Send mail from outside a firewall via Mail.app

Aug 29, '03 09:25:00AM

Contributed by: Anonymous

I should begin by saying that Mail.app is a very pleasant mail reader to use. Sadly, it's just not powerful or practical when it comes to interacting with real-world network environments. In particular, it has none of the essential pre-connect or tunneling features of unix mail readers like mutt. About the only thing one can control is the ports of the servers you're using; luckily that is enough when you have root access to your own machine. Anyway, I got sick of needing to manually set up ssh port forwarding every time I wanted to send mail from my laptop when I was off campus, so I set up the following little trick to make it automatic.

[robg adds: I haven't tested this one...]

First, I use multiple mail accounts and I don't want my outgoing mail server to say localhost in Mail.app, so I changed the 127.0.0.1 localhost line in /etc/hosts to read:

127.0.0.1       localhost joe_mail bob_mail

You can just ignore all the bob stuff to make it work with just one server, named joe. Second, we create two new service identifiers by adding the following four lines to /etc/services (I think only the /tcp lines are actually needed):

joe_sm         1025/tcp
joe_sm         1025/udp
bob_sm         2025/tcp
bob_sm         2025/udp

Third, we create two new pseudo-daemons by adding the following two entries to /etc/inetd.conf (each entry is wrapped onto two lines here; enter each as one long line):
joe_sm        stream  tcp     nowait  nyarlathotep    /usr/libexec/tcpd      
    /usr/bin/ssh -T -q joe.fuq.edu /usr/bin/nc localhost 25
bob_sm        stream  tcp     nowait  nyarlathotep    /usr/libexec/tcpd      
    /usr/bin/ssh -T -q bob.fuq.org /usr/bin/nc localhost 25

This obviously requires that ssh be configured for automatic login, which I should not need to explain (see this hint), and you can replace ssh with other password-free connection methods, say an expect script. Be careful of MOTDs and greetings, as these confuse Mail.app unless they are blocked (the -T and -q flags above disable tty allocation and ssh's own messages). The /usr/libexec/tcpd wrapper is not strictly necessary, but it provides some security; see below.

/usr/bin/nc is the netcat program. It can be found on almost any modern unix distribution, and is available via fink. A similar program called socket is present on some systems and will also work. Note that /usr/bin/nc cannot be replaced with telnet -KE8, as telnet prints its own messages and confuses Mail.app.

Fourth, we need to give tcpd rules to prevent remote connections (you can skip this step if you use a firewall). /etc/hosts.allow should contain the line ssh: 127.0.0.1 and /etc/hosts.deny should contain the line ssh: ALL (tcpd names the daemon after the wrapped program, here ssh, and permits anything not covered by hosts.deny, so the deny line is what actually closes the port to the outside). Finally, configure the outgoing mail server for your main account to be joe_mail on port 1025 (my outgoing mail server for my other account is bob_mail on port 2025).
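The four configuration pieces above have to agree with each other (service name and port, the inetd entry, and the tcpd rules for the wrapped program), and it is easy to leave the port open to the world by forgetting the hosts.deny line. The following is an added example, not part of the original hint: a small sh audit that checks those pieces for consistency and for the localhost-only restriction. It runs against constructed copies of the files in a temporary directory rather than /etc; the names, ports and hosts are the hint's own, and the bad_sm entry is a constructed counter-example that breaks every rule the hint gives.

```sh
#!/bin/sh
# Added example, not part of the original hint: audit the services,
# inetd.conf, hosts.allow and hosts.deny pieces for one of the forwarders.
# Works on constructed copies in a temp dir; never touches /etc.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# --- constructed sample files (contents mirror the hint) -----------------
cat > "$TMPD/services" <<'EOF'
joe_sm         1025/tcp
joe_sm         1025/udp
bob_sm         2025/tcp
bob_sm         2025/udp
EOF

# bad_sm: no tcpd wrapper, no -T -q, and telnet instead of nc.
cat > "$TMPD/inetd.conf" <<'EOF'
joe_sm stream tcp nowait nyarlathotep /usr/libexec/tcpd /usr/bin/ssh -T -q joe.fuq.edu /usr/bin/nc localhost 25
bob_sm stream tcp nowait nyarlathotep /usr/libexec/tcpd /usr/bin/ssh -T -q bob.fuq.org /usr/bin/nc localhost 25
bad_sm stream tcp nowait nyarlathotep /usr/bin/ssh /usr/bin/ssh joe.fuq.edu telnet -KE8 localhost 25
EOF

printf 'ssh: 127.0.0.1\n' > "$TMPD/hosts.allow"
printf 'ssh: ALL\n'       > "$TMPD/hosts.deny"

# Print the TCP port registered for a service name (empty if none).
services_port() {  # $1 = service name, $2 = services file
    awk -v n="$1" '$1 == n && $2 ~ "/tcp$" { sub("/tcp$", "", $2); print $2; exit }' "$2"
}

# An inetd.conf entry passes when it is wrapped by tcpd, runs ssh with
# -T -q (no tty, no chatter) and relays with nc, never telnet.
inetd_entry_ok() {  # $1 = service name, $2 = inetd.conf
    line=$(awk -v n="$1" '$1 == n { print; exit }' "$2")
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | grep -q '/usr/libexec/tcpd[[:space:]]' || return 1
    printf '%s\n' "$line" | grep -q '/usr/bin/ssh -T -q' || return 1
    printf '%s\n' "$line" | grep -q '/usr/bin/nc localhost 25' || return 1
    if printf '%s\n' "$line" | grep -q 'telnet'; then return 1; fi
    return 0
}

# tcpd consults hosts.allow first, then hosts.deny, and permits anything
# that matches neither, so without "ssh: ALL" in hosts.deny the port stays
# reachable from outside. Accepts only the exact single-address form the
# hint uses.
tcpwrap_localhost_only() {  # $1 = daemon name, $2 = hosts.allow, $3 = hosts.deny
    grep -Eq "^[[:space:]]*$1[[:space:]]*:[[:space:]]*127\.0\.0\.1[[:space:]]*$" "$2" || return 1
    grep -Eq "^[[:space:]]*$1[[:space:]]*:[[:space:]]*ALL[[:space:]]*$" "$3" || return 1
}

# Combined check for one forwarder. tcpd names the daemon after the
# wrapped program, so the access rules to look for are the "ssh" ones.
check_forwarder() {  # $1 = service name, $2 = expected port, $3 = config dir
    port=$(services_port "$1" "$3/services")
    [ "$port" = "$2" ] || { echo "$1: port is '$port', expected $2"; return 1; }
    inetd_entry_ok "$1" "$3/inetd.conf" || { echo "$1: unsafe inetd.conf entry"; return 1; }
    tcpwrap_localhost_only ssh "$3/hosts.allow" "$3/hosts.deny" \
        || { echo "$1: tcpd rules do not limit ssh to 127.0.0.1"; return 1; }
    echo "$1: ok, Mail.app should use port $port"
}

check_forwarder joe_sm 1025 "$TMPD"
check_forwarder bob_sm 2025 "$TMPD"
check_forwarder bad_sm 3025 "$TMPD" || true   # the counter-example is rejected
```

To run it against a real machine, point the functions at /etc/services, /etc/inetd.conf, /etc/hosts.allow and /etc/hosts.deny instead of the temp copies; the tcpwrap check deliberately rejects any hosts.allow line that lists more than the single loopback address.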

The major flaw in this approach is the need to go outside of "user space" and modify system config files. You could do this with user-space daemons too, but it's not worth the effort.

General advice for unix newbies on implementing this hint: use telnet 127.0.0.1 1025 to test your progress, and telnet to your machine's port 1025 from another host to test the security. Use killall -HUP inetd to make inetd reread the inetd.conf file.

Mac OS X Hints
http://hints.macworld.com/article.php?story=20030827145105498