Recipe 8.15 Securing POPIMAP with SSH

Previous page
Table of content
Next page

Recipe 8.15 Securing POP/IMAP with SSH

8.15.1 Problem

You want to read mail on a POP or IMAP mail server securely. The mail server machine runs an SSH daemon.

8.15.2 Solution

Use SSH port forwarding. [Recipe 6.14]

  1. Choose an arbitrary, unused TCP port number on your client machine, such as 12345.

  2. Assuming your client is myclient and your mail server is mailhost, open a tunnel to its POP server (TCP port 110):

    myclient$ ssh -f -N -L 12345:localhost:110 mailhost

    or IMAP server (port 143):

    myclient$ ssh -f -N -L 12345:localhost:143 mailhost

    or whatever other port your mail server listens on.

  3. Configure your mail client to connect to the mail server on port 12345 of localhost, instead of the POP or IMAP port on mailhost.

8.15.3 Discussion

As we discussed in our recipe on general port forwarding [Recipe 6.14], ssh -L opens a secure connection from the SSH client to the SSH server, tunneling the data from TCP-based protocol (in this case POP or IMAP) across the connection. We add -N so ssh keeps the tunnel open without requiring a remote command to do so.

Be aware that our recipe uses localhost in two subtly different ways. When we specify the tunnel:

12345:localhost:143

the name "localhost" is interpreted on the SSH server side. But when your mail client connects to localhost, the name is interpreted on the SSH client side. This is normally the behavior you want. However, if the server machine is not listening on the loopback address for some reason, you may need to specify the server name explicitly instead:

12345:mailhost:143

In addition, if the server machine is multihomed (has multiple real network interfaces), the situation may be more complicated. Find out which socket the mail server is listening on by asking your systems staff, or by looking yourself: [Recipe 9.14]

mailhost$ netstat --inet --listening

If your mail client and SSH client are on different hosts, consider adding the -g option of ssh to permit connections to the forwarded port from other hosts. Be careful, however, as this option allows anyone with connectivity to the client machine to use your tunnel.

If your SSH server and mail server are on different hosts, say sshhost and mailhost, then use this tunnel instead:

myclient$ ssh -f -N -L 12345:mailhost:143 sshhost

sshhost could be an SSH login gateway for a corporate network, while mailhost is an internal mail server on which you have a mailbox but no SSH login. sshhost must have connectivity to mailhost, and your client machine to sshhost, but your client machine cannot reach mailhost directly (that's the point of the gateway).

8.15.4 See Also

ssh(1) and sshd(8) discuss port forwarding and its configuration keywords briefly. For more depth, try Chapter 9 of our previous book, SSH, The Secure Shell: The Definitive Guide (O'Reilly), which goes into great detail on the subject.

Previous page
Table of content
Next page
Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247
Authors: Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
BUY ON AMAZON
Introduction to 80x86 Assembly Language and Computer Architecture
Cisco Voice Gateways and Gatekeepers
Pocket Guide to the National Electrical Code(R), 2005 Edition (8th Edition)
AutoCAD 2005 and AutoCAD LT 2005. No Experience Required
The Lean Six Sigma Pocket Toolbook. A Quick Reference Guide to Nearly 100 Tools for Improving Process Quality, Speed, and Complexity
.NET-A Complete Development Cycle
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy