
Send mail from outside a firewall via Mail.app
I should begin by saying that Mail.app is a very pleasant mail reader to use. Sadly, it's just not powerful or practical when it comes to really interacting with real world network environments. In particular, it has none of the essential pre-connect or tunneling features of the unix mail readers like mutt. About the only thing one can control is the ports of the servers you're using; luckily that is enough when you have root access to your own machine. Anyway, I got sick of needing to manually set up ssh port forwarding every time I wanted to send mail from my laptop when I was off campus, so I set up the following little trick to make it automatic.

[robg adds: I haven't tested this one...]

First, I use multiple mail accounts and I don't want my outgoing mail server to say localhost in Mail.app, so I changed the 127.0.0.1 localhost line in /etc/hosts to read:
127.0.0.1       localhost joe_mail bob_mail
You can just ignore all the bob stuff to make it work smoothly with just one server, named joe. Second, we create two new service identifiers by adding the following four lines to /etc/services, though I think you should only need the /tcp lines:
joe_sm         1025/tcp
joe_sm         1025/udp
bob_sm         2025/tcp
bob_sm         2025/udp
Third, we create two new pseudo-daemons by adding the following two lines (shown as two lines per entry; enter as one long line each) to /etc/inetd.conf:
joe_sm        stream  tcp     nowait  nyarlathotep    /usr/libexec/tcpd      
    /usr/bin/ssh -T -q joe.fuq.edu /usr/bin/nc localhost 25
bob_sm        stream  tcp     nowait  nyarlathotep    /usr/libexec/tcpd      
    /usr/bin/ssh -T -q bob.fuq.org /usr/bin/nc localhost 25
This obviously requires that ssh be configured for automatic login, which I should not need to explain (see this hint), and you can obviously replace ssh with other password-free connection methods, like say an expect script. You should be careful of MOTDs and greetings, as these confuse Mail.app unless they are blocked. The /usr/libexec/tcpd wrapper is not strictly necessary, but it provides some security, see below.

/usr/bin/nc is the netcat program. It can be found on most any modern unix distribution, and is available via fink. A similar program called socket is present on some systems and will also work. It's important to note that /usr/bin/nc cannot be replaced with telnet -KE8, as telnet spews out text and confuses Mail.app.

Fourth, we need to give tcpd rules to prevent remote connections (you can skip this step if you use a firewall). /etc/hosts.allow should contain the line ssh: 127.0.0.1; /etc/hosts.deny should contain the line ssh: ALL. Finally, configure the outgoing mail server for your main account to be joe_mail on port 1025 (and my outgoing mail server for my other account is bob_mail on port 2025).

The major flaw in this approach is the need to go outside of "user space" and modify system config files. You could do this with user space daemons too, but it's not worth the effort.

General advice for unix newbies on implementing this hint: Use telnet 127.0.0.1 1025 to test your progress, and telnet from another host to your machine's port 1025 to test the security (that connection should be refused). Use killall -HUP inetd to make inetd reread the inetd.conf file.
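As an added example (not the hint author's code, nor anything Mail.app or inetd ships), here is the same per-connection forwarder done in user space, which avoids touching /etc/inetd.conf, /etc/services and the tcpd rules: it binds to 127.0.0.1 only and, like inetd's nowait mode, spawns the hint's ssh + nc command for every accepted connection and splices the socket onto that process. The round_trip helper substitutes cat for ssh so the check runs offline; joe.fuq.edu is the hint's example host.

```python
import socket
import subprocess
import threading

LISTEN_ADDR = "127.0.0.1"  # loopback only, so no tcpd hosts.allow/hosts.deny rule is needed
# Per-connection command from the hint's joe_sm inetd entry (joe.fuq.edu is the hint's example host)
SMTP_TUNNEL_CMD = ["/usr/bin/ssh", "-T", "-q", "joe.fuq.edu", "/usr/bin/nc", "localhost", "25"]

def serve_connection(conn, cmd):
    """Splice one accepted socket onto the stdin/stdout of a freshly spawned cmd."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, bufsize=0)

    def socket_to_process():  # client -> ssh stdin; client EOF ends the remote nc session
        try:
            for data in iter(lambda: conn.recv(4096), b""):
                while data:  # unbuffered pipe: honour partial writes
                    data = data[proc.stdin.write(data):]
        except OSError:
            pass
        proc.stdin.close()

    threading.Thread(target=socket_to_process, daemon=True).start()
    try:  # ssh stdout -> client, until ssh exits
        for data in iter(lambda: proc.stdout.read(4096), b""):
            conn.sendall(data)
        conn.shutdown(socket.SHUT_RDWR)  # wakes the reader thread if it is still blocked
    except OSError:
        pass
    conn.close()
    proc.wait()

def listener(port, addr=LISTEN_ADDR):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((addr, port))  # port 0 lets the OS pick one (used by round_trip)
    sock.listen(5)
    return sock

def accept_loop(sock, cmd):  # inetd 'nowait' behaviour: a fresh cmd per connection
    while True:
        try:
            conn, _ = sock.accept()
        except OSError:  # listener closed
            return
        threading.Thread(target=serve_connection, args=(conn, cmd), daemon=True).start()

def round_trip(payload, cmd=("cat",)):
    """Offline check with cat standing in for ssh+nc: returns what the client reads back."""
    sock = listener(0)
    threading.Thread(target=accept_loop, args=(sock, list(cmd)), daemon=True).start()
    client = socket.create_connection(sock.getsockname())
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)  # like Mail.app ending its SMTP dialogue
    reply = b"".join(iter(lambda: client.recv(4096), b""))
    client.close()
    sock.close()
    return reply
```

For real use, run accept_loop(listener(1025), SMTP_TUNNEL_CMD) and point Mail.app at joe_mail port 1025; because a new ssh is started per connection there is no long-lived tunnel to lose when the network drops.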

Send mail from outside a firewall via Mail.app
Authored by: sapporo on Aug 29, '03 10:19:41AM

So basically you are implementing a service to forward connections through a ssh tunnel, right? Nice.

Cheers,
-sapporo.

Send mail from outside a firewall via Mail.app
Authored by: zaphon on Aug 29, '03 10:30:10AM

Or you could actually use the "authentication" feature of outgoing e-mail. This is a much better option from both an end user and server operator point of view (no more of this silly pop before smtp crap needed, nor any need to allow any networks to relay specifically). Combine this with SSL enabled services, and it's all nice and secure as well.

Punching SSH tunnels just seems like a lot of work to solve a problem that can easily be solved by making the server more secure.

Not relevant
Authored by: nyarlathotep on Aug 31, '03 11:15:46AM

This hint is for people who have no clout with the sysadmin on their mail server, i.e. most of the world. It is exactly this "only one way to do it" philosophy which makes the Mac such a weak system for many purposes.

As someone else mentioned, one can also use this hint to get other protocols working, i.e. you can use IMAP on a system which only supports POP. I'm even considering setting up an LDAP daemon via this trick, but I'm concerned that it will be slow.

Send mail from outside a firewall via Mail.app
Authored by: tomn on Aug 29, '03 11:39:01AM
What a cool way of doing this. I was just trying to figure this out yesterday.. should have waited a day. :) Just tested this.. and it does work. I modified it slightly though.

Instead of using my normal ssh keys, I created a new key with no passphrase. When I put the entry in the .ssh/authorized_keys2 file I gave it the nc command. Here's the entry:

command="/usr/local/bin/nc 127.0.0.1 25",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa KEY
Then.. I changed the inetd line to:
snet_sm stream  tcp     nowait  tomn    /usr/libexec/tcpd       /usr/bin/ssh -T -q -l tomn -i /Users/tomn/.ssh/id_snet_email pluto.sneaky.net
This allows that key to ONLY run "nc localhost 25".

Now, I'm setting up the rest of my tunnels. I am also going to use this to forward to our internal IMAP server. (Which doesn't have IMAP-SSL enabled.)

neat
Authored by: nyarlathotep on Aug 31, '03 11:44:59AM

That is a nice tip too, thanks, but if you cared enough to have a password on your ssh private keys, wouldn't you just be using ssh-agent? I don't care what any sysadmin says about automated logins, the least secure thing in the world is for me to continually be typing my passphrase into scp/ssh sessions right in front of students. Sure, the passphrase is only good on that one machine, but it gives out a lot of general information about what my passphrases look like. No passphrase is possibly more secure.. and ssh-agent is obviously the "only right way."

You might need to pull some stunts for the inetd spawned ssh processes to know about the ssh-agent, but I can imagine several ways of doing that.

On using other daemons
Authored by: nyarlathotep on Aug 31, '03 11:54:57AM

I'm using it for IMAP too (as my loser ass mail server does not support IMAP), but I did not bother to post those tips as I figured very few people were in that situation. I noticed that just imapd does not appear to have any configuration options at all, which massively sucks. Mail.app needs to tell it to look in the Mail directory for additional folders, as it defaults to my frigging home directory! I'm sure there are ways to configure it, but they do not appear to be advertised anyplace.

I'd also like email name completion for people with email accounts on the same mail server. I was considering setting up LDAP via this method, but it seems like it might be slow (if it needs to start the ssh tunnel and daemon every time).

Send mail from outside a firewall via Mail.app
Authored by: gvaughn on Aug 29, '03 12:00:56PM

Great hint! I've been gradually working to get all the pieces together for myself for a while. But there's one thing I'd like to know. What happens if the network connection is dropped and later reconnects? Will this handle things gracefully -- the new call to localhost:1025 will re-open the tunnel if it is not currently open?

Send mail from outside a firewall via Mail.app
Authored by: gvaughn on Aug 29, '03 12:03:37PM

One other question: my investigations had led me to xinetd instead of inetd. What's the advantage of using one over the other?

xinetd vs. inetd
Authored by: nyarlathotep on Aug 31, '03 03:22:08PM

xinetd is a far superior program, but Mac OS X (and maybe all BSDs) come with inetd, so it's less work to use that one. You could install a user space xinetd daemon, but that's really too much work (unless you do not have root access on your PowerBook).

You could also modify this hint for xinetd if you're using a Linux laptop, except that this would be silly, as Linux would include more serious mail readers like mutt.

xinetd vs. inetd
Authored by: gvaughn on Aug 31, '03 03:35:47PM

My Powerbook G4 running 10.2.6 shows both xinetd and inetd in the process list. I believe I read somewhere that inetd is subordinate to xinetd in OS X (now, what version that started, I'm not sure).

In light of this, would we be better off using xinetd?

xinetd vs. inetd
Authored by: nyarlathotep on Aug 31, '03 05:16:49PM

I'm running only inetd on my PowerBook under 10.2.6, but you may have gotten an xinetd installed via fink.. or you may have a more recent 10.2.6 patch.

The truth is that it should not matter what you use. Starting an ssh process is lots of overhead and having one inetd pass the call off to another should be an unnoticeable delay. So your question really should be "What should we do to make this a robust change?" i.e. what can we do to prevent an upgrade from breaking this. I have absolutely no idea. In fact, part of why I bothered to submit this hint was to provide myself with a permanent record of just what the hell I did, so that I can undo / redo it after 10.3 breaks everything. :)

Send mail from outside a firewall via Mail.app
Authored by: tomn on Aug 29, '03 02:23:42PM

This opens the tunnel each time your mail program tries to connect to the server. It's then closed when you're done sending mail or logout of the IMAP/POP server. SO.. the tunnel isn't up all the time anyway and Mail.app will re-connect if it fails.

Send mail from outside a firewall via Mail.app
Authored by: n9yty on Aug 29, '03 12:22:32PM

Dumb question, but how is this radically different from stunnel? I suppose it's largely the authentication, but otherwise isn't this essentially the same?

stunnel
Authored by: nyarlathotep on Aug 31, '03 11:34:46AM

I'm the author of this hint and I'd consider stunnel to be a better solution, but using stunnel requires either (a) having some clout with the sysadmin on your mail system or (b) configuring complex user space daemons on your mail system (difficult to maintain). The authentication for this method is marginally "better" as ssh public keys and an ssh-agent should be way more secure than Mac's keychain database if your laptop gets stolen or gets a password sniffing virus, but let's be honest with ourselves, those are ridiculously obscure situations.. and do not warrant any additional work to prevent.

Send mail from outside a firewall via Mail.app
Authored by: morgion on Aug 30, '03 11:45:29PM

For me, using gogeek_mail (added to the localhost entry in /etc/hosts) in Mail.app returns an error, but using 127.0.0.1 in Mail.app works fine.

I've used tomn's variant, and added the lines to /etc/services, /etc/hosts, and /etc/inetd.conf, and set up my authorized_keys on the remote host.

Running telnet 127.0.0.1 1025 returns:
Trying 127.0.0.1...
Connected to localhost.

telnet gogeek_mail 1025 returns:
gogeek_mail: No address associated with nodename

I used gogeek_m as the service and inetd.conf names. The only change to tomn's method was using gogeek.org in the authorized_keys, because using 12.0.0.1 returned:
(UNKNOWN) [127.0.0.1] 25 (smtp) : Connection refused
Connection to gogeek.org closed.

Help?

Send mail from outside a firewall via Mail.app
Authored by: morgion on Sep 01, '03 03:43:16PM

I had to take it upon myself to solve this problem...

Even though I had made changes to /etc/hosts, lookupd (the prog that reads and caches the file, among other sources of info) wasn't configured to even read Flat Files.

The solution is to change the line in /etc/lookupd/hosts:
LookupOrder CacheAgent NIAgent DNSAgent FFAgent

The key: make sure 'FFAgent' is in the LookupOrder. Otherwise your changes won't even be noticed.

Problems with Panther? - setgroups: Operation not permitted
Authored by: morgion on Oct 25, '03 06:56:26AM

After doing a complete wipe of my drive and installing a fresh Panther, I went through the steps of trying to set this up again.

However, after everything's done, I test it by entering the following into the Terminal (after proper setup in NetInfo for 127.0.0.1, in /etc/services, and /etc/inetd.conf and my remote host):

% telnet gogeek_smtp 50025

But I get the following:

% Trying 127.0.0.1...
% Connected to localhost.
% Escape character is '^]'.
% inetd: setgroups: Operation not permitted
% Connection closed by foreign host.
What gives? I've done sudo killall -HUP inetd xinetd lookupd, but still no go!

Problems with Panther? - setgroups: Operation not permitted
Authored by: morgion on Oct 25, '03 01:44:27PM

Oops, my bad. Not only did I accidentally start inetd as a non-root user, but inetd isn't even running by default on Panther; xinetd is!

But there are still problems; now when I try % telnet gogeek_smtp 50025, I get the following:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
... and after a short (3-4 second) delay...
Connection closed by foreign host.

Mail.app still can't connect to gogeek_smtp.

Problems with Panther? - setgroups: Operation not permitted
Authored by: nyarlathotep on Jan 24, '04 11:02:18PM

I don't remember if I did anything differently when I set up this trick under Panther; the basic idea still works flawlessly for me. I think /etc/inetd.conf is still used, so you don't need to learn the config file formats of xinetd unless you want to.

Problems with Panther? - setgroups: Operation not permitted
Authored by: marcmac on Feb 04, '04 04:25:41AM

I just got this working in Panther. I found that the server wasn't connecting to the mail server at all, because the root user (as whom xinetd was launching ssh) was failing on a host key check.

I did sudo su -, then as root ran the ssh command by hand, told it to add the key to the known hosts, etc - and once the root user was able to log in without interaction, I didn't have any more problems.

(One other stupid problem I had - my mail server was refusing to relay mail from 127.0.0.1)

Send mail from outside a firewall via Mail.app
Authored by: JasonPro on Mar 03, '04 01:51:20AM
Just to bring this hint up do date with xinetd (Panther), here are some instructions: create a file called imap-sshforward (imap can be any service, substitute if you want) in /etc/xinetd.d/ with the following contents:

service imap-sshforward
{
    type        = UNLISTED
    only_from   = localhost
    port        = 10143
    disable     = no
    socket_type = stream
    wait        = no
    user        = YOURUSERNAMEHERE
    groups      = yes
    server      = /usr/bin/ssh
    server_args =  -T -q YOURSSHHOST nc YOURMAILEXCHANGER
}
YOURSSHHOST and YOURMAILEXCHANGER may be the same machine but they don't have to be. In my case, I can ssh into a machine that is on a secured network to my mail exchanger. Also, notice that I used port 10143 instead of the usual 143. I don't know if you can use 143 since that is a privileged port and this service is set to not run as root. In any case, Mail and any other mail program can easily be configured to use other ports so it doesn't matter.

When you've set up this file, simply kill -HUP XINETD'sPID where XINETD'sPID can be found by doing ps xac | grep xinetd. Xinetd should pick up the new service and be all set.

In order to set up other services such as SMTP and POP3 in this way, just create a new file as before and substitute the new service name wherever imap occurs. Then change the port numbers accordingly and you should be set.

can't get this to work... help anyone?
Authored by: nick on Nov 20, '04 06:26:11AM
I made a file called pop3-tunnel in /etc/xinetd with the following content:
service pop3-tunnel
{
type = UNLISTED
only_from = localhost
port = 55110
disable = no
socket_type = stream
wait = no
user = SSHSERVER-USERNAME
groups = yes
server = /usr/bin/ssh
server_args = -T -q SSHSERVER /usr/bin/nc POPSERVER
}

Then I registered the service in /etc/services:
pop3-tunnel 55110/udp # Post Office Protocol - Version 3
pop3-tunnel 55110/tcp # Post Office Protocol - Version 3

Then I killed xinetd and started it in debug mode.

Then I tried to telnet to the popserver:
# telnet localhost 55110
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
no port[s] to connect to
Connection closed by foreign host.

If I start the ssh tunnel by hand with the following command, it works fine:
niko$ ssh -N -C -L 55110:POPSERVER:110 niko@SSHSERVER


With the xinetd method, how does the SSHSERVER know that it should use port 110 to connect to the POPSERVER? Any help is highly appreciated.

can't get this to work... help anyone?
Authored by: jurg on Feb 05, '05 06:28:50AM

The server also has to have netcat installed. Then use:
server_args = -T -q SSHSERVER /usr/bin/nc POPSERVER 110
