "smtp" at the command line of your machine will do all of it in the background, no password or anything required. Also, ssh will generally allow you to sleep a laptop for an hour or 2 before killing the connection (how long depends upon the client and server versions and configurations).

Also, no need to download tcpflow to sniff pwd, just use the built in tcpdump:

tcpdump -i en0 -X

---
Regards,

Ed Hintz



Use ssh-agent and aliases
Authored by: uurf on Jul 23, '03 04:26:16PM
"no need to download tcpflow to sniff pwd, just use the built in tcpdump:"

tcpdump -i en0 -X

"dyld: tcpdump can't open library: /usr/lib/libpcap.A.dylib (No such file or directory, errno = 2)"

/usr/lib/libpcap.a
/usr/lib/libpcap.dylib
are present, however... odd.

Secure POP and SMTP Email via SSH (final update)
Authored by: usingmac on Jul 23, '03 12:45:21PM

Okay so this works. I haven't tried it yet.

I am confused though. If I have a mail server listening on port 110 for POP and 25 for SMTP and I use this command and configure my email client to use the forwarding port, please answer this question:

How can the mail server understand the ssh message, either SMTP or POP? What are the steps that are happening to allow the secure part to occur? Is ssh from client A opening a connection over port 22, and then the ssh on the email server seeing the complete instruction and opening a communication to the server port and passing the info through?

Is that how it works? In this case, is it necessary for the email server to have ssh installed as well? If this is the case, one could block port 110 from any machine except, say, localhost?



Secure POP and SMTP Email via SSH (final update)
Authored by: sben on Jul 23, '03 01:32:33PM

You're pretty close.

Here's the exact communication chain:

[email client] [ssh client] [ssh server] [email server]

Connection (1) is unencrypted. As far as the email client is concerned, it's talking directly to the email server -- it speaks SMTP to the destination, and receives SMTP responses back.

Connection (2) is encrypted. The ssh client takes the communication from the email client -- it doesn't care about the details of the communication -- encrypts them, and passes it over to the ssh server.

Connection (3) is unencrypted. The ssh server takes the encrypted communication from the ssh client, decrypts it (again, not caring about the details of what it's decrypting -- it could be SMTP, or POP3, or HTTP, or gibberish, as far as it's concerned), and passes it over to the email server. Similar to connection (1), the email server thinks it's talking directly to the email client -- it receives SMTP messages, and sends back SMTP messages in response.

In an ideal world, the email client and ssh client are on the same machine, since that connection is unencrypted. If they are on the same machine, the only way to snoop on that side of the connection is if there's some sort of trojan horse snooping software running on that machine. This setup will certainly work if the clients are on different machines, but will be significantly less secure, since you can't necessarily trust the intervening network (esp. if you're using wireless!).

For the same reasons, the ssh server and email server should be on the same machine. If they aren't, but you absolutely trust the intermediate network (a plausible, though not great, assumption on a corporate network), you may still be secure.



Secure POP and SMTP Email via SSH (final update)
Authored by: sben on Jul 23, '03 01:34:34PM

Argh, it previewed okay, but turned out wrong after I posted....

Here's that communication chain again:

[email client] --(1)-- [ssh client] --(2)-- [ssh server] --(3)-- [email server]



Secure POP and SMTP Email via SSH (final update)
Authored by: macemoneta on Jul 23, '03 02:06:23PM

Don't forget -- you have X-windows! Instead of tunneling the various protocols, just start X-windows and ssh to the destination with the "-X" option (add "-C", for compression on slow links):

ssh -X -C user@host

Now you can start your favorite server-based mail program, news reader, web browser, whatever, and EVERYTHING is encrypted back to the server!



Secure POP and SMTP Email via SSH (final update)
Authored by: CaptCosmic on Jul 23, '03 04:18:12PM

If you're hosting your own mail server, it would be more standard to actually setup S-POP3, S-IMAP, and SMTP TLS support. You can install Postfix and get TLS support without much difficulty. And Courier Mail package provides both secure and insecure versions of POP and IMAP.

---
Capt Cosmic



How to get this working with POPFile?
Authored by: theNonsuch on Aug 02, '03 03:34:48PM
Can anyone clarify if it's possible to use this method when you use a local mail filter like POPFile?

For those who don't use it, POPFile is a great Bayesian filter which runs on OS X under perl. You direct mail server queries to the localhost, and POPfile then goes and fetches your mail for you.

For example, in my email client right now this is how I have POPFile referenced:

POP server: 127.0.0.1
Username: pop.mymailserver.com:myUsername

And then POPFile parses the username to know where to go and what username to use.

Anyone? I'd love to get this working...



Automate SSH Tunnel Manager?
Authored by: jhales on Mar 07, '05 12:05:55PM

I am doing this via SSH Tunnel Manager. I wanted to further automate this by running SSH Tunnel Manager every time I start Mail.app; is there a way to do this with AppleScript? Or could someone recommend another way to automate this that will be user specific (in other words, I might want to set up different tunnels depending on who is logged on)?



Secure POP and SMTP email via HTTPS
Authored by: marionX on Jul 11, '08 08:52:11AM
If, however, you are in a network which allows neither SSH nor POP3 nor SMTP access (such as public wifis at airports, restaurants etc.) you might find it interesting to tunnel your mail communication via HTTPS.

An interesting project can be found on www.serFISH.com/mail. A small client app can be downloaded for free which acts as a local mail server and forwards mail communications either to the mail server or to an HTTP tunnelling service.

Fancy approach, I guess :-)
