[sf-lug] sending mail through SSH port forwarding

John Magolske b79net at gmail.com
Wed Oct 22 13:05:42 PDT 2008

Thank you to all who responded!

* John Magolske <b79net at gmail.com> [081013 14:05]:
> In an attempt to send email through SSH for protection against
> password sniffing while using public wifi, I set up port forwarding
> with this command:
> ssh -l remote_username -L 9999:mydomain.net:25 user1 at mydomain.net -N -f

To clarify, my objective is to avoid transmitting my email account
passwords as plaintext between my laptop and the server when fetching
and sending email. If the mail itself is encrypted as well, I guess
that's a nice bonus in terms of having some privacy within the context
of insecure wifi networks. I do understand that once the mail moves
beyond my mail server & into the wild there's no security at all
unless I'm using something like pgp encryption.

* Jeff Tchang <jeff.tchang at gmail.com> [081013 16:07]:
> Exactly what do you mean by disconnecting and reconnecting the DSL
> connection? You mean the connection on the remote host?
> In general the tunnel will go down when you disconnect your SSH
> session cleanly. If you don't do it cleanly the open socket will
> linger a while until the TCP timeout is reached.

In the above ssh command, the -f switch puts ssh in the background,
and I haven't figured out a way to cleanly close it. After
disconnecting from the net (unplugging my laptop from my DSL modem,
etc.), hours later that ssh command still shows up in top, and I have
to kill it by PID before re-invoking the command to set up the port
forwarding again. For now I'm running the command without the -f
switch in a separate screen tty, then using Ctrl-C to kill it. I know
there's a better way to do this...just picked up the book "SSH The
Secure Shell" which should shed some light on the matter.

* Jeffrey Malone <ieatlint at tehinterweb.com> [081013 22:04]:
> You may wish to look into SSL SMTP, however.  Many providers have it
> for SMTP and POP3 (and probably IMAP).  The advantages being that
> there would be no need to relay off another server (which puts you at
> the mercy of that server's availability) and no need to pre-configure
> the tunnel before sending an email.  Also, you then will have the same
> connection settings for both secure and "insecure" networks.

Using SSL ends up being a really simple solution. For fetching
email I'm using fdm, so specifying "pop3s" and the appropriate port #
(995 for POP3, & 585 for IMAP in my case) in ~/.fdm/accounts.conf does
the job:

    account "user1_account"  pop3s server "mail.mydomain.net" port "995" user "user1" pass "*****"

There's an excellent description of how SSL works in this context
on the fdm list [1]. (fdm is a combination of a retriever and mail
delivery agent, i.e., replaces getmail and procmail with one program.
I've found it to be a fast & clean solution.)

To send mail I'm using msmtp, which employs TLS, but my mail server
returns this error:

    msmtp:  TLS handshake failed: The Diffie Hellman prime sent
            by the server is not acceptable (not long enough).

This is a known issue [2]. The work-arounds involve increasing the
Diffie-Hellman prime size on the server side (which doesn't seem to
be an option with my hosting service), or patching msmtp. For now I've
decided to just use port forwarding through SSH until I have more
control of my mail server.

* Asheesh Laroia <asheesh at asheesh.org> [081013 22:04]:
> Tyler Trafford wrote:
> > Related reading:
> > http://www.debian-administration.org/articles/487
> I created my own version of the above that I like more.  See
> http://www.asheesh.org/note/sysop/mail-tunnel.html .

These look like interesting solutions. If I understand correctly, this
type of approach is useful in situations where SMTP is not an option.
Otherwise, would it have any advantages over SSL SMTP? I'll try this
out sometime when I have root access to my mail server.

John Magolske
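A small script for managing the tunnel from the first quoted command, added here as an example and not part of the post. It assumes an OpenSSH client with control-socket support (-M, -S, -O), keeps the post's placeholder user, host and port, and uses an assumed socket path ~/.ssh/mailtunnel.sock; the ServerAlive options make ssh exit on its own when the link dies instead of lingering for hours.

```shell
#!/bin/sh
# Added example (not from the post): open, check and cleanly close the SSH
# port forward through an OpenSSH control socket, so the backgrounded -f
# session can be shut down without hunting for its PID in top.
set -u

REMOTE_USER="${REMOTE_USER:-remote_username}"   # placeholder from the post
REMOTE_HOST="${REMOTE_HOST:-mydomain.net}"      # placeholder from the post
LOCAL_PORT="${LOCAL_PORT:-9999}"
SOCK="${SOCK:-${HOME:-/tmp}/.ssh/mailtunnel.sock}"   # assumed socket path

# Print the exact command tunnel_start runs (useful as a dry run).
# ExitOnForwardFailure: exit instead of lingering if port 9999 is already taken.
# ServerAliveInterval/CountMax: give up after ~90 s without a reply, so an
# unplugged DSL modem ends the session rather than leaving it hanging.
tunnel_cmd() {
    printf '%s\n' "ssh -M -S $SOCK -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -l $REMOTE_USER -L $LOCAL_PORT:$REMOTE_HOST:25 $REMOTE_HOST -N -f"
}

# Returns 0 if the control master is alive, non-zero otherwise
# (including when the socket file no longer exists).
tunnel_status() {
    ssh -S "$SOCK" -O check "$REMOTE_HOST" >/dev/null 2>&1
}

tunnel_start() {
    if tunnel_status; then
        echo "tunnel already up: localhost:$LOCAL_PORT -> $REMOTE_HOST:25"
        return 0
    fi
    ssh -M -S "$SOCK" -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -l "$REMOTE_USER" -L "$LOCAL_PORT:$REMOTE_HOST:25" "$REMOTE_HOST" -N -f
}

# Ask the master to exit: the forward closes and the socket is removed.
tunnel_stop() {
    ssh -S "$SOCK" -O exit "$REMOTE_HOST"
}

case "${1:-}" in
    start)  tunnel_start ;;
    stop)   tunnel_stop ;;
    status) if tunnel_status; then echo up; else echo down; fi ;;
    cmd)    tunnel_cmd ;;
esac
```

Point msmtp at localhost:9999 while the tunnel is up, and run the script with `stop` before unplugging rather than killing ssh by PID.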
