Now that I have a laptop and a wireless ethernet card (YAY!), I want to check
my email from public wi-fi points like the café down the street. But POP
and SMTP send my password in cleartext which I obviously don't want other people
using the same wi-fi point to sniff.
The solution? SSH.
Prerequisites:
I will assume you are able to ssh into your server and therefore, you have
a login and password and know your server's address. (If you have a commercial
webhost hosting your website and email, ask them to enable SSH login for you.)
Step 1
Open Terminal and type:
ssh -L 55110:mail.yourdomainname.com:110 SSHlogin@mail.yourdomainname.com
(Replace "mail.yourdomainname.com" with your POP3 mailserver address, and replace "SSHlogin" with your ssh login.)
Step 2
Open a new Terminal window and type:
ssh -L 5525:mail.yourdomainname.com:25 SSHlogin@mail.yourdomainname.com
(Replace "mail.yourdomainname.com" with your SMTP mailserver address, and replace "SSHlogin" with your ssh login.)
Step 3
In your email program edit your account to these settings:
POP server: 127.0.0.1
Use special port: 55110
SMTP server: 127.0.0.1
Use special port: 5525
Note: if your email program does not have a separate input box for a special port number, you may have to enter the above information in this format:
POP server: 127.0.0.1:55110
SMTP server: 127.0.0.1:5525
Step 4
Check your email without fear. Yay! (Or at least with less fear. Perfect security
is impossible, right?)
For the non-believers: If you don't believe POP3 and SMTP are sending your passwords in clear text, download tcpflow and then type this command in Terminal:
sudo /usr/local/bin/tcpflow -i en0 -c
Now check your email.
Try this with and without SSH to make sure it's working. ("control+c" will
stop the tcpflow command.)
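The with-and-without-SSH comparison above can be checked mechanically. This is an added example, not part of the original hint: a shell function that scans saved `tcpflow -c` output for POP3/SMTP login commands sent to ports 110 or 25. The line format it parses and the sample captures (addresses, user name, password) are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag mail credentials visible in saved `tcpflow -c` output.
# Assumption: each line is "SRCIP.SRCPORT-DSTIP.DSTPORT: payload" with
# zero-padded fields, the prefix tcpflow prints in console mode.

# Reads capture text on stdin; prints one line per exposing client command.
# Exit status: 0 = nothing exposed, 1 = cleartext POP3/SMTP login seen.
check_mail_exposure() {
    awk '
    {
        sep = index($0, ": ")            # end of the flow identifier
        if (sep == 0) next
        flow = substr($0, 1, sep - 1)
        payload = substr($0, sep + 2)
        n = split(flow, part, ".")       # last field = destination port
        dport = part[n] + 0
        if (dport != 110 && dport != 25) next
        cmd = toupper(payload)
        if (cmd ~ /^(USER|PASS) / || cmd ~ /^AUTH (LOGIN|PLAIN)/) {
            split(cmd, word, " ")
            # Report the command name only, never the secret itself.
            printf "port %d: cleartext %s\n", dport, word[1]
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: a mail client talking POP3 directly to the server.
sample_cleartext() {
cat <<'EOF'
203.000.113.025.00110-192.168.001.010.49152: +OK POP3 ready
192.168.001.010.49152-203.000.113.025.00110: USER alice
203.000.113.025.00110-192.168.001.010.49152: +OK
192.168.001.010.49152-203.000.113.025.00110: PASS example-password
EOF
}

# Constructed sample: the same session carried inside the ssh tunnel.
sample_tunneled() {
cat <<'EOF'
192.168.001.010.49153-203.000.113.025.00022: SSH-2.0-OpenSSH_client
203.000.113.025.00022-192.168.001.010.49153: SSH-2.0-OpenSSH_server
EOF
}

sample_cleartext | check_mail_exposure || echo "direct: password is on the wire"
sample_tunneled | check_mail_exposure && echo "tunneled: only SSH traffic seen"
```

To use it on a real capture, redirect the tcpflow output to a file while you check your email, then feed that file to check_mail_exposure on stdin.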
Benefit even from my home DSL connection:
My DSL static I.P. no longer appears in the email headers of email I send.
In its place is the I.P. address of my email server. I like this because
I don't always want everyone I send an email to, to know my static I.P. address.
A note about the ports I chose:
I chose not to tunnel the standard POP and SMTP ports (110 and 25) because
doing so would require a sudo at the beginning of each command (forwarding
of ports below 1024 requires root privileges). To make the numbers easy to
remember, I simply put a "55" in front of each standard port number,
thus "110" became "55110" and "25" became "5525".
Endnote:
I was originally hoping after posting this hint, someone would leave a comment
telling me how to automate this. But I just stumbled upon a nice little freeware
app that will do the trick: SSH Tunnel Manager.
Secure FTP:
Also, I've been using SSH Tunnel Manager to set up an
FTP forward (using my same port strategy: 5521) so I can use Dreamweaver's
built-in FTP securely. Macromedia even has a tutorial for
this. There are other FTP programs (like Interarchy, RBrowser, etc.) that
support FTP via SSH tunnel (also called SFTP), but if you need and/or want
to use Dreamweaver's built-in FTP, then SSH Tunnel Manager does the trick.
Mac OS X Hints
http://hints.macworld.com/article.php?story=20030721022245232