Secure POP and SMTP email via SSH

Jul 23, '03 10:03:00AM

Contributed by: SimonDorfman.com

Now that I have a laptop and a wireless ethernet card (YAY!), I want to check my email from public wi-fi points like the café down the street. But POP and SMTP send my password in cleartext which I obviously don't want other people using the same wi-fi point to sniff. The solution? SSH.

Prerequisites:
I will assume you are able to ssh into your server and therefore, you have a login and password and know your server's address. (If you have a commercial webhost hosting your website and email, ask them to enable SSH login for you.)

Step 1
Open Terminal, type:

ssh -L 55110:mail.yourdomainname.com:110 SSHlogin@mail.yourdomainname.com
(Replace "mail.yourdomainname.com" with your POP3 mailserver address. And replace "SSHlogin" with your ssh login.)
Then enter your password at the prompt.

Step 2
Open a new Terminal window, type:

ssh -L 5525:mail.yourdomainname.com:25 SSHlogin@mail.yourdomainname.com
(Replace "mail.yourdomainname.com" with your SMTP mailserver address. And replace "SSHlogin" with your ssh login.)
Then enter your password at the prompt.

Step 3
In your email program edit your account to these settings:

POP server: 127.0.0.1
Use special port: 55110

SMTP server: 127.0.0.1
Use special port: 5525

Note: if your email program does not have a separate input box for a special port number, you may have to enter the above information in this format:

POP server: 127.0.0.1:55110
SMTP server: 127.0.0.1:5525

Step 4
Check your email without fear. Yay! (Or at least with less fear. Perfect security is impossible, right?)
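Before trusting the client settings in Step 3, it is worth confirming that each local port really reaches the mail service through the tunnel; the following Python check is an added example, not part of the original hint, that connects to the local ends of the Step 1 and Step 2 forwards, reads the server greeting and reports whether it looks like POP3 or SMTP. The fake-server helper and its sample banners are constructed only so the check can be exercised offline.

```python
import socket
import threading

# Local ends of the two forwards from Steps 1 and 2: 55110 -> POP3 (110), 5525 -> SMTP (25).
TUNNELS = {"pop3": 55110, "smtp": 5525}
# The greeting each service sends before the client speaks.
GREETING_PREFIX = {"pop3": b"+OK", "smtp": b"220"}


def classify_banner(banner: bytes, proto: str) -> bool:
    """True if the first line read from the socket is a valid greeting for proto."""
    first_line = banner.split(b"\r\n", 1)[0]
    return first_line.startswith(GREETING_PREFIX[proto])


def check_tunnel(proto: str, port: int, host: str = "127.0.0.1", timeout: float = 3.0) -> dict:
    """Connect to the local end of an ssh -L forward and read the server greeting.

    ssh accepts the local connection before the remote connect has succeeded, so a
    port that merely accepts proves little; the banner is the real test. This only
    vouches for the path to the ssh host, which in the commands above is the mail
    server itself, so there is no second, unencrypted hop behind it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            banner = sock.recv(512)
    except OSError as exc:  # refused or timed out: tunnel not running
        return {"proto": proto, "port": port, "ok": False, "banner": "", "error": str(exc)}
    text = banner.decode("ascii", "replace").strip()
    return {"proto": proto, "port": port, "ok": classify_banner(banner, proto), "banner": text, "error": ""}


def serve_banner_once(banner: bytes) -> int:
    """Constructed stand-in for a forwarded mail server, for exercising the check offline.

    Listens on an ephemeral loopback port, sends banner to the first client, then closes.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]
```

With both ssh commands running, `check_tunnel("pop3", 55110)` and `check_tunnel("smtp", 5525)` should each return `ok` True and the server's own greeting; a refused connection or a greeting from the wrong service means the forward is not what the client will be talking to.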

For the non-believers: If you don't believe POP3 and SMTP are sending your passwords in clear text, download tcpflow and then type this command in Terminal:

sudo /usr/local/bin/tcpflow -i en0 -c
Now check your email. Try this with and without SSH to make sure it's working. ("control+c" will stop the tcpflow command.)

Benefit even from my home DSL connection:
My DSL static IP no longer appears in the headers of email I send. In its place is the IP address of my email server. I like this because I don't always want everyone I send an email to know my static IP address.

A note about the ports I chose:
I chose not to tunnel the standard POP and SMTP ports (110 and 25) because doing so would require a sudo at the beginning of each command (forwarding of ports below 1024 requires root privileges). To make the numbers easy to remember, I simply put a "55" in front of each standard port number, thus "110" became "55110" and "25" became "5525".

Endnote:
I was originally hoping after posting this hint, someone would leave a comment telling me how to automate this. But I just stumbled upon a nice little freeware app that will do the trick: SSH Tunnel Manager.

Secure FTP:
Also, I've been using SSH Tunnel Manager to set up an FTP forward (using my same port strategy: 5521) so I can use Dreamweaver's built-in FTP securely. Macromedia even has a tutorial for this. There are other FTP programs (like Interarchy, RBrowser, etc.) that support FTP via SSH tunnel (also called SFTP), but if you need and/or want to use Dreamweaver's built-in FTP, then SSH Tunnel Manager does the trick.

Mac OS X Hints
http://hints.macworld.com/article.php?story=20030721022245232